1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

56 Commits

Author SHA1 Message Date
Andreas Schneider
85e3d1774c s4:tls: Do not use deprecated GnuTLS types
Those have been deprecated with GnuTLS 1.0.20 in 2004. I think it is
safe to use them now ;)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-09 23:20:08 +02:00
Björn Jacke
22a37c453d tls: increase Diffie-Hellman group size to 2048 bits
1024 bits is already the minimum accepted size of current TLS libraries. 2048
is recommended for servers, see https://weakdh.org/

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  3 03:47:48 CEST 2015 on sn-devel-104
2015-09-03 03:47:48 +02:00
Andrew Bartlett
ac25a8ac4f lib/tls: Ensure SSLv3 is disabled in the web server by default
By calling gnutls_priority_set_direct() the behaviour should now match the LDAP server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2015-08-31 01:10:22 +02:00
Andrew Bartlett
cdaa1224c4 lib/tls: Remove unused tls_init_client code
This is unused as the callers have now been migrated to tls_tstream

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2015-08-31 01:10:22 +02:00
Evangelos Foutras
c6ad8a10c1 s4:lib/tls: fix build with gnutls 3.4
gnutls_certificate_type_set_priority() was removed in GnuTLS 3.4.0. Use
gnutls_priority_set_direct instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8780

Signed-off-by: Björn Jacke <bj@sernet.de>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Wed Apr 29 22:29:02 CEST 2015 on sn-devel-104
2015-04-29 22:29:02 +02:00
Volker Lendecke
91b04f708f tls: Fix CID 242014 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 09:01:55 +01:00
Volker Lendecke
2be1eeab7f tls: Fix some noblank line endings
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 09:01:55 +01:00
Björn Baumbach
22af043d2f CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem)
If the tls key is not owned by root or has not mode 0600 samba will not
start up.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
2013-11-11 13:07:16 +01:00
Andrew Bartlett
d0d05f8474 s4-lib/tls: Try socket_send() multiple times to send partial packets
This works around an artificial limitation in socket_wrapper that breaks
some versions of GnuTLS when we return a short write.

Instead, keep pushing until the OS will not take it.

The correct solution will be to use tls_tstream, but the client code
for this is not yet tested and needs the ldap client layer changed
to use it.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
2012-07-18 11:23:55 +02:00
Matthias Dieter Wallnöfer
32c82fe69b s4:lib/tls - include GNUTLS headers consistently using <...>
These are system-specific.

Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104
2012-02-18 00:43:58 +01:00
Andrew Bartlett
ac57defdb4 s4-lib/tls: remove unused tls_support()
Found by callcatcher: http://www.skynet.ie/~caolan/Packages/callcatcher.html

Andrew Bartlett
2012-02-10 16:45:12 +11:00
Matthias Dieter Wallnöfer
456c69f95e s4:lib/tls - call "gnutls_transport_set_lowat" only on GNUTLS < 3.0
This function call together with the lowat feature has been removed in release
3.0 as described in this mailing list post:
http://old.nabble.com/gnutls_transport_set_lowat-deprecated-td32554230.html.

Since we do not make any use of lowat (esprimed by each function call)
we are free to simply omit it on v3.0 and later.

This addresses bug #8537.

Reviewed by: abartlet + metze

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Nov 30 20:11:14 CET 2011 on sn-devel-104
2011-11-30 20:11:14 +01:00
Simo Sorce
15efcbaa09 s4:lib: use tevent_ fns names instead of legcay event_ ones 2011-08-13 09:54:16 -04:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Matthias Dieter Wallnöfer
e9686985cb s4: Changes the old occurences of "lp_realm" in "lp_dnsdomain" where needed
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
2009-10-14 10:50:43 +02:00
Andrew Tridgell
c6936ab00f raise the debug level for a common message
when a client disconnects we expect this to happen, so don't print an
error each time
2009-08-12 15:19:42 +10:00
Stefan Metzmacher
6f40637ca8 s4:tls: avoid using talloc_reference() in tls_init_client()
metze
2009-07-31 14:42:04 +02:00
Stefan Metzmacher
d866497b18 s4:tls: avoid using talloc_reference() in tls_init_server()
metze
2009-07-31 14:42:03 +02:00
Matthias Dieter Wallnöfer
2627c6c0c2 Fixed some uninitialised variables
I tried hard to not change the program logic. Should fix bug #6439.
2009-06-19 11:32:01 +10:00
Andrew Tridgell
b1ff79dbb2 fixed some of the TLS problems
This fixes two things in the TLS support for Samba4. The first is to
use a somewhat more correct hostname instead of 'Samba' when
generating the test certificates. That allows TLS test clients (such
as gnutls-cli) to connect to Samba4 using auto-generated certificates.

The second fix is to add a call to gcry_control() to tell gcrypt to
use /dev/urandom instead of /dev/random (on systems that support
that). That means that test certificate generation is now very fast,
which was previously an impediment to putting the TLS tests on the
build farm.
2009-02-18 14:46:57 +11:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Jelmer Vernooij
dcc4081f75 Fix more compiler warnings. 2008-12-23 23:22:57 +01:00
Jelmer Vernooij
9d2d666109 Make lp_tls_* return absolute paths. 2008-10-23 21:49:40 +02:00
Jelmer Vernooij
87ec1d2532 Make sure prototypes are always included, make some functions static and
remove some unused functions.
2008-10-20 18:59:51 +02:00
Jelmer Vernooij
1b99d8fbb5 Use common util_file code. 2008-10-12 17:34:43 +02:00
Jelmer Vernooij
bbdfbf8d9d r26238: Add a loadparm context parameter to torture_context, remove more uses of global_loadparm.
(This used to be commit a33a553054)
2007-12-21 05:47:20 +01:00
Jelmer Vernooij
719a4ae0d3 r25522: Convert to standard bool types.
(This used to be commit 5e814287ba)
2007-10-10 15:07:47 -05:00
Jelmer Vernooij
2f3551ca7c r25446: Merge some changes I made on the way home from SFO:
2007-09-29 More higher-level passing around of lp_ctx.
2007-09-29 Fix warning.
2007-09-29 Pass loadparm contexts on a higher level.
2007-09-29 Avoid using global loadparm context.
(This used to be commit 3468952e77)
2007-10-10 15:07:34 -05:00
Jelmer Vernooij
37d53832a4 r25398: Parse loadparm context to all lp_*() functions.
(This used to be commit 3fcc960839)
2007-10-10 15:07:25 -05:00
Jelmer Vernooij
50bcb45692 r25033: Fix include
(This used to be commit d81bb09046)
2007-10-10 15:05:42 -05:00
Jelmer Vernooij
dccf3f99e4 r25027: Fix more warnings.
(This used to be commit 5085c53fcf)
2007-10-10 15:05:41 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
a3a7c28765 r19217: Merge from SAMBA_4_0_RELEASE:
Re-enable TLS in the default configuration.  We passed on the build
farm because we have an explicit diffie-hilliman parameters file set.

Andrew Bartlett
(This used to be commit d20ab6a5ed)
2007-10-10 14:20:54 -05:00
Andrew Tridgell
30ee8beb93 r18301: I discovered how to load the warnings from a build farm build into
emacs compile mode (hint, paste to a file, and compile as "cat
filename").

This allowed me to fix nearly all the warnings for a IA_64 SuSE build
very quickly.
(This used to be commit eba6c84eff)
2007-10-10 14:18:04 -05:00
Andrew Tridgell
714f3991a1 r17674: fixed a problem on with our configure logic on systems that have
libgnutls but not some of the crt functions
(This used to be commit 7a0264c52d)
2007-10-10 14:16:22 -05:00
Simo Sorce
1ea8c378e2 r17412: fix missing colon
(This used to be commit 300d6e724d)
2007-10-10 14:15:22 -05:00
Andrew Bartlett
976b01b01a r17411: Try and compile on older versions of GnuTLS.
Andrew Bartlett
(This used to be commit 798c0791d8)
2007-10-10 14:15:22 -05:00
Andrew Bartlett
adefa4404c r17379: Pre-generate DH parameters, to avoid doing this at runtime in our testsuite.
Andrew Bartlett
(This used to be commit 23314c3953)
2007-10-10 14:15:20 -05:00
Andrew Bartlett
84b0eb6a57 r17286: Simply fail the tls_initialise if we don't have TLS compiled in.
Adjust the web_server code to cope with this.

Andrew Bartlett
(This used to be commit 3043969708)
2007-10-10 14:15:06 -05:00
Andrew Bartlett
9d6f276717 r17222: Change the function prototypes for the GENSEc and TLS socket creation
routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c)
2007-10-10 14:10:20 -05:00
Andrew Bartlett
ba07fa43d0 r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb)
2007-10-10 14:10:18 -05:00
Andrew Bartlett
a1a842eb44 r17168: Now that TLS (and soon SASL) is below the socket layer, we need to
make the testnonblock skip some things.  The socket *under* the tls
socket is still tested.

Andrew Bartlett
(This used to be commit 9c33c6a20a)
2007-10-10 14:10:15 -05:00
Andrew Tridgell
971d30bb20 r15854: more talloc_set_destructor() typesafe fixes
(This used to be commit 61c6100617)
2007-10-10 14:08:32 -05:00
Andrew Bartlett
742c110cd6 r15400: Move the TLS code behind the socket interface.
This reduces caller complexity, because the TLS code is now called
just like any other socket.  (A new socket context is returned by the
tls_init_server and tls_init_client routines).

When TLS is not available, the original socket is returned.

Andrew Bartlett
(This used to be commit 09b2f30dfa)
2007-10-10 14:05:32 -05:00
Andrew Bartlett
ab758f383d r15357: Fix the build on systems without GNUTLS.
Andrew Bartlett
(This used to be commit 2cd2e524e6)
2007-10-10 14:05:25 -05:00
Andrew Bartlett
c2cc10c786 r15356: Remove unused 'flags' argument from socket_send() and friends.
This is in preperation for making TLS a socket library.

Andrew Bartlett
(This used to be commit a312812b92)
2007-10-10 14:05:25 -05:00
Andrew Tridgell
0f921145d5 r14412: init a var
(This used to be commit ec53f5fe96)
2007-10-10 13:57:20 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Andrew Tridgell
8c53aba485 r7912: make private_path() recognise a non-relative filename, so we can have
sam database = sam.ldb

and it will know to put it in the private dir, but if you use

  sam database = ldap://server

it knows to use it as-is
(This used to be commit c5bccbc366)
2007-10-10 13:18:48 -05:00
Andrew Tridgell
30b68a0af2 r7773: fixed the tls code for the non-GNUTLS case
(This used to be commit bc6bc84ef4)
2007-10-10 13:18:34 -05:00