1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

23 Commits

Author SHA1 Message Date
Andreas Schneider
85e3d1774c s4:tls: Do not use deprecated GnuTLS types
Those have been deprecated with GnuTLS 1.0.20 in 2004. I think it is
safe to use them now ;)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-09 23:20:08 +02:00
Lukas Slebodnik
fa99ae70f1 tls: Fix warning Wunused-variable
The variable error_pos is used only with enabled ENABLE_GNUTLS
There are warnings if compiled witout gnutls

../source4/lib/tls/tls_tstream.c: In function ‘_tstream_tls_connect_send’:
../source4/lib/tls/tls_tstream.c:1053:14:
    warning: unused variable ‘error_pos’ [-Wunused-variable]
  const char *error_pos;
              ^~~~~~~~~
../source4/lib/tls/tls_tstream.c: In function ‘_tstream_tls_accept_send’:
../source4/lib/tls/tls_tstream.c:1333:14:
     warning: unused variable ‘error_pos’ [-Wunused-variable]
  const char *error_pos;
              ^~~~~~~~~

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Sep 21 00:01:09 CEST 2016 on sn-devel-144
2016-09-21 00:01:08 +02:00
Stefan Metzmacher
64a9cd2a38 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Björn Jacke
22a37c453d tls: increase Diffie-Hellman group size to 2048 bits
1024 bits is already the minimum accepted size of current TLS libraries. 2048
is recommended for servers, see https://weakdh.org/

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  3 03:47:48 CEST 2015 on sn-devel-104
2015-09-03 03:47:48 +02:00
Andrew Bartlett
374d73617d lib/tls: Add new 'tls priority' option
This adds a new option to the smb.conf to allow administrators to disable
TLS protocols in GnuTLS without changing the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 03:08:26 +02:00
Andrew Bartlett
1a8c1bd952 Remove support for OpenPGP certificates in our TLS client and server
We do not provide parameters to configure these, and OpenPGP for TLS (RFC 6091) is not used in AD

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 03:08:26 +02:00
Stefan Metzmacher
6f2c29a13c s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Evangelos Foutras
c6ad8a10c1 s4:lib/tls: fix build with gnutls 3.4
gnutls_certificate_type_set_priority() was removed in GnuTLS 3.4.0. Use
gnutls_priority_set_direct instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8780

Signed-off-by: Björn Jacke <bj@sernet.de>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Wed Apr 29 22:29:02 CEST 2015 on sn-devel-104
2015-04-29 22:29:02 +02:00
Stefan Metzmacher
f074e271a1 s4:lib/tls: add tls_cert_generate() prototype to tls.h
This avoids compiler warnings...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:12 +01:00
Stefan Metzmacher
a2c3479878 Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
This reverts commit 05c1fe5055.

This was discussed here:
https://bugzilla.samba.org/show_bug.cgi?id=10392#c11

This generated warnings like:
invalid permissions on file
'/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has
0600 should be 0400'.

I think we need a better way. Maybe file_check_permissions()
should get allow_perms and deny_perms. And we would call it
with allow_perms = 0400 and deny_perms = 0177. And bits in none
of them are ignored.

For now we revert this and wait for a better fix.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104
2014-03-28 12:37:17 +01:00
Michael Brown
05c1fe5055 s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392

Signed-off-by: Michael Brown <michael@netdirect.ca>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104
2014-01-31 01:27:03 +01:00
Björn Baumbach
22af043d2f CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem)
If the tls key is not owned by root or has not mode 0600 samba will not
start up.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
2013-11-11 13:07:16 +01:00
Matthias Dieter Wallnöfer
32c82fe69b s4:lib/tls - include GNUTLS headers consistently using <...>
These are system-specific.

Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104
2012-02-18 00:43:58 +01:00
Matthias Dieter Wallnöfer
456c69f95e s4:lib/tls - call "gnutls_transport_set_lowat" only on GNUTLS < 3.0
This function call together with the lowat feature has been removed in release
3.0 as described in this mailing list post:
http://old.nabble.com/gnutls_transport_set_lowat-deprecated-td32554230.html.

Since we do not make any use of lowat (esprimed by each function call)
we are free to simply omit it on v3.0 and later.

This addresses bug #8537.

Reviewed by: abartlet + metze

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Nov 30 20:11:14 CET 2011 on sn-devel-104
2011-11-30 20:11:14 +01:00
Stefan Metzmacher
93733e4e31 s4:tls_tstream: also use a dynamic buffer for the pull side
Maybe that fixes the remaining issues with some gnutls versions.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jan 18 17:26:08 CET 2011 on sn-devel-104
2011-01-18 17:26:08 +01:00
Stefan Metzmacher
361b4ed016 s4:tls_tstream: fix partial reads, so that the gnutls layer doesn't read the same data twice
metze
2011-01-18 16:34:28 +01:00
Stefan Metzmacher
69ad3f7f90 tls_tstream: use a dynamic buffer for the push case
Some versions of gnutls doesn't handle EAGAIN correctly,
so we better allow sending buffers without a low size limitation,
the limit is now UINT16_MAX (0xFFFF) and we allocate the buffer
with talloc each time.

metze
2010-12-04 12:12:21 +01:00
Matthieu Patou
a42ccab929 tls_tstream: increase the buffer size
The problem is that with certain version of gnutls are not working
properly if the server is sending in different packet things like (at
least)

* Certificate
* Server Key exchange
* Client certificate

Somehow it really expect this to be done in one packet as some
structures used _gnutls_send_handshake are reinitialized at every
packet exchange and intermediate steps didn't expect it

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-12-04 12:12:21 +01:00
Matthias Dieter Wallnöfer
6ce63655ef s4:lib/tls/tls_tstream.c - quiet warning on Solaris "cc" by casts 2010-11-29 14:48:13 +01:00
Stefan Metzmacher
9300f922ae s4:lib/tls: buffer writes in tstream_tls_push_function()
This works arround bugs in gnutls_handshake(),
which diesn't handle EAGAIN correctly, when they use the
push function.

Thanks to Marcel.Ritter@rrze.uni-erlangen.de and
Matthieu Patou <mat@samba.org> for the debugging work
on bug #7218.

metze
2010-10-08 11:53:08 +02:00
Stefan Metzmacher
a3d44d5504 s4:lib/tls: make more clear what the immediate event is for
metze
2010-10-08 11:53:06 +02:00
Stefan Metzmacher
cce2f9dde4 s4:lib/tls: fix enabled logic in tstream_tls_params_server()
metze
2010-10-08 11:53:06 +02:00
Stefan Metzmacher
ca360fba10 s4:lib/tls: add gnutls backend for tstream
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-09-28 02:29:42 +00:00