1
0
mirror of https://github.com/samba-team/samba.git synced 2025-07-25 00:59:11 +03:00
Commit Graph

120 Commits

Author SHA1 Message Date
bb187cc1e9 s4:lib/tls: explicitly use allow_warnings=True
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:46 +02:00
a2c3479878 Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
This reverts commit 05c1fe5055.

This was discussed here:
https://bugzilla.samba.org/show_bug.cgi?id=10392#c11

This generated warnings like:
invalid permissions on file
'/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has
0600 should be 0400'.

I think we need a better way. Maybe file_check_permissions()
should get allow_perms and deny_perms. And we would call it
with allow_perms = 0400 and deny_perms = 0177. And bits in none
of them are ignored.

For now we revert this and wait for a better fix.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104
2014-03-28 12:37:17 +01:00
05c1fe5055 s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392

Signed-off-by: Michael Brown <michael@netdirect.ca>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104
2014-01-31 01:27:03 +01:00
91b04f708f tls: Fix CID 242014 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 09:01:55 +01:00
2be1eeab7f tls: Fix some noblank line endings
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 09:01:55 +01:00
22af043d2f CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem)
If the tls key is not owned by root or has not mode 0600 samba will not
start up.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
2013-11-11 13:07:16 +01:00
e0248cde8d CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-11-11 11:14:36 +01:00
d0d05f8474 s4-lib/tls: Try socket_send() multiple times to send partial packets
This works around an artificial limitation in socket_wrapper that breaks
some versions of GnuTLS when we return a short write.

Instead, keep pushing until the OS will not take it.

The correct solution will be to use tls_tstream, but the client code
for this is not yet tested and needs the ldap client layer changed
to use it.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
2012-07-18 11:23:55 +02:00
32c82fe69b s4:lib/tls - include GNUTLS headers consistently using <...>
These are system-specific.

Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104
2012-02-18 00:43:58 +01:00
ac57defdb4 s4-lib/tls: remove unused tls_support()
Found by callcatcher: http://www.skynet.ie/~caolan/Packages/callcatcher.html

Andrew Bartlett
2012-02-10 16:45:12 +11:00
456c69f95e s4:lib/tls - call "gnutls_transport_set_lowat" only on GNUTLS < 3.0
This function call together with the lowat feature has been removed in release
3.0 as described in this mailing list post:
http://old.nabble.com/gnutls_transport_set_lowat-deprecated-td32554230.html.

Since we do not make any use of lowat (esprimed by each function call)
we are free to simply omit it on v3.0 and later.

This addresses bug #8537.

Reviewed by: abartlet + metze

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Nov 30 20:11:14 CET 2011 on sn-devel-104
2011-11-30 20:11:14 +01:00
15efcbaa09 s4:lib: use tevent_ fns names instead of legcay event_ ones 2011-08-13 09:54:16 -04:00
af5f494bd2 build: provide tevent-util as a public library
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced
by generated PIDL output.

Andrew Bartlett
2011-08-08 13:34:06 +02:00
22fcb8e494 s4:lib/tls/wscript - exclude known broken GNUTLS releases
This definitely fixes bug #7218.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Mar 10 11:58:27 CET 2011 on sn-devel-104
2011-03-10 11:58:27 +01:00
93733e4e31 s4:tls_tstream: also use a dynamic buffer for the pull side
Maybe that fixes the remaining issues with some gnutls versions.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jan 18 17:26:08 CET 2011 on sn-devel-104
2011-01-18 17:26:08 +01:00
361b4ed016 s4:tls_tstream: fix partial reads, so that the gnutls layer doesn't read the same data twice
metze
2011-01-18 16:34:28 +01:00
69ad3f7f90 tls_tstream: use a dynamic buffer for the push case
Some versions of gnutls doesn't handle EAGAIN correctly,
so we better allow sending buffers without a low size limitation,
the limit is now UINT16_MAX (0xFFFF) and we allocate the buffer
with talloc each time.

metze
2010-12-04 12:12:21 +01:00
a42ccab929 tls_tstream: increase the buffer size
The problem is that with certain version of gnutls are not working
properly if the server is sending in different packet things like (at
least)

* Certificate
* Server Key exchange
* Client certificate

Somehow it really expect this to be done in one packet as some
structures used _gnutls_send_handshake are reinitialized at every
packet exchange and intermediate steps didn't expect it

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-12-04 12:12:21 +01:00
6ce63655ef s4:lib/tls/tls_tstream.c - quiet warning on Solaris "cc" by casts 2010-11-29 14:48:13 +01:00
3deece5591 s4: Remove the old perl/m4/make/mk-based build system.
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-31 02:01:44 +00:00
f8d49958b2 tls: Inform the user if the cert/ca/private key can't be saved
Most of the time this problem is due to a missing <private>/tls dir.
Should close bug 7640.

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Oct 27 20:08:54 UTC 2010 on sn-devel-104
2010-10-27 20:08:54 +00:00
8cf61377aa waf: Remove lib prefix from libraries manually. 2010-10-26 10:17:17 -07:00
833480d3ad s4: Rename LIBSAMBA-* to libsamba-* 2010-10-24 00:20:04 +00:00
614c8ea986 tls: add missing dependency on util_tevent. 2010-10-10 23:08:12 +02:00
9300f922ae s4:lib/tls: buffer writes in tstream_tls_push_function()
This works arround bugs in gnutls_handshake(),
which diesn't handle EAGAIN correctly, when they use the
push function.

Thanks to Marcel.Ritter@rrze.uni-erlangen.de and
Matthieu Patou <mat@samba.org> for the debugging work
on bug #7218.

metze
2010-10-08 11:53:08 +02:00
a3d44d5504 s4:lib/tls: make more clear what the immediate event is for
metze
2010-10-08 11:53:06 +02:00
cce2f9dde4 s4:lib/tls: fix enabled logic in tstream_tls_params_server()
metze
2010-10-08 11:53:06 +02:00
ca360fba10 s4:lib/tls: add gnutls backend for tstream
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-09-28 02:29:42 +00:00
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
f9eae32f4b s4-waf: mark the wscript files as python so vim/emacs knows how to highlight them 2010-04-06 20:27:11 +10:00
17f4485722 s4-waf: disable_gnutls is gone 2010-04-06 20:27:05 +10:00
a6ce1c3dce build: need to mark disabled libraries as DISABLED 2010-04-06 20:27:05 +10:00
9df6c86123 build: honor both --enable-gnutls and --disable-gnutls
This shows how we can do the dual-boolean rules we use so much with
autoconf
2010-04-06 20:27:04 +10:00
0632fac52e build: add cflags from pkg_config results to header/function tests
When we find a package with pkg_config we may need to use the
resulting ccflags and ldflags in later tests.

Support this by adding lib= options to CHECK_FUNC and CHECK_HEADER

This gets gnutls on FreeBSD working
2010-04-06 20:27:01 +10:00
9730166fd6 build: configure fixes for opensolaris 2010-04-06 20:27:01 +10:00
00649a9c62 build: updated configure checks or new syntax 2010-04-06 20:27:00 +10:00
54941c86e7 build: fixed gnutls check 2010-04-06 20:26:58 +10:00
8f1b809d2c build: nearly there on samba4 build 2010-04-06 20:26:47 +10:00
332553d8ab build: check for libgpg-error 2010-04-06 20:26:44 +10:00
a2c866a5e6 build: gcrypt functions 2010-04-06 20:26:43 +10:00
aac8aec0d1 build: more config checks 2010-04-06 20:26:43 +10:00
8bae4823f2 build: waf build for lib/tls 2010-04-06 20:26:41 +10:00
f346079083 s4:tls: fix the build on Solaris
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2009-12-15 12:56:50 +01:00
e9686985cb s4: Changes the old occurences of "lp_realm" in "lp_dnsdomain" where needed
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
2009-10-14 10:50:43 +02:00
c6936ab00f raise the debug level for a common message
when a client disconnects we expect this to happen, so don't print an
error each time
2009-08-12 15:19:42 +10:00
6f40637ca8 s4:tls: avoid using talloc_reference() in tls_init_client()
metze
2009-07-31 14:42:04 +02:00
d866497b18 s4:tls: avoid using talloc_reference() in tls_init_server()
metze
2009-07-31 14:42:03 +02:00
bfda910a20 s4:tls Enable GnuTLS back to version 1.4 (an into the future)
We think we have the bug fixed.

Andrew Bartlett
2009-07-28 14:11:18 +10:00
2627c6c0c2 Fixed some uninitialised variables
I tried hard to not change the program logic. Should fix bug #6439.
2009-06-19 11:32:01 +10:00
a028e9640b Make S4 build on OpenSolaris.
Jeremy.
2009-02-24 15:27:47 -08:00