1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

15 Commits

Author SHA1 Message Date
Andreas Schneider
53e3a959b9 s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is a good practice,
because TLS protocol hardening and phasing out of legacy algorithms,
is easier to co-ordinate when happens at a single place. See crypto
policies of Fedora.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
2020-06-17 17:42:02 +00:00
Andreas Schneider
0b84bc03e8 waf: Check if GnuTLS has support for crypto policies
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-19 20:46:41 +00:00
Andreas Schneider
d459ca04fc libcli:smb: Improve check for gnutls_aead_cipher_(en|de)cryptv2
This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
in 3.6.11, see:

    https://gitlab.com/gnutls/gnutls/-/merge_requests/1085

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14250

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb  4 06:44:00 UTC 2020 on sn-devel-184
2020-02-04 06:43:59 +00:00
Andreas Schneider
fa255a36df waf: Check for gnutls_aead_cipher_encryptv2()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
2019-10-08 12:50:38 +00:00
Andreas Schneider
69be6b8416 waf: Check for AES128 CMAC support in GnuTLS
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:32 +00:00
Andrew Bartlett
068da56a20 build: Remove explicit check for HAVE_GNUTLS_AEAD as we require GnuTLS 3.4.7
We strictly require it and if this were to fail we would want the compile to fail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:31 +00:00
Andrew Bartlett
52b91cb33c s4-rpc_server: Remove Heimdal-based BackupKey server
We rely on a modern GnuTLS now.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:31 +00:00
Andrew Bartlett
974cebdf95 build: Set minimum GnuTLS version at 3.4.7
This will soon be required for encrypted_secrets in the AD DC, the BackupKey server
and SMB2 as we remove use of the internal AES code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:31 +00:00
Andreas Schneider
20a42459df waf: Check for GNUTLS AES CFB support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
1b9cd2acda waf: Also check for gnutls_privkey_export_x509()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-07 00:11:25 +00:00
Andreas Schneider
712e464fb7 waf: Remove unused GNUTLS defines
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
155f697e87 waf: Move check for gnutls_aead_cipher_init to main gnutls wscript
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
e35a8598c6 waf: Add check for gnutls_x509_crt_set_subject_unique_id()
This is used by the GnuTLS backupkey implementation.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
324a2eec86 waf: Move gnutls_pkcs7_get_embedded_data_oid to main gnutls file
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
382d5908a4 waf: Add mandatory requirement for GnuTLS >= 3.2.0
We plan to move to GnuTLS for crypto in Samba, this is the first step to
make it mandatory and to require a version which is in LTS
distributions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:26 +00:00