summaryrefslogtreecommitdiff
path: root/source4/lib/tls/tls.c
AgeCommit message (Collapse)AuthorFilesLines
2012-07-18s4-lib/tls: Try socket_send() multiple times to send partial packetsAndrew Bartlett1-13/+26
This works around an artificial limitation in socket_wrapper that breaks some versions of GnuTLS when we return a short write. Instead, keep pushing until the OS will not take it. The correct solution will be to use tls_tstream, but the client code for this is not yet tested and needs the ldap client layer changed to use it. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
2012-02-18s4:lib/tls - include GNUTLS headers consistently using <...>Matthias Dieter Wallnöfer1-1/+1
These are system-specific. Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104
2012-02-10s4-lib/tls: remove unused tls_support()Andrew Bartlett1-10/+0
Found by callcatcher: http://www.skynet.ie/~caolan/Packages/callcatcher.html Andrew Bartlett
2011-11-30s4:lib/tls - call "gnutls_transport_set_lowat" only on GNUTLS < 3.0Matthias Dieter Wallnöfer1-0/+4
This function call together with the lowat feature has been removed in release 3.0 as described in this mailing list post: http://old.nabble.com/gnutls_transport_set_lowat-deprecated-td32554230.html. Since we do not make any use of lowat (esprimed by each function call) we are free to simply omit it on v3.0 and later. This addresses bug #8537. Reviewed by: abartlet + metze Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Wed Nov 30 20:11:14 CET 2011 on sn-devel-104
2011-08-13s4:lib: use tevent_ fns names instead of legcay event_ onesSimo Sorce1-10/+10
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-8/+8
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-10-14s4: Changes the old occurences of "lp_realm" in "lp_dnsdomain" where neededMatthias Dieter Wallnöfer1-1/+2
For KERBEROS applications the realm should be upcase (function "lp_realm") but for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch implements the use of both in the right way.
2009-08-12raise the debug level for a common messageAndrew Tridgell1-1/+1
when a client disconnects we expect this to happen, so don't print an error each time
2009-07-31s4:tls: avoid using talloc_reference() in tls_init_client()Stefan Metzmacher1-6/+2
metze
2009-07-31s4:tls: avoid using talloc_reference() in tls_init_server()Stefan Metzmacher1-8/+1
metze
2009-06-19Fixed some uninitialised variablesMatthias Dieter Wallnöfer1-2/+1
I tried hard to not change the program logic. Should fix bug #6439.
2009-02-18fixed some of the TLS problemsAndrew Tridgell1-2/+8
This fixes two things in the TLS support for Samba4. The first is to use a somewhat more correct hostname instead of 'Samba' when generating the test certificates. That allows TLS test clients (such as gnutls-cli) to connect to Samba4 using auto-generated certificates. The second fix is to add a call to gcry_control() to tell gcrypt to use /dev/urandom instead of /dev/random (on systems that support that). That means that test certificate generation is now very fast, which was previously an impediment to putting the TLS tests on the build farm.
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-5/+5
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-23Fix more compiler warnings.Jelmer Vernooij1-10/+10
2008-10-23Make lp_tls_* return absolute paths.Jelmer Vernooij1-5/+5
2008-10-20Make sure prototypes are always included, make some functions static andJelmer Vernooij1-1/+0
remove some unused functions.
2008-10-12Use common util_file code.Jelmer Vernooij1-1/+1
2007-12-21r26238: Add a loadparm context parameter to torture_context, remove more ↵Jelmer Vernooij1-16/+12
uses of global_loadparm. (This used to be commit a33a5530545086b81a3b205aa109dff11c546926)
2007-10-10r25522: Convert to standard bool types.Jelmer Vernooij1-39/+39
(This used to be commit 5e814287ba475e12f8cc934fdd09b199dcdfdb86)
2007-10-10r25446: Merge some changes I made on the way home from SFO:Jelmer Vernooij1-6/+6
2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij1-7/+7
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r25033: Fix includeJelmer Vernooij1-0/+1
(This used to be commit d81bb09046a7ea65aa916be7fcfa94e86b6191f5)
2007-10-10r25027: Fix more warnings.Jelmer Vernooij1-0/+1
(This used to be commit 5085c53fcfade614e83d21fc2c1a5bc43bb2a729)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r19217: Merge from SAMBA_4_0_RELEASE:Andrew Bartlett1-1/+2
Re-enable TLS in the default configuration. We passed on the build farm because we have an explicit diffie-hilliman parameters file set. Andrew Bartlett (This used to be commit d20ab6a5ed7f980cb653e965c4de3de8d058d9c4)
2007-10-10r18301: I discovered how to load the warnings from a build farm build intoAndrew Tridgell1-2/+4
emacs compile mode (hint, paste to a file, and compile as "cat filename"). This allowed me to fix nearly all the warnings for a IA_64 SuSE build very quickly. (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
2007-10-10r17674: fixed a problem on with our configure logic on systems that haveAndrew Tridgell1-3/+3
libgnutls but not some of the crt functions (This used to be commit 7a0264c52dd8ab1b1bb321462f66955a866d90a9)
2007-10-10r17412: fix missing colonSimo Sorce1-1/+1
(This used to be commit 300d6e724d1ce386ad53852c0645fa8de374625a)
2007-10-10r17411: Try and compile on older versions of GnuTLS.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit 798c0791d8e8d10dde41a6dbceb0866265f9a709)
2007-10-10r17379: Pre-generate DH parameters, to avoid doing this at runtime in our ↵Andrew Bartlett1-2/+16
testsuite. Andrew Bartlett (This used to be commit 23314c3953676124a2ad06e8b3a3b297c11f2800)
2007-10-10r17286: Simply fail the tls_initialise if we don't have TLS compiled in.Andrew Bartlett1-5/+2
Adjust the web_server code to cope with this. Andrew Bartlett (This used to be commit 3043969708edbdab58ee57e2fbffa293b6406813)
2007-10-10r17222: Change the function prototypes for the GENSEc and TLS socket creationAndrew Bartlett1-10/+14
routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-though' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10r17197: This patch moves the encryption of bulk data on SASL negotiated securityAndrew Bartlett1-2/+2
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10r17168: Now that TLS (and soon SASL) is below the socket layer, we need toAndrew Bartlett1-2/+4
make the testnonblock skip some things. The socket *under* the tls socket is still tested. Andrew Bartlett (This used to be commit 9c33c6a20a77e3f15eac3d62488117517afad940)
2007-10-10r15854: more talloc_set_destructor() typesafe fixesAndrew Tridgell1-2/+1
(This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3)
2007-10-10r15400: Move the TLS code behind the socket interface.Andrew Bartlett1-61/+158
This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10r15357: Fix the build on systems without GNUTLS.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 2cd2e524e6e1acb2e2921e32c5551f528aa04bf4)
2007-10-10r15356: Remove unused 'flags' argument from socket_send() and friends.Andrew Bartlett1-5/+5
This is in preperation for making TLS a socket library. Andrew Bartlett (This used to be commit a312812b92f5ac7e6bd2c4af725dbbbc900d4452)
2007-10-10r14412: init a varAndrew Tridgell1-1/+1
(This used to be commit ec53f5fe9617ea36295522a410161bbca6edf9ad)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-1/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r7912: make private_path() recognise a non-relative filename, so we can haveAndrew Tridgell1-7/+21
sam database = sam.ldb and it will know to put it in the private dir, but if you use sam database = ldap://server it knows to use it as-is (This used to be commit c5bccbc366db144d3e1cb7b21f0e3284d841dd06)
2007-10-10r7773: fixed the tls code for the non-GNUTLS caseAndrew Tridgell1-1/+1
(This used to be commit bc6bc84ef4ad3434c6cb8d94a8d7a105ad2fd8c2)
2007-10-10r7769: added client support in the tls library apiAndrew Tridgell1-12/+119
(This used to be commit 71ee6a1df542b95c61217de71e6f56b8ce9d81b5)
2007-10-10r7751: only enable tls on the ldaps port in ldap server, and reject non-tlsAndrew Tridgell1-4/+5
connections on that port (This used to be commit 30da6a1cc41308a16a486111887f45bcf598f064)
2007-10-10r7750: handle STATUS_MORE_ENTRIES on send in tlsAndrew Tridgell1-0/+4
(This used to be commit 135c3367ff737246ea40030d3c852769666ff522)
2007-10-10r7747: - simplified the ldap server buffer handlingAndrew Tridgell1-1/+20
- got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a)
2007-10-10r7745: better handling of recv errors in tls libraryAndrew Tridgell1-1/+10
(This used to be commit 42d8a1a222430bd64962da7cc4ac0193b5c003f7)
2007-10-10r7742: abstracted out the tls code from the web server, so that our other ↵Andrew Tridgell1-0/+420
servers can easily become tls enabled. This will be used to add support for ldaps (This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f)