summaryrefslogtreecommitdiff
path: root/source4/lib/tls
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r17379: Pre-generate DH parameters, to avoid doing this at runtime in our ↵Andrew Bartlett1-2/+16
testsuite. Andrew Bartlett (This used to be commit 23314c3953676124a2ad06e8b3a3b297c11f2800)
2007-10-10r17286: Simply fail the tls_initialise if we don't have TLS compiled in.Andrew Bartlett1-5/+2
Adjust the web_server code to cope with this. Andrew Bartlett (This used to be commit 3043969708edbdab58ee57e2fbffa293b6406813)
2007-10-10r17222: Change the function prototypes for the GENSEc and TLS socket creationAndrew Bartlett1-10/+14
routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-though' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10r17197: This patch moves the encryption of bulk data on SASL negotiated securityAndrew Bartlett1-2/+2
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10r17174: Enable gnutls code, which requires the HAVE_GNUTLS CPP macro.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit f3b6e57b2336f36416e25c3a5cd793aa036b5b40)
2007-10-10r17168: Now that TLS (and soon SASL) is below the socket layer, we need toAndrew Bartlett2-3/+5
make the testnonblock skip some things. The socket *under* the tls socket is still tested. Andrew Bartlett (This used to be commit 9c33c6a20a77e3f15eac3d62488117517afad940)
2007-10-10r15854: more talloc_set_destructor() typesafe fixesAndrew Tridgell1-2/+1
(This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3)
2007-10-10r15829: we need to include socket.h before we can use enum socket_typeStefan Metzmacher1-0/+2
this fixes a compiler warning metze (This used to be commit dbf82fff10f1b5c3894b9600d98f81ee10e3d876)
2007-10-10r15538: Use pkg-config file where possible andJelmer Vernooij1-13/+14
only fall back to manual tests if that can't be found (for systems that have older versions of gnutls without the .pc file installed) (This used to be commit d77ea8f9072070f47b2b44676facaf66ed40fd17)
2007-10-10r15400: Move the TLS code behind the socket interface.Andrew Bartlett2-81/+164
This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10r15363: Fix dependencies for shared libraryJelmer Vernooij1-2/+3
(This used to be commit f2ca71f1229f4c20296895116c09bacbd6a53b55)
2007-10-10r15357: Fix the build on systems without GNUTLS.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 2cd2e524e6e1acb2e2921e32c5551f528aa04bf4)
2007-10-10r15356: Remove unused 'flags' argument from socket_send() and friends.Andrew Bartlett1-5/+5
This is in preperation for making TLS a socket library. Andrew Bartlett (This used to be commit a312812b92f5ac7e6bd2c4af725dbbbc900d4452)
2007-10-10r15274: Drop default EXT_LIB_ prefix for external libraries. Fixes issues ↵Jelmer Vernooij2-2/+2
with local (empty) libpopt.a overriding global one (This used to be commit 2f06305e53478e5030c24550954f221a9a97c83f)
2007-10-10r15231: Try to fix detection of ability of CC to generate dependenciesJelmer Vernooij1-0/+3
(This used to be commit 11353d4b47964b762a72ec0e55221811a5a3d550)
2007-10-10r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacementJelmer Vernooij1-1/+1
for REQUIRED_SUBSYSTEMS. (This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
2007-10-10r14806: Fix compiler warningsJelmer Vernooij1-1/+1
(This used to be commit b38a83407717b760c8a7aa3715ab3ca7f637c611)
2007-10-10r14575: Move some path-related functions to libsamba-config so libsamba-utilJelmer Vernooij1-1/+1
doesn't have to depend on the lp_* functions. (This used to be commit f97df7d90a41b77a9edd2d6bdc47c27bf1b6bb07)
2007-10-10r14477: Remove the NOPROTO property - it's no longer used as proto.h is gone.Jelmer Vernooij1-1/+0
(This used to be commit 9c37f847d32d2f327a88c53a90af0c73126b76be)
2007-10-10r14412: init a varAndrew Tridgell1-1/+1
(This used to be commit ec53f5fe9617ea36295522a410161bbca6edf9ad)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-1/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not usingJelmer Vernooij1-1/+1
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10r11596: switched the libcli/raw/ code over to using the lib/stream/ genericAndrew Tridgell1-0/+4
packet parsing code. This simplifies the logic in the raw client library a fair bit (This used to be commit f8d43f1f67876360e1295d85a3c3702d1d60ed7b)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij1-2/+2
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij1-7/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r10586: Add MergedObject() builder. Default to Library() ratherJelmer Vernooij1-1/+1
then StaticLibrary() (This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1)
2007-10-10r10377: Save configuration stuff to sconf.cache so it isn't annoyingly runTim Potter1-3/+4
at every single build. Run 'scons configure=1' or delete sconf.cache to force checks to be re-run. Jelmer, I think this stuff is cached in the .sconf_cache directory but the message is still displayed and it looks like it caches the compiled test object file not the actual result of the test. (This used to be commit 9d001dc083937bbf5642af90bc8a8b1a27825de0)
2007-10-10r10366: More scons fixes. Building et, asn1, lex and yacc files sort-of ↵Jelmer Vernooij1-0/+4
works now (This used to be commit 22f18a84242e5e68a2d57b6d7ff77c089ee7434a)
2007-10-10r10348: Add scons scripts for remaining subsystems. Most subsystems build now,Jelmer Vernooij1-1/+0
but final linking still fails (as does generating files asn1, et, idl and proto files) (This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
2007-10-10r10336: Add sconscript for a couple more subsystems.Jelmer Vernooij1-0/+3
(This used to be commit 59d4450453c25f5cce9b67b808ff0c4433c1d194)
2007-10-10r8482: gnutls_x509_crt_set_subject_key_id is not available in some versionsAndrew Tridgell2-0/+20
of gnutls. Thanks to ab for spotting this. (This used to be commit 437c4057ae4e89725ddbdd026977510beb33c009)
2007-10-10r7912: make private_path() recognise a non-relative filename, so we can haveAndrew Tridgell1-7/+21
sam database = sam.ldb and it will know to put it in the private dir, but if you use sam database = ldap://server it knows to use it as-is (This used to be commit c5bccbc366db144d3e1cb7b21f0e3284d841dd06)
2007-10-10r7773: fixed the tls code for the non-GNUTLS caseAndrew Tridgell1-1/+1
(This used to be commit bc6bc84ef4ad3434c6cb8d94a8d7a105ad2fd8c2)
2007-10-10r7769: added client support in the tls library apiAndrew Tridgell2-12/+126
(This used to be commit 71ee6a1df542b95c61217de71e6f56b8ce9d81b5)
2007-10-10r7751: only enable tls on the ldaps port in ldap server, and reject non-tlsAndrew Tridgell2-5/+7
connections on that port (This used to be commit 30da6a1cc41308a16a486111887f45bcf598f064)
2007-10-10r7750: handle STATUS_MORE_ENTRIES on send in tlsAndrew Tridgell1-0/+4
(This used to be commit 135c3367ff737246ea40030d3c852769666ff522)
2007-10-10r7747: - simplified the ldap server buffer handlingAndrew Tridgell2-1/+25
- got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a)
2007-10-10r7745: better handling of recv errors in tls libraryAndrew Tridgell1-1/+10
(This used to be commit 42d8a1a222430bd64962da7cc4ac0193b5c003f7)
2007-10-10r7742: abstracted out the tls code from the web server, so that our other ↵Andrew Tridgell4-0/+646
servers can easily become tls enabled. This will be used to add support for ldaps (This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f)