path: root/source4/lib/tls
Age | Commit message | Author | Files | Lines
2010-04-06 | build: waf build for lib/tls | Andrew Tridgell | 1 | -0/+27
2009-12-15 | s4:tls: fix the build on Solaris | Brian Lu | 1 | -0/+3
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2009-10-14 | s4: Changes the old occurrences of "lp_realm" to "lp_dnsdomain" where needed | Matthias Dieter Wallnöfer | 1 | -1/+2
    For KERBEROS applications the realm should be uppercase (function "lp_realm"), but for DNS ones it should be used lowercase (function "lp_dnsdomain"). This patch implements the use of both in the right way.
2009-08-12 | raise the debug level for a common message | Andrew Tridgell | 1 | -1/+1
    When a client disconnects we expect this to happen, so don't print an error each time.
2009-07-31 | s4:tls: avoid using talloc_reference() in tls_init_client() | Stefan Metzmacher | 1 | -6/+2
    metze
2009-07-31 | s4:tls: avoid using talloc_reference() in tls_init_server() | Stefan Metzmacher | 1 | -8/+1
    metze
2009-07-28 | s4:tls Enable GnuTLS back to version 1.4 (and into the future) | Andrew Bartlett | 1 | -1/+1
    We think we have the bug fixed.
    Andrew Bartlett
2009-06-19 | Fixed some uninitialised variables | Matthias Dieter Wallnöfer | 1 | -2/+1
    I tried hard to not change the program logic. Should fix bug #6439.
2009-02-24 | Make S4 build on OpenSolaris. | Jeremy Allison | 2 | -1/+3
    Jeremy.
2009-02-18 | fixed some of the TLS problems | Andrew Tridgell | 3 | -10/+22
    This fixes two things in the TLS support for Samba4. The first is to use a somewhat more correct hostname instead of 'Samba' when generating the test certificates. That allows TLS test clients (such as gnutls-cli) to connect to Samba4 using auto-generated certificates.
    The second fix is to add a call to gcry_control() to tell gcrypt to use /dev/urandom instead of /dev/random (on systems that support that). That means that test certificate generation is now very fast, which was previously an impediment to putting the TLS tests on the build farm.
2009-01-15 | Fix indentation for some configure options. | Jelmer Vernooij | 1 | -1/+1
2009-01-08 | Don't attempt to use GNUTLS >= 2.6, as it is known broken with the socket-tls backend. | Jelmer Vernooij | 1 | -30/+28
2008-12-29 | s4:lib/tevent: rename structs | Stefan Metzmacher | 2 | -7/+7
    list=""
    list="$list event_context:tevent_context"
    list="$list fd_event:tevent_fd"
    list="$list timed_event:tevent_timer"
    for s in $list; do
        o=`echo $s | cut -d ':' -f1`
        n=`echo $s | cut -d ':' -f2`
        r=`git grep "struct $o" | cut -d ':' -f1 | sort -u`
        files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
        for f in $files; do
            cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
            mv $f.tmp $f
        done
    done

    metze
2008-12-24 | Rename samba-socket -> samba_socket to fix a couple more compiler warnings. | Jelmer Vernooij | 1 | -1/+1
2008-12-23 | Fix more compiler warnings. | Jelmer Vernooij | 1 | -10/+10
2008-10-23 | Make lp_tls_* return absolute paths. | Jelmer Vernooij | 1 | -5/+5
2008-10-20 | Make sure prototypes are always included, make some functions static and remove some unused functions. | Jelmer Vernooij | 2 | -1/+4
2008-10-12 | Use common util_file code. | Jelmer Vernooij | 1 | -1/+1
2008-06-08 | Make it possible to disable gnutls at configure time, until someone will finally decide to fix it. | Simo Sorce | 1 | -25/+36
    (This used to be commit 0671dce355432a2a4c08ab010831eadd73e4561e)
2008-05-18 | Use variables for source directory in remaining subsystems. | Jelmer Vernooij | 1 | -1/+1
    (This used to be commit 6b6b2196a8a8d9e741f5c399185ded7a16938da0)
2008-04-08 | Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-gmake3 | Jelmer Vernooij | 1 | -3/+1
    Conflicts:
        source/auth/credentials/config.mk
        source/auth/gensec/config.mk
        source/build/smb_build/makefile.pm
        source/heimdal_build/config.mk
        source/lib/events/config.mk
        source/lib/nss_wrapper/config.mk
        source/lib/policy/config.mk
        source/lib/registry/config.mk
        source/lib/socket_wrapper/config.mk
        source/lib/tdb/config.mk
        source/lib/tls/config.mk
        source/lib/util/config.mk
        source/libcli/config.mk
        source/libcli/ldap/config.mk
        source/libnet/config.mk
        source/librpc/config.mk
        source/param/config.mk
        source/rpc_server/config.mk
        source/scripting/ejs/config.mk
        source/smbd/process_model.mk
    (This used to be commit 760378e0294dd0cd4523a83448328478632d7e3d)
2008-04-01 | Rename libsamba-config to libsamba-hostconfig. | Jelmer Vernooij | 1 | -1/+1
    (This used to be commit c46b7e90e347da76156ddcae4866adb88e9fec21)
2008-03-03 | Move object file lists to the Makefile. | Jelmer Vernooij | 1 | -6/+2
    (This used to be commit a7e6d2a1832db388fdafa1279f84c9a8bbfc87d6)
2008-02-11 | Make data about what subsystems/libraries are enabled available in the mkconfig.mk file. | Jelmer Vernooij | 1 | -1/+3
    (This used to be commit 4cc93a98f984d322e41f403169cfa4945b469935)
2007-12-21 | r26238: Add a loadparm context parameter to torture_context, remove more uses of global_loadparm. | Jelmer Vernooij | 2 | -18/+17
    (This used to be commit a33a5530545086b81a3b205aa109dff11c546926)
2007-10-10 | r25522: Convert to standard bool types. | Jelmer Vernooij | 1 | -39/+39
    (This used to be commit 5e814287ba475e12f8cc934fdd09b199dcdfdb86)
2007-10-10 | r25446: Merge some changes I made on the way home from SFO: | Jelmer Vernooij | 1 | -6/+6
    2007-09-29 More higher-level passing around of lp_ctx.
    2007-09-29 Fix warning.
    2007-09-29 Pass loadparm contexts on a higher level.
    2007-09-29 Avoid using global loadparm context.
    (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42)
2007-10-10 | r25398: Parse loadparm context to all lp_*() functions. | Jelmer Vernooij | 1 | -7/+7
    (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10 | r25035: Fix some more warnings, use service pointer rather than service number in more places. | Jelmer Vernooij | 1 | -1/+1
    (This used to be commit df9cebcb97e20564359097148665bd519f31bc6f)
2007-10-10 | r25033: Fix include | Jelmer Vernooij | 1 | -0/+1
    (This used to be commit d81bb09046a7ea65aa916be7fcfa94e86b6191f5)
2007-10-10 | r25027: Fix more warnings. | Jelmer Vernooij | 1 | -0/+1
    (This used to be commit 5085c53fcfade614e83d21fc2c1a5bc43bb2a729)
2007-10-10 | r24712: No longer expose the 'BOOL' data type in any interfaces. | Jelmer Vernooij | 1 | -2/+2
    (This used to be commit 1ce32673d960c8b05b6c1b1b99e1976a402417ae)
2007-10-10 | r23792: convert Samba4 to GPLv3 | Andrew Tridgell | 3 | -9/+6
    There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon.
    (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10 | r19217: Merge from SAMBA_4_0_RELEASE: | Andrew Bartlett | 1 | -1/+2
    Re-enable TLS in the default configuration. We passed on the build farm because we have an explicit Diffie-Hellman parameters file set.
    Andrew Bartlett
    (This used to be commit d20ab6a5ed7f980cb653e965c4de3de8d058d9c4)
2007-10-10 | r18301: I discovered how to load the warnings from a build farm build into emacs compile mode (hint, paste to a file, and compile as "cat filename"). | Andrew Tridgell | 1 | -2/+4
    This allowed me to fix nearly all the warnings for an IA_64 SuSE build very quickly.
    (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
2007-10-10 | r17674: fixed a problem with our configure logic on systems that have libgnutls but not some of the crt functions | Andrew Tridgell | 3 | -5/+5
    (This used to be commit 7a0264c52dd8ab1b1bb321462f66955a866d90a9)
2007-10-10 | r17660: fixed configure test | Andrew Tridgell | 1 | -1/+1
    (This used to be commit 28238ad8f15b8bd3c49fb0b235becca25615cfe6)
2007-10-10 | r17659: cope with systems without the x509 gnutls functions | Andrew Tridgell | 1 | -1/+6
    (This used to be commit 8148534d9c9e566c4ecd9b29857fa96916cd9e3f)
2007-10-10 | r17412: fix missing colon | Simo Sorce | 1 | -1/+1
    (This used to be commit 300d6e724d1ce386ad53852c0645fa8de374625a)
2007-10-10 | r17411: Try and compile on older versions of GnuTLS. | Andrew Bartlett | 2 | -0/+7
    Andrew Bartlett
    (This used to be commit 798c0791d8e8d10dde41a6dbceb0866265f9a709)
2007-10-10 | r17379: Pre-generate DH parameters, to avoid doing this at runtime in our testsuite. | Andrew Bartlett | 1 | -2/+16
    Andrew Bartlett
    (This used to be commit 23314c3953676124a2ad06e8b3a3b297c11f2800)
2007-10-10 | r17286: Simply fail the tls_initialise if we don't have TLS compiled in. | Andrew Bartlett | 1 | -5/+2
    Adjust the web_server code to cope with this.
    Andrew Bartlett
    (This used to be commit 3043969708edbdab58ee57e2fbffa293b6406813)
2007-10-10 | r17222: Change the function prototypes for the GENSEC and TLS socket creation routines to return an NTSTATUS. | Andrew Bartlett | 1 | -10/+14
    This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-through' case.
    Andrew Bartlett
    (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10 | r17197: This patch moves the encryption of bulk data on SASL negotiated security contexts from the application layer into the socket layer. | Andrew Bartlett | 1 | -2/+2
    This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size.

    This patch mirrors the earlier work done to move TLS into the socket layer.

    Unusual in this patch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback.

    In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation:

        +-----------------+---------------------+
        | SASL Packet #1  | SASL Packet #2      |
        ----------------------------------------+
        | LDAP Packet #1      | LDAP Packet #2  |
        ----------------------------------------+

    In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained.

    Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly).

    In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements.

    Andrew Bartlett
    (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10 | r17174: Enable gnutls code, which requires the HAVE_GNUTLS CPP macro. | Andrew Bartlett | 1 | -0/+3
    Andrew Bartlett
    (This used to be commit f3b6e57b2336f36416e25c3a5cd793aa036b5b40)
2007-10-10 | r17168: Now that TLS (and soon SASL) is below the socket layer, we need to make the testnonblock skip some things. | Andrew Bartlett | 2 | -3/+5
    The socket *under* the tls socket is still tested.
    Andrew Bartlett
    (This used to be commit 9c33c6a20a77e3f15eac3d62488117517afad940)
2007-10-10 | r15854: more talloc_set_destructor() typesafe fixes | Andrew Tridgell | 1 | -2/+1
    (This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3)
2007-10-10 | r15829: we need to include socket.h before we can use enum socket_type | Stefan Metzmacher | 1 | -0/+2
    this fixes a compiler warning
    metze
    (This used to be commit dbf82fff10f1b5c3894b9600d98f81ee10e3d876)
2007-10-10 | r15538: Use pkg-config file where possible and only fall back to manual tests if that can't be found (for systems that have older versions of gnutls without the .pc file installed) | Jelmer Vernooij | 1 | -13/+14
    (This used to be commit d77ea8f9072070f47b2b44676facaf66ed40fd17)
2007-10-10 | r15400: Move the TLS code behind the socket interface. | Andrew Bartlett | 2 | -81/+164
    This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned.
    Andrew Bartlett
    (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)