The branch, master has been updated
       via  c3647ec web_server: Fix server not to segfault on startup
       via  615d9b7 web_server: Use talloc_get_type_abort()
       via  ac25a8a lib/tls: Ensure SSLv3 is disabled in the web server by 
default
       via  cdaa122 lib/tls: Remove unused tls_init_client code
      from  4164d7b ctdb-scripts: Add default filesystem usage warnings

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c3647ec39e42e8dcdd3057dbab49918c2ccf5e9a
Author: Andrew Bartlett <[email protected]>
Date:   Mon Aug 31 11:08:45 2015 +1200

    web_server: Fix server not to segfault on startup
    
    Pair-programmed-with: Garming Sam <[email protected]>
    Signed-off-by: Andrew Bartlett <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Mon Aug 31 04:11:55 CEST 2015 on sn-devel-104

commit 615d9b734ef67f56ec77db05023b9244841ac1b8
Author: Andrew Bartlett <[email protected]>
Date:   Mon Aug 31 10:59:58 2015 +1200

    web_server: Use talloc_get_type_abort()
    
    Signed-off-by: Andrew Bartlett <[email protected]>
    Pair-programmed-with: Garming Sam <[email protected]>

commit ac25a8ac4fc314795f9a8a15a10d731e648deea7
Author: Andrew Bartlett <[email protected]>
Date:   Mon Aug 31 10:48:08 2015 +1200

    lib/tls: Ensure SSLv3 is disabled in the web server by default
    
    By calling gnutls_priority_set_direct() the behaviour should now match the 
LDAP server
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
    Signed-off-by: Andrew Bartlett <[email protected]>
    Pair-programmed-with: Garming Sam <[email protected]>

commit cdaa1224c4d518fd8e81a3e91ad4f80ba1503145
Author: Andrew Bartlett <[email protected]>
Date:   Mon Aug 31 10:33:34 2015 +1200

    lib/tls: Remove unused tls_init_client code
    
    This is unused as the callers have now been migrated to tls_tstream
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
    Signed-off-by: Andrew Bartlett <[email protected]>
    Pair-programmed-with: Garming Sam <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source4/lib/tls/tls.c           | 88 +++++++----------------------------------
 source4/lib/tls/tls.h           |  7 ----
 source4/web_server/web_server.c | 15 +++----
 3 files changed, 22 insertions(+), 88 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 2fe4ff7..0d9d3c9 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -42,6 +42,7 @@ struct tls_params {
        gnutls_certificate_credentials x509_cred;
        gnutls_dh_params dh_params;
        bool tls_enabled;
+       const char *tls_priority;
 };
 #endif
 
@@ -390,6 +391,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, 
struct loadparm_context *
                return params;
        }
 
+       params->tls_priority = lpcfg_tls_priority(lp_ctx);
+
        if (!file_exist(cafile)) {
                char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
                                                 lpcfg_netbios_name(lp_ctx),
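Review bot: params->tls_priority is stored here unchecked and is only parsed by gnutls_priority_set_direct() in tls_init_server(), so a mistyped 'tls priority' value is discovered on the first TLS connection rather than at startup, and every later connection fails with the same log line. Validating the string once here, e.g. with `gnutls_priority_init()` on a throwaway `gnutls_priority_t` released with `gnutls_priority_deinit()`, would surface the configuration error when the server comes up. Whether lpcfg_tls_priority() can return NULL is not visible in this hunk; if it can, a NULL check belongs here as well. tls_initialise continues outside the hunk.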
@@ -499,6 +502,7 @@ struct socket_context *tls_init_server(struct tls_params 
*params,
        int ret;
        struct socket_context *new_sock;
        NTSTATUS nt_status;
+       const char *error_pos;
 
        nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, 
&new_sock,
                                           SOCKET_TYPE_STREAM,
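Review bot: `const char *error_pos;` added here is never initialised, yet the failure branch in the next hunk hands it to `%s` in the DEBUG message; as far as I recall gnutls_priority_set_direct() only sets *err_pos for parse errors in the priority string, so other failures (an allocation error, for instance) would print an indeterminate pointer. Declare it as `const char *error_pos = NULL;` and print it as `error_pos ? error_pos : "(none)"` so the log line is well-defined on every error path. The body of tls_init_server continues outside this hunk.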
@@ -527,7 +531,16 @@ struct socket_context *tls_init_server(struct tls_params 
*params,
 
        talloc_set_destructor(tls, tls_destructor);
 
-       TLSCHECK(gnutls_set_default_priority(tls->session));
+       ret = gnutls_priority_set_direct(tls->session,
+                                        params->tls_priority,
+                                        &error_pos);
+       if (ret != GNUTLS_E_SUCCESS) {
+               DEBUG(0,("TLS %s - %s.  Check 'tls priority' option at '%s'\n",
+                        __location__, gnutls_strerror(ret), error_pos));
+               talloc_free(new_sock);
+               return NULL;
+       }
+
        TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE,
                                        params->x509_cred));
        gnutls_certificate_server_set_request(tls->session, 
GNUTLS_CERT_REQUEST);
@@ -563,69 +576,6 @@ failed:
 }
 
 
-/*
-  setup for a new client connection
-*/
-struct socket_context *tls_init_client(struct socket_context *socket_ctx,
-                                      struct tevent_fd *fde,
-                                      const char *ca_path)
-{
-       struct tls_context *tls;
-       int ret = 0;
-       struct socket_context *new_sock;
-       NTSTATUS nt_status;
-
-       nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, 
&new_sock,
-                                          SOCKET_TYPE_STREAM,
-                                          socket_ctx->flags | 
SOCKET_FLAG_ENCRYPT);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return NULL;
-       }
-
-       tls = talloc(new_sock, struct tls_context);
-       if (tls == NULL) return NULL;
-
-       tls->socket          = socket_ctx;
-       talloc_steal(tls, socket_ctx);
-       tls->fde             = fde;
-
-       new_sock->private_data    = tls;
-
-       gnutls_global_init();
-
-       gnutls_certificate_allocate_credentials(&tls->xcred);
-       gnutls_certificate_set_x509_trust_file(tls->xcred, ca_path, 
GNUTLS_X509_FMT_PEM);
-       TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT));
-       TLSCHECK(gnutls_set_default_priority(tls->session));
-       gnutls_priority_set_direct(tls->session, "NORMAL:+CTYPE-OPENPGP", NULL);
-       TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, 
tls->xcred));
-
-       talloc_set_destructor(tls, tls_destructor);
-
-       gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls);
-       gnutls_transport_set_pull_function(tls->session, 
(gnutls_pull_func)tls_pull);
-       gnutls_transport_set_push_function(tls->session, 
(gnutls_push_func)tls_push);
-#if GNUTLS_VERSION_MAJOR < 3
-       gnutls_transport_set_lowat(tls->session, 0);
-#endif
-       tls->tls_detect = false;
-
-       tls->output_pending  = false;
-       tls->done_handshake  = false;
-       tls->have_first_byte = false;
-       tls->tls_enabled     = true;
-       tls->interrupted     = false;
-
-       new_sock->state = SOCKET_STATE_CLIENT_CONNECTED;
-
-       return new_sock;
-
-failed:
-       DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret)));
-       tls->tls_enabled = false;
-       return new_sock;
-}
-
 static NTSTATUS tls_socket_set_option(struct socket_context *sock, const char 
*option, const char *val)
 {
        set_socket_options(socket_get_fd(sock), option);
@@ -693,15 +643,5 @@ struct socket_context *tls_init_server(struct tls_params 
*params,
 }
 
 
-/*
-  setup for a new client connection
-*/
-struct socket_context *tls_init_client(struct socket_context *socket,
-                                      struct tevent_fd *fde,
-                                      const char *ca_path)
-{
-       return NULL;
-}
-
 #endif
 
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index e6c27f3..71e6cfb 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -51,13 +51,6 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
                       const char *cafile);
 
 /*
-  call tls_init_client() on each new client connection
-*/
-struct socket_context *tls_init_client(struct socket_context *sock, 
-                                   struct tevent_fd *fde,
-                                   const char *cafile);
-
-/*
   return True if a connection used tls
 */
 bool tls_enabled(struct socket_context *tls);
diff --git a/source4/web_server/web_server.c b/source4/web_server/web_server.c
index 0339b55..d83b35a 100644
--- a/source4/web_server/web_server.c
+++ b/source4/web_server/web_server.c
@@ -49,7 +49,7 @@ static void websrv_timeout(struct tevent_context 
*event_context,
                           struct tevent_timer *te, 
                           struct timeval t, void *private_data)
 {
-       struct websrv_context *web = talloc_get_type(private_data, struct 
websrv_context);
+       struct websrv_context *web = talloc_get_type_abort(private_data, struct 
websrv_context);
        struct stream_connection *conn = web->conn;
        web->conn = NULL;
        /* TODO: send a message to any running esp context on this connection
@@ -142,8 +142,8 @@ NTSTATUS http_parse_header(struct websrv_context *web, 
const char *line)
 static void websrv_recv(struct stream_connection *conn, uint16_t flags)
 {
        struct web_server_data *wdata;
-       struct websrv_context *web = talloc_get_type(conn->private_data,
-                                                    struct websrv_context);
+       struct websrv_context *web = talloc_get_type_abort(conn->private_data,
+                                                          struct 
websrv_context);
        NTSTATUS status;
        uint8_t buf[1024];
        size_t nread;
@@ -199,7 +199,7 @@ static void websrv_recv(struct stream_connection *conn, 
uint16_t flags)
                 destroy the stack variables being used by that
                 rendering process when we handle the timeout. */
                if (!talloc_reference(web->task, web)) goto failed;
-               wdata = talloc_get_type(web->task->private_data, struct 
web_server_data);
+               wdata = talloc_get_type_abort(web->task->private_data, struct 
web_server_data);
                if (wdata == NULL) goto failed;
                wdata->http_process_input(wdata, web);
                talloc_unlink(web->task, web);
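Review bot: The `if (wdata == NULL) goto failed;` check right after the new talloc_get_type_abort() call is now unreachable, because talloc_get_type_abort() aborts the process on a type mismatch instead of returning NULL (and, I believe, on a NULL pointer as well). Either drop the check, or keep talloc_get_type() at this call site if a missing web_server_data is a state the server should survive rather than crash on. The same replacement appears in the other hunks of this file, but only this one leaves a dead check behind.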
@@ -217,8 +217,8 @@ failed:
 */
 static void websrv_send(struct stream_connection *conn, uint16_t flags)
 {
-       struct websrv_context *web = talloc_get_type(conn->private_data,
-                                                    struct websrv_context);
+       struct websrv_context *web = talloc_get_type_abort(conn->private_data,
+                                                          struct 
websrv_context);
        NTSTATUS status;
        size_t nsent;
        DATA_BLOB b;
@@ -248,7 +248,8 @@ static void websrv_send(struct stream_connection *conn, 
uint16_t flags)
 */
 static void websrv_accept(struct stream_connection *conn)
 {
-       struct web_server_data *wdata = talloc_get_type(conn->private_data, 
struct web_server_data);
+       struct task_server *task = talloc_get_type_abort(conn->private_data, 
struct task_server);
+       struct web_server_data *wdata = 
talloc_get_type_abort(task->private_data, struct web_server_data);
        struct websrv_context *web;
        struct socket_context *tls_socket;
 
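Review bot: The two-step cast in websrv_accept now reads conn->private_data as a task_server and only then reaches web_server_data through task->private_data, the same layout the websrv_recv hunk above relies on via `web->task->private_data`; the old single cast is presumably what made talloc_get_type() yield NULL and the server crash on startup, but nothing in the code records that. A one-line comment, `/* the listener's private_data is the task_server; web_server_data hangs off task->private_data */`, would keep the next reader from simplifying it back. The rest of websrv_accept lies outside the hunk.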


-- 
Samba Shared Repository
