X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=source4%2Flib%2Ftls%2Ftls.c;h=7bf2ff8e432a3d7db24f29d08f9c7a714caf2af7;hb=32c82fe69b588fe18674c0bda49cd7fc0f73f50a;hp=f72aafe542fc271e0e67cc9a14b05ab3bed91c82;hpb=5209a846a9157e649fcdcb561f7eaf19c8c0e465;p=samba.git diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index f72aafe542f..7bf2ff8e432 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -28,7 +28,7 @@ #include "param/param.h" #if ENABLE_GNUTLS -#include "gnutls/gnutls.h" +#include #define DH_BITS 1024 @@ -47,7 +47,7 @@ struct tls_params { /* hold per connection tls data */ struct tls_context { struct socket_context *socket; - struct fd_event *fde; + struct tevent_fd *fde; bool tls_enabled; #if ENABLE_GNUTLS gnutls_session session; @@ -126,21 +126,21 @@ static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size) return 0; } if (NT_STATUS_IS_ERR(status)) { - EVENT_FD_NOT_READABLE(tls->fde); - EVENT_FD_NOT_WRITEABLE(tls->fde); + TEVENT_FD_NOT_READABLE(tls->fde); + TEVENT_FD_NOT_WRITEABLE(tls->fde); errno = EBADF; return -1; } if (!NT_STATUS_IS_OK(status)) { - EVENT_FD_READABLE(tls->fde); + TEVENT_FD_READABLE(tls->fde); errno = EAGAIN; return -1; } if (tls->output_pending) { - EVENT_FD_WRITEABLE(tls->fde); + TEVENT_FD_WRITEABLE(tls->fde); } if (size != nread) { - EVENT_FD_READABLE(tls->fde); + TEVENT_FD_READABLE(tls->fde); } return nread; } @@ -168,11 +168,11 @@ static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size) return -1; } if (!NT_STATUS_IS_OK(status)) { - EVENT_FD_WRITEABLE(tls->fde); + TEVENT_FD_WRITEABLE(tls->fde); return -1; } if (size != nwritten) { - EVENT_FD_WRITEABLE(tls->fde); + TEVENT_FD_WRITEABLE(tls->fde); } return nwritten; } @@ -185,7 +185,7 @@ static int tls_destructor(struct tls_context *tls) int ret; ret = gnutls_bye(tls->session, GNUTLS_SHUT_WR); if (ret < 0) { - DEBUG(0,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret))); + DEBUG(4,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret))); } return 0; } @@ -205,7 +205,7 @@ static NTSTATUS tls_handshake(struct tls_context *tls) ret = gnutls_handshake(tls->session); if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { if (gnutls_record_get_direction(tls->session) == 1) { - EVENT_FD_WRITEABLE(tls->fde); + TEVENT_FD_WRITEABLE(tls->fde); } return STATUS_MORE_ENTRIES; } @@ -298,7 +298,7 @@ static NTSTATUS tls_socket_recv(struct socket_context *sock, void *buf, ret = gnutls_record_recv(tls->session, buf, wantlen); if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { if (gnutls_record_get_direction(tls->session) == 1) { - EVENT_FD_WRITEABLE(tls->fde); + TEVENT_FD_WRITEABLE(tls->fde); } tls->interrupted = true; return STATUS_MORE_ENTRIES; @@ -334,7 +334,7 @@ static NTSTATUS tls_socket_send(struct socket_context *sock, ret = gnutls_record_send(tls->session, blob->data, blob->length); if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { if (gnutls_record_get_direction(tls->session) == 1) { - EVENT_FD_WRITEABLE(tls->fde); + TEVENT_FD_WRITEABLE(tls->fde); } tls->interrupted = true; return STATUS_MORE_ENTRIES; @@ -357,26 +357,33 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * struct tls_params *params; int ret; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - const char *keyfile = private_path(tmp_ctx, lp_ctx, lp_tls_keyfile(lp_ctx)); - const char *certfile = private_path(tmp_ctx, lp_ctx, lp_tls_certfile(lp_ctx)); - const char *cafile = private_path(tmp_ctx, lp_ctx, lp_tls_cafile(lp_ctx)); - const char *crlfile = private_path(tmp_ctx, lp_ctx, lp_tls_crlfile(lp_ctx)); - const char *dhpfile = private_path(tmp_ctx, lp_ctx, lp_tls_dhpfile(lp_ctx)); - void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); + const char *keyfile = lpcfg_tls_keyfile(tmp_ctx, lp_ctx); + const char *certfile = lpcfg_tls_certfile(tmp_ctx, lp_ctx); + const char *cafile = lpcfg_tls_cafile(tmp_ctx, lp_ctx); + const char *crlfile = lpcfg_tls_crlfile(tmp_ctx, lp_ctx); + const char *dhpfile = lpcfg_tls_dhpfile(tmp_ctx, lp_ctx); + void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); if (params == NULL) { talloc_free(tmp_ctx); return NULL; } - if (!lp_tls_enabled(lp_ctx) || keyfile == NULL || *keyfile == 0) { + if (!lpcfg_tls_enabled(lp_ctx) || keyfile == NULL || *keyfile == 0) { params->tls_enabled = false; talloc_free(tmp_ctx); return params; } if (!file_exist(cafile)) { - tls_cert_generate(params, keyfile, certfile, cafile); + char *hostname = talloc_asprintf(mem_ctx, "%s.%s", + lpcfg_netbios_name(lp_ctx), + lpcfg_dnsdomain(lp_ctx)); + if (hostname == NULL) { + goto init_failed; + } + tls_cert_generate(params, hostname, keyfile, certfile, cafile); + talloc_free(hostname); } ret = gnutls_global_init(); @@ -454,8 +461,8 @@ init_failed: setup for a new connection */ struct socket_context *tls_init_server(struct tls_params *params, - struct socket_context *socket, - struct fd_event *fde, + struct socket_context *socket_ctx, + struct tevent_fd *fde, const char *plain_chars) { struct tls_context *tls; @@ -463,9 +470,9 @@ struct socket_context *tls_init_server(struct tls_params *params, struct socket_context *new_sock; NTSTATUS nt_status; - nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, + nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, &new_sock, SOCKET_TYPE_STREAM, - socket->flags | SOCKET_FLAG_ENCRYPT); + socket_ctx->flags | SOCKET_FLAG_ENCRYPT); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } @@ -475,16 +482,9 @@ struct socket_context *tls_init_server(struct tls_params *params, return NULL; } - tls->socket = socket; + tls->socket = socket_ctx; + talloc_steal(tls, socket_ctx); tls->fde = fde; - if (talloc_reference(tls, fde) == NULL) { - talloc_free(new_sock); - return NULL; - } - if (talloc_reference(tls, socket) == NULL) { - talloc_free(new_sock); - return NULL; - } new_sock->private_data = tls; @@ -505,7 +505,9 @@ struct socket_context *tls_init_server(struct tls_params *params, gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls); gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull); gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push); +#if GNUTLS_VERSION_MAJOR < 3 gnutls_transport_set_lowat(tls->session, 0); +#endif tls->plain_chars = plain_chars; if (plain_chars) { @@ -534,20 +536,19 @@ failed: /* setup for a new client connection */ -struct socket_context *tls_init_client(struct socket_context *socket, - struct fd_event *fde, +struct socket_context *tls_init_client(struct socket_context *socket_ctx, + struct tevent_fd *fde, const char *ca_path) { struct tls_context *tls; int ret = 0; const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; - char *cafile; struct socket_context *new_sock; NTSTATUS nt_status; - nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, + nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, &new_sock, SOCKET_TYPE_STREAM, - socket->flags | SOCKET_FLAG_ENCRYPT); + socket_ctx->flags | SOCKET_FLAG_ENCRYPT); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } @@ -555,20 +556,16 @@ struct socket_context *tls_init_client(struct socket_context *socket, tls = talloc(new_sock, struct tls_context); if (tls == NULL) return NULL; - tls->socket = socket; + tls->socket = socket_ctx; + talloc_steal(tls, socket_ctx); tls->fde = fde; - if (talloc_reference(tls, fde) == NULL) { - return NULL; - } - if (talloc_reference(tls, socket) == NULL) { - return NULL; - } + new_sock->private_data = tls; gnutls_global_init(); gnutls_certificate_allocate_credentials(&tls->xcred); - gnutls_certificate_set_x509_trust_file(tls->xcred, cafile, GNUTLS_X509_FMT_PEM); + gnutls_certificate_set_x509_trust_file(tls->xcred, ca_path, GNUTLS_X509_FMT_PEM); TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT)); TLSCHECK(gnutls_set_default_priority(tls->session)); gnutls_certificate_type_set_priority(tls->session, cert_type_priority); @@ -579,7 +576,9 @@ struct socket_context *tls_init_client(struct socket_context *socket, gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls); gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull); gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push); +#if GNUTLS_VERSION_MAJOR < 3 gnutls_transport_set_lowat(tls->session, 0); +#endif tls->tls_detect = false; tls->output_pending = false; @@ -643,11 +642,6 @@ static const struct socket_ops tls_socket_ops = { .fn_get_fd = tls_socket_get_fd }; -bool tls_support(struct tls_params *params) -{ - return params->tls_enabled; -} - #else /* for systems without tls we just fail the operations, and the caller @@ -663,7 +657,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * */ struct socket_context *tls_init_server(struct tls_params *params, struct socket_context *socket, - struct fd_event *fde, + struct tevent_fd *fde, const char *plain_chars) { return NULL; @@ -674,16 +668,11 @@ struct socket_context *tls_init_server(struct tls_params *params, setup for a new client connection */ struct socket_context *tls_init_client(struct socket_context *socket, - struct fd_event *fde, + struct tevent_fd *fde, const char *ca_path) { return NULL; } -bool tls_support(struct tls_params *params) -{ - return false; -} - #endif