source4/lib/tls/tls.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    transport layer security handling code
   5
   6    Copyright (C) Andrew Tridgell 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "lib/events/events.h"
  25 #include "lib/socket/socket.h"
  26 #include "lib/tls/tls.h"
  27
  28 #if HAVE_LIBGNUTLS
  29 #include "gnutls/gnutls.h"
  30
  31 #define DH_BITS 1024
  32
  33 /* hold persistent tls data */
  34 struct tls_params {
  35         gnutls_certificate_credentials x509_cred;
  36         gnutls_dh_params dh_params;
  37         BOOL tls_enabled;
  38 };
  39
  40 /* hold per connection tls data */
  41 struct tls_context {
  42         struct tls_params *params;
  43         struct socket_context *socket;
  44         struct fd_event *fde;
  45         gnutls_session session;
  46         BOOL done_handshake;
  47         BOOL have_first_byte;
  48         uint8_t first_byte;
  49         BOOL tls_enabled;
  50         BOOL tls_detect;
  51         const char *plain_chars;
  52         BOOL output_pending;
  53 };
  54
  55
  56 /*
  57   callback for reading from a socket
  58 */
  59 static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size)
  60 {
  61         struct tls_context *tls = talloc_get_type(ptr, struct tls_context);
  62         NTSTATUS status;
  63         size_t nread;
  64
  65         if (tls->have_first_byte) {
  66                 *(uint8_t *)buf = tls->first_byte;
  67                 tls->have_first_byte = False;
  68                 return 1;
  69         }
  70
  71         status = socket_recv(tls->socket, buf, size, &nread, 0);
  72         if (NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)) {
  73                 return 0;
  74         }
  75         if (NT_STATUS_IS_ERR(status)) {
  76                 EVENT_FD_NOT_READABLE(tls->fde);
  77                 EVENT_FD_NOT_WRITEABLE(tls->fde);
  78                 errno = EBADF;
  79                 return -1;
  80         }
  81         if (!NT_STATUS_IS_OK(status)) {
  82                 EVENT_FD_READABLE(tls->fde);
  83                 EVENT_FD_NOT_WRITEABLE(tls->fde);
  84                 errno = EAGAIN;
  85                 return -1;
  86         }
  87         if (tls->output_pending) {
  88                 EVENT_FD_WRITEABLE(tls->fde);
  89         }
  90         if (size != nread) {
  91                 EVENT_FD_READABLE(tls->fde);
  92         }
  93         return nread;
  94 }
  95
  96 /*
  97   callback for writing to a socket
  98 */
  99 static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size)
 100 {
 101         struct tls_context *tls = talloc_get_type(ptr, struct tls_context);
 102         NTSTATUS status;
 103         size_t nwritten;
 104         DATA_BLOB b;
 105
 106         if (!tls->tls_enabled) {
 107                 return size;
 108         }
 109
 110         b.data = discard_const(buf);
 111         b.length = size;
 112
 113         status = socket_send(tls->socket, &b, &nwritten, 0);
 114         if (!NT_STATUS_IS_OK(status)) {
 115                 EVENT_FD_WRITEABLE(tls->fde);
 116                 return -1;
 117         }
 118         if (size != nwritten) {
 119                 EVENT_FD_WRITEABLE(tls->fde);
 120         }
 121         return nwritten;
 122 }
 123
 124 /*
 125   destroy a tls session
 126  */
 127 static int tls_destructor(void *ptr)
 128 {
 129         struct tls_context *tls = talloc_get_type(ptr, struct tls_context);
 130         int ret;
 131         ret = gnutls_bye(tls->session, GNUTLS_SHUT_WR);
 132         if (ret < 0) {
 133                 DEBUG(0,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret)));
 134         }
 135         return 0;
 136 }
 137
 138
 139 /*
 140   possibly continue the handshake process
 141 */
 142 static NTSTATUS tls_handshake(struct tls_context *tls)
 143 {
 144         int ret;
 145
 146         if (tls->done_handshake) {
 147                 return NT_STATUS_OK;
 148         }
 149
 150         ret = gnutls_handshake(tls->session);
 151         if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
 152                 return STATUS_MORE_ENTRIES;
 153         }
 154         if (ret < 0) {
 155                 DEBUG(0,("TLS gnutls_handshake failed - %s\n", gnutls_strerror(ret)));
 156                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 157         }
 158         tls->done_handshake = True;
 159         return NT_STATUS_OK;
 160 }
 161
 162
 163 /*
 164   receive data either by tls or normal socket_recv
 165 */
 166 NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen,
 167                          size_t *nread)
 168 {
 169         int ret;
 170         NTSTATUS status;
 171         if (tls->tls_enabled && tls->tls_detect) {
 172                 status = socket_recv(tls->socket, &tls->first_byte, 1, nread, 0);
 173                 NT_STATUS_NOT_OK_RETURN(status);
 174                 if (*nread == 0) return NT_STATUS_OK;
 175                 tls->tls_detect = False;
 176                 /* look for the first byte of a valid HTTP operation */
 177                 if (strchr(tls->plain_chars, tls->first_byte)) {
 178                         /* not a tls link */
 179                         tls->tls_enabled = False;
 180                         *(uint8_t *)buf = tls->first_byte;
 181                         return NT_STATUS_OK;
 182                 }
 183                 tls->have_first_byte = True;
 184         }
 185
 186         if (!tls->tls_enabled) {
 187                 return socket_recv(tls->socket, buf, wantlen, nread, 0);
 188         }
 189
 190         status = tls_handshake(tls);
 191         NT_STATUS_NOT_OK_RETURN(status);
 192
 193         ret = gnutls_record_recv(tls->session, buf, wantlen);
 194         if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
 195                 return STATUS_MORE_ENTRIES;
 196         }
 197         if (ret < 0) {
 198                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 199         }
 200         *nread = ret;
 201         return NT_STATUS_OK;
 202 }
 203
 204
 205 /*
 206   send data either by tls or normal socket_recv
 207 */
 208 NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen)
 209 {
 210         NTSTATUS status;
 211         int ret;
 212
 213         if (!tls->tls_enabled) {
 214                 return socket_send(tls->socket, blob, sendlen, 0);
 215         }
 216
 217         status = tls_handshake(tls);
 218         NT_STATUS_NOT_OK_RETURN(status);
 219
 220         ret = gnutls_record_send(tls->session, blob->data, blob->length);
 221         if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
 222                 return STATUS_MORE_ENTRIES;
 223         }
 224         if (ret < 0) {
 225                 DEBUG(0,("gnutls_record_send failed - %s\n", gnutls_strerror(ret)));
 226                 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 227         }
 228         *sendlen = ret;
 229         tls->output_pending = (ret < blob->length);
 230         return NT_STATUS_OK;
 231 }
 232
 233
 234 /*
 235   initialise global tls state
 236 */
 237 struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 238 {
 239         struct tls_params *params;
 240         int ret;
 241         const char *keyfile = lp_tls_keyfile();
 242         const char *certfile = lp_tls_certfile();
 243         const char *cafile = lp_tls_cafile();
 244         const char *crlfile = lp_tls_crlfile();
 245         void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
 246
 247         params = talloc(mem_ctx, struct tls_params);
 248         if (params == NULL) return NULL;
 249
 250         if (!lp_tls_enabled() || keyfile == NULL || *keyfile == 0) {
 251                 params->tls_enabled = False;
 252                 return params;
 253         }
 254
 255         if (!file_exist(cafile)) {
 256                 tls_cert_generate(params, keyfile, certfile, cafile);
 257         }
 258
 259         ret = gnutls_global_init();
 260         if (ret < 0) goto init_failed;
 261
 262         gnutls_certificate_allocate_credentials(&params->x509_cred);
 263         if (ret < 0) goto init_failed;
 264
 265         if (cafile && *cafile) {
 266                 ret = gnutls_certificate_set_x509_trust_file(params->x509_cred, cafile,
 267                                                              GNUTLS_X509_FMT_PEM);
 268                 if (ret < 0) {
 269                         DEBUG(0,("TLS failed to initialise cafile %s\n", cafile));
 270                         goto init_failed;
 271                 }
 272         }
 273
 274         if (crlfile && *crlfile) {
 275                 ret = gnutls_certificate_set_x509_crl_file(params->x509_cred,
 276                                                            crlfile,
 277                                                            GNUTLS_X509_FMT_PEM);
 278                 if (ret < 0) {
 279                         DEBUG(0,("TLS failed to initialise crlfile %s\n", crlfile));
 280                         goto init_failed;
 281                 }
 282         }
 283
 284         ret = gnutls_certificate_set_x509_key_file(params->x509_cred,
 285                                                    certfile, keyfile,
 286                                                    GNUTLS_X509_FMT_PEM);
 287         if (ret < 0) {
 288                 DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s\n",
 289                          certfile, keyfile));
 290                 goto init_failed;
 291         }
 292
 293         ret = gnutls_dh_params_init(&params->dh_params);
 294         if (ret < 0) goto init_failed;
 295
 296         ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
 297         if (ret < 0) goto init_failed;
 298
 299         gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params);
 300
 301         params->tls_enabled = True;
 302         return params;
 303
 304 init_failed:
 305         DEBUG(0,("GNUTLS failed to initialise - %s\n", gnutls_strerror(ret)));
 306         params->tls_enabled = False;
 307         return params;
 308 }
 309
 310
 311 /*
 312   setup for a new connection
 313 */
 314 struct tls_context *tls_init_server(struct tls_params *params,
 315                                     struct socket_context *socket,
 316                                     struct fd_event *fde,
 317                                     const char *plain_chars)
 318 {
 319         struct tls_context *tls;
 320         int ret;
 321
 322         tls = talloc(socket, struct tls_context);
 323         if (tls == NULL) return NULL;
 324
 325         tls->socket          = socket;
 326         tls->fde             = fde;
 327
 328         if (!params->tls_enabled) {
 329                 tls->tls_enabled = False;
 330                 return tls;
 331         }
 332
 333 #define TLSCHECK(call) do { \
 334         ret = call; \
 335         if (ret < 0) { \
 336                 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
 337                 goto failed; \
 338         } \
 339 } while (0)
 340
 341         TLSCHECK(gnutls_init(&tls->session, GNUTLS_SERVER));
 342
 343         talloc_set_destructor(tls, tls_destructor);
 344
 345         TLSCHECK(gnutls_set_default_priority(tls->session));
 346         TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE,
 347                                         params->x509_cred));
 348         gnutls_certificate_server_set_request(tls->session, GNUTLS_CERT_REQUEST);
 349         gnutls_dh_set_prime_bits(tls->session, DH_BITS);
 350         gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls);
 351         gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull);
 352         gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push);
 353         gnutls_transport_set_lowat(tls->session, 0);
 354
 355         tls->plain_chars = plain_chars;
 356         if (plain_chars) {
 357                 tls->tls_detect = True;
 358         } else {
 359                 tls->tls_detect = False;
 360         }
 361
 362         tls->output_pending  = False;
 363         tls->params          = params;
 364         tls->done_handshake  = False;
 365         tls->have_first_byte = False;
 366         tls->tls_enabled     = True;
 367
 368         return tls;
 369
 370 failed:
 371         DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret)));
 372         tls->tls_enabled = False;
 373         params->tls_enabled = False;
 374         return tls;
 375 }
 376
 377 BOOL tls_enabled(struct tls_context *tls)
 378 {
 379         return tls->tls_enabled;
 380 }
 381
 382 BOOL tls_support(struct tls_params *params)
 383 {
 384         return params->tls_enabled;
 385 }
 386
 387
 388 #else
 389
 390 /* for systems without tls we just map the tls socket calls to the
 391    normal socket calls */
 392
 393 struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 394 {
 395         return talloc_new(mem_ctx);
 396 }
 397
 398 struct tls_context *tls_init_server(struct tls_params *params,
 399                                     struct socket_context *sock,
 400                                     struct fd_event *fde,
 401                                     const char *plain_chars)
 402 {
 403         if (plain_chars == NULL) return NULL;
 404         return (struct tls_context *)sock;
 405 }
 406
 407
 408 NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen,
 409                          size_t *nread)
 410 {
 411         return socket_recv((struct socket_context *)tls, buf, wantlen, nread, 0);
 412 }
 413
 414 NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen)
 415 {
 416         return socket_send((struct socket_context *)tls, blob, sendlen, 0);
 417 }
 418
 419 BOOL tls_enabled(struct tls_context *tls)
 420 {
 421         return False;
 422 }
 423
 424 BOOL tls_support(struct tls_params *params)
 425 {
 426         return False;
 427 }
 428
 429 #endif