s4:lib/tls - include GNUTLS headers consistently using <...>
[samba.git] / source4 / lib / tls / tls.c
index 046c2b90368d475c4a65e098b82bd9178a656263..7bf2ff8e432a3d7db24f29d08f9c7a714caf2af7 100644 (file)
@@ -28,7 +28,7 @@
 #include "param/param.h"
 
 #if ENABLE_GNUTLS
-#include "gnutls/gnutls.h"
+#include <gnutls/gnutls.h>
 
 #define DH_BITS 1024
 
@@ -47,7 +47,7 @@ struct tls_params {
 /* hold per connection tls data */
 struct tls_context {
        struct socket_context *socket;
-       struct fd_event *fde;
+       struct tevent_fd *fde;
        bool tls_enabled;
 #if ENABLE_GNUTLS
        gnutls_session session;
@@ -126,21 +126,21 @@ static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size)
                return 0;
        }
        if (NT_STATUS_IS_ERR(status)) {
-               EVENT_FD_NOT_READABLE(tls->fde);
-               EVENT_FD_NOT_WRITEABLE(tls->fde);
+               TEVENT_FD_NOT_READABLE(tls->fde);
+               TEVENT_FD_NOT_WRITEABLE(tls->fde);
                errno = EBADF;
                return -1;
        }
        if (!NT_STATUS_IS_OK(status)) {
-               EVENT_FD_READABLE(tls->fde);
+               TEVENT_FD_READABLE(tls->fde);
                errno = EAGAIN;
                return -1;
        }
        if (tls->output_pending) {
-               EVENT_FD_WRITEABLE(tls->fde);
+               TEVENT_FD_WRITEABLE(tls->fde);
        }
        if (size != nread) {
-               EVENT_FD_READABLE(tls->fde);
+               TEVENT_FD_READABLE(tls->fde);
        }
        return nread;
 }
@@ -168,11 +168,11 @@ static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size)
                return -1;
        }
        if (!NT_STATUS_IS_OK(status)) {
-               EVENT_FD_WRITEABLE(tls->fde);
+               TEVENT_FD_WRITEABLE(tls->fde);
                return -1;
        }
        if (size != nwritten) {
-               EVENT_FD_WRITEABLE(tls->fde);
+               TEVENT_FD_WRITEABLE(tls->fde);
        }
        return nwritten;
 }
@@ -185,7 +185,7 @@ static int tls_destructor(struct tls_context *tls)
        int ret;
        ret = gnutls_bye(tls->session, GNUTLS_SHUT_WR);
        if (ret < 0) {
-               DEBUG(0,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret)));
+               DEBUG(4,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret)));
        }
        return 0;
 }
@@ -205,7 +205,7 @@ static NTSTATUS tls_handshake(struct tls_context *tls)
        ret = gnutls_handshake(tls->session);
        if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
                if (gnutls_record_get_direction(tls->session) == 1) {
-                       EVENT_FD_WRITEABLE(tls->fde);
+                       TEVENT_FD_WRITEABLE(tls->fde);
                }
                return STATUS_MORE_ENTRIES;
        }
@@ -298,7 +298,7 @@ static NTSTATUS tls_socket_recv(struct socket_context *sock, void *buf,
        ret = gnutls_record_recv(tls->session, buf, wantlen);
        if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
                if (gnutls_record_get_direction(tls->session) == 1) {
-                       EVENT_FD_WRITEABLE(tls->fde);
+                       TEVENT_FD_WRITEABLE(tls->fde);
                }
                tls->interrupted = true;
                return STATUS_MORE_ENTRIES;
@@ -334,7 +334,7 @@ static NTSTATUS tls_socket_send(struct socket_context *sock,
        ret = gnutls_record_send(tls->session, blob->data, blob->length);
        if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
                if (gnutls_record_get_direction(tls->session) == 1) {
-                       EVENT_FD_WRITEABLE(tls->fde);
+                       TEVENT_FD_WRITEABLE(tls->fde);
                }
                tls->interrupted = true;
                return STATUS_MORE_ENTRIES;
@@ -357,27 +357,33 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
        struct tls_params *params;
        int ret;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-       const char *keyfile = private_path(tmp_ctx, lp_ctx, lp_tls_keyfile(lp_ctx));
-       const char *certfile = private_path(tmp_ctx, lp_ctx, lp_tls_certfile(lp_ctx));
-       const char *cafile = private_path(tmp_ctx, lp_ctx, lp_tls_cafile(lp_ctx));
-       const char *crlfile = private_path(tmp_ctx, lp_ctx, lp_tls_crlfile(lp_ctx));
-       const char *dhpfile = private_path(tmp_ctx, lp_ctx, lp_tls_dhpfile(lp_ctx));
-       void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
-
+       const char *keyfile = lpcfg_tls_keyfile(tmp_ctx, lp_ctx);
+       const char *certfile = lpcfg_tls_certfile(tmp_ctx, lp_ctx);
+       const char *cafile = lpcfg_tls_cafile(tmp_ctx, lp_ctx);
+       const char *crlfile = lpcfg_tls_crlfile(tmp_ctx, lp_ctx);
+       const char *dhpfile = lpcfg_tls_dhpfile(tmp_ctx, lp_ctx);
+       void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *);
        params = talloc(mem_ctx, struct tls_params);
        if (params == NULL) {
                talloc_free(tmp_ctx);
                return NULL;
        }
 
-       if (!lp_tls_enabled(lp_ctx) || keyfile == NULL || *keyfile == 0) {
+       if (!lpcfg_tls_enabled(lp_ctx) || keyfile == NULL || *keyfile == 0) {
                params->tls_enabled = false;
                talloc_free(tmp_ctx);
                return params;
        }
 
        if (!file_exist(cafile)) {
-               tls_cert_generate(params, keyfile, certfile, cafile);
+               char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
+                                                lpcfg_netbios_name(lp_ctx),
+                                                lpcfg_dnsdomain(lp_ctx));
+               if (hostname == NULL) {
+                       goto init_failed;
+               }
+               tls_cert_generate(params, hostname, keyfile, certfile, cafile);
+               talloc_free(hostname);
        }
 
        ret = gnutls_global_init();
@@ -455,8 +461,8 @@ init_failed:
   setup for a new connection
 */
 struct socket_context *tls_init_server(struct tls_params *params, 
-                                      struct socket_context *socket,
-                                      struct fd_event *fde, 
+                                      struct socket_context *socket_ctx,
+                                      struct tevent_fd *fde, 
                                       const char *plain_chars)
 {
        struct tls_context *tls;
@@ -464,9 +470,9 @@ struct socket_context *tls_init_server(struct tls_params *params,
        struct socket_context *new_sock;
        NTSTATUS nt_status;
        
-       nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, 
+       nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, &new_sock, 
                                           SOCKET_TYPE_STREAM, 
-                                          socket->flags | SOCKET_FLAG_ENCRYPT);
+                                          socket_ctx->flags | SOCKET_FLAG_ENCRYPT);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return NULL;
        }
@@ -476,16 +482,9 @@ struct socket_context *tls_init_server(struct tls_params *params,
                return NULL;
        }
 
-       tls->socket          = socket;
+       tls->socket          = socket_ctx;
+       talloc_steal(tls, socket_ctx);
        tls->fde             = fde;
-       if (talloc_reference(tls, fde) == NULL) {
-               talloc_free(new_sock);
-               return NULL;
-       }
-       if (talloc_reference(tls, socket) == NULL) {
-               talloc_free(new_sock);
-               return NULL;
-       }
 
        new_sock->private_data    = tls;
 
@@ -506,7 +505,9 @@ struct socket_context *tls_init_server(struct tls_params *params,
        gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls);
        gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull);
        gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push);
+#if GNUTLS_VERSION_MAJOR < 3
        gnutls_transport_set_lowat(tls->session, 0);
+#endif
 
        tls->plain_chars = plain_chars;
        if (plain_chars) {
@@ -535,20 +536,19 @@ failed:
 /*
   setup for a new client connection
 */
-struct socket_context *tls_init_client(struct socket_context *socket,
-                                      struct fd_event *fde,
+struct socket_context *tls_init_client(struct socket_context *socket_ctx,
+                                      struct tevent_fd *fde,
                                       const char *ca_path)
 {
        struct tls_context *tls;
        int ret = 0;
        const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
-       char *cafile;
        struct socket_context *new_sock;
        NTSTATUS nt_status;
        
-       nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, 
+       nt_status = socket_create_with_ops(socket_ctx, &tls_socket_ops, &new_sock, 
                                           SOCKET_TYPE_STREAM, 
-                                          socket->flags | SOCKET_FLAG_ENCRYPT);
+                                          socket_ctx->flags | SOCKET_FLAG_ENCRYPT);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return NULL;
        }
@@ -556,20 +556,16 @@ struct socket_context *tls_init_client(struct socket_context *socket,
        tls = talloc(new_sock, struct tls_context);
        if (tls == NULL) return NULL;
 
-       tls->socket          = socket;
+       tls->socket          = socket_ctx;
+       talloc_steal(tls, socket_ctx);
        tls->fde             = fde;
-       if (talloc_reference(tls, fde) == NULL) {
-               return NULL;
-       }
-       if (talloc_reference(tls, socket) == NULL) {
-               return NULL;
-       }
+
        new_sock->private_data    = tls;
 
        gnutls_global_init();
 
        gnutls_certificate_allocate_credentials(&tls->xcred);
-       gnutls_certificate_set_x509_trust_file(tls->xcred, cafile, GNUTLS_X509_FMT_PEM);
+       gnutls_certificate_set_x509_trust_file(tls->xcred, ca_path, GNUTLS_X509_FMT_PEM);
        TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT));
        TLSCHECK(gnutls_set_default_priority(tls->session));
        gnutls_certificate_type_set_priority(tls->session, cert_type_priority);
@@ -580,7 +576,9 @@ struct socket_context *tls_init_client(struct socket_context *socket,
        gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls);
        gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull);
        gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push);
+#if GNUTLS_VERSION_MAJOR < 3
        gnutls_transport_set_lowat(tls->session, 0);
+#endif
        tls->tls_detect = false;
 
        tls->output_pending  = false;
@@ -644,11 +642,6 @@ static const struct socket_ops tls_socket_ops = {
        .fn_get_fd              = tls_socket_get_fd
 };
 
-bool tls_support(struct tls_params *params)
-{
-       return params->tls_enabled;
-}
-
 #else
 
 /* for systems without tls we just fail the operations, and the caller
@@ -664,7 +657,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
 */
 struct socket_context *tls_init_server(struct tls_params *params, 
                                    struct socket_context *socket,
-                                   struct fd_event *fde, 
+                                   struct tevent_fd *fde, 
                                    const char *plain_chars)
 {
        return NULL;
@@ -675,16 +668,11 @@ struct socket_context *tls_init_server(struct tls_params *params,
   setup for a new client connection
 */
 struct socket_context *tls_init_client(struct socket_context *socket,
-                                      struct fd_event *fde,
+                                      struct tevent_fd *fde,
                                       const char *ca_path)
 {
        return NULL;
 }
 
-bool tls_support(struct tls_params *params)
-{
-       return false;
-}
-
 #endif