Added SSL support from Christian Starkjohann <cs@obdev.at>

This patch may not yet compile with -DUSE_SSL enabled, further Makefile changes may be needed. But it was important to get this code in place before I go off to USENIX. Jeremy. (This used to be commit 31e768369fdc61e07c59630c86c62239f3d3f3f7)
author: Jeremy Allison <jra@samba.org> 1998-06-16 01:35:52 +0000
committer: Jeremy Allison <jra@samba.org> 1998-06-16 01:35:52 +0000
commit: cb757820f5452d192ce3b1eeb4f19a17ee93c3fe (patch)
tree: b40303dac4805a9ffb4a32e0f24d90648ed7a1e7 /source3/smbd
parent: e31b4f29f6b6b7f74a066e1219d85d1eb425eebb (diff)
download: samba-cb757820f5452d192ce3b1eeb4f19a17ee93c3fe.tar.gz
samba-cb757820f5452d192ce3b1eeb4f19a17ee93c3fe.tar.bz2
samba-cb757820f5452d192ce3b1eeb4f19a17ee93c3fe.zip
2 files changed, 291 insertions, 0 deletions
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 25ec11abaa..45a63a544a 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -2810,6 +2810,10 @@ max can be %d\n", num_interfaces, FD_SETSIZE));
 static void process_smb(char *inbuf, char *outbuf)
 {
   extern int Client;
+#ifdef USE_SSL
+  extern BOOL sslEnabled;     /* don't use function for performance reasons */
+  static int sslConnected = 0;
+#endif /* USE_SSL */
   static int trans_num;
   int msg_type = CVAL(inbuf,0);
   int32 len = smb_len(inbuf);
@@ -2834,6 +2838,18 @@ static void process_smb(char *inbuf, char *outbuf)
   DEBUG(6,("got message type 0x%x of len 0x%x\n",msg_type,len));
   DEBUG(3,("%s Transaction %d of length %d\n",timestring(),trans_num,nread));
 
+#ifdef USE_SSL
+    if(sslEnabled && !sslConnected){
+        sslConnected = sslutil_negotiate_ssl(Client, msg_type);
+        if(sslConnected < 0){   /* an error occured */
+            exit_server("SSL negotiation failed");
+        }else if(sslConnected){
+            trans_num++;
+            return;
+        }
+    }
+#endif  /* USE_SSL */
+
 #ifdef WITH_VTP
   if(trans_num == 1 && VT_Check(inbuf)) 
   {
@@ -5425,6 +5441,15 @@ static void usage(char *pname)
   if (!reload_services(False))
     return(-1);	
 
+#ifdef USE_SSL
+  {
+    extern BOOL sslEnabled;
+    sslEnabled = lp_ssl_enabled();
+    if(sslEnabled)
+      sslutil_init(True);
+  }
+#endif        /* USE_SSL */
+
   codepage_initialise(lp_client_code_page());
 
   pstrcpy(global_myworkgroup, lp_workgroup());
diff --git a/source3/smbd/ssl.c b/source3/smbd/ssl.c
new file mode 100644
index 0000000000..1bb89f05b1
--- /dev/null
+++ b/source3/smbd/ssl.c
@@ -0,0 +1,266 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   SSLeay utility functions
+   Copyright (C) Christian Starkjohann <cs@obdev.at> 1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifdef USE_SSL  /* should always be defined if this module is compiled */
+
+#include "includes.h"
+#include <ssl.h>
+#include <err.h>
+
+BOOL            sslEnabled;
+SSL             *ssl = NULL;
+int             sslFd = -1;
+static SSL_CTX  *sslContext = NULL;
+extern int      DEBUGLEVEL;
+
+static int  ssl_verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+char    buffer[256];
+
+    X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
+            buffer, sizeof(buffer));
+    if(ok){
+        DEBUG(0, ("SSL: Certificate OK: %s\n", buffer));
+    }else{
+        switch (ctx->error){
+        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+            DEBUG(0, ("SSL: Cert error: CA not known: %s\n", buffer));
+            break;
+        case X509_V_ERR_CERT_NOT_YET_VALID:
+            DEBUG(0, ("SSL: Cert error: Cert not yet valid: %s\n", buffer));
+            break;
+        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+            DEBUG(0, ("SSL: Cert error: illegal \'not before\' field: %s\n",
+                    buffer));
+            break;
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+            DEBUG(0, ("SSL: Cert error: Cert expired: %s\n", buffer));
+            break;
+        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+            DEBUG(0, ("SSL: Cert error: invalid \'not after\' field: %s\n",
+                    buffer));
+            break;
+        default:
+            DEBUG(0, ("SSL: Cert error: unknown error %d in %s\n", ctx->error,
+                    buffer));
+            break;
+        }
+    }
+    return ok;
+}
+
+static RSA  *ssl_temp_rsa_cb(SSL *ssl, int export)
+{
+static RSA  *rsa = NULL;
+    
+    if(rsa == NULL)
+        rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
+    return rsa;
+}
+
+/* This is called before we fork. It should ask the user for the pass phrase
+ * if necessary. Error output can still go to stderr because the process
+ * has a terminal.
+ */
+int sslutil_init(int isServer)
+{
+int     err;
+char    *certfile, *keyfile, *ciphers, *cacertDir, *cacertFile;
+
+    SSL_load_error_strings();
+    SSLeay_add_ssl_algorithms();
+    switch(lp_ssl_version()){
+        case SMB_SSL_V2:    sslContext = SSL_CTX_new(SSLv2_method());   break;
+        case SMB_SSL_V3:    sslContext = SSL_CTX_new(SSLv3_method());   break;
+        default:
+        case SMB_SSL_V23:   sslContext = SSL_CTX_new(SSLv23_method());  break;
+        case SMB_SSL_TLS1:  sslContext = SSL_CTX_new(TLSv1_method());   break;
+    }
+    if(sslContext == NULL){
+        err = ERR_get_error();
+        fprintf(stderr, "SSL: Error allocating context: %s\n",
+                ERR_error_string(err, NULL));
+        exit(1);
+    }
+    if(lp_ssl_compatibility()){
+        SSL_CTX_set_options(sslContext, SSL_OP_ALL);
+    }
+    certfile = isServer ? lp_ssl_cert() : lp_ssl_client_cert();
+    if((certfile == NULL || *certfile == 0) && isServer){
+        fprintf(stderr, "SSL: No cert file specified in config file!\n");
+        fprintf(stderr, "The server MUST have a certificate!\n");
+        exit(1);
+    }
+    keyfile = isServer ? lp_ssl_privkey() : lp_ssl_client_privkey();
+    if(keyfile == NULL || *keyfile == 0)
+        keyfile = certfile;
+    if(certfile != NULL && *certfile != 0){
+        if(!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)){
+            err = ERR_get_error();
+            fprintf(stderr, "SSL: error reading certificate from file %s: %s\n",
+                    certfile, ERR_error_string(err, NULL));
+            exit(1);
+        }
+        if(!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)){
+            err = ERR_get_error();
+            fprintf(stderr, "SSL: error reading private key from file %s: %s\n",
+                    keyfile, ERR_error_string(err, NULL));
+            exit(1);
+        }
+        if(!SSL_CTX_check_private_key(sslContext)){
+            err = ERR_get_error();
+            fprintf(stderr, "SSL: Private key does not match public key in cert!\n");
+            exit(1);
+        }
+    }
+    cacertDir = lp_ssl_cacertdir();
+    cacertFile = lp_ssl_cacertfile();
+    if(cacertDir != NULL && *cacertDir == 0)
+        cacertDir = NULL;
+    if(cacertFile != NULL && *cacertFile == 0)
+        cacertFile = NULL;
+    if(!SSL_CTX_load_verify_locations(sslContext, cacertFile, cacertDir)){
+        err = ERR_get_error();
+        fprintf(stderr, "SSL: Error error setting CA cert locations: %s\n",
+                ERR_error_string(err, NULL));
+        fprintf(stderr, "trying default locations.\n");
+        cacertFile = cacertDir = NULL;
+        if(!SSL_CTX_set_default_verify_paths(sslContext)){
+            err = ERR_get_error();
+            fprintf(stderr, "SSL: Error error setting default CA cert location: %s\n",
+                    ERR_error_string(err, NULL));
+            exit(1);
+        }
+    }
+    SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
+    if((ciphers = lp_ssl_ciphers()) != NULL && *ciphers != 0)
+        SSL_CTX_set_cipher_list(sslContext, ciphers);
+    if((isServer && lp_ssl_reqClientCert()) || (!isServer && lp_ssl_reqServerCert())){
+        SSL_CTX_set_verify(sslContext,
+            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
+    }else{
+        SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, ssl_verify_cb);
+    }
+#if 1 /* don't know what this is good for, but s_server in SSLeay does it, too */
+    if(isServer){
+        SSL_CTX_set_client_CA_list(sslContext, SSL_load_client_CA_file(certfile));
+    }
+#endif
+    return 0;
+}
+
+int sslutil_accept(int fd)
+{
+int     err;
+
+    if(ssl != NULL){
+        DEBUG(0, ("SSL: internal error: more than one SSL connection (server)\n"));
+        return -1;
+    }
+    if((ssl = SSL_new(sslContext)) == NULL){
+        err = ERR_get_error();
+        DEBUG(0, ("SSL: Error allocating handle: %s\n",
+            ERR_error_string(err, NULL)));
+        return -1;
+    }
+    SSL_set_fd(ssl, fd);
+    sslFd = fd;
+    if(SSL_accept(ssl) <= 0){
+        err = ERR_get_error();
+        DEBUG(0, ("SSL: Error accepting on socket: %s\n",
+            ERR_error_string(err, NULL)));
+        return -1;
+    }
+    DEBUG(0, ("SSL: negotiated cipher: %s\n", SSL_get_cipher(ssl)));
+    return 0;
+}
+
+int sslutil_fd_is_ssl(int fd)
+{
+    return fd == sslFd;
+}
+
+int sslutil_connect(int fd)
+{
+int     err;
+
+    if(ssl != NULL){
+        DEBUG(0, ("SSL: internal error: more than one SSL connection (client)\n"));
+        return -1;
+    }
+    if((ssl = SSL_new(sslContext)) == NULL){
+        err = ERR_get_error();
+        DEBUG(0, ("SSL: Error allocating handle: %s\n",
+            ERR_error_string(err, NULL)));
+        return -1;
+    }
+    SSL_set_fd(ssl, fd);
+    sslFd = fd;
+    if(SSL_connect(ssl) <= 0){
+        err = ERR_get_error();
+        DEBUG(0, ("SSL: Error conencting socket: %s\n",
+            ERR_error_string(err, NULL)));
+        return -1;
+    }
+    DEBUG(0, ("SSL: negotiated cipher: %s\n", SSL_get_cipher(ssl)));
+    return 0;
+}
+
+int sslutil_disconnect(int fd)
+{
+    if(fd == sslFd && ssl != NULL){
+        SSL_free(ssl);
+        ssl = NULL;
+        sslFd = -1;
+    }
+    return 0;
+}
+
+int sslutil_negotiate_ssl(int fd, int msg_type)
+{
+unsigned char   buf[5] = {0x83, 0, 0, 1, 0x81};
+char            *reqHosts, *resignHosts;
+
+    reqHosts = lp_ssl_hosts();
+    resignHosts = lp_ssl_hosts_resign();
+    if(!allow_access(resignHosts, reqHosts, client_name(fd), client_addr(fd))){
+        sslEnabled = False;
+        return 0;
+    }
+    if(msg_type != 0x81){ /* first packet must be a session request */
+        DEBUG(0, ("%s Client %s did not use session setup; access denied\n",
+            timestring(), client_addr(fd)));
+        send_smb(fd, (char *)buf);
+        return -1;
+    }
+    buf[4] = 0x8e;  /* negative session response: use SSL */
+    send_smb(fd, (char *)buf);
+    if(sslutil_accept(fd) != 0){
+        DEBUG(0, ("%s Client %s failed SSL negotiation!\n",
+            timestring(), client_addr(fd)));
+        return -1;
+    }
+    return 1;
+}
+
+#else /* USE_SSL */
+ void ssl_dummy(void) {;} /* So some compilers don't complain. */
+#endif  /* USE_SSL */
author	Jeremy Allison <jra@samba.org>	1998-06-16 01:35:52 +0000
committer	Jeremy Allison <jra@samba.org>	1998-06-16 01:35:52 +0000
commit	cb757820f5452d192ce3b1eeb4f19a17ee93c3fe (patch)
tree	b40303dac4805a9ffb4a32e0f24d90648ed7a1e7 /source3/smbd
parent	e31b4f29f6b6b7f74a066e1219d85d1eb425eebb (diff)
download	samba-cb757820f5452d192ce3b1eeb4f19a17ee93c3fe.tar.gz samba-cb757820f5452d192ce3b1eeb4f19a17ee93c3fe.tar.bz2 samba-cb757820f5452d192ce3b1eeb4f19a17ee93c3fe.zip