r7047: rearranged the tls code a bit, and improved the error messages when it fails

(This used to be commit f54533dfba4286a3dbab26f1812a926fa6408efd)
author: Andrew Tridgell <tridge@samba.org> 2005-05-28 01:29:45 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:17:08 -0500
commit: 2b0607248aceebd80938eb5ffad309aa7b47472e (patch)
tree: da73d55f1a0069aa699d613e7879f8f560ade1f4 /source4/web_server/tls.c
parent: 15ca4bb558152be326319cf8d825ddb86fc88d5c (diff)
download: samba-2b0607248aceebd80938eb5ffad309aa7b47472e.tar.gz
samba-2b0607248aceebd80938eb5ffad309aa7b47472e.tar.bz2
samba-2b0607248aceebd80938eb5ffad309aa7b47472e.zip
1 files changed, 131 insertions, 119 deletions
diff --git a/source4/web_server/tls.c b/source4/web_server/tls.c
index 2d71ac0c37..656c5ee6d6 100644
--- a/source4/web_server/tls.c
+++ b/source4/web_server/tls.c
@@ -45,74 +45,6 @@ struct tls_data {
 };
 
 /*
-  initialise global tls state
-*/
-void tls_initialise(struct task_server *task)
-{
-	struct esp_data *edata = talloc_get_type(task->private, struct esp_data);
-	struct tls_data *tls;
-	int ret;
-	const char *keyfile = lp_web_keyfile();
-	const char *certfile = lp_web_certfile();
-	const char *cafile = lp_web_cafile();
-	const char *crlfile = lp_web_crlfile();
-
-	if (!lp_web_tls() || keyfile == NULL || *keyfile == 0) {
-		return;
-	}
-
-	tls = talloc_zero(edata, struct tls_data);
-	edata->tls_data = tls;
-
-	ret = gnutls_global_init();
-	if (ret < 0) goto init_failed;
-
-	gnutls_certificate_allocate_credentials(&tls->x509_cred);
-	if (ret < 0) goto init_failed;
-
-	ret = gnutls_certificate_set_x509_trust_file(tls->x509_cred, cafile, 
-						     GNUTLS_X509_FMT_PEM);	
-	if (ret < 0) {
-		DEBUG(0,("TLS failed to initialise cafile %s\n", cafile));
-		goto init_failed;
-	}
-
-	if (crlfile && *crlfile) {
-		ret = gnutls_certificate_set_x509_crl_file(tls->x509_cred, 
-							   crlfile, 
-							   GNUTLS_X509_FMT_PEM);
-		if (ret < 0) {
-			DEBUG(0,("TLS failed to initialise crlfile %s\n", cafile));
-			goto init_failed;
-		}
-	}
-	
-	ret = gnutls_certificate_set_x509_key_file(tls->x509_cred, 
-						   certfile, keyfile,
-						   GNUTLS_X509_FMT_PEM);
-	if (ret < 0) {
-		DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s\n", 
-			 lp_web_certfile(), lp_web_keyfile()));
-		goto init_failed;
-	}
-	
-	ret = gnutls_dh_params_init(&tls->dh_params);
-	if (ret < 0) goto init_failed;
-
-	ret = gnutls_dh_params_generate2(tls->dh_params, DH_BITS);
-	if (ret < 0) goto init_failed;
-
-	gnutls_certificate_set_dh_params(tls->x509_cred, tls->dh_params);
-	return;
-
-init_failed:
-	DEBUG(0,("GNUTLS failed to initialise with code %d - disabling\n", ret));
-	talloc_free(tls);
-	edata->tls_data = NULL;
-}
-
-
-/*
   callback for reading from a socket
 */
 static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size)
@@ -176,60 +108,15 @@ static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size)
 static int tls_destructor(void *ptr)
 {
 	struct tls_session *tls_session = talloc_get_type(ptr, struct tls_session);
-	gnutls_bye(tls_session->session, GNUTLS_SHUT_WR);
-	return 0;
-}
-
-
-/*
-  setup for a new connection
-*/
-NTSTATUS tls_init_connection(struct websrv_context *web)
-{
-	struct esp_data *edata = talloc_get_type(web->task->private, struct esp_data);
-	struct tls_data *tls_data = talloc_get_type(edata->tls_data, struct tls_data);
-	struct tls_session *tls_session;
 	int ret;
-
-	if (edata->tls_data == NULL) {
-		web->tls_session = NULL;
-		return NT_STATUS_OK;
+	ret = gnutls_bye(tls_session->session, GNUTLS_SHUT_WR);
+	if (ret < 0) {
+		DEBUG(0,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret)));
 	}
-
-#define TLSCHECK(call) do { \
-	ret = call; \
-	if (ret < 0) { \
-		DEBUG(0,("TLS failed with code %d - %s\n", ret, #call)); \
-		goto failed; \
-	} \
-} while (0)
-
-	tls_session = talloc_zero(web, struct tls_session);
-	web->tls_session = tls_session;
-
-	TLSCHECK(gnutls_init(&tls_session->session, GNUTLS_SERVER));
-
-	talloc_set_destructor(tls_session, tls_destructor);
-
-	TLSCHECK(gnutls_set_default_priority(tls_session->session));
-	TLSCHECK(gnutls_credentials_set(tls_session->session, GNUTLS_CRD_CERTIFICATE, tls_data->x509_cred));
-	gnutls_certificate_server_set_request(tls_session->session, GNUTLS_CERT_REQUEST);
-	gnutls_dh_set_prime_bits(tls_session->session, DH_BITS);
-	gnutls_transport_set_ptr(tls_session->session, (gnutls_transport_ptr)web);
-	gnutls_transport_set_pull_function(tls_session->session, (gnutls_pull_func)tls_pull);
-	gnutls_transport_set_push_function(tls_session->session, (gnutls_push_func)tls_push);
-	gnutls_transport_set_lowat(tls_session->session, 0);
-
-	web->input.tls_detect = True;
-	
-	return NT_STATUS_OK;
-
-failed:
-	web->tls_session = NULL;
-	talloc_free(tls_session);
-	return NT_STATUS_OK;
+	return 0;
 }
 
+
 /*
   possibly continue the handshake process
 */
@@ -246,6 +133,7 @@ static NTSTATUS tls_handshake(struct tls_session *tls_session)
 		return STATUS_MORE_ENTRIES;
 	}
 	if (ret < 0) {
+		DEBUG(0,("TLS gnutls_handshake failed - %s\n", gnutls_strerror(ret)));
 		return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 	}
 	tls_session->done_handshake = True;
@@ -293,6 +181,7 @@ NTSTATUS tls_socket_recv(struct websrv_context *web, void *buf, size_t wantlen,
 		return STATUS_MORE_ENTRIES;
 	}
 	if (ret < 0) {
+		DEBUG(0,("gnutls_record_recv failed - %s\n", gnutls_strerror(ret)));
 		return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 	}
 	*nread = ret;
@@ -323,14 +212,137 @@ NTSTATUS tls_socket_send(struct websrv_context *web, const DATA_BLOB *blob,
 		return STATUS_MORE_ENTRIES;
 	}
 	if (ret < 0) {
+		DEBUG(0,("gnutls_record_send failed - %s\n", gnutls_strerror(ret)));
 		return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 	}
 	*sendlen = ret;
 	return NT_STATUS_OK;
 }
+
+
+/*
+  initialise global tls state
+*/
+void tls_initialise(struct task_server *task)
+{
+	struct esp_data *edata = talloc_get_type(task->private, struct esp_data);
+	struct tls_data *tls;
+	int ret;
+	const char *keyfile = lp_web_keyfile();
+	const char *certfile = lp_web_certfile();
+	const char *cafile = lp_web_cafile();
+	const char *crlfile = lp_web_crlfile();
+
+	if (!lp_web_tls() || keyfile == NULL || *keyfile == 0) {
+		return;
+	}
+
+	tls = talloc_zero(edata, struct tls_data);
+	edata->tls_data = tls;
+
+	ret = gnutls_global_init();
+	if (ret < 0) goto init_failed;
+
+	gnutls_certificate_allocate_credentials(&tls->x509_cred);
+	if (ret < 0) goto init_failed;
+
+	ret = gnutls_certificate_set_x509_trust_file(tls->x509_cred, cafile, 
+						     GNUTLS_X509_FMT_PEM);	
+	if (ret < 0) {
+		DEBUG(0,("TLS failed to initialise cafile %s\n", cafile));
+		goto init_failed;
+	}
+
+	if (crlfile && *crlfile) {
+		ret = gnutls_certificate_set_x509_crl_file(tls->x509_cred, 
+							   crlfile, 
+							   GNUTLS_X509_FMT_PEM);
+		if (ret < 0) {
+			DEBUG(0,("TLS failed to initialise crlfile %s\n", cafile));
+			goto init_failed;
+		}
+	}
+	
+	ret = gnutls_certificate_set_x509_key_file(tls->x509_cred, 
+						   certfile, keyfile,
+						   GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s\n", 
+			 lp_web_certfile(), lp_web_keyfile()));
+		goto init_failed;
+	}
+	
+	ret = gnutls_dh_params_init(&tls->dh_params);
+	if (ret < 0) goto init_failed;
+
+	ret = gnutls_dh_params_generate2(tls->dh_params, DH_BITS);
+	if (ret < 0) goto init_failed;
+
+	gnutls_certificate_set_dh_params(tls->x509_cred, tls->dh_params);
+	return;
+
+init_failed:
+	DEBUG(0,("GNUTLS failed to initialise - %s\n", gnutls_strerror(ret)));
+	talloc_free(tls);
+	edata->tls_data = NULL;
+}
+
+
+/*
+  setup for a new connection
+*/
+NTSTATUS tls_init_connection(struct websrv_context *web)
+{
+	struct esp_data *edata = talloc_get_type(web->task->private, struct esp_data);
+	struct tls_data *tls_data = talloc_get_type(edata->tls_data, struct tls_data);
+	struct tls_session *tls_session;
+	int ret;
+
+	if (edata->tls_data == NULL) {
+		web->tls_session = NULL;
+		return NT_STATUS_OK;
+	}
+
+#define TLSCHECK(call) do { \
+	ret = call; \
+	if (ret < 0) { \
+		DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
+		goto failed; \
+	} \
+} while (0)
+
+	tls_session = talloc_zero(web, struct tls_session);
+	web->tls_session = tls_session;
+
+	TLSCHECK(gnutls_init(&tls_session->session, GNUTLS_SERVER));
+
+	talloc_set_destructor(tls_session, tls_destructor);
+
+	TLSCHECK(gnutls_set_default_priority(tls_session->session));
+	TLSCHECK(gnutls_credentials_set(tls_session->session, GNUTLS_CRD_CERTIFICATE, tls_data->x509_cred));
+	gnutls_certificate_server_set_request(tls_session->session, GNUTLS_CERT_REQUEST);
+	gnutls_dh_set_prime_bits(tls_session->session, DH_BITS);
+	gnutls_transport_set_ptr(tls_session->session, (gnutls_transport_ptr)web);
+	gnutls_transport_set_pull_function(tls_session->session, (gnutls_pull_func)tls_pull);
+	gnutls_transport_set_push_function(tls_session->session, (gnutls_push_func)tls_push);
+	gnutls_transport_set_lowat(tls_session->session, 0);
+
+	web->input.tls_detect = True;
+	
+	return NT_STATUS_OK;
+
+failed:
+	DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret)));
+	web->tls_session = NULL;
+	talloc_free(tls_session);
+	return NT_STATUS_OK;
+}
+
+
 #else
 
-/* for systems without tls */
+/* for systems without tls we just map the tls socket calls to the
+   normal socket calls */
 NTSTATUS tls_socket_recv(struct websrv_context *web, void *buf, size_t wantlen, 
 			 size_t *nread)
 {
author	Andrew Tridgell <tridge@samba.org>	2005-05-28 01:29:45 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:17:08 -0500
commit	2b0607248aceebd80938eb5ffad309aa7b47472e (patch)
tree	da73d55f1a0069aa699d613e7879f8f560ade1f4 /source4/web_server/tls.c
parent	15ca4bb558152be326319cf8d825ddb86fc88d5c (diff)
download	samba-2b0607248aceebd80938eb5ffad309aa7b47472e.tar.gz samba-2b0607248aceebd80938eb5ffad309aa7b47472e.tar.bz2 samba-2b0607248aceebd80938eb5ffad309aa7b47472e.zip