diff options
author | Andrew Tridgell <tridge@samba.org> | 2005-06-19 04:20:27 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:29 -0500 |
commit | 225d5a334fca1a52714f0120d0961236db0f236c (patch) | |
tree | 36c73bf7a722766cf4f7fb66416225d61bae59f0 /source4 | |
parent | aa6b2dcb9bdff582ac7628f0c2511de12da57242 (diff) | |
download | samba-225d5a334fca1a52714f0120d0961236db0f236c.tar.gz samba-225d5a334fca1a52714f0120d0961236db0f236c.tar.bz2 samba-225d5a334fca1a52714f0120d0961236db0f236c.zip |
r7742: abstracted out the tls code from the web server, so that our other servers
can easily become tls enabled. This will be used to add support for ldaps
(This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/lib/tls/config.mk | 12 | ||||
-rw-r--r-- | source4/lib/tls/tls.c | 420 | ||||
-rw-r--r-- | source4/lib/tls/tls.h | 61 | ||||
-rw-r--r-- | source4/lib/tls/tlscert.c | 153 |
4 files changed, 646 insertions, 0 deletions
diff --git a/source4/lib/tls/config.mk b/source4/lib/tls/config.mk new file mode 100644 index 0000000000..0800a69829 --- /dev/null +++ b/source4/lib/tls/config.mk @@ -0,0 +1,12 @@ +################################################ +# Start SUBSYSTEM LIBTLS +[SUBSYSTEM::LIBTLS] +ADD_OBJ_FILES = \ + lib/tls/tls.o \ + lib/tls/tlscert.o +REQUIRED_SUBSYSTEMS = \ + LIBTALLOC EXT_LIB_GNUTLS +NOPROTO = YES +# +# End SUBSYSTEM LIBTLS +################################################ diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c new file mode 100644 index 0000000000..3b166b27a0 --- /dev/null +++ b/source4/lib/tls/tls.c @@ -0,0 +1,420 @@ +/* + Unix SMB/CIFS implementation. + + transport layer security handling code + + Copyright (C) Andrew Tridgell 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "lib/events/events.h" +#include "lib/socket/socket.h" +#include "lib/tls/tls.h" + +#if HAVE_LIBGNUTLS +#include "gnutls/gnutls.h" + +#define DH_BITS 1024 + +/* hold persistent tls data */ +struct tls_params { + gnutls_certificate_credentials x509_cred; + gnutls_dh_params dh_params; + BOOL tls_enabled; +}; + +/* hold per connection tls data */ +struct tls_context { + struct tls_params *params; + struct socket_context *socket; + struct fd_event *fde; + gnutls_session session; + BOOL done_handshake; + BOOL have_first_byte; + uint8_t first_byte; + BOOL tls_enabled; + BOOL tls_detect; + const char *plain_chars; + BOOL output_pending; +}; + + +/* + callback for reading from a socket +*/ +static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size) +{ + struct tls_context *tls = talloc_get_type(ptr, struct tls_context); + NTSTATUS status; + size_t nread; + + if (tls->have_first_byte) { + *(uint8_t *)buf = tls->first_byte; + tls->have_first_byte = False; + return 1; + } + + status = socket_recv(tls->socket, buf, size, &nread, 0); + if (!NT_STATUS_IS_OK(status)) { + EVENT_FD_READABLE(tls->fde); + EVENT_FD_NOT_WRITEABLE(tls->fde); + return -1; + } + if (tls->output_pending) { + EVENT_FD_WRITEABLE(tls->fde); + } + if (size != nread) { + EVENT_FD_READABLE(tls->fde); + } + return nread; +} + +/* + callback for writing to a socket +*/ +static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size) +{ + struct tls_context *tls = talloc_get_type(ptr, struct tls_context); + NTSTATUS status; + size_t nwritten; + DATA_BLOB b; + + if (!tls->tls_enabled) { + return size; + } + + b.data = discard_const(buf); + b.length = size; + + status = socket_send(tls->socket, &b, &nwritten, 0); + if (!NT_STATUS_IS_OK(status)) { + EVENT_FD_WRITEABLE(tls->fde); + return -1; + } + if (size != nwritten) { + EVENT_FD_WRITEABLE(tls->fde); + } + return nwritten; +} + +/* + destroy a tls session + */ +static int tls_destructor(void *ptr) +{ + struct tls_context *tls = talloc_get_type(ptr, struct tls_context); + int ret; + ret = gnutls_bye(tls->session, GNUTLS_SHUT_WR); + if (ret < 0) { + DEBUG(0,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret))); + } + return 0; +} + + +/* + possibly continue the handshake process +*/ +static NTSTATUS tls_handshake(struct tls_context *tls) +{ + int ret; + + if (tls->done_handshake) { + return NT_STATUS_OK; + } + + ret = gnutls_handshake(tls->session); + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + if (ret < 0) { + DEBUG(0,("TLS gnutls_handshake failed - %s\n", gnutls_strerror(ret))); + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + tls->done_handshake = True; + return NT_STATUS_OK; +} + + +/* + receive data either by tls or normal socket_recv +*/ +NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, + size_t *nread) +{ + int ret; + NTSTATUS status; + if (tls->tls_enabled && tls->tls_detect) { + status = socket_recv(tls->socket, &tls->first_byte, 1, nread, 0); + NT_STATUS_NOT_OK_RETURN(status); + if (*nread == 0) return NT_STATUS_OK; + tls->tls_detect = False; + /* look for the first byte of a valid HTTP operation */ + if (strchr(tls->plain_chars, tls->first_byte)) { + /* not a tls link */ + tls->tls_enabled = False; + *(uint8_t *)buf = tls->first_byte; + return NT_STATUS_OK; + } + tls->have_first_byte = True; + } + + if (!tls->tls_enabled) { + return socket_recv(tls->socket, buf, wantlen, nread, 0); + } + + status = tls_handshake(tls); + NT_STATUS_NOT_OK_RETURN(status); + + ret = gnutls_record_recv(tls->session, buf, wantlen); + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + if (ret < 0) { + DEBUG(0,("gnutls_record_recv failed - %s\n", gnutls_strerror(ret))); + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + *nread = ret; + return NT_STATUS_OK; +} + + +/* + send data either by tls or normal socket_recv +*/ +NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) +{ + NTSTATUS status; + int ret; + + if (!tls->tls_enabled) { + return socket_send(tls->socket, blob, sendlen, 0); + } + + status = tls_handshake(tls); + NT_STATUS_NOT_OK_RETURN(status); + + ret = gnutls_record_send(tls->session, blob->data, blob->length); + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + if (ret < 0) { + DEBUG(0,("gnutls_record_send failed - %s\n", gnutls_strerror(ret))); + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + *sendlen = ret; + tls->output_pending = (ret < blob->length); + return NT_STATUS_OK; +} + + +/* + initialise global tls state +*/ +struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) +{ + struct tls_params *params; + int ret; + const char *keyfile = lp_tls_keyfile(); + const char *certfile = lp_tls_certfile(); + const char *cafile = lp_tls_cafile(); + const char *crlfile = lp_tls_crlfile(); + void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); + + params = talloc(mem_ctx, struct tls_params); + if (params == NULL) return NULL; + + if (!lp_tls_enabled() || keyfile == NULL || *keyfile == 0) { + params->tls_enabled = False; + return params; + } + + if (!file_exist(cafile)) { + tls_cert_generate(params, keyfile, certfile, cafile); + } + + ret = gnutls_global_init(); + if (ret < 0) goto init_failed; + + gnutls_certificate_allocate_credentials(¶ms->x509_cred); + if (ret < 0) goto init_failed; + + if (cafile && *cafile) { + ret = gnutls_certificate_set_x509_trust_file(params->x509_cred, cafile, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + DEBUG(0,("TLS failed to initialise cafile %s\n", cafile)); + goto init_failed; + } + } + + if (crlfile && *crlfile) { + ret = gnutls_certificate_set_x509_crl_file(params->x509_cred, + crlfile, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + DEBUG(0,("TLS failed to initialise crlfile %s\n", crlfile)); + goto init_failed; + } + } + + ret = gnutls_certificate_set_x509_key_file(params->x509_cred, + certfile, keyfile, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s\n", + certfile, keyfile)); + goto init_failed; + } + + ret = gnutls_dh_params_init(¶ms->dh_params); + if (ret < 0) goto init_failed; + + ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS); + if (ret < 0) goto init_failed; + + gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params); + + params->tls_enabled = True; + return params; + +init_failed: + DEBUG(0,("GNUTLS failed to initialise - %s\n", gnutls_strerror(ret))); + params->tls_enabled = False; + return params; +} + + +/* + setup for a new connection +*/ +struct tls_context *tls_init_server(struct tls_params *params, + struct socket_context *socket, + struct fd_event *fde, + const char *plain_chars) +{ + struct tls_context *tls; + int ret; + + tls = talloc(socket, struct tls_context); + if (tls == NULL) return NULL; + + tls->socket = socket; + tls->fde = fde; + + if (!params->tls_enabled) { + tls->tls_enabled = False; + return tls; + } + +#define TLSCHECK(call) do { \ + ret = call; \ + if (ret < 0) { \ + DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \ + goto failed; \ + } \ +} while (0) + + TLSCHECK(gnutls_init(&tls->session, GNUTLS_SERVER)); + + talloc_set_destructor(tls, tls_destructor); + + TLSCHECK(gnutls_set_default_priority(tls->session)); + TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, + params->x509_cred)); + gnutls_certificate_server_set_request(tls->session, GNUTLS_CERT_REQUEST); + gnutls_dh_set_prime_bits(tls->session, DH_BITS); + gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls); + gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull); + gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push); + gnutls_transport_set_lowat(tls->session, 0); + + tls->plain_chars = plain_chars; + if (plain_chars) { + tls->tls_detect = True; + } else { + tls->tls_detect = False; + } + + tls->output_pending = False; + tls->params = params; + tls->done_handshake = False; + tls->have_first_byte = False; + tls->tls_enabled = True; + + return tls; + +failed: + DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret))); + tls->tls_enabled = False; + params->tls_enabled = False; + return tls; +} + +BOOL tls_enabled(struct tls_context *tls) +{ + return tls->tls_enabled; +} + +BOOL tls_support(struct tls_params *params) +{ + return params->tls_enabled; +} + + +#else + +/* for systems without tls we just map the tls socket calls to the + normal socket calls */ + +struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) +{ + return talloc_new(mem_ctx); +} + +struct tls_context *tls_init_server(struct tls_params *params, + struct socket_context *sock, + struct fd_event *fde, + const char *plain_chars) +{ + if (plain_chars == NULL) return NULL; + return (struct tls_context *)sock; +} + + +NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, + size_t *nread) +{ + return socket_recv((struct socket_context *)tls, buf, wantlen, nread, 0); +} + +NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) +{ + return socket_send((struct socket_context *)tls, blob, sendlen, 0); +} + +BOOL tls_enabled(struct tls_context *tls) +{ + return False; +} + +BOOL tls_support(struct tls_params *params) +{ + return False; +} + +#endif diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h new file mode 100644 index 0000000000..f87d49d9eb --- /dev/null +++ b/source4/lib/tls/tls.h @@ -0,0 +1,61 @@ +/* + Unix SMB/CIFS implementation. + + transport layer security handling code + + Copyright (C) Andrew Tridgell 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* + call tls_initialise() once per task to startup the tls subsystem +*/ +struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx); + +/* + call tls_init_server() on each new server connection + + the 'plain_chars' parameter is a list of chars that when they occur + as the first character from the client on the connection tell the + tls code that this is a non-tls connection. This can be used to have + tls and non-tls servers on the same port. If this is NULL then only + tls connections will be allowed +*/ +struct tls_context *tls_init_server(struct tls_params *parms, + struct socket_context *sock, + struct fd_event *fde, + const char *plain_chars); + +/* + call these to send and receive data. They behave like socket_send() and socket_recv() + */ +NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, + size_t *nread); +NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, + size_t *sendlen); + +/* + return True if a connection used tls +*/ +BOOL tls_enabled(struct tls_context *tls); + + +/* + true if tls support is compiled in +*/ +BOOL tls_support(struct tls_params *parms); + + diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c new file mode 100644 index 0000000000..2cd46ff432 --- /dev/null +++ b/source4/lib/tls/tlscert.c @@ -0,0 +1,153 @@ +/* + Unix SMB/CIFS implementation. + + auto-generate self signed TLS certificates + + Copyright (C) Andrew Tridgell 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#if HAVE_LIBGNUTLS +#include "gnutls/gnutls.h" +#include "gnutls/x509.h" + +#define ORGANISATION_NAME "Samba Administration" +#define UNIT_NAME "Samba - temporary autogenerated certificate" +#define COMMON_NAME "Samba" +#define LIFETIME 700*24*60*60 + +/* + auto-generate a set of self signed certificates +*/ +void tls_cert_generate(TALLOC_CTX *mem_ctx, + const char *keyfile, const char *certfile, + const char *cafile) +{ + gnutls_x509_crt cacrt, crt; + gnutls_x509_privkey key, cakey; + uint32_t serial = (uint32_t)time(NULL); + char keyid[100]; + char buf[4096]; + size_t bufsize; + size_t keyidsize = sizeof(keyid); + time_t activation = time(NULL), expiry = activation + LIFETIME; + int ret; + + if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) { + DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n")); + return; + } + +#define TLSCHECK(call) do { \ + ret = call; \ + if (ret < 0) { \ + DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \ + goto failed; \ + } \ +} while (0) + + TLSCHECK(gnutls_global_init()); + + DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n")); + + DEBUG(3,("Generating private key\n")); + TLSCHECK(gnutls_x509_privkey_init(&key)); + TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 1024, 0)); + + DEBUG(3,("Generating CA private key\n")); + TLSCHECK(gnutls_x509_privkey_init(&cakey)); + TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, 1024, 0)); + + DEBUG(3,("Generating CA certificate\n")); + TLSCHECK(gnutls_x509_crt_init(&cacrt)); + TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, + GNUTLS_OID_X520_ORGANIZATION_NAME, 0, + ORGANISATION_NAME, strlen(ORGANISATION_NAME))); + TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, + UNIT_NAME, strlen(UNIT_NAME))); + TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, + GNUTLS_OID_X520_COMMON_NAME, 0, + COMMON_NAME, strlen(COMMON_NAME))); + TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey)); + TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial))); + TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation)); + TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry)); + TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 0)); +#ifdef GNUTLS_KP_TLS_WWW_SERVER + TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0)); +#endif + TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3)); + TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize)); + TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize)); + TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey)); + + DEBUG(3,("Generating TLS certificate\n")); + TLSCHECK(gnutls_x509_crt_init(&crt)); + TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_ORGANIZATION_NAME, 0, + ORGANISATION_NAME, strlen(ORGANISATION_NAME))); + TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, + UNIT_NAME, strlen(UNIT_NAME))); + TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, + GNUTLS_OID_X520_COMMON_NAME, 0, + COMMON_NAME, strlen(COMMON_NAME))); + TLSCHECK(gnutls_x509_crt_set_key(crt, key)); + TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial))); + TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation)); + TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry)); + TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0)); +#ifdef GNUTLS_KP_TLS_WWW_SERVER + TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0)); +#endif + TLSCHECK(gnutls_x509_crt_set_version(crt, 3)); + TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize)); + TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize)); + TLSCHECK(gnutls_x509_crt_sign(crt, crt, key)); + + DEBUG(3,("Exporting TLS keys\n")); + + bufsize = sizeof(buf); + TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize)); + file_save(certfile, buf, bufsize); + + bufsize = sizeof(buf); + TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize)); + file_save(cafile, buf, bufsize); + + bufsize = sizeof(buf); + TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize)); + file_save(keyfile, buf, bufsize); + + gnutls_x509_privkey_deinit(key); + gnutls_x509_privkey_deinit(cakey); + gnutls_x509_crt_deinit(cacrt); + gnutls_x509_crt_deinit(crt); + gnutls_global_deinit(); + + DEBUG(0,("TLS self-signed keys generated OK\n")); + return; + +failed: + DEBUG(0,("TLS certificate generation failed\n")); +} + +#else + void tls_cert_dummy(void) {} +#endif |