-rw-r--r-- | source4/lib/tls/tls.c | 18 | ||||
-rw-r--r-- | source4/param/loadparm.c | 3 | ||||
-rwxr-xr-x | source4/script/tests/mktestsetup.sh | 11 |
3 files changed, 30 insertions, 2 deletions
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index c3a6047e06..2a02ffa237 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -356,6 +356,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 const char *certfile = private_path(tmp_ctx, lp_tls_certfile());
 const char *cafile = private_path(tmp_ctx, lp_tls_cafile());
 const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile());
+ const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile());
 void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
 params = talloc(mem_ctx, struct tls_params);
@@ -408,12 +409,25 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 goto init_failed;
 }
+
 ret = gnutls_dh_params_init(¶ms->dh_params);
 if (ret < 0) goto init_failed;
- ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
- if (ret < 0) goto init_failed;
+ if (dhpfile) {
+ gnutls_datum_t dhparms;
+ dhparms.data = (uint8_t *)file_load(dhpfile, &dhparms.size, mem_ctx);
+ if (!dhparms.data) {
+ goto init_failed;
+ }
+
+ ret = gnutls_dh_params_import_pkcs3(params->dh_params, &dhparms, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) goto init_failed;
+ } else {
+ ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
+ if (ret < 0) goto init_failed;
+ }
+
 gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params);
 params->tls_enabled = True;
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index 64713f74cf..6a47573932 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -139,6 +139,7 @@ typedef struct
 char *tls_certfile;
 char *tls_cafile;
 char *tls_crlfile;
+ char *tls_dhpfile;
 int max_mux;
 int max_xmit;
 int pwordlevel;
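Review bot: `file_load(dhpfile, &dhparms.size, mem_ctx)` hands the address of `gnutls_datum_t.size` (an `unsigned int` in GnuTLS) to a function that, if it has the usual Samba signature, expects a `size_t *`; on a 64-bit build that stores 8 bytes into a 4-byte field and clobbers the stack next to `dhparms`, so read the length into a local and assign it: `size_t dhp_len;` / `dhparms.data = (uint8_t *)file_load(dhpfile, &dhp_len, tmp_ctx);` / `dhparms.size = dhp_len;`. The PEM buffer is only needed until `gnutls_dh_params_import_pkcs3` returns, so allocating it on `mem_ctx` rather than the `tmp_ctx` the neighbouring `private_path` calls use keeps it alive for the lifetime of the TLS params. Nothing checks the size of the imported group, so an operator-supplied file silently replaces the `DH_BITS` group generated by the `else` branch with an arbitrarily small one; consider rejecting parameters whose prime is shorter than `DH_BITS` after import. `tls_initialise` and its `init_failed` label continue outside the hunk.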
@@ -451,6 +452,7 @@ static struct parm_struct parm_table[] = {
 {"tls certfile", P_STRING, P_GLOBAL, &Globals.tls_certfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"tls cafile", P_STRING, P_GLOBAL, &Globals.tls_cafile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"tls crlfile", P_STRING, P_GLOBAL, &Globals.tls_crlfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"tls dh params file", P_STRING, P_GLOBAL, &Globals.tls_dhpfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"swat directory", P_STRING, P_GLOBAL, &Globals.swat_directory, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"large readwrite", P_BOOL, P_GLOBAL, &Globals.bLargeReadwrite, NULL, NULL, FLAG_DEVELOPER},
 {"server max protocol", P_ENUM, P_GLOBAL, &Globals.srv_maxprotocol, NULL, enum_protocol, FLAG_DEVELOPER},
@@ -830,6 +832,7 @@ _PUBLIC_ FN_GLOBAL_STRING(lp_tls_keyfile, &Globals.tls_keyfile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_tls_certfile, &Globals.tls_certfile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_tls_cafile, &Globals.tls_cafile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_tls_crlfile, &Globals.tls_crlfile)
+_PUBLIC_ FN_GLOBAL_STRING(lp_tls_dhpfile, &Globals.tls_dhpfile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_unix_charset, &Globals.unix_charset)
 _PUBLIC_ FN_GLOBAL_STRING(lp_display_charset, &Globals.display_charset)
 _PUBLIC_ FN_GLOBAL_STRING(lp_configfile, &Globals.szConfigFile)
diff --git a/source4/script/tests/mktestsetup.sh b/source4/script/tests/mktestsetup.sh
index 9244bde796..e2c1ac563e 100755
--- a/source4/script/tests/mktestsetup.sh
+++ b/source4/script/tests/mktestsetup.sh
@@ -47,6 +47,7 @@ PRIVATEDIR=$PREFIX_ABS/private
 NCALRPCDIR=$PREFIX_ABS/ncalrpc
 LOCKDIR=$PREFIX_ABS/lockdir
 TLSDIR=$PRIVATEDIR/tls
+DHFILE=$TLSDIR/dhparms.pem
 WINBINDD_SOCKET_DIR=$PREFIX_ABS/winbind_socket
 CONFIGURATION="--configfile=$CONFFILE"
 export CONFIGURATION
@@ -71,6 +72,7 @@ cat >$CONFFILE<<EOF
 name resolve order = bcast
 interfaces = 127.0.0.1/8
 tls enabled = $TLS_ENABLED
+ tls dh params file = $DHFILE
 panic action = $SRCDIR/script/gdb_backtrace %PID% %PROG%
 wins support = yes
 server role = pdc
@@ -112,6 +114,15 @@ cat >$KRB5_CONFIG<<EOF
 .samba.example.com = SAMBA.EXAMPLE.COM
 EOF
+cat >$DHFILE<<EOF
+-----BEGIN DH PARAMETERS-----
+MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
+svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
+YX70obsCAQI=
+-----END DH PARAMETERS-----
+
+EOF
+
 export KRB5_CONFIG
 $srcdir/bin/smbscript $srcdir/setup/provision $CONFIGURATION --host-name=$NETBIOSNAME --host-ip=127.0.0.1 \
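Review bot: The DH group written to `$DHFILE` in the second hunk carries no comment saying why a fixed group is used or how strong it is; from the DER header (`MGYCYQ…`, a 0x66-byte SEQUENCE holding a 0x61-byte INTEGER) it looks like a 768-bit prime, which is fine for cutting test start-up time but far below what anyone should deploy. Add a line above the heredoc such as `# Fixed small (~768-bit) DH group so tests skip DH generation; test-only, never copy into a real smb.conf`. Because the first hunk also advertises the file through `tls dh params file` in the generated smb.conf, that comment is the only thing stopping the test configuration from being copied into a real one.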