diff options
Diffstat (limited to 'source3/smbd/ssl.c')
-rw-r--r-- | source3/smbd/ssl.c | 286 |
1 files changed, 0 insertions, 286 deletions
diff --git a/source3/smbd/ssl.c b/source3/smbd/ssl.c deleted file mode 100644 index 7fcb48a954..0000000000 --- a/source3/smbd/ssl.c +++ /dev/null @@ -1,286 +0,0 @@ -/* - Unix SMB/CIFS implementation. - SSLeay utility functions - Copyright (C) Christian Starkjohann <cs@obdev.at> 1998 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -/* - * since includes.h pulls in config.h which is were WITH_SSL will be - * defined, we want to include includes.h before testing for WITH_SSL - * RJS 26-Jan-1999 - */ - -#include "includes.h" - -#ifdef WITH_SSL /* should always be defined if this module is compiled */ - -#include <openssl/ssl.h> -#include <openssl/err.h> - -BOOL sslEnabled; -SSL *ssl = NULL; -int sslFd = -1; -static SSL_CTX *sslContext = NULL; -extern int DEBUGLEVEL; - -static int ssl_verify_cb(int ok, X509_STORE_CTX *ctx) -{ -char buffer[256]; - - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), - buffer, sizeof(buffer)); - if(ok){ - DEBUG(0, ("SSL: Certificate OK: %s\n", buffer)); - }else{ - switch (ctx->error){ - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - DEBUG(0, ("SSL: Cert error: CA not known: %s\n", buffer)); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - DEBUG(0, ("SSL: Cert error: Cert not yet valid: %s\n", buffer)); - break; - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - DEBUG(0, ("SSL: Cert error: illegal \'not before\' field: %s\n", - buffer)); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - DEBUG(0, ("SSL: Cert error: Cert expired: %s\n", buffer)); - break; - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - DEBUG(0, ("SSL: Cert error: invalid \'not after\' field: %s\n", - buffer)); - break; - default: - DEBUG(0, ("SSL: Cert error: unknown error %d in %s\n", ctx->error, - buffer)); - break; - } - } - return ok; -} - -static RSA *ssl_temp_rsa_cb(SSL *ssl, int is_export, int keylength) -{ -static RSA *rsa = NULL; - - if(rsa == NULL) - rsa = RSA_generate_key(keylength, RSA_F4, NULL, NULL); - return rsa; -} - -/* This is called before we fork. It should ask the user for the pass phrase - * if necessary. Error output can still go to stderr because the process - * has a terminal. - */ -int sslutil_init(int isServer) -{ -int err, entropybytes; -char *certfile, *keyfile, *ciphers, *cacertDir, *cacertFile; -char *egdsocket, *entropyfile; - - SSL_load_error_strings(); - SSLeay_add_ssl_algorithms(); - egdsocket = lp_ssl_egdsocket(); - if (egdsocket != NULL && *egdsocket != 0) - RAND_egd(egdsocket); - entropyfile = lp_ssl_entropyfile(); - entropybytes = lp_ssl_entropybytes(); - if (entropyfile != NULL && *entropyfile != 0) - RAND_load_file(entropyfile, entropybytes); - switch(lp_ssl_version()){ - case SMB_SSL_V2: sslContext = SSL_CTX_new(SSLv2_method()); break; - case SMB_SSL_V3: sslContext = SSL_CTX_new(SSLv3_method()); break; - default: - case SMB_SSL_V23: sslContext = SSL_CTX_new(SSLv23_method()); break; - case SMB_SSL_TLS1: sslContext = SSL_CTX_new(TLSv1_method()); break; - } - if(sslContext == NULL){ - err = ERR_get_error(); - fprintf(stderr, "SSL: Error allocating context: %s\n", - ERR_error_string(err, NULL)); - exit(1); - } - if(lp_ssl_compatibility()){ - SSL_CTX_set_options(sslContext, SSL_OP_ALL); - } - certfile = isServer ? lp_ssl_server_cert() : lp_ssl_client_cert(); - if((certfile == NULL || *certfile == 0) && isServer){ - fprintf(stderr, "SSL: No cert file specified in config file!\n"); - fprintf(stderr, "The server MUST have a certificate!\n"); - exit(1); - } - keyfile = isServer ? lp_ssl_server_privkey() : lp_ssl_client_privkey(); - if(keyfile == NULL || *keyfile == 0) - keyfile = certfile; - if(certfile != NULL && *certfile != 0){ - if(!SSL_CTX_use_certificate_chain_file(sslContext, certfile)){ - err = ERR_get_error(); - fprintf(stderr, "SSL: error reading certificate from file %s: %s\n", - certfile, ERR_error_string(err, NULL)); - exit(1); - } - if(!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)){ - err = ERR_get_error(); - fprintf(stderr, "SSL: error reading private key from file %s: %s\n", - keyfile, ERR_error_string(err, NULL)); - exit(1); - } - if(!SSL_CTX_check_private_key(sslContext)){ - err = ERR_get_error(); - fprintf(stderr, "SSL: Private key does not match public key in cert!\n"); - exit(1); - } - } - cacertDir = lp_ssl_cacertdir(); - cacertFile = lp_ssl_cacertfile(); - if(cacertDir != NULL && *cacertDir == 0) - cacertDir = NULL; - if(cacertFile != NULL && *cacertFile == 0) - cacertFile = NULL; - if(!SSL_CTX_load_verify_locations(sslContext, cacertFile, cacertDir)){ - err = ERR_get_error(); - if (cacertFile || cacertDir) { - fprintf(stderr, "SSL: Error error setting CA cert locations: %s\n", - ERR_error_string(err, NULL)); - fprintf(stderr, "trying default locations.\n"); - } - cacertFile = cacertDir = NULL; - if(!SSL_CTX_set_default_verify_paths(sslContext)){ - err = ERR_get_error(); - fprintf(stderr, "SSL: Error error setting default CA cert location: %s\n", - ERR_error_string(err, NULL)); - exit(1); - } - } - SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); - if((ciphers = lp_ssl_ciphers()) != NULL && *ciphers != 0) - SSL_CTX_set_cipher_list(sslContext, ciphers); - if((isServer && lp_ssl_reqClientCert()) || (!isServer && lp_ssl_reqServerCert())){ - SSL_CTX_set_verify(sslContext, - SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); - }else{ - SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, ssl_verify_cb); - } -#if 1 /* don't know what this is good for, but s_server in SSLeay does it, too */ - if(isServer){ - SSL_CTX_set_client_CA_list(sslContext, SSL_load_client_CA_file(certfile)); - } -#endif - return 0; -} - -int sslutil_accept(int fd) -{ -int err; - - if(ssl != NULL){ - DEBUG(0, ("SSL: internal error: more than one SSL connection (server)\n")); - return -1; - } - if((ssl = SSL_new(sslContext)) == NULL){ - err = ERR_get_error(); - DEBUG(0, ("SSL: Error allocating handle: %s\n", - ERR_error_string(err, NULL))); - return -1; - } - SSL_set_fd(ssl, fd); - sslFd = fd; - if(SSL_accept(ssl) <= 0){ - err = ERR_get_error(); - DEBUG(0, ("SSL: Error accepting on socket: %s\n", - ERR_error_string(err, NULL))); - return -1; - } - DEBUG(0, ("SSL: negotiated cipher: %s\n", SSL_get_cipher(ssl))); - return 0; -} - -int sslutil_fd_is_ssl(int fd) -{ - return fd == sslFd; -} - -int sslutil_connect(int fd) -{ -int err; - - if(ssl != NULL){ - DEBUG(0, ("SSL: internal error: more than one SSL connection (client)\n")); - return -1; - } - if((ssl = SSL_new(sslContext)) == NULL){ - err = ERR_get_error(); - DEBUG(0, ("SSL: Error allocating handle: %s\n", - ERR_error_string(err, NULL))); - return -1; - } - SSL_set_fd(ssl, fd); - sslFd = fd; - if(SSL_connect(ssl) <= 0){ - err = ERR_get_error(); - DEBUG(0, ("SSL: Error conencting socket: %s\n", - ERR_error_string(err, NULL))); - return -1; - } - DEBUG(0, ("SSL: negotiated cipher: %s\n", SSL_get_cipher(ssl))); - return 0; -} - -int sslutil_disconnect(int fd) -{ - if(fd == sslFd && ssl != NULL){ - SSL_free(ssl); - ssl = NULL; - sslFd = -1; - } - return 0; -} - -int sslutil_negotiate_ssl(int fd, int msg_type) -{ -unsigned char buf[5] = {0x83, 0, 0, 1, 0x81}; -char *reqHosts, *resignHosts; - - reqHosts = lp_ssl_hosts(); - resignHosts = lp_ssl_hosts_resign(); - if(!allow_access(resignHosts, reqHosts, get_socket_name(fd), get_socket_addr(fd))){ - sslEnabled = False; - return 0; - } - if(msg_type != 0x81){ /* first packet must be a session request */ - DEBUG( 0, ( "Client %s did not use session setup; access denied\n", - client_addr() ) ); - if (!send_smb(fd, (char *)buf)) - DEBUG(0, ("sslutil_negotiate_ssl: send_smb failed.\n")); - return -1; - } - buf[4] = 0x8e; /* negative session response: use SSL */ - if (!send_smb(fd, (char *)buf)) { - DEBUG(0,("sslutil_negotiate_ssl: send_smb failed.\n")); - return -1; - } - if(sslutil_accept(fd) != 0){ - DEBUG( 0, ( "Client %s failed SSL negotiation!\n", client_addr() ) ); - return -1; - } - return 1; -} - -#else /* WITH_SSL */ - void ssl_dummy(void); - void ssl_dummy(void) {;} /* So some compilers don't complain. */ -#endif /* WITH_SSL */ |