From 225d5a334fca1a52714f0120d0961236db0f236c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 19 Jun 2005 04:20:27 +0000 Subject: r7742: abstracted out the tls code from the web server, so that our other servers can easily become tls enabled. This will be used to add support for ldaps (This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f) --- source4/lib/tls/tls.c | 420 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 420 insertions(+) create mode 100644 source4/lib/tls/tls.c (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c new file mode 100644 index 0000000000..3b166b27a0 --- /dev/null +++ b/source4/lib/tls/tls.c 
@@ -0,0 +1,420 @@ +/* + Unix SMB/CIFS implementation. + + transport layer security handling code + + Copyright (C) Andrew Tridgell 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "lib/events/events.h" +#include "lib/socket/socket.h" +#include "lib/tls/tls.h" + +#if HAVE_LIBGNUTLS +#include "gnutls/gnutls.h" + +#define DH_BITS 1024 + +/* hold persistent tls data */ +struct tls_params { + gnutls_certificate_credentials x509_cred; + gnutls_dh_params dh_params; + BOOL tls_enabled; +}; + +/* hold per connection tls data */ +struct tls_context { + struct tls_params *params; + struct socket_context *socket; + struct fd_event *fde; + gnutls_session session; + BOOL done_handshake; + BOOL have_first_byte; + uint8_t first_byte; + BOOL tls_enabled; + BOOL tls_detect; + const char *plain_chars; + BOOL output_pending; +}; + + +/* + callback for reading from a socket +*/ +static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size) +{ + struct tls_context *tls = talloc_get_type(ptr, struct tls_context); + NTSTATUS status; + size_t nread; + + if (tls->have_first_byte) { + *(uint8_t *)buf = tls->first_byte; + tls->have_first_byte = False; + return 1; + } + + status = socket_recv(tls->socket, buf, size, &nread, 0); + if (!NT_STATUS_IS_OK(status)) { + EVENT_FD_READABLE(tls->fde); + 
EVENT_FD_NOT_WRITEABLE(tls->fde); + return -1; + } + if (tls->output_pending) { + EVENT_FD_WRITEABLE(tls->fde); + } + if (size != nread) { + EVENT_FD_READABLE(tls->fde); + } + return nread; +} + +/* + callback for writing to a socket +*/ +static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size) +{ + struct tls_context *tls = talloc_get_type(ptr, struct tls_context); + NTSTATUS status; + size_t nwritten; + DATA_BLOB b; + + if (!tls->tls_enabled) { + return size; + } + + b.data = discard_const(buf); + b.length = size; + + status = socket_send(tls->socket, &b, &nwritten, 0); + if (!NT_STATUS_IS_OK(status)) { + EVENT_FD_WRITEABLE(tls->fde); + return -1; + } + if (size != nwritten) { + EVENT_FD_WRITEABLE(tls->fde); + } + return nwritten; +} + +/* + destroy a tls session + */ +static int tls_destructor(void *ptr) +{ + struct tls_context *tls = talloc_get_type(ptr, struct tls_context); + int ret; + ret = gnutls_bye(tls->session, GNUTLS_SHUT_WR); + if (ret < 0) { + DEBUG(0,("TLS gnutls_bye failed - %s\n", gnutls_strerror(ret))); + } + return 0; +} + + +/* + possibly continue the handshake process +*/ +static NTSTATUS tls_handshake(struct tls_context *tls) +{ + int ret; + + if (tls->done_handshake) { + return NT_STATUS_OK; + } + + ret = gnutls_handshake(tls->session); + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + if (ret < 0) { + DEBUG(0,("TLS gnutls_handshake failed - %s\n", gnutls_strerror(ret))); + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + tls->done_handshake = True; + return NT_STATUS_OK; +} + + +/* + receive data either by tls or normal socket_recv +*/ +NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, + size_t *nread) +{ + int ret; + NTSTATUS status; + if (tls->tls_enabled && tls->tls_detect) { + status = socket_recv(tls->socket, &tls->first_byte, 1, nread, 0); + NT_STATUS_NOT_OK_RETURN(status); + if (*nread == 0) return NT_STATUS_OK; + tls->tls_detect = False; 
+ /* look for the first byte of a valid HTTP operation */ + if (strchr(tls->plain_chars, tls->first_byte)) { + /* not a tls link */ + tls->tls_enabled = False; + *(uint8_t *)buf = tls->first_byte; + return NT_STATUS_OK; + } + tls->have_first_byte = True; + } + + if (!tls->tls_enabled) { + return socket_recv(tls->socket, buf, wantlen, nread, 0); + } + + status = tls_handshake(tls); + NT_STATUS_NOT_OK_RETURN(status); + + ret = gnutls_record_recv(tls->session, buf, wantlen); + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + if (ret < 0) { + DEBUG(0,("gnutls_record_recv failed - %s\n", gnutls_strerror(ret))); + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + *nread = ret; + return NT_STATUS_OK; +} + + +/* + send data either by tls or normal socket_recv +*/ +NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) +{ + NTSTATUS status; + int ret; + + if (!tls->tls_enabled) { + return socket_send(tls->socket, blob, sendlen, 0); + } + + status = tls_handshake(tls); + NT_STATUS_NOT_OK_RETURN(status); + + ret = gnutls_record_send(tls->session, blob->data, blob->length); + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + if (ret < 0) { + DEBUG(0,("gnutls_record_send failed - %s\n", gnutls_strerror(ret))); + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + *sendlen = ret; + tls->output_pending = (ret < blob->length); + return NT_STATUS_OK; +} + + +/* + initialise global tls state +*/ +struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) +{ + struct tls_params *params; + int ret; + const char *keyfile = lp_tls_keyfile(); + const char *certfile = lp_tls_certfile(); + const char *cafile = lp_tls_cafile(); + const char *crlfile = lp_tls_crlfile(); + void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); + + params = talloc(mem_ctx, struct tls_params); + if (params == NULL) return NULL; + + if (!lp_tls_enabled() || keyfile == 
NULL || *keyfile == 0) { + params->tls_enabled = False; + return params; + } + + if (!file_exist(cafile)) { + tls_cert_generate(params, keyfile, certfile, cafile); + } + + ret = gnutls_global_init(); + if (ret < 0) goto init_failed; + + gnutls_certificate_allocate_credentials(¶ms->x509_cred); + if (ret < 0) goto init_failed; + + if (cafile && *cafile) { + ret = gnutls_certificate_set_x509_trust_file(params->x509_cred, cafile, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + DEBUG(0,("TLS failed to initialise cafile %s\n", cafile)); + goto init_failed; + } + } + + if (crlfile && *crlfile) { + ret = gnutls_certificate_set_x509_crl_file(params->x509_cred, + crlfile, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + DEBUG(0,("TLS failed to initialise crlfile %s\n", crlfile)); + goto init_failed; + } + } + + ret = gnutls_certificate_set_x509_key_file(params->x509_cred, + certfile, keyfile, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s\n", + certfile, keyfile)); + goto init_failed; + } + + ret = gnutls_dh_params_init(¶ms->dh_params); + if (ret < 0) goto init_failed; + + ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS); + if (ret < 0) goto init_failed; + + gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params); + + params->tls_enabled = True; + return params; + +init_failed: + DEBUG(0,("GNUTLS failed to initialise - %s\n", gnutls_strerror(ret))); + params->tls_enabled = False; + return params; +} + + +/* + setup for a new connection +*/ +struct tls_context *tls_init_server(struct tls_params *params, + struct socket_context *socket, + struct fd_event *fde, + const char *plain_chars) +{ + struct tls_context *tls; + int ret; + + tls = talloc(socket, struct tls_context); + if (tls == NULL) return NULL; + + tls->socket = socket; + tls->fde = fde; + + if (!params->tls_enabled) { + tls->tls_enabled = False; + return tls; + } + +#define TLSCHECK(call) do { \ + ret = call; \ + if (ret < 0) { \ + 
DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \ + goto failed; \ + } \ +} while (0) + + TLSCHECK(gnutls_init(&tls->session, GNUTLS_SERVER)); + + talloc_set_destructor(tls, tls_destructor); + + TLSCHECK(gnutls_set_default_priority(tls->session)); + TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, + params->x509_cred)); + gnutls_certificate_server_set_request(tls->session, GNUTLS_CERT_REQUEST); + gnutls_dh_set_prime_bits(tls->session, DH_BITS); + gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls); + gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull); + gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push); + gnutls_transport_set_lowat(tls->session, 0); + + tls->plain_chars = plain_chars; + if (plain_chars) { + tls->tls_detect = True; + } else { + tls->tls_detect = False; + } + + tls->output_pending = False; + tls->params = params; + tls->done_handshake = False; + tls->have_first_byte = False; + tls->tls_enabled = True; + + return tls; + +failed: + DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret))); + tls->tls_enabled = False; + params->tls_enabled = False; + return tls; +} + +BOOL tls_enabled(struct tls_context *tls) +{ + return tls->tls_enabled; +} + +BOOL tls_support(struct tls_params *params) +{ + return params->tls_enabled; +} + + +#else + +/* for systems without tls we just map the tls socket calls to the + normal socket calls */ + +struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) +{ + return talloc_new(mem_ctx); +} + +struct tls_context *tls_init_server(struct tls_params *params, + struct socket_context *sock, + struct fd_event *fde, + const char *plain_chars) +{ + if (plain_chars == NULL) return NULL; + return (struct tls_context *)sock; +} + + +NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, + size_t *nread) +{ + return socket_recv((struct socket_context *)tls, buf, wantlen, nread, 0); +} + +NTSTATUS 
tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) +{ + return socket_send((struct socket_context *)tls, blob, sendlen, 0); +} + +BOOL tls_enabled(struct tls_context *tls) +{ + return False; +} + +BOOL tls_support(struct tls_params *params) +{ + return False; +} + +#endif -- cgit From 28fd9ea80befe049ee786a9e4c7454181a576e9a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 19 Jun 2005 07:19:42 +0000 Subject: r7745: better handling of recv errors in tls library (This used to be commit 42d8a1a222430bd64962da7cc4ac0193b5c003f7) --- source4/lib/tls/tls.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 3b166b27a0..8f443c67d7 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -69,9 +69,19 @@ static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size) } status = socket_recv(tls->socket, buf, size, &nread, 0); + if (NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)) { + return 0; + } + if (NT_STATUS_IS_ERR(status)) { + EVENT_FD_NOT_READABLE(tls->fde); + EVENT_FD_NOT_WRITEABLE(tls->fde); + errno = EBADF; + return -1; + } if (!NT_STATUS_IS_OK(status)) { EVENT_FD_READABLE(tls->fde); EVENT_FD_NOT_WRITEABLE(tls->fde); + errno = EAGAIN; return -1; } if (tls->output_pending) { @@ -185,7 +195,6 @@ NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, return STATUS_MORE_ENTRIES; } if (ret < 0) { - DEBUG(0,("gnutls_record_recv failed - %s\n", gnutls_strerror(ret))); return NT_STATUS_UNEXPECTED_NETWORK_ERROR; } *nread = ret; -- cgit From c7496c6cdb7bdcdd483868c21457350f567ec054 Mon Sep 17 00:00:00 2001 
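Review bot: In tls_initialise the return value of `gnutls_certificate_allocate_credentials(&params->x509_cred)` is discarded, so the `if (ret < 0) goto init_failed;` that follows re-tests the result of `gnutls_global_init()` and an allocation failure is never caught; assign it, `ret = gnutls_certificate_allocate_credentials(&params->x509_cred);`. tls_destructor sends the close alert but never calls `gnutls_deinit(tls->session)`, so the gnutls session object outlives the talloc context it is tied to. In tls_socket_recv the plaintext probe `strchr(tls->plain_chars, tls->first_byte)` also matches a 0x00 first byte against the string terminator, so a leading NUL is classified as plaintext; guard it with `tls->first_byte != 0 &&`. The server asks for a client certificate with GNUTLS_CERT_REQUEST, but tls_handshake marks done_handshake and returns NT_STATUS_OK without ever verifying what was presented.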
From: Andrew Tridgell Date: Sun, 19 Jun 2005 09:31:34 +0000 Subject: r7747: - simplified the ldap server buffer handling - got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a) --- source4/lib/tls/tls.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 8f443c67d7..53b689f135 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -159,6 +159,20 @@ static NTSTATUS tls_handshake(struct tls_context *tls) return NT_STATUS_OK; } +/* + see how many bytes are pending on the connection +*/ +NTSTATUS tls_socket_pending(struct tls_context *tls, size_t *npending) +{ + if (!tls->tls_enabled || tls->tls_detect) { + return socket_pending(tls->socket, npending); + } + *npending = gnutls_record_check_pending(tls->session); + if (*npending == 0) { + return socket_pending(tls->socket, npending); + } + return NT_STATUS_OK; +} /* receive data either by tls or normal socket_recv @@ -222,7 +236,7 @@ NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t return STATUS_MORE_ENTRIES; } if (ret < 0) { - DEBUG(0,("gnutls_record_send failed - %s\n", gnutls_strerror(ret))); + DEBUG(0,("gnutls_record_send of %d failed - %s\n", blob->length, gnutls_strerror(ret))); return NT_STATUS_UNEXPECTED_NETWORK_ERROR; } *sendlen = ret; @@ -426,4 +440,9 @@ BOOL tls_support(struct tls_params *params) return False; } +NTSTATUS tls_socket_pending(struct tls_context *tls, size_t *npending) +{ + return socket_pending((struct socket_context *)tls, npending); +} + #endif -- cgit From 6720bd94b8506d652ddc273bdbe02944e5911e23 Mon Sep 17 00:00:00 2001 
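Review bot: The new DEBUG line in tls_socket_send prints `blob->length` with `%d`, but the DATA_BLOB length field appears to be a size_t (the same value is passed straight to gnutls_record_send as a size), so format and argument disagree and the printed value is wrong on LP64 targets; cast to the width the format names, `DEBUG(0,("gnutls_record_send of %lu failed - %s\n", (unsigned long)blob->length, gnutls_strerror(ret)));`. tls_socket_send's body continues outside the hunk.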
From: Andrew Tridgell
Date: Sun, 19 Jun 2005 11:00:13 +0000
Subject: r7750: handle STATUS_MORE_ENTRIES on send in tls (This used to be commit 135c3367ff737246ea40030d3c852769666ff522)
---
 source4/lib/tls/tls.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'source4/lib/tls/tls.c')
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 53b689f135..559a54a2f0 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -111,6 +111,10 @@ static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size)
 b.length = size;
 
 status = socket_send(tls->socket, &b, &nwritten, 0);
+ if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
+ errno = EAGAIN;
+ return -1;
+ }
 if (!NT_STATUS_IS_OK(status)) {
 EVENT_FD_WRITEABLE(tls->fde);
 return -1;
-- cgit
From 7a17da2186c628f0d8e8a43ca34320b0f10d9d8f Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sun, 19 Jun 2005 11:10:15 +0000
Subject: r7751: only enable tls on the ldaps port in ldap server, and reject non-tls connections on that port (This used to be commit 30da6a1cc41308a16a486111887f45bcf598f064)
---
 source4/lib/tls/tls.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'source4/lib/tls/tls.c')
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 559a54a2f0..86a2ca0f0b 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -332,7 +332,8 @@ init_failed:
 struct tls_context *tls_init_server(struct tls_params *params,
 struct socket_context *socket,
 struct fd_event *fde,
- const char *plain_chars)
+ const char *plain_chars,
+ BOOL tls_enable)
 {
 struct tls_context *tls;
 int ret;
@@ -343,7 +344,7 @@ struct tls_context *tls_init_server(struct tls_params *params,
 tls->socket = socket;
 tls->fde = fde;
 
- if (!params->tls_enabled) {
+ if (!params->tls_enabled || !tls_enable) {
 tls->tls_enabled = False;
 return tls;
 }
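Review bot: The generic failure branch right after the new STATUS_MORE_ENTRIES check still returns -1 without setting errno, so gnutls sees whatever errno an earlier call left behind — possibly the EAGAIN this hunk sets on a previous retry — and may treat a hard send failure as a transient one; mirror tls_pull's handling (r7745) and add `errno = EBADF;` before that `return -1;`. tls_push's body continues outside the hunk.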
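Review bot: With `if (!params->tls_enabled || !tls_enable)` a connection that explicitly asks for TLS is silently downgraded to plaintext whenever the global TLS setup is disabled or failed (tls_initialise clears params->tls_enabled on its init_failed path), and the caller gets a usable context with tls_enabled cleared rather than an error. Given the commit's aim of rejecting non-TLS connections on the ldaps port, I'd separate the cases: `if (!tls_enable) { tls->tls_enabled = False; return tls; }` followed by `if (!params->tls_enabled) { talloc_free(tls); return NULL; }`, since NULL already signals failure for the allocation case. The same downgrade exists in the non-GNUTLS stubs: tls_init_server in the `@@ -416,7 +416,8 @@` hunk and tls_init_client in r7769's `@@ -423,6 +523,13 @@` hunk ignore tls_enable and return the raw socket, and r7773's change only rejects when plain_chars is NULL. Whether the ldap server re-checks tls_enabled() afterwards is not visible here.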
@@ -402,7 +403,6 @@ BOOL tls_support(struct tls_params *params) return params->tls_enabled; } - #else /* for systems without tls we just map the tls socket calls to the @@ -416,7 +416,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) struct tls_context *tls_init_server(struct tls_params *params, struct socket_context *sock, struct fd_event *fde, - const char *plain_chars) + const char *plain_chars, + BOOL tls_enable) { if (plain_chars == NULL) return NULL; return (struct tls_context *)sock; -- cgit From 64bf731865c7ea0a95d658099e7578f4bae3a9cc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 20 Jun 2005 01:15:47 +0000 Subject: r7769: added client support in the tls library api (This used to be commit 71ee6a1df542b95c61217de71e6f56b8ce9d81b5) --- source4/lib/tls/tls.c | 131 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 119 insertions(+), 12 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 86a2ca0f0b..49f7b758c0 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -39,7 +39,6 @@ struct tls_params { /* hold per connection tls data */ struct tls_context { - struct tls_params *params; struct socket_context *socket; struct fd_event *fde; gnutls_session session; @@ -50,8 +49,19 @@ struct tls_context { BOOL tls_detect; const char *plain_chars; BOOL output_pending; + gnutls_certificate_credentials xcred; + BOOL interrupted; }; +#define TLSCHECK(call) do { \ + ret = call; \ + if (ret < 0) { \ + DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \ + goto failed; \ + } \ +} while (0) + + /* callback for reading from a socket @@ -80,7 +90,6 @@ static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size) } if (!NT_STATUS_IS_OK(status)) { EVENT_FD_READABLE(tls->fde); - EVENT_FD_NOT_WRITEABLE(tls->fde); errno = EAGAIN; return -1; } 
@@ -153,6 +162,9 @@ static NTSTATUS tls_handshake(struct tls_context *tls) ret = gnutls_handshake(tls->session); if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + if (gnutls_record_get_direction(tls->session) == 1) { + EVENT_FD_WRITEABLE(tls->fde); + } return STATUS_MORE_ENTRIES; } if (ret < 0) { @@ -163,6 +175,28 @@ static NTSTATUS tls_handshake(struct tls_context *tls) return NT_STATUS_OK; } +/* + possibly continue an interrupted operation +*/ +static NTSTATUS tls_interrupted(struct tls_context *tls) +{ + int ret; + + if (!tls->interrupted) { + return NT_STATUS_OK; + } + if (gnutls_record_get_direction(tls->session) == 1) { + ret = gnutls_record_send(tls->session, NULL, 0); + } else { + ret = gnutls_record_recv(tls->session, NULL, 0); + } + if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + return STATUS_MORE_ENTRIES; + } + tls->interrupted = False; + return NT_STATUS_OK; +} + /* see how many bytes are pending on the connection */ @@ -173,7 +207,12 @@ NTSTATUS tls_socket_pending(struct tls_context *tls, size_t *npending) } *npending = gnutls_record_check_pending(tls->session); if (*npending == 0) { - return socket_pending(tls->socket, npending); + NTSTATUS status = socket_pending(tls->socket, npending); + if (*npending == 0) { + /* seems to be a gnutls bug */ + (*npending) = 100; + } + return status; } return NT_STATUS_OK; } @@ -208,8 +247,15 @@ NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, status = tls_handshake(tls); NT_STATUS_NOT_OK_RETURN(status); + status = tls_interrupted(tls); + NT_STATUS_NOT_OK_RETURN(status); + ret = gnutls_record_recv(tls->session, buf, wantlen); if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + if (gnutls_record_get_direction(tls->session) == 1) { + EVENT_FD_WRITEABLE(tls->fde); + } + tls->interrupted = True; return STATUS_MORE_ENTRIES; } if (ret < 0) { 
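Review bot: tls_interrupted only propagates GNUTLS_E_INTERRUPTED/GNUTLS_E_AGAIN from the resumed call; any other negative return (a fatal alert, a corrupt record) is dropped, `interrupted` is cleared and NT_STATUS_OK is returned, so the caller proceeds to a fresh gnutls_record_recv/send on a session that has just failed. Add `if (ret < 0) { return NT_STATUS_UNEXPECTED_NETWORK_ERROR; }` before clearing the flag, matching what tls_handshake does for its failures. Resuming with `NULL, 0` is what gnutls documents for an interrupted gnutls_record_send; I am less sure it is valid for gnutls_record_recv, so that is worth confirming against the gnutls version in use.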
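Review bot: Reporting `*npending = 100` when both gnutls_record_check_pending and socket_pending say nothing is pending hands callers a fabricated byte count; a caller that sizes a read from it or loops until the count is consumed (not visible here) will issue reads that come back STATUS_MORE_ENTRIES instead of data. If the observed behaviour is that gnutls holds a buffered-but-undecrypted record that check_pending does not report, the comment should say so and the value should be a named constant rather than a magic 100, e.g. `/* gnutls may hold an undecrypted record that check_pending does not count; report a nominal size so the caller polls once more */`. Without the underlying cause recorded, the workaround will be hard to retire.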
@@ -235,8 +281,15 @@ NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t status = tls_handshake(tls); NT_STATUS_NOT_OK_RETURN(status); + status = tls_interrupted(tls); + NT_STATUS_NOT_OK_RETURN(status); + ret = gnutls_record_send(tls->session, blob->data, blob->length); if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) { + if (gnutls_record_get_direction(tls->session) == 1) { + EVENT_FD_WRITEABLE(tls->fde); + } + tls->interrupted = True; return STATUS_MORE_ENTRIES; } if (ret < 0) { @@ -317,6 +370,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params); params->tls_enabled = True; + return params; init_failed: @@ -349,14 +403,6 @@ struct tls_context *tls_init_server(struct tls_params *params, return tls; } -#define TLSCHECK(call) do { \ - ret = call; \ - if (ret < 0) { \ - DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \ - goto failed; \ - } \ -} while (0) - TLSCHECK(gnutls_init(&tls->session, GNUTLS_SERVER)); talloc_set_destructor(tls, tls_destructor); @@ -379,10 +425,10 @@ struct tls_context *tls_init_server(struct tls_params *params, } tls->output_pending = False; - tls->params = params; tls->done_handshake = False; tls->have_first_byte = False; tls->tls_enabled = True; + tls->interrupted = False; return tls; 
@@ -393,6 +439,60 @@ failed: return tls; } + +/* + setup for a new client connection +*/ +struct tls_context *tls_init_client(struct socket_context *socket, + struct fd_event *fde, + BOOL tls_enable) +{ + struct tls_context *tls; + int ret; + const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; + tls = talloc(socket, struct tls_context); + if (tls == NULL) return NULL; + + tls->socket = socket; + tls->fde = fde; + tls->tls_enabled = tls_enable; + + if (!tls->tls_enabled) { + return tls; + } + + gnutls_global_init(); + + gnutls_certificate_allocate_credentials(&tls->xcred); + gnutls_certificate_set_x509_trust_file(tls->xcred, lp_tls_cafile(), + GNUTLS_X509_FMT_PEM); + TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT)); + TLSCHECK(gnutls_set_default_priority(tls->session)); + gnutls_certificate_type_set_priority(tls->session, cert_type_priority); + TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, tls->xcred)); + + talloc_set_destructor(tls, tls_destructor); + + gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr)tls); + gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull); + gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push); + gnutls_transport_set_lowat(tls->session, 0); + tls->tls_detect = False; + + tls->output_pending = False; + tls->done_handshake = False; + tls->have_first_byte = False; + tls->tls_enabled = True; + tls->interrupted = False; + + return tls; + +failed: + DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret))); + tls->tls_enabled = False; + return tls; +} + BOOL tls_enabled(struct tls_context *tls) { return tls->tls_enabled; 
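Review bot: tls_init_client loads the CA file into xcred but nothing verifies the server's certificate against it: tls_handshake (outside this hunk) marks done_handshake and returns NT_STATUS_OK as soon as gnutls_handshake succeeds, and no call to gnutls_certificate_verify_peers2 appears anywhere in the file, so the client accepts any certificate and the trust file has no effect. The return values of `gnutls_global_init()`, `gnutls_certificate_allocate_credentials()` and `gnutls_certificate_set_x509_trust_file()` are also discarded, so a missing or unreadable CA file leaves an empty trust store without any error. I'd add chain verification where tls_handshake completes, as in the excerpt below, with `tls->xcred = NULL;` set in tls_init_server so the check can tell client sessions apart (talloc() does not zero the struct); matching the certificate to the server name is a separate step that would follow it. xcred is also never released — tls_destructor only sends the close alert — so a `gnutls_certificate_free_credentials(tls->xcred)` belongs there for client sessions.
```c
	/* in tls_handshake(), replacing the two lines after the ret < 0 check */
	if (tls->xcred != NULL) {
		unsigned int vstatus = 0;
		ret = gnutls_certificate_verify_peers2(tls->session, &vstatus);
		if (ret < 0 || vstatus != 0) {
			DEBUG(0,("TLS peer certificate verification failed - status 0x%x\n", vstatus));
			return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
		}
	}
	tls->done_handshake = True;
	return NT_STATUS_OK;
```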
@@ -423,6 +523,13 @@ struct tls_context *tls_init_server(struct tls_params *params, return (struct tls_context *)sock; } +struct tls_context *tls_init_client(struct socket_context *sock, + struct fd_event *fde, + BOOL tls_enable) +{ + return (struct tls_context *)sock; +} + NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, size_t *nread) -- cgit From 30b68a0af2df78958aa6ec73b00014e55711a777 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 20 Jun 2005 04:18:23 +0000 Subject: r7773: fixed the tls code for the non-GNUTLS case (This used to be commit bc6bc84ef4ad3434c6cb8d94a8d7a105ad2fd8c2) --- source4/lib/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 49f7b758c0..f89e2f1028 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -519,7 +519,7 @@ struct tls_context *tls_init_server(struct tls_params *params, const char *plain_chars, BOOL tls_enable) { - if (plain_chars == NULL) return NULL; + if (tls_enable && plain_chars == NULL) return NULL; return (struct tls_context *)sock; } -- cgit From 8c53aba485e7986baacf91b2c99ef7999142aee4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Jun 2005 00:12:44 +0000 Subject: r7912: make private_path() recognise a non-relative filename, so we can have sam database = sam.ldb and it will know to put it in the private dir, but if you use sam database = ldap://server it knows to use it as-is (This used to be commit c5bccbc366db144d3e1cb7b21f0e3284d841dd06) --- source4/lib/tls/tls.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index f89e2f1028..12087639c1 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c 
@@ -309,17 +309,22 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) { struct tls_params *params; int ret; - const char *keyfile = lp_tls_keyfile(); - const char *certfile = lp_tls_certfile(); - const char *cafile = lp_tls_cafile(); - const char *crlfile = lp_tls_crlfile(); + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + const char *keyfile = private_path(tmp_ctx, lp_tls_keyfile()); + const char *certfile = private_path(tmp_ctx, lp_tls_certfile()); + const char *cafile = private_path(tmp_ctx, lp_tls_cafile()); + const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile()); void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); - if (params == NULL) return NULL; + if (params == NULL) { + talloc_free(tmp_ctx); + return NULL; + } if (!lp_tls_enabled() || keyfile == NULL || *keyfile == 0) { params->tls_enabled = False; + talloc_free(tmp_ctx); return params; } @@ -371,11 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) params->tls_enabled = True; + talloc_free(tmp_ctx); return params; init_failed: DEBUG(0,("GNUTLS failed to initialise - %s\n", gnutls_strerror(ret))); params->tls_enabled = False; + talloc_free(tmp_ctx); return params; } @@ -450,6 +457,8 @@ struct tls_context *tls_init_client(struct socket_context *socket, struct tls_context *tls; int ret; const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; + char *cafile; + tls = talloc(socket, struct tls_context); if (tls == NULL) return NULL; 
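Review bot: `tmp_ctx = talloc_new(mem_ctx)` is used as the context for the four private_path() calls without a NULL check, so an allocation failure is only noticed — if at all — when the later `talloc(mem_ctx, ...)` also fails; add `if (tmp_ctx == NULL) return NULL;` before the private_path calls, which means moving those four initialisers below the check. What private_path does with a NULL context is not visible here. tls_initialise's body continues outside the hunk.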
@@ -461,11 +470,16 @@ struct tls_context *tls_init_client(struct socket_context *socket, return tls; } + cafile = private_path(tls, lp_tls_cafile()); + if (!cafile || !*cafile) { + goto failed; + } + gnutls_global_init(); gnutls_certificate_allocate_credentials(&tls->xcred); - gnutls_certificate_set_x509_trust_file(tls->xcred, lp_tls_cafile(), - GNUTLS_X509_FMT_PEM); + gnutls_certificate_set_x509_trust_file(tls->xcred, cafile, GNUTLS_X509_FMT_PEM); + talloc_free(cafile); TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT)); TLSCHECK(gnutls_set_default_priority(tls->session)); gnutls_certificate_type_set_priority(tls->session, cert_type_priority); -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/lib/tls/tls.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 12087639c1..bbb7fde9f3 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -23,7 +23,6 @@ #include "includes.h" #include "lib/events/events.h" #include "lib/socket/socket.h" -#include "lib/tls/tls.h" #if HAVE_LIBGNUTLS #include "gnutls/gnutls.h" -- cgit From 0f921145d5bb687f2cbf4217fc199d3a133ac583 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 15 Mar 2006 02:41:25 +0000 Subject: r14412: init a var (This used to be commit ec53f5fe9617ea36295522a410161bbca6edf9ad) --- source4/lib/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index bbb7fde9f3..3d40fdafa0 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c 
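Review bot: The CA file name is now checked, but the `gnutls_certificate_set_x509_trust_file()` call that loads it is still unchecked, so an unreadable or malformed file leaves xcred with no trust anchors and the connection continues; wrap it in the existing macro, `TLSCHECK(gnutls_certificate_set_x509_trust_file(tls->xcred, cafile, GNUTLS_X509_FMT_PEM));`, and since the call returns the number of certificates loaded, a 0 result also deserves a `goto failed`. On the `!cafile` path `ret` is uninitialised when `failed:` formats it, and even once initialised the message would report gnutls_strerror(0), so log the missing CA file explicitly before that goto. tls_init_client's body continues outside the hunk.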
@@ -454,7 +454,7 @@ struct tls_context *tls_init_client(struct socket_context *socket, BOOL tls_enable) { struct tls_context *tls; - int ret; + int ret=0; const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; char *cafile; -- cgit From c2cc10c7869221c7f43cbbb151feb4c4db173cb9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 30 Apr 2006 05:58:31 +0000 Subject: r15356: Remove unused 'flags' argument from socket_send() and friends. This is in preperation for making TLS a socket library. Andrew Bartlett (This used to be commit a312812b92f5ac7e6bd2c4af725dbbbc900d4452) --- source4/lib/tls/tls.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 3d40fdafa0..7c129b573c 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -77,7 +77,7 @@ static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size) return 1; } - status = socket_recv(tls->socket, buf, size, &nread, 0); + status = socket_recv(tls->socket, buf, size, &nread); if (NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)) { return 0; } @@ -118,7 +118,7 @@ static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size) b.data = discard_const(buf); b.length = size; - status = socket_send(tls->socket, &b, &nwritten, 0); + status = socket_send(tls->socket, &b, &nwritten); if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { errno = EAGAIN; return -1; @@ -225,7 +225,7 @@ NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, int ret; NTSTATUS status; if (tls->tls_enabled && tls->tls_detect) { - status = socket_recv(tls->socket, &tls->first_byte, 1, nread, 0); + status = socket_recv(tls->socket, &tls->first_byte, 1, nread); NT_STATUS_NOT_OK_RETURN(status); if (*nread == 0) return NT_STATUS_OK; tls->tls_detect = False; 
@@ -240,7 +240,7 @@ NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, } if (!tls->tls_enabled) { - return socket_recv(tls->socket, buf, wantlen, nread, 0); + return socket_recv(tls->socket, buf, wantlen, nread); } status = tls_handshake(tls); @@ -274,7 +274,7 @@ NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t int ret; if (!tls->tls_enabled) { - return socket_send(tls->socket, blob, sendlen, 0); + return socket_send(tls->socket, blob, sendlen); } status = tls_handshake(tls); -- cgit From ab758f383dfd03f3c51f647829f14ecca6a9807c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 30 Apr 2006 06:44:19 +0000 Subject: r15357: Fix the build on systems without GNUTLS. Andrew Bartlett (This used to be commit 2cd2e524e6e1acb2e2921e32c5551f528aa04bf4) --- source4/lib/tls/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 7c129b573c..5fd80e383a 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -547,12 +547,12 @@ struct tls_context *tls_init_client(struct socket_context *sock, NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, size_t *nread) { - return socket_recv((struct socket_context *)tls, buf, wantlen, nread, 0); + return socket_recv((struct socket_context *)tls, buf, wantlen, nread); } NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) { - return socket_send((struct socket_context *)tls, blob, sendlen, 0); + return socket_send((struct socket_context *)tls, blob, sendlen); } BOOL tls_enabled(struct tls_context *tls) -- cgit From 742c110cd67f4995639822981e8bfcb1f652f2c4 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 2 May 2006 20:15:47 +0000 Subject: r15400: Move the TLS code behind the socket interface. This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497) --- source4/lib/tls/tls.c | 219 ++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 158 insertions(+), 61 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 5fd80e383a..2872669948 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -3,8 +3,10 @@ transport layer security handling code - Copyright (C) Andrew Tridgell 2005 - + Copyright (C) Andrew Tridgell 2004-2005 + Copyright (C) Stefan Metzmacher 2004 + Copyright (C) Andrew Bartlett 2006 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or 
@@ -35,23 +37,61 @@ struct tls_params { gnutls_dh_params dh_params; BOOL tls_enabled; }; +#endif /* hold per connection tls data */ struct tls_context { struct socket_context *socket; struct fd_event *fde; + BOOL tls_enabled; +#if HAVE_LIBGNUTLS gnutls_session session; BOOL done_handshake; BOOL have_first_byte; uint8_t first_byte; - BOOL tls_enabled; BOOL tls_detect; const char *plain_chars; BOOL output_pending; gnutls_certificate_credentials xcred; BOOL interrupted; +#endif }; +BOOL tls_enabled(struct socket_context *sock) +{ + struct tls_context *tls; + if (!sock) { + return False; + } + if (strcmp(sock->backend_name, "tls") != 0) { + return False; + } + tls = talloc_get_type(sock->private_data, struct tls_context); + if (!tls) { + return False; + } + return tls->tls_enabled; +} + + +#if HAVE_LIBGNUTLS + +static const struct socket_ops tls_socket_ops; + +static NTSTATUS tls_socket_init(struct socket_context *sock) +{ + switch (sock->type) { + case SOCKET_TYPE_STREAM: + break; + default: + return NT_STATUS_INVALID_PARAMETER; + } + + sock->backend_name = "tls"; + + return NT_STATUS_OK; +} + #define TLSCHECK(call) do { \ ret = call; \ if (ret < 0) { \ @@ -61,7 +101,6 @@ struct tls_context { } while (0) - /* callback for reading from a socket */ @@ -199,8 +238,9 @@ static NTSTATUS tls_interrupted(struct tls_context *tls) /* see how many bytes are pending on the connection */ -NTSTATUS tls_socket_pending(struct tls_context *tls, size_t *npending) +static NTSTATUS tls_socket_pending(struct socket_context *sock, size_t *npending) { + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); if (!tls->tls_enabled || tls->tls_detect) { return socket_pending(tls->socket, npending); } 
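Review bot: `tls_enabled()` in the first hunk hands `sock->backend_name` straight to `strcmp`, so a socket whose backend never assigned the name is dereferenced at NULL before the `"tls"` comparison; `if (!sock->backend_name || strcmp(sock->backend_name, "tls") != 0) {` keeps the function safe to call on any socket, which its public shape invites. The only assignment of the name visible here is `sock->backend_name = "tls";` in `tls_socket_init`, so whether every other backend sets it cannot be confirmed from this hunk. In the `tls_socket_pending` hunk the `talloc_get_type()` result is dereferenced unchecked although it returns NULL on a type-name mismatch; `if (!tls) return NT_STATUS_INVALID_PARAMETER;` fails loudly instead of crashing, and the recv and send hunks that follow share this pattern.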
@@ -219,11 +259,13 @@ NTSTATUS tls_socket_pending(struct tls_context *tls, size_t *npending) /* receive data either by tls or normal socket_recv */ -NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, - size_t *nread) +static NTSTATUS tls_socket_recv(struct socket_context *sock, void *buf, + size_t wantlen, size_t *nread) { int ret; NTSTATUS status; + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); + if (tls->tls_enabled && tls->tls_detect) { status = socket_recv(tls->socket, &tls->first_byte, 1, nread); NT_STATUS_NOT_OK_RETURN(status); @@ -268,10 +310,12 @@ NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, /* send data either by tls or normal socket_recv */ -NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) +static NTSTATUS tls_socket_send(struct socket_context *sock, + const DATA_BLOB *blob, size_t *sendlen) { NTSTATUS status; int ret; + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); if (!tls->tls_enabled) { return socket_send(tls->socket, blob, sendlen); 
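Review bot: The detection path at the end of the `tls_socket_recv` hunk reads one byte into `tls->first_byte`, and the part of the body that lies beyond this hunk (visible as context in the later `r25522` hunk on this page) classifies it with `strchr(tls->plain_chars, tls->first_byte)`; because `strchr` also matches the terminating NUL, a first byte of 0x00 is treated as plaintext and TLS is switched off for that connection. `if (tls->first_byte != 0 && strchr(tls->plain_chars, tls->first_byte))` makes the plaintext set exactly the characters listed in `plain_chars`. The `tls` pointer taken from `talloc_get_type()` in both the recv and send hunks is also used without a NULL check, as in the `tls_socket_pending` hunk above. Both function bodies continue outside their hunks.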
@@ -389,24 +433,41 @@ init_failed: /* setup for a new connection */ -struct tls_context *tls_init_server(struct tls_params *params, +struct socket_context *tls_init_server(struct tls_params *params, struct socket_context *socket, struct fd_event *fde, - const char *plain_chars, - BOOL tls_enable) + const char *plain_chars) { struct tls_context *tls; int ret; + struct socket_context *new_sock; + NTSTATUS nt_status; + + nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, + SOCKET_TYPE_STREAM, 0); + if (!NT_STATUS_IS_OK(nt_status)) { + return NULL; + } - tls = talloc(socket, struct tls_context); - if (tls == NULL) return NULL; + tls = talloc(new_sock, struct tls_context); + if (tls == NULL) { + return NULL; + } tls->socket = socket; tls->fde = fde; + if (talloc_reference(tls, fde) == NULL) { + return NULL; + } + if (talloc_reference(tls, socket) == NULL) { + return NULL; + } + + new_sock->private_data = tls; - if (!params->tls_enabled || !tls_enable) { + if (!params->tls_enabled) { tls->tls_enabled = False; - return tls; + return new_sock; } TLSCHECK(gnutls_init(&tls->session, GNUTLS_SERVER)); 
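Review bot: In the `tls_init_server` hunk every early `return NULL` that follows a successful `socket_create_with_ops()` — the `talloc()` failure and the two `talloc_reference()` failures — leaves `new_sock` allocated on `socket`, so the wrapper lives as long as the underlying socket while the caller sees a failure; each of those paths should run `talloc_free(new_sock);` before returning. The `!params->tls_enabled` test reads only `params` and could sit above `socket_create_with_ops()`, so the disabled case does not allocate a wrapper only to hand back a `"tls"` socket that carries plaintext; how callers tell that socket from a real TLS one is not visible here. `tls_init_client` in the next hunk has the same `if (tls == NULL) return NULL;` leak. The function body continues past this hunk.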
@@ -436,38 +497,49 @@ struct tls_context *tls_init_server(struct tls_params *params, tls->tls_enabled = True; tls->interrupted = False; - return tls; + new_sock->state = SOCKET_STATE_SERVER_CONNECTED; + + return new_sock; failed: DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret))); tls->tls_enabled = False; params->tls_enabled = False; - return tls; + return new_sock; } /* setup for a new client connection */ -struct tls_context *tls_init_client(struct socket_context *socket, - struct fd_event *fde, - BOOL tls_enable) +struct socket_context *tls_init_client(struct socket_context *socket, + struct fd_event *fde) { struct tls_context *tls; - int ret=0; + int ret = 0; const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; char *cafile; + struct socket_context *new_sock; + NTSTATUS nt_status; + + nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, + SOCKET_TYPE_STREAM, 0); + if (!NT_STATUS_IS_OK(nt_status)) { + return NULL; + } - tls = talloc(socket, struct tls_context); + tls = talloc(new_sock, struct tls_context); if (tls == NULL) return NULL; tls->socket = socket; tls->fde = fde; - tls->tls_enabled = tls_enable; - - if (!tls->tls_enabled) { - return tls; + if (talloc_reference(tls, fde) == NULL) { + return NULL; + } + if (talloc_reference(tls, socket) == NULL) { + return NULL; } + new_sock->private_data = tls; cafile = private_path(tls, lp_tls_cafile()); if (!cafile || !*cafile) { 
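Review bot: The `failed:` label at the top of this hunk still executes `params->tls_enabled = False;` for a failure on one connection, so a single aborted `TLSCHECK` turns TLS off for every later connection that shares `params`, and the current connection is then returned as a working plaintext `new_sock` instead of an error. A per-connection failure should neither mutate the shared parameters nor hand back a usable socket; replacing `tls->tls_enabled = False; params->tls_enabled = False; return new_sock;` with `talloc_free(new_sock); return NULL;` keeps the failure visible to the caller. In `tls_init_client` further down, the `return NULL` paths after `socket_create_with_ops()` likewise leave `new_sock` allocated on `socket`. Both functions continue outside this hunk.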
@@ -498,76 +570,101 @@ struct tls_context *tls_init_client(struct socket_context *socket, tls->tls_enabled = True; tls->interrupted = False; - return tls; + new_sock->state = SOCKET_STATE_CLIENT_CONNECTED; + + return new_sock; failed: DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret))); tls->tls_enabled = False; - return tls; + return new_sock; } -BOOL tls_enabled(struct tls_context *tls) +static NTSTATUS tls_socket_set_option(struct socket_context *sock, const char *option, const char *val) { - return tls->tls_enabled; + set_socket_options(socket_get_fd(sock), option); + return NT_STATUS_OK; } -BOOL tls_support(struct tls_params *params) +static char *tls_socket_get_peer_name(struct socket_context *sock, TALLOC_CTX *mem_ctx) { - return params->tls_enabled; + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); + return socket_get_peer_name(tls->socket, mem_ctx); } -#else - -/* for systems without tls we just map the tls socket calls to the - normal socket calls */ - -struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) +static struct socket_address *tls_socket_get_peer_addr(struct socket_context *sock, TALLOC_CTX *mem_ctx) { - return talloc_new(mem_ctx); + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); + return socket_get_peer_addr(tls->socket, mem_ctx); } -struct tls_context *tls_init_server(struct tls_params *params, - struct socket_context *sock, - struct fd_event *fde, - const char *plain_chars, - BOOL tls_enable) +static struct socket_address *tls_socket_get_my_addr(struct socket_context *sock, TALLOC_CTX *mem_ctx) { - if (tls_enable && plain_chars == NULL) return NULL; - return (struct tls_context *)sock; + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); + return socket_get_my_addr(tls->socket, mem_ctx); } -struct tls_context *tls_init_client(struct socket_context *sock, - struct fd_event *fde, - BOOL tls_enable) +static int 
tls_socket_get_fd(struct socket_context *sock) { - return (struct tls_context *)sock; + struct tls_context *tls = talloc_get_type(sock->private_data, struct tls_context); + return socket_get_fd(tls->socket); } +static const struct socket_ops tls_socket_ops = { + .name = "tls", + .fn_init = tls_socket_init, + .fn_recv = tls_socket_recv, + .fn_send = tls_socket_send, + .fn_pending = tls_socket_pending, + + .fn_set_option = tls_socket_set_option, -NTSTATUS tls_socket_recv(struct tls_context *tls, void *buf, size_t wantlen, - size_t *nread) + .fn_get_peer_name = tls_socket_get_peer_name, + .fn_get_peer_addr = tls_socket_get_peer_addr, + .fn_get_my_addr = tls_socket_get_my_addr, + .fn_get_fd = tls_socket_get_fd +}; + +BOOL tls_support(struct tls_params *params) { - return socket_recv((struct socket_context *)tls, buf, wantlen, nread); + return params->tls_enabled; } -NTSTATUS tls_socket_send(struct tls_context *tls, const DATA_BLOB *blob, size_t *sendlen) +#else + +/* for systems without tls we just map the tls socket calls to the + normal socket calls */ + +struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) { - return socket_send((struct socket_context *)tls, blob, sendlen); + return talloc_new(mem_ctx); } -BOOL tls_enabled(struct tls_context *tls) +/* + setup for a new connection +*/ +struct socket_context *tls_init_server(struct tls_params *params, + struct socket_context *socket, + struct fd_event *fde, + const char *plain_chars) { - return False; + return socket; } -BOOL tls_support(struct tls_params *params) + +/* + setup for a new client connection +*/ +struct socket_context *tls_init_client(struct socket_context *socket, + struct fd_event *fde) { - return False; + return socket; } -NTSTATUS tls_socket_pending(struct tls_context *tls, size_t *npending) +BOOL tls_support(struct tls_params *params) { - return socket_pending((struct socket_context *)tls, npending); + return False; } #endif + -- cgit 
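Review bot: The client `failed:` path near the top of this hunk sets `tls->tls_enabled = False;` and returns `new_sock`, so when `cafile` is unset (the `goto failed` in the previous hunk) or any `TLSCHECK` fails, the caller that asked for a TLS client receives a socket that silently transmits in the clear; `talloc_free(new_sock); return NULL;` would turn the downgrade into an explicit error. `tls_socket_set_option()` ignores its `val` argument and the return of `set_socket_options()` and always reports `NT_STATUS_OK`; if the backend contract permits, either honour `val` or return an error for unsupported options rather than claiming success. `tls_socket_get_peer_name`, `tls_socket_get_peer_addr`, `tls_socket_get_my_addr` and `tls_socket_get_fd` dereference the `talloc_get_type()` result without a NULL check, as do the recv, send and pending callbacks earlier in this commit.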
From 971d30bb201f5c3faff5f575d26882eb79f7955a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 24 May 2006 07:34:11 +0000 Subject: r15854: more talloc_set_destructor() typesafe fixes (This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3) --- source4/lib/tls/tls.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 2872669948..936c18c0c6 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -175,9 +175,8 @@ static ssize_t tls_push(gnutls_transport_ptr ptr, const void *buf, size_t size) /* destroy a tls session */ -static int tls_destructor(void *ptr) +static int tls_destructor(struct tls_context *tls) { - struct tls_context *tls = talloc_get_type(ptr, struct tls_context); int ret; ret = gnutls_bye(tls->session, GNUTLS_SHUT_WR); if (ret < 0) { -- cgit From a1a842eb44b5bbb59af445af7a2c4a00e8c0188a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 21 Jul 2006 01:34:56 +0000 Subject: r17168: Now that TLS (and soon SASL) is below the socket layer, we need to make the testnonblock skip some things. The socket *under* the tls socket is still tested. Andrew Bartlett (This used to be commit 9c33c6a20a77e3f15eac3d62488117517afad940) --- source4/lib/tls/tls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 936c18c0c6..1ba8ae9779 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -443,7 +443,8 @@ struct socket_context *tls_init_server(struct tls_params *params, NTSTATUS nt_status; nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, - SOCKET_TYPE_STREAM, 0); + SOCKET_TYPE_STREAM, + socket->flags | SOCKET_FLAG_FAKE); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } 
@@ -522,7 +523,8 @@ struct socket_context *tls_init_client(struct socket_context *socket, NTSTATUS nt_status; nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, - SOCKET_TYPE_STREAM, 0); + SOCKET_TYPE_STREAM, + socket->flags | SOCKET_FLAG_FAKE); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } -- cgit From ba07fa43d0b0090f5e686d8c1822468049f52416 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 23 Jul 2006 02:50:08 +0000 Subject: r17197: This patch moves the encryption of bulk data on SASL negotiated security contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this patch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). 
In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0) --- source4/lib/tls/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 1ba8ae9779..f9213af2a7 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -444,7 +444,7 @@ struct socket_context *tls_init_server(struct tls_params *params, nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, SOCKET_TYPE_STREAM, - socket->flags | SOCKET_FLAG_FAKE); + socket->flags | SOCKET_FLAG_ENCRYPT); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } @@ -524,7 +524,7 @@ struct socket_context *tls_init_client(struct socket_context *socket, nt_status = socket_create_with_ops(socket, &tls_socket_ops, &new_sock, SOCKET_TYPE_STREAM, - socket->flags | SOCKET_FLAG_FAKE); + socket->flags | SOCKET_FLAG_ENCRYPT); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } -- cgit From 9d6f2767179fad2f9a067c67c09afddb6304e4eb Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 25 Jul 2006 00:57:27 +0000 Subject: r17222: Change the function prototypes for the GENSEc and TLS socket creation routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-though' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2) --- source4/lib/tls/tls.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index f9213af2a7..9a37dd0bc3 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -433,9 +433,9 @@ init_failed: setup for a new connection */ struct socket_context *tls_init_server(struct tls_params *params, - struct socket_context *socket, - struct fd_event *fde, - const char *plain_chars) + struct socket_context *socket, + struct fd_event *fde, + const char *plain_chars) { struct tls_context *tls; int ret; @@ -457,17 +457,19 @@ struct socket_context *tls_init_server(struct tls_params *params, tls->socket = socket; tls->fde = fde; if (talloc_reference(tls, fde) == NULL) { + talloc_free(new_sock); return NULL; } if (talloc_reference(tls, socket) == NULL) { + talloc_free(new_sock); return NULL; } new_sock->private_data = tls; if (!params->tls_enabled) { - tls->tls_enabled = False; - return new_sock; + talloc_free(new_sock); + return NULL; } TLSCHECK(gnutls_init(&tls->session, GNUTLS_SERVER)); @@ -503,9 +505,8 @@ struct socket_context *tls_init_server(struct tls_params *params, failed: DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret))); - tls->tls_enabled = False; - params->tls_enabled = False; - return new_sock; + talloc_free(new_sock); + return NULL; } 
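Review bot: The `!params->tls_enabled` branch in the second `tls_init_server` hunk now creates `new_sock`, takes two talloc references and then frees the lot before returning NULL; the test reads only `params`, so `if (!params->tls_enabled) { return NULL; }` as the first statement gives the same result without the allocation round trip. The commit description says a new socket is always returned, yet this path returns NULL, so callers presumably must treat NULL as "keep the original socket" — worth stating on the function, e.g. `/* returns NULL when TLS is disabled or cannot be set up; the caller keeps using 'socket' */`. In the `failed:` hunk `talloc_free(new_sock)` runs after `gnutls_init()` may already have succeeded; whether the session is released depends on the destructor being attached before the first `TLSCHECK`, which is outside this hunk — confirm. tls_init_server continues outside both hunks.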
@@ -649,7 +650,10 @@ struct socket_context *tls_init_server(struct tls_params *params, struct fd_event *fde, const char *plain_chars) { - return socket; + if (plain_chars) { + return socket; + } + return NULL; } @@ -659,7 +663,7 @@ struct socket_context *tls_init_server(struct tls_params *params, struct socket_context *tls_init_client(struct socket_context *socket, struct fd_event *fde) { - return socket; + return NULL; } BOOL tls_support(struct tls_params *params) -- cgit From 84b0eb6a57226b49dc835dda1fa4ed56ebe00037 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Jul 2006 03:51:20 +0000 Subject: r17286: Simply fail the tls_initialise if we don't have TLS compiled in. Adjust the web_server code to cope with this. Andrew Bartlett (This used to be commit 3043969708edbdab58ee57e2fbffa293b6406813) --- source4/lib/tls/tls.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 9a37dd0bc3..c3a6047e06 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -634,8 +634,8 @@ BOOL tls_support(struct tls_params *params) #else -/* for systems without tls we just map the tls socket calls to the - normal socket calls */ +/* for systems without tls we just fail the operations, and the caller + * will retain the original socket */ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) { @@ -650,9 +650,6 @@ struct socket_context *tls_init_server(struct tls_params *params, struct fd_event *fde, const char *plain_chars) { - if (plain_chars) { - return socket; - } return NULL; } -- cgit From adefa4404cb612d8066b3a19f6fd545428e6441b Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 3 Aug 2006 08:02:54 +0000 Subject: r17379: Pre-generate DH parameters, to avoid doing this at runtime in our testsuite. Andrew Bartlett (This used to be commit 23314c3953676124a2ad06e8b3a3b297c11f2800) --- source4/lib/tls/tls.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index c3a6047e06..2a02ffa237 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -356,6 +356,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) const char *certfile = private_path(tmp_ctx, lp_tls_certfile()); const char *cafile = private_path(tmp_ctx, lp_tls_cafile()); const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile()); + const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile()); void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); @@ -408,12 +409,25 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) goto init_failed; } + ret = gnutls_dh_params_init(¶ms->dh_params); if (ret < 0) goto init_failed; - ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS); - if (ret < 0) goto init_failed; + if (dhpfile) { + gnutls_datum_t dhparms; + dhparms.data = (uint8_t *)file_load(dhpfile, &dhparms.size, mem_ctx); + if (!dhparms.data) { + goto init_failed; + } + + ret = gnutls_dh_params_import_pkcs3(params->dh_params, &dhparms, GNUTLS_X509_FMT_PEM); + if (ret < 0) goto init_failed; + } else { + ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS); + if (ret < 0) goto init_failed; + } + gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params); params->tls_enabled = True; -- cgit From 976b01b01a057de168355f5eab8c6f7caee0a4c1 Mon Sep 17 00:00:00 2001 
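Review bot: `file_load(dhpfile, &dhparms.size, mem_ctx)` in the second `tls_initialise` hunk parents the loaded PEM buffer on the caller's `mem_ctx` although it is only needed until `gnutls_dh_params_import_pkcs3()` returns; the function already has a `tmp_ctx` for its temporaries (used for `dhpfile` in the first hunk), so `file_load(dhpfile, &size, tmp_ctx)` releases it with the rest. An import failure jumps to `init_failed` without recording the cause; `DEBUG(0,("Failed to import DH params from %s - %s\n", dhpfile, gnutls_strerror(ret)));` before the goto would make a malformed file diagnosable. The imported group is also used as-is, with no comparison against `DH_BITS`, so a file holding a short group silently lowers the strength below the generated fallback; a minimum-size check on import would keep the two paths equivalent. The enclosing function starts and ends outside this hunk.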
From: Andrew Bartlett Date: Fri, 4 Aug 2006 23:46:03 +0000 Subject: r17411: Try and compile on older versions of GnuTLS. Andrew Bartlett (This used to be commit 798c0791d8e8d10dde41a6dbceb0866265f9a709) --- source4/lib/tls/tls.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 2a02ffa237..5679b5096d 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -31,6 +31,10 @@ #define DH_BITS 1024 +#if defined(HAVE_GNUTLS_DATUM) && !defined(HAVE_GNUTLS_DATUM_T) +typedef gnutls_datum gnutls_datum_t +#endif + /* hold persistent tls data */ struct tls_params { gnutls_certificate_credentials x509_cred; -- cgit From 1ea8c378e2e9847f008a0bf89fb7c028f5b5263a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 5 Aug 2006 05:03:10 +0000 Subject: r17412: fix missing colon (This used to be commit 300d6e724d1ce386ad53852c0645fa8de374625a) --- source4/lib/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 5679b5096d..73b39f8c2a 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -32,7 +32,7 @@ #define DH_BITS 1024 #if defined(HAVE_GNUTLS_DATUM) && !defined(HAVE_GNUTLS_DATUM_T) -typedef gnutls_datum gnutls_datum_t +typedef gnutls_datum gnutls_datum_t; #endif /* hold persistent tls data */ -- cgit From 714f3991a1895c6b2487bbc215ec2943902a93b4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 21 Aug 2006 23:00:53 +0000 Subject: r17674: fixed a problem on with our configure logic on systems that have libgnutls but not some of the crt functions (This used to be commit 7a0264c52dd8ab1b1bb321462f66955a866d90a9) --- source4/lib/tls/tls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 73b39f8c2a..cd65e22bcb 100644 --- a/source4/lib/tls/tls.c 
+++ b/source4/lib/tls/tls.c @@ -26,7 +26,7 @@ #include "lib/events/events.h" #include "lib/socket/socket.h" -#if HAVE_LIBGNUTLS +#if ENABLE_GNUTLS #include "gnutls/gnutls.h" #define DH_BITS 1024 @@ -48,7 +48,7 @@ struct tls_context { struct socket_context *socket; struct fd_event *fde; BOOL tls_enabled; -#if HAVE_LIBGNUTLS +#if ENABLE_GNUTLS gnutls_session session; BOOL done_handshake; BOOL have_first_byte; @@ -78,7 +78,7 @@ BOOL tls_enabled(struct socket_context *sock) } -#if HAVE_LIBGNUTLS +#if ENABLE_GNUTLS static const struct socket_ops tls_socket_ops; -- cgit From 30ee8beb9316a99e8a49993306252591106cb349 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 9 Sep 2006 10:05:58 +0000 Subject: r18301: I discovered how to load the warnings from a build farm build into emacs compile mode (hint, paste to a file, and compile as "cat filename"). This allowed me to fix nearly all the warnings for a IA_64 SuSE build very quickly. (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667) --- source4/lib/tls/tls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index cd65e22bcb..8c885543ee 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -339,7 +339,7 @@ static NTSTATUS tls_socket_send(struct socket_context *sock, return STATUS_MORE_ENTRIES; } if (ret < 0) { - DEBUG(0,("gnutls_record_send of %d failed - %s\n", blob->length, gnutls_strerror(ret))); + DEBUG(0,("gnutls_record_send of %d failed - %s\n", (int)blob->length, gnutls_strerror(ret))); return NT_STATUS_UNEXPECTED_NETWORK_ERROR; } *sendlen = ret; 
@@ -419,11 +419,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) if (dhpfile) { gnutls_datum_t dhparms; - dhparms.data = (uint8_t *)file_load(dhpfile, &dhparms.size, mem_ctx); + size_t size; + dhparms.data = (uint8_t *)file_load(dhpfile, &size, mem_ctx); if (!dhparms.data) { goto init_failed; } + dhparms.size = size; ret = gnutls_dh_params_import_pkcs3(params->dh_params, &dhparms, GNUTLS_X509_FMT_PEM); if (ret < 0) goto init_failed; -- cgit From a3a7c28765f100a28557ba30ec57bde030a6e363 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Oct 2006 04:22:00 +0000 Subject: r19217: Merge from SAMBA_4_0_RELEASE: Re-enable TLS in the default configuration. We passed on the build farm because we have an explicit diffie-hilliman parameters file set. Andrew Bartlett (This used to be commit d20ab6a5ed7f980cb653e965c4de3de8d058d9c4) --- source4/lib/tls/tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 8c885543ee..0c3f707582 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -417,12 +417,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) ret = gnutls_dh_params_init(¶ms->dh_params); if (ret < 0) goto init_failed; - if (dhpfile) { + if (dhpfile && *dhpfile) { gnutls_datum_t dhparms; size_t size; dhparms.data = (uint8_t *)file_load(dhpfile, &size, mem_ctx); if (!dhparms.data) { + DEBUG(0,("Failed to read DH Parms from %s\n", dhpfile)); goto init_failed; } dhparms.size = size; -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/lib/tls/tls.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 0c3f707582..bfe144a011 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From dccf3f99e45137b6cd18c1de1c79808ad67130d1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 13:27:14 +0000 Subject: r25027: Fix more warnings. (This used to be commit 5085c53fcfade614e83d21fc2c1a5bc43bb2a729) --- source4/lib/tls/tls.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index bfe144a011..3f148ff7bf 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -24,6 +24,7 @@ #include "includes.h" #include "lib/events/events.h" #include "lib/socket/socket.h" +#include "lib/tls/tls.h" #if ENABLE_GNUTLS #include "gnutls/gnutls.h" -- cgit From 50bcb45692005e348431fc92c60dea9c3e66d305 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 8 Sep 2007 15:06:47 +0000 Subject: r25033: Fix include (This used to be commit d81bb09046a7ea65aa916be7fcfa94e86b6191f5) --- source4/lib/tls/tls.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 3f148ff7bf..71b120dc3c 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -25,6 +25,7 @@ #include "lib/events/events.h" #include "lib/socket/socket.h" #include "lib/tls/tls.h" +#include "param/param.h" #if ENABLE_GNUTLS #include "gnutls/gnutls.h" -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/lib/tls/tls.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 71b120dc3c..8be818433d 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c 
@@ -357,11 +357,11 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) struct tls_params *params; int ret; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - const char *keyfile = private_path(tmp_ctx, lp_tls_keyfile()); - const char *certfile = private_path(tmp_ctx, lp_tls_certfile()); - const char *cafile = private_path(tmp_ctx, lp_tls_cafile()); - const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile()); - const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile()); + const char *keyfile = private_path(tmp_ctx, lp_tls_keyfile(global_loadparm)); + const char *certfile = private_path(tmp_ctx, lp_tls_certfile(global_loadparm)); + const char *cafile = private_path(tmp_ctx, lp_tls_cafile(global_loadparm)); + const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile(global_loadparm)); + const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile(global_loadparm)); void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); @@ -370,7 +370,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) return NULL; } - if (!lp_tls_enabled() || keyfile == NULL || *keyfile == 0) { + if (!lp_tls_enabled(global_loadparm) || keyfile == NULL || *keyfile == 0) { params->tls_enabled = False; talloc_free(tmp_ctx); return params; @@ -565,7 +565,7 @@ struct socket_context *tls_init_client(struct socket_context *socket, } new_sock->private_data = tls; - cafile = private_path(tls, lp_tls_cafile()); + cafile = private_path(tls, lp_tls_cafile(global_loadparm)); if (!cafile || !*cafile) { goto failed; } -- cgit From 2f3551ca7cee59d4d053cceb87abdf1da1b3a1ad Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Mon, 1 Oct 2007 18:52:55 +0000 Subject: r25446: Merge some changes I made on the way home from SFO: 2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42) --- source4/lib/tls/tls.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/lib/tls/tls.c') diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 8be818433d..d2f6d6f740 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -357,11 +357,11 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx) struct tls_params *params; int ret; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - const char *keyfile = private_path(tmp_ctx, lp_tls_keyfile(global_loadparm)); - const char *certfile = private_path(tmp_ctx, lp_tls_certfile(global_loadparm)); - const char *cafile = private_path(tmp_ctx, lp_tls_cafile(global_loadparm)); - const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile(global_loadparm)); - const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile(global_loadparm)); + const char *keyfile = private_path(tmp_ctx, global_loadparm, lp_tls_keyfile(global_loadparm)); + const char *certfile = private_path(tmp_ctx, global_loadparm, lp_tls_certfile(global_loadparm)); + const char *cafile = private_path(tmp_ctx, global_loadparm, lp_tls_cafile(global_loadparm)); + const char *crlfile = private_path(tmp_ctx, global_loadparm, lp_tls_crlfile(global_loadparm)); + const char *dhpfile = private_path(tmp_ctx, global_loadparm, lp_tls_dhpfile(global_loadparm)); void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); 
@@ -565,7 +565,7 @@ struct socket_context *tls_init_client(struct socket_context *socket,
 }
 new_sock->private_data = tls;
- cafile = private_path(tls, lp_tls_cafile(global_loadparm));
+ cafile = private_path(tls, global_loadparm, lp_tls_cafile(global_loadparm));
 if (!cafile || !*cafile) {
 goto failed;
 }
-- cgit
From 719a4ae0d32ab9ba817fd01f2b8f4cba220a8c60 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Fri, 5 Oct 2007 18:03:01 +0000
Subject: r25522: Convert to standard bool types. (This used to be commit 5e814287ba475e12f8cc934fdd09b199dcdfdb86)
---
 source4/lib/tls/tls.c | 78 +++++++++++++++++++++++++--------------------------
 1 file changed, 39 insertions(+), 39 deletions(-)
(limited to 'source4/lib/tls/tls.c')
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index d2f6d6f740..4a8357d93b 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -40,7 +40,7 @@ typedef gnutls_datum gnutls_datum_t;
 struct tls_params {
 gnutls_certificate_credentials x509_cred;
 gnutls_dh_params dh_params;
- BOOL tls_enabled;
+ bool tls_enabled;
 };
 #endif
@@ -48,32 +48,32 @@ struct tls_params {
 struct tls_context {
 struct socket_context *socket;
 struct fd_event *fde;
- BOOL tls_enabled;
+ bool tls_enabled;
 #if ENABLE_GNUTLS
 gnutls_session session;
- BOOL done_handshake;
- BOOL have_first_byte;
+ bool done_handshake;
+ bool have_first_byte;
 uint8_t first_byte;
- BOOL tls_detect;
+ bool tls_detect;
 const char *plain_chars;
- BOOL output_pending;
+ bool output_pending;
 gnutls_certificate_credentials xcred;
- BOOL interrupted;
+ bool interrupted;
 #endif
 };
-BOOL tls_enabled(struct socket_context *sock)
+bool tls_enabled(struct socket_context *sock)
 {
 struct tls_context *tls;
 if (!sock) {
- return False;
+ return false;
 }
 if (strcmp(sock->backend_name, "tls") != 0) {
- return False;
+ return false;
 }
 tls = talloc_get_type(sock->private_data, struct tls_context);
 if (!tls) {
- return False;
+ return false;
 }
 return tls->tls_enabled;
 }
@@ -117,7 +117,7 @@ static ssize_t tls_pull(gnutls_transport_ptr ptr, void *buf, size_t size)
 if (tls->have_first_byte) {
 *(uint8_t *)buf = tls->first_byte;
- tls->have_first_byte = False;
+ tls->have_first_byte = false;
 return 1;
 }
@@ -213,7 +213,7 @@ static NTSTATUS tls_handshake(struct tls_context *tls)
 DEBUG(0,("TLS gnutls_handshake failed - %s\n", gnutls_strerror(ret)));
 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
 }
- tls->done_handshake = True;
+ tls->done_handshake = true;
 return NT_STATUS_OK;
 }
@@ -235,7 +235,7 @@ static NTSTATUS tls_interrupted(struct tls_context *tls)
 if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
 return STATUS_MORE_ENTRIES;
 }
- tls->interrupted = False;
+ tls->interrupted = false;
 return NT_STATUS_OK;
 }
@@ -274,15 +274,15 @@ static NTSTATUS tls_socket_recv(struct socket_context *sock, void *buf,
 status = socket_recv(tls->socket, &tls->first_byte, 1, nread);
 NT_STATUS_NOT_OK_RETURN(status);
 if (*nread == 0) return NT_STATUS_OK;
- tls->tls_detect = False;
+ tls->tls_detect = false;
 /* look for the first byte of a valid HTTP operation */
 if (strchr(tls->plain_chars, tls->first_byte)) {
 /* not a tls link */
- tls->tls_enabled = False;
+ tls->tls_enabled = false;
 *(uint8_t *)buf = tls->first_byte;
 return NT_STATUS_OK;
 }
- tls->have_first_byte = True;
+ tls->have_first_byte = true;
 }
 if (!tls->tls_enabled) {
@@ -300,7 +300,7 @@ static NTSTATUS tls_socket_recv(struct socket_context *sock, void *buf,
 if (gnutls_record_get_direction(tls->session) == 1) {
 EVENT_FD_WRITEABLE(tls->fde);
 }
- tls->interrupted = True;
+ tls->interrupted = true;
 return STATUS_MORE_ENTRIES;
 }
 if (ret < 0) {
@@ -336,7 +336,7 @@ static NTSTATUS tls_socket_send(struct socket_context *sock,
 if (gnutls_record_get_direction(tls->session) == 1) {
 EVENT_FD_WRITEABLE(tls->fde);
 }
- tls->interrupted = True;
+ tls->interrupted = true;
 return STATUS_MORE_ENTRIES;
 }
 if (ret < 0) {
@@ -371,7 +371,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 }
 if (!lp_tls_enabled(global_loadparm) || keyfile == NULL || *keyfile == 0) {
- params->tls_enabled = False;
+ params->tls_enabled = false;
 talloc_free(tmp_ctx);
 return params;
 }
@@ -438,14 +438,14 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params);
- params->tls_enabled = True;
+ params->tls_enabled = true;
 talloc_free(tmp_ctx);
 return params;
 init_failed:
 DEBUG(0,("GNUTLS failed to initialise - %s\n", gnutls_strerror(ret)));
- params->tls_enabled = False;
+ params->tls_enabled = false;
 talloc_free(tmp_ctx);
 return params;
 }
@@ -510,16 +510,16 @@ struct socket_context *tls_init_server(struct tls_params *params,
 tls->plain_chars = plain_chars;
 if (plain_chars) {
- tls->tls_detect = True;
+ tls->tls_detect = true;
 } else {
- tls->tls_detect = False;
+ tls->tls_detect = false;
 }
- tls->output_pending = False;
- tls->done_handshake = False;
- tls->have_first_byte = False;
- tls->tls_enabled = True;
- tls->interrupted = False;
+ tls->output_pending = false;
+ tls->done_handshake = false;
+ tls->have_first_byte = false;
+ tls->tls_enabled = true;
+ tls->interrupted = false;
 new_sock->state = SOCKET_STATE_SERVER_CONNECTED;
@@ -586,13 +586,13 @@ struct socket_context *tls_init_client(struct socket_context *socket,
 gnutls_transport_set_pull_function(tls->session, (gnutls_pull_func)tls_pull);
 gnutls_transport_set_push_function(tls->session, (gnutls_push_func)tls_push);
 gnutls_transport_set_lowat(tls->session, 0);
- tls->tls_detect = False;
+ tls->tls_detect = false;
- tls->output_pending = False;
- tls->done_handshake = False;
- tls->have_first_byte = False;
- tls->tls_enabled = True;
- tls->interrupted = False;
+ tls->output_pending = false;
+ tls->done_handshake = false;
+ tls->have_first_byte = false;
+ tls->tls_enabled = true;
+ tls->interrupted = false;
 new_sock->state = SOCKET_STATE_CLIENT_CONNECTED;
@@ -600,7 +600,7 @@ struct socket_context *tls_init_client(struct socket_context *socket,
 failed:
 DEBUG(0,("TLS init connection failed - %s\n", gnutls_strerror(ret)));
- tls->tls_enabled = False;
+ tls->tls_enabled = false;
 return new_sock;
 }
@@ -649,7 +649,7 @@ static const struct socket_ops tls_socket_ops = {
 .fn_get_fd = tls_socket_get_fd
 };
-BOOL tls_support(struct tls_params *params)
+bool tls_support(struct tls_params *params)
 {
 return params->tls_enabled;
 }
@@ -685,9 +685,9 @@ struct socket_context *tls_init_client(struct socket_context *socket,
 return NULL;
 }
-BOOL tls_support(struct tls_params *params)
+bool tls_support(struct tls_params *params)
 {
- return False;
+ return false;
 }
 #endif
-- cgit
From bbdfbf8d9d486aee51117976b8f825759a4c4a37 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 3 Dec 2007 00:28:22 +0100
Subject: r26238: Add a loadparm context parameter to torture_context, remove more uses of global_loadparm. (This used to be commit a33a5530545086b81a3b205aa109dff11c546926)
---
 source4/lib/tls/tls.c | 28 ++++++++++++---------------- 
 1 file changed, 12 insertions(+), 16 deletions(-)
(limited to 'source4/lib/tls/tls.c')
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 4a8357d93b..b298fb10cf 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -352,16 +352,16 @@ static NTSTATUS tls_socket_send(struct socket_context *sock,
 /* initialise global tls state */
-struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
+struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
 struct tls_params *params;
 int ret;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- const char *keyfile = private_path(tmp_ctx, global_loadparm, lp_tls_keyfile(global_loadparm));
- const char *certfile = private_path(tmp_ctx, global_loadparm, lp_tls_certfile(global_loadparm));
- const char *cafile = private_path(tmp_ctx, global_loadparm, lp_tls_cafile(global_loadparm));
- const char *crlfile = private_path(tmp_ctx, global_loadparm, lp_tls_crlfile(global_loadparm));
- const char *dhpfile = private_path(tmp_ctx, global_loadparm, lp_tls_dhpfile(global_loadparm));
+ const char *keyfile = private_path(tmp_ctx, lp_ctx, lp_tls_keyfile(lp_ctx));
+ const char *certfile = private_path(tmp_ctx, lp_ctx, lp_tls_certfile(lp_ctx));
+ const char *cafile = private_path(tmp_ctx, lp_ctx, lp_tls_cafile(lp_ctx));
+ const char *crlfile = private_path(tmp_ctx, lp_ctx, lp_tls_crlfile(lp_ctx));
+ const char *dhpfile = private_path(tmp_ctx, lp_ctx, lp_tls_dhpfile(lp_ctx));
 void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
 params = talloc(mem_ctx, struct tls_params);
@@ -370,7 +370,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 return NULL;
 }
- if (!lp_tls_enabled(global_loadparm) || keyfile == NULL || *keyfile == 0) {
+ if (!lp_tls_enabled(lp_ctx) || keyfile == NULL || *keyfile == 0) {
 params->tls_enabled = false;
 talloc_free(tmp_ctx);
 return params;
@@ -536,7 +536,8 @@ failed:
 setup for a new client connection */
 struct socket_context *tls_init_client(struct socket_context *socket,
- struct fd_event *fde)
+ struct fd_event *fde,
+ const char *ca_path)
 {
 struct tls_context *tls;
 int ret = 0;
@@ -565,16 +566,10 @@ struct socket_context *tls_init_client(struct socket_context *socket,
 }
 new_sock->private_data = tls;
- cafile = private_path(tls, global_loadparm, lp_tls_cafile(global_loadparm));
- if (!cafile || !*cafile) {
- goto failed;
- }
-
 gnutls_global_init();
 gnutls_certificate_allocate_credentials(&tls->xcred);
 gnutls_certificate_set_x509_trust_file(tls->xcred, cafile, GNUTLS_X509_FMT_PEM);
- talloc_free(cafile);
 TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT));
 TLSCHECK(gnutls_set_default_priority(tls->session));
 gnutls_certificate_type_set_priority(tls->session, cert_type_priority);
@@ -659,7 +654,7 @@ bool tls_support(struct tls_params *params)
 /* for systems without tls we just fail the operations, and the caller
 * will retain the original socket */
-struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
+struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
 return talloc_new(mem_ctx);
 }
@@ -680,7 +675,8 @@ struct socket_context *tls_init_server(struct tls_params *params,
 setup for a new client connection */
 struct socket_context *tls_init_client(struct socket_context *socket,
- struct fd_event *fde)
+ struct fd_event *fde,
+ const char *ca_path)
 {
 return NULL;
 }
-- cgit
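Review bot: The trust-file call still passes `cafile` although this hunk removes the only assignment to it, and the `ca_path` parameter introduced in the `@@ -536` hunk is never read, so unless another change outside this view touches the declaration, `gnutls_certificate_set_x509_trust_file` now receives an uninitialised pointer. Dropping the `!cafile || !*cafile` guard also means a NULL or empty CA path no longer goes to `failed`, and the call's return value is not checked here, so a client whose trust anchors fail to load proceeds as if they had been installed. I would restore the guard on the new parameter, `if (ca_path == NULL || *ca_path == 0) goto failed;`, and wrap the load as `TLSCHECK(gnutls_certificate_set_x509_trust_file(tls->xcred, ca_path, GNUTLS_X509_FMT_PEM));`, assuming TLSCHECK treats a negative return as failure the way it is used for `gnutls_init` two lines below. The enclosing `tls_init_client` begins in the `@@ -536` hunk and ends outside this one, so whether `cafile` is still declared cannot be confirmed from here.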