authorAndrew Bartlett <abartlet@samba.org>2015-07-20 11:22:46 +1200
committerAndrew Bartlett <abartlet@samba.org>2015-07-20 03:08:26 +0200
commit374d73617d71abf594cc92d335cd8bc60c10a1b7 (patch)
treebdc8d12c63c28c7db33a95426a274776f9c52aba
parent1a8c1bd952c0f373b8a47448906852f13a6dad1b (diff)
downloadsamba-374d73617d71abf594cc92d335cd8bc60c10a1b7.tar.gz
lib/tls: Add new 'tls priority' option
This adds a new option to smb.conf that allows administrators to disable TLS protocol versions in GnuTLS without changing the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--docs-xml/smbdotconf/security/tlspriority.xml18
-rw-r--r--lib/param/loadparm.c1
-rw-r--r--lib/param/param_table.c8
-rw-r--r--source3/param/loadparm.c1
-rw-r--r--source4/ldap_server/ldap_server.c1
-rw-r--r--source4/lib/tls/tls.h2
-rw-r--r--source4/lib/tls/tls_tstream.c31
-rw-r--r--source4/libcli/ldap/ldap_client.c3
-rw-r--r--source4/librpc/rpc/dcerpc_roh.c2
9 files changed, 62 insertions, 5 deletions
diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
new file mode 100644
index 00000000000..345f0302764
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="tls priority"
+ type="string"
+ context="G"
+ constant="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a string describing the TLS protocols
+ to be supported in the parts of Samba that use GnuTLS, specifically
+ the AD DC.
+ </para>
+ <para>The valid options are described in the
+ <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
+ Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
+ </para>
+ </description>
+
+ <value type="default">NORMAL</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 0e114288e22..1a0d45908d6 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2541,6 +2541,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
+ lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL");
lpcfg_do_global_parameter(lp_ctx, "prefork children:smb", "4");
lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 0fdd50dad19..3a0247c066f 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -3997,6 +3997,14 @@ struct parm_struct parm_table[] = {
.special = NULL,
.enum_list = NULL
},
+ {
+ .label = "tls priority",
+ .type = P_STRING,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(tls_priority),
+ .special = NULL,
+ .enum_list = NULL
+ },
{NULL, P_BOOL, P_NONE, 0, NULL, NULL, 0}
};
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7dd8786ae39..fb66eaa39a9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -872,6 +872,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
+ string_set(Globals.ctx, &Globals.tls_priority, "NORMAL");
string_set(Globals.ctx, &Globals.share_backend, "classic");
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 691266cfabf..d849ed30bcc 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -934,6 +934,7 @@ static void ldapsrv_task_init(struct task_server *task)
lpcfg_tls_cafile(ldap_service, task->lp_ctx),
lpcfg_tls_crlfile(ldap_service, task->lp_ctx),
lpcfg_tls_dhpfile(ldap_service, task->lp_ctx),
+ lpcfg_tls_priority(task->lp_ctx),
&ldap_service->tls_params);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("ldapsrv failed tstream_tls_params_server - %s\n",
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index 3ff009d1ee6..e6c27f3e6f5 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -71,6 +71,7 @@ struct tstream_tls_params;
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp);
NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
@@ -81,6 +82,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
const char *dhp_file,
+ const char *tls_priority,
struct tstream_tls_params **_params);
bool tstream_tls_params_enabled(struct tstream_tls_params *params);
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 9dea4f23c77..188a3b801bf 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -868,6 +868,7 @@ struct tstream_tls_params {
#if ENABLE_GNUTLS
gnutls_certificate_credentials x509_cred;
gnutls_dh_params dh_params;
+ const char *tls_priority;
#endif /* ENABLE_GNUTLS */
bool tls_enabled;
};
@@ -895,6 +896,7 @@ bool tstream_tls_params_enabled(struct tstream_tls_params *tlsp)
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp)
{
#if ENABLE_GNUTLS
@@ -943,6 +945,12 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
}
}
+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
tlsp->tls_enabled = true;
*_tlsp = tlsp;
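Review bot: The new `talloc_strdup(tlsp, tls_priority)` at the top of the hunk turns a NULL priority string into NT_STATUS_NO_MEMORY, because talloc_strdup() returns NULL both when allocation fails and when its source pointer is NULL; a caller that passes NULL would be told the process is out of memory rather than that the option is unset. A guard before the copy keeps the diagnostics honest: `if (tls_priority == NULL) { talloc_free(tlsp); return NT_STATUS_INVALID_PARAMETER; }`. The enclosing tstream_tls_params_client() begins above the hunk.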
@@ -964,6 +972,7 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
{
struct tevent_req *req;
struct tstream_tls_connect_state *state;
+ const char *error_pos;
#if ENABLE_GNUTLS
struct tstream_tls *tlss;
int ret;
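Review bot: `const char *error_pos;` is declared outside the `#if ENABLE_GNUTLS` guard while `tlss` and `ret`, which are likewise only used on the GnuTLS path, sit inside it; in a build without GnuTLS the new local is unused and will trigger -Wunused-variable (fatal under -Werror). Move it inside the guard next to `int ret;` and give it a defined value, `const char *error_pos = NULL;`, so the later DEBUG does not rely on GnuTLS having written it. The enclosing _tstream_tls_connect_send() continues past the hunk.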
@@ -1002,9 +1011,12 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tls_params->tls_priority,
+ &error_pos);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
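Review bot: The failure DEBUG prints `error_pos` with %s, but as far as I can tell gnutls_priority_set_direct() only guarantees to set `*err_pos` for a priority-string syntax error; on other failures (e.g. a memory error) the uninitialised local may be read, which is undefined behaviour, and depending on GnuTLS version the pointer could be garbage rather than NULL. Initialise the variable at its declaration and print defensively, e.g. `error_pos != NULL ? error_pos : "(unknown)"`. Failing the connection with EINVAL on a bad priority string is the right fail-closed choice. The enclosing _tstream_tls_connect_send() starts before and continues after this hunk.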
@@ -1070,6 +1082,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
const char *dhp_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp)
{
struct tstream_tls_params *tlsp;
@@ -1200,6 +1213,12 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
gnutls_certificate_set_dh_params(tlsp->x509_cred, tlsp->dh_params);
+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
tlsp->tls_enabled = true;
#else /* ENABLE_GNUTLS */
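Review bot: The priority string is only copied here and not validated, so a typo in 'tls priority' is not detected when the server parameters are built at task startup but on every later accept, where each client connection fails with a level-0 log line and the service appears up while being unusable. Parse it once here with `gnutls_priority_init(&pcache, tls_priority, &error_pos)`, return NT_STATUS_INVALID_PARAMETER with the error position on failure, and `gnutls_priority_deinit(pcache)` on success, so a misconfiguration is caught when the AD DC starts. As in the client path, `talloc_strdup()` of a NULL string also yields NULL here and would be misreported as NT_STATUS_NO_MEMORY; a NULL check before the copy would separate the two cases. The enclosing tstream_tls_params_server() begins above the hunk.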
@@ -1226,6 +1245,7 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req;
struct tstream_tls_accept_state *state;
struct tstream_tls *tlss;
+ const char *error_pos;
#if ENABLE_GNUTLS
int ret;
#endif /* ENABLE_GNUTLS */
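Review bot: `const char *error_pos;` is placed before the `#if ENABLE_GNUTLS` guard although it is only referenced on the GnuTLS path, so a non-GnuTLS build gets an unused-variable warning; `int ret;` shows where the declaration belongs. Declaring it inside the guard as `const char *error_pos = NULL;` also gives the later error message a defined value to print. The enclosing _tstream_tls_accept_send() continues past the hunk.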
@@ -1263,9 +1283,12 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tlsp->tls_priority,
+ &error_pos);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
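Review bot: The new DEBUG dereferences `error_pos` via %s, yet the local is never initialised and GnuTLS, as far as I can tell, only documents setting `*err_pos` for a syntax error in the priority string; for any other non-success return the print reads an indeterminate pointer. Initialise it to NULL at its declaration and print `error_pos != NULL ? error_pos : "(unknown)"`. Note that this message is emitted per failed accept at level 0, so a persistent misconfiguration is also a log-flood vector under client load; validating the string once when the server parameters are created would avoid that. The enclosing _tstream_tls_accept_send() starts before and continues after this hunk.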
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 68ebfcf1b56..94367a17c04 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -464,7 +464,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
if (conn->ldaps) {
char *ca_file = lpcfg_tls_cafile(state, conn->lp_ctx);
char *crl_file = lpcfg_tls_crlfile(state, conn->lp_ctx);
-
+ const char *tls_priority = lpcfg_tls_priority(conn->lp_ctx);
if (!ca_file || !*ca_file) {
composite_error(result,
NT_STATUS_INVALID_PARAMETER_MIX);
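Review bot: The blank line that separated the local declarations from the first statement was replaced by the new `const char *tls_priority = lpcfg_tls_priority(conn->lp_ctx);` declaration, so the `if (!ca_file || !*ca_file)` check now runs straight on from the declarations; keep the declaration and restore the blank line after it to match the surrounding style. The enclosing ldap_connect_send() starts before and continues after this hunk.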
@@ -474,6 +474,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
status = tstream_tls_params_client(state,
ca_file,
crl_file,
+ tls_priority,
&state->tls_params);
if (!NT_STATUS_IS_OK(status)) {
composite_error(result, status);
diff --git a/source4/librpc/rpc/dcerpc_roh.c b/source4/librpc/rpc/dcerpc_roh.c
index 09072940f90..61a22a79944 100644
--- a/source4/librpc/rpc/dcerpc_roh.c
+++ b/source4/librpc/rpc/dcerpc_roh.c
@@ -31,6 +31,7 @@
#include "librpc/rpc/dcerpc.h"
#include "librpc/rpc/dcerpc_roh.h"
#include "librpc/rpc/dcerpc_proto.h"
+#include "lib/param/param.h"
static ssize_t tstream_roh_pending_bytes(struct tstream_context *stream);
static struct tevent_req * tstream_roh_readv_send(
@@ -185,6 +186,7 @@ struct tevent_req *dcerpc_pipe_open_roh_send(struct dcecli_connection *conn,
/* Initialize TLS */
if (use_tls) {
status = tstream_tls_params_client(state->roh, NULL, NULL,
+ lpcfg_tls_priority(lp_ctx),
&state->tls_params);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("%s: Failed tstream_tls_params_client - %s\n",