author | Andrew Bartlett <abartlet@samba.org> | 2015-07-20 11:22:46 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2015-07-20 03:08:26 +0200 |
commit | 374d73617d71abf594cc92d335cd8bc60c10a1b7 (patch) | |
tree | bdc8d12c63c28c7db33a95426a274776f9c52aba /source4/lib | |
parent | 1a8c1bd952c0f373b8a47448906852f13a6dad1b (diff) | |
download | samba-374d73617d71abf594cc92d335cd8bc60c10a1b7.tar.gz |
lib/tls: Add new 'tls priority' option
This adds a new option to smb.conf that allows administrators to disable
TLS protocols in GnuTLS without changing the code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/lib')
-rw-r--r-- | source4/lib/tls/tls.h | 2 | ||||
-rw-r--r-- | source4/lib/tls/tls_tstream.c | 31 |
2 files changed, 29 insertions, 4 deletions
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index 3ff009d1ee6..e6c27f3e6f5 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -71,6 +71,7 @@ struct tstream_tls_params;
 NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
 const char *ca_file,
 const char *crl_file,
+ const char *tls_priority,
 struct tstream_tls_params **_tlsp);

 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
@@ -81,6 +82,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 const char *ca_file,
 const char *crl_file,
 const char *dhp_file,
+ const char *tls_priority,
 struct tstream_tls_params **_params);

 bool tstream_tls_params_enabled(struct tstream_tls_params *params);
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 9dea4f23c77..188a3b801bf 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -868,6 +868,7 @@ struct tstream_tls_params {
 #if ENABLE_GNUTLS
 gnutls_certificate_credentials x509_cred;
 gnutls_dh_params dh_params;
+ const char *tls_priority;
 #endif /* ENABLE_GNUTLS */
 bool tls_enabled;
 };
@@ -895,6 +896,7 @@ bool tstream_tls_params_enabled(struct tstream_tls_params *tlsp)
 NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
 const char *ca_file,
 const char *crl_file,
+ const char *tls_priority,
 struct tstream_tls_params **_tlsp)
 {
 #if ENABLE_GNUTLS
@@ -943,6 +945,12 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
 }
 }

+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
 tlsp->tls_enabled = true;

 *_tlsp = tlsp;
@@ -964,6 +972,7 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 {
 struct tevent_req *req;
 struct tstream_tls_connect_state *state;
+ const char *error_pos;
 #if ENABLE_GNUTLS
 struct tstream_tls *tlss;
 int ret;
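Review bot: The new `tls_priority` parameter on tstream_tls_params_client is undocumented at the prototype — nothing says it is a GnuTLS priority string or whether NULL is accepted, and in the implementation a NULL value falls through talloc_strdup and is reported as NT_STATUS_NO_MEMORY rather than as a configuration error. I would add above the declaration: `/* tls_priority: GnuTLS priority string in gnutls_priority_init(3) syntax; must not be NULL. Replaces gnutls_set_default_priority(), so the smb.conf default must be at least as strict as GnuTLS's built-in default. */`. The second point is the security caveat: the option's default value lives outside this diff, and since it now fully replaces the library default, a weak default would be a silent downgrade of every TLS endpoint. The same comment belongs on tstream_tls_params_server in the next hunk.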
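Review bot: The added block stores the priority string without checking it, so a NULL `tls_priority` is turned into NT_STATUS_NO_MEMORY by talloc_strdup and a malformed string is only discovered later, in _tstream_tls_connect_send, as a per-connection DEBUG(0) line plus an EINVAL failure instead of a single error when the parameters are built. At minimum guard the input first: `if (tls_priority == NULL) { talloc_free(tlsp); return NT_STATUS_INVALID_PARAMETER; }`. Since the string is fixed for the lifetime of the params, it would also be worth parsing it once here with gnutls_priority_init() and failing with NT_STATUS_INVALID_PARAMETER, so that a bad 'tls priority' is rejected when smb.conf is loaded and the connect path cannot hit it. tstream_tls_params_client begins before this hunk.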
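Review bot: `error_pos` is declared uninitialised and outside the `#if ENABLE_GNUTLS` guard, while its only user, the gnutls_priority_set_direct() call later in this function, is inside the guard — so builds without GnuTLS get an unused-variable warning, and if GnuTLS ever returns an error without setting the out-pointer the DEBUG `%s` would read an indeterminate pointer. Move the declaration next to `ret` inside the guard and initialise it: `const char *error_pos = NULL;`. The body of _tstream_tls_connect_send continues past this hunk.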
@@ -1002,9 +1011,12 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 return tevent_req_post(req, ev);
 }

- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tls_params->tls_priority,
+ &error_pos);
 if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
 tevent_req_error(req, EINVAL);
 return tevent_req_post(req, ev);
 }
@@ -1070,6 +1082,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 const char *ca_file,
 const char *crl_file,
 const char *dhp_file,
+ const char *tls_priority,
 struct tstream_tls_params **_tlsp)
 {
 struct tstream_tls_params *tlsp;
@@ -1200,6 +1213,12 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 gnutls_certificate_set_dh_params(tlsp->x509_cred,
 tlsp->dh_params);

+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
 tlsp->tls_enabled = true;

 #else /* ENABLE_GNUTLS */
@@ -1226,6 +1245,7 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
 struct tevent_req *req;
 struct tstream_tls_accept_state *state;
 struct tstream_tls *tlss;
+ const char *error_pos;
 #if ENABLE_GNUTLS
 int ret;
 #endif /* ENABLE_GNUTLS */
@@ -1263,9 +1283,12 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
 return tevent_req_post(req, ev);
 }

- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tlsp->tls_priority,
+ &error_pos);
 if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
 tevent_req_error(req, EINVAL);
 return tevent_req_post(req, ev);
 }
|
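Review bot: The strdup-and-check block added here is a verbatim copy of the one in tstream_tls_params_client, and in both places the string is stored unvalidated — GnuTLS only parses it later in _tstream_tls_accept_send, so a bad 'tls priority' becomes a DEBUG(0) line and a failed handshake for every incoming connection instead of one error when the server parameters are built, and a NULL string is misreported as NT_STATUS_NO_MEMORY. A small static helper that copies the string and does a throw-away gnutls_priority_init() parse, returning NT_STATUS_INVALID_PARAMETER with the error offset, removes the duplication and fails the configuration early (fail-closed, as the per-connection path already does); the helper below would be called in place of the added block as `status = tstream_tls_set_priority(tlsp, tls_priority); if (!NT_STATUS_IS_OK(status)) { talloc_free(tlsp); return status; }`. tstream_tls_params_server starts and ends outside this hunk.
```c
/* Copy a 'tls priority' string into tlsp and syntax-check it once, so a bad
 * value is rejected when the parameters are built rather than per connection. */
static NTSTATUS tstream_tls_set_priority(struct tstream_tls_params *tlsp,
					 const char *tls_priority)
{
	gnutls_priority_t prio;
	const char *error_pos = NULL;
	int ret;

	if (tls_priority == NULL) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
	if (tlsp->tls_priority == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	ret = gnutls_priority_init(&prio, tlsp->tls_priority, &error_pos);
	if (ret != GNUTLS_E_SUCCESS) {
		DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
			 __location__, gnutls_strerror(ret), error_pos));
		return NT_STATUS_INVALID_PARAMETER;
	}
	gnutls_priority_deinit(prio);

	return NT_STATUS_OK;
}
```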
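Review bot: As in _tstream_tls_connect_send, `error_pos` is added uninitialised and outside the `#if ENABLE_GNUTLS` block even though `ret` and the only use of `error_pos` (gnutls_priority_set_direct() later in this function) are inside it, so non-GnuTLS builds get an unused-variable warning and the DEBUG `%s` relies on GnuTLS always writing the out-pointer on error. Declare it inside the guard and initialise it: `const char *error_pos = NULL;`. The body of _tstream_tls_accept_send continues past this hunk.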