authorAndrew Bartlett <abartlet@samba.org>2015-07-20 11:22:46 +1200
committerAndrew Bartlett <abartlet@samba.org>2015-07-20 03:08:26 +0200
commit374d73617d71abf594cc92d335cd8bc60c10a1b7 (patch)
treebdc8d12c63c28c7db33a95426a274776f9c52aba /source4/lib
parent1a8c1bd952c0f373b8a47448906852f13a6dad1b (diff)
lib/tls: Add new 'tls priority' option
This adds a new option to smb.conf that allows administrators to disable TLS protocols in GnuTLS without changing the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/lib')
-rw-r--r--source4/lib/tls/tls.h2
-rw-r--r--source4/lib/tls/tls_tstream.c31
2 files changed, 29 insertions, 4 deletions
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index 3ff009d1ee6..e6c27f3e6f5 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -71,6 +71,7 @@ struct tstream_tls_params;
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp);
NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
@@ -81,6 +82,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
const char *dhp_file,
+ const char *tls_priority,
struct tstream_tls_params **_params);
bool tstream_tls_params_enabled(struct tstream_tls_params *params);
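Review bot: The new `tls_priority` parameter is added to both prototypes without any comment saying what string it expects or whether NULL is allowed, and the header is the only place a caller will look. A one-line comment above each prototype, such as `/* tls_priority: GnuTLS priority string (the 'tls priority' smb.conf option); passed to gnutls_priority_set_direct(), must not be NULL */`, would make the contract explicit. Whether NULL is rejected or falls back to a default is not visible in this header, so the comment should state whichever the implementation actually does.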
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 9dea4f23c77..188a3b801bf 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -868,6 +868,7 @@ struct tstream_tls_params {
#if ENABLE_GNUTLS
gnutls_certificate_credentials x509_cred;
gnutls_dh_params dh_params;
+ const char *tls_priority;
#endif /* ENABLE_GNUTLS */
bool tls_enabled;
};
@@ -895,6 +896,7 @@ bool tstream_tls_params_enabled(struct tstream_tls_params *tlsp)
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp)
{
#if ENABLE_GNUTLS
@@ -943,6 +945,12 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
}
}
+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
tlsp->tls_enabled = true;
*_tlsp = tlsp;
@@ -964,6 +972,7 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
{
struct tevent_req *req;
struct tstream_tls_connect_state *state;
+ const char *error_pos;
#if ENABLE_GNUTLS
struct tstream_tls *tlss;
int ret;
@@ -1002,9 +1011,12 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tls_params->tls_priority,
+ &error_pos);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
@@ -1070,6 +1082,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *ca_file,
const char *crl_file,
const char *dhp_file,
+ const char *tls_priority,
struct tstream_tls_params **_tlsp)
{
struct tstream_tls_params *tlsp;
@@ -1200,6 +1213,12 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
gnutls_certificate_set_dh_params(tlsp->x509_cred, tlsp->dh_params);
+ tlsp->tls_priority = talloc_strdup(tlsp, tls_priority);
+ if (tlsp->tls_priority == NULL) {
+ talloc_free(tlsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
tlsp->tls_enabled = true;
#else /* ENABLE_GNUTLS */
@@ -1226,6 +1245,7 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req;
struct tstream_tls_accept_state *state;
struct tstream_tls *tlss;
+ const char *error_pos;
#if ENABLE_GNUTLS
int ret;
#endif /* ENABLE_GNUTLS */
@@ -1263,9 +1283,12 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_set_default_priority(tlss->tls_session);
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tlsp->tls_priority,
+ &error_pos);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
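Review bot: `const char *error_pos;` is declared outside the `#if ENABLE_GNUTLS` block in both `_tstream_tls_connect_send` and `_tstream_tls_accept_send` but is only used inside it, so builds without GnuTLS get an unused-variable warning; move it next to `int ret;` inside the `#if` and initialise it, `const char *error_pos = NULL;`, since it is printed with `%s` on the error path and I am not certain gnutls_priority_set_direct() sets it on every failure (a NULL or indeterminate pointer there is undefined behaviour for the formatter). Separately, in both `tstream_tls_params_client` and `tstream_tls_params_server` a NULL `tls_priority` makes `talloc_strdup(tlsp, tls_priority)` return NULL (talloc semantics, as far as I recall), so an unset or mis-wired option would be reported as NT_STATUS_NO_MEMORY rather than a parameter error; add `if (tls_priority == NULL) { talloc_free(tlsp); return NT_STATUS_INVALID_PARAMETER; }` before the strdup, or document that NULL falls back to the default. The enclosing functions start and end outside these hunks, so any fallback logic may already live there.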