sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-20 14:03:59 +03:00
Code
samba-mirror/source4/lib/tls/tls.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

136 lines
4.5 KiB
C
Raw Normal View History

r7742: abstracted out the tls code from the web server, so that our other servers can easily become tls enabled. This will be used to add support for ldaps (This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f)
2005-06-19 04:20:27 +00:00
/*
Unix SMB/CIFS implementation.
transport layer security handling code
Copyright (C) Andrew Tridgell 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 02:07:03 +00:00
the Free Software Foundation; either version 3 of the License, or
r7742: abstracted out the tls code from the web server, so that our other servers can easily become tls enabled. This will be used to add support for ldaps (This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f)
2005-06-19 04:20:27 +00:00
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 02:07:03 +00:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r7742: abstracted out the tls code from the web server, so that our other servers can easily become tls enabled. This will be used to add support for ldaps (This used to be commit 950500f603725349d2a0e22878e83dd1b5975f9f)
2005-06-19 04:20:27 +00:00
*/
r11596: switched the libcli/raw/ code over to using the lib/stream/ generic packet parsing code. This simplifies the logic in the raw client library a fair bit (This used to be commit f8d43f1f67876360e1295d85a3c3702d1d60ed7b)
2005-11-09 08:13:41 +00:00
#ifndef _TLS_H_
#define _TLS_H_
r15829: we need to include socket.h before we can use enum socket_type this fixes a compiler warning metze (This used to be commit dbf82fff10f1b5c3894b9600d98f81ee10e3d876)
2006-05-23 04:41:09 +00:00
#include "lib/socket/socket.h"
r26238: Add a loadparm context parameter to torture_context, remove more uses of global_loadparm. (This used to be commit a33a5530545086b81a3b205aa109dff11c546926)
2007-12-03 00:28:22 +01:00
struct loadparm_context;
s4:lib/tls: add tls_cert_generate() prototype to tls.h This avoids compiler warnings... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-18 21:42:19 +01:00
void tls_cert_generate(TALLOC_CTX *mem_ctx,
const char *hostname,
const char *keyfile, const char *certfile,
const char *cafile);
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
struct tstream_context;
struct tstream_tls_params;
s4:lib/tls: add tstream_tls_sync_setup() This operates in a non-async fashion and may block in the push and pull function. It will be used to plug into openldap transport layer, this is needed in order to have access to the channel bindings. And also use the same configuration for all our gnutls based tls code. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-06 11:48:41 +01:00
struct tstream_tls_sync;
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-12-23 16:17:04 +01:00
enum tls_verify_peer_state {
TLS_VERIFY_PEER_NO_CHECK = 0,
#define TLS_VERIFY_PEER_NO_CHECK_STRING "no_check"
TLS_VERIFY_PEER_CA_ONLY = 10,
#define TLS_VERIFY_PEER_CA_ONLY_STRING "ca_only"
TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE = 20,
#define TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING \
"ca_and_name_if_available"
TLS_VERIFY_PEER_CA_AND_NAME = 30,
#define TLS_VERIFY_PEER_CA_AND_NAME_STRING "ca_and_name"
TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE = 9999,
#define TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING \
"as_strict_as_possible"
};
const char *tls_verify_peer_string(enum tls_verify_peer_state verify_peer);
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-09 11:31:30 +01:00
bool system_cas,
const char * const *ca_dirs,
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
const char *ca_file,
const char *crl_file,
lib/tls: Add new 'tls priority' option This adds a new option to the smb.conf to allow administrators to disable TLS protocols in GnuTLS without changing the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 11:22:46 +12:00
const char *tls_priority,
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-12-23 16:17:04 +01:00
enum tls_verify_peer_state verify_peer,
const char *peer_name,
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
struct tstream_tls_params **_tlsp);
s4:lib/tls: add tstream_tls_params_client_lpcfg() This will be able simplify the callers a lot... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-13 16:36:27 +01:00
NTSTATUS tstream_tls_params_client_lpcfg(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char *peer_name,
struct tstream_tls_params **tlsp);
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *dns_host_name,
s4:lib/tls: fix enabled logic in tstream_tls_params_server() metze
2010-10-07 11:16:48 +02:00
bool enabled,
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
const char *key_file,
const char *cert_file,
const char *ca_file,
const char *crl_file,
const char *dhp_file,
lib/tls: Add new 'tls priority' option This adds a new option to the smb.conf to allow administrators to disable TLS protocols in GnuTLS without changing the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 11:22:46 +12:00
const char *tls_priority,
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
struct tstream_tls_params **_params);
bool tstream_tls_params_enabled(struct tstream_tls_params *params);
tstream_tls: Add tstream_tls_params_peer_name() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-07 10:48:52 +01:00
const char *tstream_tls_params_peer_name(
const struct tstream_tls_params *params);
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
s4:lib/tls: add tstream_tls_channel_bindings() This is based on GNUTLS_CB_TLS_SERVER_END_POINT and is the value that is required for channel bindings in LDAP of active directory domain controllers. For gnutls versions before 3.7.2 we basically copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT implementation as it only uses public gnutls functions and it was easy to re-implement. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 12:34:35 +02:00
const DATA_BLOB *tstream_tls_channel_bindings(struct tstream_context *tls_tstream);
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct tstream_context *plain_stream,
struct tstream_tls_params *tls_params,
const char *location);
s4:lib/tls: fix tstream_tls_connect_send() define Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-19 12:26:55 +02:00
#define tstream_tls_connect_send(mem_ctx, ev, plain_stream, tls_params) \
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
_tstream_tls_connect_send(mem_ctx, ev, plain_stream, tls_params, __location__)
int tstream_tls_connect_recv(struct tevent_req *req,
int *perrno,
TALLOC_CTX *mem_ctx,
struct tstream_context **tls_stream);
struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct tstream_context *plain_stream,
struct tstream_tls_params *tls_params,
const char *location);
#define tstream_tls_accept_send(mem_ctx, ev, plain_stream, tls_params) \
_tstream_tls_accept_send(mem_ctx, ev, plain_stream, tls_params, __location__)
int tstream_tls_accept_recv(struct tevent_req *req,
int *perrno,
TALLOC_CTX *mem_ctx,
struct tstream_context **tls_stream);
s4:lib/tls: add tstream_tls_sync_setup() This operates in a non-async fashion and may block in the push and pull function. It will be used to plug into openldap transport layer, this is needed in order to have access to the channel bindings. And also use the same configuration for all our gnutls based tls code. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-06 11:48:41 +01:00
ssize_t tstream_tls_sync_read(struct tstream_tls_sync *tlsss,
void *buf, size_t len);
ssize_t tstream_tls_sync_write(struct tstream_tls_sync *tlsss,
const void *buf, size_t len);
size_t tstream_tls_sync_pending(struct tstream_tls_sync *tlsss);
NTSTATUS tstream_tls_sync_setup(struct tstream_tls_params *_tls_params,
void *io_private,
ssize_t (*io_send_fn)(void *io_private,
const uint8_t *buf,
size_t len),
ssize_t (*io_recv_fn)(void *io_private,
uint8_t *buf,
size_t len),
TALLOC_CTX *mem_ctx,
struct tstream_tls_sync **_tlsss);
const DATA_BLOB *tstream_tls_sync_channel_bindings(struct tstream_tls_sync *tlsss);
s4:lib/tls: add gnutls backend for tstream metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
2010-02-03 14:36:10 +01:00
#endif /* _TLS_H_ */
Copy Permalink