
s4:lib/tls: include a TLS server name indication in the client handshake

This is not strictly needed, but it might be useful
for load balancers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2024-03-15 23:24:39 +01:00 committed by Andrew Bartlett
parent ecdd769191
commit 15fb8fcc7b


@ -992,6 +992,7 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
struct tstream_tls_params_internal *tlsp = NULL;
int ret;
unsigned int flags;
const char *hostname = NULL;
if (tlss->is_server) {
flags = GNUTLS_SERVER;
@ -1025,10 +1026,20 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
tlss->verify_peer = tlsp->verify_peer;
if (tlsp->peer_name != NULL) {
bool ip = is_ipaddress(tlsp->peer_name);
tlss->peer_name = talloc_strdup(tlss, tlsp->peer_name);
if (tlss->peer_name == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (!ip) {
hostname = tlss->peer_name;
}
if (tlss->verify_peer < TLS_VERIFY_PEER_CA_AND_NAME) {
hostname = NULL;
}
}
if (tlss->current_ev != NULL) {
@ -1070,6 +1081,17 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
if (hostname != NULL) {
ret = gnutls_server_name_set(tlss->tls_session,
GNUTLS_NAME_DNS,
hostname,
strlen(hostname));
if (ret != GNUTLS_E_SUCCESS) {
return gnutls_error_to_ntstatus(ret,
NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
}
if (tlss->is_server) {
gnutls_certificate_server_set_request(tlss->tls_session,
GNUTLS_CERT_REQUEST);
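Review bot: The two rules that decide whether an SNI is sent in the second hunk have no comment, and the second one is not obvious from the commit message's load-balancer motivation: `hostname` stays NULL when peer_name is an IP literal and again when verify_peer is below TLS_VERIFY_PEER_CA_AND_NAME. Suggest a comment above the `if (!ip)` block such as `/* Only send SNI for a DNS name we will also verify against the certificate; RFC 6066 forbids IP literals in host_name. */` so the coupling between SNI and name verification is explicit. Nothing in the third hunk ties the `gnutls_server_name_set()` call to the client side; it presumably never runs for a server session because peer_name is only set on client params, but a `!tlss->is_server` guard, or a comment stating that assumption, would make it robust against a future caller. tstream_tls_prepare_gnutls begins before the first hunk and continues after the last.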