sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00
Code

s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()

Browse Source 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2024-02-09 11:31:30 +01:00 committed by Andrew Bartlett
parent 0b84c97cf3
commit ca93631291
3 changed files with 62 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
source4/client/http_test.c
View File

@ -339,12 +339,16 @@ int main(int argc, const char *argv[])
http_info->server_addr, http_info->server_port, http_info->server_addr, http_info->server_port,
use_tls ? " with tls" : " without tls"); use_tls ? " with tls" : " without tls");
if (use_tls) { if (use_tls) {
bool system_cas = false;
const char * const *ca_dirs = NULL;
const char *crl_file = NULL; const char *crl_file = NULL;
const char *tls_priority = "NORMAL:-VERS-SSL3.0"; const char *tls_priority = "NORMAL:-VERS-SSL3.0";
enum tls_verify_peer_state verify_peer = enum tls_verify_peer_state verify_peer =
TLS_VERIFY_PEER_CA_ONLY; TLS_VERIFY_PEER_CA_ONLY;
status = tstream_tls_params_client(mem_ctx, status = tstream_tls_params_client(mem_ctx,
system_cas,
ca_dirs,
ca_file, ca_file,
crl_file, crl_file,
tls_priority, tls_priority,

2
source4/lib/tls/tls.h
View File

@ -56,6 +56,8 @@ enum tls_verify_peer_state {
const char *tls_verify_peer_string(enum tls_verify_peer_state verify_peer); const char *tls_verify_peer_string(enum tls_verify_peer_state verify_peer);
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx, NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
bool system_cas,
const char * const *ca_dirs,
const char *ca_file, const char *ca_file,
const char *crl_file, const char *crl_file,
const char *tls_priority, const char *tls_priority,

61
source4/lib/tls/tls_tstream.c
View File

@ -950,6 +950,8 @@ const DATA_BLOB *tstream_tls_channel_bindings(struct tstream_context *tls_tstrea
} }
NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx, NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
bool system_cas,
const char * const *ca_dirs,
const char *ca_file, const char *ca_file,
const char *crl_file, const char *crl_file,
const char *tls_priority, const char *tls_priority,
@ -959,6 +961,8 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
{ {
struct tstream_tls_params *__tlsp = NULL; struct tstream_tls_params *__tlsp = NULL;
struct tstream_tls_params_internal *tlsp = NULL; struct tstream_tls_params_internal *tlsp = NULL;
bool got_ca = false;
size_t i;
int ret; int ret;
__tlsp = talloc_zero(mem_ctx, struct tstream_tls_params); __tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
@ -996,6 +1000,40 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
if (system_cas) {
ret = gnutls_certificate_set_x509_system_trust(tlsp->x509_cred);
if (ret < 0) {
DBG_ERR("gnutls_certificate_set_x509_system_trust() - %s\n",
gnutls_strerror(ret));
TALLOC_FREE(__tlsp);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (ret > 0) {
got_ca = true;
}
}
for (i = 0; ca_dirs != NULL && ca_dirs[i] != NULL; i++) {
const char *ca_dir = ca_dirs[i];
if (!directory_exist(ca_dir)) {
continue;
}
ret = gnutls_certificate_set_x509_trust_dir(tlsp->x509_cred,
ca_dir,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
DBG_ERR("gnutls_certificate_set_x509_trust_dir(%s) - %s\n",
ca_dir, gnutls_strerror(ret));
TALLOC_FREE(__tlsp);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (ret > 0) {
got_ca = true;
}
}
if (ca_file && *ca_file && file_exist(ca_file)) { if (ca_file && *ca_file && file_exist(ca_file)) {
ret = gnutls_certificate_set_x509_trust_file(tlsp->x509_cred, ret = gnutls_certificate_set_x509_trust_file(tlsp->x509_cred,
ca_file, ca_file,
@ -1006,11 +1044,17 @@ NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
TALLOC_FREE(__tlsp); TALLOC_FREE(__tlsp);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} }
} else if (tlsp->verify_peer >= TLS_VERIFY_PEER_CA_ONLY) { if (ret > 0) {
DEBUG(0,("TLS failed to missing cafile %s - " got_ca = true;
"with 'tls verify peer = %s'\n", }
ca_file, }
tls_verify_peer_string(tlsp->verify_peer)));
if (!got_ca && tlsp->verify_peer >= TLS_VERIFY_PEER_CA_ONLY) {
D_ERR("TLS: 'tls verify peer = %s' requires "
"'tls trust system cas', "
"'tls ca directories' or "
"'tls cafile'\n",
tls_verify_peer_string(tlsp->verify_peer));
TALLOC_FREE(__tlsp); TALLOC_FREE(__tlsp);
return NT_STATUS_INVALID_PARAMETER_MIX; return NT_STATUS_INVALID_PARAMETER_MIX;
} }
@ -1052,6 +1096,8 @@ NTSTATUS tstream_tls_params_client_lpcfg(TALLOC_CTX *mem_ctx,
struct tstream_tls_params **tlsp) struct tstream_tls_params **tlsp)
{ {
TALLOC_CTX *frame = talloc_stackframe(); TALLOC_CTX *frame = talloc_stackframe();
bool system_cas = false;
const char * const *ca_dirs = NULL;
const char *ptr = NULL; const char *ptr = NULL;
char *ca_file = NULL; char *ca_file = NULL;
char *crl_file = NULL; char *crl_file = NULL;
@ -1060,6 +1106,9 @@ NTSTATUS tstream_tls_params_client_lpcfg(TALLOC_CTX *mem_ctx,
TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
NTSTATUS status; NTSTATUS status;
system_cas = lpcfg_tls_trust_system_cas(lp_ctx);
ca_dirs = lpcfg_tls_ca_directories(lp_ctx);
ptr = lpcfg__tls_cafile(lp_ctx); ptr = lpcfg__tls_cafile(lp_ctx);
if (ptr != NULL) { if (ptr != NULL) {
ca_file = lpcfg_tls_cafile(frame, lp_ctx); ca_file = lpcfg_tls_cafile(frame, lp_ctx);
@ -1082,6 +1131,8 @@ NTSTATUS tstream_tls_params_client_lpcfg(TALLOC_CTX *mem_ctx,
verify_peer = lpcfg_tls_verify_peer(lp_ctx); verify_peer = lpcfg_tls_verify_peer(lp_ctx);
status = tstream_tls_params_client(mem_ctx, status = tstream_tls_params_client(mem_ctx,
system_cas,
ca_dirs,
ca_file, ca_file,
crl_file, crl_file,
tls_priority, tls_priority,