This removes --with-ssl from Samba.
This option was badly maintained, useless and confused our users and
distributors. (it's SSL, therefore it must be good...)
No windows client uses this protocol without help from an SSL tunnel.
I can't see any reason why setting up a unix-side SSL wrapper would
be any more difficult than the > 10 config options this mess added
to samba in any case.
On the Samba client end, I think the LIBSMB_PROG hack should be
sufficient to start stunnel on the unix side. We might extend this
to take %i and %p (IP and port) if there is demand.
Andrew Bartlett
(This used to be commit b04561d3fd
)
parent
a64932dfc0
commit
eed5094264
@ -729,24 +729,6 @@
|
||||
<listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
|
||||
|
||||
<listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem>
|
||||
|
||||
<listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
|
||||
<listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
|
||||
@ -3387,9 +3369,9 @@
|
||||
This option is used to define whether or not Samba should
|
||||
use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap
|
||||
server</parameter></link>. This is <emphasis>NOT</emphasis> related to
|
||||
Samba SSL support which is enabled by specifying the
|
||||
Samba's previous SSL support which was enabled by specifying the
|
||||
<command>--with-ssl</command> option to the <filename>configure</filename>
|
||||
script (see <link linkend="SSL"><parameter>ssl</parameter></link>).
|
||||
script.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -7030,347 +7012,6 @@
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSL">ssl (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This variable enables or disables the entire SSL mode. If
|
||||
it is set to <constant>no</constant>, the SSL-enabled Samba behaves
|
||||
exactly like the non-SSL Samba. If set to <constant>yes</constant>,
|
||||
it depends on the variables <link linkend="SSLHOSTS"><parameter>
|
||||
ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
|
||||
<parameter>ssl hosts resign</parameter></link> whether an SSL
|
||||
connection will be required.</para>
|
||||
|
||||
<para>Default: <command>ssl = no</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This variable defines where to look up the Certification
|
||||
Authorities. The given directory should contain one file for
|
||||
each CA that Samba will trust. The file name must be the hash
|
||||
value over the "Distinguished Name" of the CA. How this directory
|
||||
is set up is explained later in this document. All files within the
|
||||
directory that don't fit into this naming scheme are ignored. You
|
||||
don't need this variable if you don't verify client certificates.</para>
|
||||
|
||||
<para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
|
||||
</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This variable is a second way to define the trusted CAs.
|
||||
The certificates of the trusted CAs are collected in one big
|
||||
file and this variable points to the file. You will probably
|
||||
only use one of the two ways to define your CAs. The first choice is
|
||||
preferable if you have many CAs or want to be flexible, the second
|
||||
is preferable if you only have one CA and want to keep things
|
||||
simple (you won't need to create the hashed file names). You
|
||||
don't need this variable if you don't verify client certificates.</para>
|
||||
|
||||
<para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
|
||||
</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This variable defines the ciphers that should be offered
|
||||
during SSL negotiation. You should not set this variable unless
|
||||
you know what you are doing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>The certificate in this file is used by <ulink url="smbclient.1.html">
|
||||
<command>smbclient(1)</command></ulink> if it exists. It's needed
|
||||
if the server requires a client certificate.</para>
|
||||
|
||||
<para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
|
||||
</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This is the private key for <ulink url="smbclient.1.html">
|
||||
<command>smbclient(1)</command></ulink>. It's only needed if the
|
||||
client should have a certificate. </para>
|
||||
|
||||
<para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
|
||||
</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This variable defines whether OpenSSL should be configured
|
||||
for bug compatibility with other SSL implementations. This is
|
||||
probably not desirable because currently no clients with SSL
|
||||
implementations other than OpenSSL exist.</para>
|
||||
|
||||
<para>Default: <command>ssl compatibility = no</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>
|
||||
This option is used to define the location of the communiation socket of
|
||||
an EGD or PRNGD daemon, from which entropy can be retrieved. This option
|
||||
can be used instead of or together with the <link
|
||||
linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link>
|
||||
directive. 255 bytes of entropy will be retrieved from the daemon.
|
||||
</para>
|
||||
|
||||
<para>Default: <emphasis>none</emphasis></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>
|
||||
This parameter is used to define the number of bytes which should
|
||||
be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy
|
||||
file</parameter></link> If a -1 is specified, the entire file will
|
||||
be read.
|
||||
</para>
|
||||
|
||||
<para>Default: <command>ssl entropy bytes = 255</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>
|
||||
This parameter is used to specify a file from which processes will
|
||||
read "random bytes" on startup. In order to seed the internal pseudo
|
||||
random number generator, entropy must be provided. On system with a
|
||||
<filename>/dev/urandom</filename> device file, the processes
|
||||
will retrieve its entropy from the kernel. On systems without kernel
|
||||
entropy support, a file can be supplied that will be read on startup
|
||||
and that will be used to seed the PRNG.
|
||||
</para>
|
||||
|
||||
<para>Default: <emphasis>none</emphasis></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLHOSTS">ssl hosts (G)</term>
|
||||
<listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
|
||||
ssl hosts resign</parameter></link>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>These two variables define whether Samba will go
|
||||
into SSL mode or not. If none of them is defined, Samba will
|
||||
allow only SSL connections. If the <link linkend="SSLHOSTS">
|
||||
<parameter>ssl hosts</parameter></link> variable lists
|
||||
hosts (by IP-address, IP-address range, net group or name),
|
||||
only these hosts will be forced into SSL mode. If the <parameter>
|
||||
ssl hosts resign</parameter> variable lists hosts, only these
|
||||
hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two
|
||||
variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
|
||||
hosts allow</parameter></link> and <link linkend="HOSTSDENY">
|
||||
<parameter>hosts deny</parameter></link> pair of variables, only
|
||||
that the subject of the decision is different: It's not the access
|
||||
right but whether SSL is used or not. </para>
|
||||
|
||||
<para>The example below requires SSL connections from all hosts
|
||||
outside the local net (which is 192.168.*.*).</para>
|
||||
|
||||
<para>Default: <command>ssl hosts = <empty string></command></para>
|
||||
<para><command>ssl hosts resign = <empty string></command></para>
|
||||
|
||||
<para>Example: <command>ssl hosts resign = 192.168.</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>If this variable is set to <constant>yes</constant>, the
|
||||
server will not tolerate connections from clients that don't
|
||||
have a valid certificate. The directory/file given in <link
|
||||
linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
|
||||
</link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
|
||||
</parameter></link> will be used to look up the CAs that issued
|
||||
the client's certificate. If the certificate can't be verified
|
||||
positively, the connection will be terminated. If this variable
|
||||
is set to <constant>no</constant>, clients don't need certificates.
|
||||
Contrary to web applications you really <emphasis>should</emphasis>
|
||||
require client certificates. In the web environment the client's
|
||||
data is sensitive (credit card numbers) and the server must prove
|
||||
to be trustworthy. In a file server environment the server's data
|
||||
will be sensitive and the clients must prove to be trustworthy.</para>
|
||||
|
||||
<para>Default: <command>ssl require clientcert = no</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>If this variable is set to <constant>yes</constant>, the
|
||||
<ulink url="smbclient.1.html"><command>smbclient(1)</command>
|
||||
</ulink> will request a certificate from the server. Same as
|
||||
<link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
|
||||
clientcert</parameter></link> for the server.</para>
|
||||
|
||||
<para>Default: <command>ssl require servercert = no</command>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This is the file containing the server's certificate.
|
||||
The server <emphasis>must</emphasis> have a certificate. The
|
||||
file may also contain the server's private key. See later for
|
||||
how certificates and private keys are created.</para>
|
||||
|
||||
<para>Default: <command>ssl server cert = <empty string>
|
||||
</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This file contains the private key of the server. If
|
||||
this variable is not defined, the key is looked up in the
|
||||
certificate file (it may be appended to the certificate).
|
||||
The server <emphasis>must</emphasis> have a private key
|
||||
and the certificate <emphasis>must</emphasis>
|
||||
match this private key.</para>
|
||||
|
||||
<para>Default: <command>ssl server key = <empty string>
|
||||
</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="SSLVERSION">ssl version (G)</term>
|
||||
<listitem><para>This variable is part of SSL-enabled Samba. This
|
||||
is only available if the SSL libraries have been compiled on your
|
||||
system and the configure option <command>--with-ssl</command> was
|
||||
given at configure time.</para>
|
||||
|
||||
<para>This enumeration variable defines the versions of the
|
||||
SSL protocol that will be used. <constant>ssl2or3</constant> allows
|
||||
dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
|
||||
in SSL v2, <constant>ssl3</constant> results in SSL v3 and
|
||||
<constant>tls1</constant> results in TLS v1. TLS (Transport Layer
|
||||
Security) is the new standard for SSL.</para>
|
||||
|
||||
<para>Default: <command>ssl version = "ssl2or3"</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
|
||||
<varlistentry>
|
||||
<term><anchor id="STATCACHE">stat cache (G)</term>
|
||||
<listitem><para>This parameter determines if <ulink
|
||||
|
@ -127,7 +127,7 @@ LIB_OBJ = lib/charcnv.o lib/debug.o lib/fault.o \
|
||||
lib/xfile.o lib/wins_srv.o \
|
||||
lib/util_str.o lib/util_sid.o \
|
||||
lib/util_unistr.o lib/util_file.o \
|
||||
lib/util.o lib/util_sock.o lib/util_sec.o smbd/ssl.o \
|
||||
lib/util.o lib/util_sock.o lib/util_sec.o \
|
||||
lib/talloc.o lib/hash.o lib/substitute.o lib/fsusage.o \
|
||||
lib/ms_fnmatch.o lib/select.o lib/error.o lib/messages.o \
|
||||
lib/tallocmsg.o lib/dmallocmsg.o \
|
||||
|
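Review bot: The new LIB_OBJ line `lib/util.o lib/util_sock.o lib/util_sec.o \` drops smbd/ssl.o, but this view does not show the source behind that object being deleted or its `sslutil_*` prototypes going away with it; if the file stays in the tree it becomes unbuilt OpenSSL code that still refers to the `WITH_SSL` and `SSL_DIR` defines removed elsewhere in this commit. Presumably the file is removed in a part of the commit not shown here, but the object list is the only place the build would have caught a stale reference, so it is worth confirming that no other rule (install targets, prototype generation) still names it. The LIB_OBJ assignment starts and continues outside the hunk.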
@ -58,8 +58,6 @@
|
||||
#undef HAVE_SET_AUTH_PARAMETERS
|
||||
#undef WITH_SYSLOG
|
||||
#undef WITH_PROFILE
|
||||
#undef WITH_SSL
|
||||
#undef SSL_DIR
|
||||
#undef WITH_PAM
|
||||
#undef WITH_NISPLUS_HOME
|
||||
#undef WITH_AUTOMOUNT
|
||||
|
@ -2635,10 +2635,6 @@ static void remember_query_host(const char *arg,
|
||||
}
|
||||
DEBUGLEVEL = old_debug;
|
||||
|
||||
#ifdef WITH_SSL
|
||||
sslutil_init(0);
|
||||
#endif
|
||||
|
||||
pstrcpy(workgroup,lp_workgroup());
|
||||
|
||||
load_interfaces();
|
||||
|
1696
source3/configure
vendored
@ -2191,74 +2191,6 @@ AC_ARG_WITH(nisplus-home,
|
||||
AC_MSG_RESULT(no)
|
||||
)
|
||||
|
||||
#################################################
|
||||
# check for the secure socket layer
|
||||
AC_MSG_CHECKING(whether to use SSL)
|
||||
AC_ARG_WITH(ssl,
|
||||
[ --with-ssl Include SSL support (default=no)
|
||||
--with-sslinc=DIR Where the SSL includes are (defaults to /usr/local/ssl/include)
|
||||
--with-ssllib=DIR Where the SSL libraries are (defaults to /usr/local/ssl/lib)],
|
||||
[ case "$withval" in
|
||||
yes)
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(WITH_SSL)
|
||||
withval="/usr/local/ssl" # default
|
||||
|
||||
if test "${with_sslinc+set}" = set; then
|
||||
|
||||
withval="$with_sslinc"
|
||||
case "$withval" in
|
||||
yes|no)
|
||||
echo "configure: warning: --with-sslinc called without argument - will use default" 1>&w
|
||||
CFLAGS="-I/usr/local/ssl/include $CFLAGS"
|
||||
;;
|
||||
* )
|
||||
CFLAGS="-I${withval} $CFLAGS"
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
|
||||
CFLAGS="-I/usr/local/ssl/include $CFLAGS"
|
||||
|
||||
fi
|
||||
|
||||
if test "${with_ssllib+set}" = set; then
|
||||
|
||||
withval="$with_ssllib"
|
||||
case "$withval" in
|
||||
yes|no)
|
||||
echo "configure: warning: --with-ssllib called without argument - will use default" 1>&w
|
||||
LDFLAGS="-L/usr/local/ssl/lib $LDFLAGS"
|
||||
;;
|
||||
* )
|
||||
LDFLAGS="-L${withval}/lib $LDFLAGS"
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
|
||||
LDFLAGS="-L/usr/local/ssl/lib $LDFLAGS"
|
||||
|
||||
fi
|
||||
|
||||
LIBS="-lssl -lcrypto $LIBS"
|
||||
|
||||
# if test ! -d ${withval}; then
|
||||
# echo "configure: error: called with --with-ssl, but ssl base directory ${withval} does not exist or is not a directory. Aborting config" 1>&2
|
||||
# exit 1
|
||||
# fi
|
||||
|
||||
CFLAGS="-DHAVE_CRYPT_DECL $CFLAGS" # Damn, SSLeay defines its own
|
||||
|
||||
;;
|
||||
*)
|
||||
AC_MSG_RESULT(no)
|
||||
;;
|
||||
esac ],
|
||||
AC_MSG_RESULT(no)
|
||||
)
|
||||
|
||||
#################################################
|
||||
# check for syslog logging
|
||||
AC_MSG_CHECKING(whether to use syslog logging)
|
||||
|
@ -124,8 +124,6 @@
|
||||
#undef HAVE_SET_AUTH_PARAMETERS
|
||||
#undef WITH_SYSLOG
|
||||
#undef WITH_PROFILE
|
||||
#undef WITH_SSL
|
||||
#undef SSL_DIR
|
||||
#undef WITH_PAM
|
||||
#undef WITH_NISPLUS_HOME
|
||||
#undef WITH_AUTOMOUNT
|
||||
|
@ -1346,11 +1346,6 @@ enum remote_arch_types {RA_UNKNOWN, RA_WFWG, RA_OS2, RA_WIN95, RA_WINNT, RA_WIN2
|
||||
/* case handling */
|
||||
enum case_handling {CASE_LOWER,CASE_UPPER};
|
||||
|
||||
#ifdef WITH_SSL
|
||||
/* SSL version options */
|
||||
enum ssl_version_enum {SMB_SSL_V2,SMB_SSL_V3,SMB_SSL_V23,SMB_SSL_TLS1};
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
/*
|
||||
* Global value meaing that the smb_uid field should be
|
||||
* ingored (in share level security and protocol level == CORE)
|
||||
|
@ -52,13 +52,6 @@
|
||||
#endif /* WITH_NISPLUS_HOME */
|
||||
#endif /* HAVE_NETGROUP && WITH_AUTOMOUNT */
|
||||
|
||||
#ifdef WITH_SSL
|
||||
#include <openssl/ssl.h>
|
||||
#undef Realloc /* SSLeay defines this and samba has a function of this name */
|
||||
extern SSL *ssl;
|
||||
extern int sslFd;
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
int Protocol = PROTOCOL_COREPLUS;
|
||||
|
||||
/* a default finfo structure to ensure all fields are sensible */
|
||||
|
@ -21,13 +21,6 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_SSL
|
||||
#include <openssl/ssl.h>
|
||||
#undef Realloc /* SSLeay defines this and samba has a function of this name */
|
||||
extern SSL *ssl;
|
||||
extern int sslFd;
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
/* the last IP received from */
|
||||
struct in_addr lastip;
|
||||
|
||||
@ -243,15 +236,7 @@ static ssize_t read_socket_with_timeout(int fd,char *buf,size_t mincnt,size_t ma
|
||||
if (mincnt == 0) mincnt = maxcnt;
|
||||
|
||||
while (nread < mincnt) {
|
||||
#ifdef WITH_SSL
|
||||
if (fd == sslFd) {
|
||||
readret = SSL_read(ssl, buf + nread, maxcnt - nread);
|
||||
} else {
|
||||
readret = sys_read(fd, buf + nread, maxcnt - nread);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
readret = sys_read(fd, buf + nread, maxcnt - nread);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (readret == 0) {
|
||||
DEBUG(5,("read_socket_with_timeout: blocking read. EOF from client.\n"));
|
||||
@ -300,15 +285,7 @@ static ssize_t read_socket_with_timeout(int fd,char *buf,size_t mincnt,size_t ma
|
||||
return -1;
|
||||
}
|
||||
|
||||
#ifdef WITH_SSL
|
||||
if (fd == sslFd) {
|
||||
readret = SSL_read(ssl, buf + nread, maxcnt - nread);
|
||||
}else{
|
||||
readret = sys_read(fd, buf + nread, maxcnt - nread);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
readret = sys_read(fd, buf+nread, maxcnt-nread);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (readret == 0) {
|
||||
/* we got EOF on the file descriptor */
|
||||
@ -353,15 +330,7 @@ ssize_t read_with_timeout(int fd, char *buf, size_t mincnt, size_t maxcnt,
|
||||
if (mincnt == 0) mincnt = maxcnt;
|
||||
|
||||
while (nread < mincnt) {
|
||||
#ifdef WITH_SSL
|
||||
if(fd == sslFd){
|
||||
readret = SSL_read(ssl, buf + nread, maxcnt - nread);
|
||||
}else{
|
||||
readret = sys_read(fd, buf + nread, maxcnt - nread);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
readret = sys_read(fd, buf + nread, maxcnt - nread);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (readret <= 0)
|
||||
return readret;
|
||||
@ -383,15 +352,7 @@ ssize_t read_with_timeout(int fd, char *buf, size_t mincnt, size_t maxcnt,
|
||||
if(selrtn <= 0)
|
||||
return selrtn;
|
||||
|
||||
#ifdef WITH_SSL
|
||||
if(fd == sslFd){
|
||||
readret = SSL_read(ssl, buf + nread, maxcnt - nread);
|
||||
}else{
|
||||
readret = sys_read(fd, buf + nread, maxcnt - nread);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
readret = sys_read(fd, buf+nread, maxcnt-nread);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (readret <= 0)
|
||||
return readret;
|
||||
@ -429,15 +390,7 @@ ssize_t read_data(int fd,char *buffer,size_t N)
|
||||
smb_read_error = 0;
|
||||
|
||||
while (total < N) {
|
||||
#ifdef WITH_SSL
|
||||
if(fd == sslFd){
|
||||
ret = SSL_read(ssl, buffer + total, N - total);
|
||||
}else{
|
||||
ret = sys_read(fd,buffer + total,N - total);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
ret = sys_read(fd,buffer + total,N - total);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (ret == 0) {
|
||||
DEBUG(10,("read_data: read of %d returned 0. Error = %s\n", (int)(N - total), strerror(errno) ));
|
||||
@ -467,15 +420,7 @@ static ssize_t read_socket_data(int fd,char *buffer,size_t N)
|
||||
smb_read_error = 0;
|
||||
|
||||
while (total < N) {
|
||||
#ifdef WITH_SSL
|
||||
if(fd == sslFd){
|
||||
ret = SSL_read(ssl, buffer + total, N - total);
|
||||
}else{
|
||||
ret = sys_read(fd,buffer + total,N - total);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
ret = sys_read(fd,buffer + total,N - total);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (ret == 0) {
|
||||
DEBUG(10,("read_socket_data: recv of %d returned 0. Error = %s\n", (int)(N - total), strerror(errno) ));
|
||||
@ -503,15 +448,7 @@ ssize_t write_data(int fd,char *buffer,size_t N)
|
||||
ssize_t ret;
|
||||
|
||||
while (total < N) {
|
||||
#ifdef WITH_SSL
|
||||
if(fd == sslFd){
|
||||
ret = SSL_write(ssl,buffer + total,N - total);
|
||||
}else{
|
||||
ret = sys_write(fd,buffer + total,N - total);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
ret = sys_write(fd,buffer + total,N - total);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (ret == -1) {
|
||||
DEBUG(0,("write_data: write failure. Error = %s\n", strerror(errno) ));
|
||||
@ -535,15 +472,7 @@ ssize_t write_socket_data(int fd,char *buffer,size_t N)
|
||||
ssize_t ret;
|
||||
|
||||
while (total < N) {
|
||||
#ifdef WITH_SSL
|
||||
if(fd == sslFd){
|
||||
ret = SSL_write(ssl,buffer + total,N - total);
|
||||
}else{
|
||||
ret = sys_send(fd,buffer + total,N - total, 0);
|
||||
}
|
||||
#else /* WITH_SSL */
|
||||
ret = sys_send(fd,buffer + total,N - total,0);
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (ret == -1) {
|
||||
DEBUG(0,("write_socket_data: write failure. Error = %s\n", strerror(errno) ));
|
||||
|
@ -920,10 +920,6 @@ BOOL cli_session_request(struct cli_state *cli,
|
||||
_smb_setlen(cli->outbuf,len);
|
||||
SCVAL(cli->outbuf,0,0x81);
|
||||
|
||||
#ifdef WITH_SSL
|
||||
retry:
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
cli_send_smb(cli);
|
||||
DEBUG(5,("Sent session request\n"));
|
||||
|
||||
@ -969,15 +965,6 @@ retry:
|
||||
}
|
||||
} /* C. Hoch 9/14/95 End */
|
||||
|
||||
#ifdef WITH_SSL
|
||||
if (CVAL(cli->inbuf,0) == 0x83 && CVAL(cli->inbuf,4) == 0x8e){ /* use ssl */
|
||||
if (!sslutil_fd_is_ssl(cli->fd)){
|
||||
if (sslutil_connect(cli->fd) == 0)
|
||||
goto retry;
|
||||
}
|
||||
}
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (CVAL(cli->inbuf,0) != 0x82) {
|
||||
/* This is the wrong place to put the error... JRA. */
|
||||
cli->rap_error = CVAL(cli->inbuf,4);
|
||||
|
@ -247,10 +247,6 @@ void cli_shutdown(struct cli_state *cli)
|
||||
if (cli->mem_ctx)
|
||||
talloc_destroy(cli->mem_ctx);
|
||||
|
||||
#ifdef WITH_SSL
|
||||
if (cli->fd != -1)
|
||||
sslutil_disconnect(cli->fd);
|
||||
#endif /* WITH_SSL */
|
||||
if (cli->fd != -1)
|
||||
close(cli->fd);
|
||||
allocated = cli->allocated;
|
||||
|
@ -212,25 +212,6 @@ typedef struct
|
||||
char *szLdapFilter;
|
||||
char *szLdapAdminDn;
|
||||
#endif /* WITH_LDAP_SAM */
|
||||
#ifdef WITH_SSL
|
||||
int sslVersion;
|
||||
char **sslHostsRequire;
|
||||
char **sslHostsResign;
|
||||
char *sslCaCertDir;
|
||||
char *sslCaCertFile;
|
||||
char *sslServerCert;
|
||||
char *sslServerPrivKey;
|
||||
char *sslClientCert;
|
||||
char *sslClientPrivKey;
|
||||
char *sslCiphers;
|
||||
char *sslEgdSocket;
|
||||
char *sslEntropyFile;
|
||||
int sslEntropyBytes;
|
||||
BOOL sslEnabled;
|
||||
BOOL sslReqClientCert;
|
||||
BOOL sslReqServerCert;
|
||||
BOOL sslCompatibility;
|
||||
#endif /* WITH_SSL */
|
||||
BOOL bMsAddPrinterWizard;
|
||||
BOOL bDNSproxy;
|
||||
BOOL bWINSsupport;
|
||||
@ -679,16 +660,6 @@ static struct enum_list enum_map_to_guest[] = {
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
#ifdef WITH_SSL
|
||||
static struct enum_list enum_ssl_version[] = {
|
||||
{SMB_SSL_V2, "ssl2"},
|
||||
{SMB_SSL_V3, "ssl3"},
|
||||
{SMB_SSL_V23, "ssl2or3"},
|
||||
{SMB_SSL_TLS1, "tls1"},
|
||||
{-1, NULL}
|
||||
};
|
||||
#endif
|
||||
|
||||
/* note that we do not initialise the defaults union - it is not allowed in ANSI C */
|
||||
static struct parm_struct parm_table[] = {
|
||||
{"Base Options", P_SEP, P_SEPARATOR},
|
||||
@ -789,28 +760,6 @@ static struct parm_struct parm_table[] = {
|
||||
{"hosts deny", P_LIST, P_LOCAL, &sDefault.szHostsdeny, NULL, NULL, FLAG_GLOBAL | FLAG_BASIC | FLAG_SHARE | FLAG_PRINT},
|
||||
{"deny hosts", P_LIST, P_LOCAL, &sDefault.szHostsdeny, NULL, NULL, 0},
|
||||
|
||||
#ifdef WITH_SSL
|
||||
{"Secure Socket Layer Options", P_SEP, P_SEPARATOR},
|
||||
{"ssl", P_BOOL, P_GLOBAL, &Globals.sslEnabled, NULL, NULL, 0},
|
||||
|
||||
{"ssl hosts", P_LIST, P_GLOBAL, &Globals.sslHostsRequire, NULL, NULL, 0},
|
||||
{"ssl hosts resign", P_LIST, P_GLOBAL, &Globals.sslHostsResign, NULL, NULL, 0},
|
||||
{"ssl CA certDir", P_STRING, P_GLOBAL, &Globals.sslCaCertDir, NULL, NULL, 0},
|
||||
{"ssl CA certFile", P_STRING, P_GLOBAL, &Globals.sslCaCertFile, NULL, NULL, 0},
|
||||
{"ssl server cert", P_STRING, P_GLOBAL, &Globals.sslServerCert, NULL, NULL, 0},
|
||||
{"ssl server key", P_STRING, P_GLOBAL, &Globals.sslServerPrivKey, NULL, NULL, 0},
|
||||
{"ssl client cert", P_STRING, P_GLOBAL, &Globals.sslClientCert, NULL, NULL, 0},
|
||||
{"ssl client key", P_STRING, P_GLOBAL, &Globals.sslClientPrivKey, NULL, NULL, 0},
|
||||
{"ssl egd socket", P_STRING, P_GLOBAL, &Globals.sslEgdSocket, NULL, NULL, 0},
|
||||
{"ssl entropy file", P_STRING, P_GLOBAL, &Globals.sslEntropyFile, NULL, NULL, 0},
|
||||
{"ssl entropy bytes", P_INTEGER, P_GLOBAL, &Globals.sslEntropyBytes, NULL, NULL, 0},
|
||||
{"ssl require clientcert", P_BOOL, P_GLOBAL, &Globals.sslReqClientCert, NULL, NULL, 0},
|
||||
{"ssl require servercert", P_BOOL, P_GLOBAL, &Globals.sslReqServerCert, NULL, NULL, 0},
|
||||
{"ssl ciphers", P_STRING, P_GLOBAL, &Globals.sslCiphers, NULL, NULL, 0},
|
||||
{"ssl version", P_ENUM, P_GLOBAL, &Globals.sslVersion, NULL, enum_ssl_version, 0},
|
||||
{"ssl compatibility", P_BOOL, P_GLOBAL, &Globals.sslCompatibility, NULL, NULL, 0},
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
{"Logging Options", P_SEP, P_SEPARATOR},
|
||||
|
||||
{"admin log", P_BOOL, P_GLOBAL, &Globals.bAdminLog, NULL, NULL, 0},
|
||||
@ -1376,26 +1325,6 @@ static void init_globals(void)
|
||||
Globals.ldap_ssl = LDAP_SSL_ON;
|
||||
#endif /* WITH_LDAP_SAM */
|
||||
|
||||
#ifdef WITH_SSL
|
||||
Globals.sslVersion = SMB_SSL_V23;
|
||||
/* Globals.sslHostsRequire = NULL;
|
||||
Globals.sslHostsResign = NULL; */
|
||||
string_set(&Globals.sslCaCertDir, "");
|
||||
string_set(&Globals.sslCaCertFile, "");
|
||||
string_set(&Globals.sslServerCert, "");
|
||||
string_set(&Globals.sslServerPrivKey, "");
|
||||
string_set(&Globals.sslClientCert, "");
|
||||
string_set(&Globals.sslClientPrivKey, "");
|
||||
string_set(&Globals.sslCiphers, "");
|
||||
string_set(&Globals.sslEgdSocket, "");
|
||||
string_set(&Globals.sslEntropyFile, "");
|
||||
Globals.sslEntropyBytes = 256;
|
||||
Globals.sslEnabled = False;
|
||||
Globals.sslReqClientCert = False;
|
||||
Globals.sslReqServerCert = False;
|
||||
Globals.sslCompatibility = False;
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
/* these parameters are set to defaults that are more appropriate
|
||||
for the increasing samba install base:
|
||||
|
||||
@ -1603,26 +1532,6 @@ FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
|
||||
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
|
||||
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
|
||||
|
||||
#ifdef WITH_SSL
|
||||
FN_GLOBAL_INTEGER(lp_ssl_version, &Globals.sslVersion)
|
||||
FN_GLOBAL_LIST(lp_ssl_hosts, &Globals.sslHostsRequire)
|
||||
FN_GLOBAL_LIST(lp_ssl_hosts_resign, &Globals.sslHostsResign)
|
||||
FN_GLOBAL_STRING(lp_ssl_cacertdir, &Globals.sslCaCertDir)
|
||||
FN_GLOBAL_STRING(lp_ssl_cacertfile, &Globals.sslCaCertFile)
|
||||
FN_GLOBAL_STRING(lp_ssl_server_cert, &Globals.sslServerCert)
|
||||
FN_GLOBAL_STRING(lp_ssl_server_privkey, &Globals.sslServerPrivKey)
|
||||
FN_GLOBAL_STRING(lp_ssl_client_cert, &Globals.sslClientCert)
|
||||
FN_GLOBAL_STRING(lp_ssl_client_privkey, &Globals.sslClientPrivKey)
|
||||
FN_GLOBAL_STRING(lp_ssl_ciphers, &Globals.sslCiphers)
|
||||
FN_GLOBAL_STRING(lp_ssl_egdsocket, &Globals.sslEgdSocket)
|
||||
FN_GLOBAL_STRING(lp_ssl_entropyfile, &Globals.sslEntropyFile)
|
||||
FN_GLOBAL_INTEGER(lp_ssl_entropybytes, &Globals.sslEntropyBytes)
|
||||
FN_GLOBAL_BOOL(lp_ssl_enabled, &Globals.sslEnabled)
|
||||
FN_GLOBAL_BOOL(lp_ssl_reqClientCert, &Globals.sslReqClientCert)
|
||||
FN_GLOBAL_BOOL(lp_ssl_reqServerCert, &Globals.sslReqServerCert)
|
||||
FN_GLOBAL_BOOL(lp_ssl_compatibility, &Globals.sslCompatibility)
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
FN_GLOBAL_BOOL(lp_ms_add_printer_wizard, &Globals.bMsAddPrinterWizard)
|
||||
FN_GLOBAL_BOOL(lp_dns_proxy, &Globals.bDNSproxy)
|
||||
FN_GLOBAL_BOOL(lp_wins_support, &Globals.bWINSsupport)
|
||||
|
@ -113,12 +113,6 @@ void build_options(BOOL screen)
|
||||
#ifdef WITH_NISPLUS_HOME
|
||||
output(screen," WITH_NISPLUS_HOME\n");
|
||||
#endif
|
||||
#ifdef WITH_SSL
|
||||
output(screen," WITH_SSL\n");
|
||||
#endif
|
||||
#ifdef SSL_DIR
|
||||
output(screen," SSL_DIR: %s\n",SSL_DIR);
|
||||
#endif
|
||||
#ifdef WITH_SYSLOG
|
||||
output(screen," WITH_SYSLOG\n");
|
||||
#endif
|
||||
|
@ -829,10 +829,6 @@ set. Ignoring max smbd restriction.\n"));
|
||||
****************************************************************************/
|
||||
void process_smb(char *inbuf, char *outbuf)
|
||||
{
|
||||
#ifdef WITH_SSL
|
||||
extern BOOL sslEnabled; /* don't use function for performance reasons */
|
||||
static int sslConnected = 0;
|
||||
#endif /* WITH_SSL */
|
||||
static int trans_num;
|
||||
int msg_type = CVAL(inbuf,0);
|
||||
int32 len = smb_len(inbuf);
|
||||
@ -860,18 +856,6 @@ void process_smb(char *inbuf, char *outbuf)
|
||||
DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type, len ) );
|
||||
DEBUG( 3, ( "Transaction %d of length %d\n", trans_num, nread ) );
|
||||
|
||||
#ifdef WITH_SSL
|
||||
if(sslEnabled && !sslConnected){
|
||||
sslConnected = sslutil_negotiate_ssl(smbd_server_fd(), msg_type);
|
||||
if(sslConnected < 0){ /* an error occured */
|
||||
exit_server("SSL negotiation failed");
|
||||
}else if(sslConnected){
|
||||
trans_num++;
|
||||
return;
|
||||
}
|
||||
}
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
if (msg_type == 0)
|
||||
show_msg(inbuf);
|
||||
else if(msg_type == SMBkeepalive)
|
||||
|
@ -782,15 +782,6 @@ static void usage(char *pname)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef WITH_SSL
|
||||
{
|
||||
extern BOOL sslEnabled;
|
||||
sslEnabled = lp_ssl_enabled();
|
||||
if(sslEnabled)
|
||||
sslutil_init(True);
|
||||
}
|
||||
#endif /* WITH_SSL */
|
||||
|
||||
fstrcpy(global_myworkgroup, lp_workgroup());
|
||||
|
||||
DEBUG(3,( "loaded services\n"));
|
||||
|
@ -1,286 +0,0 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
SSLeay utility functions
|
||||
Copyright (C) Christian Starkjohann <cs@obdev.at> 1998
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
*/
|
||||
|
||||
/*
|
||||
* since includes.h pulls in config.h which is were WITH_SSL will be
|
||||
* defined, we want to include includes.h before testing for WITH_SSL
|
||||
* RJS 26-Jan-1999
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_SSL /* should always be defined if this module is compiled */
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
BOOL sslEnabled;
|
||||
SSL *ssl = NULL;
|
||||
int sslFd = -1;
|
||||
static SSL_CTX *sslContext = NULL;
|
||||
extern int DEBUGLEVEL;
|
||||
|
||||
static int ssl_verify_cb(int ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
char buffer[256];
|
||||
|
||||
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
|
||||
buffer, sizeof(buffer));
|
||||
if(ok){
|
||||
DEBUG(0, ("SSL: Certificate OK: %s\n", buffer));
|
||||
}else{
|
||||
switch (ctx->error){
|
||||
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
||||
DEBUG(0, ("SSL: Cert error: CA not known: %s\n", buffer));
|
||||
break;
|
||||
case X509_V_ERR_CERT_NOT_YET_VALID:
|
||||
DEBUG(0, ("SSL: Cert error: Cert not yet valid: %s\n", buffer));
|
||||
break;
|
||||
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
||||
DEBUG(0, ("SSL: Cert error: illegal \'not before\' field: %s\n",
|
||||
buffer));
|
||||
break;
|
||||
case X509_V_ERR_CERT_HAS_EXPIRED:
|
||||
DEBUG(0, ("SSL: Cert error: Cert expired: %s\n", buffer));
|
||||
break;
|
||||
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
||||
DEBUG(0, ("SSL: Cert error: invalid \'not after\' field: %s\n",
|
||||
buffer));
|
||||
break;
|
||||
default:
|
||||
DEBUG(0, ("SSL: Cert error: unknown error %d in %s\n", ctx->error,
|
||||
buffer));
|
||||
break;
|
||||
}
|
||||
}
|
||||
return ok;
|
||||
}
|
||||
|
||||
static RSA *ssl_temp_rsa_cb(SSL *ssl, int is_export, int keylength)
|
||||
{
|
||||
static RSA *rsa = NULL;
|
||||
|
||||
if(rsa == NULL)
|
||||
rsa = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
|
||||
return rsa;
|
||||
}
|
||||
|
||||
/* This is called before we fork. It should ask the user for the pass phrase
|
||||
* if necessary. Error output can still go to stderr because the process
|
||||
* has a terminal.
|
||||
*/
|
||||
int sslutil_init(int isServer)
|
||||
{
|
||||
int err, entropybytes;
|
||||
char *certfile, *keyfile, *ciphers, *cacertDir, *cacertFile;
|
||||
char *egdsocket, *entropyfile;
|
||||
|
||||
SSL_load_error_strings();
|
||||
SSLeay_add_ssl_algorithms();
|
||||
egdsocket = lp_ssl_egdsocket();
|
||||
if (egdsocket != NULL && *egdsocket != 0)
|
||||
RAND_egd(egdsocket);
|
||||
entropyfile = lp_ssl_entropyfile();
|
||||
entropybytes = lp_ssl_entropybytes();
|
||||
if (entropyfile != NULL && *entropyfile != 0)
|
||||
RAND_load_file(entropyfile, entropybytes);
|
||||
switch(lp_ssl_version()){
|
||||
case SMB_SSL_V2: sslContext = SSL_CTX_new(SSLv2_method()); break;
|
||||
case SMB_SSL_V3: sslContext = SSL_CTX_new(SSLv3_method()); break;
|
||||
default:
|
||||
case SMB_SSL_V23: sslContext = SSL_CTX_new(SSLv23_method()); break;
|
||||
case SMB_SSL_TLS1: sslContext = SSL_CTX_new(TLSv1_method()); break;
|
||||
}
|
||||
if(sslContext == NULL){
|
||||
err = ERR_get_error();
|
||||
fprintf(stderr, "SSL: Error allocating context: %s\n",
|
||||
ERR_error_string(err, NULL));
|
||||
exit(1);
|
||||
}
|
||||
if(lp_ssl_compatibility()){
|
||||
SSL_CTX_set_options(sslContext, SSL_OP_ALL);
|
||||
}
|
||||
certfile = isServer ? lp_ssl_server_cert() : lp_ssl_client_cert();
|
||||
if((certfile == NULL || *certfile == 0) && isServer){
|
||||
fprintf(stderr, "SSL: No cert file specified in config file!\n");
|
||||
fprintf(stderr, "The server MUST have a certificate!\n");
|
||||
exit(1);
|
||||
}
|
||||
keyfile = isServer ? lp_ssl_server_privkey() : lp_ssl_client_privkey();
|
||||
if(keyfile == NULL || *keyfile == 0)
|
||||
keyfile = certfile;
|
||||
if(certfile != NULL && *certfile != 0){
|
||||
if(!SSL_CTX_use_certificate_chain_file(sslContext, certfile)){
|
||||
err = ERR_get_error();
|
||||
fprintf(stderr, "SSL: error reading certificate from file %s: %s\n",
|
||||
certfile, ERR_error_string(err, NULL));
|
||||
exit(1);
|
||||
}
|
||||
if(!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)){
|
||||
err = ERR_get_error();
|
||||
fprintf(stderr, "SSL: error reading private key from file %s: %s\n",
|
||||
keyfile, ERR_error_string(err, NULL));
|
||||
exit(1);
|
||||
}
|
||||
if(!SSL_CTX_check_private_key(sslContext)){
|
||||
err = ERR_get_error();
|
||||
fprintf(stderr, "SSL: Private key does not match public key in cert!\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
cacertDir = lp_ssl_cacertdir();
|
||||
cacertFile = lp_ssl_cacertfile();
|
||||
if(cacertDir != NULL && *cacertDir == 0)
|
||||
cacertDir = NULL;
|
||||
if(cacertFile != NULL && *cacertFile == 0)
|
||||
cacertFile = NULL;
|
||||
if(!SSL_CTX_load_verify_locations(sslContext, cacertFile, cacertDir)){
|
||||
err = ERR_get_error();
|
||||
if (cacertFile || cacertDir) {
|
||||
fprintf(stderr, "SSL: Error error setting CA cert locations: %s\n",
|
||||
ERR_error_string(err, NULL));
|
||||
fprintf(stderr, "trying default locations.\n");
|
||||
}
|
||||
cacertFile = cacertDir = NULL;
|
||||
if(!SSL_CTX_set_default_verify_paths(sslContext)){
|
||||
err = ERR_get_error();
|
||||
fprintf(stderr, "SSL: Error error setting default CA cert location: %s\n",
|
||||
ERR_error_string(err, NULL));
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
|
||||
if((ciphers = lp_ssl_ciphers()) != NULL && *ciphers != 0)
|
||||
SSL_CTX_set_cipher_list(sslContext, ciphers);
|
||||
if((isServer && lp_ssl_reqClientCert()) || (!isServer && lp_ssl_reqServerCert())){
|
||||
SSL_CTX_set_verify(sslContext,
|
||||
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
|
||||
}else{
|
||||
SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, ssl_verify_cb);
|
||||
}
|
||||
#if 1 /* don't know what this is good for, but s_server in SSLeay does it, too */
|
||||
if(isServer){
|
||||
SSL_CTX_set_client_CA_list(sslContext, SSL_load_client_CA_file(certfile));
|
||||
}
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
int sslutil_accept(int fd)
|
||||
{
|
||||
int err;
|
||||
|
||||
if(ssl != NULL){
|
||||
DEBUG(0, ("SSL: internal error: more than one SSL connection (server)\n"));
|
||||
return -1;
|
||||
}
|
||||
if((ssl = SSL_new(sslContext)) == NULL){
|
||||
err = ERR_get_error();
|
||||
DEBUG(0, ("SSL: Error allocating handle: %s\n",
|
||||
ERR_error_string(err, NULL)));
|
||||
return -1;
|
||||
}
|
||||
SSL_set_fd(ssl, fd);
|
||||
sslFd = fd;
|
||||
if(SSL_accept(ssl) <= 0){
|
||||
err = ERR_get_error();
|
||||
DEBUG(0, ("SSL: Error accepting on socket: %s\n",
|
||||
ERR_error_string(err, NULL)));
|
||||
return -1;
|
||||
}
|
||||
DEBUG(0, ("SSL: negotiated cipher: %s\n", SSL_get_cipher(ssl)));
|
||||
return 0;
|
||||
}
|
||||
|
||||
int sslutil_fd_is_ssl(int fd)
|
||||
{
|
||||
return fd == sslFd;
|
||||
}
|
||||
|
||||
int sslutil_connect(int fd)
|
||||
{
|
||||
int err;
|
||||
|
||||
if(ssl != NULL){
|
||||
DEBUG(0, ("SSL: internal error: more than one SSL connection (client)\n"));
|
||||
return -1;
|
||||
}
|
||||
if((ssl = SSL_new(sslContext)) == NULL){
|
||||
err = ERR_get_error();
|
||||
DEBUG(0, ("SSL: Error allocating handle: %s\n",
|
||||
ERR_error_string(err, NULL)));
|
||||
return -1;
|
||||
}
|
||||
SSL_set_fd(ssl, fd);
|
||||
sslFd = fd;
|
||||
if(SSL_connect(ssl) <= 0){
|
||||
err = ERR_get_error();
|
||||
DEBUG(0, ("SSL: Error conencting socket: %s\n",
|
||||
ERR_error_string(err, NULL)));
|
||||
return -1;
|
||||
}
|
||||
DEBUG(0, ("SSL: negotiated cipher: %s\n", SSL_get_cipher(ssl)));
|
||||
return 0;
|
||||
}
|
||||
|
||||
int sslutil_disconnect(int fd)
|
||||
{
|
||||
if(fd == sslFd && ssl != NULL){
|
||||
SSL_free(ssl);
|
||||
ssl = NULL;
|
||||
sslFd = -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int sslutil_negotiate_ssl(int fd, int msg_type)
|
||||
{
|
||||
unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
|
||||
char *reqHosts, *resignHosts;
|
||||
|
||||
reqHosts = lp_ssl_hosts();
|
||||
resignHosts = lp_ssl_hosts_resign();
|
||||
if(!allow_access(resignHosts, reqHosts, get_socket_name(fd), get_socket_addr(fd))){
|
||||
sslEnabled = False;
|
||||
return 0;
|
||||
}
|
||||
if(msg_type != 0x81){ /* first packet must be a session request */
|
||||
DEBUG( 0, ( "Client %s did not use session setup; access denied\n",
|
||||
client_addr() ) );
|
||||
if (!send_smb(fd, (char *)buf))
|
||||
DEBUG(0, ("sslutil_negotiate_ssl: send_smb failed.\n"));
|
||||
return -1;
|
||||
}
|
||||
buf[4] = 0x8e; /* negative session response: use SSL */
|
||||
if (!send_smb(fd, (char *)buf)) {
|
||||
DEBUG(0,("sslutil_negotiate_ssl: send_smb failed.\n"));
|
||||
return -1;
|
||||
}
|
||||
if(sslutil_accept(fd) != 0){
|
||||
DEBUG( 0, ( "Client %s failed SSL negotiation!\n", client_addr() ) );
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
#else /* WITH_SSL */
|
||||
void ssl_dummy(void);
|
||||
void ssl_dummy(void) {;} /* So some compilers don't complain. */
|
||||
#endif /* WITH_SSL */
|