1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Stefan Metzmacher 64a9cd2a38 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00

88 lines
3.9 KiB
Python

#!/usr/bin/env python
import Options
from optparse import SUPPRESS_HELP
def set_options(opt):
# allow users to disable gnutls
opt.add_option('--enable-gnutls',
help=("Enable use of gnutls"),
action="store_true", dest='enable_gnutls', default=True)
opt.add_option('--disable-gnutls', help=SUPPRESS_HELP, action="store_false", dest='enable_gnutls')
def configure(conf):
conf.env.enable_gnutls = Options.options.enable_gnutls
if not conf.env.enable_gnutls:
conf.SET_TARGET_TYPE('gnutls', 'DISABLED')
conf.SET_TARGET_TYPE('gcrypt', 'DISABLED')
conf.SET_TARGET_TYPE('gpg-error', 'DISABLED')
if 'AD_DC_BUILD_IS_ENABLED' in conf.env:
conf.fatal("--disable-gnutls given: Building the AD DC requires GnuTLS (eg libgnutls-dev, gnutls-devel) for ldaps:// support and for the BackupKey protocol")
return
if Options.options.with_system_mitkrb5 and conf.env.AD_DC_BUILD_IS_ENABLED:
conf.CHECK_CFG(package='gnutls',
args='"gnutls >= 3.4.7" --cflags --libs',
msg='Checking for gnutls >= 3.4.7',
mandatory=True)
conf.DEFINE('HAVE_GNUTLS_3_4_7', 1)
conf.DEFINE('HAVE_GNUTLS3', 1)
else:
if conf.CHECK_CFG(package='gnutls',
args='"gnutls >= 3.4.7" --cflags --libs',
msg='Checking for gnutls >= 3.4.7',
mandatory=False):
conf.DEFINE('HAVE_GNUTLS_3_4_7', 1)
conf.DEFINE('HAVE_GNUTLS3', 1)
elif conf.CHECK_CFG(package='gnutls',
args='"gnutls >= 3.0.0" --cflags --libs',
msg='Checking for gnutls >= 3.0.0s', mandatory=False):
conf.DEFINE('HAVE_GNUTLS3', 1)
else:
conf.CHECK_CFG(package='gnutls',
args='"gnutls >= 1.4.0 gnutls != 2.2.4 gnutls != 2.8.0 gnutls != 2.8.1" --cflags --libs',
msg='Checking for gnutls >= 1.4.0 and broken versions', mandatory=False)
if 'HAVE_GNUTLS' in conf.env:
conf.DEFINE('ENABLE_GNUTLS', 1)
else:
if 'AD_DC_BUILD_IS_ENABLED' in conf.env:
conf.fatal("Building the AD DC requires GnuTLS (eg libgnutls-dev, gnutls-devel) for ldaps:// support and for the BackupKey protocol")
conf.CHECK_FUNCS_IN('gnutls_global_init', 'gnutls',
headers='gnutls/gnutls.h')
conf.CHECK_FUNCS_IN('gnutls_certificate_verify_peers3', 'gnutls',
headers='gnutls/gnutls.h')
conf.CHECK_DECLS('GNUTLS_CERT_EXPIRED GNUTLS_CERT_NOT_ACTIVATED GNUTLS_CERT_UNEXPECTED_OWNER',
headers='gnutls/gnutls.h gnutls/x509.h')
conf.CHECK_VARIABLE('gnutls_x509_crt_set_version',
headers='gnutls/gnutls.h gnutls/x509.h',
define='HAVE_GNUTLS_X509_CRT_SET_VERSION',
lib='gnutls')
conf.CHECK_VARIABLE('gnutls_x509_crt_set_subject_key_id',
headers='gnutls/gnutls.h gnutls/x509.h',
define='HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID',
lib='gnutls')
# check for gnutls_datum types
conf.CHECK_TYPES('gnutls_datum gnutls_datum_t',
headers='gnutls/gnutls.h', lib='gnutls')
# GnuTLS3 moved to libnettle, so only do this in the < 3.0 case
if not 'HAVE_GNUTLS3' in conf.env:
conf.CHECK_FUNCS_IN('gcry_control', 'gcrypt', headers='gcrypt.h')
conf.CHECK_FUNCS_IN('gpg_err_code_from_errno', 'gpg-error')
else:
conf.SET_TARGET_TYPE('gcrypt', 'DISABLED')
conf.SET_TARGET_TYPE('gpg-error', 'DISABLED')
def build(bld):
bld.SAMBA_SUBSYSTEM('LIBTLS',
source='tls.c tlscert.c tls_tstream.c',
public_deps='talloc gnutls gcrypt samba-hostconfig samba_socket LIBTSOCKET tevent tevent-util'
)