search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
[Samba/gebeck_regimport.git] / source4 / lib / tls / tls_tstream.c
blob6bb68fb34c0a9e606fec5130bf8cdbb8b9aac948
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Stefan Metzmacher 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/network.h"
22 #include "../util/tevent_unix.h"
23 #include "../lib/tsocket/tsocket.h"
24 #include "../lib/tsocket/tsocket_internal.h"
25 #include "lib/tls/tls.h"
26
27 #if ENABLE_GNUTLS
28 #include <gnutls/gnutls.h>
29
30 #define DH_BITS 1024
31
32 #if defined(HAVE_GNUTLS_DATUM) && !defined(HAVE_GNUTLS_DATUM_T)
33 typedef gnutls_datum gnutls_datum_t;
34 #endif
35
36 #endif /* ENABLE_GNUTLS */
37
38 static const struct tstream_context_ops tstream_tls_ops;
39
40 struct tstream_tls {
41 struct tstream_context *plain_stream;
42 int error;
43
44 #if ENABLE_GNUTLS
45 gnutls_session tls_session;
46 #endif /* ENABLE_GNUTLS */
47
48 struct tevent_context *current_ev;
49
50 struct tevent_immediate *retry_im;
51
52 struct {
53 uint8_t *buf;
54 off_t ofs;
55 struct iovec iov;
56 struct tevent_req *subreq;
57 struct tevent_immediate *im;
58 } push;
59
60 struct {
61 uint8_t *buf;
62 struct iovec iov;
63 struct tevent_req *subreq;
64 } pull;
65
66 struct {
67 struct tevent_req *req;
68 } handshake;
69
70 struct {
71 off_t ofs;
72 size_t left;
73 uint8_t buffer[1024];
74 struct tevent_req *req;
75 } write;
76
77 struct {
78 off_t ofs;
79 size_t left;
80 uint8_t buffer[1024];
81 struct tevent_req *req;
82 } read;
83
84 struct {
85 struct tevent_req *req;
86 } disconnect;
87 };
88
89 static void tstream_tls_retry_handshake(struct tstream_context *stream);
90 static void tstream_tls_retry_read(struct tstream_context *stream);
91 static void tstream_tls_retry_write(struct tstream_context *stream);
92 static void tstream_tls_retry_disconnect(struct tstream_context *stream);
93 static void tstream_tls_retry_trigger(struct tevent_context *ctx,
94 struct tevent_immediate *im,
95 void *private_data);
96
97 static void tstream_tls_retry(struct tstream_context *stream, bool deferred)
98 {
99
100 struct tstream_tls *tlss =
101 tstream_context_data(stream,
102 struct tstream_tls);
103
104 if (tlss->disconnect.req) {
105 tstream_tls_retry_disconnect(stream);
106 return;
107 }
108
109 if (tlss->handshake.req) {
110 tstream_tls_retry_handshake(stream);
111 return;
112 }
113
114 if (tlss->write.req && tlss->read.req && !deferred) {
115 tevent_schedule_immediate(tlss->retry_im, tlss->current_ev,
116 tstream_tls_retry_trigger,
117 stream);
118 }
119
120 if (tlss->write.req) {
121 tstream_tls_retry_write(stream);
122 return;
123 }
124
125 if (tlss->read.req) {
126 tstream_tls_retry_read(stream);
127 return;
128 }
129 }
130
131 static void tstream_tls_retry_trigger(struct tevent_context *ctx,
132 struct tevent_immediate *im,
133 void *private_data)
134 {
135 struct tstream_context *stream =
136 talloc_get_type_abort(private_data,
137 struct tstream_context);
138
139 tstream_tls_retry(stream, true);
140 }
141
142 #if ENABLE_GNUTLS
143 static void tstream_tls_push_trigger_write(struct tevent_context *ev,
144 struct tevent_immediate *im,
145 void *private_data);
146
147 static ssize_t tstream_tls_push_function(gnutls_transport_ptr ptr,
148 const void *buf, size_t size)
149 {
150 struct tstream_context *stream =
151 talloc_get_type_abort(ptr,
152 struct tstream_context);
153 struct tstream_tls *tlss =
154 tstream_context_data(stream,
155 struct tstream_tls);
156 uint8_t *nbuf;
157 size_t len;
158
159 if (tlss->error != 0) {
160 errno = tlss->error;
161 return -1;
162 }
163
164 if (tlss->push.subreq) {
165 errno = EAGAIN;
166 return -1;
167 }
168
169 len = MIN(size, UINT16_MAX - tlss->push.ofs);
170
171 if (len == 0) {
172 errno = EAGAIN;
173 return -1;
174 }
175
176 nbuf = talloc_realloc(tlss, tlss->push.buf,
177 uint8_t, tlss->push.ofs + len);
178 if (nbuf == NULL) {
179 if (tlss->push.buf) {
180 errno = EAGAIN;
181 return -1;
182 }
183
184 return -1;
185 }
186 tlss->push.buf = nbuf;
187
188 memcpy(tlss->push.buf + tlss->push.ofs, buf, len);
189
190 if (tlss->push.im == NULL) {
191 tlss->push.im = tevent_create_immediate(tlss);
192 if (tlss->push.im == NULL) {
193 errno = ENOMEM;
194 return -1;
195 }
196 }
197
198 if (tlss->push.ofs == 0) {
199 /*
200 * We'll do start the tstream_writev
201 * in the next event cycle.
202 *
203 * This way we can batch all push requests,
204 * if they fit into a UINT16_MAX buffer.
205 *
206 * This is important as gnutls_handshake()
207 * had a bug in some versions e.g. 2.4.1
208 * and others (See bug #7218) and it doesn't
209 * handle EAGAIN.
210 */
211 tevent_schedule_immediate(tlss->push.im,
212 tlss->current_ev,
213 tstream_tls_push_trigger_write,
214 stream);
215 }
216
217 tlss->push.ofs += len;
218 return len;
219 }
220
221 static void tstream_tls_push_done(struct tevent_req *subreq);
222
223 static void tstream_tls_push_trigger_write(struct tevent_context *ev,
224 struct tevent_immediate *im,
225 void *private_data)
226 {
227 struct tstream_context *stream =
228 talloc_get_type_abort(private_data,
229 struct tstream_context);
230 struct tstream_tls *tlss =
231 tstream_context_data(stream,
232 struct tstream_tls);
233 struct tevent_req *subreq;
234
235 if (tlss->push.subreq) {
236 /* nothing todo */
237 return;
238 }
239
240 tlss->push.iov.iov_base = (char *)tlss->push.buf;
241 tlss->push.iov.iov_len = tlss->push.ofs;
242
243 subreq = tstream_writev_send(tlss,
244 tlss->current_ev,
245 tlss->plain_stream,
246 &tlss->push.iov, 1);
247 if (subreq == NULL) {
248 tlss->error = ENOMEM;
249 tstream_tls_retry(stream, false);
250 return;
251 }
252 tevent_req_set_callback(subreq, tstream_tls_push_done, stream);
253
254 tlss->push.subreq = subreq;
255 }
256
257 static void tstream_tls_push_done(struct tevent_req *subreq)
258 {
259 struct tstream_context *stream =
260 tevent_req_callback_data(subreq,
261 struct tstream_context);
262 struct tstream_tls *tlss =
263 tstream_context_data(stream,
264 struct tstream_tls);
265 int ret;
266 int sys_errno;
267
268 tlss->push.subreq = NULL;
269 ZERO_STRUCT(tlss->push.iov);
270 TALLOC_FREE(tlss->push.buf);
271 tlss->push.ofs = 0;
272
273 ret = tstream_writev_recv(subreq, &sys_errno);
274 TALLOC_FREE(subreq);
275 if (ret == -1) {
276 tlss->error = sys_errno;
277 tstream_tls_retry(stream, false);
278 return;
279 }
280
281 tstream_tls_retry(stream, false);
282 }
283
284 static void tstream_tls_pull_done(struct tevent_req *subreq);
285
286 static ssize_t tstream_tls_pull_function(gnutls_transport_ptr ptr,
287 void *buf, size_t size)
288 {
289 struct tstream_context *stream =
290 talloc_get_type_abort(ptr,
291 struct tstream_context);
292 struct tstream_tls *tlss =
293 tstream_context_data(stream,
294 struct tstream_tls);
295 struct tevent_req *subreq;
296 size_t len;
297
298 if (tlss->error != 0) {
299 errno = tlss->error;
300 return -1;
301 }
302
303 if (tlss->pull.subreq) {
304 errno = EAGAIN;
305 return -1;
306 }
307
308 if (tlss->pull.iov.iov_base) {
309 uint8_t *b;
310 size_t n;
311
312 b = (uint8_t *)tlss->pull.iov.iov_base;
313
314 n = MIN(tlss->pull.iov.iov_len, size);
315 memcpy(buf, b, n);
316
317 tlss->pull.iov.iov_len -= n;
318 b += n;
319 tlss->pull.iov.iov_base = (char *)b;
320 if (tlss->pull.iov.iov_len == 0) {
321 tlss->pull.iov.iov_base = NULL;
322 TALLOC_FREE(tlss->pull.buf);
323 }
324
325 return n;
326 }
327
328 if (size == 0) {
329 return 0;
330 }
331
332 len = MIN(size, UINT16_MAX);
333
334 tlss->pull.buf = talloc_array(tlss, uint8_t, len);
335 if (tlss->pull.buf == NULL) {
336 return -1;
337 }
338
339 tlss->pull.iov.iov_base = (char *)tlss->pull.buf;
340 tlss->pull.iov.iov_len = len;
341
342 subreq = tstream_readv_send(tlss,
343 tlss->current_ev,
344 tlss->plain_stream,
345 &tlss->pull.iov, 1);
346 if (subreq == NULL) {
347 errno = ENOMEM;
348 return -1;
349 }
350 tevent_req_set_callback(subreq, tstream_tls_pull_done, stream);
351
352 tlss->pull.subreq = subreq;
353 errno = EAGAIN;
354 return -1;
355 }
356
357 static void tstream_tls_pull_done(struct tevent_req *subreq)
358 {
359 struct tstream_context *stream =
360 tevent_req_callback_data(subreq,
361 struct tstream_context);
362 struct tstream_tls *tlss =
363 tstream_context_data(stream,
364 struct tstream_tls);
365 int ret;
366 int sys_errno;
367
368 tlss->pull.subreq = NULL;
369
370 ret = tstream_readv_recv(subreq, &sys_errno);
371 TALLOC_FREE(subreq);
372 if (ret == -1) {
373 tlss->error = sys_errno;
374 tstream_tls_retry(stream, false);
375 return;
376 }
377
378 tstream_tls_retry(stream, false);
379 }
380 #endif /* ENABLE_GNUTLS */
381
382 static int tstream_tls_destructor(struct tstream_tls *tlss)
383 {
384 #if ENABLE_GNUTLS
385 if (tlss->tls_session) {
386 gnutls_deinit(tlss->tls_session);
387 tlss->tls_session = NULL;
388 }
389 #endif /* ENABLE_GNUTLS */
390 return 0;
391 }
392
393 static ssize_t tstream_tls_pending_bytes(struct tstream_context *stream)
394 {
395 struct tstream_tls *tlss =
396 tstream_context_data(stream,
397 struct tstream_tls);
398 size_t ret;
399
400 if (tlss->error != 0) {
401 errno = tlss->error;
402 return -1;
403 }
404
405 #if ENABLE_GNUTLS
406 ret = gnutls_record_check_pending(tlss->tls_session);
407 ret += tlss->read.left;
408 #else /* ENABLE_GNUTLS */
409 errno = ENOSYS;
410 ret = -1;
411 #endif /* ENABLE_GNUTLS */
412 return ret;
413 }
414
415 struct tstream_tls_readv_state {
416 struct tstream_context *stream;
417
418 struct iovec *vector;
419 int count;
420
421 int ret;
422 };
423
424 static void tstream_tls_readv_crypt_next(struct tevent_req *req);
425
426 static struct tevent_req *tstream_tls_readv_send(TALLOC_CTX *mem_ctx,
427 struct tevent_context *ev,
428 struct tstream_context *stream,
429 struct iovec *vector,
430 size_t count)
431 {
432 struct tstream_tls *tlss =
433 tstream_context_data(stream,
434 struct tstream_tls);
435 struct tevent_req *req;
436 struct tstream_tls_readv_state *state;
437
438 tlss->read.req = NULL;
439 tlss->current_ev = ev;
440
441 req = tevent_req_create(mem_ctx, &state,
442 struct tstream_tls_readv_state);
443 if (req == NULL) {
444 return NULL;
445 }
446
447 state->stream = stream;
448 state->ret = 0;
449
450 if (tlss->error != 0) {
451 tevent_req_error(req, tlss->error);
452 return tevent_req_post(req, ev);
453 }
454
455 /*
456 * we make a copy of the vector so we can change the structure
457 */
458 state->vector = talloc_array(state, struct iovec, count);
459 if (tevent_req_nomem(state->vector, req)) {
460 return tevent_req_post(req, ev);
461 }
462 memcpy(state->vector, vector, sizeof(struct iovec) * count);
463 state->count = count;
464
465 tstream_tls_readv_crypt_next(req);
466 if (!tevent_req_is_in_progress(req)) {
467 return tevent_req_post(req, ev);
468 }
469
470 return req;
471 }
472
473 static void tstream_tls_readv_crypt_next(struct tevent_req *req)
474 {
475 struct tstream_tls_readv_state *state =
476 tevent_req_data(req,
477 struct tstream_tls_readv_state);
478 struct tstream_tls *tlss =
479 tstream_context_data(state->stream,
480 struct tstream_tls);
481
482 /*
483 * copy the pending buffer first
484 */
485 while (tlss->read.left > 0 && state->count > 0) {
486 uint8_t *base = (uint8_t *)state->vector[0].iov_base;
487 size_t len = MIN(tlss->read.left, state->vector[0].iov_len);
488
489 memcpy(base, tlss->read.buffer + tlss->read.ofs, len);
490
491 base += len;
492 state->vector[0].iov_base = (char *) base;
493 state->vector[0].iov_len -= len;
494
495 tlss->read.ofs += len;
496 tlss->read.left -= len;
497
498 if (state->vector[0].iov_len == 0) {
499 state->vector += 1;
500 state->count -= 1;
501 }
502
503 state->ret += len;
504 }
505
506 if (state->count == 0) {
507 tevent_req_done(req);
508 return;
509 }
510
511 tlss->read.req = req;
512 tstream_tls_retry_read(state->stream);
513 }
514
515 static void tstream_tls_retry_read(struct tstream_context *stream)
516 {
517 struct tstream_tls *tlss =
518 tstream_context_data(stream,
519 struct tstream_tls);
520 struct tevent_req *req = tlss->read.req;
521 #if ENABLE_GNUTLS
522 int ret;
523
524 if (tlss->error != 0) {
525 tevent_req_error(req, tlss->error);
526 return;
527 }
528
529 tlss->read.left = 0;
530 tlss->read.ofs = 0;
531
532 ret = gnutls_record_recv(tlss->tls_session,
533 tlss->read.buffer,
534 sizeof(tlss->read.buffer));
535 if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
536 return;
537 }
538
539 tlss->read.req = NULL;
540
541 if (gnutls_error_is_fatal(ret) != 0) {
542 DEBUG(1,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
543 tlss->error = EIO;
544 tevent_req_error(req, tlss->error);
545 return;
546 }
547
548 if (ret == 0) {
549 tlss->error = EPIPE;
550 tevent_req_error(req, tlss->error);
551 return;
552 }
553
554 tlss->read.left = ret;
555 tstream_tls_readv_crypt_next(req);
556 #else /* ENABLE_GNUTLS */
557 tevent_req_error(req, ENOSYS);
558 #endif /* ENABLE_GNUTLS */
559 }
560
561 static int tstream_tls_readv_recv(struct tevent_req *req,
562 int *perrno)
563 {
564 struct tstream_tls_readv_state *state =
565 tevent_req_data(req,
566 struct tstream_tls_readv_state);
567 struct tstream_tls *tlss =
568 tstream_context_data(state->stream,
569 struct tstream_tls);
570 int ret;
571
572 tlss->read.req = NULL;
573
574 ret = tsocket_simple_int_recv(req, perrno);
575 if (ret == 0) {
576 ret = state->ret;
577 }
578
579 tevent_req_received(req);
580 return ret;
581 }
582
583 struct tstream_tls_writev_state {
584 struct tstream_context *stream;
585
586 struct iovec *vector;
587 int count;
588
589 int ret;
590 };
591
592 static void tstream_tls_writev_crypt_next(struct tevent_req *req);
593
594 static struct tevent_req *tstream_tls_writev_send(TALLOC_CTX *mem_ctx,
595 struct tevent_context *ev,
596 struct tstream_context *stream,
597 const struct iovec *vector,
598 size_t count)
599 {
600 struct tstream_tls *tlss =
601 tstream_context_data(stream,
602 struct tstream_tls);
603 struct tevent_req *req;
604 struct tstream_tls_writev_state *state;
605
606 tlss->write.req = NULL;
607 tlss->current_ev = ev;
608
609 req = tevent_req_create(mem_ctx, &state,
610 struct tstream_tls_writev_state);
611 if (req == NULL) {
612 return NULL;
613 }
614
615 state->stream = stream;
616 state->ret = 0;
617
618 if (tlss->error != 0) {
619 tevent_req_error(req, tlss->error);
620 return tevent_req_post(req, ev);
621 }
622
623 /*
624 * we make a copy of the vector so we can change the structure
625 */
626 state->vector = talloc_array(state, struct iovec, count);
627 if (tevent_req_nomem(state->vector, req)) {
628 return tevent_req_post(req, ev);
629 }
630 memcpy(state->vector, vector, sizeof(struct iovec) * count);
631 state->count = count;
632
633 tstream_tls_writev_crypt_next(req);
634 if (!tevent_req_is_in_progress(req)) {
635 return tevent_req_post(req, ev);
636 }
637
638 return req;
639 }
640
641 static void tstream_tls_writev_crypt_next(struct tevent_req *req)
642 {
643 struct tstream_tls_writev_state *state =
644 tevent_req_data(req,
645 struct tstream_tls_writev_state);
646 struct tstream_tls *tlss =
647 tstream_context_data(state->stream,
648 struct tstream_tls);
649
650 tlss->write.left = sizeof(tlss->write.buffer);
651 tlss->write.ofs = 0;
652
653 /*
654 * first fill our buffer
655 */
656 while (tlss->write.left > 0 && state->count > 0) {
657 uint8_t *base = (uint8_t *)state->vector[0].iov_base;
658 size_t len = MIN(tlss->write.left, state->vector[0].iov_len);
659
660 memcpy(tlss->write.buffer + tlss->write.ofs, base, len);
661
662 base += len;
663 state->vector[0].iov_base = (char *) base;
664 state->vector[0].iov_len -= len;
665
666 tlss->write.ofs += len;
667 tlss->write.left -= len;
668
669 if (state->vector[0].iov_len == 0) {
670 state->vector += 1;
671 state->count -= 1;
672 }
673
674 state->ret += len;
675 }
676
677 if (tlss->write.ofs == 0) {
678 tevent_req_done(req);
679 return;
680 }
681
682 tlss->write.left = tlss->write.ofs;
683 tlss->write.ofs = 0;
684
685 tlss->write.req = req;
686 tstream_tls_retry_write(state->stream);
687 }
688
689 static void tstream_tls_retry_write(struct tstream_context *stream)
690 {
691 struct tstream_tls *tlss =
692 tstream_context_data(stream,
693 struct tstream_tls);
694 struct tevent_req *req = tlss->write.req;
695 #if ENABLE_GNUTLS
696 int ret;
697
698 if (tlss->error != 0) {
699 tevent_req_error(req, tlss->error);
700 return;
701 }
702
703 ret = gnutls_record_send(tlss->tls_session,
704 tlss->write.buffer + tlss->write.ofs,
705 tlss->write.left);
706 if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
707 return;
708 }
709
710 tlss->write.req = NULL;
711
712 if (gnutls_error_is_fatal(ret) != 0) {
713 DEBUG(1,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
714 tlss->error = EIO;
715 tevent_req_error(req, tlss->error);
716 return;
717 }
718
719 if (ret == 0) {
720 tlss->error = EPIPE;
721 tevent_req_error(req, tlss->error);
722 return;
723 }
724
725 tlss->write.ofs += ret;
726 tlss->write.left -= ret;
727
728 if (tlss->write.left > 0) {
729 tlss->write.req = req;
730 tstream_tls_retry_write(stream);
731 return;
732 }
733
734 tstream_tls_writev_crypt_next(req);
735 #else /* ENABLE_GNUTLS */
736 tevent_req_error(req, ENOSYS);
737 #endif /* ENABLE_GNUTLS */
738 }
739
740 static int tstream_tls_writev_recv(struct tevent_req *req,
741 int *perrno)
742 {
743 struct tstream_tls_writev_state *state =
744 tevent_req_data(req,
745 struct tstream_tls_writev_state);
746 struct tstream_tls *tlss =
747 tstream_context_data(state->stream,
748 struct tstream_tls);
749 int ret;
750
751 tlss->write.req = NULL;
752
753 ret = tsocket_simple_int_recv(req, perrno);
754 if (ret == 0) {
755 ret = state->ret;
756 }
757
758 tevent_req_received(req);
759 return ret;
760 }
761
762 struct tstream_tls_disconnect_state {
763 uint8_t _dummy;
764 };
765
766 static struct tevent_req *tstream_tls_disconnect_send(TALLOC_CTX *mem_ctx,
767 struct tevent_context *ev,
768 struct tstream_context *stream)
769 {
770 struct tstream_tls *tlss =
771 tstream_context_data(stream,
772 struct tstream_tls);
773 struct tevent_req *req;
774 struct tstream_tls_disconnect_state *state;
775
776 tlss->disconnect.req = NULL;
777 tlss->current_ev = ev;
778
779 req = tevent_req_create(mem_ctx, &state,
780 struct tstream_tls_disconnect_state);
781 if (req == NULL) {
782 return NULL;
783 }
784
785 if (tlss->error != 0) {
786 tevent_req_error(req, tlss->error);
787 return tevent_req_post(req, ev);
788 }
789
790 tlss->disconnect.req = req;
791 tstream_tls_retry_disconnect(stream);
792 if (!tevent_req_is_in_progress(req)) {
793 return tevent_req_post(req, ev);
794 }
795
796 return req;
797 }
798
799 static void tstream_tls_retry_disconnect(struct tstream_context *stream)
800 {
801 struct tstream_tls *tlss =
802 tstream_context_data(stream,
803 struct tstream_tls);
804 struct tevent_req *req = tlss->disconnect.req;
805 #if ENABLE_GNUTLS
806 int ret;
807
808 if (tlss->error != 0) {
809 tevent_req_error(req, tlss->error);
810 return;
811 }
812
813 ret = gnutls_bye(tlss->tls_session, GNUTLS_SHUT_WR);
814 if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
815 return;
816 }
817
818 tlss->disconnect.req = NULL;
819
820 if (gnutls_error_is_fatal(ret) != 0) {
821 DEBUG(1,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
822 tlss->error = EIO;
823 tevent_req_error(req, tlss->error);
824 return;
825 }
826
827 if (ret != GNUTLS_E_SUCCESS) {
828 DEBUG(1,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
829 tlss->error = EIO;
830 tevent_req_error(req, tlss->error);
831 return;
832 }
833
834 tevent_req_done(req);
835 #else /* ENABLE_GNUTLS */
836 tevent_req_error(req, ENOSYS);
837 #endif /* ENABLE_GNUTLS */
838 }
839
840 static int tstream_tls_disconnect_recv(struct tevent_req *req,
841 int *perrno)
842 {
843 int ret;
844
845 ret = tsocket_simple_int_recv(req, perrno);
846
847 tevent_req_received(req);
848 return ret;
849 }
850
851 static const struct tstream_context_ops tstream_tls_ops = {
852 .name = "tls",
853
854 .pending_bytes = tstream_tls_pending_bytes,
855
856 .readv_send = tstream_tls_readv_send,
857 .readv_recv = tstream_tls_readv_recv,
858
859 .writev_send = tstream_tls_writev_send,
860 .writev_recv = tstream_tls_writev_recv,
861
862 .disconnect_send = tstream_tls_disconnect_send,
863 .disconnect_recv = tstream_tls_disconnect_recv,
864 };
865
866 struct tstream_tls_params {
867 #if ENABLE_GNUTLS
868 gnutls_certificate_credentials x509_cred;
869 gnutls_dh_params dh_params;
870 #endif /* ENABLE_GNUTLS */
871 bool tls_enabled;
872 };
873
874 static int tstream_tls_params_destructor(struct tstream_tls_params *tlsp)
875 {
876 #if ENABLE_GNUTLS
877 if (tlsp->x509_cred) {
878 gnutls_certificate_free_credentials(tlsp->x509_cred);
879 tlsp->x509_cred = NULL;
880 }
881 if (tlsp->dh_params) {
882 gnutls_dh_params_deinit(tlsp->dh_params);
883 tlsp->dh_params = NULL;
884 }
885 #endif /* ENABLE_GNUTLS */
886 return 0;
887 }
888
889 bool tstream_tls_params_enabled(struct tstream_tls_params *tlsp)
890 {
891 return tlsp->tls_enabled;
892 }
893
894 NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
895 const char *ca_file,
896 const char *crl_file,
897 struct tstream_tls_params **_tlsp)
898 {
899 #if ENABLE_GNUTLS
900 struct tstream_tls_params *tlsp;
901 int ret;
902
903 ret = gnutls_global_init();
904 if (ret != GNUTLS_E_SUCCESS) {
905 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
906 return NT_STATUS_NOT_SUPPORTED;
907 }
908
909 tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
910 NT_STATUS_HAVE_NO_MEMORY(tlsp);
911
912 talloc_set_destructor(tlsp, tstream_tls_params_destructor);
913
914 ret = gnutls_certificate_allocate_credentials(&tlsp->x509_cred);
915 if (ret != GNUTLS_E_SUCCESS) {
916 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
917 talloc_free(tlsp);
918 return NT_STATUS_NO_MEMORY;
919 }
920
921 if (ca_file && *ca_file) {
922 ret = gnutls_certificate_set_x509_trust_file(tlsp->x509_cred,
923 ca_file,
924 GNUTLS_X509_FMT_PEM);
925 if (ret < 0) {
926 DEBUG(0,("TLS failed to initialise cafile %s - %s\n",
927 ca_file, gnutls_strerror(ret)));
928 talloc_free(tlsp);
929 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
930 }
931 }
932
933 if (crl_file && *crl_file) {
934 ret = gnutls_certificate_set_x509_crl_file(tlsp->x509_cred,
935 crl_file,
936 GNUTLS_X509_FMT_PEM);
937 if (ret < 0) {
938 DEBUG(0,("TLS failed to initialise crlfile %s - %s\n",
939 crl_file, gnutls_strerror(ret)));
940 talloc_free(tlsp);
941 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
942 }
943 }
944
945 tlsp->tls_enabled = true;
946
947 *_tlsp = tlsp;
948 return NT_STATUS_OK;
949 #else /* ENABLE_GNUTLS */
950 return NT_STATUS_NOT_IMPLEMENTED;
951 #endif /* ENABLE_GNUTLS */
952 }
953
954 struct tstream_tls_connect_state {
955 struct tstream_context *tls_stream;
956 };
957
958 struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
959 struct tevent_context *ev,
960 struct tstream_context *plain_stream,
961 struct tstream_tls_params *tls_params,
962 const char *location)
963 {
964 struct tevent_req *req;
965 struct tstream_tls_connect_state *state;
966 #if ENABLE_GNUTLS
967 struct tstream_tls *tlss;
968 int ret;
969 static const int cert_type_priority[] = {
970 GNUTLS_CRT_X509,
971 GNUTLS_CRT_OPENPGP,
972 0
973 };
974 #endif /* ENABLE_GNUTLS */
975
976 req = tevent_req_create(mem_ctx, &state,
977 struct tstream_tls_connect_state);
978 if (req == NULL) {
979 return NULL;
980 }
981
982 #if ENABLE_GNUTLS
983 state->tls_stream = tstream_context_create(state,
984 &tstream_tls_ops,
985 &tlss,
986 struct tstream_tls,
987 location);
988 if (tevent_req_nomem(state->tls_stream, req)) {
989 return tevent_req_post(req, ev);
990 }
991 ZERO_STRUCTP(tlss);
992 talloc_set_destructor(tlss, tstream_tls_destructor);
993
994 tlss->plain_stream = plain_stream;
995
996 tlss->current_ev = ev;
997 tlss->retry_im = tevent_create_immediate(tlss);
998 if (tevent_req_nomem(tlss->retry_im, req)) {
999 return tevent_req_post(req, ev);
1000 }
1001
1002 ret = gnutls_init(&tlss->tls_session, GNUTLS_CLIENT);
1003 if (ret != GNUTLS_E_SUCCESS) {
1004 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1005 tevent_req_error(req, EINVAL);
1006 return tevent_req_post(req, ev);
1007 }
1008
1009 ret = gnutls_set_default_priority(tlss->tls_session);
1010 if (ret != GNUTLS_E_SUCCESS) {
1011 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1012 tevent_req_error(req, EINVAL);
1013 return tevent_req_post(req, ev);
1014 }
1015
1016 gnutls_certificate_type_set_priority(tlss->tls_session, cert_type_priority);
1017
1018 ret = gnutls_credentials_set(tlss->tls_session,
1019 GNUTLS_CRD_CERTIFICATE,
1020 tls_params->x509_cred);
1021 if (ret != GNUTLS_E_SUCCESS) {
1022 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1023 tevent_req_error(req, EINVAL);
1024 return tevent_req_post(req, ev);
1025 }
1026
1027 gnutls_transport_set_ptr(tlss->tls_session, (gnutls_transport_ptr)state->tls_stream);
1028 gnutls_transport_set_pull_function(tlss->tls_session,
1029 (gnutls_pull_func)tstream_tls_pull_function);
1030 gnutls_transport_set_push_function(tlss->tls_session,
1031 (gnutls_push_func)tstream_tls_push_function);
1032 #if GNUTLS_VERSION_MAJOR < 3
1033 gnutls_transport_set_lowat(tlss->tls_session, 0);
1034 #endif
1035
1036 tlss->handshake.req = req;
1037 tstream_tls_retry_handshake(state->tls_stream);
1038 if (!tevent_req_is_in_progress(req)) {
1039 return tevent_req_post(req, ev);
1040 }
1041
1042 return req;
1043 #else /* ENABLE_GNUTLS */
1044 tevent_req_error(req, ENOSYS);
1045 return tevent_req_post(req, ev);
1046 #endif /* ENABLE_GNUTLS */
1047 }
1048
1049 int tstream_tls_connect_recv(struct tevent_req *req,
1050 int *perrno,
1051 TALLOC_CTX *mem_ctx,
1052 struct tstream_context **tls_stream)
1053 {
1054 struct tstream_tls_connect_state *state =
1055 tevent_req_data(req,
1056 struct tstream_tls_connect_state);
1057
1058 if (tevent_req_is_unix_error(req, perrno)) {
1059 tevent_req_received(req);
1060 return -1;
1061 }
1062
1063 *tls_stream = talloc_move(mem_ctx, &state->tls_stream);
1064 tevent_req_received(req);
1065 return 0;
1066 }
1067
1068 extern void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *);
1069
1070 /*
1071 initialise global tls state
1072 */
1073 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
1074 const char *dns_host_name,
1075 bool enabled,
1076 const char *key_file,
1077 const char *cert_file,
1078 const char *ca_file,
1079 const char *crl_file,
1080 const char *dhp_file,
1081 struct tstream_tls_params **_tlsp)
1082 {
1083 struct tstream_tls_params *tlsp;
1084 #if ENABLE_GNUTLS
1085 int ret;
1086
1087 if (!enabled || key_file == NULL || *key_file == 0) {
1088 tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
1089 NT_STATUS_HAVE_NO_MEMORY(tlsp);
1090 talloc_set_destructor(tlsp, tstream_tls_params_destructor);
1091 tlsp->tls_enabled = false;
1092
1093 *_tlsp = tlsp;
1094 return NT_STATUS_OK;
1095 }
1096
1097 ret = gnutls_global_init();
1098 if (ret != GNUTLS_E_SUCCESS) {
1099 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1100 return NT_STATUS_NOT_SUPPORTED;
1101 }
1102
1103 tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
1104 NT_STATUS_HAVE_NO_MEMORY(tlsp);
1105
1106 talloc_set_destructor(tlsp, tstream_tls_params_destructor);
1107
1108 if (!file_exist(ca_file)) {
1109 tls_cert_generate(tlsp, dns_host_name,
1110 key_file, cert_file, ca_file);
1111 }
1112
1113 ret = gnutls_certificate_allocate_credentials(&tlsp->x509_cred);
1114 if (ret != GNUTLS_E_SUCCESS) {
1115 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1116 talloc_free(tlsp);
1117 return NT_STATUS_NO_MEMORY;
1118 }
1119
1120 if (ca_file && *ca_file) {
1121 ret = gnutls_certificate_set_x509_trust_file(tlsp->x509_cred,
1122 ca_file,
1123 GNUTLS_X509_FMT_PEM);
1124 if (ret < 0) {
1125 DEBUG(0,("TLS failed to initialise cafile %s - %s\n",
1126 ca_file, gnutls_strerror(ret)));
1127 talloc_free(tlsp);
1128 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1129 }
1130 }
1131
1132 if (crl_file && *crl_file) {
1133 ret = gnutls_certificate_set_x509_crl_file(tlsp->x509_cred,
1134 crl_file,
1135 GNUTLS_X509_FMT_PEM);
1136 if (ret < 0) {
1137 DEBUG(0,("TLS failed to initialise crlfile %s - %s\n",
1138 crl_file, gnutls_strerror(ret)));
1139 talloc_free(tlsp);
1140 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1141 }
1142 }
1143
1144 ret = gnutls_certificate_set_x509_key_file(tlsp->x509_cred,
1145 cert_file, key_file,
1146 GNUTLS_X509_FMT_PEM);
1147 if (ret != GNUTLS_E_SUCCESS) {
1148 DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s - %s\n",
1149 cert_file, key_file, gnutls_strerror(ret)));
1150 talloc_free(tlsp);
1151 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1152 }
1153
1154 ret = gnutls_dh_params_init(&tlsp->dh_params);
1155 if (ret != GNUTLS_E_SUCCESS) {
1156 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1157 talloc_free(tlsp);
1158 return NT_STATUS_NO_MEMORY;
1159 }
1160
1161 if (dhp_file && *dhp_file) {
1162 gnutls_datum_t dhparms;
1163 size_t size;
1164
1165 dhparms.data = (uint8_t *)file_load(dhp_file, &size, 0, tlsp);
1166
1167 if (!dhparms.data) {
1168 DEBUG(0,("TLS failed to read DH Parms from %s - %d:%s\n",
1169 dhp_file, errno, strerror(errno)));
1170 talloc_free(tlsp);
1171 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1172 }
1173 dhparms.size = size;
1174
1175 ret = gnutls_dh_params_import_pkcs3(tlsp->dh_params,
1176 &dhparms,
1177 GNUTLS_X509_FMT_PEM);
1178 if (ret != GNUTLS_E_SUCCESS) {
1179 DEBUG(0,("TLS failed to import pkcs3 %s - %s\n",
1180 dhp_file, gnutls_strerror(ret)));
1181 talloc_free(tlsp);
1182 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1183 }
1184 } else {
1185 ret = gnutls_dh_params_generate2(tlsp->dh_params, DH_BITS);
1186 if (ret != GNUTLS_E_SUCCESS) {
1187 DEBUG(0,("TLS failed to generate dh_params - %s\n",
1188 gnutls_strerror(ret)));
1189 talloc_free(tlsp);
1190 return NT_STATUS_INTERNAL_ERROR;
1191 }
1192 }
1193
1194 gnutls_certificate_set_dh_params(tlsp->x509_cred, tlsp->dh_params);
1195
1196 tlsp->tls_enabled = true;
1197
1198 #else /* ENABLE_GNUTLS */
1199 tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
1200 NT_STATUS_HAVE_NO_MEMORY(tlsp);
1201 talloc_set_destructor(tlsp, tstream_tls_params_destructor);
1202 tlsp->tls_enabled = false;
1203 #endif /* ENABLE_GNUTLS */
1204
1205 *_tlsp = tlsp;
1206 return NT_STATUS_OK;
1207 }
1208
1209 struct tstream_tls_accept_state {
1210 struct tstream_context *tls_stream;
1211 };
1212
1213 struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
1214 struct tevent_context *ev,
1215 struct tstream_context *plain_stream,
1216 struct tstream_tls_params *tlsp,
1217 const char *location)
1218 {
1219 struct tevent_req *req;
1220 struct tstream_tls_accept_state *state;
1221 struct tstream_tls *tlss;
1222 #if ENABLE_GNUTLS
1223 int ret;
1224 #endif /* ENABLE_GNUTLS */
1225
1226 req = tevent_req_create(mem_ctx, &state,
1227 struct tstream_tls_accept_state);
1228 if (req == NULL) {
1229 return NULL;
1230 }
1231
1232 state->tls_stream = tstream_context_create(state,
1233 &tstream_tls_ops,
1234 &tlss,
1235 struct tstream_tls,
1236 location);
1237 if (tevent_req_nomem(state->tls_stream, req)) {
1238 return tevent_req_post(req, ev);
1239 }
1240 ZERO_STRUCTP(tlss);
1241 talloc_set_destructor(tlss, tstream_tls_destructor);
1242
1243 #if ENABLE_GNUTLS
1244 tlss->plain_stream = plain_stream;
1245
1246 tlss->current_ev = ev;
1247 tlss->retry_im = tevent_create_immediate(tlss);
1248 if (tevent_req_nomem(tlss->retry_im, req)) {
1249 return tevent_req_post(req, ev);
1250 }
1251
1252 ret = gnutls_init(&tlss->tls_session, GNUTLS_SERVER);
1253 if (ret != GNUTLS_E_SUCCESS) {
1254 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1255 tevent_req_error(req, EINVAL);
1256 return tevent_req_post(req, ev);
1257 }
1258
1259 ret = gnutls_set_default_priority(tlss->tls_session);
1260 if (ret != GNUTLS_E_SUCCESS) {
1261 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1262 tevent_req_error(req, EINVAL);
1263 return tevent_req_post(req, ev);
1264 }
1265
1266 ret = gnutls_credentials_set(tlss->tls_session, GNUTLS_CRD_CERTIFICATE,
1267 tlsp->x509_cred);
1268 if (ret != GNUTLS_E_SUCCESS) {
1269 DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1270 tevent_req_error(req, EINVAL);
1271 return tevent_req_post(req, ev);
1272 }
1273
1274 gnutls_certificate_server_set_request(tlss->tls_session,
1275 GNUTLS_CERT_REQUEST);
1276 gnutls_dh_set_prime_bits(tlss->tls_session, DH_BITS);
1277
1278 gnutls_transport_set_ptr(tlss->tls_session, (gnutls_transport_ptr)state->tls_stream);
1279 gnutls_transport_set_pull_function(tlss->tls_session,
1280 (gnutls_pull_func)tstream_tls_pull_function);
1281 gnutls_transport_set_push_function(tlss->tls_session,
1282 (gnutls_push_func)tstream_tls_push_function);
1283 #if GNUTLS_VERSION_MAJOR < 3
1284 gnutls_transport_set_lowat(tlss->tls_session, 0);
1285 #endif
1286
1287 tlss->handshake.req = req;
1288 tstream_tls_retry_handshake(state->tls_stream);
1289 if (!tevent_req_is_in_progress(req)) {
1290 return tevent_req_post(req, ev);
1291 }
1292
1293 return req;
1294 #else /* ENABLE_GNUTLS */
1295 tevent_req_error(req, ENOSYS);
1296 return tevent_req_post(req, ev);
1297 #endif /* ENABLE_GNUTLS */
1298 }
1299
1300 static void tstream_tls_retry_handshake(struct tstream_context *stream)
1301 {
1302 struct tstream_tls *tlss =
1303 tstream_context_data(stream,
1304 struct tstream_tls);
1305 struct tevent_req *req = tlss->handshake.req;
1306 #if ENABLE_GNUTLS
1307 int ret;
1308
1309 if (tlss->error != 0) {
1310 tevent_req_error(req, tlss->error);
1311 return;
1312 }
1313
1314 ret = gnutls_handshake(tlss->tls_session);
1315 if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
1316 return;
1317 }
1318
1319 tlss->handshake.req = NULL;
1320
1321 if (gnutls_error_is_fatal(ret) != 0) {
1322 DEBUG(1,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1323 tlss->error = EIO;
1324 tevent_req_error(req, tlss->error);
1325 return;
1326 }
1327
1328 if (ret != GNUTLS_E_SUCCESS) {
1329 DEBUG(1,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
1330 tlss->error = EIO;
1331 tevent_req_error(req, tlss->error);
1332 return;
1333 }
1334
1335 tevent_req_done(req);
1336 #else /* ENABLE_GNUTLS */
1337 tevent_req_error(req, ENOSYS);
1338 #endif /* ENABLE_GNUTLS */
1339 }
1340
1341 int tstream_tls_accept_recv(struct tevent_req *req,
1342 int *perrno,
1343 TALLOC_CTX *mem_ctx,
1344 struct tstream_context **tls_stream)
1345 {
1346 struct tstream_tls_accept_state *state =
1347 tevent_req_data(req,
1348 struct tstream_tls_accept_state);
1349
1350 if (tevent_req_is_unix_error(req, perrno)) {
1351 tevent_req_received(req);
1352 return -1;
1353 }
1354
1355 *tls_stream = talloc_move(mem_ctx, &state->tls_stream);
1356 tevent_req_received(req);
1357 return 0;
1358 }
reg import