svn commit: samba r17379 - in branches/SAMBA_4_0/source: lib/tls param script/tests

abartlet at samba.org abartlet at samba.org
Thu Aug 3 08:02:55 GMT 2006


Author: abartlet
Date: 2006-08-03 08:02:54 +0000 (Thu, 03 Aug 2006)
New Revision: 17379

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17379

Log:
Pre-generate DH parameters, to avoid doing this at runtime in our testsuite.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/lib/tls/tls.c
   branches/SAMBA_4_0/source/param/loadparm.c
   branches/SAMBA_4_0/source/script/tests/mktestsetup.sh


Changeset:
Modified: branches/SAMBA_4_0/source/lib/tls/tls.c
===================================================================
--- branches/SAMBA_4_0/source/lib/tls/tls.c	2006-08-03 01:49:14 UTC (rev 17378)
+++ branches/SAMBA_4_0/source/lib/tls/tls.c	2006-08-03 08:02:54 UTC (rev 17379)
@@ -356,6 +356,7 @@
 	const char *certfile = private_path(tmp_ctx, lp_tls_certfile());
 	const char *cafile = private_path(tmp_ctx, lp_tls_cafile());
 	const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile());
+	const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile());
 	void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
 
 	params = talloc(mem_ctx, struct tls_params);
@@ -408,12 +409,25 @@
 		goto init_failed;
 	}
 	
+	
 	ret = gnutls_dh_params_init(&params->dh_params);
 	if (ret < 0) goto init_failed;
 
-	ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
-	if (ret < 0) goto init_failed;
+	if (dhpfile) {
+		gnutls_datum_t dhparms;
+		dhparms.data = (uint8_t *)file_load(dhpfile, &dhparms.size, mem_ctx);
 
+		if (!dhparms.data) {
+			goto init_failed;
+		}
+			
+		ret = gnutls_dh_params_import_pkcs3(params->dh_params, &dhparms, GNUTLS_X509_FMT_PEM);
+		if (ret < 0) goto init_failed;
+	} else {
+		ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
+		if (ret < 0) goto init_failed;
+	}
+		
 	gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params);
 
 	params->tls_enabled = True;
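Review bot: `&dhparms.size` on the file_load() call is the wrong type for the out-parameter: gnutls_datum_t.size is an `unsigned int`, while Samba's file_load() (as I recall its signature; not visible here) writes a `size_t`, so on a 64-bit build the store overruns the 4-byte field into the adjacent stack bytes of `dhparms`. Loading into a local `size_t size` and assigning `dhparms.size = size` after the NULL check fixes that, and the failure path currently jumps to init_failed with no diagnostic, so a missing or unreadable parameter file is indistinguishable from any other init error; a `DEBUG(0,(...))` naming `dhpfile` before the goto would fix that. Note also that a parameter file is imported with no check on the size of the group it carries, so a small group in the file silently replaces the `DH_BITS` strength that generate2 would otherwise have used; if the file is ever operator-supplied rather than test-only, a minimum-size check after the import is worth adding. The enclosing function starts and ends outside the hunk.
```c
	if (dhpfile) {
		gnutls_datum_t dhparms;
		size_t size;
		dhparms.data = (uint8_t *)file_load(dhpfile, &size, mem_ctx);

		if (!dhparms.data) {
			DEBUG(0,("Failed to read DH Parms from %s\n", dhpfile));
			goto init_failed;
		}
		dhparms.size = size;

		ret = gnutls_dh_params_import_pkcs3(params->dh_params, &dhparms, GNUTLS_X509_FMT_PEM);
		if (ret < 0) goto init_failed;
	/* … unchanged: else branch generating DH_BITS parameters at runtime … */
```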

Modified: branches/SAMBA_4_0/source/param/loadparm.c
===================================================================
--- branches/SAMBA_4_0/source/param/loadparm.c	2006-08-03 01:49:14 UTC (rev 17378)
+++ branches/SAMBA_4_0/source/param/loadparm.c	2006-08-03 08:02:54 UTC (rev 17379)
@@ -139,6 +139,7 @@
 	char *tls_certfile;
 	char *tls_cafile;
 	char *tls_crlfile;
+	char *tls_dhpfile;
 	int max_mux;
 	int max_xmit;
 	int pwordlevel;
@@ -451,6 +452,7 @@
 	{"tls certfile", P_STRING, P_GLOBAL, &Globals.tls_certfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"tls cafile", P_STRING, P_GLOBAL, &Globals.tls_cafile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"tls crlfile", P_STRING, P_GLOBAL, &Globals.tls_crlfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+	{"tls dh params file", P_STRING, P_GLOBAL, &Globals.tls_dhpfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"swat directory", P_STRING, P_GLOBAL, &Globals.swat_directory, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"large readwrite", P_BOOL, P_GLOBAL, &Globals.bLargeReadwrite, NULL, NULL, FLAG_DEVELOPER},
 	{"server max protocol", P_ENUM, P_GLOBAL, &Globals.srv_maxprotocol, NULL, enum_protocol, FLAG_DEVELOPER},
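Review bot: The new parameter name `tls dh params file` breaks the naming pattern of its siblings (`tls certfile`, `tls cafile`, `tls crlfile`), even though the field (`tls_dhpfile`) and accessor (`lp_tls_dhpfile`, in the later hunk) follow the compact form; either `tls dhpfile` for consistency, or a comment on the table entry explaining why the spelled-out form was chosen, would stop the next reader from wondering whether it is a different kind of setting. The default is NULL like the other file parameters, which keeps the runtime-generation path as the default; presumably lp_tls_dhpfile() then yields NULL through private_path() in tls.c, which is worth confirming since the `if (dhpfile)` branch there depends on it.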
@@ -830,6 +832,7 @@
 _PUBLIC_ FN_GLOBAL_STRING(lp_tls_certfile, &Globals.tls_certfile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_tls_cafile, &Globals.tls_cafile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_tls_crlfile, &Globals.tls_crlfile)
+_PUBLIC_ FN_GLOBAL_STRING(lp_tls_dhpfile, &Globals.tls_dhpfile)
 _PUBLIC_ FN_GLOBAL_STRING(lp_unix_charset, &Globals.unix_charset)
 _PUBLIC_ FN_GLOBAL_STRING(lp_display_charset, &Globals.display_charset)
 _PUBLIC_ FN_GLOBAL_STRING(lp_configfile, &Globals.szConfigFile)

Modified: branches/SAMBA_4_0/source/script/tests/mktestsetup.sh
===================================================================
--- branches/SAMBA_4_0/source/script/tests/mktestsetup.sh	2006-08-03 01:49:14 UTC (rev 17378)
+++ branches/SAMBA_4_0/source/script/tests/mktestsetup.sh	2006-08-03 08:02:54 UTC (rev 17379)
@@ -47,6 +47,7 @@
 NCALRPCDIR=$PREFIX_ABS/ncalrpc
 LOCKDIR=$PREFIX_ABS/lockdir
 TLSDIR=$PRIVATEDIR/tls
+DHFILE=$TLSDIR/dhparms.pem
 WINBINDD_SOCKET_DIR=$PREFIX_ABS/winbind_socket
 CONFIGURATION="--configfile=$CONFFILE"
 export CONFIGURATION
@@ -71,6 +72,7 @@
 	name resolve order = bcast
 	interfaces = 127.0.0.1/8
 	tls enabled = $TLS_ENABLED
+        tls dh params file = $DHFILE
 	panic action = $SRCDIR/script/gdb_backtrace %PID% %PROG%
 	wins support = yes
 	server role = pdc
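Review bot: The added `tls dh params file = $DHFILE` line is indented with spaces while every neighbouring line in the heredoc uses a tab; smb.conf parsing does not care, but the mismatch is visible in every diff from here on. Indent it with a tab like the surrounding lines.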
@@ -112,6 +114,15 @@
  .samba.example.com = SAMBA.EXAMPLE.COM
 EOF
 
+cat >$DHFILE<<EOF 
+-----BEGIN DH PARAMETERS-----
+MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
+svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
+YX70obsCAQI=
+-----END DH PARAMETERS-----
+
+EOF
+
 export KRB5_CONFIG
 
 $srcdir/bin/smbscript $srcdir/setup/provision $CONFIGURATION --host-name=$NETBIOSNAME --host-ip=127.0.0.1 \
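Review bot: The committed PKCS#3 blob is a fixed, very small group: its DER prefix `MGYCYQC/` decodes to a SEQUENCE of 102 bytes whose prime INTEGER is 97 bytes (a 768-bit prime), with generator 2 per the trailing `AgEC`. That is the right trade-off for a fast testsuite, which is the commit's stated purpose, but nothing in the script says so, and a private/tls directory populated this way looks just like a real one; a comment above the heredoc, `# Fixed 768-bit DH group for the testsuite only - too small for any real deployment`, would keep it from being copied into a production setup. Minor: the blank line before the closing `EOF` is written into the PEM file and the `<<EOF ` word carries a trailing space; both are harmless but untidy.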


