const char *certfile = private_path(tmp_ctx, lp_tls_certfile());
const char *cafile = private_path(tmp_ctx, lp_tls_cafile());
const char *crlfile = private_path(tmp_ctx, lp_tls_crlfile());
+ const char *dhpfile = private_path(tmp_ctx, lp_tls_dhpfile());
void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
params = talloc(mem_ctx, struct tls_params);
goto init_failed;
}
+
ret = gnutls_dh_params_init(¶ms->dh_params);
if (ret < 0) goto init_failed;
- ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
- if (ret < 0) goto init_failed;
+ if (dhpfile) {
+ gnutls_datum_t dhparms;
+ dhparms.data = (uint8_t *)file_load(dhpfile, &dhparms.size, mem_ctx);
+ if (!dhparms.data) {
+ goto init_failed;
+ }
+
+ ret = gnutls_dh_params_import_pkcs3(params->dh_params, &dhparms, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) goto init_failed;
+ } else {
+ ret = gnutls_dh_params_generate2(params->dh_params, DH_BITS);
+ if (ret < 0) goto init_failed;
+ }
+
gnutls_certificate_set_dh_params(params->x509_cred, params->dh_params);
params->tls_enabled = True;
char *tls_certfile;
char *tls_cafile;
char *tls_crlfile;
+ char *tls_dhpfile;
int max_mux;
int max_xmit;
int pwordlevel;
{"tls certfile", P_STRING, P_GLOBAL, &Globals.tls_certfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"tls cafile", P_STRING, P_GLOBAL, &Globals.tls_cafile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"tls crlfile", P_STRING, P_GLOBAL, &Globals.tls_crlfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"tls dh params file", P_STRING, P_GLOBAL, &Globals.tls_dhpfile, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"swat directory", P_STRING, P_GLOBAL, &Globals.swat_directory, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"large readwrite", P_BOOL, P_GLOBAL, &Globals.bLargeReadwrite, NULL, NULL, FLAG_DEVELOPER},
{"server max protocol", P_ENUM, P_GLOBAL, &Globals.srv_maxprotocol, NULL, enum_protocol, FLAG_DEVELOPER},
_PUBLIC_ FN_GLOBAL_STRING(lp_tls_certfile, &Globals.tls_certfile)
_PUBLIC_ FN_GLOBAL_STRING(lp_tls_cafile, &Globals.tls_cafile)
_PUBLIC_ FN_GLOBAL_STRING(lp_tls_crlfile, &Globals.tls_crlfile)
+_PUBLIC_ FN_GLOBAL_STRING(lp_tls_dhpfile, &Globals.tls_dhpfile)
_PUBLIC_ FN_GLOBAL_STRING(lp_unix_charset, &Globals.unix_charset)
_PUBLIC_ FN_GLOBAL_STRING(lp_display_charset, &Globals.display_charset)
_PUBLIC_ FN_GLOBAL_STRING(lp_configfile, &Globals.szConfigFile)
NCALRPCDIR=$PREFIX_ABS/ncalrpc
LOCKDIR=$PREFIX_ABS/lockdir
TLSDIR=$PRIVATEDIR/tls
+DHFILE=$TLSDIR/dhparms.pem
WINBINDD_SOCKET_DIR=$PREFIX_ABS/winbind_socket
CONFIGURATION="--configfile=$CONFFILE"
export CONFIGURATION
name resolve order = bcast
interfaces = 127.0.0.1/8
tls enabled = $TLS_ENABLED
+ tls dh params file = $DHFILE
panic action = $SRCDIR/script/gdb_backtrace %PID% %PROG%
wins support = yes
server role = pdc
.samba.example.com = SAMBA.EXAMPLE.COM
EOF
+cat >$DHFILE<<EOF
+-----BEGIN DH PARAMETERS-----
+MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
+svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
+YX70obsCAQI=
+-----END DH PARAMETERS-----
+
+EOF
+
export KRB5_CONFIG
$srcdir/bin/smbscript $srcdir/setup/provision $CONFIGURATION --host-name=$NETBIOSNAME --host-ip=127.0.0.1 \