s4:tls: Fix generating TLS RSA certs with FIPS140-2
authorAndreas Schneider <asn@samba.org>
Fri, 13 Mar 2020 14:32:27 +0000 (15:32 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 8 Apr 2020 13:02:39 +0000 (13:02 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source4/lib/tls/tlscert.c

index 9379ab094d1bd6e0bc53a8dfadda3305296fbffc..36482e3aaaf2285ad1f304d8db2cb8ac01b7112f 100644 (file)
@@ -29,7 +29,9 @@
 #define CA_NAME           "Samba - temporary autogenerated CA certificate"
 #define UNIT_NAME         "Samba - temporary autogenerated HOST certificate"
 #define LIFETIME          700*24*60*60
-#define RSA_BITS          4096
+
+/* FIPS140-2 only allows 2048 or 3072 prime sizes. */
+#define RSA_BITS gnutls_fips140_mode_enabled() ? 3072 : 4096
 
 /* 
    auto-generate a set of self signed certificates
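Review bot: The new `RSA_BITS` expansion on the `+#define RSA_BITS` line is an unparenthesized conditional expression, so any use of the macro inside a larger expression (an arithmetic operand, a comparison, a cast) will bind `? :` incorrectly and silently change the key size chosen; wrap the whole expansion: `#define RSA_BITS (gnutls_fips140_mode_enabled() ? 3072 : 4096)`. Since the macro now hides a function call rather than a constant, the comment would be more useful if it said so, e.g. `/* FIPS140-2 only allows 2048 or 3072 prime sizes; evaluated at each use. */`, because a reader expecting a compile-time constant may use it in a static initializer or array bound. I cannot see from the hunk whether `gnutls/gnutls.h` is already included in this file; if `gnutls_fips140_mode_enabled()` is not declared before the macro's first use, that would be an implicit declaration, so the include is worth confirming.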