#include "includes.h"
#if ENABLE_GNUTLS
-#include "gnutls/gnutls.h"
-#include "gnutls/x509.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#if HAVE_GCRYPT_H
+#include <gcrypt.h>
+#endif
#define ORGANISATION_NAME "Samba Administration"
#define UNIT_NAME "Samba - temporary autogenerated certificate"
-#define COMMON_NAME "Samba"
#define LIFETIME 700*24*60*60
#define DH_BITS 1024
-void tls_cert_generate(TALLOC_CTX *mem_ctx,
- const char *keyfile, const char *certfile,
- const char *cafile);
-
/*
auto-generate a set of self signed certificates
*/
void tls_cert_generate(TALLOC_CTX *mem_ctx,
+ const char *hostname,
const char *keyfile, const char *certfile,
const char *cafile)
{
TLSCHECK(gnutls_global_init());
- DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
+ DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
+ hostname));
+#ifdef HAVE_GCRYPT_H
+ DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
+ gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
+
DEBUG(3,("Generating private key\n"));
TLSCHECK(gnutls_x509_privkey_init(&key));
TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, DH_BITS, 0));
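Review bot: `gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0)` at L33 is a process-wide setting that lowers the quality of libgcrypt's random source, and it is enabled immediately before the RSA private key that ends up in `keyfile` is generated at L38 and is never turned back off; the key is then the long-lived https identity, so this deserves at least a comment stating the trade-off, e.g. `/* NOTE: QUICK_RANDOM weakens the entropy source for this process; acceptable only because this key is a temporary placeholder */`, or better a build or config gate so production installs never take this path. The include guard at L7 is `#if HAVE_GCRYPT_H` while the call site at L31 is `#ifdef HAVE_GCRYPT_H`; if configure defines the macro as 0 the header is skipped but the call still compiles, so use the same form in both places. The new `hostname` parameter is printed with `%s` at L29 and passed to `strlen()` in the later hunks without a NULL or empty check; a guard such as `if (hostname == NULL || *hostname == '\0') { DEBUG(0,("tls_cert_generate: no hostname given, not generating certificates\n")); return; }` placed before `gnutls_global_init()` would avoid undefined behaviour and an empty common name. The body of tls_cert_generate continues past the end of this hunk.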
UNIT_NAME, strlen(UNIT_NAME)));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
GNUTLS_OID_X520_COMMON_NAME, 0,
- COMMON_NAME, strlen(COMMON_NAME)));
+ hostname, strlen(hostname)));
TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
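Review bot: With `hostname` used as the common name of the CA certificate here (L40-L43) and of the server certificate in the next hunk (L48-L51), both certificates now carry an identical subject DN (same organisation, unit and CN), so the server certificate's issuer name equals its own subject name. That is presumably not intended for a two-certificate chain and may confuse clients or path builders that use name matching to locate the issuer; consider giving the CA a distinguishable CN, e.g. building it as `"%s CA"` from `hostname` into a local buffer, or keeping a fixed CA name and using `hostname` only for the server certificate. The surrounding function starts and ends outside this hunk.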
UNIT_NAME, strlen(UNIT_NAME)));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_X520_COMMON_NAME, 0,
- COMMON_NAME, strlen(COMMON_NAME)));
+ hostname, strlen(hostname)));
TLSCHECK(gnutls_x509_crt_set_key(crt, key));
TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
bufsize = sizeof(buf);
TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
- file_save(certfile, buf, bufsize);
+ if (!file_save(certfile, buf, bufsize)) {
+ DEBUG(0,("Unable to save certificate in %s parent dir exists ?\n", certfile));
+ goto failed;
+ }
bufsize = sizeof(buf);
TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
- file_save(cafile, buf, bufsize);
+ if (!file_save(cafile, buf, bufsize)) {
+ DEBUG(0,("Unable to save ca cert in %s parent dir exists ?\n", cafile));
+ goto failed;
+ }
bufsize = sizeof(buf);
TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
- file_save(keyfile, buf, bufsize);
+ if (!file_save(keyfile, buf, bufsize)) {
+ DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile));
+ goto failed;
+ }
gnutls_x509_privkey_deinit(key);
gnutls_x509_privkey_deinit(cakey);