fixed some of the TLS problems

author Andrew Tridgell <tridge@samba.org>

Wed, 18 Feb 2009 03:46:57 +0000 (14:46 +1100)

committer Andrew Tridgell <tridge@samba.org>

Wed, 18 Feb 2009 03:46:57 +0000 (14:46 +1100)
author Andrew Tridgell <tridge@samba.org>
Wed, 18 Feb 2009 03:46:57 +0000 (14:46 +1100)
committer Andrew Tridgell <tridge@samba.org>
Wed, 18 Feb 2009 03:46:57 +0000 (14:46 +1100)
diff --git a/source4/lib/tls/config.m4 b/source4/lib/tls/config.m4

index 74c6bd1d44f1dae88b7dc7c490717fc8389e3480..0bafc5ddf14d035fd558c64547403720526ec7e1 100644 (file)
--- a/source4/lib/tls/config.m4
+++ b/source4/lib/tls/config.m4
@@ -39,4 +39,5 @@ if test x$use_gnutls = xyes; then
         AC_CHECK_TYPES([gnutls_datum],,,[#include "gnutls/gnutls.h"])
         AC_CHECK_TYPES([gnutls_datum_t],,,[#include "gnutls/gnutls.h"])
         AC_DEFINE(ENABLE_GNUTLS,1,[Whether we have gnutls support (SSL)])
+       AC_CHECK_HEADERS(gcrypt.h)
  fi
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c

index 99a15059ad3f517bc1b0c4047db45f0ab1dfef09..1014ab07a8a672757f1e186c2e17200d4edfd3ea 100644 (file)
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -362,7 +362,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
         const char *cafile = lp_tls_cafile(tmp_ctx, lp_ctx);
         const char *crlfile = lp_tls_crlfile(tmp_ctx, lp_ctx);
         const char *dhpfile = lp_tls_dhpfile(tmp_ctx, lp_ctx);
-       void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
+       void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *);
         params = talloc(mem_ctx, struct tls_params);
         if (params == NULL) {
                 talloc_free(tmp_ctx);
@@ -376,7 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
         }
  
         if (!file_exist(cafile)) {
-               tls_cert_generate(params, keyfile, certfile, cafile);
+               char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
+                                                lp_netbios_name(lp_ctx), lp_realm(lp_ctx));
+               if (hostname == NULL) {
+                       goto init_failed;
+               }
+               tls_cert_generate(params, hostname, keyfile, certfile, cafile);
+               talloc_free(hostname);
         }
  
         ret = gnutls_global_init();
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c

index f2e79f2a8964ce8c935d59872881a9c3160f688a..62e7a72240d6f9b33e062efd59929b61660fbd01 100644 (file)
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -24,21 +24,20 @@
  #if ENABLE_GNUTLS
  #include "gnutls/gnutls.h"
  #include "gnutls/x509.h"
+#if HAVE_GCRYPT_H
+#include <gcrypt.h>
+#endif
  
  #define ORGANISATION_NAME "Samba Administration"
  #define UNIT_NAME         "Samba - temporary autogenerated certificate"
-#define COMMON_NAME       "Samba"
  #define LIFETIME          700*24*60*60
  #define DH_BITS                  1024
  
-void tls_cert_generate(TALLOC_CTX *mem_ctx, 
-                      const char *keyfile, const char *certfile,
-                      const char *cafile);
-
  /* 
     auto-generate a set of self signed certificates
  */
  void tls_cert_generate(TALLOC_CTX *mem_ctx, 
+                      const char *hostname, 
                        const char *keyfile, const char *certfile,
                        const char *cafile)
  {
@@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
  
         TLSCHECK(gnutls_global_init());
  
-       DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
+       DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", 
+                hostname));
         
+#ifdef HAVE_GCRYPT_H
+       DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
+       gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
+
         DEBUG(3,("Generating private key\n"));
         TLSCHECK(gnutls_x509_privkey_init(&key));
         TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, DH_BITS, 0));
@@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
                                       UNIT_NAME, strlen(UNIT_NAME)));
         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
                                       GNUTLS_OID_X520_COMMON_NAME, 0,
-                                     COMMON_NAME, strlen(COMMON_NAME)));
+                                     hostname, strlen(hostname)));
         TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
         TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
         TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
@@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
                                       UNIT_NAME, strlen(UNIT_NAME)));
         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
                                       GNUTLS_OID_X520_COMMON_NAME, 0,
-                                     COMMON_NAME, strlen(COMMON_NAME)));
+                                     hostname, strlen(hostname)));
         TLSCHECK(gnutls_x509_crt_set_key(crt, key));
         TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
         TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
author	Andrew Tridgell <tridge@samba.org>
	Wed, 18 Feb 2009 03:46:57 +0000 (14:46 +1100)
committer	Andrew Tridgell <tridge@samba.org>
	Wed, 18 Feb 2009 03:46:57 +0000 (14:46 +1100)
source4/lib/tls/config.m4		patch \| blob \| history
source4/lib/tls/tls.c		patch \| blob \| history
source4/lib/tls/tlscert.c		patch \| blob \| history