diff options
| author | Andrew Tridgell <tridge@samba.org> | 2009-02-18 14:46:57 +1100 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2009-02-18 14:46:57 +1100 |
| commit | b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302 (patch) | |
| tree | 425441cc5230695a522d9a316d954dcc6a29207c /source4 | |
| parent | 0281166bb9bdf0015085b4f0a3049e7bf5036da2 (diff) | |
| download | samba-b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302.tar.gz samba-b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302.tar.bz2 samba-b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302.zip | |
fixed some of the TLS problems
This fixes two things in the TLS support for Samba4. The first is to
use a somewhat more correct hostname instead of 'Samba' when
generating the test certificates. That allows TLS test clients (such
as gnutls-cli) to connect to Samba4 using auto-generated certificates.
The second fix is to add a call to gcry_control() to tell gcrypt to
use /dev/urandom instead of /dev/random (on systems that support
that). That means that test certificate generation is now very fast,
which was previously an impediment to putting the TLS tests on the
build farm.
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/lib/tls/config.m4 | 1 | ||||
| -rw-r--r-- | source4/lib/tls/tls.c | 10 | ||||
| -rw-r--r-- | source4/lib/tls/tlscert.c | 21 |
3 files changed, 22 insertions, 10 deletions
diff --git a/source4/lib/tls/config.m4 b/source4/lib/tls/config.m4 index 74c6bd1d44..0bafc5ddf1 100644 --- a/source4/lib/tls/config.m4 +++ b/source4/lib/tls/config.m4 @@ -39,4 +39,5 @@ if test x$use_gnutls = xyes; then AC_CHECK_TYPES([gnutls_datum],,,[#include "gnutls/gnutls.h"]) AC_CHECK_TYPES([gnutls_datum_t],,,[#include "gnutls/gnutls.h"]) AC_DEFINE(ENABLE_GNUTLS,1,[Whether we have gnutls support (SSL)]) + AC_CHECK_HEADERS(gcrypt.h) fi diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 99a15059ad..1014ab07a8 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -362,7 +362,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * const char *cafile = lp_tls_cafile(tmp_ctx, lp_ctx); const char *crlfile = lp_tls_crlfile(tmp_ctx, lp_ctx); const char *dhpfile = lp_tls_dhpfile(tmp_ctx, lp_ctx); - void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); + void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); if (params == NULL) { talloc_free(tmp_ctx); @@ -376,7 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * } if (!file_exist(cafile)) { - tls_cert_generate(params, keyfile, certfile, cafile); + char *hostname = talloc_asprintf(mem_ctx, "%s.%s", + lp_netbios_name(lp_ctx), lp_realm(lp_ctx)); + if (hostname == NULL) { + goto init_failed; + } + tls_cert_generate(params, hostname, keyfile, certfile, cafile); + talloc_free(hostname); } ret = gnutls_global_init(); diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c index f2e79f2a89..62e7a72240 100644 --- a/source4/lib/tls/tlscert.c +++ b/source4/lib/tls/tlscert.c @@ -24,21 +24,20 @@ #if ENABLE_GNUTLS #include "gnutls/gnutls.h" #include "gnutls/x509.h" +#if HAVE_GCRYPT_H +#include <gcrypt.h> +#endif #define ORGANISATION_NAME "Samba Administration" #define UNIT_NAME "Samba - temporary autogenerated certificate" -#define COMMON_NAME "Samba" #define LIFETIME 700*24*60*60 #define DH_BITS 1024 -void tls_cert_generate(TALLOC_CTX *mem_ctx, - const char *keyfile, const char *certfile, - const char *cafile); - /* auto-generate a set of self signed certificates */ void tls_cert_generate(TALLOC_CTX *mem_ctx, + const char *hostname, const char *keyfile, const char *certfile, const char *cafile) { @@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, TLSCHECK(gnutls_global_init()); - DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n")); + DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", + hostname)); +#ifdef HAVE_GCRYPT_H + DEBUG(3,("Enabling QUICK mode in gcrypt\n")); + gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); +#endif + DEBUG(3,("Generating private key\n")); TLSCHECK(gnutls_x509_privkey_init(&key)); TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, DH_BITS, 0)); @@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, UNIT_NAME, strlen(UNIT_NAME))); TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, GNUTLS_OID_X520_COMMON_NAME, 0, - COMMON_NAME, strlen(COMMON_NAME))); + hostname, strlen(hostname))); TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey)); TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial))); TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation)); @@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, UNIT_NAME, strlen(UNIT_NAME))); TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, - COMMON_NAME, strlen(COMMON_NAME))); + hostname, strlen(hostname))); TLSCHECK(gnutls_x509_crt_set_key(crt, key)); TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial))); TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation)); |