diff options
| -rw-r--r-- | source4/lib/tls/config.m4 | 1 | ||||
| -rw-r--r-- | source4/lib/tls/tls.c | 10 | ||||
| -rw-r--r-- | source4/lib/tls/tlscert.c | 21 |
3 files changed, 22 insertions, 10 deletions
diff --git a/source4/lib/tls/config.m4 b/source4/lib/tls/config.m4 index 74c6bd1d44..0bafc5ddf1 100644 --- a/source4/lib/tls/config.m4 +++ b/source4/lib/tls/config.m4 @@ -39,4 +39,5 @@ if test x$use_gnutls = xyes; then AC_CHECK_TYPES([gnutls_datum],,,[#include "gnutls/gnutls.h"]) AC_CHECK_TYPES([gnutls_datum_t],,,[#include "gnutls/gnutls.h"]) AC_DEFINE(ENABLE_GNUTLS,1,[Whether we have gnutls support (SSL)]) + AC_CHECK_HEADERS(gcrypt.h) fi diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c index 99a15059ad..1014ab07a8 100644 --- a/source4/lib/tls/tls.c +++ b/source4/lib/tls/tls.c @@ -362,7 +362,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * const char *cafile = lp_tls_cafile(tmp_ctx, lp_ctx); const char *crlfile = lp_tls_crlfile(tmp_ctx, lp_ctx); const char *dhpfile = lp_tls_dhpfile(tmp_ctx, lp_ctx); - void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *); + void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *); params = talloc(mem_ctx, struct tls_params); if (params == NULL) { talloc_free(tmp_ctx); @@ -376,7 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context * } if (!file_exist(cafile)) { - tls_cert_generate(params, keyfile, certfile, cafile); + char *hostname = talloc_asprintf(mem_ctx, "%s.%s", + lp_netbios_name(lp_ctx), lp_realm(lp_ctx)); + if (hostname == NULL) { + goto init_failed; + } + tls_cert_generate(params, hostname, keyfile, certfile, cafile); + talloc_free(hostname); } ret = gnutls_global_init(); diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c index f2e79f2a89..62e7a72240 100644 --- a/source4/lib/tls/tlscert.c +++ b/source4/lib/tls/tlscert.c @@ -24,21 +24,20 @@ #if ENABLE_GNUTLS #include "gnutls/gnutls.h" #include "gnutls/x509.h" +#if HAVE_GCRYPT_H +#include <gcrypt.h> +#endif #define ORGANISATION_NAME "Samba Administration" #define UNIT_NAME "Samba - temporary autogenerated certificate" -#define COMMON_NAME "Samba" #define LIFETIME 700*24*60*60 #define DH_BITS 1024 -void tls_cert_generate(TALLOC_CTX *mem_ctx, - const char *keyfile, const char *certfile, - const char *cafile); - /* auto-generate a set of self signed certificates */ void tls_cert_generate(TALLOC_CTX *mem_ctx, + const char *hostname, const char *keyfile, const char *certfile, const char *cafile) { @@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, TLSCHECK(gnutls_global_init()); - DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n")); + DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", + hostname)); +#ifdef HAVE_GCRYPT_H + DEBUG(3,("Enabling QUICK mode in gcrypt\n")); + gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); +#endif + DEBUG(3,("Generating private key\n")); TLSCHECK(gnutls_x509_privkey_init(&key)); TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, DH_BITS, 0)); @@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, UNIT_NAME, strlen(UNIT_NAME))); TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, GNUTLS_OID_X520_COMMON_NAME, 0, - COMMON_NAME, strlen(COMMON_NAME))); + hostname, strlen(hostname))); TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey)); TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial))); TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation)); @@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, UNIT_NAME, strlen(UNIT_NAME))); TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, - COMMON_NAME, strlen(COMMON_NAME))); + hostname, strlen(hostname))); TLSCHECK(gnutls_x509_crt_set_key(crt, key)); TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial))); TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation)); |