From b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Wed, 18 Feb 2009 14:46:57 +1100
Subject: fixed some of the TLS problems

This fixes two things in the TLS support for Samba4. The first is to
use a somewhat more correct hostname instead of 'Samba' when
generating the test certificates. That allows TLS test clients (such
as gnutls-cli) to connect to Samba4 using auto-generated certificates.

The second fix is to add a call to gcry_control() to tell gcrypt to
use /dev/urandom instead of /dev/random (on systems that support
that). That means that test certificate generation is now very fast,
which was previously an impediment to putting the TLS tests on the
build farm.
---
 source4/lib/tls/tlscert.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

(limited to 'source4/lib/tls/tlscert.c')

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f2e79f2a89..62e7a72240 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -24,21 +24,20 @@
 #if ENABLE_GNUTLS
 #include "gnutls/gnutls.h"
 #include "gnutls/x509.h"
+#if HAVE_GCRYPT_H
+#include <gcrypt.h>
+#endif
 
 #define ORGANISATION_NAME "Samba Administration"
 #define UNIT_NAME         "Samba - temporary autogenerated certificate"
-#define COMMON_NAME       "Samba"
 #define LIFETIME          700*24*60*60
 #define DH_BITS 		  1024
 
-void tls_cert_generate(TALLOC_CTX *mem_ctx, 
-		       const char *keyfile, const char *certfile,
-		       const char *cafile);
-
 /* 
    auto-generate a set of self signed certificates
 */
 void tls_cert_generate(TALLOC_CTX *mem_ctx, 
+		       const char *hostname, 
 		       const char *keyfile, const char *certfile,
 		       const char *cafile)
 {
@@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 
 	TLSCHECK(gnutls_global_init());
 
-	DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
+	DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", 
+		 hostname));
 	
+#ifdef HAVE_GCRYPT_H
+	DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
+	gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
+
 	DEBUG(3,("Generating private key\n"));
 	TLSCHECK(gnutls_x509_privkey_init(&key));
 	TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, DH_BITS, 0));
@@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 				      UNIT_NAME, strlen(UNIT_NAME)));
 	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
 				      GNUTLS_OID_X520_COMMON_NAME, 0,
-				      COMMON_NAME, strlen(COMMON_NAME)));
+				      hostname, strlen(hostname)));
 	TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
 	TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
 	TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
@@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 				      UNIT_NAME, strlen(UNIT_NAME)));
 	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
 				      GNUTLS_OID_X520_COMMON_NAME, 0,
-				      COMMON_NAME, strlen(COMMON_NAME)));
+				      hostname, strlen(hostname)));
 	TLSCHECK(gnutls_x509_crt_set_key(crt, key));
 	TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
 	TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
-- 
cgit