The branch, master has been updated
       via  b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302 (commit)
      from  0281166bb9bdf0015085b4f0a3049e7bf5036da2 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302
Author: Andrew Tridgell <[email protected]>
Date:   Wed Feb 18 14:46:57 2009 +1100

    fixed some of the TLS problems
    
    This fixes two things in the TLS support for Samba4. The first is to
    use a somewhat more correct hostname instead of 'Samba' when
    generating the test certificates. That allows TLS test clients (such
    as gnutls-cli) to connect to Samba4 using auto-generated certificates.
    
    The second fix is to add a call to gcry_control() to tell gcrypt to
    use /dev/urandom instead of /dev/random (on systems that support
    that). That means that test certificate generation is now very fast,
    which was previously an impediment to putting the TLS tests on the
    build farm.

-----------------------------------------------------------------------

Summary of changes:
 source4/lib/tls/config.m4 |    1 +
 source4/lib/tls/tls.c     |   10 ++++++++--
 source4/lib/tls/tlscert.c |   21 +++++++++++++--------
 3 files changed, 22 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/tls/config.m4 b/source4/lib/tls/config.m4
index 74c6bd1..0bafc5d 100644
--- a/source4/lib/tls/config.m4
+++ b/source4/lib/tls/config.m4
@@ -39,4 +39,5 @@ if test x$use_gnutls = xyes; then
        AC_CHECK_TYPES([gnutls_datum],,,[#include "gnutls/gnutls.h"])
        AC_CHECK_TYPES([gnutls_datum_t],,,[#include "gnutls/gnutls.h"])
        AC_DEFINE(ENABLE_GNUTLS,1,[Whether we have gnutls support (SSL)])
+       AC_CHECK_HEADERS(gcrypt.h)
 fi
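Review bot: `AC_CHECK_HEADERS(gcrypt.h)` only proves the header is present; the `gcry_control()` call this enables in tlscert.c also needs libgcrypt on the link line, which this check does not establish (the gnutls check above may or may not pull `-lgcrypt` in transitively). A library probe such as `AC_CHECK_LIB(gcrypt, gcry_control)` alongside the header check, or a pkg-config query, would make the HAVE_GCRYPT_H path fail at configure time rather than at link time on systems where the header exists but the library is not linked. This is inferred from the configure fragment alone; the surrounding gnutls library check is outside the hunk.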
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 99a1505..1014ab0 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -362,7 +362,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, 
struct loadparm_context *
        const char *cafile = lp_tls_cafile(tmp_ctx, lp_ctx);
        const char *crlfile = lp_tls_crlfile(tmp_ctx, lp_ctx);
        const char *dhpfile = lp_tls_dhpfile(tmp_ctx, lp_ctx);
-       void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const 
char *);
+       void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const 
char *, const char *);
        params = talloc(mem_ctx, struct tls_params);
        if (params == NULL) {
                talloc_free(tmp_ctx);
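Review bot: The prototype for `tls_cert_generate` is declared inside the body of `tls_initialise`, and the tlscert.c hunk in the same commit removes the only other prototype, so the caller's view of the signature is now maintained by hand in a function-local declaration with nothing to check it against the definition. A future parameter change in tlscert.c would compile cleanly here and fail at run time rather than at compile time. Moving the declaration to a shared TLS header included by both files (placeholder: `<tls-header>`) would let the compiler enforce the contract. `tls_initialise` begins outside the hunk.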
@@ -376,7 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, 
struct loadparm_context *
        }
 
        if (!file_exist(cafile)) {
-               tls_cert_generate(params, keyfile, certfile, cafile);
+               char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
+                                                lp_netbios_name(lp_ctx), 
lp_realm(lp_ctx));
+               if (hostname == NULL) {
+                       goto init_failed;
+               }
+               tls_cert_generate(params, hostname, keyfile, certfile, cafile);
+               talloc_free(hostname);
        }
 
        ret = gnutls_global_init();
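Review bot: `hostname` is allocated against `mem_ctx` while the sibling strings in this function (`cafile`, `crlfile`, `dhpfile` in the previous hunk) are allocated against `tmp_ctx`, which is what forces the explicit `talloc_free(hostname)` after the call; `talloc_asprintf(tmp_ctx, "%s.%s", ...)` would keep the lifetimes consistent and let the existing `tmp_ctx` teardown release it. Separately, the `"%s.%s"` format yields a CN with a trailing dot when the realm is empty, and passes whatever `lp_realm()` returns straight into the format — worth confirming that an unset realm cannot reach this path, since the resulting CN becomes the subject of the generated certificates. The enclosing function continues outside the hunk.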
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f2e79f2..62e7a72 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -24,21 +24,20 @@
 #if ENABLE_GNUTLS
 #include "gnutls/gnutls.h"
 #include "gnutls/x509.h"
+#if HAVE_GCRYPT_H
+#include <gcrypt.h>
+#endif
 
 #define ORGANISATION_NAME "Samba Administration"
 #define UNIT_NAME         "Samba - temporary autogenerated certificate"
-#define COMMON_NAME       "Samba"
 #define LIFETIME          700*24*60*60
 #define DH_BITS                  1024
 
-void tls_cert_generate(TALLOC_CTX *mem_ctx, 
-                      const char *keyfile, const char *certfile,
-                      const char *cafile);
-
 /* 
    auto-generate a set of self signed certificates
 */
 void tls_cert_generate(TALLOC_CTX *mem_ctx, 
+                      const char *hostname, 
                       const char *keyfile, const char *certfile,
                       const char *cafile)
 {
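Review bot: The header is guarded with `#if HAVE_GCRYPT_H` here but the call site later in the file uses `#ifdef HAVE_GCRYPT_H`; both work with autoconf's `#define HAVE_GCRYPT_H 1`, but one spelling should be used consistently so the two guards cannot diverge. The comment above the definition does not mention the new parameter; since `hostname` is used as the CN of both generated certificates, a one-line addition such as `/* hostname: used as the X.520 common name of the CA and server certificates */` would document the contract the caller in tls.c now relies on. The function body continues outside the hunk.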
@@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 
        TLSCHECK(gnutls_global_init());
 
-       DEBUG(0,("Attempting to autogenerate TLS self-signed keys for 
https\n"));
+       DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for 
hostname '%s'\n", 
+                hostname));
        
+#ifdef HAVE_GCRYPT_H
+       DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
+       gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
+
        DEBUG(3,("Generating private key\n"));
        TLSCHECK(gnutls_x509_privkey_init(&key));
        TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, DH_BITS, 
0));
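Review bot: `gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0)` is a process-wide setting that does not end when certificate generation ends: it lowers the random quality level for every later libgcrypt consumer in this process, and `tls_cert_generate` runs in any deployment where the CA file is missing, not only in the test environment the commit message describes. A comment recording this, e.g. `/* NOTE: quick-random mode persists for the life of the process and affects all later gcrypt RNG use, not just key generation */`, and ideally gating the call on a test-only setting, would keep the trade-off visible. Two smaller points: the call comes after `gnutls_global_init()` above, and libgcrypt's documentation asks for this control to be issued early in RNG initialisation, so it is worth confirming it still takes effect in this order; and the `gcry_error_t` return is discarded, so a refused control is silent.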
@@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
                                      UNIT_NAME, strlen(UNIT_NAME)));
        TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
                                      GNUTLS_OID_X520_COMMON_NAME, 0,
-                                     COMMON_NAME, strlen(COMMON_NAME)));
+                                     hostname, strlen(hostname)));
        TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
        TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
        TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
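Review bot: Both the CA certificate here and the server certificate in the next hunk now receive the same CN, and they already share ORGANISATION_NAME and UNIT_NAME, so if `crt` is issued by `cacrt` (the signing step is outside the hunks) the server certificate's issuer DN becomes identical to its subject DN, which some verifiers treat as a self-signed certificate and then fail to chain to the CA. Keeping a distinct name for the CA, for example a constructed `ca_name` built as `"<hostname> CA"` (placeholder) passed here in place of `hostname` while the server certificate keeps the bare hostname, avoids that ambiguity. The same change applies to the second `GNUTLS_OID_X520_COMMON_NAME` hunk only in that it should keep `hostname` as-is.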
@@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
                                      UNIT_NAME, strlen(UNIT_NAME)));
        TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
                                      GNUTLS_OID_X520_COMMON_NAME, 0,
-                                     COMMON_NAME, strlen(COMMON_NAME)));
+                                     hostname, strlen(hostname)));
        TLSCHECK(gnutls_x509_crt_set_key(crt, key));
        TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
        TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));


-- 
Samba Shared Repository
