[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-953-gb1ff79d

Andrew Tridgell tridge at samba.org
Wed Feb 18 03:47:34 GMT 2009


The branch, master has been updated
       via  b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302 (commit)
      from  0281166bb9bdf0015085b4f0a3049e7bf5036da2 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b1ff79dbb246e717fc4a62c7a615ca7ce9ccc302
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Feb 18 14:46:57 2009 +1100

    fixed some of the TLS problems
    
    This fixes two things in the TLS support for Samba4. The first is to
    use a somewhat more correct hostname instead of 'Samba' when
    generating the test certificates. That allows TLS test clients (such
    as gnutls-cli) to connect to Samba4 using auto-generated certificates.
    
    The second fix is to add a call to gcry_control() to tell gcrypt to
    use /dev/urandom instead of /dev/random (on systems that support
    that). That means that test certificate generation is now very fast;
    its previous slowness was an impediment to putting the TLS tests on
    the build farm.

-----------------------------------------------------------------------

Summary of changes:
 source4/lib/tls/config.m4 |    1 +
 source4/lib/tls/tls.c     |   10 ++++++++--
 source4/lib/tls/tlscert.c |   21 +++++++++++++--------
 3 files changed, 22 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/tls/config.m4 b/source4/lib/tls/config.m4
index 74c6bd1..0bafc5d 100644
--- a/source4/lib/tls/config.m4
+++ b/source4/lib/tls/config.m4
@@ -39,4 +39,5 @@ if test x$use_gnutls = xyes; then
 	AC_CHECK_TYPES([gnutls_datum],,,[#include "gnutls/gnutls.h"])
 	AC_CHECK_TYPES([gnutls_datum_t],,,[#include "gnutls/gnutls.h"])
 	AC_DEFINE(ENABLE_GNUTLS,1,[Whether we have gnutls support (SSL)])
+	AC_CHECK_HEADERS(gcrypt.h)
 fi
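Review bot: `AC_CHECK_HEADERS(gcrypt.h)` only establishes that the header is present, but the `gcry_control()` call it enables in tlscert.c also has to resolve against libgcrypt at link time, and nothing in this hunk adds that library to the link line. The build presumably works because gnutls pulls libgcrypt in transitively; that dependency is worth making explicit, e.g. by gating the define on a library probe such as `AC_CHECK_LIB(gcrypt, gcry_control, ...)`, so a gnutls built against a different crypto backend does not produce an unresolved symbol.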
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 99a1505..1014ab0 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -362,7 +362,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
 	const char *cafile = lp_tls_cafile(tmp_ctx, lp_ctx);
 	const char *crlfile = lp_tls_crlfile(tmp_ctx, lp_ctx);
 	const char *dhpfile = lp_tls_dhpfile(tmp_ctx, lp_ctx);
-	void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
+	void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *);
 	params = talloc(mem_ctx, struct tls_params);
 	if (params == NULL) {
 		talloc_free(tmp_ctx);
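Review bot: The prototype for `tls_cert_generate` is still a hand-written declaration inside the body of tls_initialise, duplicated from tlscert.c, and the commit has to edit both copies by hand to add the new parameter; the compiler cannot check that they agree, and this commit also removes the only other prototype from tlscert.c, so a future argument mismatch would compile cleanly and call the function with the wrong arguments. Move the declaration into a shared header included by both files and delete this local one. tls_initialise starts before and continues after this hunk.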
@@ -376,7 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
 	}
 
 	if (!file_exist(cafile)) {
-		tls_cert_generate(params, keyfile, certfile, cafile);
+		char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
+						 lp_netbios_name(lp_ctx), lp_realm(lp_ctx));
+		if (hostname == NULL) {
+			goto init_failed;
+		}
+		tls_cert_generate(params, hostname, keyfile, certfile, cafile);
+		talloc_free(hostname);
 	}
 
 	ret = gnutls_global_init();
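Review bot: `hostname` is allocated on `mem_ctx`, the caller's long-lived context, even though the previous hunk shows this function already has a `tmp_ctx` for temporaries; allocating on `tmp_ctx` instead, `char *hostname = talloc_asprintf(tmp_ctx, "%s.%s",`, lets the explicit `talloc_free(hostname);` go away and guarantees the string cannot outlive the function on any exit path. The `init_failed` label is outside this hunk, so I am assuming it exists and frees `tmp_ctx`. I also cannot see whether `lp_realm()` can return an empty string; if it can, the generated CN would be `NAME.` with a trailing dot, which is worth guarding before it is baked into a certificate.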
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f2e79f2..62e7a72 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -24,21 +24,20 @@
 #if ENABLE_GNUTLS
 #include "gnutls/gnutls.h"
 #include "gnutls/x509.h"
+#if HAVE_GCRYPT_H
+#include <gcrypt.h>
+#endif
 
 #define ORGANISATION_NAME "Samba Administration"
 #define UNIT_NAME         "Samba - temporary autogenerated certificate"
-#define COMMON_NAME       "Samba"
 #define LIFETIME          700*24*60*60
 #define DH_BITS 		  1024
 
-void tls_cert_generate(TALLOC_CTX *mem_ctx, 
-		       const char *keyfile, const char *certfile,
-		       const char *cafile);
-
 /* 
    auto-generate a set of self signed certificates
 */
 void tls_cert_generate(TALLOC_CTX *mem_ctx, 
+		       const char *hostname, 
 		       const char *keyfile, const char *certfile,
 		       const char *cafile)
 {
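Review bot: The new `hostname` parameter is undocumented; the comment above the definition still says only "auto-generate a set of self signed certificates" and should state that `hostname` becomes the common name of both the CA and server certificates and must be non-NULL (later hunks pass it straight to `strlen`), e.g. `   hostname: FQDN placed in the CN of both generated certificates; must not be NULL`. A smaller point of style: the include is guarded with `#if HAVE_GCRYPT_H` here while the later hunk uses `#ifdef HAVE_GCRYPT_H`; both work with the `1` that AC_CHECK_HEADERS defines, but pick one form.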
@@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 
 	TLSCHECK(gnutls_global_init());
 
-	DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
+	DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", 
+		 hostname));
 	
+#ifdef HAVE_GCRYPT_H
+	DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
+	gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
+
 	DEBUG(3,("Generating private key\n"));
 	TLSCHECK(gnutls_x509_privkey_init(&key));
 	TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, DH_BITS, 0));
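Review bot: `gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0)` lowers the random-number quality for the whole process, not just for the test run the commit message describes: the tls.c hunk shows tls_cert_generate is called from tls_initialise whenever the CA file is missing, so a freshly installed production server would generate its long-lived RSA private key, and anything else gcrypt does afterwards in that process, with the degraded generator. This should be conditional on an explicit test or developer setting from loadparm rather than unconditional, and the DEBUG(0) line above should then say that the key is being generated in quick-random mode so the condition is visible in logs. Separately, the control is issued after `gnutls_global_init()` has already initialised gcrypt; my recollection of the libgcrypt documentation is that this option is meant to be set before the RNG is initialised, so confirm it actually takes effect in this position. The body of tls_cert_generate continues outside this hunk.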
@@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 				      UNIT_NAME, strlen(UNIT_NAME)));
 	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
 				      GNUTLS_OID_X520_COMMON_NAME, 0,
-				      COMMON_NAME, strlen(COMMON_NAME)));
+				      hostname, strlen(hostname)));
 	TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
 	TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
 	TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
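Review bot: The hostname is written only into the common name of the certificate, here for the CA certificate and again in the next hunk for the server certificate at `hostname, strlen(hostname)` (L141); clients that verify the peer name against the subjectAltName rather than the CN will still not match, so the server certificate in the next hunk should also get `TLSCHECK(gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, hostname));`. The function itself never checks `hostname` for NULL before `strlen`; the only guard is in the caller, so either document that contract or add an early check at the top of the function. tls_cert_generate starts and ends outside this hunk.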
@@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 				      UNIT_NAME, strlen(UNIT_NAME)));
 	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
 				      GNUTLS_OID_X520_COMMON_NAME, 0,
-				      COMMON_NAME, strlen(COMMON_NAME)));
+				      hostname, strlen(hostname)));
 	TLSCHECK(gnutls_x509_crt_set_key(crt, key));
 	TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
 	TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));

