CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with...
[samba.git] / source4 / lib / tls / tlscert.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    auto-generate self signed TLS certificates
5
6    Copyright (C) Andrew Tridgell 2005
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/tls/tls.h"
24
25 #if ENABLE_GNUTLS
26 #include <gnutls/gnutls.h>
27 #include <gnutls/x509.h>
28 #if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
29 #include <gcrypt.h>
30 #endif
31
32 #define ORGANISATION_NAME "Samba Administration"
33 #define CA_NAME           "Samba - temporary autogenerated CA certificate"
34 #define UNIT_NAME         "Samba - temporary autogenerated HOST certificate"
35 #define LIFETIME          700*24*60*60
36 #define RSA_BITS          4096
37
38 /* 
39    auto-generate a set of self signed certificates
40 */
41 void tls_cert_generate(TALLOC_CTX *mem_ctx, 
42                        const char *hostname, 
43                        const char *keyfile, const char *certfile,
44                        const char *cafile)
45 {
46         gnutls_x509_crt cacrt, crt;
47         gnutls_x509_privkey key, cakey;
48         uint32_t serial = (uint32_t)time(NULL);
49         unsigned char keyid[100];
50         char buf[4096];
51         size_t bufsize;
52         size_t keyidsize = sizeof(keyid);
53         time_t activation = time(NULL), expiry = activation + LIFETIME;
54         int ret;
55
56         if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
57                 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
58                 return;
59         }
60
61 #define TLSCHECK(call) do { \
62         ret = call; \
63         if (ret < 0) { \
64                 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
65                 goto failed; \
66         } \
67 } while (0)
68
69         TLSCHECK(gnutls_global_init());
70
71         DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", 
72                  hostname));
73         
74 #if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
75         DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
76         gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
77 #endif
78
79         DEBUG(3,("Generating private key\n"));
80         TLSCHECK(gnutls_x509_privkey_init(&key));
81         TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, RSA_BITS, 0));
82
83         DEBUG(3,("Generating CA private key\n"));
84         TLSCHECK(gnutls_x509_privkey_init(&cakey));
85         TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, RSA_BITS, 0));
86
87         DEBUG(3,("Generating CA certificate\n"));
88         TLSCHECK(gnutls_x509_crt_init(&cacrt));
89         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, 
90                                       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
91                                       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
92         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, 
93                                       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
94                                       CA_NAME, strlen(CA_NAME)));
95         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
96                                       GNUTLS_OID_X520_COMMON_NAME, 0,
97                                       hostname, strlen(hostname)));
98         TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
99         TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
100         TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
101         TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
102         TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 1));
103         TLSCHECK(gnutls_x509_crt_set_key_usage(cacrt, GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN));
104         TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
105         TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
106 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
107         TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
108 #endif
109         TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));
110
111         DEBUG(3,("Generating TLS certificate\n"));
112         TLSCHECK(gnutls_x509_crt_init(&crt));
113         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, 
114                                       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
115                                       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
116         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, 
117                                       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
118                                       UNIT_NAME, strlen(UNIT_NAME)));
119         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
120                                       GNUTLS_OID_X520_COMMON_NAME, 0,
121                                       hostname, strlen(hostname)));
122         TLSCHECK(gnutls_x509_crt_set_key(crt, key));
123         TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
124         TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
125         TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
126         TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
127 #ifdef GNUTLS_KP_TLS_WWW_SERVER
128         TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
129 #endif
130         TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
131         TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
132 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
133         TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
134 #endif
135         TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
136         TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey));
137
138         DEBUG(3,("Exporting TLS keys\n"));
139
140         bufsize = sizeof(buf);
141         TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
142         if (!file_save(certfile, buf, bufsize)) {
143                 DEBUG(0,("Unable to save certificate in %s parent dir exists ?\n", certfile));
144                 goto failed;
145         }
146
147         bufsize = sizeof(buf);
148         TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
149         if (!file_save(cafile, buf, bufsize)) {
150                 DEBUG(0,("Unable to save ca cert in %s parent dir exists ?\n", cafile));
151                 goto failed;
152         }
153
154         bufsize = sizeof(buf);
155         TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
156         if (!file_save_mode(keyfile, buf, bufsize, 0600)) {
157                 DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile));
158                 goto failed;
159         }
160
161         gnutls_x509_privkey_deinit(key);
162         gnutls_x509_privkey_deinit(cakey);
163         gnutls_x509_crt_deinit(cacrt);
164         gnutls_x509_crt_deinit(crt);
165         gnutls_global_deinit();
166
167         DEBUG(0,("TLS self-signed keys generated OK\n"));
168         return;
169
170 failed:
171         DEBUG(0,("TLS certificate generation failed\n"));
172 }
173
174 #else
175 void tls_cert_dummy(void) {}
176 #endif