CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with...

The generated ca cert (in ca.pem) was completely useless,
it could be replaced by cert.pem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 8eab04a1fb7d0de6eca3d61d4d9cf3e41c13e2f3..f1808d7cfd947141edb2fe03e1cb15413252ead0 100644 (file)
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -30,9 +30,10 @@
 #endif
 
 #define ORGANISATION_NAME "Samba Administration"
-#define UNIT_NAME         "Samba - temporary autogenerated certificate"
+#define CA_NAME           "Samba - temporary autogenerated CA certificate"
+#define UNIT_NAME         "Samba - temporary autogenerated HOST certificate"
 #define LIFETIME          700*24*60*60
-#define DH_BITS                  1024
+#define RSA_BITS          4096
 
 /* 
    auto-generate a set of self signed certificates
@@ -77,11 +78,11 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 
        DEBUG(3,("Generating private key\n"));
        TLSCHECK(gnutls_x509_privkey_init(&key));
-       TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, DH_BITS, 0));
+       TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, RSA_BITS, 0));
 
        DEBUG(3,("Generating CA private key\n"));
        TLSCHECK(gnutls_x509_privkey_init(&cakey));
-       TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, DH_BITS, 0));
+       TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, RSA_BITS, 0));
 
        DEBUG(3,("Generating CA certificate\n"));
        TLSCHECK(gnutls_x509_crt_init(&cacrt));
@@ -90,7 +91,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
                                      ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
        TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, 
                                      GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
-                                     UNIT_NAME, strlen(UNIT_NAME)));
+                                     CA_NAME, strlen(CA_NAME)));
        TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
                                      GNUTLS_OID_X520_COMMON_NAME, 0,
                                      hostname, strlen(hostname)));
@@ -98,10 +99,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
        TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
        TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
        TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
-       TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 0));
-#ifdef GNUTLS_KP_TLS_WWW_SERVER
-       TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0));
-#endif
+       TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 1));
+       TLSCHECK(gnutls_x509_crt_set_key_usage(cacrt, GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN));
        TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
        TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
@@ -134,6 +133,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
        TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
 #endif
        TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
+       TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey));
 
        DEBUG(3,("Exporting TLS keys\n"));