From: Andreas Schneider Date: Fri, 13 Mar 2020 14:32:27 +0000 (+0100) Subject: s4:tls: Fix generating TLS RSA certs with FIPS140-2 X-Git-Tag: ldb-2.2.0~969 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab3394f9f5af71ab904617147dc2e24de77ebcec;p=thirdparty%2Fsamba.git s4:tls: Fix generating TLS RSA certs with FIPS140-2 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner
---
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 9379ab094d1..36482e3aaaf 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -29,7 +29,9 @@
 #define CA_NAME "Samba - temporary autogenerated CA certificate"
 #define UNIT_NAME "Samba - temporary autogenerated HOST certificate"
 #define LIFETIME 700*24*60*60
-#define RSA_BITS 4096
+
+/* FIPS140-2 only allows 2048 or 3072 prime sizes. */
+#define RSA_BITS gnutls_fips140_mode_enabled() ? 3072 : 4096
 /* auto-generate a set of self signed certificates
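Review bot: The new `RSA_BITS` macro expands to a bare conditional expression, so any use inside a larger expression (for example `RSA_BITS / 8`) would apply the operator to the `4096` arm only; it should be wrapped as `#define RSA_BITS (gnutls_fips140_mode_enabled() ? 3072 : 4096)`. The macro is also no longer an integer constant expression, so it cannot be used in `#if` or as a file-scope array size. The call sites are outside this hunk and should be checked for both points. Since the key size now depends on FIPS state evaluated at each expansion rather than once at startup, the comment above the macro could say so, e.g. `/* Evaluated at each use: 3072 bits in FIPS140-2 mode, otherwise 4096. */`.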