diff --git a/samba-4.16-waf-crypto.patch b/samba-4.16-waf-crypto.patch
new file mode 100644
index 0000000..337be97
--- /dev/null
+++ b/samba-4.16-waf-crypto.patch
@@ -0,0 +1,77 @@
+From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 4 Apr 2022 11:24:04 +0200
+Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
+
+As GnuTLS is an essential part we need to check for it early so we can react on
+GnuTLS features in other wscripts.
+
+Signed-off-by: Andreas Schneider
+---
+ wscript | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wscript b/wscript
+index d8220b35095..5b85d9a1682 100644
+--- a/wscript
++++ b/wscript
+@@ -189,6 +189,8 @@ def configure(conf):
+ conf.RECURSE('dynconfig')
+ conf.RECURSE('selftest')
+
++ conf.PROCESS_SEPARATE_RULE('system_gnutls')
++
+ conf.CHECK_CFG(package='zlib', minversion='1.2.3',
+ args='--cflags --libs',
+ mandatory=True)
+@@ -297,8 +299,6 @@ def configure(conf):
+ if not conf.CONFIG_GET('KRB5_VENDOR'):
+ conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
+
+- conf.PROCESS_SEPARATE_RULE('system_gnutls')
+-
+ conf.RECURSE('source4/dsdb/samdb/ldb_modules')
+ conf.RECURSE('source4/ntvfs/sysdep')
+ conf.RECURSE('lib/util')
+--
+2.35.1
+
+
+From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 4 Apr 2022 11:25:31 +0200
+Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
+ provides the cipher
+
+Signed-off-by: Andreas Schneider
+---
+ third_party/wscript | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/third_party/wscript b/third_party/wscript
+index 1f4bc1ce1d7..a17c15bcaa7 100644
+--- a/third_party/wscript
++++ b/third_party/wscript
+@@ -5,7 +5,8 @@ from waflib import Options
+ def configure(conf):
+ conf.RECURSE('cmocka')
+ conf.RECURSE('popt')
+- conf.RECURSE('aesni-intel')
++ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
++ conf.RECURSE('aesni-intel')
+ if conf.CONFIG_GET('ENABLE_SELFTEST'):
+ conf.RECURSE('socket_wrapper')
+ conf.RECURSE('nss_wrapper')
+@@ -18,7 +19,8 @@ def configure(conf):
+ def build(bld):
+ bld.RECURSE('cmocka')
+ bld.RECURSE('popt')
+- bld.RECURSE('aesni-intel')
++ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
++ bld.RECURSE('aesni-intel')
+ if bld.CONFIG_GET('SOCKET_WRAPPER'):
+ bld.RECURSE('socket_wrapper')
+ if bld.CONFIG_GET('NSS_WRAPPER'):
+--
+2.35.1
+
diff --git a/samba.spec b/samba.spec
index e3a5d28..889a960 100644
--- a/samba.spec
+++ b/samba.spec
@@ -204,6 +204,8 @@ Source14: samba.pamd
 Source201: README.downgrade
 Patch0: samba-s4u.patch
+# https://gitlab.com/samba-team/samba/-/merge_requests/2477
+Patch1: samba-4.16-waf-crypto.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -1062,6 +1064,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %autosetup -n samba-%{version}%{pre_release} -p1
+# Ensure we rely on GnuTLS and do not build any other crypto code shipping with
+# the sources.
+rm -rf third_party/{aesni-intel,heimdal}
+rm -f lib/crypto/{aes,rijndael}*.c
+
 %build
 %if %{with includelibs}
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
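Review bot: The `rm -rf` and `rm -f` lines added to `%prep` succeed even when a path or glob matches nothing, so a later rebase that moves or renames the bundled AES sources would leave them in the tree while the comment still promises a GnuTLS-only build. Dropping the force flag makes `%prep` fail loudly in that case: `rm -r third_party/{aesni-intel,heimdal}` and `rm lib/crypto/{aes,rijndael}*.c`. Deleting `third_party/heimdal` also presumes the build is configured against a system Kerberos, because the root `wscript` in the shipped patch still runs `embedded_heimdal` when `KRB5_VENDOR` is unset; the configure options are not visible in this hunk, so a short comment next to the `rm` naming that dependency would help. The brace expansion additionally relies on `%prep` running under bash.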