From 5533ff7a7cdc304b30f46d896c6e708449270406 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 4 Apr 2022 11:32:12 +0200
Subject: [PATCH] Make sure we do not build Heimdal or crypto code

As we need to rely on GnuTLS for FIPS, remove heimdal and other unused crypto code to ensure we do not build it!
---
 samba-4.16-waf-crypto.patch | 77 +++++++++++++++++++++++++++++++++++++
 samba.spec | 7 ++++
 2 files changed, 84 insertions(+)
 create mode 100644 samba-4.16-waf-crypto.patch

diff --git a/samba-4.16-waf-crypto.patch b/samba-4.16-waf-crypto.patch
new file mode 100644
index 0000000..337be97
--- /dev/null
+++ b/samba-4.16-waf-crypto.patch
@@ -0,0 +1,77 @@ +From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Apr 2022 11:24:04 +0200 +Subject: [PATCH 1/2] waf: Check for GnuTLS earlier + +As GnuTLS is an essential part we need to check for it early so we can react on +GnuTLS features in other wscripts. + +Signed-off-by: Andreas Schneider +--- + wscript | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wscript b/wscript +index d8220b35095..5b85d9a1682 100644 +--- a/wscript ++++ b/wscript +@@ -189,6 +189,8 @@ def configure(conf): + conf.RECURSE('dynconfig') + conf.RECURSE('selftest') + ++ conf.PROCESS_SEPARATE_RULE('system_gnutls') ++ + conf.CHECK_CFG(package='zlib', minversion='1.2.3', + args='--cflags --libs', + mandatory=True) +@@ -297,8 +299,6 @@ def configure(conf): + if not conf.CONFIG_GET('KRB5_VENDOR'): + conf.PROCESS_SEPARATE_RULE('embedded_heimdal') + +- conf.PROCESS_SEPARATE_RULE('system_gnutls') +- + conf.RECURSE('source4/dsdb/samdb/ldb_modules') + conf.RECURSE('source4/ntvfs/sysdep') + conf.RECURSE('lib/util') +-- +2.35.1 + + +From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Apr 2022 11:25:31 +0200 +Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS + provides the cipher + +Signed-off-by: Andreas Schneider +--- + third_party/wscript | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/third_party/wscript b/third_party/wscript +index 1f4bc1ce1d7..a17c15bcaa7 100644 +--- a/third_party/wscript ++++ b/third_party/wscript +@@ -5,7 +5,8 @@ from waflib import Options + def configure(conf): + conf.RECURSE('cmocka') + conf.RECURSE('popt') +- conf.RECURSE('aesni-intel') ++ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): ++ conf.RECURSE('aesni-intel') + if conf.CONFIG_GET('ENABLE_SELFTEST'): + conf.RECURSE('socket_wrapper') + conf.RECURSE('nss_wrapper') +@@ -18,7 +19,8 @@ def configure(conf): + def build(bld): + 
bld.RECURSE('cmocka') + bld.RECURSE('popt') +- bld.RECURSE('aesni-intel') ++ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): ++ bld.RECURSE('aesni-intel') + if bld.CONFIG_GET('SOCKET_WRAPPER'): + bld.RECURSE('socket_wrapper') + if bld.CONFIG_GET('NSS_WRAPPER'): +-- +2.35.1 + diff --git a/samba.spec b/samba.spec index e3a5d28..889a960 100644 --- a/samba.spec +++ b/samba.spec @@ -204,6 +204,8 @@ Source14: samba.pamd Source201: README.downgrade Patch0: samba-s4u.patch +# https://gitlab.com/samba-team/samba/-/merge_requests/2477 +Patch1: samba-4.16-waf-crypto.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -1062,6 +1064,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %autosetup -n samba-%{version}%{pre_release} -p1 +# Ensure we rely on GnuTLS and do not build any other crypto code shipping with +# the sources. +rm -rf third_party/{aesni-intel,heimdal} +rm -f lib/crypto/{aes,rijndael}*.c + %build %if %{with includelibs} %global _talloc_lib ,talloc,pytalloc,pytalloc-util
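Review bot: The fallback in the third_party/wscript part of this new patch file is undocumented: `if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): conf.RECURSE('aesni-intel')` (and the matching `bld.` branch) silently builds the in-tree AES-NI implementation whenever the GnuTLS feature probe fails, which is precisely the outcome a FIPS build must not have, and nothing in the hunk says so. I would put a comment above both branches, e.g. `# aesni-intel is only a fallback for hosts whose GnuTLS lacks AES-CMAC; a FIPS build must never take this branch`, so the condition is not relaxed later without noticing. Which rule defines HAVE_GNUTLS_AES_CMAC is not visible here (the system_gnutls rule is only moved earlier in wscript, not shown), so its tie to a minimum GnuTLS version is inferred and worth stating in that comment. Both configure() and build() in third_party/wscript continue outside the hunks shown.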
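Review bot: `rm -rf third_party/{aesni-intel,heimdal}` and `rm -f lib/crypto/{aes,rijndael}*.c` in the %prep hunk succeed silently when the paths no longer exist, so a future rebase that renames or moves those sources leaves the fallback crypto in the tree with no signal that the guarantee this commit claims has lapsed. Make the removal fail loudly instead, e.g. `test -d third_party/aesni-intel && test -d third_party/heimdal` and `ls lib/crypto/aes*.c lib/crypto/rijndael*.c >/dev/null` placed before the two rm lines, so %prep aborts rather than producing a build that quietly contains the code. Deleting third_party/heimdal also means a configure run that ends up without KRB5_VENDOR would hit the embedded_heimdal rule on a missing directory; that is fail-closed, but the %configure flags that select the system Kerberos are not in this hunk, so confirm them. Whether lib/crypto/wscript_build still lists the deleted aes*.c sources is likewise not visible; if it does the build fails at link time rather than silently, which is acceptable but deserves a sentence in the comment above the rm lines.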