From 8eda48756017db6202fe4ec8a27df0a28a403052 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 9 Mar 2015 21:08:44 +0100 Subject: [PATCH 1/3] s4-backupkey: This has been migrated to GnuTLS. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135 Signed-off-by: Andreas Schneider --- source4/rpc_server/wscript_build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build index c79c1827..b8679bb 100755 --- a/source4/rpc_server/wscript_build +++ b/source4/rpc_server/wscript_build @@ -115,7 +115,7 @@ bld.SAMBA_MODULE('dcerpc_backupkey', autoproto='backupkey/proto.h', subsystem='dcerpc_server', init_function='dcerpc_server_backupkey_init', - deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY krb5 hx509 hcrypto' + deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY krb5 gnutls' ) -- 2.3.2 From 56cf638ac0d575854ea84c6db23fc4e321ab95b8 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 9 Mar 2015 21:08:04 +0100 Subject: [PATCH 2/3] s4-tls: Always require gnutls. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135 Signed-off-by: Andreas Schneider --- source4/lib/tls/tlscert.c | 5 ----- source4/lib/tls/wscript | 23 ----------------------- wscript | 1 - 3 files changed, 29 deletions(-) diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c index 8a19e0a..21c12bf 100644 --- a/source4/lib/tls/tlscert.c +++ b/source4/lib/tls/tlscert.c @@ -21,7 +21,6 @@ #include "includes.h" -#if ENABLE_GNUTLS #include #include #if HAVE_GCRYPT_H @@ -169,7 +168,3 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, failed: DEBUG(0,("TLS certificate generation failed\n")); } - -#else -void tls_cert_dummy(void) {} -#endif diff --git a/source4/lib/tls/wscript b/source4/lib/tls/wscript index ae96395..5a8679f 100644 --- a/source4/lib/tls/wscript +++ b/source4/lib/tls/wscript 
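Review bot: Dropping `hx509 hcrypto` from `deps` looks premature, because the server code in the third patch of this series still takes an `hx509_context *hctx` parameter (`create_heimdal_rsa_key`), so the module keeps referencing hx509 and now only gets it transitively through `krb5`. If a GnuTLS-only build is the goal, keep the explicit dependency until those uses are gone, `deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY krb5 hx509 gnutls'`, or state in the commit message that relying on the transitive link via krb5 is intended. The subject's "migrated to GnuTLS" is only partly visible here, so this is inferred from the one remaining hx509 parameter rather than from the whole module.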
@@ -3,32 +3,11 @@ import Options from optparse import SUPPRESS_HELP -def set_options(opt): - # allow users to disable gnutls - opt.add_option('--enable-gnutls', - help=("Enable use of gnutls"), - action="store_true", dest='enable_gnutls', default=True) - opt.add_option('--disable-gnutls', help=SUPPRESS_HELP, action="store_false", dest='enable_gnutls') - - def configure(conf): - conf.env.enable_gnutls = Options.options.enable_gnutls - if not conf.env.enable_gnutls: - conf.SET_TARGET_TYPE('gnutls', 'DISABLED') - conf.SET_TARGET_TYPE('gcrypt', 'DISABLED') - conf.SET_TARGET_TYPE('gpg-error', 'DISABLED') - return - conf.check_cfg(package='gnutls', args='"gnutls >= 1.4.0 gnutls != 2.2.4 gnutls != 2.8.0 gnutls != 2.8.1" --cflags --libs', msg='Checking for gnutls >= 1.4.0 and broken versions', mandatory=False) - if 'HAVE_GNUTLS' in conf.env: - conf.DEFINE('ENABLE_GNUTLS', 1) - else: - if 'AD_DC_BUILD_IS_ENABLED' in conf.env: - conf.fatal("Building the AD DC requires GnuTLS (eg libgnutls-dev, gnutls-devel) for ldaps:// support and for the BackupKey protocol") - conf.CHECK_FUNCS_IN('gnutls_global_init', 'gnutls', headers='gnutls/gnutls.h') @@ -46,8 +25,6 @@ def configure(conf): headers='gnutls/gnutls.h', lib='gnutls') conf.CHECK_FUNCS_IN('gcry_control', 'gcrypt', headers='gcrypt.h') - conf.CHECK_FUNCS_IN('gpg_err_code_from_errno', 'gpg-error') - def build(bld): bld.SAMBA_SUBSYSTEM('LIBTLS', diff --git a/wscript b/wscript index f1d2e97..b0ea7f4 100644 --- a/wscript +++ b/wscript @@ -39,7 +39,6 @@ def set_options(opt): opt.RECURSE('lib/ldb') opt.RECURSE('lib/ntdb') opt.RECURSE('selftest') - opt.RECURSE('source4/lib/tls') opt.RECURSE('pidl') opt.RECURSE('source3') opt.RECURSE('lib/util') -- 2.3.2 From 83a7fa33334c3034c7952e32114e0d95f61e43c3 Mon Sep 17 00:00:00 2001 
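Review bot: The removed block was the only place that stopped configure with a clear message when GnuTLS is absent, and the surviving `conf.CHECK_FUNCS_IN('gnutls_global_init', 'gnutls', headers='gnutls/gnutls.h')` is not marked mandatory, so a host without libgnutls-dev will now pass configure and fail at link time instead of being told what to install. Since the subject says "Always require gnutls", the check should enforce it: `conf.CHECK_FUNCS_IN('gnutls_global_init', 'gnutls', headers='gnutls/gnutls.h', mandatory=True)`, or an explicit `conf.fatal("Building Samba requires GnuTLS (eg libgnutls-dev, gnutls-devel)")` when `HAVE_GNUTLS` is not in `conf.env`. The deleted `check_cfg` call also carried the minimum version and the blacklist of broken releases (2.2.4, 2.8.0, 2.8.1); if those constraints still matter they should be re-added rather than silently dropped, and the commit message should say which versions are now supported. Whether Samba's `CHECK_FUNCS_IN` wrapper defaults to mandatory is not visible in this hunk, so confirm that before treating the missing flag as a defect. `configure()` continues past the end of this hunk.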
From: Andreas Schneider Date: Mon, 9 Mar 2015 21:14:19 +0100 Subject: [PATCH 3/3] s4-tls: Remove obsolete gcrypt support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135 Since GnuTLS 3.0 nettle is used instead of gcrypt. Signed-off-by: Andreas Schneider --- lib/replace/wscript | 2 +- source4/lib/tls/tlscert.c | 8 -------- source4/lib/tls/wscript | 4 +--- source4/rpc_server/backupkey/dcesrv_backupkey.c | 9 +-------- 4 files changed, 3 insertions(+), 20 deletions(-) diff --git a/lib/replace/wscript b/lib/replace/wscript index f8a0179..1949448 100644 --- a/lib/replace/wscript +++ b/lib/replace/wscript @@ -53,7 +53,7 @@ def configure(conf): conf.CHECK_HEADERS('sys/uio.h ifaddrs.h direct.h dirent.h') conf.CHECK_HEADERS('windows.h winsock2.h ws2tcpip.h') conf.CHECK_HEADERS('errno.h') - conf.CHECK_HEADERS('gcrypt.h getopt.h iconv.h') + conf.CHECK_HEADERS('getopt.h iconv.h') conf.CHECK_HEADERS('memory.h nss.h sasl/sasl.h') conf.CHECK_FUNCS_IN('inotify_init', 'inotify', checklibc=True, diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c index 21c12bf..453be2f 100644 --- a/source4/lib/tls/tlscert.c +++ b/source4/lib/tls/tlscert.c @@ -23,9 +23,6 @@ #include #include -#if HAVE_GCRYPT_H -#include -#endif #define ORGANISATION_NAME "Samba Administration" #define UNIT_NAME "Samba - temporary autogenerated certificate" @@ -67,11 +64,6 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", hostname)); - -#ifdef HAVE_GCRYPT_H - DEBUG(3,("Enabling QUICK mode in gcrypt\n")); - gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); -#endif DEBUG(3,("Generating private key\n")); TLSCHECK(gnutls_x509_privkey_init(&key)); diff --git a/source4/lib/tls/wscript b/source4/lib/tls/wscript index 5a8679f..840ed64 100644 --- a/source4/lib/tls/wscript +++ b/source4/lib/tls/wscript 
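Review bot: The commit message presents this as removing "obsolete gcrypt support", but the dropped `gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0)` call was a process-wide, security-relevant setting rather than dead code: per the libgcrypt documentation it degrades requests for the very-strong random level to the strong level, and it was issued immediately before generating the autogenerated self-signed TLS key. Stopping that weakening is a behaviour change worth stating explicitly, e.g. add to the message `This also stops enabling GCRYCTL_ENABLE_QUICK_RANDOM before key generation, which lowered the RNG quality used for the autogenerated TLS key.`, so anyone backporting or auditing certificate generation sees it. `tls_cert_generate` begins before this hunk and ends after it.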
@@ -24,11 +24,9 @@ def configure(conf): conf.CHECK_TYPES('gnutls_datum gnutls_datum_t', headers='gnutls/gnutls.h', lib='gnutls') - conf.CHECK_FUNCS_IN('gcry_control', 'gcrypt', headers='gcrypt.h') - def build(bld): bld.SAMBA_SUBSYSTEM('LIBTLS', source='tls.c tlscert.c tls_tstream.c', allow_warnings=True, - public_deps='talloc gnutls gcrypt samba-hostconfig samba_socket LIBTSOCKET tevent tevent-util' + public_deps='talloc gnutls samba-hostconfig samba_socket LIBTSOCKET tevent tevent-util' ) diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c index 04308bc..8fd4737 100644 --- a/source4/rpc_server/backupkey/dcesrv_backupkey.c +++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c @@ -43,10 +43,6 @@ #include "lib/crypto/arcfour.h" #include #include -#if HAVE_GCRYPT_H -#include -#endif - static const unsigned rsa_with_var_num[] = { 1, 2, 840, 113549, 1, 1, 1 }; /* Equivalent to asn1_oid_id_pkcs1_rsaEncryption*/ @@ -809,10 +805,7 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx, *rsa = NULL; gnutls_global_init(); -#ifdef HAVE_GCRYPT_H - DEBUG(3,("Enabling QUICK mode in gcrypt\n")); - gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); -#endif + ret = gnutls_x509_privkey_init(>ls_key); if (ret != 0) { gnutls_global_deinit(); -- 2.3.2
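Review bot: The rationale in the commit message ("Since GnuTLS 3.0 nettle is used instead of gcrypt") is not enforced by this configure block: once the `gcry_control` probe is gone nothing rejects a GnuTLS 2.x that is still gcrypt-backed, and the earlier patch in this series deleted the only version constraint. If 3.0 is now the floor, pin it here, e.g. `conf.check_cfg(package='gnutls', args='"gnutls >= 3.0.0" --cflags --libs', msg='Checking for gnutls >= 3.0.0', mandatory=True)`, and record the new minimum in the commit message. Whether older GnuTLS builds still link and behave correctly without the gcrypt initialisation is not something this hunk shows, so the exact floor should be confirmed against the supported-platform list. `configure()` starts before this hunk.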