From 469bdd40824909af36e54a2e969d5ca0bb909b09 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 12 Mar 2015 17:01:05 +1300
Subject: [PATCH 1/2] lib/tls: Fix behaviour of --disable-gnutls and remove link to gcrypt

We no longer link against gcrypt if gnutls > 3.0.0 is found, as these versions use libnettle.

Signed-off-by: Andrew Bartlett
---
 source4/lib/tls/tlscert.c | 4 ++--
 source4/lib/tls/wscript | 22 +++++++++++++++++-----
 source4/rpc_server/backupkey/dcesrv_backupkey.c | 4 ++--
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 8a19e0a..b44d46b 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -24,7 +24,7 @@
 #if ENABLE_GNUTLS
 #include
 #include
-#if HAVE_GCRYPT_H
+#if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
 #include
 #endif
@@ -69,7 +69,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", hostname));
-#ifdef HAVE_GCRYPT_H
+#if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
 DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
 #endif
diff --git a/source4/lib/tls/wscript b/source4/lib/tls/wscript
index ae96395..cbba87d 100644
--- a/source4/lib/tls/wscript
+++ b/source4/lib/tls/wscript
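Review bot: The surviving gnutls < 3 branch still switches libgcrypt into GCRYCTL_ENABLE_QUICK_RANDOM immediately before the self-signed https key is generated, and the new guard carries no explanation of either half of its condition. libgcrypt documents quick-random mode as a lower-quality generator intended for test suites, so a why-comment above the `#if` would stop someone re-enabling it on the nettle path later: `/* GnuTLS >= 3 uses nettle, not gcrypt, so gcry_control() would only configure a library GnuTLS no longer draws randomness from; quick-random mode also lowers RNG quality, so it stays confined to the legacy gcrypt build. */`. The same three-line condition is repeated twice more in dcesrv_backupkey.c; defining it once in a shared header would keep the sites from drifting. tls_cert_generate begins before this hunk and continues after it.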
@@ -17,11 +17,18 @@ def configure(conf):
 conf.SET_TARGET_TYPE('gnutls', 'DISABLED')
 conf.SET_TARGET_TYPE('gcrypt', 'DISABLED')
 conf.SET_TARGET_TYPE('gpg-error', 'DISABLED')
+ if 'AD_DC_BUILD_IS_ENABLED' in conf.env:
+ conf.fatal("--disable-gnutls given: Building the AD DC requires GnuTLS (eg libgnutls-dev, gnutls-devel) for ldaps:// support and for the BackupKey protocol")
 return
- conf.check_cfg(package='gnutls',
- args='"gnutls >= 1.4.0 gnutls != 2.2.4 gnutls != 2.8.0 gnutls != 2.8.1" --cflags --libs',
- msg='Checking for gnutls >= 1.4.0 and broken versions', mandatory=False)
+ if conf.check_cfg(package='gnutls',
+ args='"gnutls >= 3.0.0" --cflags --libs',
+ msg='Checking for gnutls >= 3.0.0s', mandatory=False):
+ conf.DEFINE('HAVE_GNUTLS3', 1)
+ else:
+ conf.check_cfg(package='gnutls',
+ args='"gnutls >= 1.4.0 gnutls != 2.2.4 gnutls != 2.8.0 gnutls != 2.8.1" --cflags --libs',
+ msg='Checking for gnutls >= 1.4.0 and broken versions', mandatory=False)
 if 'HAVE_GNUTLS' in conf.env:
 conf.DEFINE('ENABLE_GNUTLS', 1)
@@ -45,8 +52,13 @@ def configure(conf):
 conf.CHECK_TYPES('gnutls_datum gnutls_datum_t', headers='gnutls/gnutls.h', lib='gnutls')
- conf.CHECK_FUNCS_IN('gcry_control', 'gcrypt', headers='gcrypt.h')
- conf.CHECK_FUNCS_IN('gpg_err_code_from_errno', 'gpg-error')
+ # GnuTLS3 moved to libnettle, so only do this in the < 3.0 case
+ if not 'HAVE_GNUTLS3' in conf.env:
+ conf.CHECK_FUNCS_IN('gcry_control', 'gcrypt', headers='gcrypt.h')
+ conf.CHECK_FUNCS_IN('gpg_err_code_from_errno', 'gpg-error')
+ else:
+ conf.SET_TARGET_TYPE('gcrypt', 'DISABLED')
+ conf.SET_TARGET_TYPE('gpg-error', 'DISABLED')
 def build(bld):
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 04308bc..749e48b 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
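Review bot: The new AD DC guard only fires inside the `--disable-gnutls` branch; when GnuTLS is simply not installed, both `check_cfg` probes are `mandatory=False`, `HAVE_GNUTLS` presumably stays out of `conf.env`, and configure carries on past `if 'HAVE_GNUTLS' in conf.env:`, so an AD DC build would silently lose the ldaps:// and BackupKey support the fatal message says it requires — unless the part of configure() below this hunk already handles that case. Mirroring the check after the fallback probe closes the gap: `if 'HAVE_GNUTLS' not in conf.env and 'AD_DC_BUILD_IS_ENABLED' in conf.env:` / `conf.fatal("Building the AD DC requires GnuTLS (eg libgnutls-dev, gnutls-devel) for ldaps:// support and for the BackupKey protocol")`. The progress message `msg='Checking for gnutls >= 3.0.0s'` also has a stray trailing `s`. configure() starts before this hunk and continues after it.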
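Review bot: `if not 'HAVE_GNUTLS3' in conf.env:` reads better as the idiomatic `if 'HAVE_GNUTLS3' not in conf.env:`. The comment above it could also say what the else branch is for, since marking the targets DISABLED is what lets modules list gcrypt and gpg-error as dependencies unconditionally (the second patch in this series relies on exactly that): `# GnuTLS >= 3 uses libnettle; mark gcrypt/gpg-error DISABLED so deps on them resolve to nothing`. configure() continues past the end of this hunk.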
@@ -43,7 +43,7 @@
 #include "lib/crypto/arcfour.h"
 #include
 #include
-#if HAVE_GCRYPT_H
+#if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
 #include
 #endif
@@ -809,7 +809,7 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx,
 *rsa = NULL;
 gnutls_global_init();
-#ifdef HAVE_GCRYPT_H
+#if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
 DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
 #endif
--
1.9.3

From eba77d80da2c855a846cc389f3ad13b64919a6da Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 12 Mar 2015 17:05:50 +1300
Subject: [PATCH 2/2] backupkey: Explicitly link to gnutls and gcrypt

The gcrypt link will be disabled if gnutls is > 3.0.0

Signed-off-by: Andrew Bartlett
---
 source4/rpc_server/wscript_build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index c79c1827..55f45c7 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -115,7 +115,7 @@ bld.SAMBA_MODULE('dcerpc_backupkey',
 autoproto='backupkey/proto.h',
 subsystem='dcerpc_server',
 init_function='dcerpc_server_backupkey_init',
- deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY krb5 hx509 hcrypto'
+ deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY krb5 hx509 hcrypto gnutls gcrypt'
 )
--
1.9.3
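Review bot: On the gnutls < 3 build the new guard still flips libgcrypt into quick-random mode right before create_heimdal_rsa_key generates what is presumably the server-side RSA key for the BackupKey protocol (the fatal message in lib/tls/wscript ties GnuTLS to that protocol), and nothing says why the condition excludes GnuTLS 3 or what quick mode costs. A why-comment on the `#if` covers both: `/* gcrypt only backs GnuTLS < 3 (3.x uses nettle); quick-random mode trades RNG quality for speed, so it never applies to the nettle build */`. Whether quick mode is really wanted for a long-lived key rather than only under the test suite is worth confirming — this hunk does not show who calls this function or how the generated key is used. create_heimdal_rsa_key begins before this hunk and continues after it.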
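Review bot: `gcrypt` becomes an unconditional dependency of dcerpc_backupkey, which only works because configure marks that target DISABLED on GnuTLS >= 3 builds (lib/tls/wscript in the previous patch); nothing in this file records that, so the entry reads as a hard requirement. A one-line comment above the deps line keeps the coupling visible: `# gcrypt resolves to a DISABLED (no-op) target when GnuTLS >= 3 is used, see lib/tls/wscript`. The SAMBA_MODULE call starts before this hunk.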