Bug 13276 - configure aborts without libnettle/gnutls
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Build
Version: 4.8.0rc2
Hardware: All All
Importance: P5 regression
Target Milestone: 4.8
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2018-02-16 09:14 UTC by Björn Jacke
Modified: 2018-04-02 09:00 UTC

patch that checks for AD_DC_BUILD_IS_ENABLED (1.03 KB, patch)
2018-02-21 00:12 UTC, Stefan Metzmacher
Patch for 4.8 cherry-picked from master (23.03 KB, patch)
2018-02-27 11:02 UTC, Ralph Böhme
metze: review+

Description Björn Jacke 2018-02-16 09:14:06 UTC
Trying to run configure on a machine with --without-ad-dc fails when no gnutls and no nettle is available with the recent change in source4/dsdb/samdb/ldb_modules/wscript, even though all that is not needed for a build without ad-dc.

It would be nice if the wscript files in paths only needed by the ad-dc build would be skipped in a --without-ad-dc build. In any case there should be no fatal tests for that build scenario.
Comment 1 Björn Jacke 2018-02-20 09:28:08 UTC
Gary, can you look into this? It would be great to get this solved before 4.8 is final because it is a build regression from previous versions. Shouldn't we use the existing AES functions that we already have in our code instead of nettle also?
Comment 2 Stefan Metzmacher 2018-02-20 10:20:16 UTC
I'd prefer to only use gnutls or our own function.
Comment 3 Gary Lockyer 2018-02-20 22:03:40 UTC
agree that using only gnutls would be preferable. However the gnutls on Centos 6 does not contain the required functionality. And as writing a new crypto was out of scope, we used nettle as an existing and available library.

will add an appropriate if statement to ensure it builds with
Comment 4 Stefan Metzmacher 2018-02-21 00:10:02 UTC
(In reply to Gary Lockyer from comment #3)

lib/crypto/aes_gcm_128.h should be able to provide what you need or am I missing something?
Comment 5 Stefan Metzmacher 2018-02-21 00:12:30 UTC
Created attachment 13973
patch that checks for AD_DC_BUILD_IS_ENABLED

This would be the minimal patch to fix the --without-ad-dc build,
but I think we should also fix the build with ad-dc support.
Comment 6 Andrew Bartlett 2018-02-21 01:24:55 UTC
(In reply to Stefan Metzmacher from comment #5)
That doesn't look like the AEAD mode, and in general we need to be doing less, not more in-tree crypto.

While I certainly appreciate the difficult spot the file server is in with regard to the increasing need for good crypto (from SMB3) yet broad platform requirements, we shouldn't add more in-tree crypto for the AD DC.
Comment 7 Björn Jacke 2018-02-21 01:41:06 UTC
aes gcm, what metze pointed out, certainly is aead mode. and we don't need additional dependencies to crypto libraries which do the same job that we already do. there is a reason why that is currently still in-tree, see the crypto discussion threads from the mailing lists.
Comment 8 Andrew Bartlett 2018-02-21 02:24:04 UTC
OK.  I'll take the discussion of in-tree vs out of tree crypto to the mailing list.
Comment 9 Björn Jacke 2018-02-26 10:05:52 UTC
Gary: any update on this?
Comment 10 Gary Lockyer 2018-02-26 17:46:10 UTC
Patch by Metze to fix this has landed in master commit 07844a9a13506b4ca9181cfde05d9e4170208f88.

And I'd like to thank Metze for sorting this out.
Comment 11 Ralph Böhme 2018-02-27 11:02:48 UTC
Created attachment 14003
Patch for 4.8 cherry-picked from master
Comment 12 Stefan Metzmacher 2018-02-27 16:09:04 UTC
Pushed to autobuild-v4-8-test.
Comment 13 Stefan Metzmacher 2018-02-28 16:12:30 UTC
(In reply to Stefan Metzmacher from comment #12)

Pushed to v4-8-test.