Trying to run configure on a machine with --without-ad-dc fails when no gnutls and no nettle is available with the recent change in source4/dsdb/samdb/ldb_modules/wscript, even though all that is not needed for a build without ad-dc. It would be nice if the wscript files in paths only needed by the ad-dc build would be skipped in a --without-ad-dc build. In any case there should be no fatal tests for that build scenario.
Gary, can you look into this? It would be great to get this solved before 4.8 is final because it is a build regression from previous versions. Shouldn't we use the existing AES functions that we already have in our code instead of nettle also?
I'd prefer to only use gnutls or our own function.
Metze, agree that using only gnutls would be preferable. However the gnutls on CentOS 6 does not contain the required functionality. And as writing new crypto was out of scope, we used nettle as an existing and available library. Bjorn, I will add an appropriate if statement to ensure it builds with --without-ad-dc.
(In reply to Gary Lockyer from comment #3) lib/crypto/aes_gcm_128.h should be able to provide what you need or am I missing something?
Created attachment 13973 [details] patch that checks for AD_DC_BUILD_IS_ENABLED This would be the minimal patch to fix the --without-ad-dc build, but I think we should also fix the build with ad-dc support.
(In reply to Stefan Metzmacher from comment #5) That doesn't look like the AEAD mode, and in general we need to be doing less, not more in-tree crypto. While I certainly appreciate the difficult spot the file server is in with regard to the increasing need for good crypto (from SMB3) yet broad platform requirements, we shouldn't add more in-tree crypto for the AD DC.
AES-GCM, which Metze pointed out, certainly is an AEAD mode. And we don't need additional dependencies on crypto libraries which do the same job that we already do. There is a reason why that is currently still in-tree; see the crypto discussion threads from the mailing lists.
OK. I'll take the discussion of in-tree vs out of tree crypto to the mailing list.
Gary: any update on this?
Patch by Metze to fix this has landed in master commit 07844a9a13506b4ca9181cfde05d9e4170208f88. And I'd like to thank Metze for sorting this out.
Created attachment 14003 [details] Patch for 4.8 cherry-picked from master
Pushed to autobuild-v4-8-test.
(In reply to Stefan Metzmacher from comment #12) Pushed to v4-8-test.