Make sure we do not build Heimdal or crypto code

As we need to rely on GnuTLS for FIPS, remove heimdal and other unused crypto code to ensure we do not build it!
2022-04-04 11:32:12 +02:00 · 2022-04-04 11:32:12 +02:00 · 5533ff7a7c
parent 92f6ae3986
commit 5533ff7a7c
2 changed files with 84 additions and 0 deletions
--- a/samba-4.16-waf-crypto.patch
+++ b/samba-4.16-waf-crypto.patch
@ -0,0 +1,77 @@
+From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Apr 2022 11:24:04 +0200
+Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
+
+As GnuTLS is an essential part we need to check for it early so we can react on
+GnuTLS features in other wscripts.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ wscript | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wscript b/wscript
+index d8220b35095..5b85d9a1682 100644
+--- a/wscript
+++ b/wscript
+@@ -189,6 +189,8 @@ def configure(conf):
+     conf.RECURSE('dynconfig')
+     conf.RECURSE('selftest')
+ 
+    conf.PROCESS_SEPARATE_RULE('system_gnutls')
+
+     conf.CHECK_CFG(package='zlib', minversion='1.2.3',
+                    args='--cflags --libs',
+                    mandatory=True)
+@@ -297,8 +299,6 @@ def configure(conf):
+     if not conf.CONFIG_GET('KRB5_VENDOR'):
+         conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
+ 
+-    conf.PROCESS_SEPARATE_RULE('system_gnutls')
+-
+     conf.RECURSE('source4/dsdb/samdb/ldb_modules')
+     conf.RECURSE('source4/ntvfs/sysdep')
+     conf.RECURSE('lib/util')
+-- 
+2.35.1
+
+
+From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Apr 2022 11:25:31 +0200
+Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
+ provides the cipher
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ third_party/wscript | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/third_party/wscript b/third_party/wscript
+index 1f4bc1ce1d7..a17c15bcaa7 100644
+--- a/third_party/wscript
+++ b/third_party/wscript
+@@ -5,7 +5,8 @@ from waflib import Options
+ def configure(conf):
+     conf.RECURSE('cmocka')
+     conf.RECURSE('popt')
+-    conf.RECURSE('aesni-intel')
+    if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
+        conf.RECURSE('aesni-intel')
+     if conf.CONFIG_GET('ENABLE_SELFTEST'):
+         conf.RECURSE('socket_wrapper')
+         conf.RECURSE('nss_wrapper')
+@@ -18,7 +19,8 @@ def configure(conf):
+ def build(bld):
+     bld.RECURSE('cmocka')
+     bld.RECURSE('popt')
+-    bld.RECURSE('aesni-intel')
+    if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
+        bld.RECURSE('aesni-intel')
+     if bld.CONFIG_GET('SOCKET_WRAPPER'):
+         bld.RECURSE('socket_wrapper')
+     if bld.CONFIG_GET('NSS_WRAPPER'):
+-- 
+2.35.1
+
--- a/samba.spec
+++ b/samba.spec
@ -204,6 +204,8 @@ Source14:       samba.pamd
 Source201:      README.downgrade

 Patch0:         samba-s4u.patch
+# https://gitlab.com/samba-team/samba/-/merge_requests/2477
+Patch1:         samba-4.16-waf-crypto.patch

 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@ -1062,6 +1064,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %autosetup -n samba-%{version}%{pre_release} -p1

+# Ensure we rely on GnuTLS and do not build any other crypto code shipping with
+# the sources.
+rm -rf third_party/{aesni-intel,heimdal}
+rm -f lib/crypto/{aes,rijndael}*.c
+
 %build
 %if %{with includelibs}
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util