Make sure we do not build Heimdal or crypto code

As we need to rely on GnuTLS for FIPS, remove heimdal and other unused
crypto code to ensure we do not build it!
This commit is contained in:
Andreas Schneider 2022-04-04 11:32:12 +02:00
parent 92f6ae3986
commit 5533ff7a7c
2 changed files with 84 additions and 0 deletions

View File

@ -0,0 +1,77 @@
From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Apr 2022 11:24:04 +0200
Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
As GnuTLS is an essential part we need to check for it early so we can react on
GnuTLS features in other wscripts.
Signed-off-by: Andreas Schneider <asn@samba.org>
---
wscript | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wscript b/wscript
index d8220b35095..5b85d9a1682 100644
--- a/wscript
+++ b/wscript
@@ -189,6 +189,8 @@ def configure(conf):
conf.RECURSE('dynconfig')
conf.RECURSE('selftest')
+ conf.PROCESS_SEPARATE_RULE('system_gnutls')
+
conf.CHECK_CFG(package='zlib', minversion='1.2.3',
args='--cflags --libs',
mandatory=True)
@@ -297,8 +299,6 @@ def configure(conf):
if not conf.CONFIG_GET('KRB5_VENDOR'):
conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
- conf.PROCESS_SEPARATE_RULE('system_gnutls')
-
conf.RECURSE('source4/dsdb/samdb/ldb_modules')
conf.RECURSE('source4/ntvfs/sysdep')
conf.RECURSE('lib/util')
--
2.35.1
From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Apr 2022 11:25:31 +0200
Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
provides the cipher
Signed-off-by: Andreas Schneider <asn@samba.org>
---
third_party/wscript | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/third_party/wscript b/third_party/wscript
index 1f4bc1ce1d7..a17c15bcaa7 100644
--- a/third_party/wscript
+++ b/third_party/wscript
@@ -5,7 +5,8 @@ from waflib import Options
def configure(conf):
conf.RECURSE('cmocka')
conf.RECURSE('popt')
- conf.RECURSE('aesni-intel')
+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
+ conf.RECURSE('aesni-intel')
if conf.CONFIG_GET('ENABLE_SELFTEST'):
conf.RECURSE('socket_wrapper')
conf.RECURSE('nss_wrapper')
@@ -18,7 +19,8 @@ def configure(conf):
def build(bld):
bld.RECURSE('cmocka')
bld.RECURSE('popt')
- bld.RECURSE('aesni-intel')
+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
+ bld.RECURSE('aesni-intel')
if bld.CONFIG_GET('SOCKET_WRAPPER'):
bld.RECURSE('socket_wrapper')
if bld.CONFIG_GET('NSS_WRAPPER'):
--
2.35.1

View File

@ -204,6 +204,8 @@ Source14: samba.pamd
Source201: README.downgrade
Patch0: samba-s4u.patch
# https://gitlab.com/samba-team/samba/-/merge_requests/2477
Patch1: samba-4.16-waf-crypto.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -1062,6 +1064,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
%autosetup -n samba-%{version}%{pre_release} -p1
# Ensure we rely on GnuTLS and do not build any other crypto code shipping with
# the sources.
rm -rf third_party/{aesni-intel,heimdal}
rm -f lib/crypto/{aes,rijndael}*.c
%build
%if %{with includelibs}
%global _talloc_lib ,talloc,pytalloc,pytalloc-util