Make sure we do not build Heimdal or crypto code
As we need to rely on GnuTLS for FIPS, remove heimdal and other unused crypto code to ensure we do not build it!
This commit is contained in:
parent
92f6ae3986
commit
5533ff7a7c
77
samba-4.16-waf-crypto.patch
Normal file
77
samba-4.16-waf-crypto.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 4 Apr 2022 11:24:04 +0200
|
||||
Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
|
||||
|
||||
As GnuTLS is an essential part we need to check for it early so we can react on
|
||||
GnuTLS features in other wscripts.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
wscript | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/wscript b/wscript
|
||||
index d8220b35095..5b85d9a1682 100644
|
||||
--- a/wscript
|
||||
+++ b/wscript
|
||||
@@ -189,6 +189,8 @@ def configure(conf):
|
||||
conf.RECURSE('dynconfig')
|
||||
conf.RECURSE('selftest')
|
||||
|
||||
+ conf.PROCESS_SEPARATE_RULE('system_gnutls')
|
||||
+
|
||||
conf.CHECK_CFG(package='zlib', minversion='1.2.3',
|
||||
args='--cflags --libs',
|
||||
mandatory=True)
|
||||
@@ -297,8 +299,6 @@ def configure(conf):
|
||||
if not conf.CONFIG_GET('KRB5_VENDOR'):
|
||||
conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
|
||||
|
||||
- conf.PROCESS_SEPARATE_RULE('system_gnutls')
|
||||
-
|
||||
conf.RECURSE('source4/dsdb/samdb/ldb_modules')
|
||||
conf.RECURSE('source4/ntvfs/sysdep')
|
||||
conf.RECURSE('lib/util')
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 4 Apr 2022 11:25:31 +0200
|
||||
Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
|
||||
provides the cipher
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
third_party/wscript | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/third_party/wscript b/third_party/wscript
|
||||
index 1f4bc1ce1d7..a17c15bcaa7 100644
|
||||
--- a/third_party/wscript
|
||||
+++ b/third_party/wscript
|
||||
@@ -5,7 +5,8 @@ from waflib import Options
|
||||
def configure(conf):
|
||||
conf.RECURSE('cmocka')
|
||||
conf.RECURSE('popt')
|
||||
- conf.RECURSE('aesni-intel')
|
||||
+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
|
||||
+ conf.RECURSE('aesni-intel')
|
||||
if conf.CONFIG_GET('ENABLE_SELFTEST'):
|
||||
conf.RECURSE('socket_wrapper')
|
||||
conf.RECURSE('nss_wrapper')
|
||||
@@ -18,7 +19,8 @@ def configure(conf):
|
||||
def build(bld):
|
||||
bld.RECURSE('cmocka')
|
||||
bld.RECURSE('popt')
|
||||
- bld.RECURSE('aesni-intel')
|
||||
+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
|
||||
+ bld.RECURSE('aesni-intel')
|
||||
if bld.CONFIG_GET('SOCKET_WRAPPER'):
|
||||
bld.RECURSE('socket_wrapper')
|
||||
if bld.CONFIG_GET('NSS_WRAPPER'):
|
||||
--
|
||||
2.35.1
|
||||
|
@ -204,6 +204,8 @@ Source14: samba.pamd
|
||||
Source201: README.downgrade
|
||||
|
||||
Patch0: samba-s4u.patch
|
||||
# https://gitlab.com/samba-team/samba/-/merge_requests/2477
|
||||
Patch1: samba-4.16-waf-crypto.patch
|
||||
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
Requires(post): systemd
|
||||
@ -1062,6 +1064,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
|
||||
xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
|
||||
%autosetup -n samba-%{version}%{pre_release} -p1
|
||||
|
||||
# Ensure we rely on GnuTLS and do not build any other crypto code shipping with
|
||||
# the sources.
|
||||
rm -rf third_party/{aesni-intel,heimdal}
|
||||
rm -f lib/crypto/{aes,rijndael}*.c
|
||||
|
||||
%build
|
||||
%if %{with includelibs}
|
||||
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
|
||||
|
Loading…
Reference in New Issue
Block a user