[PATCH] Crypto use in Samba (was: Re: SMB3 encryption performance)

Simo simo at samba.org
Tue Feb 17 12:38:58 MST 2015


On Tue, 2015-02-17 at 15:45 +0100, Volker Lendecke wrote:
> On Tue, Feb 17, 2015 at 09:36:25AM -0500, Michael Ledford wrote:
> > > Ok, I believe then we should postpone this whole effort to the point
> > > when Debian and RHEL by default ship GnuTLS versions that do all we need.
> > 
> > That's a shame.
> 
> Well, so is the state of crypto libraries in Unix it seems.  Nothing that
> we can change. OpenSSL is screwed due to the License issue, GnuTLS is
> not up to par feature-wise, and I don't want to go down the path of some
> obscure library that we get dissed over in Debian again. Happened to us
> with iniparser, won't go there again.
> 
> > It looks like GnuTLS is aiming for a March release of 3.4
> 
> This means we have to wait for RHEL8 and Debian next until we can
> reasonably make use of this in the field, in case both happen to pick
> it up in time.

We can start using ifdefs, so that we are ready to pick it up, distros
w/o a recent enough library will just have fewer features or fall back to
non-accelerated versions (if we happen to already have crypto functions
lying around).

> > <http://nmav.gnutls.org/2014/12/a-quick-overview-of-gnutls-development.html>
> > which as Andrew pointed out, thank you for looking I totally missed
> > it, does have the support needed.
> > 
> > Is there anything that could be done to move this forward in the meantime?
> 
> Even if we don't ship anything in Samba upstream because we can't afford
> to do crypto on our own, I would be happy to review/test/host appropriate
> patches somewhere external for interested OEMs and people who can
> compile Samba on their own.

Indeed we can ship with ifdefs on GnuTLS or whatever, OEMs/people can
drag in the appropriate version on their own if they need the latest
crypto features.

Simo.

-- 
Simo Sorce


