[PATCH] Crypto use in Samba (was: Re: SMB3 encryption performance)

Michael Ledford michael at ledford.cc
Thu Feb 19 12:32:24 MST 2015 

On Tue, Feb 17, 2015 at 7:24 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> On Tue, Feb 17, 2015 at 1:48 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> > GnuTLS is still looking like the best option on the research so far.  If
>> > we can find a reliable way to build gnutls in a private prefix, then I
>> > think that by the time a release with this support is made (later this
>> > year), a good number of users will be able to take advantage of it one
>> > way or the other.
>>
>> I don't think I quite understood what were saying. Are you suggesting
>> to find a way to prefix all of GnuTLS' methods so they live in its own
>> namespace? Or simply building a version of GnuTLS in a way that it's
>> not actually included in the Samba source tree?
>
> I just mean installing it in or under /usr/local/samba (like we do with
> the install_with_python.sh script) and linking against it with -rpath.
>
>> > If I ever get time to finish updating Heimdal, then the next step for me
>> > in that area is to build only with upstream, getting it out of our tree
>> > and build system.  I would replacing that with a script to build it
>> > using it's own build system, privately.
>> >
>> > Doing the same (automated private build) with GnuTLS would be a good
>> > first step to demonstrating that this is a viable option.
>>
>> How would you propose that this automated private build occur? It
>> seems like you have ideas.
>
> A script or part of our waf build system would shell out to the
> existing, unmodified build system of the GnuTLS project, and install it
> in the right place, ready for us to use.
>
> We could, as we do with other libraries under third_party, build using
> our waf, but I would like to try an alternate approach, as that tends to
> be a lot of work long-term.
>
>> > I think the next step is to see what the interfaces look like when used
>> > in practice.
>>
>> I assume this would be actually integrating GnuTLS into parts of Samba
>> to see what problems or changes would need to take place, if any, to
>> accommodate it?
>
> All this about how to get access to GnuTLS is pretty academic if the
> code either doesn't work, isn't accelerated or is too painful to use (as
> was suggested of libgcrypt).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Here is a patch to include Nettle's supported algorithms in the
REQUIREMENTS document.

Is there a reason not to use Nettle provides everything GnuTLS does
and then some?

Cheers,
Michael

n.b. - This is my first patch so please let me know if I need to do
anything differently.
-------------- next part --------------
From 153ba90073e54c2eeaa5f3137088f50acf161520 Mon Sep 17 00:00:00 2001
From: Michael Ledford <michael at ledford.cc>
Date: Thu, 19 Feb 2015 14:27:28 -0500
Subject: [PATCH] lib/crypto: Document nettle supported crypto

---
 lib/crypto/REQUIREMENTS | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index d0b175f..308586c 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -2,6 +2,7 @@ A list of the crypto operations that we require, and what uses them.
 
 This list is to allow research into using external crypto libraries.
 Those possibly supported in the git version of GnuTLS are indicated as '# GNUTLS'
+Those possibly supported in the git version of nettle are indicated as '# NETTLE'
 
 ARCFOUR (RC4)
  - the old SamOEMHash
@@ -11,6 +12,7 @@ ARCFOUR (RC4)
  - genrate_random_data()
 
  # GNUTLS
+ # NETTLE
 
 DES
  - NTLM challenge-response
@@ -19,9 +21,13 @@ DES
  - ServerGetTrustInfo returned passwords
  - RID encryption of passwords
 
+ # NETTLE
+
 3DES
  - NETLOGON Credentials
 
+ # NETTLE
+
 CRC32
  - DRSUAPI replication replicated secrets
 
@@ -32,13 +38,19 @@ AES CFB8
 AES 128
  - SMB VFS traffic analyzer
 
+ # NETTLE
+
 AES128 CCM
  - SMB2 2.24 SMB encryption
+
  # GNUTLS
+ # NETTLE
 
 AES128 GCM
  - SMB2 3.10 SMB encryption
+
  # GNUTLS
+ # NETTLE
 
 AES128 CMAC
  - SMB2 0x224 SMB Signing
@@ -47,6 +59,8 @@ MD4
  - NTLM password hash
  - genrate_random_number()
 
+ # NETTLE
+
 MD5
  - NTLM2
  - SCHANNEL
@@ -62,36 +76,43 @@ MD5
  - NTP ntp_signd
 
  # GNUTLS
+ # NETTLE
 
 HMAC-MD5
  - NTLMv2
 
  # GNUTLS
+ # NETTLE
 
 HMACSHA256
  - SMB2 < 2.24 SMB signing
  - SMB2 Key derivation
 
  # GNUTLS
+ # NETTLE
 
 HMACSHA1
  - BackupKey ServerWrap
 
  # GNUTLS
+ # NETTLE
 
 SHA256
  - Security Descriptor hash for vfs_acl_xattr
  - oLschema2ldif
 
  # GNUTLS
+ # NETTLE
 
 SHA512
  - SMB2 Pre-auth integrity verification
  - BackupKey ClientWrap
 
  # GNUTLS
+ # NETTLE
 
 RSA
  - BackupKey ClientWrap
 
  # GNUTLS
+ # NETTLE
-- 
2.2.1

More information about the samba-technical mailing list