Samba vs LDAP/SSL ans SHA256 cert on NetBSD

Emmanuel Dreyfus manu at
Fri May 29 03:40:14 MDT 2015


I encountered problems with Samba 3.6.25 being unable to connect
to a LDAP/SSL directory that has a SHA256 certificate. I tracked 
it down to a clash between Samba and netBSD's libc SHA256_Update.

Attached is a fix that rename the function when Samba builds on 
NetBSD, so that the clash does not happen.

Emmanuel Dreyfus
manu at
-------------- next part --------------
>From a9739c041a7eeff2a5d524498f3e1fccd2a39653 Mon Sep 17 00:00:00 2001
From: Emmanuel Dreyfus <manu at>
Date: Fri, 29 May 2015 11:27:28 +0200
Subject: [PATCH] Fix Samba ability to connect to LDAP/SSL with SHA256 cert on

NetBSD's libc and Samba both provide SHA2 functions with the
same protoype but with incompatible private context structures.
This causes connexions to LDAPS/SSL with a SHA256 certificate to
fail, because the LDAP BIND goes through libldap/libssl/libcrypto
and here Samba's SHA256_Update() is used when NetBSD's libc flavor
is expected. This produce this error in smbd logs:
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

We fix this by renaming Samba SHA256 functions on NetBSD so that
libc flavor is always used.
 lib/crypto/sha256.h | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/crypto/sha256.h b/lib/crypto/sha256.h
index 7ee8fac..59561ca 100644
--- a/lib/crypto/sha256.h
+++ b/lib/crypto/sha256.h
@@ -42,7 +42,18 @@
 #define HEIM_SHA_H 1
-#if 0
+ * NetBSD has sha1/sha2 functions built-in libc. The prototype
+ * are the same, but the private context are not. Samba-provided
+ * version must be renamed so that they are not used instead of 
+ * the libc-expected version when going through 
+ * libldap/libssl/libcrypto for ldaps:// connexions.
+ * 
+ * Without this, Samba cannot connect to a LDAP directory that
+ * has a SHA256 certificate. This rather cryptic error is raised:
+ * error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
+ */
+#if defined(__NetBSD__)
 /* symbol renaming */
 #define SHA1_Init hc_SHA1_Init
 #define SHA1_Update hc_SHA1_Update

More information about the samba-technical mailing list