Samba vs LDAP/SSL ans SHA256 cert on NetBSD
manu at netbsd.org
Fri May 29 03:40:14 MDT 2015
I encountered problems with Samba 3.6.25 being unable to connect
to a LDAP/SSL directory that has a SHA256 certificate. I tracked
it down to a clash between Samba and netBSD's libc SHA256_Update.
Attached is a fix that rename the function when Samba builds on
NetBSD, so that the clash does not happen.
manu at netbsd.org
-------------- next part --------------
>From a9739c041a7eeff2a5d524498f3e1fccd2a39653 Mon Sep 17 00:00:00 2001
From: Emmanuel Dreyfus <manu at netbsd.org>
Date: Fri, 29 May 2015 11:27:28 +0200
Subject: [PATCH] Fix Samba ability to connect to LDAP/SSL with SHA256 cert on
NetBSD's libc and Samba both provide SHA2 functions with the
same protoype but with incompatible private context structures.
This causes connexions to LDAPS/SSL with a SHA256 certificate to
fail, because the LDAP BIND goes through libldap/libssl/libcrypto
and here Samba's SHA256_Update() is used when NetBSD's libc flavor
is expected. This produce this error in smbd logs:
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
We fix this by renaming Samba SHA256 functions on NetBSD so that
libc flavor is always used.
lib/crypto/sha256.h | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/crypto/sha256.h b/lib/crypto/sha256.h
index 7ee8fac..59561ca 100644
@@ -42,7 +42,18 @@
#define HEIM_SHA_H 1
+ * NetBSD has sha1/sha2 functions built-in libc. The prototype
+ * are the same, but the private context are not. Samba-provided
+ * version must be renamed so that they are not used instead of
+ * the libc-expected version when going through
+ * libldap/libssl/libcrypto for ldaps:// connexions.
+ * Without this, Samba cannot connect to a LDAP directory that
+ * has a SHA256 certificate. This rather cryptic error is raised:
+ * error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
/* symbol renaming */
#define SHA1_Init hc_SHA1_Init
#define SHA1_Update hc_SHA1_Update
More information about the samba-technical