Getting Samba out of crypto

Andrew Bartlett abartlet at
Fri Feb 23 01:59:19 UTC 2018

On Thu, 2018-02-22 at 16:41 -0800, Jeremy Allison via samba-technical
> On Thu, Feb 22, 2018 at 04:36:40PM +0100, Stefan Metzmacher via samba-technical wrote:
> > 
> > Please find a patch that replaces our nettle usage with using the samba
> > implementation.
> > 
> > I first just replaced the decrypt function and checked that
> > make -j test TESTS="samba4.dsdb.samdb.ldb_modules.encryed_secrets"
> > still worked.
> >  ...
> > If there's no good alternative, it might be fine, e.g. I think we should
> > not try to implement SSL/TLS on our own.
> > 
> > But if we already have the alternative internally, we can easily avoid
> > such frustration for our users.
> > 
> > Please review and push:-)
> Went through this one really carefully, including looking
> inside the nettle source code to make sure it's doing the
> same thing :-).
> Great work Metze - thanks for reducing our direct dependencies.
> One more step towards getting us out of the crypto business
> altogether, which I'm heartily looking forward to :-).
> Reviewed-by: Jeremy Allison <jra at>

Thanks for doing that.  I certainly understand the desire to not
require an additional library for no particularly good reason, but I'm
still confused: how does making us use the in-tree crypto help us get
out of the crypto business?

Because that would be the opposite, porting Samba's use of internal
libraries to widely available external libs one call at a time, till we
can remove the internal code. 

GnuTLS appears to be the long term option, but it is really long term,
like 5 years away, being the time between the tickets being resolved
into commits and that being included in Fedora, then RHEL, then being
actually deployed widely enough that we can rely on it. 

On the flip side, this call is in libnettle now and that is in EPEL for

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
