Getting Samba out of crypto

Jeremy Allison jra at samba.org
Fri Feb 23 16:24:13 UTC 2018


On Fri, Feb 23, 2018 at 02:59:19PM +1300, Andrew Bartlett wrote:
> On Thu, 2018-02-22 at 16:41 -0800, Jeremy Allison via samba-technical
> wrote:
> > On Thu, Feb 22, 2018 at 04:36:40PM +0100, Stefan Metzmacher via samba-technical wrote:
> > > 
> > > Please find a patch that replaces our nettle usage with using the samba
> > > implementation.
> > > 
> > > I first just replaced the decrypt function and checked that
> > > make -j test TESTS="samba4.dsdb.samdb.ldb_modules.encryed_secrets"
> > > still worked.
> > >  ...
> > > If there's no good alternative, it might be fine, e.g. I think we should
> > > not try to implement SSL/TLS on our own.
> > > 
> > > But if we already have the alternative internally, we can easily avoid
> > > such frustration for our users.
> > > 
> > > Please review and push:-)
> > 
> > Went through this one really carefully, including looking
> > inside the nettle source code to make sure it's doing the
> > same thing :-).
> > 
> > Great work Metze - thanks for reducing our direct dependencies.
> > 
> > One more step towards getting us out of the crypto business
> > altogether, which I'm heartily looking forward to :-).
> > 
> > Reviewed-by: Jeremy Allison <jra at samba.org>
> 
> Thanks for doing that.  I certainly understand the desire to not
> require an additional library for no particularly good reason, but I'm
> still confused, how does making us use the in-tree crypto help us get
> out of the crypto business?

Well, previously we depended on in-tree, gnutls and nettle.
Now we only depend on in-tree and gnutls.

Eventually we'll get to just gnutls, hopefully with
Red Hat help.


