The road to removing Samba's internal copy of AES (and perhaps DES?)
Andreas Schneider
asn at samba.org
Wed Oct 2 08:20:24 UTC 2019
On Monday, 2 September 2019 04:03:57 CEST Andrew Bartlett via samba-technical
wrote:
> G'Day,
>
> I wanted to write to update the list on where we are at with removing
> cryptographic code from Samba.
>
> We now absolutely rely on GnuTLS 3.4.7 or later, which has allowed us
> to delete a great deal of such duplicate code.
>
> We do still have AES code, for the AES CFB8 and CMAC functions.
>
> These could probably be open-coded against raw AES routines from
> GnuTLS, but for now I would rather not go down that route.
>
> The operating systems that do not supply that[1], in our CI system are:
> - CentOS7
> - Ubuntu 16.04
> - Ubuntu 18.04
> - Debian 9
>
> By April 2020 we should have a new Ubuntu LTS, Debian 10 is already out
> and CentOS8 will be available. (And we already backport GnuTLS for
> CentOS7 regardless).
>
> So I would propose we remove the fallback internal code after Ubuntu
> 20.04 is released, or discuss it earlier if we can get a newer backport
> package for the above.
>
> On a related note, I plan to experiment with implementing our DES code
> via GnuTLS using the CBC-DES cipher and an all-zero IV. That may let
> us remove that code as well, becoming essentially crypto-free and
> therefore honouring FIPS mode correctly in all cases. Do let me know
> if you happen to experiment in this area so I don't double-up!

That's an interesting idea!

I'm currently working on further performance improvements for SMB3 encryption.

Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D