The road to removing Samba's internal copy of AES (and perhaps DES?)

Isaac Boukris iboukris at
Thu Oct 3 07:26:47 UTC 2019


On Wed, Oct 2, 2019 at 7:20 PM Alexander Bokovoy <ab at> wrote:
> On ma, 02 syys 2019, Andrew Bartlett via samba-technical wrote:
> >
> > On a related note, I plan to experiment with implementing our DES code
> > via GnuTLS using the CBC-DES cipher and an all-zero IV.  That may let
> > us remove that code as well, becoming essentially crypto-free and
> > therefore honouring FIPS mode correctly in all cases.  Do let me know
> > if you happen to experiment in this area so I don't double-up!
> But there are other parts where DES is used via libkrb5. They affect
> Samba AD deployment, domain join, tests, etc as MIT Kerberos 1.17
> removed DES support.
> Isaac has created WIP branch
> which passes autobuilds.

Right, it ifdefs the places where samba generates DES keys, i've
turned it into wip merge-request for better visibility:

I was meaning to consult about this, with the removal of single DES
enctypes from upstream MIT, would it be ok to remove their usage from
samba too ? That would make the UAC flag USE_DES_KEY_ONLY
non-functional but I guess that's fine, any other considerations ?


More information about the samba-technical mailing list