The road to removing Samba's internal copy of AES (and perhaps DES?)
Isaac Boukris
iboukris at gmail.com
Thu Oct 3 07:26:47 UTC 2019
Hi
On Wed, Oct 2, 2019 at 7:20 PM Alexander Bokovoy <ab at samba.org> wrote:
>
> On ma, 02 syys 2019, Andrew Bartlett via samba-technical wrote:
> >
> > On a related note, I plan to experiment with implementing our DES code
> > via GnuTLS using the CBC-DES cipher and an all-zero IV. That may let
> > us remove that code as well, becoming essentially crypto-free and
> > therefore honouring FIPS mode correctly in all cases. Do let me know
> > if you happen to experiment in this area so I don't double-up!
>
> But there are other parts where DES is used via libkrb5. They affect
> Samba AD deployment, domain join, tests, etc as MIT Kerberos 1.17
> removed DES support.
>
> Isaac has created WIP branch
> https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118
> which passes autobuilds.
Right, it ifdefs the places where samba generates DES keys, i've
turned it into wip merge-request for better visibility:
https://gitlab.com/samba-team/samba/merge_requests/829
I was meaning to consult about this, with the removal of single DES
enctypes from upstream MIT, would it be ok to remove their usage from
samba too ? That would make the UAC flag USE_DES_KEY_ONLY
non-functional but I guess that's fine, any other considerations ?
Thanks!
More information about the samba-technical
mailing list