Samba vs LDAP/SSL and SHA256 cert on NetBSD

Simo simo at samba.org
Tue Jun 2 12:15:42 MDT 2015


On Tue, 2015-06-02 at 10:18 -0700, Jeremy Allison wrote:
> On Sat, May 30, 2015 at 05:36:19AM +0000, Emmanuel Dreyfus wrote:
> > On Fri, May 29, 2015 at 02:37:03PM -0700, Jeremy Allison wrote:
> > > Yes, that looks right !
> > 
> > Attached is an updated patch. 
> > 
> > I tested the configure part and the correct macros are set in 
> > bin/default/include/config.h 
> > 
> > However I was not able to build because of missing python modules. 
> > (your new build system is too modern :-)
> > I assume this config.h will be included by sha256.c -> sha256.h -> replace.h
> > -> config.h ?
> 
> Reviewed-by: Jeremy Allison <jra at samba.org>
> 
> Can I get a second Team reviewer ?

We need to stop using our own, but for the time being +1

Simo.

> > >From 8c17d95a27bf8b519d25ebe2b676917219519239 Mon Sep 17 00:00:00 2001
> > From: Emmanuel Dreyfus <manu at netbsd.org>
> > Date: Sat, 30 May 2015 07:31:01 +0200
> > Subject: [PATCH 3/3] Prevent clashes between system and Samba SHA functions
> > 
> > Samba provides its own set of SHA functions, which would replace
> > libc-provided flavors. This is a problem because while the prototypes
> > are the same, the context structures are different. As a result,
> > when connecting to an LDAP/SSL directory, we go through
> > libldap/libssl/libcrypto and there libcrypto expects to call libc
> > SHA functions, not Samba's.
> > 
> > The fix is to check for SHA function presence and rename Samba's
> > version to avoid a clash.
> > ---
> >  lib/crypto/sha256.h          | 5 ++++-
> >  lib/crypto/sha512.h          | 2 +-
> >  lib/crypto/wscript_configure | 7 +++++++
> >  3 files changed, 12 insertions(+), 2 deletions(-)
> > 
> > diff --git a/lib/crypto/sha256.h b/lib/crypto/sha256.h
> > index 7ee8fac..010dbff 100644
> > --- a/lib/crypto/sha256.h
> > +++ b/lib/crypto/sha256.h
> > @@ -42,11 +42,14 @@
> >   */
> >  #define HEIM_SHA_H 1
> >  
> > -#if 0
> > +#if SHA1_RENAME_NEEDED
> >  /* symbol renaming */
> >  #define SHA1_Init hc_SHA1_Init
> >  #define SHA1_Update hc_SHA1_Update
> >  #define SHA1_Final hc_SHA1_Final
> > +#endif
> > +#if SHA256_RENAME_NEEDED
> > +/* symbol renaming */
> >  #define SHA256_Init hc_SHA256_Init
> >  #define SHA256_Update hc_SHA256_Update
> >  #define SHA256_Final hc_SHA256_Final
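
Review bot: `#if SHA1_RENAME_NEEDED` and `#if SHA256_RENAME_NEEDED` test macros that exist only when configure defines them, so on every other platform they are undefined identifiers, and in all cases the result depends on config.h having been pulled in before this header. Prefer `#ifdef SHA1_RENAME_NEEDED` and `#ifdef SHA256_RENAME_NEEDED` (clean under -Wundef), and make sure the configuration header is included ahead of these tests: if it is not, the rename is skipped without any build error and the context-structure clash described in the commit message returns at run time. The open question in the cover note about the sha256.c -> sha256.h -> replace.h -> config.h chain should be confirmed by an actual build before this is pushed.
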
> > diff --git a/lib/crypto/sha512.h b/lib/crypto/sha512.h
> > index dc394fd..509fd95 100644
> > --- a/lib/crypto/sha512.h
> > +++ b/lib/crypto/sha512.h
> > @@ -36,7 +36,7 @@
> >  #ifndef HEIM_SHA_H
> >  #define HEIM_SHA_H 1
> >  
> > -#if 0
> > +#if SHA512_RENAME_NEEDED
> >  /* symbol renaming */
> >  #define SHA512_Init hc_SHA512_Init
> >  #define SHA512_Update hc_SHA512_Update
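
Review bot: the `#if SHA512_RENAME_NEEDED` block sits behind `#ifndef HEIM_SHA_H`, the same guard name that sha256.h defines in the previous hunk, so as far as the context lines show, a source file that includes sha256.h before sha512.h never reaches the SHA512 renames. Give sha512.h its own guard name, or move the three rename blocks into one shared header, so that the renaming does not depend on include order. The `#if` on a possibly undefined macro has the same -Wundef issue as in sha256.h; `#ifdef` would be safer.
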
> > diff --git a/lib/crypto/wscript_configure b/lib/crypto/wscript_configure
> > index 21ec566..130acec 100644
> > --- a/lib/crypto/wscript_configure
> > +++ b/lib/crypto/wscript_configure
> > @@ -6,3 +6,10 @@ if not conf.CHECK_FUNCS_IN('MD5Init', 'bsd', headers='bsd/md5.h',
> >                          checklibc=True)
> >  conf.CHECK_FUNCS_IN('CC_MD5_Init', '', headers='CommonCrypto/CommonDigest.h',
> >      checklibc=True)
> > +
> > +if conf.CHECK_FUNCS('SHA1_Update'):
> > +	conf.DEFINE('SHA1_RENAME_NEEDED', 1)
> > +if conf.CHECK_FUNCS('SHA256_Update'):
> > +	conf.DEFINE('SHA256_RENAME_NEEDED', 1)
> > +if conf.CHECK_FUNCS('SHA512_Update'):
> > +	conf.DEFINE('SHA512_RENAME_NEEDED', 1)
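
Review bot: the three added checks probe only `SHA1_Update`, `SHA256_Update` and `SHA512_Update`, while the headers rename `_Init`, `_Update` and `_Final` together, and the rename is applied only when the configure-time check happens to find the symbol. Since the `hc_` prefix is harmless on platforms without a system implementation, consider making the rename unconditional (or at least documenting why it is conditional), which removes the risk that a missed detection leaves Samba's functions exported under the system names. Style: the added lines are indented with tabs while the surrounding lines in this file use spaces; please match the file, since mixed indentation in a Python script is fragile.
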
> > -- 
> > 2.3.2
> > 


-- 
Simo Sorce


