From 2b49e8b7ad0166048bdd6c94eb288d95e6f60420 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 22 Feb 2018 15:56:45 +0100 Subject: [PATCH] dsdb/encrypted_secrets: remove dependency to libnettle and use our own aes_gcm_128_*() We already rely on gnutls in order to implement SSL/TLS, so using that to speed up crypto like aes gcm 128 is fine, but as we already have code for that algorithm, we should use that instead of adding a new dependency to libnettle. Some (I guess newer versions) of gnutls use nettle internally, so we may end up using that code, but we should not have a direct dependency. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13276 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Reviewed-by: Andrew Bartlett (cherry picked from commit 07844a9a13506b4ca9181cfde05d9e4170208f88) --- source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 278 +++++++-------------- .../ldb_modules/tests/test_encrypted_secrets.c | 54 ++-- source4/dsdb/samdb/ldb_modules/wscript | 22 -- source4/dsdb/samdb/ldb_modules/wscript_build | 1 - .../dsdb/samdb/ldb_modules/wscript_build_server | 1 - 5 files changed, 111 insertions(+), 245 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c index 226f62f641e..34c44c7bd9f 100644 --- a/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c +++ b/source4/dsdb/samdb/ldb_modules/encrypted_secrets.c @@ -27,8 +27,8 @@ * to protect the key. * * Data is encrypted with AES 128 GCM. The encryption uses gnutls where - * available and if it supports AES 128 GCM AEAD modes, otherwise nettle is - * used. + * available and if it supports AES 128 GCM AEAD modes, otherwise the + * samba internal implementation is used. * */ @@ -40,17 +40,15 @@ #include "dsdb/samdb/ldb_modules/util.h" #ifdef TEST_ENCRYPTED_SECRETS - #ifdef HAVE_NETTLE_AES_GCM - #define BUILD_WITH_NETTLE_AES_GCM - #endif + #define BUILD_WITH_SAMBA_AES_GCM #ifdef HAVE_GNUTLS_AEAD #define BUILD_WITH_GNUTLS_AEAD #endif #else #ifdef HAVE_GNUTLS_AEAD #define BUILD_WITH_GNUTLS_AEAD - #elif defined HAVE_NETTLE_AES_GCM - #define BUILD_WITH_NETTLE_AES_GCM + #else + #define BUILD_WITH_SAMBA_AES_GCM #endif #endif @@ -59,9 +57,9 @@ #include #endif /* BUILD_WITH_GNUTLS_AEAD */ -#ifdef BUILD_WITH_NETTLE_AES_GCM - #include -#endif /* BUILD_WITH_NETTLE_AES_GCM */ +#ifdef BUILD_WITH_SAMBA_AES_GCM + #include "lib/crypto/crypto.h" +#endif /* BUILD_WITH_SAMBA_AES_GCM */ static const char * const secret_attributes[] = {DSDB_SECRET_ATTRIBUTES}; static const size_t num_secret_attributes = ARRAY_SIZE(secret_attributes); @@ -72,85 +70,6 @@ static const size_t num_secret_attributes = ARRAY_SIZE(secret_attributes); #define SECRETS_KEY_FILE "encrypted_secrets.key" -#ifdef BUILD_WITH_NETTLE_AES_GCM -/* - * Details of a nettle encryption algorithm - */ - -#ifndef AES128_KEY_SIZE - #define AES128_KEY_SIZE 16 - #define NETTLE_SIZE_TYPE unsigned -#else - #define NETTLE_SIZE_TYPE size_t -#endif -#ifndef GCM_DIGEST_SIZE - #define GCM_DIGEST_SIZE 16 -#endif -struct nettle_details { - size_t context_size; /* Size of the nettle encryption context */ - size_t block_size; /* Cipher block size */ - size_t key_size; /* Size of the key */ - size_t iv_size; /* Size of the initialisation routine */ - size_t tag_size; /* Size of the aead tag */ - /* - * Function to load the encryption key into the context - */ - void (*set_key)(struct gcm_aes_ctx *, - NETTLE_SIZE_TYPE, - const uint8_t *); - /* - * Function to load the initialisation vector into the context - */ - void (*set_iv)(struct gcm_aes_ctx *, NETTLE_SIZE_TYPE, const uint8_t *); - /* - * Function to encrypt data - */ - void (*encrypt) - (struct gcm_aes_ctx *, - NETTLE_SIZE_TYPE, - uint8_t *, - const uint8_t *); - /* - * Function to decrypt data - */ - void (*decrypt) - (struct gcm_aes_ctx *, - NETTLE_SIZE_TYPE, - uint8_t *, - const uint8_t *); - /* - * Function to add extra authentication data to the context. - */ - void (*update)(struct gcm_aes_ctx *, NETTLE_SIZE_TYPE, const uint8_t *); - /* - * Function returning the authentication tag data - */ - void (*digest)(struct gcm_aes_ctx *, NETTLE_SIZE_TYPE, uint8_t *); -}; - -/* - * Configuration of the supported nettle algorithms - */ -static struct nettle_details nettle_algorithms[] = { - /* Algorithms are numbered from 1, so element 0 is empty */ - {}, - /* AES-GCM 128 */ - { - .context_size = sizeof(struct gcm_aes_ctx), - .block_size = GCM_BLOCK_SIZE, - .key_size = AES128_KEY_SIZE, - .iv_size = GCM_IV_SIZE, - .tag_size = GCM_DIGEST_SIZE, - .set_key = gcm_aes_set_key, - .set_iv = gcm_aes_set_iv, - .encrypt = gcm_aes_encrypt, - .decrypt = gcm_aes_decrypt, - .update = gcm_aes_update, - .digest = gcm_aes_digest, - } -}; -#endif /* BUILD_WITH_NETTLE_AES_GCM*/ - struct es_data { /* * Should secret attributes be encrypted and decrypted? @@ -379,6 +298,7 @@ static bool should_encrypt(const struct ldb_message_element *el) * * @return Size rounded up to the nearest multiple of block_size */ +#ifdef BUILD_WITH_GNUTLS_AEAD static size_t round_to_block_size(size_t block_size, size_t size) { if ((size % block_size) == 0) { @@ -387,6 +307,7 @@ static size_t round_to_block_size(size_t block_size, size_t size) return ((int)(size/block_size) + 1) * block_size; } } +#endif /* BUILD_WITH_GNUTLS_AEAD */ /* * @brief Create an new EncryptedSecret owned by the supplied talloc context. @@ -453,11 +374,11 @@ static DATA_BLOB makePlainText(TALLOC_CTX *ctx, return pt; } -#ifdef BUILD_WITH_NETTLE_AES_GCM +#ifdef BUILD_WITH_SAMBA_AES_GCM /* * @brief Encrypt an ldb value using an aead algorithm. * - * This function uses lib nettle directly to perform the encryption. However + * This function uses the samba internal implementation to perform the encryption. However * the encrypted data and tag are stored in a manner compatible with gnutls, * so the gnutls aead functions can be used to decrypt and verify the data. * @@ -472,22 +393,19 @@ static DATA_BLOB makePlainText(TALLOC_CTX *ctx, * * @return The encrypted ldb_val, or data_blob_null if there was an error. */ -static struct ldb_val nettle_encrypt_aead(int *err, - TALLOC_CTX *ctx, - struct ldb_context *ldb, - const struct ldb_val val, - const struct es_data *data) +static struct ldb_val samba_encrypt_aead(int *err, + TALLOC_CTX *ctx, + struct ldb_context *ldb, + const struct ldb_val val, + const struct es_data *data) { + struct aes_gcm_128_context cctx; struct EncryptedSecret *es = NULL; DATA_BLOB pt = data_blob_null; - const struct nettle_details *ntl = NULL; - void *ntl_ctx = NULL; struct ldb_val enc = data_blob_null; DATA_BLOB key_blob = data_blob_null; int rc; - TALLOC_CTX *frame = talloc_stackframe(); - ntl = &nettle_algorithms[SECRET_ENCRYPTION_ALGORITHM]; es = makeEncryptedSecret(ldb, frame); if (es == NULL) { @@ -499,73 +417,61 @@ static struct ldb_val nettle_encrypt_aead(int *err, goto error_exit; } - ntl_ctx = talloc_zero_size(frame, ntl->context_size); - if (ntl_ctx == NULL) { - ldb_set_errstring(ldb, - "Out of memory allocating nettle " - "encryption context\n"); - goto error_exit; - } - /* * Set the encryption key */ key_blob = get_key(data); - if (key_blob.length != ntl->key_size) { + if (key_blob.length != AES_BLOCK_SIZE) { ldb_asprintf_errstring(ldb, "Invalid EncryptedSecrets key size, " - "expected %zu bytes and is %zu bytes\n", - ntl->key_size, + "expected %u bytes and is %zu bytes\n", + AES_BLOCK_SIZE, key_blob.length); goto error_exit; } - ntl->set_key(ntl_ctx, key_blob.length, key_blob.data); /* * Set the initialisation vector */ { - uint8_t *iv = talloc_zero_size(frame, ntl->iv_size); + uint8_t *iv = talloc_zero_size(frame, AES_GCM_128_IV_SIZE); if (iv == NULL) { ldb_set_errstring(ldb, "Out of memory allocating iv\n"); goto error_exit; } - generate_random_buffer(iv, ntl->iv_size); + generate_random_buffer(iv, AES_GCM_128_IV_SIZE); - es->iv.length = ntl->iv_size; + es->iv.length = AES_GCM_128_IV_SIZE; es->iv.data = iv; - ntl->set_iv(ntl_ctx, es->iv.length, es->iv.data); } /* - * Set the extra authentication data - */ - ntl->update(ntl_ctx, - sizeof(struct EncryptedSecretHeader), - (uint8_t *)&es->header); - - /* * Encrypt the value, and append the GCM digest to the encrypted * data so that it can be decrypted and validated by the * gnutls aead decryption routines. */ { - const unsigned tag_size = ntl->tag_size; - const size_t ed_size = round_to_block_size( - ntl->block_size, - sizeof(struct PlaintextSecret) + val.length); - const size_t en_size = ed_size + tag_size; - uint8_t *ct = talloc_zero_size(frame, en_size); - - ntl->encrypt(ntl_ctx, pt.length, ct, pt.data); - ntl->digest(ntl_ctx, tag_size, &ct[pt.length]); + uint8_t *ct = talloc_zero_size(frame, pt.length + AES_BLOCK_SIZE); + if (ct == NULL) { + ldb_oom(ldb); + goto error_exit; + } - es->encrypted.length = pt.length + tag_size; + memcpy(ct, pt.data, pt.length); + es->encrypted.length = pt.length + AES_BLOCK_SIZE; es->encrypted.data = ct; } + aes_gcm_128_init(&cctx, key_blob.data, es->iv.data); + aes_gcm_128_updateA(&cctx, + (uint8_t *)&es->header, + sizeof(struct EncryptedSecretHeader)); + aes_gcm_128_crypt(&cctx, es->encrypted.data, pt.length); + aes_gcm_128_updateC(&cctx, es->encrypted.data, pt.length); + aes_gcm_128_digest(&cctx, &es->encrypted.data[pt.length]); + rc = ndr_push_struct_blob(&enc, ctx, es, @@ -589,7 +495,7 @@ static struct ldb_val nettle_encrypt_aead(int *err, * @brief Decrypt data encrypted using an aead algorithm. * * Decrypt the data in ed and insert it into ev. The data was encrypted - * with one of the nettle aead compatable algorithms. + * with the samba aes gcm implementation. * * @param err Pointer to an error code, set to: * LDB_SUCESS If the value was successfully decrypted @@ -603,53 +509,53 @@ static struct ldb_val nettle_encrypt_aead(int *err, * * @return ev is updated with the unencrypted data. */ -static void nettle_decrypt_aead(int *err, - TALLOC_CTX *ctx, - struct ldb_context *ldb, - struct EncryptedSecret *es, - struct PlaintextSecret *ps, - const struct es_data *data) +static void samba_decrypt_aead(int *err, + TALLOC_CTX *ctx, + struct ldb_context *ldb, + struct EncryptedSecret *es, + struct PlaintextSecret *ps, + const struct es_data *data) { - - const struct nettle_details *ntl = - &nettle_algorithms[es->header.algorithm]; - const unsigned tag_size = ntl->tag_size; - void *ntl_ctx = NULL; + struct aes_gcm_128_context cctx; DATA_BLOB pt = data_blob_null; DATA_BLOB key_blob = data_blob_null; + uint8_t sig[AES_BLOCK_SIZE] = {0, }; int rc; - + int cmp; TALLOC_CTX *frame = talloc_stackframe(); - - ntl_ctx = talloc_zero_size(frame, ntl->context_size); - if (ntl_ctx == NULL) { - ldb_set_errstring(ldb, - "Out of memory allocating nettle " - "encryption context\n"); - goto error_exit; - } - /* * Set the encryption key */ key_blob = get_key(data); - if (key_blob.length != ntl->key_size) { + if (key_blob.length != AES_BLOCK_SIZE) { ldb_asprintf_errstring(ldb, "Invalid EncryptedSecrets key size, " - "expected %zu bytes and is %zu bytes\n", - ntl->key_size, + "expected %u bytes and is %zu bytes\n", + AES_BLOCK_SIZE, key_blob.length); goto error_exit; } - ntl->set_key(ntl_ctx, key_blob.length, key_blob.data); - ntl->set_iv(ntl_ctx, es->iv.length, es->iv.data); - ntl->update(ntl_ctx, - sizeof(struct EncryptedSecretHeader), - (uint8_t *)&es->header); + if (es->iv.length < AES_GCM_128_IV_SIZE) { + ldb_asprintf_errstring(ldb, + "Invalid EncryptedSecrets iv size, " + "expected %u bytes and is %zu bytes\n", + AES_GCM_128_IV_SIZE, + es->iv.length); + goto error_exit; + } + + if (es->encrypted.length < AES_BLOCK_SIZE) { + ldb_asprintf_errstring(ldb, + "Invalid EncryptedData size, " + "expected %u bytes and is %zu bytes\n", + AES_BLOCK_SIZE, + es->encrypted.length); + goto error_exit; + } - pt.length = es->encrypted.length - tag_size; + pt.length = es->encrypted.length - AES_BLOCK_SIZE; pt.data = talloc_zero_size(ctx, pt.length); if (pt.data == NULL) { ldb_set_errstring(ldb, @@ -657,29 +563,25 @@ static void nettle_decrypt_aead(int *err, "plain text\n"); goto error_exit; } - ntl->decrypt(ntl_ctx, pt.length, pt.data, es->encrypted.data); + memcpy(pt.data, es->encrypted.data, pt.length); + + aes_gcm_128_init(&cctx, key_blob.data, es->iv.data); + aes_gcm_128_updateA(&cctx, + (uint8_t *)&es->header, + sizeof(struct EncryptedSecretHeader)); + aes_gcm_128_updateC(&cctx, pt.data, pt.length); + aes_gcm_128_crypt(&cctx, pt.data, pt.length); + aes_gcm_128_digest(&cctx, sig); /* * Check the authentication tag */ - { - uint8_t *tag = talloc_zero_size(frame, tag_size); - if (tag == NULL) { - ldb_set_errstring(ldb, - "Out of memory allocating tag\n"); - goto error_exit; - } - - ntl->digest(ntl_ctx, tag_size, tag); - if (memcmp(&es->encrypted.data[pt.length], - tag, - tag_size) != 0) { - - ldb_set_errstring(ldb, - "Tag does not match, " - "data corrupted or altered\n"); - goto error_exit; - } + cmp = memcmp(&es->encrypted.data[pt.length], sig, AES_BLOCK_SIZE); + if (cmp != 0) { + ldb_set_errstring(ldb, + "Tag does not match, " + "data corrupted or altered\n"); + goto error_exit; } rc = ndr_pull_struct_blob(&pt, @@ -702,7 +604,7 @@ static void nettle_decrypt_aead(int *err, TALLOC_FREE(frame); return; } -#endif /* BUILD_WITH_NETTLE_AES_GCM */ +#endif /* BUILD_WITH_SAMBA_AES_GCM */ #ifdef BUILD_WITH_GNUTLS_AEAD @@ -1071,8 +973,8 @@ static struct ldb_val encrypt_value(int *err, { #ifdef BUILD_WITH_GNUTLS_AEAD return gnutls_encrypt_aead(err, ctx, ldb, val, data); -#elif defined BUILD_WITH_NETTLE_AES_GCM - return nettle_encrypt_aead(err, ctx, ldb, val, data); +#elif defined BUILD_WITH_SAMBA_AES_GCM + return samba_encrypt_aead(err, ctx, ldb, val, data); #endif } @@ -1305,8 +1207,8 @@ static struct ldb_val decrypt_value(int *err, } #ifdef BUILD_WITH_GNUTLS_AEAD gnutls_decrypt_aead(err, frame, ldb, &es, &ps, data); -#elif defined BUILD_WITH_NETTLE_AES_GCM - nettle_decrypt_aead(err, frame, ldb, &es, &ps, data); +#elif defined BUILD_WITH_SAMBA_AES_GCM + samba_decrypt_aead(err, frame, ldb, &es, &ps, data); #endif if (*err != LDB_SUCCESS) { diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c index 7c1363156c4..4aa325635ce 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c +++ b/source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c @@ -392,11 +392,10 @@ static void test_gnutls_value_encryption(void **state) &plain_text)); } -#ifdef HAVE_NETTLE_AES_GCM { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -412,7 +411,6 @@ static void test_gnutls_value_encryption(void **state) &decrypted->cleartext, &plain_text)); } -#endif /* HAVE_NETTLE_AES_GCM */ } #endif /* HAVE_GNUTLS_AEAD */ @@ -616,11 +614,10 @@ static void test_gnutls_altered_iv(void **state) } } #endif /* HAVE_GNUTLS_AEAD */ -#ifdef HAVE_NETTLE_AES_GCM /* - * Test nettle encryption and decryption and decryption. + * Test samba encryption and decryption and decryption. */ -static void test_nettle_value_encryption(void **state) +static void test_samba_value_encryption(void **state) { struct ldbtest_ctx *test_ctx = talloc_get_type_abort(*state, struct ldbtest_ctx); @@ -635,7 +632,7 @@ static void test_nettle_value_encryption(void **state) int rc; plain_text = data_blob_string_const("A text value"); - cipher_text = nettle_encrypt_aead( + cipher_text = samba_encrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -677,7 +674,7 @@ static void test_nettle_value_encryption(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -695,10 +692,8 @@ static void test_nettle_value_encryption(void **state) } } -#endif /* HAVE_NETTLE_AES_GCM */ -#ifdef HAVE_NETTLE_AES_GCM -static void test_nettle_altered_header(void **state) +static void test_samba_altered_header(void **state) { struct ldbtest_ctx *test_ctx = talloc_get_type_abort(*state, struct ldbtest_ctx); @@ -713,7 +708,7 @@ static void test_nettle_altered_header(void **state) int rc; plain_text = data_blob_string_const("A text value"); - cipher_text = nettle_encrypt_aead( + cipher_text = samba_encrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -732,7 +727,7 @@ static void test_nettle_altered_header(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -752,7 +747,7 @@ static void test_nettle_altered_header(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -762,10 +757,8 @@ static void test_nettle_altered_header(void **state) assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); } } -#endif /* HAVE_NETTLE_AES_GCM */ -#ifdef HAVE_NETTLE_AES_GCM -static void test_nettle_altered_data(void **state) +static void test_samba_altered_data(void **state) { struct ldbtest_ctx *test_ctx = talloc_get_type_abort(*state, struct ldbtest_ctx); @@ -780,7 +773,7 @@ static void test_nettle_altered_data(void **state) int rc; plain_text = data_blob_string_const("A text value"); - cipher_text = nettle_encrypt_aead( + cipher_text = samba_encrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -799,7 +792,7 @@ static void test_nettle_altered_data(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -819,7 +812,7 @@ static void test_nettle_altered_data(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -829,10 +822,8 @@ static void test_nettle_altered_data(void **state) assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); } } -#endif /* HAVE_NETTLE_AES_GCM */ -#ifdef HAVE_NETTLE_AES_GCM -static void test_nettle_altered_iv(void **state) +static void test_samba_altered_iv(void **state) { struct ldbtest_ctx *test_ctx = talloc_get_type_abort(*state, struct ldbtest_ctx); @@ -847,7 +838,7 @@ static void test_nettle_altered_iv(void **state) int rc; plain_text = data_blob_string_const("A text value"); - cipher_text = nettle_encrypt_aead( + cipher_text = samba_encrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -866,7 +857,7 @@ static void test_nettle_altered_iv(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -886,7 +877,7 @@ static void test_nettle_altered_iv(void **state) { struct PlaintextSecret *decrypted = talloc_zero(test_ctx, struct PlaintextSecret); - nettle_decrypt_aead( + samba_decrypt_aead( &err, test_ctx, test_ctx->ldb, @@ -896,7 +887,6 @@ static void test_nettle_altered_iv(void **state) assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err); } } -#endif /* HAVE_NETTLE_AES_GCM */ /* * Test message encryption. @@ -1153,24 +1143,22 @@ int main(void) { setup_with_key, teardown), #endif /* HAVE_GNUTLS_AEAD */ -#ifdef HAVE_NETTLE_AES_GCM cmocka_unit_test_setup_teardown( - test_nettle_value_encryption, + test_samba_value_encryption, setup_with_key, teardown), cmocka_unit_test_setup_teardown( - test_nettle_altered_header, + test_samba_altered_header, setup_with_key, teardown), cmocka_unit_test_setup_teardown( - test_nettle_altered_data, + test_samba_altered_data, setup_with_key, teardown), cmocka_unit_test_setup_teardown( - test_nettle_altered_iv, + test_samba_altered_iv, setup_with_key, teardown), -#endif /* HAVE_NETTLE_AES_GCM */ cmocka_unit_test_setup_teardown( test_message_encryption_decryption, setup_with_key, diff --git a/source4/dsdb/samdb/ldb_modules/wscript b/source4/dsdb/samdb/ldb_modules/wscript index e2f2cda3312..91edbcb2594 100644 --- a/source4/dsdb/samdb/ldb_modules/wscript +++ b/source4/dsdb/samdb/ldb_modules/wscript @@ -12,23 +12,6 @@ import samba3 return def configure(conf): - conf.SET_TARGET_TYPE('nettle', 'EMPTY') - if conf.CHECK_CFG( - package="nettle", - args="--cflags --libs", - msg='Checking for nettle support'): - - if conf.CHECK_FUNCS_IN( - 'nettle_gcm_aes_encrypt', - 'nettle', - headers='nettle/gcm.h'): - - conf.DEFINE('HAVE_NETTLE_AES_GCM', '1') - else: - Logs.warn('No nettle support for AES GCM') - else: - Logs.warn('No nettle encryption libraries') - if conf.env.HAVE_GNUTLS: if conf.CHECK_FUNCS_IN( 'gnutls_aead_cipher_init', @@ -39,11 +22,6 @@ import samba3 else: Logs.warn('No gnutls support for AEAD encryption') - if not conf.env.HAVE_GNUTLS_AEAD and not conf.env.HAVE_NETTLE_AES_GCM: - conf.fatal("No AES GCM AEAD support" - "Try installing gnutls if that does not support AEAD " - "try installing nettle-dev or nettle-devel") - conf.SET_TARGET_TYPE('gpgme', 'EMPTY') if Options.options.with_gpgme != False: diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build index 0ff94711763..9e0ac281cc6 100644 --- a/source4/dsdb/samdb/ldb_modules/wscript_build +++ b/source4/dsdb/samdb/ldb_modules/wscript_build @@ -36,7 +36,6 @@ bld.SAMBA_BINARY('test_encrypted_secrets', samdb-common samdb cmocka - nettle gnutls DSDB_MODULE_HELPERS ''', diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build_server b/source4/dsdb/samdb/ldb_modules/wscript_build_server index 71af9b27278..368260afe09 100644 --- a/source4/dsdb/samdb/ldb_modules/wscript_build_server +++ b/source4/dsdb/samdb/ldb_modules/wscript_build_server @@ -422,7 +422,6 @@ bld.SAMBA_MODULE('ldb_encrypted_secrets', samdb-common DSDB_MODULE_HELPERS samdb - nettle gnutls ''' ) -- 2.13.6