The branch, master has been updated via bfb9cd8b9b3 waf: Check correctly if gnutls has been compiled with fips mode support from d5759794d6d add .gitlab-ci-coverage.yml for a scheduled build
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit bfb9cd8b9b32f60475e8a654b77ea1b6b057d4ad Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 13 17:48:21 2021 +0200 waf: Check correctly if gnutls has been compiled with fips mode support Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue Apr 13 19:17:56 UTC 2021 on sn-devel-184 ----------------------------------------------------------------------- Summary of changes: source4/selftest/tests.py | 6 +++--- wscript_configure_system_gnutls | 29 ++++++++++++++++++++++++++--- 2 files changed, 29 insertions(+), 6 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 223a1139d6c..866e7632d19 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -86,7 +86,7 @@ finally:
 f.close()
 have_heimdal_support = ("SAMBA4_USES_HEIMDAL" in config_hash)
-have_gnutls_crypto_policies = ("HAVE_GNUTLS_CRYPTO_POLICIES" in config_hash)
+have_gnutls_fips_mode_support = ("HAVE_GNUTLS_FIPS_MODE_SUPPORTED" in config_hash)
 for options in ['-U"$USERNAME%$PASSWORD"']:
 plantestsuite("samba4.ldb.ldaps with options %s(ad_dc_ntvfs)" % options, "ad_dc_ntvfs",
@@ -567,7 +567,7 @@ plantestsuite("samba4.blackbox.net_ads_dns_async(ad_member:local)",
 '$REALM'])
 plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
-if have_gnutls_crypto_policies:
+if have_gnutls_fips_mode_support:
 plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
 for env in ["ad_dc_fips", "ad_member_fips"]:
@@ -722,7 +722,7 @@ def planoldpythontestsuite(env, module, name=None, extra_path=[], environ={}, ex
 name = module
 plantestsuite_loadlist(name, env, args)
-if have_gnutls_crypto_policies:
+if have_gnutls_fips_mode_support:
 planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
 planoldpythontestsuite("ad_dc_fips", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index 2ec217fb9dc..28abd29f964 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -1,4 +1,5 @@
 from waflib import Options
+import os
 def parse_version(v):
 return tuple(map(int, (v.split("."))))
@@ -35,9 +36,31 @@ conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
 if (parse_version(gnutls_version) > parse_version('3.6.14')):
 conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
-# Check if we have support for crypto policies
-if conf.CHECK_FUNCS_IN('gnutls_get_system_config_file', 'gnutls'):
- conf.DEFINE('HAVE_GNUTLS_CRYPTO_POLICIES', 1)
+# Check if gnutls has fips mode support
+# gnutls_fips140_mode_enabled() is available since 3.3.0
+fragment = '''
+#include <gnutls/gnutls.h>
+#include <stdlib.h>
+
+int main(void)
+{
+ unsigned int ok;
+
+ ok = gnutls_fips140_mode_enabled();
+
+ return !ok;
+}
+'''
+
+os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'
+conf.CHECK_CODE(fragment,
+ 'HAVE_GNUTLS_FIPS_MODE_SUPPORTED',
+ execute=True,
+ addmain=False,
+ add_headers=False,
+ lib='gnutls',
+ msg='Checking for gnutls fips mode support')
+del os.environ['GNUTLS_FORCE_FIPS_MODE']
 if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
 conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
-- Samba Shared Repository
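Review bot: The `os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'` / `del os.environ[...]` pair around `conf.CHECK_CODE` in wscript_configure_system_gnutls overwrites and then unconditionally deletes the variable in the configure process itself, so a value the builder had already exported is lost for every later configure step, and if `conf.CHECK_CODE` raises the forced value stays set. Saving the previous value and restoring it in a `finally:` keeps the override scoped to this one probe. Separately, because the probe is executed (`execute=True`), a build that cannot run it (presumably a cross-compile) leaves `HAVE_GNUTLS_FIPS_MODE_SUPPORTED` undefined, and source4/selftest/tests.py then plans none of the weak-crypto and FIPS suites without any notice; a comment above the check stating whether that outcome is intended would help. The `#include <stdlib.h>` in the fragment appears to be unused.

```python
saved_fips_mode = os.environ.get('GNUTLS_FORCE_FIPS_MODE')
os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'
try:
    # … unchanged: the conf.CHECK_CODE(fragment, 'HAVE_GNUTLS_FIPS_MODE_SUPPORTED', …) call, indented one level …
finally:
    # Put back whatever the caller had exported instead of always deleting it.
    if saved_fips_mode is None:
        os.environ.pop('GNUTLS_FORCE_FIPS_MODE', None)
    else:
        os.environ['GNUTLS_FORCE_FIPS_MODE'] = saved_fips_mode
```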