The Samba-Bugzilla – Attachment 13062 Details for
Bug 12690
Include samba.crypto Python module to 4.6
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.6 branch
samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch (text/plain), 5.41 KB, created by
Alexander Bokovoy
on 2017-03-15 10:16:29 UTC
(
hide
)
Description:
patch for 4.6 branch
Filename:
MIME Type:
Creator:
Alexander Bokovoy
Created:
2017-03-15 10:16:29 UTC
Size:
5.41 KB
patch
obsolete
>From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001 >From: Alexander Bokovoy <ab@samba.org> >Date: Fri, 10 Mar 2017 16:20:06 +0200 >Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4 >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Implement a small Python module that exposes arcfour_crypt_blob() >function widely used in Samba C code. > >When Samba Python bindings are used to call LSA CreateTrustedDomainEx2, >there is a need to encrypt trusted credentials with RC4 cipher. > >Current Samba Python code relies on Python runtime to provide RC4 >cipher. However, in FIPS 140-2 mode system crypto libraries do not >provide access RC4 cipher at all. According to Microsoft dochelp team, >Windows is treating AuthenticationInformation blob encryption as 'plain >text' in terms of FIPS 140-2, thus doing application-level encryption. > >Replace samba.arcfour_encrypt() implementation with a call to >samba.crypto.arcfour_crypt_blob(). > >Signed-off-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Simo Sorce <idra@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> > >Autobuild-User(master): Günther Deschner <gd@samba.org> >Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144 > >(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c) >--- > lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ > lib/crypto/wscript_build | 7 ++++ > python/samba/__init__.py | 16 ++------- > 3 files changed, 99 insertions(+), 14 deletions(-) > create mode 100644 lib/crypto/py_crypto.c > >diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c >new file mode 100644 >index 0000000..bf7f9f4 >--- /dev/null >+++ b/lib/crypto/py_crypto.c >@@ -0,0 +1,90 @@ >+/* >+ Unix SMB/CIFS implementation. >+ Samba crypto functions >+ >+ Copyright (C) Alexander Bokovoy <ab@samba.org> 2017 >+ >+ This program is free software; you can redistribute it and/or modify >+ it under the terms of the GNU General Public License as published by >+ the Free Software Foundation; either version 3 of the License, or >+ (at your option) any later version. >+ >+ This program is distributed in the hope that it will be useful, >+ but WITHOUT ANY WARRANTY; without even the implied warranty of >+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ GNU General Public License for more details. >+ >+ You should have received a copy of the GNU General Public License >+ along with this program. If not, see <http://www.gnu.org/licenses/>. >+*/ >+ >+#include <Python.h> >+#include "includes.h" >+#include "python/py3compat.h" >+#include "lib/crypto/arcfour.h" >+ >+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs) >+{ >+ DATA_BLOB data, key; >+ PyObject *py_data, *py_key, *result; >+ TALLOC_CTX *ctx; >+ >+ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key)) >+ return NULL; >+ >+ if (!PyBytes_Check(py_data)) { >+ PyErr_Format(PyExc_TypeError, "bytes expected"); >+ return NULL; >+ } >+ >+ if (!PyBytes_Check(py_key)) { >+ PyErr_Format(PyExc_TypeError, "bytes expected"); >+ return NULL; >+ } >+ >+ ctx = talloc_new(NULL); >+ >+ data.length = PyBytes_Size(py_data); >+ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length); >+ if (!data.data) { >+ talloc_free(ctx); >+ return PyErr_NoMemory(); >+ } >+ >+ key.data = (uint8_t *)PyBytes_AsString(py_key); >+ key.length = PyBytes_Size(py_key); >+ >+ arcfour_crypt_blob(data.data, data.length, &key); >+ >+ result = PyBytes_FromStringAndSize((const char*) data.data, data.length); >+ talloc_free(ctx); >+ return result; >+} >+ >+ >+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n" >+ "Encrypt the data with RC4 algorithm using the key"; >+ >+static PyMethodDef py_crypto_methods[] = { >+ { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc }, >+ { NULL }, >+}; >+ >+static struct PyModuleDef moduledef = { >+ PyModuleDef_HEAD_INIT, >+ .m_name = "crypto", >+ .m_doc = "Crypto functions required for SMB", >+ .m_size = -1, >+ .m_methods = py_crypto_methods, >+}; >+ >+MODULE_INIT_FUNC(crypto) >+{ >+ PyObject *m; >+ >+ m = PyModule_Create(&moduledef); >+ if (m == NULL) >+ return NULL; >+ >+ return m; >+} >diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build >index 7f94532..d1f152e 100644 >--- a/lib/crypto/wscript_build >+++ b/lib/crypto/wscript_build >@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', > autoproto='test_proto.h', > deps='LIBCRYPTO' > ) >+ >+for env in bld.gen_python_environments(): >+ bld.SAMBA_PYTHON('python_crypto', >+ source='py_crypto.c', >+ deps='LIBCRYPTO', >+ realname='samba/crypto.so' >+ ) >diff --git a/python/samba/__init__.py b/python/samba/__init__.py >index 19d5e38..fa4244a 100644 >--- a/python/samba/__init__.py >+++ b/python/samba/__init__.py >@@ -371,20 +371,8 @@ def string_to_byte_array(string): > return blob > > def arcfour_encrypt(key, data): >- try: >- from Crypto.Cipher import ARC4 >- c = ARC4.new(key) >- return c.encrypt(data) >- except ImportError as e: >- pass >- try: >- from M2Crypto.RC4 import RC4 >- c = RC4(key) >- return c.update(data) >- except ImportError as e: >- pass >- raise Exception("arcfour_encrypt() requires " + >- "python*-crypto or python*-m2crypto or m2crypto") >+ from samba.crypto import arcfour_crypt_blob >+ return arcfour_crypt_blob(data, key) > > import _glue > version = _glue.version >-- >2.9.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
gd
:
review+
Actions:
View
Attachments on
bug 12690
: 13062