Attachment 13062 Details for Bug 12690 – patch for 4.6 branch

[patch] patch for 4.6 branch

samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch (text/plain), 5.41 KB, created by Alexander Bokovoy on 2017-03-15 10:16:29 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Alexander Bokovoy

Created: 2017-03-15 10:16:29 UTC

Size: 5.41 KB

patch

obsolete

>From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Fri, 10 Mar 2017 16:20:06 +0200
>Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Implement a small Python module that exposes arcfour_crypt_blob()
>function widely used in Samba C code.
>
>When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
>there is a need to encrypt trusted credentials with RC4 cipher.
>
>Current Samba Python code relies on Python runtime to provide RC4
>cipher. However, in FIPS 140-2 mode system crypto libraries do not
>provide access RC4 cipher at all. According to Microsoft dochelp team,
>Windows is treating AuthenticationInformation blob encryption as 'plain
>text' in terms of FIPS 140-2, thus doing application-level encryption.
>
>Replace samba.arcfour_encrypt() implementation with a call to
>samba.crypto.arcfour_crypt_blob().
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Simo Sorce <idra@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>
>Autobuild-User(master): GÃ¼nther Deschner <gd@samba.org>
>Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
>
>(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
>---
> lib/crypto/py_crypto.c   | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
> lib/crypto/wscript_build |  7 ++++
> python/samba/__init__.py | 16 ++-------
> 3 files changed, 99 insertions(+), 14 deletions(-)
> create mode 100644 lib/crypto/py_crypto.c
>
>diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
>new file mode 100644
>index 0000000..bf7f9f4
>--- /dev/null
>+++ b/lib/crypto/py_crypto.c
>@@ -0,0 +1,90 @@
>+/*
>+   Unix SMB/CIFS implementation.
>+   Samba crypto functions
>+
>+   Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
>+
>+   This program is free software; you can redistribute it and/or modify
>+   it under the terms of the GNU General Public License as published by
>+   the Free Software Foundation; either version 3 of the License, or
>+   (at your option) any later version.
>+
>+   This program is distributed in the hope that it will be useful,
>+   but WITHOUT ANY WARRANTY; without even the implied warranty of
>+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>+   GNU General Public License for more details.
>+
>+   You should have received a copy of the GNU General Public License
>+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include <Python.h>
>+#include "includes.h"
>+#include "python/py3compat.h"
>+#include "lib/crypto/arcfour.h"
>+
>+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
>+{
>+	DATA_BLOB data, key;
>+	PyObject *py_data, *py_key, *result;
>+	TALLOC_CTX *ctx;
>+
>+	if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
>+		return NULL;
>+
>+	if (!PyBytes_Check(py_data)) {
>+		PyErr_Format(PyExc_TypeError, "bytes expected");
>+		return NULL;
>+	}
>+
>+	if (!PyBytes_Check(py_key)) {
>+		PyErr_Format(PyExc_TypeError, "bytes expected");
>+		return NULL;
>+	}
>+
>+	ctx = talloc_new(NULL);
>+
>+	data.length = PyBytes_Size(py_data);
>+	data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
>+	if (!data.data) {
>+		talloc_free(ctx);
>+		return PyErr_NoMemory();
>+	}
>+
>+	key.data = (uint8_t *)PyBytes_AsString(py_key);
>+	key.length = PyBytes_Size(py_key);
>+
>+	arcfour_crypt_blob(data.data, data.length, &key);
>+
>+	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
>+	talloc_free(ctx);
>+	return result;
>+}
>+
>+
>+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
>+					 "Encrypt the data with RC4 algorithm using the key";
>+
>+static PyMethodDef py_crypto_methods[] = {
>+	{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
>+	{ NULL },
>+};
>+
>+static struct PyModuleDef moduledef = {
>+	PyModuleDef_HEAD_INIT,
>+	.m_name = "crypto",
>+	.m_doc = "Crypto functions required for SMB",
>+	.m_size = -1,
>+	.m_methods = py_crypto_methods,
>+};
>+
>+MODULE_INIT_FUNC(crypto)
>+{
>+	PyObject *m;
>+
>+	m = PyModule_Create(&moduledef);
>+	if (m == NULL)
>+		return NULL;
>+
>+	return m;
>+}
>diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
>index 7f94532..d1f152e 100644
>--- a/lib/crypto/wscript_build
>+++ b/lib/crypto/wscript_build
>@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
>         autoproto='test_proto.h',
>         deps='LIBCRYPTO'
>         )
>+
>+for env in bld.gen_python_environments():
>+	bld.SAMBA_PYTHON('python_crypto',
>+		source='py_crypto.c',
>+		deps='LIBCRYPTO',
>+		realname='samba/crypto.so'
>+		)
>diff --git a/python/samba/__init__.py b/python/samba/__init__.py
>index 19d5e38..fa4244a 100644
>--- a/python/samba/__init__.py
>+++ b/python/samba/__init__.py
>@@ -371,20 +371,8 @@ def string_to_byte_array(string):
>     return blob
> 
> def arcfour_encrypt(key, data):
>-    try:
>-        from Crypto.Cipher import ARC4
>-        c = ARC4.new(key)
>-        return c.encrypt(data)
>-    except ImportError as e:
>-        pass
>-    try:
>-        from M2Crypto.RC4 import RC4
>-        c = RC4(key)
>-        return c.update(data)
>-    except ImportError as e:
>-        pass
>-    raise Exception("arcfour_encrypt() requires " +
>-                    "python*-crypto or python*-m2crypto or m2crypto")
>+    from samba.crypto import arcfour_crypt_blob
>+    return arcfour_crypt_blob(data, key)
> 
> import _glue
> version = _glue.version
>-- 
>2.9.3
>

Flags:

gd: review+

Actions: View

Attachments on bug 12690: 13062