This patch removes the dependency on M2Crypto in favor for cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:
>>> from M2Crypto import RC4 >>> from ipaserver.dcerpc import arcfour_encrypt >>> RC4.RC4(b'key').update(b'data') 'o\r@\x8c' >>> arcfour_encrypt(b'key', b'data') Traceback (most recent call last): ... ValueError: Invalid key size (24) for RC4. Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> arcfour_encrypt(b'key12', b'data') '\xcd\xf80d' >>> RC4.RC4(b'key12').update(b'data') '\xcd\xf80d' http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 https://fedorahosted.org/freeipa/ticket/5148
From da4aa9baa932e335ad0bd0f3cfe2551667c7ca76 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Tue, 21 Jul 2015 15:18:40 +0200 Subject: [PATCH] [py3] Replace M2Crypto RC4 with python-cryptography ARC4 This patch removes the dependency on M2Crypto in favor for cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes: >>> from M2Crypto import RC4 >>> from ipaserver.dcerpc import arcfour_encrypt >>> RC4.RC4(b'key').update(b'data') 'o\r@\x8c' >>> arcfour_encrypt(b'key', b'data') Traceback (most recent call last): ... ValueError: Invalid key size (24) for RC4. Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> arcfour_encrypt(b'key12', b'data') '\xcd\xf80d' >>> RC4.RC4(b'key12').update(b'data') '\xcd\xf80d' http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 https://fedorahosted.org/freeipa/ticket/5148 --- freeipa.spec.in | 1 + ipaserver/dcerpc.py | 15 ++++++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1f7e6fde9b90851a2686e515a6a779f954..afae22430515a9f15eced9e16e0a6e192400e6e2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -150,6 +150,7 @@ Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 Requires: python-kdcproxy >= 0.3 +Requires: python-cryptography Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 4de5afb540e880e8948749c2cfa9a019eb807c47..578b3ee209ee988bca4d75bd5b898f339625236c 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -42,7 +42,8 @@ from samba.ndr import ndr_pack, ndr_print from samba import net import samba import random -from M2Crypto import RC4 +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms +from cryptography.hazmat.backends import default_backend try: from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401 except ImportError: @@ -120,6 +121,14 @@ def assess_dcerpc_exception(num=None,message=None): message "%(message)s" (both may be "None")''') % dict(num=num, message=message) return errors.RemoteRetrieveError(reason=reason) + +def arcfour_encrypt(key, data): + algorithm = algorithms.ARC4(key) + cipher = Cipher(algorithm, mode=None, backend=default_backend()) + encryptor = cipher.encryptor() + return encryptor.update(data) + + class ExtendedDNControl(LDAPControl): # This class attempts to implement LDAP control that would work # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties @@ -910,10 +919,6 @@ class TrustDomainInstance(object): self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) def generate_auth(self, trustdom_secret): - def arcfour_encrypt(key, data): - c = RC4.RC4(key) - return c.update(data) - password_blob = string_to_array(trustdom_secret.encode('utf-16-le')) clear_value = drsblobs.AuthInfoClear() -- 2.4.3
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code