On 2015-07-23 11:06, Alexander Bokovoy wrote: > On Thu, 23 Jul 2015, Christian Heimes wrote: >> This patch removes the dependency on M2Crypto in favor for cryptography. >> Cryptography is more strict about the key size and doesn't support >> non-standard key sizes: >> >>>>> from M2Crypto import RC4 >>>>> from ipaserver.dcerpc import arcfour_encrypt >>>>> RC4.RC4(b'key').update(b'data') >> 'o\r@\x8c' >>>>> arcfour_encrypt(b'key', b'data') >> Traceback (most recent call last): >> ... >> ValueError: Invalid key size (24) for RC4. >> >> Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >> >>>>> arcfour_encrypt(b'key12', b'data') >> '\xcd\xf80d' >>>>> RC4.RC4(b'key12').update(b'data') >> '\xcd\xf80d' > Note that we are using NTLMv2 or Kerberos user session keys which are > 128 bit long in this context. > > And please rework the spec file change as Honza noted.
Thanks for the feedback regarding the key size, 128bit works. Is RC4 really the only supported algorithm for session keys? RC4 is insecure, especially the first few bytes have a high bias. It may not be much of an issue for short-lived session keys, though. Christian
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
