[Freeipa-devel] [PATCH] 0095 Trusts: replace use of python-crypto by m2crypto

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 21 16:40:38 UTC 2012


Hi,

The attached patch replaces the use of python-crypto with m2crypto. We only need
either one for the RC4 encryption implementation, and python-crypto is not
available everywhere.

Originally we thought to extend python-krbV to provide access to
krb5_c_encrypt() but m2crypto is a simpler replacement.

Using this patch I was able to re-establish trusts with Windows 2008R2
without any trouble and verified that it worked afterwards for resolving
remote users, since the code that searches the Global Catalog uses the trust
auth blob to obtain a Kerberos ticket against the AD KDC.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From 41bf34a4d6e32a3ae26206a8fe0d088c8b0b95d9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 21 Nov 2012 18:33:49 +0200
Subject: [PATCH] trusts: replace use of python-crypto by m2crypto

python-crypto package is not available everywhere, use m2crypto instead.

Originally we thought to extend python-krbV to provide krb5_c_encrypt()
wrapper but m2crypto is readily available.

https://fedorahosted.org/freeipa/ticket/3271
---
 freeipa.spec.in     | 7 +++++--
 ipaserver/dcerpc.py | 6 +++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 50e743d809c8e499738c7fe67f853c4c9cea195c..43f4a3af2cb7e00aa19f57da1319a77018bee5e0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -67,7 +67,7 @@ BuildRequires:  sssd >= 1.8.0
 BuildRequires:  python-lxml
 BuildRequires:  python-pyasn1 >= 0.0.9a
 BuildRequires:  python-dns
-BuildRequires:  python-crypto
+BuildRequires:  m2crypto
 BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
 
@@ -181,7 +181,7 @@ daemons included in freeipa-server
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
 Requires: %{name}-server = %version-%release
-Requires: python-crypto
+Requires: m2crypto
 %if 0%{?fedora} >= 18
 Requires: samba-python
 Requires: samba
@@ -733,6 +733,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Nov 21 2012 Alexander Bokovoy <abokovoy at redhat.com> - 3.0.99-6
+- Replace python-crypto by m2crypto dependency
+
 * Fri Nov 16 2012 Rob Crittenden <rcritten at redhat.com> - 3.0.99-5
 - Bump minimum version of slapi-nis to 0.44
 
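Review bot: the new %changelog entry claims 3.0.99-6, but the diffstat shows no other change in freeipa.spec.in that would bump a release tag, so please confirm that the built package really carries -6. The entry would also be easier to trace if it cited the ticket from the commit message (https://fedorahosted.org/freeipa/ticket/3271) and said that both the BuildRequires and the Requires were switched.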
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 4eddbcdc304de9e50c5ccb9a71808fb71cf5b844..68b5ad52873753b6c78840c558636c16ea2dd803 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -41,7 +41,7 @@ from samba.ndr import ndr_pack
 from samba import net
 import samba
 import random
-from Crypto.Cipher import ARC4
+from M2Crypto import RC4
 try:
     from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
 except ImportError:
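Review bot: `from M2Crypto import RC4` binds the module rather than the class, which is why the call site in generate_auth ends up as `RC4.RC4(key)`. Importing the class directly (`from M2Crypto.RC4 import RC4`) would let the call read `RC4(key)`. The import also stays unconditional at module level, so ipaserver/dcerpc.py will fail to import on any host where m2crypto is missing. The spec change only adds the Requires to the trusts virtual package, so a short comment here naming that dependency would help whoever hits the ImportError.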
@@ -526,8 +526,8 @@ class TrustDomainInstance(object):
 
     def generate_auth(self, trustdom_secret):
         def arcfour_encrypt(key, data):
-            c = ARC4.new(key)
-            return c.encrypt(data)
+            c = RC4.RC4(key)
+            return c.update(data)
         def string_to_array(what):
             blob = [0] * len(what)
 
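Review bot: in arcfour_encrypt, `c.update(data)` must return exactly the bytes that `c.encrypt(data)` did, otherwise the trust auth blob built by generate_auth changes silently, and nothing in the patch checks this beyond the manual re-trust described in the cover mail. Please add a small unit test that feeds a published RC4 test vector through arcfour_encrypt and compares the output. A one-line comment should also explain why RC4 is used here and why `c.final()` is not called after `c.update(data)`, so the next reader does not take it for an incomplete cipher call or an arbitrary algorithm choice.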
-- 
1.8.0
