[Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4

Alexander Bokovoy abokovoy at redhat.com
Thu Jul 23 08:54:46 UTC 2015 

On Thu, 23 Jul 2015, Christian Heimes wrote:
>This patch removes the dependency on M2Crypto in favor for cryptography.
>Cryptography is more strict about the key size and doesn't support
>non-standard key sizes:
>
>>>> from M2Crypto import RC4
>>>> from ipaserver.dcerpc import arcfour_encrypt
>>>> RC4.RC4(b'key').update(b'data')
>'o\r@\x8c'
>>>> arcfour_encrypt(b'key', b'data')
>Traceback (most recent call last):
>...
>ValueError: Invalid key size (24) for RC4.
>
>Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:
>
>>>> arcfour_encrypt(b'key12', b'data')
>'\xcd\xf80d'
>>>> RC4.RC4(b'key12').update(b'data')
>'\xcd\xf80d'
>
>http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
>https://fedorahosted.org/freeipa/ticket/5148

>From da4aa9baa932e335ad0bd0f3cfe2551667c7ca76 Mon Sep 17 00:00:00 2001
>From: Christian Heimes <cheimes at redhat.com>
>Date: Tue, 21 Jul 2015 15:18:40 +0200
>Subject: [PATCH] [py3] Replace M2Crypto RC4 with python-cryptography ARC4
>
>This patch removes the dependency on M2Crypto in favor for cryptography.
>Cryptography is more strict about the key size and doesn't support
>non-standard key sizes:
>
>>>> from M2Crypto import RC4
>>>> from ipaserver.dcerpc import arcfour_encrypt
>>>> RC4.RC4(b'key').update(b'data')
>'o\r@\x8c'
>>>> arcfour_encrypt(b'key', b'data')
>Traceback (most recent call last):
>...
>ValueError: Invalid key size (24) for RC4.
>
>Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:
>
>>>> arcfour_encrypt(b'key12', b'data')
>'\xcd\xf80d'
>>>> RC4.RC4(b'key12').update(b'data')
>'\xcd\xf80d'
>
>http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
>https://fedorahosted.org/freeipa/ticket/5148
>---
> freeipa.spec.in     |  1 +
> ipaserver/dcerpc.py | 15 ++++++++++-----
> 2 files changed, 11 insertions(+), 5 deletions(-)
>
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index fef20e1f7e6fde9b90851a2686e515a6a779f954..afae22430515a9f15eced9e16e0a6e192400e6e2 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -150,6 +150,7 @@ Requires(preun): python systemd-units
> Requires(postun): python systemd-units
> Requires: python-dns >= 1.11.1
> Requires: python-kdcproxy >= 0.3
>+Requires: python-cryptography
> Requires: zip
> Requires: policycoreutils >= 2.1.12-5
> Requires: tar
>diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
>index 4de5afb540e880e8948749c2cfa9a019eb807c47..578b3ee209ee988bca4d75bd5b898f339625236c 100644
>--- a/ipaserver/dcerpc.py
>+++ b/ipaserver/dcerpc.py
>@@ -42,7 +42,8 @@ from samba.ndr import ndr_pack, ndr_print
> from samba import net
> import samba
> import random
>-from M2Crypto import RC4
>+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
>+from cryptography.hazmat.backends import default_backend
> try:
>     from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
> except ImportError:
>@@ -120,6 +121,14 @@ def assess_dcerpc_exception(num=None,message=None):
>                   message "%(message)s" (both may be "None")''') % dict(num=num, message=message)
>     return errors.RemoteRetrieveError(reason=reason)
> 
>+
>+def arcfour_encrypt(key, data):
>+    algorithm = algorithms.ARC4(key)
>+    cipher = Cipher(algorithm, mode=None, backend=default_backend())
>+    encryptor = cipher.encryptor()
>+    return encryptor.update(data)
>+
>+
> class ExtendedDNControl(LDAPControl):
>     # This class attempts to implement LDAP control that would work
>     # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
>@@ -910,10 +919,6 @@ class TrustDomainInstance(object):
>         self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY)
> 
>     def generate_auth(self, trustdom_secret):
>-        def arcfour_encrypt(key, data):
>-            c = RC4.RC4(key)
>-            return c.update(data)
>-
>         password_blob = string_to_array(trustdom_secret.encode('utf-16-le'))
> 
>         clear_value = drsblobs.AuthInfoClear()
>-- 
>2.4.3
>
ACK. Tested by re-establishing trust to AD.


-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list