Replace M2Crypto RC4 with python-cryptography ARC4

This patch removes the dependency on M2Crypto in favor for cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes: >>> from M2Crypto import RC4 >>> from ipaserver.dcerpc import arcfour_encrypt >>> RC4.RC4(b'key').update(b'data') 'o\r@\x8c' >>> arcfour_encrypt(b'key', b'data') Traceback (most recent call last): ... ValueError: Invalid key size (24) for RC4. Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported: >>> arcfour_encrypt(b'key12', b'data') '\xcd\xf80d' >>> RC4.RC4(b'key12').update(b'data') '\xcd\xf80d' http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4 https://fedorahosted.org/freeipa/ticket/5148 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-07-21 15:18:40 +02:00 · 2015-07-21 15:18:40 +02:00 · a908be2785
commit a908be2785
parent 4e18a62dd5
2 changed files with 10 additions and 7 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -84,7 +84,6 @@ BuildRequires:  python-lxml
 BuildRequires:  python-pyasn1 >= 0.0.9a
 BuildRequires:  python-qrcode-core >= 5.0.0
 BuildRequires:  python-dns >= 1.11.1
-BuildRequires:  m2crypto
 BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_nss_idmap-devel >= 1.12.2
@ -218,7 +217,6 @@ Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
 Requires: %{name}-server = %version-%release
-Requires: m2crypto
 Requires: samba-python
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@ -42,7 +42,8 @@ from samba.ndr import ndr_pack, ndr_print
 from samba import net
 import samba
 import random
-from M2Crypto import RC4
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
+from cryptography.hazmat.backends import default_backend
 try:
    from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
 except ImportError:
@ -128,6 +129,14 @@ def assess_dcerpc_exception(num=None,message=None):
                  message "%(message)s" (both may be "None")''') % dict(num=num, message=message)
    return errors.RemoteRetrieveError(reason=reason)

+
+def arcfour_encrypt(key, data):
+    algorithm = algorithms.ARC4(key)
+    cipher = Cipher(algorithm, mode=None, backend=default_backend())
+    encryptor = cipher.encryptor()
+    return encryptor.update(data)
+
+
 class ExtendedDNControl(LDAPControl):
    # This class attempts to implement LDAP control that would work
    # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
@ -941,10 +950,6 @@ class TrustDomainInstance(object):
        self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY)

    def generate_auth(self, trustdom_secret):
-        def arcfour_encrypt(key, data):
-            c = RC4.RC4(key)
-            return c.update(data)
-
        password_blob = string_to_array(trustdom_secret.encode('utf-16-le'))

        clear_value = drsblobs.AuthInfoClear()