From 4e54b3526ae140a419fc50eae3a2e30e25373529 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Tue, 21 May 2019 09:31:02 +0200

Subject: [PATCH 204/208] lib:crypto: Allow py_crypto to use RC4 in FIPS mode

This is a public functions, so it can be consumed by others. E.g.

FreeIPA is using it to establish trusts. Not sure if this is

a problem with FIPS.

Signed-off-by: Andreas Schneider <asn@samba.org>

---

 lib/crypto/py_crypto.c | 9 ++++++++-

 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c

index c85cd2c13d2..f4b5b745daf 100644

--- a/lib/crypto/py_crypto.c

+++ b/lib/crypto/py_crypto.c

@@ -22,7 +22,7 @@

 #include "includes.h"

 #include "python/py3compat.h"

-#include <gnutls/gnutls.h>

+#include "gnutls_helpers.h"

 #include <gnutls/crypto.h>

 static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)

@@ -61,11 +61,15 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)

 		.size = PyBytes_Size(py_key),

 	};

+	GNUTLS_FIPS140_SET_LAX_MODE();

+

 	rc = gnutls_cipher_init(&cipher_hnd,

 				GNUTLS_CIPHER_ARCFOUR_128,

 				&key,

 				NULL);

 	if (rc < 0) {

+		GNUTLS_FIPS140_SET_STRICT_MODE();

+

 		talloc_free(ctx);

 		PyErr_Format(PyExc_OSError, "encryption failed");

 		return NULL;

@@ -74,6 +78,9 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)

 				   data.data,

 				   data.length);

 	gnutls_cipher_deinit(cipher_hnd);

+

+	GNUTLS_FIPS140_SET_STRICT_MODE();

+

 	if (rc < 0) {

 		talloc_free(ctx);

 		PyErr_Format(PyExc_OSError, "encryption failed");

-- 

2.23.0