From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <ab@samba.org>

Date: Fri, 10 Mar 2017 16:20:06 +0200

Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Implement a small Python module that exposes arcfour_crypt_blob()

function widely used in Samba C code.

When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,

there is a need to encrypt trusted credentials with RC4 cipher.

Current Samba Python code relies on Python runtime to provide RC4

cipher. However, in FIPS 140-2 mode system crypto libraries do not

provide access RC4 cipher at all. According to Microsoft dochelp team,

Windows is treating AuthenticationInformation blob encryption as 'plain

text' in terms of FIPS 140-2, thus doing application-level encryption.

Replace samba.arcfour_encrypt() implementation with a call to

samba.crypto.arcfour_crypt_blob().

Signed-off-by: Alexander Bokovoy <ab@samba.org>

Reviewed-by: Simo Sorce <idra@samba.org>

Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>

Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144

(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)

---

 lib/crypto/py_crypto.c   | 90 ++++++++++++++++++++++++++++++++++++++++++++++++

 lib/crypto/wscript_build |  7 ++++

 python/samba/__init__.py | 16 ++-------

 3 files changed, 99 insertions(+), 14 deletions(-)

 create mode 100644 lib/crypto/py_crypto.c

diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c

new file mode 100644

index 0000000..bf7f9f4

--- /dev/null

+++ b/lib/crypto/py_crypto.c

@@ -0,0 +1,90 @@

+/*

+   Unix SMB/CIFS implementation.

+   Samba crypto functions

+

+   Copyright (C) Alexander Bokovoy <ab@samba.org> 2017

+

+   This program is free software; you can redistribute it and/or modify

+   it under the terms of the GNU General Public License as published by

+   the Free Software Foundation; either version 3 of the License, or

+   (at your option) any later version.

+

+   This program is distributed in the hope that it will be useful,

+   but WITHOUT ANY WARRANTY; without even the implied warranty of

+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+   GNU General Public License for more details.

+

+   You should have received a copy of the GNU General Public License

+   along with this program.  If not, see <http://www.gnu.org/licenses/>.

+*/

+

+#include <Python.h>

+#include "includes.h"

+#include "python/py3compat.h"

+#include "lib/crypto/arcfour.h"

+

+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)

+{

+	DATA_BLOB data, key;

+	PyObject *py_data, *py_key, *result;

+	TALLOC_CTX *ctx;

+

+	if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))

+		return NULL;

+

+	if (!PyBytes_Check(py_data)) {

+		PyErr_Format(PyExc_TypeError, "bytes expected");

+		return NULL;

+	}

+

+	if (!PyBytes_Check(py_key)) {

+		PyErr_Format(PyExc_TypeError, "bytes expected");

+		return NULL;

+	}

+

+	ctx = talloc_new(NULL);

+

+	data.length = PyBytes_Size(py_data);

+	data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);

+	if (!data.data) {

+		talloc_free(ctx);

+		return PyErr_NoMemory();

+	}

+

+	key.data = (uint8_t *)PyBytes_AsString(py_key);

+	key.length = PyBytes_Size(py_key);

+

+	arcfour_crypt_blob(data.data, data.length, &key);

+

+	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);

+	talloc_free(ctx);

+	return result;

+}

+

+

+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"

+					 "Encrypt the data with RC4 algorithm using the key";

+

+static PyMethodDef py_crypto_methods[] = {

+	{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },

+	{ NULL },

+};

+

+static struct PyModuleDef moduledef = {

+	PyModuleDef_HEAD_INIT,

+	.m_name = "crypto",

+	.m_doc = "Crypto functions required for SMB",

+	.m_size = -1,

+	.m_methods = py_crypto_methods,

+};

+

+MODULE_INIT_FUNC(crypto)

+{

+	PyObject *m;

+

+	m = PyModule_Create(&moduledef);

+	if (m == NULL)

+		return NULL;

+

+	return m;

+}

diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build

index 7f94532..d1f152e 100644

--- a/lib/crypto/wscript_build

+++ b/lib/crypto/wscript_build

@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',

         autoproto='test_proto.h',

         deps='LIBCRYPTO'

         )

+

+for env in bld.gen_python_environments():

+	bld.SAMBA_PYTHON('python_crypto',

+		source='py_crypto.c',

+		deps='LIBCRYPTO',

+		realname='samba/crypto.so'

+		)

diff --git a/python/samba/__init__.py b/python/samba/__init__.py

index 19d5e38..fa4244a 100644

--- a/python/samba/__init__.py

+++ b/python/samba/__init__.py

@@ -371,20 +371,8 @@ def string_to_byte_array(string):

     return blob

 def arcfour_encrypt(key, data):

-    try:

-        from Crypto.Cipher import ARC4

-        c = ARC4.new(key)

-        return c.encrypt(data)

-    except ImportError as e:

-        pass

-    try:

-        from M2Crypto.RC4 import RC4

-        c = RC4(key)

-        return c.update(data)

-    except ImportError as e:

-        pass

-    raise Exception("arcfour_encrypt() requires " +

-                    "python*-crypto or python*-m2crypto or m2crypto")

+    from samba.crypto import arcfour_crypt_blob

+    return arcfour_crypt_blob(data, key)

 import _glue

 version = _glue.version

-- 

2.9.3