From 4e54b3526ae140a419fc50eae3a2e30e25373529 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 May 2019 09:31:02 +0200
Subject: [PATCH 204/208] lib:crypto: Allow py_crypto to use RC4 in FIPS mode

This is a public function, so it can be consumed by others. E.g.
FreeIPA uses it to establish trusts. Not sure if this is
a problem with FIPS.

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 lib/crypto/py_crypto.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
index c85cd2c13d2..f4b5b745daf 100644
--- a/lib/crypto/py_crypto.c
+++ b/lib/crypto/py_crypto.c
@@ -22,7 +22,7 @@
 #include "includes.h"
 #include "python/py3compat.h"
 
-#include <gnutls/gnutls.h>
+#include "gnutls_helpers.h"
 #include <gnutls/crypto.h>
 
 static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
@@ -61,11 +61,15 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
 		.size = PyBytes_Size(py_key),
 	};
 
+	GNUTLS_FIPS140_SET_LAX_MODE();
+
 	rc = gnutls_cipher_init(&cipher_hnd,
 				GNUTLS_CIPHER_ARCFOUR_128,
 				&key,
 				NULL);
 	if (rc < 0) {
+		GNUTLS_FIPS140_SET_STRICT_MODE();
+
 		talloc_free(ctx);
 		PyErr_Format(PyExc_OSError, "encryption failed");
 		return NULL;
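Review bot: The `GNUTLS_FIPS140_SET_LAX_MODE()` call placed before `gnutls_cipher_init` has no comment saying why relaxing FIPS enforcement is acceptable here, and the commit message itself leaves that question open. Because `py_crypto_arcfour_crypt_blob` is a Python binding, every caller of the module gets RC4 on a FIPS-mode host, not only the trust-establishment path the message mentions. I would add a comment above the macro, for example `/* RC4 is not FIPS-approved; lax mode is limited to this cipher operation because trust setup (e.g. FreeIPA) depends on it */`. The macro is defined in gnutls_helpers.h, which this patch does not show, so whether the relaxation is scoped to the calling thread cannot be confirmed from the hunk. The function body starts and ends outside the hunk.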
@@ -74,6 +78,9 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
 				   data.data,
 				   data.length);
 	gnutls_cipher_deinit(cipher_hnd);
+
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+
 	if (rc < 0) {
 		talloc_free(ctx);
 		PyErr_Format(PyExc_OSError, "encryption failed");
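Review bot: The restore after `gnutls_cipher_deinit` (and the one on the `gnutls_cipher_init` error path in the previous hunk) forces strict mode unconditionally instead of putting back whatever mode was active before `GNUTLS_FIPS140_SET_LAX_MODE()`. The macros are defined in gnutls_helpers.h, outside this patch, so if they do not already guard on FIPS being enabled, a caller running in another mode would leave this function in strict mode. Capturing `unsigned prev = gnutls_fips140_mode_enabled();` before the relax and restoring with `gnutls_fips140_set_mode(prev, GNUTLS_FIPS140_SET_MODE_THREAD);` would avoid that. Pairing the set and restore by hand on each exit also means any return added later between the two calls would leave lax mode active, which is worth a comment at the relax site. The function continues outside the hunk.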
-- 
2.23.0