From 563829e681b9845325e7223c13c2e7b517f7e0df Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 15 Mar 2017 13:47:49 +0200
Subject: [PATCH] export arcfour_crypt_blob to Python as samba.crypto.arcfour_encrypt
---
 ...ment-samba.crypto-Python-module-for-.patch | 179 ++++++++++++++++++
 samba.spec | 7 +-
 2 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
diff --git a/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
new file mode 100644
index 0000000..73c72cd
--- /dev/null
+++ b/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
@@ -0,0 +1,179 @@ +From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 10 Mar 2017 16:20:06 +0200 +Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement a small Python module that exposes arcfour_crypt_blob() +function widely used in Samba C code. + +When Samba Python bindings are used to call LSA CreateTrustedDomainEx2, +there is a need to encrypt trusted credentials with RC4 cipher. + +Current Samba Python code relies on Python runtime to provide RC4 +cipher. However, in FIPS 140-2 mode system crypto libraries do not +provide access RC4 cipher at all. According to Microsoft dochelp team, +Windows is treating AuthenticationInformation blob encryption as 'plain +text' in terms of FIPS 140-2, thus doing application-level encryption. + +Replace samba.arcfour_encrypt() implementation with a call to +samba.crypto.arcfour_crypt_blob(). + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Simo Sorce +Reviewed-by: Guenther Deschner + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144 + +(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c) +--- + lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ + lib/crypto/wscript_build | 7 ++++ + python/samba/__init__.py | 16 ++------- + 3 files changed, 99 insertions(+), 14 deletions(-) + create mode 100644 lib/crypto/py_crypto.c + +diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c +new file mode 100644 +index 0000000..bf7f9f4 +--- /dev/null ++++ b/lib/crypto/py_crypto.c +@@ -0,0 +1,90 @@ ++/* ++ Unix SMB/CIFS implementation. 
++ Samba crypto functions ++ ++ Copyright (C) Alexander Bokovoy 2017 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include "includes.h" ++#include "python/py3compat.h" ++#include "lib/crypto/arcfour.h" ++ ++static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs) ++{ ++ DATA_BLOB data, key; ++ PyObject *py_data, *py_key, *result; ++ TALLOC_CTX *ctx; ++ ++ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key)) ++ return NULL; ++ ++ if (!PyBytes_Check(py_data)) { ++ PyErr_Format(PyExc_TypeError, "bytes expected"); ++ return NULL; ++ } ++ ++ if (!PyBytes_Check(py_key)) { ++ PyErr_Format(PyExc_TypeError, "bytes expected"); ++ return NULL; ++ } ++ ++ ctx = talloc_new(NULL); ++ ++ data.length = PyBytes_Size(py_data); ++ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length); ++ if (!data.data) { ++ talloc_free(ctx); ++ return PyErr_NoMemory(); ++ } ++ ++ key.data = (uint8_t *)PyBytes_AsString(py_key); ++ key.length = PyBytes_Size(py_key); ++ ++ arcfour_crypt_blob(data.data, data.length, &key); ++ ++ result = PyBytes_FromStringAndSize((const char*) data.data, data.length); ++ talloc_free(ctx); ++ return result; ++} ++ ++ ++static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n" ++ "Encrypt the data with RC4 algorithm using the key"; ++ ++static PyMethodDef py_crypto_methods[] = { ++ { 
"arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc }, ++ { NULL }, ++}; ++ ++static struct PyModuleDef moduledef = { ++ PyModuleDef_HEAD_INIT, ++ .m_name = "crypto", ++ .m_doc = "Crypto functions required for SMB", ++ .m_size = -1, ++ .m_methods = py_crypto_methods, ++}; ++ ++MODULE_INIT_FUNC(crypto) ++{ ++ PyObject *m; ++ ++ m = PyModule_Create(&moduledef); ++ if (m == NULL) ++ return NULL; ++ ++ return m; ++} +diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build +index 7f94532..d1f152e 100644 +--- a/lib/crypto/wscript_build ++++ b/lib/crypto/wscript_build +@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', + autoproto='test_proto.h', + deps='LIBCRYPTO' + ) ++ ++for env in bld.gen_python_environments(): ++ bld.SAMBA_PYTHON('python_crypto', ++ source='py_crypto.c', ++ deps='LIBCRYPTO', ++ realname='samba/crypto.so' ++ ) +diff --git a/python/samba/__init__.py b/python/samba/__init__.py +index 19d5e38..fa4244a 100644 +--- a/python/samba/__init__.py ++++ b/python/samba/__init__.py +@@ -371,20 +371,8 @@ def string_to_byte_array(string): + return blob + + def arcfour_encrypt(key, data): +- try: +- from Crypto.Cipher import ARC4 +- c = ARC4.new(key) +- return c.encrypt(data) +- except ImportError as e: +- pass +- try: +- from M2Crypto.RC4 import RC4 +- c = RC4(key) +- return c.update(data) +- except ImportError as e: +- pass +- raise Exception("arcfour_encrypt() requires " + +- "python*-crypto or python*-m2crypto or m2crypto") ++ from samba.crypto import arcfour_crypt_blob ++ return arcfour_crypt_blob(data, key) + + import _glue + version = _glue.version +-- +2.9.3 + diff --git a/samba.spec b/samba.spec index d33b292..9e48137 100644 --- a/samba.spec +++ b/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 3 +%define main_release 4 %define samba_version 4.6.0 %define talloc_version 2.1.9 
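Review bot: In py_crypto_arcfour_crypt_blob() (lib/crypto/py_crypto.c in the embedded patch) the key blob goes to arcfour_crypt_blob() with no length check, and the result of `talloc_new(NULL)` is used without a NULL test. arcfour_crypt_blob() itself is not shown on this page, so whether a zero-length key is handled safely there cannot be confirmed; rejecting it in the binding with `if (PyBytes_Size(py_key) == 0) { PyErr_Format(PyExc_ValueError, "key must not be empty"); return NULL; }` keeps a caller mistake in Python from reaching the C key schedule. Adding `if (ctx == NULL) return PyErr_NoMemory();` right after the allocation covers the other gap, since the later `talloc_free(ctx)` would otherwise not release the duplicated buffer. Separately, the handler is declared with a third `PyObject *kwargs` parameter but registered as `METH_VARARGS` only, so it is called through a mismatched function-pointer type; dropping the unused parameter makes the signature agree with the `(PyCFunction)` cast.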
@@ -109,6 +109,7 @@ Source201: README.downgrade Patch0: samba-v4.6-gss_krb5_import_cred.patch Patch1: samba-v4.6-credentials-fix-realm.patch +Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -2629,6 +2630,10 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Wed Mar 15 2017 Alexander Bokovoy - 4.6.0-4 +- Export arcfour_crypt_blob to Python as samba.crypto.arcfour_encrypt +- Makes possible to run trust to AD in FreeIPA in FIPS mode + * Thu Mar 10 2017 Alexander Bokovoy - 4.6.0-3 - auth/credentials: Always set the the realm if we set the principal from the ccache - resolves: #1430761 - credentials_crb5: use gss_acquire_cred for client-side GSSAPI use case