Make python arcfour_crypt more portable
Alexander Bokovoy
ab at samba.org
Mon Feb 1 08:00:46 UTC 2016
On Sun, 31 Jan 2016, Stefan Metzmacher wrote:
> Hi,
>
> here are some fixes for https://bugzilla.samba.org/show_bug.cgi?id=11699
>
> Crypto.Cipher.ARC4 (from python-crypto) is not available on
> all platforms.
>
> We now fall back to use M2Crypto.RC4.RC4 (from [python*-]m2crypto)
> which should be available when python-crypto is not, e.g.
> on RHEL (at least 6?).
>
> Please review and push.
It is actually a bit more complex.
RHEL6 has M2Crypto, RHEL7 has python-cryptography and we want to get rid
of M2Crypto there. However, python-cryptography until very recently
played badly with SELinux due to writable anonymous memory allocations,
so we had to come up with a combination like this to be able to support
both Python 2 and Python 3:
+# Some versions of python-cryptography depend on python-cffi callbacks which
+# are built on top of libffi's closure API. The closures require writeable
+# and executable anonymous memory mappings, which violate SELinux execmem
+# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
+try:
+ from M2Crypto import RC4
+except ImportError:
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
+ from cryptography.hazmat.backends import default_backend
+
+ def arcfour_encrypt(key, data):
+ """RC4 with python-cryptography"""
+ algorithm = algorithms.ARC4(key)
+ cipher = Cipher(algorithm, mode=None, backend=default_backend())
+ encryptor = cipher.encryptor()
+ return encryptor.update(data)
+else:
+ def arcfour_encrypt(key, data):
+ """RC4 with M2Crypto"""
+ c = RC4.RC4(key)
+ return c.update(data)
+
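Review bot: In the `except ImportError:` branch the two `cryptography` imports are unguarded, so a host with neither M2Crypto nor python-cryptography fails at import time with an error that names only `cryptography`. Consider wrapping them in their own try/except and raising an ImportError that names both supported backends. The header comment says "Prefer M2Crypto on Python 2", but the `try:` block prefers M2Crypto whenever it imports, with no check of the Python version; the comment and the selection logic should be made to agree. The docstrings could also state that `key` and `data` are byte strings and that the same function serves for decryption, since RC4 is symmetric.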
I'll be busy and travelling for the next 1.5 weeks so maybe we can
improve the code you have after that, but ideally I'd like Python crypto
code to be ready for Python3 use as well, even though the rest of the code
isn't ready yet.
--
/ Alexander Bokovoy