Make python arcfour_crypt more portable

Alexander Bokovoy ab at samba.org
Tue Feb 2 11:37:55 UTC 2016


On Tue, 02 Feb 2016, Stefan Metzmacher wrote:
> Hi Alexander,
> 
> >> here're some fixes for https://bugzilla.samba.org/show_bug.cgi?id=11699
> >>
> >> Crypto.Cipher.ARC4 (from python-crypto) is not available on
> >> all platforms.
> >>
> >> We now fall back to use M2Crypto.RC4.RC4 (from python*-]m2crypto)
> >> which should be available when python-crypto is not, e.g.
> >> on RHEL (at least 6?).
> >>
> >> Please review and push.
> > It is actually a bit more complex.
> > 
> > RHEL6 has M2Crypto, RHEL7 has python-cryptography and we want to get rid
> > of M2Crypto there. However, python-cryptography until very recently
> > played badly with SELinux due to writable anonymous memory allocations,
> > so we had to come up with a combination like this to be able to support
> > both Python 2 and Python 3:
> 
> I was wrong, python-crypto is available on debian*, ubuntu*, SLES* and
> RHEL6.
> RHEL7 is the only one that doesn't have it.
Correct. Python community decided to have python-cryptography going
forward as their primary source of cryptography primitives.

> RHEL7 has only m2crypto.
> And I see python-cryptography only on SLE12.
No, python-cryptography is in RHEL7, starting with 7.2, and we are
trying to avoid using m2crypto and standardize on python-cryptography.
python-cryptography is a way forward to support both Python2 and
Python3 upstream-wise.

> As my code is better than the current state, I'd suppose that
> we take it as is. This fixes a bug and should be backported to 4.3
> and 4.4.
> 
> We can do any further improvement later e.g. for python3 support later
> in master.
I agree with this, however, I'll come up with additional patches for
4.3/4.4 for python-cryptography as well by the time Samba will be
rebased in RHEL7.


-- 
/ Alexander Bokovoy
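
Added example (not part of the original message, and not Samba's own code): one way to build the backend fallback discussed in this thread, where each candidate library is accepted only if it imports and reproduces a reference RC4 output. The function names, the probe order and the pure-Python last resort are assumptions made for illustration.

```python
# Added example; names and backend order are illustrative assumptions.
def rc4_pure(key, data):
    """Reference RC4 (KSA + PRGA): last resort and self-test oracle."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _pycrypto(key, data):            # python-crypto / pycryptodome
    from Crypto.Cipher import ARC4
    return ARC4.new(key).encrypt(data)

def _m2crypto(key, data):            # M2Crypto
    from M2Crypto.RC4 import RC4
    return RC4(key).update(data)

def _cryptography(key, data):        # python-cryptography
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
    enc = Cipher(algorithms.ARC4(key), None, default_backend()).encryptor()
    return enc.update(data) + enc.finalize()

def select_backend():
    """First backend that imports AND matches the reference output."""
    probe_key = bytes(range(16))     # 128-bit key, valid for every backend
    probe_data = b"constructed self-test input"
    expected = rc4_pure(probe_key, probe_data)
    for name, func in (("pycrypto", _pycrypto), ("m2crypto", _m2crypto),
                       ("cryptography", _cryptography)):
        try:
            if func(probe_key, probe_data) == expected:
                return name, func
        except Exception:  # missing module, RC4 disabled by policy, API drift
            continue
    return "pure-python", rc4_pure

BACKEND_NAME, _BACKEND = select_backend()

def arcfour_crypt(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return _BACKEND(key, data)
```

The library backends restrict key sizes differently, so this sketch assumes 16-byte keys; logging BACKEND_NAME at start-up shows which library a given platform ended up with.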


