#6697 [Tracker] FIPS mode for trust to AD feature
Closed: fixed 7 years ago Opened 7 years ago by abbra.

In FIPS mode, the trust-to-AD code in dcerpc.py uses the RC4 cipher at the application level to encrypt trusted domain object credentials. The key for encryption is the key of the RPC transport session, which is encrypted by itself.

Currently we use the RC4 support provided by the Python runtime. If the Python runtime disables the RC4 cipher in FIPS mode, we need to find another source for it. Samba already has an RC4 implementation, but it is not exposed in the Python bindings we use. Thus, the best solution would be to expose encryption and decryption of the TDO credentials in the Samba Python bindings.

Once this is done, switch to using the Samba-provided encryption/decryption of TDO credentials in dcerpc.py.


Would a cffi/ctypes wrapper be acceptable?
Or is there a plan to provide Python bindings in Samba and use them?

Samba already has an arcfour implementation (in libsamba-util.so). It also has the samba.arcfour_encrypt Python function, which is a wrapper around system-provided ones. However, this one will fail in FIPS mode, so we need to use the one from libsamba-util.so.

Perhaps the best way would be to add a cffi/ctypes wrapper into samba.arcfour_encrypt() as a fallback in case all system-provided ones fail.
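An added example (not code from this ticket, from dcerpc.py or from Samba) of what the fallback idea above amounts to: encrypt the TDO credential blob with RC4 keyed by the RPC session key, select a backend, and run a known-answer test before trusting it. The samba.crypto.arcfour_encrypt name and its (key, data) signature are assumptions; the pure-Python RC4 is a stand-in used only when the Samba bindings are not importable.

```python
# Added example: application-level RC4 protection of TDO credentials keyed
# with the RPC session key, plus a known-answer self-test of the backend.
from typing import Callable

# Public RC4 test vector (key "Key", plaintext "Plaintext").
_KAT_KEY = b"Key"
_KAT_PLAIN = b"Plaintext"
_KAT_CIPHER = bytes.fromhex("bbf316e8d940af0ad3")


def rc4_reference(key: bytes, data: bytes) -> bytes:
    """Pure-Python RC4 (KSA + PRGA); an offline stand-in, not Samba's code."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def select_arcfour() -> Callable[[bytes, bytes], bytes]:
    """Prefer Samba's libsamba-util export (the FIPS-safe one per the ticket),
    fall back to the reference code, and refuse any backend that fails the KAT."""
    try:
        from samba.crypto import arcfour_encrypt   # assumption: (key, data) -> bytes
        backend = arcfour_encrypt
    except ImportError:
        backend = rc4_reference
    if backend(_KAT_KEY, _KAT_PLAIN) != _KAT_CIPHER:
        raise RuntimeError("arcfour backend failed known-answer test")
    return backend


def protect_tdo_credentials(session_key: bytes, credentials: bytes) -> bytes:
    """Encrypt (or, RC4 being symmetric, decrypt) the TDO credential blob."""
    return select_arcfour()(session_key, credentials)
```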

Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue priority set to: 1 (was: 3)
- Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Issue assigned to abbra (was: someone)

7 years ago

The switch to Samba's implementation of arcfour encryption was pushed to:

master:

  • 7657754 ipaserver/dcerpc.py: use arcfour_encrypt from samba

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

@stlaz Could you send a patch to bump the version of samba or, if already done, update this with the commit id and close?

Metadata Update from @pvoborni:
- Issue assigned to stlaz (was: abbra)

7 years ago

AFAIK, it should be Fedora's 4.6.0-4 according to:

* Wed Mar 15 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-4 
- Export arcfour_crypt_blob to Python as samba.crypto.arcfour_encrypt 
- Makes possible to run trust to AD in FreeIPA in FIPS mode

When done, also close #6671, which requires a bump to a lower version of samba than this ticket.

ipa-4-5:

  • 41ff57b Bump samba version for FIPS and priv. separation

master:

  • b7ae336 Bump samba version for FIPS and priv. separation

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436342

7 years ago
