In FIPS mode, trust to AD (dcerpc.py) uses the RC4 cipher at the application level to encrypt trusted domain object credentials. The key for encryption is the key of the RPC transport session, which is encrypted by itself.
Currently we use the RC4 support provided by the Python runtime. If the Python runtime disables the RC4 cipher in FIPS mode, we need to find another source for it. Samba already has an RC4 implementation, but it is not exposed to the Python bindings we use. Thus, the best solution would be to expose encryption and decryption of the TDO credentials in the Samba Python bindings.
Once this is done, switch to using the Samba-provided encryption/decryption of TDO credentials in dcerpc.py.
Would a cffi/ctypes wrapper be acceptable? Or is there a plan to provide Python bindings in Samba and use them?
Samba already has an arcfour implementation (in libsamba-util.so). It also has the samba.arcfour_encrypt Python function, which is a wrapper around system-provided ones. However, this one will fail in FIPS mode, so we need to use the one from libsamba-util.so.
Perhaps the best way would be to add a cffi/ctypes wrapper into samba.arcfour_encrypt() as a fallback in case all system-provided ones fail.
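The fallback chain proposed above, as an added example that is not FreeIPA's or Samba's own code: prefer the samba.crypto.arcfour_encrypt binding, then call arcfour_crypt_blob from libsamba-util via ctypes, and only as a last resort use a pure-Python RC4 so the TDO credential path still has a provider when the system cipher is disabled in FIPS mode. The (key, data) argument order of samba.crypto.arcfour_encrypt, the library name "samba-util" and the C prototype of arcfour_crypt_blob are assumptions, not taken from this ticket.

```python
import ctypes
import ctypes.util


def rc4_python(key: bytes, data: bytes) -> bytes:
    """Reference RC4 (arcfour): key scheduling, then keystream XOR.
    Encrypting and decrypting are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


class DataBlob(ctypes.Structure):
    # Assumed to mirror Samba's DATA_BLOB: { uint8_t *data; size_t length; }
    _fields_ = [("data", ctypes.POINTER(ctypes.c_uint8)), ("length", ctypes.c_size_t)]


def rc4_libsamba(key: bytes, data: bytes) -> bytes:
    """ctypes call into libsamba-util. Assumed prototype:
    void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key)"""
    path = ctypes.util.find_library("samba-util")
    if path is None:
        raise OSError("libsamba-util not found")
    fn = ctypes.CDLL(path).arcfour_crypt_blob
    fn.restype = None
    fn.argtypes = [ctypes.POINTER(ctypes.c_uint8), ctypes.c_int, ctypes.POINTER(DataBlob)]
    buf = (ctypes.c_uint8 * len(data)).from_buffer_copy(data)  # encrypted in place
    kbuf = (ctypes.c_uint8 * len(key)).from_buffer_copy(key)
    blob = DataBlob(ctypes.cast(kbuf, ctypes.POINTER(ctypes.c_uint8)), len(key))
    fn(ctypes.cast(buf, ctypes.POINTER(ctypes.c_uint8)), len(data), ctypes.byref(blob))
    return bytes(buf)


def arcfour_crypt(key: bytes, data: bytes) -> bytes:
    """Provider chain: samba.crypto binding -> libsamba-util -> pure Python."""
    try:
        from samba.crypto import arcfour_encrypt  # assumed (key, data) order
        return arcfour_encrypt(key, data)
    except ImportError:
        pass
    try:
        return rc4_libsamba(key, data)
    except (OSError, AttributeError):
        return rc4_python(key, data)
```

Whichever provider answers, the result must match the published RC4 test vectors, which is the check to keep when swapping implementations.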
Metadata Update from @abbra: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue close_status updated to: None - Issue priority set to: 1 (was: 3) - Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @pvoborni: - Custom field affects_doc reset - Issue assigned to abbra (was: someone)
The switch to Samba's implementation of arcfour encryption was pushed to:
master:
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
@stlaz Could you send a patch to bump the version of samba, or if already done, update this with the commit id and close?
Metadata Update from @pvoborni: - Issue assigned to stlaz (was: abbra)
AFAIK, it should be Fedora's 4.6.0-4 according to:
* Wed Mar 15 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-4
- Export arcfour_crypt_blob to Python as samba.crypto.arcfour_encrypt
- Makes possible to run trust to AD in FreeIPA in FIPS mode
When done, also close #6671, which requires a bump to a lower version of samba than this ticket.
ipa-4-5:
41ff57b Bump samba version for FIPS and priv. separation
master:
b7ae336 Bump samba version for FIPS and priv. separation
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436342
Issue linked to bug 1436342