lib/crypto: implement samba.crypto Python module for RC4

Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.

When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.

Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.

Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144

2 files changed, 97 insertions, 0 deletions

diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
new file mode 100644
index 00000000000..bf7f9f4481c
--- /dev/null
+++ b/lib/crypto/py_crypto.c
@@ -0,0 +1,90 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba crypto functions
+
+   Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <Python.h>
+#include "includes.h"
+#include "python/py3compat.h"
+#include "lib/crypto/arcfour.h"
+
+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
+{
+	DATA_BLOB data, key;
+	PyObject *py_data, *py_key, *result;
+	TALLOC_CTX *ctx;
+
+	if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
+		return NULL;
+
+	if (!PyBytes_Check(py_data)) {
+		PyErr_Format(PyExc_TypeError, "bytes expected");
+		return NULL;
+	}
+
+	if (!PyBytes_Check(py_key)) {
+		PyErr_Format(PyExc_TypeError, "bytes expected");
+		return NULL;
+	}
+
+	ctx = talloc_new(NULL);
+
+	data.length = PyBytes_Size(py_data);
+	data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
+	if (!data.data) {
+		talloc_free(ctx);
+		return PyErr_NoMemory();
+	}
+
+	key.data = (uint8_t *)PyBytes_AsString(py_key);
+	key.length = PyBytes_Size(py_key);
+
+	arcfour_crypt_blob(data.data, data.length, &key);
+
+	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
+	talloc_free(ctx);
+	return result;
+}
+
+
+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
+					 "Encrypt the data with RC4 algorithm using the key";
+
+static PyMethodDef py_crypto_methods[] = {
+	{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
+	{ NULL },
+};
+
+static struct PyModuleDef moduledef = {
+	PyModuleDef_HEAD_INIT,
+	.m_name = "crypto",
+	.m_doc = "Crypto functions required for SMB",
+	.m_size = -1,
+	.m_methods = py_crypto_methods,
+};
+
+MODULE_INIT_FUNC(crypto)
+{
+	PyObject *m;
+
+	m = PyModule_Create(&moduledef);
+	if (m == NULL)
+		return NULL;
+
+	return m;
+}
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 7f9453252c1..d1f152ebcf1 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
         autoproto='test_proto.h',
         deps='LIBCRYPTO'
         )
+
+for env in bld.gen_python_environments():
+	bld.SAMBA_PYTHON('python_crypto',
+		source='py_crypto.c',
+		deps='LIBCRYPTO',
+		realname='samba/crypto.so'
+		)