Bug 1190303

Summary: Key strength validation is not performed for RC4 algorithm
Product: Red Hat Enterprise Linux 6
Reporter: Matthew Harmsen <mharmsen>
Component: jss
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.7
CC: aakkiang, cfu, edewata, extras-qa, gsterlin, jdennis, mharmsen, nkinder, rmeggins, rpattath
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: jss-4.2.6-35.el6
Doc Type: Bug Fix
Doc Text:
Prior to this update, the source code for JSS was missing a condition for validating the key strength for the RC4 software stream cipher. As a consequence, JSS did not validate the key strength properly. A patch has been applied to fix this bug, and JSS now performs key strength validation checks as expected. (BZ#1190303)
Story Points: ---
Clone Of: 1133718
Environment:
Last Closed: 2015-07-22 06:28:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1133717, 1133718
Bug Blocks:
Attachments:
Patch to verify RC4 strength (flags: none)

Comment 1 Matthew Harmsen 2015-02-13 17:30:51 UTC
Created attachment 991449 [details]
Patch to verify RC4 strength

Comment 3 Roshni 2015-04-13 19:09:17 UTC
Need more information on how this bug can be verified on RHEL 6.7

Comment 4 Nathan Kinder 2015-04-14 19:34:05 UTC
(In reply to Roshni from comment #3)
> Need more information on how this bug can be verified on RHEL 6.7

You would have to write a custom client for JSS, as the RHCS REST interface that was used to find this issue does not exist on RHEL 6.x.  It should be sufficient to validate this as sanity only by applications that use JSS.

Comment 5 Roshni 2015-04-14 20:42:46 UTC
I downloaded and extracted the src files from jss-4.2.6-35.el6.src.rpm and verified the code for the changes for this bug. 

public static final KeyGenAlgorithm
    RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
            new KeyStrengthValidator() {
                public boolean isValidKeyStrength(int strength) {
                    return true;
                }
            }, null, null);

The expected code is:

public static final KeyGenAlgorithm
    RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
            new KeyStrengthValidator() {
                public boolean isValidKeyStrength(int strength) {
                    return strength>=40 && strength <= (256*8);
                }
            }, null, null);

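The two snippets above show the validator before and after the patch. As an added example (not JSS code and not part of this bug report), the following stand-alone Java program mirrors the JSS pattern with its own stand-in interface and algorithm descriptor (the `KeyStrengthValidator`, `KeyGenAlgorithm`, `initialize` and `accepts` names here are the example's own, not the JSS API) and shows why the accept-all validator matters: a generator that consults it lets out-of-range strengths such as 0, 8 or 4096 bits through, while the bounded check from the patch (40 to 256*8 bits) rejects them.

```java
// Added example, not JSS code: a minimal stand-in for the JSS
// KeyStrengthValidator pattern seen in KeyGenAlgorithm.java, contrasting the
// accept-all validator (before the fix) with the bounded check (after the fix).
import java.util.Arrays;
import java.util.List;

public class Rc4StrengthCheck {

    // Stand-in for the JSS validator interface: one method, strength in bits.
    interface KeyStrengthValidator {
        boolean isValidKeyStrength(int strength);
    }

    // Stand-in for a key generation algorithm descriptor: a name plus the
    // validator consulted before any key material is produced.
    static final class KeyGenAlgorithm {
        final String name;
        final KeyStrengthValidator validator;

        KeyGenAlgorithm(String name, KeyStrengthValidator validator) {
            this.name = name;
            this.validator = validator;
        }
    }

    // Before the fix: every requested strength is accepted.
    static final KeyGenAlgorithm RC4_UNCHECKED =
        new KeyGenAlgorithm("RC4", strength -> true);

    // After the fix: strength must lie in [40, 256*8] bits
    // (RC4 keys are 5 to 256 bytes long).
    static final KeyGenAlgorithm RC4_CHECKED =
        new KeyGenAlgorithm("RC4", strength -> strength >= 40 && strength <= (256 * 8));

    // Stand-in for the generator's initialize(strength) step: reject the
    // request before generation if the algorithm's validator says no.
    static void initialize(KeyGenAlgorithm alg, int strength) {
        if (!alg.validator.isValidKeyStrength(strength)) {
            throw new IllegalArgumentException(
                alg.name + ": invalid key strength " + strength + " bits");
        }
    }

    // True if initialize() accepts the strength, false if it rejects it.
    static boolean accepts(KeyGenAlgorithm alg, int strength) {
        try {
            initialize(alg, strength);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample strengths: below the minimum, at both bounds,
        // a typical value, and above the maximum.
        List<Integer> strengths = Arrays.asList(0, 8, 40, 128, 2048, 4096);
        System.out.println("strength  unchecked  checked");
        for (int s : strengths) {
            System.out.printf("%8d  %9b  %7b%n",
                s, accepts(RC4_UNCHECKED, s), accepts(RC4_CHECKED, s));
        }
    }
}
```

Running it prints one row per strength: the unchecked column is true for every value, while the checked column is false for 0, 8 and 4096 and true for 40, 128 and 2048. In a real deployment the same check is what stops an application from unknowingly generating an RC4 key shorter than 40 bits (or longer than the cipher's 256-byte maximum) through JSS.
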
Comment 6 Christina Fu 2015-04-14 20:49:15 UTC
Roshni,
How did you look at the source?  JSS is built with the rpmbuild patching system where patches are patched in during the build.  For example, this particular patch is called something like:
jss-RC4-strengh-verify.patch

You will have to rpmbuild it to look.  Was that what you did?

Comment 7 Roshni 2015-04-15 17:03:21 UTC
OK, I was looking at mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java. I checked jss-RC4-strengh-verify.patch and I see the change there.

I was able to verify https://bugzilla.redhat.com/show_bug.cgi?id=1167470 and https://bugzilla.redhat.com/show_bug.cgi?id=1190302, which are applications that use JSS. So verifying this bug is sanity only.

Comment 9 errata-xmlrpc 2015-07-22 06:28:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1315.html