Bug 1190303
| Field | Value |
|---|---|
| Summary | Key strength validation is not performed for RC4 algorithm |
| Product | Red Hat Enterprise Linux 6 |
| Component | jss |
| Version | 6.7 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Matthew Harmsen <mharmsen> |
| Assignee | Christina Fu <cfu> |
| QA Contact | Asha Akkiangady <aakkiang> |
| CC | aakkiang, cfu, edewata, extras-qa, gsterlin, jdennis, mharmsen, nkinder, rmeggins, rpattath |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | jss-4.2.6-35.el6 |
| Doc Type | Bug Fix |
| Doc Text | Prior to this update, the source code for JSS was missing a condition for validating the key strength for the RC4 software stream cipher. As a consequence, JSS did not validate the key strength properly. A patch has been applied to fix this bug, and JSS now performs key strength validation checks as expected. (BZ#1190303) |
| Story Points | --- |
| Clone Of | 1133718 |
| Type | Bug |
| Last Closed | 2015-07-22 06:28:50 UTC |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1133717, 1133718 |
Need more information on how this bug can be verified on RHEL 6.7

(In reply to Roshni from comment #3)
> Need more information on how this bug can be verified on RHEL 6.7

You would have to write a custom client for JSS, as the RHCS REST interface that was used to find this issue does not exist on RHEL 6.x. It should be sufficient to validate this as sanity only by applications that use JSS.

I downloaded and extracted the src files from jss-4.2.6-35.el6.src.rpm and verified the code for the changes for this bug.

```java
// Before the fix: the validator accepts every key strength unconditionally
public static final KeyGenAlgorithm RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
    new KeyStrengthValidator() {
        public boolean isValidKeyStrength(int strength) {
            return true;
        }
    }, null, null);
```

The expected is:

```java
// After the fix: RC4 key strength must lie between 40 bits and 256 bytes (2048 bits)
public static final KeyGenAlgorithm RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
    new KeyStrengthValidator() {
        public boolean isValidKeyStrength(int strength) {
            return strength >= 40 && strength <= (256 * 8);
        }
    }, null, null);
```

Roshni, how did you look at the source? JSS is built with the rpmbuild patching system where patches are patched in during the build. For example, this particular patch is called something like: jss-RC4-strengh-verify.patch. You will have to rpmbuild it to look. Was that what you did?

OK, I was looking at mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java. I checked jss-RC4-strengh-verify.patch and I see the change there. I was able to verify https://bugzilla.redhat.com/show_bug.cgi?id=1167470 and https://bugzilla.redhat.com/show_bug.cgi?id=1190302, which are applications that use JSS. So verifying this bug is sanity only.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1315.html

Created attachment 991449: Patch to verify RC4 strength