Bug 1718933

Summary: utils: sss_hmac_sha1() function implementation is not FIPS140 compliant
Product: Red Hat Enterprise Linux 8
Reporter: Alexey Tikhonov <atikhono>
Component: sssd
Assignee: Alexey Tikhonov <atikhono>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, sgoveas, thalman, tscherf
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.2.3-2.el8
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-04-28 16:56:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alexey Tikhonov 2019-06-10 14:49:11 UTC
util/crypto/libcrypto: sss_hmac_sha1() function implementation breaks "No Algorithm decomposition" / "Do not implement own crypto" rules.

(As a side note: usage of SHA1 itself is eligible.)

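Added example, not SSSD code and not part of the ticket, to show what the "No Algorithm decomposition" / "Do not implement own crypto" rule in the description is about. The first function builds HMAC-SHA1 by hand out of raw SHA-1 calls (the RFC 2104 ipad/opad construction); the second hands the whole operation to the library's HMAC primitive in a single call. Both produce identical output, but only the second executes the HMAC inside the crypto library, which is the boundary a FIPS 140 validation covers. In SSSD the library is libcrypto; Python's hmac module stands in for it here. The RFC 2202 vectors are included to check both paths; the long-key input is constructed to exercise the key-hashing branch.

```python
import hashlib
import hmac

SHA1_BLOCK_SIZE = 64  # SHA-1 block size in bytes, per RFC 2104


def hmac_sha1_decomposed(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 composed by the application from raw SHA-1 calls.

    This is the pattern the bug report objects to: the approved algorithm
    (HMAC) is decomposed into hash calls in application code, so the HMAC
    itself never runs inside the validated crypto module. Correct output,
    but not FIPS-compliant usage.
    """
    if len(key) > SHA1_BLOCK_SIZE:
        key = hashlib.sha1(key).digest()          # RFC 2104: hash long keys first
    key = key.ljust(SHA1_BLOCK_SIZE, b"\x00")     # zero-pad to block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def hmac_sha1_library(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 delegated to the library's HMAC primitive in one call.

    The application never touches the construction; the library performs
    the whole HMAC, which is what a FIPS module can vouch for. In C against
    libcrypto the analogous call is the HMAC / EVP_MAC API (assumption: the
    exact API SSSD's fix used is not stated on this page).
    """
    return hmac.digest(key, msg, "sha1")


# RFC 2202 test vectors (test cases 1 and 2) plus a constructed long-key case.
# Expected digests are only given for the RFC vectors.
TEST_VECTORS = [
    (b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?",
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    (b"\xaa" * 80, b"constructed input with a key longer than one block", None),
]


def verify_vectors() -> bool:
    """Return True if both implementations agree on every vector and match
    the published RFC 2202 digests where one is given."""
    for key, msg, expected_hex in TEST_VECTORS:
        by_hand = hmac_sha1_decomposed(key, msg)
        by_lib = hmac_sha1_library(key, msg)
        if not hmac.compare_digest(by_hand, by_lib):
            return False
        if expected_hex is not None and by_lib.hex() != expected_hex:
            return False
    return True


if __name__ == "__main__":
    for key, msg, _ in TEST_VECTORS:
        print(hmac_sha1_decomposed(key, msg).hex(), hmac_sha1_library(key, msg).hex())
    print("vectors ok:", verify_vectors())
```

The point of the comparison is that a functional test cannot tell the two apart; the defect is in where the algorithm executes, not in the bytes it produces. Under a FIPS policy the first form either silently falls outside the validated boundary or, where the policy disables raw use of the underlying hash, fails at runtime, so the review has to look at the call structure rather than at test output.
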
Comment 1 Alexey Tikhonov 2019-06-10 15:54:51 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4022

Comment 2 Jakub Hrozek 2019-06-17 11:04:49 UTC
* master: 6839e6720a84bd4127efc15ed1b0b974794b30ae

Comment 3 Jakub Hrozek 2019-06-25 20:21:34 UTC
Related commits:
 * master: 6839e67
 * master: ee23b8e

(The second commit is not strictly needed as it fixes a compatibility issue with older OpenSSL releases, but IMO it is worth it to stay as close to upstream as possible.)

Comment 8 Niranjan Mallapadi Raghavender 2020-02-17 09:46:42 UTC
Versions:

sssd-client-2.2.3-15.el8.x86_64
sssd-krb5-common-2.2.3-15.el8.x86_64
sssd-krb5-2.2.3-15.el8.x86_64
sssd-client-debuginfo-2.2.3-14.el8.ptrhash_refactor_2.x86_64
sssd-common-2.2.3-15.el8.x86_64
sssd-proxy-2.2.3-15.el8.x86_64
sssd-common-pac-2.2.3-15.el8.x86_64
sssd-2.2.3-15.el8.x86_64

Ran basic FIPS sanity and SSH responder sanity tests:

test_krb_fips.py::Testkrbfips::test_fips_login PASSED               [ 14%]
test_krb_fips.py::Testkrbfips::test_fips_as_req PASSED              [ 28%]
test_krb_fips.py::Testkrbfips::test_fips_as_rep PASSED              [ 42%]
test_krb_fips.py::Testkrbfips::test_login_fips_weak_crypto PASSED   [ 57%]
test_krb_fips.py::Testkrbfips::test_ldap_gssapi PASSED              [ 71%]
test_krb_fips.py::Testkrbfips::test_tgs_nonfips PASSED              [ 85%]
test_ssh_authorizedkeys.py::TestSSHkeys::test_0001_bz1137013 PASSED [100%]

Comment 10 errata-xmlrpc 2020-04-28 16:56:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863