Bug 695694

Summary: [libgcrypt] bind mounts allow FIPS mode checks to be bypassed
Product: [Fedora] Fedora Reporter: Bryn M. Reeves <bmr>
Component: libgcryptAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 19CC: jorton, nalin, rdieter, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 695693 Environment:
Last Closed: 2013-07-26 11:47:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Bryn M. Reeves 2011-04-12 12:49:29 UTC 
+++ This bug was initially created as a clone of Bug #695693 +++

Description of problem:
The procfs file /proc/sys/crypto/fips_enabled is used to gate FIPS-compliant behaviour in userspace cryptography libraries.

When set to '1' during boot the kernel will reject attempts to write to this file as it is created with mode 0444.

A malicious administrator can bind mount a file containing a single '0' over this path causing userspace libraries to incorrectly behave as though FIPS was not enabled.

Version-Release number of selected component (if applicable):
libgcrypt-1.4.6-1.fc16 and earlier

How reproducible:
100%

Steps to Reproduce:
1. echo 0 > /tmp/my_fips_enabled
2. mount --bind /tmp/my_fips_enabled /proc/sys/crypto/fips_enabled
3. cat /proc/sys/crypto/fips_enabled
4. <do something forbidden in FIPS e.g. openssl md5 digest>
  
Actual results:
3. # cat /proc/sys/crypto/fips_enabled
0
4. FIPS forbidden operations work

Expected results:
4. FIPS forbidden operations fail

Additional info:
Comment 1 Tomas Mraz 2011-04-12 13:36:14 UTC 
I do not think this is something that the library can guard against. There is a
myriad of ways how to bypass the FIPS mode if especially (but not exclusively)
the administrator wants to.
Comment 2 Bryn M. Reeves 2011-04-12 16:26:54 UTC 
Agreed - I noticed this last week (while testing FIPS changes for sos) and mentioned it to sgrubb who asked me to file a bug. Apparently since then it's been discussed on the FIPS list with the conclusion that this is hard if not impossible to avoid. Am happy with whatever disposition the relevant folks have for this bz ;)
Comment 3 Fedora End Of Life 2013-04-03 18:24:05 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19