Bug 1660177 - FIPS-140: Tracker for compliance in .NET Core packages
Summary: FIPS-140: Tracker for compliance in .NET Core packages
Keywords:
Status: CLOSED EOL
Alias: None
Product: dotNET
Classification: Red Hat
Component: rh-dotnet60
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ga
: 6.0
Assignee: Omair Majid
QA Contact: jiri vanek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-12-17 17:29 UTC by David Mulford
Modified: 2025-01-20 14:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2025-01-20 14:55:52 UTC
Target Upstream Version:
Embargoed:



Description David Mulford 2018-12-17 17:29:28 UTC
This bug is a tracker for FIPS-140 compliance in the Red Hat .NET Core packages. As of now, we have discussed this internally, with the following summary.

.NET Core calls out to OpenSSL for all but the following crypto algorithms.

  - RSA-PSS
  - RSA-OAEP
  - IDEA

Some work with Microsoft is needed here, as there have been discussions about moving more implementations within the .NET framework.

Comment 1 David Mulford 2019-01-23 14:45:19 UTC
Any update on this? The upstream issue [1] seems to also have gone silent, so let me know if there is anything needed from me to push this forward.

[1] https://github.com/dotnet/corefx/issues/29417

Comment 4 Omair Majid 2020-01-24 15:20:45 UTC
.NET Core 2.2 has gone EOL.

I am re-targeting the bug to the latest version, .NET Core 3.1.

Comment 6 Omair Majid 2022-06-07 13:30:31 UTC
(In reply to David Mulford from comment #0)
> .NET Core calls out to OpenSSL for all but the following crypto algorithms.
> 
>   - RSA-PSS
>   - RSA-OAEP
>   - IDEA

With recent versions of .NET:

- It's my understanding that RSA-PSS and RSA-OAEP are only used on the fallback code paths, if OpenSSL is missing these features. These code paths shouldn't get executed on RHEL.

- The IDEA implementation is a unit test case. It's not part of the .NET product itself. The only IDEA implementation that .NET applications can make use of is the OpenSSL-based one.

Comment 8 Omair Majid 2024-06-06 14:14:58 UTC
We have noticed that .NET allows using MD5 (but not HMAC-MD5) even in FIPS configuration: https://github.com/dotnet/runtime/pull/94934. This is .NET explicitly telling OpenSSL that it wants to use MD5 for a use-case that's not security relevant. But an application running on .NET can go ahead and use MD5 through .NET for something security relevant, violating the intent.

In other words, .NET does make some non-FIPS-compliant algorithms available to applications even in FIPS mode. It seems it is up to applications not to use those algorithms in a security-relevant context in FIPS mode.
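The behaviour described in comment 8 (MD5 callable from .NET even under a FIPS configuration, HMAC-MD5 not, so the application has to police its own use) lends itself to a small runtime check. The following is an added example, not code from this bug, from Red Hat or from the .NET project: it probes which MD5-family primitives the runtime actually permits on the current host and shows an application-side guard that refuses MD5 when a hash is being created for a security-relevant purpose. The helper names (`ProbeMd5Availability`, `CreateHashForSecurityUse`), the SHA-2-only allow-list and the sample input are assumptions of this example, not anything the bug specifies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not part of the bug report or of .NET itself).
// Probes MD5 vs. HMAC-MD5 availability and demonstrates an application-side
// policy that keeps MD5 out of security-relevant code paths, since the
// runtime itself does not block it in FIPS mode.
public static class FipsMd5Check
{
    // Constructed sample input and a constructed placeholder key; any bytes would do.
    private static readonly byte[] Sample = Encoding.ASCII.GetBytes("sample input");
    private static readonly byte[] SampleKey = new byte[16];

    // Returns which MD5-family primitives the runtime permits right now.
    // With FIPS-enforcing OpenSSL, comment 8 reports MD5 works but HMAC-MD5 does not.
    public static (bool Md5, bool HmacMd5) ProbeMd5Availability()
    {
        bool md5 = TryRun(() =>
        {
            using var h = MD5.Create();
            h.ComputeHash(Sample);
        });
        bool hmac = TryRun(() =>
        {
            using var h = new HMACMD5(SampleKey);
            h.ComputeHash(Sample);
        });
        return (md5, hmac);
    }

    // Treat any cryptographic refusal from the platform as "not available".
    private static bool TryRun(Action action)
    {
        try { action(); return true; }
        catch (CryptographicException) { return false; }
        catch (PlatformNotSupportedException) { return false; }
    }

    // Hash selection for security-relevant use (signatures, integrity checks,
    // password-derived material). MD5 is rejected by policy regardless of what
    // the runtime would allow; only the SHA-2 family is returned (assumed allow-list).
    public static HashAlgorithm CreateHashForSecurityUse(string algorithmName)
    {
        switch (algorithmName.ToUpperInvariant())
        {
            case "SHA256": return SHA256.Create();
            case "SHA384": return SHA384.Create();
            case "SHA512": return SHA512.Create();
            case "MD5":
                throw new CryptographicException(
                    "MD5 is not permitted for security-relevant use under this application's policy.");
            default:
                throw new ArgumentException(
                    $"Unknown or disallowed hash algorithm '{algorithmName}'.", nameof(algorithmName));
        }
    }

    public static void Main()
    {
        var (md5Ok, hmacOk) = ProbeMd5Availability();
        Console.WriteLine($"MD5 available: {md5Ok}, HMAC-MD5 available: {hmacOk}");
        if (md5Ok && !hmacOk)
            Console.WriteLine("Runtime behaves as described in comment 8: MD5 is reachable even though HMAC-MD5 is blocked.");

        // A security-relevant hash goes through the guard, never straight to MD5.Create().
        using var hash = CreateHashForSecurityUse("SHA256");
        Console.WriteLine(Convert.ToHexString(hash.ComputeHash(Sample)));

        // Demonstrate that the guard refuses MD5 even where the platform allows it.
        try { CreateHashForSecurityUse("MD5"); }
        catch (CryptographicException e) { Console.WriteLine($"Guard rejected MD5: {e.Message}"); }
    }
}
```

Run it with `dotnet run` on a FIPS-enabled RHEL host and on a non-FIPS host: on the FIPS host the probe should report MD5 available and HMAC-MD5 unavailable, matching comment 8, while the guard behaves identically on both. The point is that the allow-list in `CreateHashForSecurityUse` is the only thing keeping MD5 out of security-relevant paths; the runtime's FIPS mode will not do it for the application.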

Comment 12 Omair Majid 2025-01-20 14:55:52 UTC
.NET 6 reached its End of Life in 2024: https://access.redhat.com/support/policy/updates/net-core

