Bug 971589 - DES enabled in sunrpc even with FIPS enabled
Summary: DES enabled in sunrpc even with FIPS enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: glibc
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Carlos O'Donell
QA Contact: Arjun Shankar
URL:
Whiteboard:
Depends On:
Blocks: 717789 839624
Reported: 2013-06-06 20:55 UTC by Alexandre Oliva
Modified: 2016-11-24 15:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:25:29 UTC
Target Upstream Version:
Embargoed:



Description Alexandre Oliva 2013-06-06 20:55:51 UTC
As part of the fix for bug 811753, we modified crypt (used for password hashing) in glibc so that it wouldn't use the DES algorithm if FIPS mode was enabled.

Another implementation of DES is present in glibc, part of the sunrpc implementation, that can be optionally enabled for Remote Procedure Calls that should be encrypted.

The ability to select this form of encryption should probably be disabled as well, when FIPS mode is enabled, but that would do away with the only form of encryption available in RPC.

Comment 2 Carlos O'Donell 2013-06-07 15:39:36 UTC
I figure we'll have to disable AUTH_DES and AUTH_KERB (which uses DES) in FIPS compliance mode, leaving it up to the application to do something else if it needed AUTH_DES or AUTH_KERB.
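
An application-side guard of the kind comment 2 leaves to the application, shown here as an added example (not glibc code and not part of this bug's fix): it reads the Linux kernel's FIPS flag and refuses the two DES-based RPC authentication flavors when FIPS mode is on or cannot be determined. The function names, the `FLAVOR_*` constants and the fail-closed policy are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Flavor numbers as in <rpc/auth.h>, redefined under example-only names
   so this builds without the SunRPC headers. */
enum { FLAVOR_AUTH_SYS = 1, FLAVOR_AUTH_DES = 3, FLAVOR_AUTH_KERB = 4 };

/* Linux kernel flag file; its content is "1" when FIPS mode is on. */
#define FIPS_FLAG_PATH "/proc/sys/crypto/fips_enabled"

/* Parse the flag file content: 1 = on, 0 = off, -1 = not a number. */
int parse_fips_flag(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || (*end != '\n' && *end != '\0'))
        return -1;
    return v != 0;
}

/* 1 = FIPS on, 0 = off or flag file absent (kernel without FIPS
   support), -1 = state could not be determined. */
int fips_mode_from_file(const char *path)
{
    char buf[16];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return errno == ENOENT ? 0 : -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_fips_flag(buf) : -1;
}

/* Hypothetical application policy: the DES-based flavors named in the
   thread are refused unless FIPS mode is known to be off (fail closed). */
int rpc_flavor_allowed(int flavor, int fips)
{
    if (flavor != FLAVOR_AUTH_DES && flavor != FLAVOR_AUTH_KERB)
        return 1;
    return fips == 0;
}

int main(void)
{
    int fips = fips_mode_from_file(FIPS_FLAG_PATH);
    printf("fips=%d AUTH_DES allowed=%d\n", fips,
           rpc_flavor_allowed(FLAVOR_AUTH_DES, fips));
    return 0;
}
```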

Comment 4 Steve Grubb 2013-07-08 20:43:22 UTC
Does DES get used to protect the confidentiality of user data or allow system access?

Comment 6 Carlos O'Donell 2013-07-09 13:32:58 UTC
(In reply to Steve Grubb from comment #4)
> Does DES get used to protect the confidentiality of user data or allow
> system access?

In AUTH_DES and AUTH_KERB the DES routines are used during authentication to ensure the identity of the accessing user. Any further RPC communication is authenticated, but not encrypted, using the DES key.

In response to your question I assume it would be "To allow system access." 

The actual SunRPC communication is not encrypted itself so confidentiality of user data is not ensured by the protocol. To ensure confidentiality of user data you would have to tunnel inside a secure protocol.

I am not sufficiently familiar with FIPS to know if this makes a difference in the requirements that the library must follow.

Comment 7 Steve Grubb 2013-07-09 19:48:08 UTC
There probably isn't a big need to change sunrpc to be FIPS compliant. If SUN never ran into problems with government customers and therefore submitted RFCs for new algorithms, we probably won't either. It can simply be pointed out in any documentation that use of sunrpc is known to not be FIPS compliant due to ancient authentication methods and persuade a move to tirpc as soon as convenient.

Comment 11 Carlos O'Donell 2013-09-12 15:55:59 UTC
I'm sending a patch upstream today and I'll put this in RHEL-7.0 right now.

Comment 12 Carlos O'Donell 2013-09-13 07:14:29 UTC
commit cd3aaac1d25f8d39a92a2a68b40cfcc84a3c13cc
Author: Carlos O'Donell <carlos>
Date:   Fri Sep 13 03:12:29 2013 -0400

    Resolves: #971589
    
    - Document FIPS compliance issues with SunRPC and AUTH_DES (#971589).

Comment 14 Ludek Smid 2014-06-13 12:25:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

