Red Hat Bugzilla – Bug 971589
DES enabled in sunrpc even with FIPS enabled
Last modified: 2016-11-24 10:06:51 EST
As part of the fix for bug 811753, we modified crypt (used for password hashing) in glibc so that it wouldn't use the DES algorithm if FIPS mode was enabled.
Another implementation of DES is present in glibc, part of the sunrpc implementation, that can be optionally enabled for Remote Procedure Calls that should be encrypted.
The ability to select this form of encryption should probably be disabled as well, when FIPS mode is enabled, but that would do away with the only form of encryption available in RPC.
I figure we'll have to disable AUTH_DES and AUTH_KERB (which uses DES) in FIPS compliance mode, leaving it up to the application to do something else if it needed AUTH_DES or AUTH_KERB.
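The two behaviours discussed above (crypt(3) refusing the traditional DES salt format once FIPS mode is on, and the proposal to refuse the DES based AUTH_DES/AUTH_KERB RPC flavors under the same condition) can be expressed as a small policy check. The following is an added illustration written for this page, not glibc's or the bug's own code: it reads the kernel's `/proc/sys/crypto/fips_enabled` switch (the mechanism glibc itself consults), classifies a crypt salt, and gates an RPC authentication flavor. The flavor numbers are the RFC 5531 assignments, defined locally so the example builds without the sunrpc headers; the helper names and the sample salts are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* RPC authentication flavor numbers as assigned in RFC 5531. Flavor 3 is
 * AUTH_DH, historically called AUTH_DES in SunRPC. Defined here (hypothetical
 * names) so the example compiles without <rpc/auth.h>. */
enum rpc_auth_flavor {
    AUTH_NONE_FLAVOR  = 0,
    AUTH_SYS_FLAVOR   = 1,
    AUTH_SHORT_FLAVOR = 2,
    AUTH_DES_FLAVOR   = 3,
    AUTH_KERB_FLAVOR  = 4,
    RPCSEC_GSS_FLAVOR = 6
};

/* Read the kernel FIPS switch. Returns 1 when FIPS mode is on, 0 when it is
 * off or the file is absent (non-Linux kernel, or no FIPS support). */
int fips_mode_enabled(void)
{
    FILE *f = fopen("/proc/sys/crypto/fips_enabled", "r");
    if (!f)
        return 0;
    int c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* A traditional-DES crypt(3) salt is two characters from [a-zA-Z0-9./].
 * Modern hashes announce their algorithm with a "$id$" prefix, so any salt
 * starting with '$' is not DES. */
bool crypt_salt_is_des(const char *salt)
{
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    if (salt == NULL || salt[0] == '$')
        return false;
    return strlen(salt) >= 2 &&
           strchr(alphabet, salt[0]) != NULL &&
           strchr(alphabet, salt[1]) != NULL;
}

/* Policy for crypt(3): the DES salt format is refused when FIPS mode is on. */
bool crypt_salt_allowed(const char *salt, int fips)
{
    return !(fips && crypt_salt_is_des(salt));
}

/* Policy for RPC: the DES based flavors (AUTH_DES and AUTH_KERB) are refused
 * when FIPS mode is on, as proposed in the bug; everything else passes. */
bool rpc_auth_flavor_allowed(int flavor, int fips)
{
    if (!fips)
        return true;
    return flavor != AUTH_DES_FLAVOR && flavor != AUTH_KERB_FLAVOR;
}

int main(void)
{
    int fips = fips_mode_enabled();
    printf("FIPS mode: %s\n", fips ? "on" : "off");

    /* Constructed sample salts: one traditional DES, two "$id$" formats. */
    const char *salts[] = { "ab", "$6$rounds=5000$saltsalt$", "$1$abcdefgh$" };
    for (size_t i = 0; i < sizeof salts / sizeof salts[0]; i++)
        printf("salt %-26s %s\n", salts[i],
               crypt_salt_allowed(salts[i], fips) ? "allowed"
                                                  : "refused (DES under FIPS)");

    int flavors[] = { AUTH_SYS_FLAVOR, AUTH_DES_FLAVOR,
                      AUTH_KERB_FLAVOR, RPCSEC_GSS_FLAVOR };
    for (size_t i = 0; i < sizeof flavors / sizeof flavors[0]; i++)
        printf("auth flavor %d: %s\n", flavors[i],
               rpc_auth_flavor_allowed(flavors[i], fips) ? "allowed" : "refused");
    return 0;
}
```

Run on a host with FIPS mode enabled, the DES salt and flavors 3 and 4 are reported as refused; on any other host everything is allowed. The check deliberately treats a missing `/proc/sys/crypto/fips_enabled` as "off", which matches how the switch is absent on kernels without FIPS support.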
Does DES get used to protect the confidentiality of user data or allow system access?
(In reply to Steve Grubb from comment #4)
> Does DES get used to protect the confidentiality of user data or allow
> system access?
In AUTH_DES and AUTH_KERB the DES routines are used during authentication to ensure the identity of the accessing user. Any further RPC communication is authenticated, but not encrypted, using the DES key.
In response to your question I assume it would be "To allow system access."
The actual SunRPC communication is not encrypted itself so confidentiality of user data is not ensured by the protocol. To ensure confidentiality of user data you would have to tunnel inside a secure protocol.
I am not sufficiently familiar with FIPS to know if this makes a difference in the requirements that library must follow.
There probably isn't a big need to change sunrpc to be FIPS compliant. If Sun never ran into problems with government customers, and therefore never submitted RFCs for new algorithms, we probably won't either. It can simply be pointed out in any documentation that use of sunrpc is known to not be FIPS compliant due to ancient authentication methods, and persuade a move to tirpc as soon as convenient.
I'm sending a patch upstream today and I'll put this in RHEL-7.0 right now.
Author: Carlos O'Donell <email@example.com>
Date: Fri Sep 13 03:12:29 2013 -0400
- Document FIPS compliance issues with SunRPC and AUTH_DES (#971589).
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.