Bug 971589 - DES enabled in sunrpc even with FIPS enabled
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: glibc
Assigned To: Carlos O'Donell
Arjun Shankar
Blocks: 717789 839624
Reported: 2013-06-06 16:55 EDT by Alexandre Oliva
Modified: 2016-11-24 10:06 EST
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:25:29 EDT
Type: Bug

Description Alexandre Oliva 2013-06-06 16:55:51 EDT
As part of the fix for bug 811753, we modified crypt (used for password hashing) in glibc so that it wouldn't use the DES algorithm if FIPS mode was enabled.

Another implementation of DES is present in glibc, part of the sunrpc implementation, that can be optionally enabled for Remote Procedure Calls that should be encrypted.

The ability to select this form of encryption should probably be disabled as well, when FIPS mode is enabled, but that would do away with the only form of encryption available in RPC.
Comment 2 Carlos O'Donell 2013-06-07 11:39:36 EDT
I figure we'll have to disable AUTH_DES and AUTH_KERB (which uses DES) in FIPS compliance mode. Leaving it up to the application to do something else if it needed AUTH_DES or AUTH_KERB.
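An application-side form of the check that comment 2 leaves to the application, as an added example that is not part of the bug thread and is not glibc code: it reads the Linux kernel FIPS flag and refuses the two DES-based RPC flavors when FIPS mode is on. The function names are hypothetical, the flavor numbers are the RFC 5531 assignments, and refusing DES when the flag cannot be read is this example's assumed policy.

```c
#include <stdbool.h>
#include <stdio.h>

/* RPC authentication flavor numbers as assigned in RFC 5531, defined
   locally so the example builds without the sunrpc headers. */
enum { FLAVOR_AUTH_NONE = 0, FLAVOR_AUTH_SYS = 1,
       FLAVOR_AUTH_DES = 3, FLAVOR_AUTH_KERB = 4 };

/* Kernel FIPS flag on Linux; the file holds "1" when FIPS mode is on. */
#define FIPS_FLAG_PATH "/proc/sys/crypto/fips_enabled"

/* Read a FIPS flag file: 1 = enabled, 0 = disabled,
   -1 = missing, unreadable or malformed (state unknown). */
int fips_state_from(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int c = fgetc(f);
    fclose(f);
    if (c == '1') return 1;
    if (c == '0') return 0;
    return -1;
}

/* The two flavors the thread names as DES-based. */
bool flavor_uses_des(int flavor)
{
    return flavor == FLAVOR_AUTH_DES || flavor == FLAVOR_AUTH_KERB;
}

/* Assumed policy: DES-based flavors are allowed only when the flag was
   read and says FIPS mode is off; an unknown state refuses them. */
bool flavor_permitted(int flavor, int fips_state)
{
    return !flavor_uses_des(flavor) || fips_state == 0;
}

int main(void)
{
    int state = fips_state_from(FIPS_FLAG_PATH);
    printf("fips state: %d\n", state);
    printf("AUTH_SYS permitted:  %d\n", flavor_permitted(FLAVOR_AUTH_SYS, state));
    printf("AUTH_DES permitted:  %d\n", flavor_permitted(FLAVOR_AUTH_DES, state));
    printf("AUTH_KERB permitted: %d\n", flavor_permitted(FLAVOR_AUTH_KERB, state));
    return 0;
}
```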
Comment 4 Steve Grubb 2013-07-08 16:43:22 EDT
Does DES get used to protect the confidentiality of user data or allow system access?
Comment 6 Carlos O'Donell 2013-07-09 09:32:58 EDT
(In reply to Steve Grubb from comment #4)
> Does DES get used to protect the confidentiality of user data or allow
> system access?

In AUTH_DES and AUTH_KERB the DES routines are used during authentication to ensure the identity of the accessing user. Any further RPC communication is authenticated, but not encrypted, using the DES key.

In response to your question I assume it would be "To allow system access." 

The actual SunRPC communication is not encrypted itself so confidentiality of user data is not ensured by the protocol. To ensure confidentiality of user data you would have to tunnel inside a secure protocol.

I am not sufficiently familiar with FIPS to know if this makes a difference in the requirements that library must follow.
Comment 7 Steve Grubb 2013-07-09 15:48:08 EDT
There probably isn't a big need to change sunrpc to be FIPS compliant. If SUN never ran into problems with government customers and therefore submitted RFCs for new algorithms, we probably won't either. It can simply be pointed out in any documentation that use of sunrpc is known to not be FIPS compliant due to ancient authentication methods and persuade a move to tirpc as soon as convenient.
Comment 11 Carlos O'Donell 2013-09-12 11:55:59 EDT
I'm sending a patch upstream today and I'll put this in RHEL-7.0 right now.
Comment 12 Carlos O'Donell 2013-09-13 03:14:29 EDT
commit cd3aaac1d25f8d39a92a2a68b40cfcc84a3c13cc
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Fri Sep 13 03:12:29 2013 -0400

    Resolves: #971589
    - Document FIPS compliance issues with SunRPC and AUTH_DES (#971589).
Comment 14 Ludek Smid 2014-06-13 08:25:29 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
