#4038 p11_child::sign_data() function implementation is not FIPS140 compliant
Closed: duplicate 4 years ago by sbose. Opened 4 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1711318

There are two problems with the implementation of the p11_child::sign_data() function
with regard to FIPS140 compliance:


(1) Usage of SHA-1.

SHA-1 is used in a signature for integrity protection which means it is a
sensitive use. Thus it falls under FIPS requirements.
Also the way it is used can't be considered "used in HMAC".
Thus code must be reworked to avoid usage of SHA-1 whenever possible, i.e.
the implementation should look up the list of alternatives supported by the Smart Card and
choose a more modern/FIPS approved option if available.

For Smart Cards that do not support approved alternatives this change will make
their usage in FIPS mode impossible. This is expected behaviour.

Presumably "manual" hashing in case of ECC key may be dropped altogether but (2)
must be taken into account.


(2) The way signature verification is implemented breaks "No Algorithm
decomposition" rule from "FIPS140 Compliance Checklist":
"When applying signatures do not Hash the content on your own and then call the
raw signature API, instead call the API that compute hash and signature in one
shot by reading the whole message"
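
Added example, not part of the original ticket and not SSSD's code: a sketch of the mechanism selection the description asks for, preferring combined hash-and-sign PKCS#11 mechanisms with an approved digest and refusing both SHA-1 and local hashing followed by a raw signature when in FIPS mode. The names pick_sign_mech and MECH_NONE and the non-FIPS fallback order are assumptions; the CKM_* values are the ones defined by PKCS#11.

```c
#include <stdbool.h>
#include <stddef.h>

/* Mechanism values as defined in the PKCS#11 header pkcs11t.h. */
typedef unsigned long CK_MECHANISM_TYPE;
#define CKM_RSA_PKCS         0x00000001UL  /* raw: caller hashes the data itself */
#define CKM_SHA1_RSA_PKCS    0x00000006UL
#define CKM_SHA256_RSA_PKCS  0x00000040UL
#define CKM_SHA384_RSA_PKCS  0x00000041UL
#define CKM_SHA512_RSA_PKCS  0x00000042UL
#define CKM_ECDSA            0x00001041UL  /* raw: caller hashes the data itself */
#define CKM_ECDSA_SHA1       0x00001042UL
#define CKM_ECDSA_SHA256     0x00001044UL
#define CKM_ECDSA_SHA384     0x00001045UL
#define CKM_ECDSA_SHA512     0x00001046UL
#define MECH_NONE            (~0UL)        /* hypothetical marker: nothing usable */

static bool has_mech(const CK_MECHANISM_TYPE *list, size_t n, CK_MECHANISM_TYPE m)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == m) return true;
    return false;
}

/* Hypothetical helper: pick the signing mechanism for a key on a token.
 * `supported` stands for the list C_GetMechanismList() returned for the slot. */
CK_MECHANISM_TYPE pick_sign_mech(const CK_MECHANISM_TYPE *supported, size_t n,
                                 bool is_ecc, bool fips_mode)
{
    static const CK_MECHANISM_TYPE rsa_pref[] = {
        CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS };
    static const CK_MECHANISM_TYPE ecc_pref[] = {
        CKM_ECDSA_SHA256, CKM_ECDSA_SHA384, CKM_ECDSA_SHA512 };
    const CK_MECHANISM_TYPE *pref = is_ecc ? ecc_pref : rsa_pref;

    /* One-shot hash-and-sign with an approved digest always wins. */
    for (size_t i = 0; i < 3; i++)
        if (has_mech(supported, n, pref[i])) return pref[i];

    /* FIPS mode: no SHA-1 and no "hash locally, then raw sign" decomposition. */
    if (fips_mode) return MECH_NONE;

    /* Assumed non-FIPS fallback order: combined SHA-1 first, raw last. */
    CK_MECHANISM_TYPE sha1 = is_ecc ? CKM_ECDSA_SHA1 : CKM_SHA1_RSA_PKCS;
    if (has_mech(supported, n, sha1)) return sha1;
    CK_MECHANISM_TYPE raw = is_ecc ? CKM_ECDSA : CKM_RSA_PKCS;
    return has_mech(supported, n, raw) ? raw : MECH_NONE;
}
```

A MECH_NONE result in FIPS mode corresponds to the "expected behaviour" above: the card cannot be used.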

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1711318

4 years ago

This looks like it is addressed by 7f0a8f5 and it looks like a duplicate of #4039 (not sure how it happened).

I was just about to file a similar issue since I got a card that is not willing to sign using the SHA1-RSA-PKCS mechanism and which would break here. Seeing this is already handled and on the way to the next release is great news. Thank you.

Hi @jjelen,

yes, this is a duplicate and it looks like @jhrozek and I cloned the bugzilla ticket at the same time. I'll close this as a duplicate.

bye,
Sumit

Metadata Update from @sbose:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5007

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
