We need to rework FIPS mode in Samba

Andrew Bartlett abartlet at samba.org
Fri Mar 18 00:38:59 UTC 2022

I was hoping to hook onto Samba's FIPS mode for my 'no NT hash' mode,
but I've done some testing.  Despite the GNUTLS_FORCE_FIPS_MODE being
available in GnuTLS since version 3.4.0 per their git history, it isn't
available on Ubuntu 20.04.

I'm assuming that is because it isn't compiled with FIPS-140 mode. 

We need a mode in samba, controlled from smb.conf, to disable weak
cryptography and other similar things, and flip things the other way

We should check lpcfg_weak_crypto() before doing any 'weak' crypto,
including things not implemented with GnuTLS (eg our mdfour()
function), rather than asking GnuTLS if it will allow weak

I don't mind if it defaults to auto, which in turn defaults to the
FIPS-140 mode from GnuTLS, but we can't have fundamental Samba security
modes depending on the compile options of a system library. 

I do find it curious that we don't have any tests that noticed that
setting GNUTLS_FORCE_FIPS_MODE actually does nothing on our main test
platform.  While GitLab CI is great, we can't safely implement more
security strengthening features if the tests of them can't run in
autobuild on sn-devel, as that is where stable branches are tested. 

I would note that we are, particularly if we can move to a 'secure by
default' approach really close to passing things like the OpenSSF
(previously Core Infrastructure Initiative) best practices badge.


We are actually really close on that - perhaps we would pass if
we disabled the LSA QuerySecret API.

Andrew Bartlett
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba-technical mailing list