We need to rework FIPS mode in Samba

Aleksandar Kostadinov akostadinov at gmail.com
Fri Mar 18 10:07:14 UTC 2022

How can samba be FIPS compliant on a non-FIPS compliant operating system?
Might be easier to just run the tests in a FIPS compliant environment.

On Fri, Mar 18, 2022 at 2:40 AM Andrew Bartlett via samba-technical <
samba-technical at lists.samba.org> wrote:

> I was hoping to hook onto Samba's FIPS mode for my 'no NT hash' mode,
> but I've done some testing.  Despite the GNUTLS_FORCE_FIPS_MODE being
> available in GnuTLS since version 3.4.0 per their git history, it isn't
> available on Ubuntu 20.04.
> I'm assuming that is because it isn't compiled with FIPS-140 mode.
> We need a mode in samba, controlled from smb.conf, to disable weak
> cryptography and other similar things, and flip things the other way
> around.
> We should check lpcfg_weak_crypto() before doing any 'weak' crypto,
> including things not implemented with GnuTLS (eg our mdfour()
> function), rather than asking GnuTLS if it will allow weak
> cryptography.
> I don't mind if it defaults to auto, which in turn defaults to the
> FIPS-140 mode from GnuTLS, but we can't have fundamental Samba security
> modes depending on the compile options of a system library.
> I do find it curious that we don't have any tests that noticed that
> setting GNUTLS_FORCE_FIPS_MODE actually does nothing on our main test
> platform.  While GitLab CI is great, we can't safely implement more
> security strengthening features if the tests of them can't run in
> autobuild on sn-devel, as that is where stable branches are tested.
> I would note that we are, particularly if we can move to a 'secure by
> default' approach really close to passing things like the OpenSSF
> (previously Core Infrastructure Initiative) best practices badge.
> https://bestpractices.coreinfrastructure.org/en/projects/200
> We are actually really close on that - perhaps we would pass if
> we disabled the LSA QuerySecret API.
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions

More information about the samba-technical mailing list