We need to rework FIPS mode in Samba

Aleksandar Kostadinov akostadinov at gmail.com
Fri Mar 18 10:07:14 UTC 2022


How can samba be FIPS compliant on a non-FIPS compliant operating system?
Might be easier to just run the tests in a FIPS compliant environment.

On Fri, Mar 18, 2022 at 2:40 AM Andrew Bartlett via samba-technical <samba-technical at lists.samba.org> wrote:

> I was hoping to hook onto Samba's FIPS mode for my 'no NT hash' mode,
> but I've done some testing.  Despite the GNUTLS_FORCE_FIPS_MODE being
> available in GnuTLS since version 3.4.0 per their git history, it isn't
> available on Ubuntu 20.04.
>
> I'm assuming that is because it isn't compiled with FIPS-140 mode.
>
> We need a mode in samba, controlled from smb.conf, to disable weak
> cryptography and other similar things, and flip things the other way
> around.
>
> We should check lpcfg_weak_crypto() before doing any 'weak' crypto,
> including things not implemented with GnuTLS (eg our mdfour()
> function), rather than asking GnuTLS if it will allow weak
> cryptography.
>
> I don't mind if it defaults to auto, which in turn defaults to the
> FIPS-140 mode from GnuTLS, but we can't have fundamental Samba security
> modes depending on the compile options of a system library.
>
> I do find it curious that we don't have any tests that noticed that
> setting GNUTLS_FORCE_FIPS_MODE actually does nothing on our main test
> platform.  While GitLab CI is great, we can't safely implement more
> security strengthening features if the tests of them can't run in
> autobuild on sn-devel, as that is where stable branches are tested.
>
> I would note that we are, particularly if we can move to a 'secure by
> default' approach, really close to passing things like the OpenSSF
> (previously Core Infrastructure Initiative) best practices badge.
>
> https://bestpractices.coreinfrastructure.org/en/projects/200
>
> We are actually really close on that - perhaps we would pass if
> we disabled the LSA QuerySecret API.
>
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
>
>
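The gate the quoted mail proposes, checking an smb.conf-controlled setting before doing any weak crypto (including MD4, which Samba's mdfour() computes and which is not routed through GnuTLS), as an added illustration that is not Samba code and not part of this thread. The setting name "weak crypto", its values auto/allowed/disallowed, the enum, and the library_fips_active probe flag are assumptions for this example; only the MD4 algorithm (RFC 1320) is standard. The point it demonstrates is that an explicit setting decides the outcome on its own, and only "auto" defers to whatever the crypto library reports, so a library built without FIPS-140 support cannot silently turn the protection off.

```c
/* Added example, not Samba code: a config-controlled weak-crypto gate in
 * front of a weak primitive (MD4). Setting names, enum and the probe flag
 * are assumptions for illustration; the MD4 algorithm is RFC 1320. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed smb.conf-style setting: "weak crypto = auto|allowed|disallowed". */
enum weak_crypto { WEAK_AUTO, WEAK_ALLOWED, WEAK_DISALLOWED, WEAK_INVALID };

enum weak_crypto parse_weak_crypto(const char *value)
{
    if (strcmp(value, "auto") == 0) return WEAK_AUTO;
    if (strcmp(value, "allowed") == 0) return WEAK_ALLOWED;
    if (strcmp(value, "disallowed") == 0) return WEAK_DISALLOWED;
    return WEAK_INVALID;            /* unknown values fail closed below */
}

/* The application's own policy decision. Only "auto" consults the crypto
 * library's FIPS state (library_fips_active is a probe result supplied by
 * the caller); an explicit setting wins no matter how the library was built. */
bool weak_crypto_allowed(enum weak_crypto setting, bool library_fips_active)
{
    switch (setting) {
    case WEAK_ALLOWED:    return true;
    case WEAK_DISALLOWED: return false;
    case WEAK_AUTO:       return !library_fips_active;
    default:              return false;   /* invalid config: fail closed */
    }
}

/* ---- MD4 (RFC 1320): the primitive behind NT hashes / mdfour() ---- */
static uint32_t rotl32(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }

static void md4_block(uint32_t st[4], const uint8_t blk[64])
{
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13}, s3[4] = {3, 9, 11, 15};
    static const int x2[16] = {0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15};
    static const int x3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t X[16], a = st[0], b = st[1], c = st[2], d = st[3], t;
    for (int i = 0; i < 16; i++)            /* little-endian word load */
        X[i] = (uint32_t)blk[4 * i] | (uint32_t)blk[4 * i + 1] << 8 |
               (uint32_t)blk[4 * i + 2] << 16 | (uint32_t)blk[4 * i + 3] << 24;
    for (int i = 0; i < 16; i++) {          /* round 1: F = (b&c)|(~b&d) */
        t = rotl32(a + ((b & c) | (~b & d)) + X[i], s1[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    for (int i = 0; i < 16; i++) {          /* round 2: G = majority */
        t = rotl32(a + ((b & c) | (b & d) | (c & d)) + X[x2[i]] + 0x5A827999u, s2[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    for (int i = 0; i < 16; i++) {          /* round 3: H = parity */
        t = rotl32(a + (b ^ c ^ d) + X[x3[i]] + 0x6ED9EBA1u, s3[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

static void md4_digest(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    uint8_t buf[128] = {0};
    size_t i;
    for (i = 0; i + 64 <= len; i += 64) md4_block(st, msg + i);
    size_t rem = len - i;                   /* pad: 0x80, zeros, 64-bit LE bit length */
    memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    size_t total = (rem + 1 + 8 <= 64) ? 64 : 128;
    uint64_t bits = (uint64_t)len * 8;
    for (int k = 0; k < 8; k++) buf[total - 8 + k] = (uint8_t)(bits >> (8 * k));
    md4_block(st, buf);
    if (total == 128) md4_block(st, buf + 64);
    for (int k = 0; k < 4; k++)
        for (int j = 0; j < 4; j++) out[4 * k + j] = (uint8_t)(st[k] >> (8 * j));
}

/* Guarded entry point: 0 on success, -1 (and empty hex) when policy forbids it. */
int guarded_mdfour(enum weak_crypto setting, bool library_fips_active,
                   const uint8_t *msg, size_t len, char hex_out[33])
{
    if (!weak_crypto_allowed(setting, library_fips_active)) {
        hex_out[0] = '\0';
        return -1;
    }
    uint8_t d[16];
    md4_digest(msg, len, d);
    for (int i = 0; i < 16; i++) sprintf(hex_out + 2 * i, "%02x", d[i]);
    return 0;
}

/* Self-check helper: does MD4(msg) under an "allowed" policy equal expected_hex? */
bool md4_hex_is(const char *msg, const char *expected_hex)
{
    char hex[33];
    if (guarded_mdfour(WEAK_ALLOWED, true, (const uint8_t *)msg, strlen(msg), hex) != 0) return false;
    return strcmp(hex, expected_hex) == 0;
}

int main(void)
{
    char hex[33];
    const uint8_t msg[] = "abc";            /* constructed input, RFC 1320 vector */
    int rc = guarded_mdfour(parse_weak_crypto("auto"), false, msg, 3, hex);
    printf("auto, library not in FIPS mode:       rc=%d md4=%s\n", rc, hex);
    rc = guarded_mdfour(parse_weak_crypto("disallowed"), false, msg, 3, hex);
    printf("disallowed, library not in FIPS mode: rc=%d (refused regardless of library)\n", rc);
    return 0;
}
```

With "weak crypto = auto" the refusal depends entirely on the probe value, which is exactly the situation the mail objects to when the probe comes from a library compiled without FIPS support; with "disallowed" the hash is refused even if the library claims nothing, and an unparseable value is treated as "disallowed" so a typo in smb.conf cannot re-enable weak crypto.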