We need to rework "allow weak crypto" mode in Samba

Alexander Bokovoy ab at samba.org
Sat Mar 19 09:40:26 UTC 2022


On Sat, 19 Mar 2022, Andrew Bartlett via samba-technical wrote:
> Fair enough, and largely my point. Samba doesn't really have a FIPS
> mode (given it is applied inconsistently), we have a "allow weak
> crypto" switch currently controlled by the GnuTLS detection of the
> system FIPS mode.
> We should have better global control of weaker crypto, to allow
> organisational policy guides to be written, that is beyond the
> GnuTLS FIPS mode.

If you'd want to simulate and enforce restrictions through GnuTLS like
in FIPS mode, I think it is better to define configuration for crypto
libraries that are used during the testing.

Judging by Debian's gnutls build configuration, it does not override
defaults, so /etc/gnutls/config is the file with a default
configuration. In Fedora and RHEL-alike it uses
/etc/crypto-policies/back-ends/gnutls.config, allowing an easy switch
with the 'update-crypto-policies' tool.

If you want to test with a GnuTLS configuration similar to FIPS mode as
seen by CentOS 9 Stream (it tracks FIPS 140-3 right now), then expected
configuration files can be found in
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/tree/master/tests/outputs,
for example, https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/tests/outputs/FIPS-gnutls.txt
for GnuTLS.

That is not enough, though. Samba AD is built against a Kerberos
library, be it Heimdal or MIT Kerberos. Both link against OpenSSL, so
you'd need to have a way to limit those configurations too.

Here we come to another problem. Both Debian and Ubuntu distributions do
not really have a normalized way of switching configurations for crypto
libraries. It means you'd need to apply the same logic to default
openssl config and you'd need to modify a system one. Here is what it would look like:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/tests/outputs/FIPS-opensslcnf.txt

Same with krb5 libraries. Looks like neither Heimdal nor MIT Kerberos
builds in Debian provide a configuration file by default. We may just
extend our own template to force configuration like 
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/tests/outputs/FIPS-krb5.txt

Note, though, if you'd follow strictly FIPS 140-3 (or even FIPS 140-2)
requirements, krb5kdf function is not FIPS-compliant, so aes256-sha1 and
aes128-sha1 encryption types could not be used in FIPS mode. Active
Directory has no support for RFC 8009 types (aes256-sha2 and
aes128-sha2), so in a strict following of a FIPS 140-3 environment,
there is simply no way to interoperate with Microsoft Windows clients in
Active Directory. I believe Samba AD has no support for these encryption
types either even though underlying MIT Kerberos and Heimdal do support
them.



> Andrew,
> On Fri, 2022-03-18 at 21:00 +0200, Aleksandar Kostadinov wrote:
> > It is good for samba to have some switch for enabling only secure
> > algorithms. But I don't think it has to be implemented by the FIPS
> > mode. Some newer secure ciphers can yet be unaccepted in a FIPS
> > standard. FIPS doesn't mean highest security. It just means the FIPS
> > standard.
> > 
> > On Fri, Mar 18, 2022 at 8:36 PM Andrew Bartlett <abartlet at samba.org>
> > wrote:
> > > Correct, Samba can't be FIPS compliant, but we can avoid using known
> > > poor cryptography not for certification purposes, but for sensible
> > > 'secure by default' or at least 'can be configured to be sensibly
> > > secure' design principles.
> > >
> > > Just as you wouldn't offer SSLv3 even when the host is not FIPS-140
> > > certified.
> > >
> > > Samba's CI system runs on a Ubuntu 20.04 base for the majority of the
> > > tests (as mentioned, we run a tiny number of tests in a Fedora 35
> > > environment to test "FIPS mode"), but most importantly the final
> > > autobuild is under the Ubuntu 20.04 platform, so we should ensure that
> > > our tests are run there when possible.
> > >
> > > I'm quite disappointed that the "FIPS mode" in GnuTLS is optional in this
> > > way - also denying any application or administrator the opportunity to
> > > opt out of weak ciphers on a per-app basis - but that is life.
> > >
> > > Andrew Bartlett
> > >
> > > On Fri, 2022-03-18 at 12:07 +0200, Aleksandar Kostadinov via
> > > samba-technical wrote:
> > > > How can samba be FIPS compliant on a non-FIPS compliant operating system?
> > > > Might be easier to just run the tests in a FIPS compliant environment.
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> Samba Development and Support, Catalyst IT - Expert Open Source Solutions

-- 
/ Alexander Bokovoy
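
The enctype point in the message above, worked through as an added example (not part of the original message and not Samba or krb5 project code): it reads `permitted_enctypes` from the `[libdefaults]` section of a krb5.conf, keeps only the RFC 8009 types that a strict FIPS reading leaves, and lists what remains in common with an Active Directory peer. The `STRICT` and `AD_PEER` sets, the function names and the sample file are assumptions built from the statements in the message.

```python
import re

# Short aliases MIT krb5 accepts, mapped to canonical enctype names.
ALIASES = {
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192",
    "aes128-sha2": "aes128-cts-hmac-sha256-128",
    "rc4-hmac": "arcfour-hmac",
}
# Assumption from the message: under a strict reading only RFC 8009 types remain.
STRICT = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}
# Assumed peer set for an AD domain (no RFC 8009 support, per the message).
AD_PEER = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"}

# Constructed sample, not taken from any real system.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    # permitted_enctypes = aes128-sha1
    permitted_enctypes = aes256-sha2 aes128-sha2 aes256-sha1, rc4-hmac
[realms]
"""

def enctypes(conf, key="permitted_enctypes"):
    """Return canonical enctypes set by `key` in [libdefaults] (families not expanded)."""
    section, found = None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                found = [ALIASES.get(t, t) for t in re.split(r"[,\s]+", value.lower()) if t]
    return found

def audit(conf, peer=AD_PEER):
    """Split configured enctypes into rejected/usable and list what the peer shares."""
    configured = enctypes(conf)
    usable = [e for e in configured if e in STRICT]
    return {"rejected": [e for e in configured if e not in STRICT],
            "usable": usable,
            "interop": [e for e in usable if e in peer]}
```

For the sample, `audit(SAMPLE)` returns an empty `interop` list: the two types that survive the strict filter are exactly the ones the assumed AD peer lacks.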


