This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] manual/crypt.texi: Mention FIPS 140-2 compliance and Secure RPC.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Alexandre Oliva <aoliva at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Wed, 02 Oct 2013 22:55:01 -0400
- Subject: [PATCH] manual/crypt.texi: Mention FIPS 140-2 compliance and Secure RPC.
- Authentication-results: sourceware.org; auth=none
Community,

The Secure RPC implementation in glibc uses DES encryption
during authentication of the user. This use of DES means
that anyone using Sun RPC will likely not be compliant
with FIPS 140-2, which forbids the use of DES.

One solution to the compliance issue is to disable AUTH_DES
and AUTH_KERB, both of which use DES, when in FIPS compliance mode.
This is not a good idea because it disables all of the even
mildly secure methods of authentication, allowing only plain
text methods.

Instead we leave AUTH_DES and AUTH_KERB enabled in FIPS
compliance mode and document the compliance issue in the
manual. FIPS allows this; that is to say, if you can't
fix it you must document the non-compliance.

I add the comments to crypt.texi in the section
"DES encryption and password handling" since this is related
to DES encryption and authentication handling for Sun RPC.

I also add a cindex for FIPS 46-3 information.

If nobody objects, I'll check this in by the end of the week.

2013-09-13 Carlos O'Donell <carlos@redhat.com>
* manual/crypt.texi (Cryptographic Functions): Using SunRPC and
AUTH_DES will prevent FIPS 140-2 compliance. Add cindex for
AUTH_DES and FIPS 140-2.
(DES Encryption): Add cindex FIPS 46-3.
diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..a6779ca 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -30,8 +30,15 @@ message-digest algorithm that is compatible with modern BSD systems,
and the other based on the Data Encryption Standard (DES) that is
compatible with Unix systems.
+@cindex AUTH_DES
+@cindex FIPS 140-2
It also provides support for Secure RPC, and some library functions that
-can be used to perform normal DES encryption.
+can be used to perform normal DES encryption. The use of DES when
+using @code{AUTH_DES} in Secure RPC for authentication as provided by
+@theglibc{} is not FIPS 140-2 compliant nor is any other use of DES
+within @theglibc{}. It is recommended that Secure RPC should not be used
+for systems that need to be FIPS 140-2 compliant since all forms of
+supported authentication use normal DES.
@menu
* Legal Problems:: This software can get you locked up, or worse.
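Review bot: The closing clause of the new paragraph, "since all forms of supported authentication use normal DES", is broader than what the cover letter describes. The letter says that disabling AUTH_DES and AUTH_KERB would leave only plain text methods, so forms of authentication that do not use DES exist, and a reader could take this sentence to mean that every RPC authentication flavor is affected. Suggest limiting the claim to the encrypted flavors, for example "since all supported forms of encrypted authentication use DES". The new text also names only @code{AUTH_DES}, although the cover letter lists AUTH_KERB as using DES too; either mention it here with its own @cindex entry or say why it is left out. As a style point, "It is recommended that Secure RPC should not be used" doubles the modal and reads better as "Secure RPC should not be used on systems that need to be FIPS 140-2 compliant".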
@@ -203,6 +210,7 @@ header @file{crypt.h}.
@node DES Encryption
@section DES Encryption
+@cindex FIPS 46-3
The Data Encryption Standard is described in the US Government Federal
Information Processing Standards (FIPS) 46-3 published by the National
Institute of Standards and Technology. The DES has been very thoroughly
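Review bot: The DES Encryption node gets only the "@cindex FIPS 46-3" entry, while the new statement that no use of DES within @theglibc{} is FIPS 140-2 compliant lives only in the chapter introduction. A reader who arrives at this node through the index or a cross-reference to the DES functions will not see the compliance note. Suggest adding "@cindex FIPS 140-2" here as well, plus either a one-sentence reminder or an @xref back to the introduction, so the non-compliance is documented where the DES interfaces themselves are described.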
---