This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch master updated. glibc-2.18-318-g3d7dc51


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3d7dc513b782407bd397b13771a631d9080d3aac (commit)
      from  484c12fb1e3664fb434291234ea5787c5e3df4f5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3d7dc513b782407bd397b13771a631d9080d3aac

commit 3d7dc513b782407bd397b13771a631d9080d3aac
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Sat Oct 19 00:11:31 2013 -0400

    Mention FIPS 140-2 compliance and Sun RPC.
    
    The Secure RPC implementation in glibc uses DES encryption
    during authentication of the user. This use of DES means
    that anyone using Sun RPC will likely not be compliant
    with FIPS 140-2 which forbids the use of DES.
    
    One solution to the compliance issue is to disable AUTH_DES
    and AUTH_KERB, both use DES, when in FIPS compliance mode.
    This is not a good idea because it disables all of the even
    mildly secure methods of authentication allowing only plain
    text methods.
    
    Instead we leave AUTH_DES and AUTH_KERB enabled in FIPS
    compliance mode and document the compliance issue in the
    manual. FIPS allows this, that is to say that if you can't
    fix it you must document the non-compliance.
    
    This commit adds documentation to that effect in the
    "DES encryption and password handling" section of the
    manual.

diff --git a/ChangeLog b/ChangeLog
index c72611e..d2de84a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2013-10-18  Carlos O'Donell  <carlos@redhat.com>
 
+	* manual/crypt.texi (Cryptographic Functions): Using SunRPC and
+	AUTH_DES will prevent FIPS 140-2 compliance. Add vindex for
+	AUTH_DES and cindex for FIPS 140-2.
+	(DES Encryption): Add cindex FIPS 46-3.
+
 	* locale/locarchive.h (struct locarhandle): Add fname.
 	* locale/programs/localedef.c (main): Pass ARGV[remaining]
 	if an optional argument was specified to --list-archive,
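Review bot: the new entry for (Cryptographic Functions) is written as a statement of fact ("Using SunRPC and AUTH_DES will prevent FIPS 140-2 compliance") rather than as a description of what was edited, unlike the neighbouring entries ("Add fname.", "Pass ARGV[remaining]"). Suggest phrasing it as the change made, for example "Document that Secure RPC with AUTH_DES does not comply with FIPS 140-2."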
diff --git a/manual/crypt.texi b/manual/crypt.texi
index ef90590..9c65b95 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -30,8 +30,15 @@ message-digest algorithm that is compatible with modern BSD systems,
 and the other based on the Data Encryption Standard (DES) that is
 compatible with Unix systems.
 
+@vindex AUTH_DES
+@cindex FIPS 140-2
 It also provides support for Secure RPC, and some library functions that
-can be used to perform normal DES encryption.
+can be used to perform normal DES encryption.  The @code{AUTH_DES}
+authentication flavor in Secure RPC, as provided by @theglibc{},
+uses DES and does not comply with FIPS 140-2 nor does any other use of DES
+within @theglibc{}.  It is recommended that Secure RPC should not be used
+for systems that need to comply with FIPS 140-2 since all flavors of
+encrypted authentication use normal DES.
 
 @menu
 * Legal Problems::              This software can get you locked up, or worse.
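Review bot: the added paragraph names and indexes only AUTH_DES, while the commit message says both AUTH_DES and AUTH_KERB use DES and that both stay enabled in FIPS compliance mode; the closing clause "all flavors of encrypted authentication use normal DES" leaves the reader to guess which flavors are meant. Suggest naming @code{AUTH_KERB} alongside @code{AUTH_DES}, adding a matching @vindex AUTH_KERB, and stating explicitly that these flavors are not disabled in FIPS mode, since that is the non-compliance being documented. A comma before "nor" in "does not comply with FIPS 140-2 nor does any other use of DES" would also make the sentence easier to parse.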
@@ -203,6 +210,7 @@ header @file{crypt.h}.
 @node DES Encryption
 @section DES Encryption
 
+@cindex FIPS 46-3
 The Data Encryption Standard is described in the US Government Federal
 Information Processing Standards (FIPS) 46-3 published by the National
 Institute of Standards and Technology.  The DES has been very thoroughly
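Review bot: the FIPS 140-2 non-compliance statement is not reachable from the DES Encryption node, which gains only "@cindex FIPS 46-3"; the statement itself lives in the chapter introduction, so a reader who arrives here through the index never sees it. Suggest adding an "@cindex FIPS 140-2" entry or a one-sentence cross-reference to the introduction in this node as well.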

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    5 +++++
 manual/crypt.texi |   10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

