author Carlos O'Donell <carlos@redhat.com> 2013-10-19 00:11:31 -0400
committer Carlos O'Donell <carlos@redhat.com> 2013-10-19 00:11:31 -0400
commit 3d7dc513b782407bd397b13771a631d9080d3aac
tree fac59ee8199751f14f52ddb09782fa701bd96c87 /ChangeLog
parent 484c12fb1e3664fb434291234ea5787c5e3df4f5
Mention FIPS 140-2 compliance and Sun RPC.

The Secure RPC implementation in glibc uses DES encryption
during authentication of the user. This use of DES means
that anyone using Sun RPC will likely not be compliant
with FIPS 140-2 which forbids the use of DES.

One solution to the compliance issue is to disable AUTH_DES
and AUTH_KERB, both use DES, when in FIPS compliance mode.
This is not a good idea because it disables all of the even
mildly secure methods of authentication allowing only plain
text methods.

Instead we leave AUTH_DES and AUTH_KERB enabled in FIPS
compliance mode and document the compliance issue in the
manual. FIPS allows this, that is to say that if you can't
fix it you must document the non-compliance.

This commit adds documentation to that effect in the
"DES encryption and password handling" section of the
manual.
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 5
1 files changed, 5 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index c72611ef3f..d2de84ab22 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2013-10-18  Carlos O'Donell  <carlos@redhat.com>
 
+	* manual/crypt.texi (Cryptographic Functions): Using SunRPC and
+	AUTH_DES will prevent FIPS 140-2 compliance. Add vindex for
+	AUTH_DES and cindex for FIPS 140-2.
+	(DES Encryption): Add cindex FIPS 46-3.
+
 	* locale/locarchive.h (struct locarhandle): Add fname.
 	* locale/programs/localedef.c (main): Pass ARGV[remaining]
 	if an optional argument was specified to --list-archive,
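Review bot: The new manual/crypt.texi entry (first added line) names only AUTH_DES, while the commit message states that AUTH_DES and AUTH_KERB both use DES and that both stay enabled in FIPS compliance mode. If the manual text covers AUTH_KERB as well, say so in this entry and add a vindex for it alongside the AUTH_DES one; if it does not, the documented non-compliance is incomplete. The entry would also read better as a description of the change rather than a bare statement, for example "Document that using Sun RPC with AUTH_DES prevents FIPS 140-2 compliance", with "Sun RPC" spelled as in the commit subject instead of "SunRPC".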