Bug 8331 - Local drive doesn't work on FIPS systems
Summary: Local drive doesn't work on FIPS systems
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Local drive redirection (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Depends on:
Reported: 2024-03-28 13:03 CET by Adam Halim
Modified: 2024-04-09 13:06 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Adam Halim cendio 2024-03-28 13:03:28 CET
On FIPS enforcing systems that prohibit the use of MD5, tl-mount-localdrives
won't work. I tested this on a RHEL 9 machine with FIPS mode enabled using
server build 3537 and client build 3435.

Creating a session with a shared local drive will crash tl-mount-localdrives
with the following in xinit.log:
> Running /opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives (Mounting local drives)
> Traceback (most recent call last):
>   File "/opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives", line 402, in <module>
>     I1iO0OOOOoO0o ( )
>   File "/opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives", line 379, in I1iO0OOOOoO0o
>     Ii1i11 = ii1iII1II1I . get_otp ( o0o ) . encode ( 'utf-8' )
>   File "/opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives", line 125, in get_otp
>     ooooo = hashlib . md5 ( Ii1iI1111Iii1 + password ) . hexdigest ( )
> ValueError: [digital envelope routines] unsupported
It seems like unfs3 uses MD5 digests for one-time passwords [1].

I had a brief look at our codebase and found places where we use hashlib.md5()
* poppler/regtest/__init__.py
    - Not sure how/where this is used, and if it can affect us.
* Cheetah/CacheRegion.py
    - md5 is used in the function getCacheItem() [2]. It doesn't look like we
      use caches in our templates.

[1] https://github.com/unfs3/unfs3/blob/9ed6a635fafc43fd97d8977a9ea4f075dde8c96e/password.c#L107
[2] https://cheetahtemplate.org/api/Cheetah.CacheRegion.html
Comment 1 Samuel Mannehed cendio 2024-03-28 16:26:43 CET
Works well on a fips-enabled Ubuntu 22.04.


Note You need to log in before you can comment on or make changes to this bug.