decryption not happening on OS in FIPS compliant mode

[jessvcs]

Environment details: RHEL 8.6, transcrypt v2.2.3, git version 2.31.1, OpenSSL 1.1.1k FIPS - no issue; files get decrypted RHEL 8.7, transcrypt v2.2.3, git version 2.31.1, OpenSSL 1.1.1k FIPS - ISSUE HAPPENS; files are not decrypted I have also tried transcrypt v2.3.0-pre (initialized against a brand new clone of the repo) with no change in results

Steps to reproduce:

1. On a RHEL 8.7 system, clone an already-configured repository.
2. Initialize transcrypt on the repo as follows:

   
   [root@server1 proj1]# transcrypt -c aes-256-cbc -p '<redacted>'

Repository metadata:

GIT_WORK_TREE: /home/user/proj1 GIT_DIR: /home/user/proj1/.git GIT_ATTRIBUTES: /home/user/proj1/.gitattributes

The following configuration will be saved:

CONTEXT: default CIPHER: aes-256-cbc PASSWORD:

Does this look correct? [Y/n]

The repository has been successfully configured by transcrypt. [root@server1 proj1]#

3. Notice that the typical `*** WARNING : deprecated key derivation used.` messages for each file managed by transcrypt were not displayed.
4. Notice that `transcrypt -l` indeed lists all the files managed by transcrypt.
5. Notice that cat'ing a file managed by transcrypt shows the [encrypted] ciphertext, not the plaintext.

I'm not well-versed in debugging bash/git issues. I don't see SELinux denies. Am willing to run/attempt whatever steps would be suggested.

[jmurty]

Hi @jessvcs I've had a quick go at reproducing a problem on RHEL 8.7 in a Docker container but it's working for me. Using the Transcrypt repository itself as a test case:

bash-4.4# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.7 (Ootpa)

bash-4.4# ./transcrypt --version
transcrypt 2.2.3

bash-4.4# git --version
git version 2.31.1

bash-4.4# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

bash-4.4# ./transcrypt -c aes-256-cbc -p 'correct horse battery staple' --yes
The repository has been successfully configured by transcrypt.

bash-4.4# head -2 sensitive_file 
We're no strangers to love
You know the rules and so do I

Can you confirm that the transcrypt settings are as expect in your repo's git config? E.g:

# git config --local --get-regexp transcrypt\.
transcrypt.version 2.2.3
transcrypt.cipher aes-256-cbc
transcrypt.password correct horse battery staple
transcrypt.openssl-path openssl

You could try running just the smudge (decrypt) operation to see if it gives any useful feedback or warnings. For example to decrypt a file called _sensitivefile:

Show raw encrypted file contents
# git show :sensitive_file

Decrypt file contents using smudge operation (git_smudge function in Transcrypt)
# git show :sensitive_file | ./transcrypt smudge

If that doesn't give you any clues you could try running the underlying openssl command from the git_smudge function directly in the terminal.

This would look something like:

# git show :sensitive_file | ENC_PASS="correct horse battery staple" openssl enc -d -aes-256-cbc -md MD5 -pass env:ENC_PASS -a

[jessvcs]

Hi @jmurty, these commands helped!

Looks like the issue is that my RHEL 8.7 system is running in FIPS compliant mode, and thus the MD5 message digest algorithm that transcrypt is currently hard-coded to use, will not work since MD5 is not FIPS compliant.

Not sure what your thoughts are on adding support to transcrypt for something like SHA256?

Here's some output for good measure:

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.7 (Ootpa)

# cat /proc/sys/crypto/fips_enabled
1

# git show :sensitive_file | ENC_PASS="correct horse battery staple" openssl enc -d -aes-256-cbc -md MD5 -pass env:ENC_PASS -a
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
EVP_BytesToKey failed
140204729194304:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
#

Regardless, thanks for your excellent support of transcrypt this tool is great.

[jmurty]

Ah, that FIPS stuff is pretty strict.

We are planning to update the encryption to much better modern approaches, including better SHA2 hashing, and there are some PRs along these lines. But it's a big job to do it well with a usable upgrade path, so I don't know when it will happen.

In the meantime you could try the PBKDF2 fork version, or perhaps customise your own script to replace all the md5 references with sha512 or similar.

The specific transcrypt script you run is applied (copied into) the repository's git config, so using a forked script copy instead of a system-installed one is tractable if you also commit it to the repo so you can easily use the same script elsewhere.

[jessvcs]

Thanks.

I assume this is PBKDF2 fork version you're thinking of https://github.com/manexpa/transcrypt, but if not, let me know.

I also agree that using our own forked and modified copy is probably manageable.

[jmurty]

Hi @jessvcs sorry no, I meant the PR #136 in this repository. I mis-spoke when I typed "fork".

From a quick look at the fork you linked I'd advise against using that, because it doesn't deal with salting weaknesses discussed in a document that is part of the PR: https://github.com/elasticdog/transcrypt/blob/76f00e1ef1f4db026f0b018dbb07af58b601e435/docs/algorithm.rst

[jmurty]

Hi @jessvcs if you're interested in being a guinea pig, I'd appreciate help testing and proving the new PR #162 which will greatly improve transcrypt's security – and remove all the pesky hard-coded MD5 hashing.

[jessvcs]

Hi @jmurty - absolutely I will test and try to help how I can - I'll respond back with results.