Bug 1513765

Summary: Clarify support of pbkdf2 for fips
Product: Red Hat Enterprise Linux 7
Component: nss
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Status: CLOSED INSUFFICIENT_DATA
Severity: unspecified
Priority: high
Target Milestone: rc
Target Release: ---
Reporter: wibrown <wibrown>
Assignee: Bob Relyea <rrelyea>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: abokovoy, dueno, mgrepl, nmavrogi, rrelyea, tmraz, wibrown
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-12-05 14:12:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description wibrown@redhat.com 2017-11-15 22:41:27 UTC
Description of problem:

NSS claims FIPS mode does not support PBKDF2. However, these sources indicate otherwise:

PBKDF2 is just multi-round SHA, which is FIPS approved. According to this, it's allowed at L1:

https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf

This doc indicates the likelihood that PBKDF2_SHA256 is FIPS allowed:

https://godoc.org/golang.org/x/crypto/pbkdf2

And OpenSSL supports pbkdf2 in its FIPS module:

https://wiki.openssl.org/index.php/FIPS_module_3.0

NIST recommends PBKDF2 and, if I interpret section 5.3 correctly, they approve it for FIPS provided the HMAC is approved (SHA-256 is approved):

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf


As we support pbkdf2 in Directory Server, we want to clarify this, as it's important for us to understand NSS's support for this feature, and to clarify that today, in FIPS mode, NSS may not correctly be supporting PBKDF2, which is a valid FIPS algorithm.
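
The following is an added example, not code from this bug report, NSS or 389-ds, that makes the construction the description is arguing about concrete: PBKDF2 as specified in RFC 8018 and SP 800-132, built from nothing but HMAC-SHA256 (the approved primitive section 5.3 refers to), cross-checked against Python's hashlib.pbkdf2_hmac and against the PBKDF2-HMAC-SHA-256 test vector published in RFC 7914 section 11. The parameter check at the end is my reading of SP 800-132 sections 5.1 and 5.2 (salt of at least 128 bits; an iteration count of at least 1000 as the recommended minimum), and all function names are my own.

```python
import hashlib
import hmac
import struct

# Added example, not NSS or 389-ds code: PBKDF2 (RFC 8018 / SP 800-132)
# instantiated with HMAC-SHA256 as the pseudorandom function (PRF).

HLEN = hashlib.sha256().digest_size  # 32-byte PRF output


def _prf(password: bytes, data: bytes) -> bytes:
    """The only cryptographic primitive PBKDF2 needs: HMAC-SHA256 keyed with the password."""
    return hmac.new(password, data, hashlib.sha256).digest()


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Derive dklen bytes.

    DK  = T_1 || T_2 || ... truncated to dklen
    T_i = U_1 xor U_2 xor ... xor U_c
    U_1 = PRF(P, S || INT_BE32(i)), U_j = PRF(P, U_{j-1})
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if not 1 <= dklen <= (2**32 - 1) * HLEN:
        raise ValueError("derived key length out of range")
    out = bytearray()
    block_index = 1
    while len(out) < dklen:
        u = _prf(password, salt + struct.pack(">I", block_index))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = _prf(password, u)
            for k in range(HLEN):
                t[k] ^= u[k]
        out += t
        block_index += 1
    return bytes(out[:dklen])


# PBKDF2-HMAC-SHA-256 test vector from RFC 7914, section 11:
# P="passwd", S="salt", c=1, dkLen=64.
RFC7914_VECTOR = (
    b"passwd", b"salt", 1, 64,
    bytes.fromhex(
        "55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc"
        "49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783"
    ),
)


def matches_rfc7914_vector() -> bool:
    password, salt, iterations, dklen, expected = RFC7914_VECTOR
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == expected


def matches_hashlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check against the standard library's PBKDF2 (an OpenSSL binding)."""
    reference = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == reference


def sp800_132_parameter_issues(salt: bytes, iterations: int) -> list:
    """Parameter findings from my reading of SP 800-132 sections 5.1 and 5.2:
    the salt shall be at least 128 bits, and an iteration count of at least
    1000 is the recommended minimum. Returns a list of human-readable findings."""
    issues = []
    salt_bits = len(salt) * 8
    if salt_bits < 128:
        issues.append(f"salt is {salt_bits} bits; SP 800-132 requires at least 128")
    if iterations < 1000:
        issues.append(f"iteration count {iterations} is below the recommended minimum of 1000")
    return issues


if __name__ == "__main__":
    print("RFC 7914 vector:", "ok" if matches_rfc7914_vector() else "MISMATCH")
    print("hashlib agrees on a multi-block, truncated key:",
          matches_hashlib(b"Password", b"NaCl", 4096, 40))
    print("SP 800-132 findings for the RFC vector's parameters:",
          sp800_132_parameter_issues(b"salt", 1))
```

The RFC 7914 vector deliberately uses a 32-bit salt and a single iteration, so the SP 800-132 check flags both; that illustrates that "PBKDF2 with an approved HMAC" and "PBKDF2 with parameters SP 800-132 accepts" are separate questions, and the bug as filed is about the first one.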

Comment 2 Stanislav Zidek 2018-03-27 14:03:26 UTC
Do I get it right that this is some kind of documentation bug?

Comment 3 Nikos Mavrogiannopoulos 2018-10-05 13:19:28 UTC
Could you provide more info on where NSS claims that pbkdf2 is not allowed in FIPS 140 mode? Which document did you follow?

Comment 4 Alexander Bokovoy 2018-12-05 13:58:07 UTC
Nikos,

we now see RHEL IdM failing to install in FIPS mode because 389-ds defaults to use of PBKDF2_SHA256. We need clarification for this.

https://bugzilla.redhat.com/show_bug.cgi?id=1656418