Bug 1779685
| Summary: | PBKDF2 hashing does not work in FIPS mode | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Matus Honek <mhonek> | |
| Component: | 389-ds-base | Assignee: | Simon Pichugin <spichugi> | |
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> | |
| Severity: | unspecified | Docs Contact: | Zuzana Zoubkova <zzoubkov> | |
| Priority: | unspecified | |||
| Version: | 9.0 | CC: | ldap-maint, mreynolds, nkinder, pasik, sgouvern, spichugi, tbordaz, tmihinto, vashirov, zzoubkov | |
| Target Milestone: | rc | Keywords: | Reopened, Triaged | |
| Target Release: | 9.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | 389-ds-base-2.0.11-1.el9 | Doc Type: | Bug Fix | |
| Doc Text: |
.Authenticating to Directory Server in FIPS mode with passwords hashed with the PBKDF2 algorithm now works as expected
When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the `PK11_ExtractKeyValue()` function is not available. As a consequence, prior to this update, users with a password hashed with the password-based key derivation function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the `PK11_Decrypt()` function to get the password hash data. As a result, authentication with passwords hashed with the PBKDF2 algorithm now works as expected.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 2033398 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-17 12:31:11 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2033398 | |||
|
Description
Matus Honek
2019-12-04 14:00:50 UTC
Moving to RHEL 8.4 After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. Password related tests were run in FIPS mode : [root@ci-rhel9-99 389-ds-base]# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/password/ --disable-warnings ============================================================================ test session starts ============================================================================ platform linux -- Python 3.9.9, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3 cachedir: .pytest_cache 389-ds-base: 2.0.11-3.el9 nss: 3.71.0-3.el9 nspr: 4.32.0-2.el9 openldap: 2.4.57-8.el9 cyrus-sasl: not installed FIPS: enabled rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini collected 131 items dirsrvtests/tests/suites/password/password_policy_test.py::test_password_change_section PASSED [ 0%] dirsrvtests/tests/suites/password/password_policy_test.py::test_password_syntax_section PASSED [ 1%] dirsrvtests/tests/suites/password/password_policy_test.py::test_password_history_section PASSED [ 2%] dirsrvtests/tests/suites/password/password_policy_test.py::test_password_minimum_age_section PASSED [ 3%] dirsrvtests/tests/suites/password/password_policy_test.py::test_account_lockout_and_lockout_duration_section PASSED [ 3%] dirsrvtests/tests/suites/password/password_policy_test.py::test_grace_limit_section PASSED [ 4%] dirsrvtests/tests/suites/password/password_policy_test.py::test_additional_corner_cases PASSED [ 5%] dirsrvtests/tests/suites/password/password_test.py::test_password_delete_specific_password PASSED [ 6%] dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED [ 6%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_bypass PASSED [ 7%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_no_admin PASSED [ 8%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_modify PASSED [ 9%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_group PASSED [ 9%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_config_validation PASSED [ 10%] dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_different_operation PASSED [ 11%] dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_password_policy PASSED [ 12%] dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_subsuffix PASSED [ 12%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwdReset_by_user_DM PASSED [ 13%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED [ 14%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-off-UNWILLING_TO_PERFORM] PASSED [ 15%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-off-UNWILLING_TO_PERFORM] PASSED [ 16%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-on-False] PASSED [ 16%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-on-False] PASSED [ 17%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_min_age PASSED [ 18%] dirsrvtests/tests/suites/password/pwdPolicy_controls_sequence_test.py::test_controltype_expired_grace_limit PASSED [ 19%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_must_change PASSED [ 19%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expired_grace_limit PASSED [ 20%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_warning PASSED [ 21%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning PASSED [ 22%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-off] PASSED [ 22%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[on-off] PASSED [ 23%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-on] PASSED [ 24%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions PASSED [ 25%] dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_basic PASSED [ 25%] dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_user_attributes PASSED [ 26%] dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_bad_words PASSED [ 27%] dirsrvtests/tests/suites/password/pwdPolicy_token_test.py::test_token_lengths PASSED [ 28%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[ ] PASSED [ 29%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[junk123] PASSED [ 29%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[on] PASSED [ 30%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[off] PASSED [ 31%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_expiry_time PASSED [ 32%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordWarning-3600] PASSED [ 33%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_different_password_states PASSED [ 34%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_default_behavior PASSED [ 35%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_when_maxage_and_warning_are_the_same PASSED [ 35%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy PASSED [ 36%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower PASSED [ 37%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_expire_works PASSED [ 38%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED [ 38%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED [ 39%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED [ 40%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED [ 41%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED [ 41%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED [ 42%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED [ 43%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED [ 44%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED [ 45%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED [ 45%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED [ 46%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED [ 47%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED [ 48%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED [ 48%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED [ 49%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED [ 50%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED [ 51%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA1] PASSED [ 51%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA256] PASSED [ 52%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA512] PASSED [ 53%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] PASSED [ 54%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pbkdf2_algo PASSED [ 54%] dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py::test_password_crypt_asterisk_is_rejected PASSED [ 55%] dirsrvtests/tests/suites/password/pwd_lockout_bypass_test.py::test_lockout_bypass PASSED [ 56%] dirsrvtests/tests/suites/password/pwd_log_test.py::test_hide_unhashed_pwd PASSED [ 57%] dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED [ 58%] dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED [ 58%] dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED [ 59%] dirsrvtests/tests/suites/password/pwp_gracel_test.py::test_password_gracelimit_section PASSED [ 60%] dirsrvtests/tests/suites/password/pwp_history_test.py::test_history_is_not_overwritten PASSED [ 61%] dirsrvtests/tests/suites/password/pwp_history_test.py::test_basic PASSED [ 61%] dirsrvtests/tests/suites/password/pwp_test.py::test_passwordchange_to_no PASSED [ 62%] dirsrvtests/tests/suites/password/pwp_test.py::test_password_check_syntax PASSED [ 63%] dirsrvtests/tests/suites/password/pwp_test.py::test_too_big_password PASSED [ 64%] dirsrvtests/tests/suites/password/pwp_test.py::test_pwminage PASSED [ 64%] dirsrvtests/tests/suites/password/pwp_test.py::test_invalid_credentials PASSED [ 65%] dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date FAILED [ 66%] dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout FAILED [ 67%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_local_password_policy PASSED [ 67%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_passwordexpirationtime_attribute PASSED [ 68%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_admin_group_to_modify_password PASSED [ 69%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_max_failure_should_lockout_password PASSED [ 70%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_pwd_update_time_attribute PASSED [ 70%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_track_update_time PASSED [ 71%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_signal_11 PASSED [ 72%] dirsrvtests/tests/suites/password/regression_test.py::test_pwp_local_unlock PASSED [ 73%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1] PASSED [ 74%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[SNpwtest1] PASSED [ 74%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[UIDpwtest1] PASSED [ 75%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[MAILpwtest1] PASSED [ 76%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[GNpwtest1] PASSED [ 77%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] PASSED [ 77%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] PASSED [ 78%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1] PASSED [ 79%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1Z] PASSED [ 80%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] PASSED [ 80%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1] PASSED [ 81%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] PASSED [ 82%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] PASSED [ 83%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] PASSED [ 83%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] PASSED [ 84%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] PASSED [ 85%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED [ 86%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1] PASSED [ 87%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[SNpwtest1] PASSED [ 87%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[UIDpwtest1] PASSED [ 88%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[MAILpwtest1] PASSED [ 89%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[GNpwtest1] PASSED [ 90%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] PASSED [ 90%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] PASSED [ 91%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1] PASSED [ 92%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1Z] PASSED [ 93%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1Z] PASSED [ 93%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1] PASSED [ 94%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZ] PASSED [ 95%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] PASSED [ 96%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1] PASSED [ 96%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZ] PASSED [ 97%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] PASSED [ 98%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED [ 99%] dirsrvtests/tests/suites/password/regression_test.py::test_unhashed_pw_switch PASSED [100%] The 2 failing tests are tests problems, in the process of being fixed. Marking as verified:tested / VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: 389-ds-base), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:2327 |