Bug 2033398
| Summary: | PBKDF2 hashing does not work in FIPS mode | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | mreynolds |
| Component: | 389-ds-base | Assignee: | Simon Pichugin <spichugi> |
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | ||
| Version: | 8.6 | CC: | aadhikar, ds-qe-bugs, ldap-maint, mhonek, mreynolds, msauton, nkinder, pasik, sgouvern, spichugi, tbordaz, tmihinto, vashirov |
| Target Milestone: | rc | Keywords: | Reopened, Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.4.3.28-2.module+el8.6.0 | Doc Type: | Bug Fix |
| Doc Text: |
.Authenticating to Directory Server in FIPS mode with PBKDF2-hashed passwords now works as expected
When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the `PK11_ExtractKeyValue()` function is not available. As a consequence, users with a password-based key derivation function 2 (PBKDF2) hashed password could not authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the `PK11_Decrypt()` function to get the password hash data. As a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed passwords.
|
Story Points: | --- |
| Clone Of: | 1779685 | Environment: | |
| Last Closed: | 2022-05-10 13:43:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1779685 | ||
| Bug Blocks: | |||
============================================================================ test session starts =================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-359.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.28-3.module+el8.6.0+13706+e2f14737
nss: 3.67.0-7.el8_5
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: enabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 138 items / 135 deselected / 3 selected
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy PASSED [ 33%]
dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date PASSED [ 66%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout PASSED [100%]
============================================================== 3 passed, 135 deselected, 26 warnings in 54.60s ==================================================
Failing test cases are passed, Marking as verified: Tested.
As per (https://bugzilla.redhat.com/show_bug.cgi?id=2033398#c7) Marking as VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1815 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days |
============================================================================ test session starts ================================================================ platform linux -- Python 3.6.8, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3.6 cachedir: .pytest_cache metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-356.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}} 389-ds-base: 1.4.3.28-3.module+el8.6.0+13706+e2f14737 nss: 3.67.0-7.el8_5 nspr: 4.32.0-1.el8_4 openldap: 2.4.46-18.el8 cyrus-sasl: not installed FIPS: enabled rootdir: /workspace/ds/dirsrvtests, configfile: pytest.ini plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0 collected 118 items dirsrvtests/tests/suites/password/password_test.py::test_password_delete_specific_password PASSED [ 0%] dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED [ 1%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_bypass PASSED [ 2%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_no_admin PASSED [ 3%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_modify PASSED [ 4%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_group PASSED [ 5%] dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_config_validation PASSED [ 5%] dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_different_operation PASSED [ 6%] dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_password_policy PASSED [ 7%] dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_subsuffix PASSED [ 8%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED [ 9%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-off-UNWILLING_TO_PERFORM] PASSED [ 10%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-off-UNWILLING_TO_PERFORM] PASSED [ 11%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-on-False] PASSED [ 11%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-on-False] PASSED [ 12%] dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_min_age PASSED [ 13%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_must_change PASSED [ 14%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expired_grace_limit PASSED [ 15%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_warning PASSED [ 16%] dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning PASSED [ 16%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-off] PASSED [ 17%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[on-off] PASSED [ 18%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-on] PASSED [ 19%] dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions PASSED [ 20%] dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_basic PASSED [ 21%] dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_user_attributes PASSED [ 22%] dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_bad_words PASSED [ 22%] dirsrvtests/tests/suites/password/pwdPolicy_token_test.py::test_token_lengths PASSED [ 23%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[ ] PASSED [ 24%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[junk123] PASSED [ 25%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[on] PASSED [ 26%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[off] PASSED [ 27%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_expiry_time PASSED [ 27%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordSendExpiringTime-off] PASSED [ 28%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordWarning-3600] PASSED [ 29%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_different_password_states PASSED [ 30%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_default_behavior PASSED [ 31%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_when_maxage_and_warning_are_the_same PASSED [ 32%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy FAILED [ 33%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower PASSED [ 33%] dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_expire_works PASSED [ 34%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED [ 35%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED [ 36%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED [ 37%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED [ 38%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED [ 38%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED [ 39%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED [ 40%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED [ 41%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED [ 42%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED [ 43%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED [ 44%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED [ 44%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED [ 45%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED [ 46%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED [ 47%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED [ 48%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED [ 49%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] FAILED [ 50%] dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pbkdf2_algo PASSED [ 50%] dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py::test_password_crypt_asterisk_is_rejected PASSED [ 51%] dirsrvtests/tests/suites/password/pwd_lockout_bypass_test.py::test_lockout_bypass PASSED [ 52%] dirsrvtests/tests/suites/password/pwd_log_test.py::test_hide_unhashed_pwd PASSED [ 53%] dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED [ 54%] dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED [ 55%] dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED [ 55%] dirsrvtests/tests/suites/password/pwp_gracel_test.py::test_password_gracelimit_section PASSED [ 56%] dirsrvtests/tests/suites/password/pwp_history_test.py::test_basic PASSED [ 57%] dirsrvtests/tests/suites/password/pwp_test.py::test_passwordchange_to_no PASSED [ 58%] dirsrvtests/tests/suites/password/pwp_test.py::test_password_check_syntax PASSED [ 59%] dirsrvtests/tests/suites/password/pwp_test.py::test_too_big_password PASSED [ 60%] dirsrvtests/tests/suites/password/pwp_test.py::test_pwminage PASSED [ 61%] dirsrvtests/tests/suites/password/pwp_test.py::test_invalid_credentials PASSED [ 61%] dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date FAILED [ 62%] dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout FAILED [ 63%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_local_password_policy PASSED [ 64%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_passwordexpirationtime_attribute PASSED [ 65%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_admin_group_to_modify_password PASSED [ 66%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_max_failure_should_lockout_password PASSED [ 66%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_pwd_update_time_attribute PASSED [ 67%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_track_update_time PASSED [ 68%] dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_signal_11 PASSED [ 69%] dirsrvtests/tests/suites/password/regression_test.py::test_pwp_local_unlock PASSED [ 70%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1] PASSED [ 71%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[SNpwtest1] PASSED [ 72%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[UIDpwtest1] PASSED [ 72%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[MAILpwtest1] PASSED [ 73%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[GNpwtest1] PASSED [ 74%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] PASSED [ 75%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] PASSED [ 76%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1] PASSED [ 77%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1Z] PASSED [ 77%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] PASSED [ 78%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1] PASSED [ 79%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] PASSED [ 80%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] PASSED [ 81%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] PASSED [ 82%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] PASSED [ 83%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] PASSED [ 83%] dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED [ 84%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1] PASSED [ 85%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[SNpwtest1] PASSED [ 86%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[UIDpwtest1] PASSED [ 87%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[MAILpwtest1] PASSED [ 88%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[GNpwtest1] PASSED [ 88%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] PASSED [ 89%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] PASSED [ 90%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1] PASSED [ 91%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1Z] PASSED [ 92%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1Z] PASSED [ 93%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1] PASSED [ 94%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZ] PASSED [ 94%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] PASSED [ 95%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1] PASSED [ 96%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZ] PASSED [ 97%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] PASSED [ 98%] dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED [ 99%] dirsrvtests/tests/suites/password/regression_test.py::test_unhashed_pw_switch PASSED [100%] ========================================================== 4 failed, 114 passed, 341 warnings in 743.02s (0:12:23) ==============================================