Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1570782 - CRYPT, CRYPT-MD5 and PBKDF2_SHA256 are not accepted as password storage schemes in FIPS mode
Summary: CRYPT, CRYPT-MD5 and PBKDF2_SHA256 are not accepted as password storage schem...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-23 12:08 UTC by Viktor Ashirov
Modified: 2018-04-23 13:36 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-23 13:36:33 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Viktor Ashirov 2018-04-23 12:08:12 UTC
Description of problem:
In FIPS mode the following tests are failing:
suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] FAILED
suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] FAILED
suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] FAILED

E         ldap.UNWILLING_TO_PERFORM: {'desc': 'Server is unwilling to perform', 'info': 'Unable to store attribute "userPassword" correctly\n'}

Version-Release number of selected component (if applicable):
389-ds-base: 1.3.7.5-18.el7
nss: 3.34.0-4.el7


How reproducible:
always

Steps to Reproduce:
1. Enable FIPS mode
2.  py.test -v suites/password/pwd_algo_test.py

Comment 1 mreynolds 2018-04-23 12:35:29 UTC
I know FIPS does NOT support PBKDF2, and it looks like its not supporting CRYPT either.  So perhaps this a doc bug?

Comment 2 Viktor Ashirov 2018-04-23 12:49:49 UTC
CRYPT-SHA256 and CRYPT-SHA512 are accepted though. If that's not a bug, then we'll update the tests to check if we're running in FIPS mode.

Comment 3 mreynolds 2018-04-23 13:18:53 UTC
(In reply to Viktor Ashirov from comment #2)
> CRYPT-SHA256 and CRYPT-SHA512 are accepted though. If that's not a bug, then
> we'll update the tests to check if we're running in FIPS mode.

I know FIPS does not accept weak hashing algos.  So maybe that's why CRYPT-SHA256 and CRYPT-SHA512 work, but the other CRYPTs are not.  PBKDF2 I think it just too new and FIPS has not caught up with it yet (I know its officially not supported).  I'll ask the security guys to confirm the CRYPT issues though.

Comment 4 mreynolds 2018-04-23 13:32:36 UTC
Okay so looking at the FIPS docs 

https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf

I think this explains the behavior.  We support SHA256 & SHA512 - and that's why FIPS supports CRYPT-"SHA256", etc, but not CRYPT-"MD5".

Comment 5 Viktor Ashirov 2018-04-23 13:36:33 UTC
Makes sense, thanks Mark!

Closing as NOTABUG.


Note You need to log in before you can comment on or make changes to this bug.