Bug 1779685 - PBKDF2 hashing does not work in FIPS mode
Summary: PBKDF2 hashing does not work in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: 389-ds-base
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 9.0
Assignee: Simon Pichugin
QA Contact: RHDS QE
Docs Contact: Zuzana Zoubkova
URL:
Whiteboard:
Depends On:
Blocks: 2033398
Reported: 2019-12-04 14:00 UTC by Matus Honek
Modified: 2022-05-17 12:44 UTC (History)

Fixed In Version: 389-ds-base-2.0.11-1.el9
Doc Type: Bug Fix
Doc Text:
.Authenticating to Directory Server in FIPS mode with passwords hashed with the PBKDF2 algorithm now works as expected
When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the `PK11_ExtractKeyValue()` function is not available. As a consequence, prior to this update, users with a password hashed with the password-based key derivation function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the `PK11_Decrypt()` function to get the password hash data. As a result, authentication with passwords hashed with the PBKDF2 algorithm now works as expected.
Clone Of:
: 2033398 (view as bug list)
Environment:
Last Closed: 2022-05-17 12:31:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 3584 0 None closed PBKDF2 hashing does not work in FIPS mode 2022-04-21 07:19:08 UTC
Red Hat Issue Tracker IDMDS-1801 0 None None None 2021-11-18 15:49:00 UTC
Red Hat Product Errata RHBA-2022:2327 0 None None None 2022-05-17 12:31:33 UTC

Description Matus Honek 2019-12-04 14:00:50 UTC
Description of problem:
When NSS is run in FIPS mode (either Level 1 - the internal token is FIPS, or Level 2 - the NSS database is set to FIPS mode), it is not possible to extract the produced hash using PK11_ExtractKeyValue().

Version-Release number of selected component (if applicable):
1.4.el8

How reproducible:
always

Steps to Reproduce:
1. Run in FIPS mode.
2. Trigger the pbkdf2_sha256_hash function, e.g. by trying to bind with a password that's stored with PBKDF2.
3. The code trips over the PK11_ExtractKeyValue call.

Actual results:
The function fails.

Expected results:
The hash (i.e. key value) is correctly extracted.

Additional info:
https://pagure.io/389-ds-base/issue/50528

Comment 1 mreynolds 2020-06-26 15:23:12 UTC
Moving to RHEL 8.4

Comment 8 RHEL Program Management 2021-06-04 07:29:48 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 15 sgouvern 2022-01-11 14:17:13 UTC
Password-related tests were run in FIPS mode:

[root@ci-rhel9-99 389-ds-base]# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/password/ --disable-warnings
============================================================================ test session starts ============================================================================
platform linux -- Python 3.9.9, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3
cachedir: .pytest_cache
389-ds-base: 2.0.11-3.el9
nss: 3.71.0-3.el9
nspr: 4.32.0-2.el9
openldap: 2.4.57-8.el9
cyrus-sasl: not installed
FIPS: enabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
collected 131 items                                                                                                                                                        
 
dirsrvtests/tests/suites/password/password_policy_test.py::test_password_change_section PASSED                                                              [  0%]
dirsrvtests/tests/suites/password/password_policy_test.py::test_password_syntax_section PASSED                                                              [  1%]
dirsrvtests/tests/suites/password/password_policy_test.py::test_password_history_section PASSED                                                             [  2%]
dirsrvtests/tests/suites/password/password_policy_test.py::test_password_minimum_age_section PASSED                                                         [  3%]
dirsrvtests/tests/suites/password/password_policy_test.py::test_account_lockout_and_lockout_duration_section PASSED                                         [  3%]
dirsrvtests/tests/suites/password/password_policy_test.py::test_grace_limit_section PASSED                                                                  [  4%]
dirsrvtests/tests/suites/password/password_policy_test.py::test_additional_corner_cases PASSED                                                              [  5%]
dirsrvtests/tests/suites/password/password_test.py::test_password_delete_specific_password PASSED                                                           [  6%]
dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED                                                                 [  6%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_bypass PASSED                                                                             [  7%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_no_admin PASSED                                                                           [  8%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_modify PASSED                                                                             [  9%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_group PASSED                                                                              [  9%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_config_validation PASSED                                                                  [ 10%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_different_operation PASSED                                                        [ 11%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_password_policy PASSED                                                            [ 12%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_subsuffix PASSED                                                                  [ 12%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwdReset_by_user_DM PASSED                                                              [ 13%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED                                                                        [ 14%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-off-UNWILLING_TO_PERFORM] PASSED                                          [ 15%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-off-UNWILLING_TO_PERFORM] PASSED                                         [ 16%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-on-False] PASSED                                                         [ 16%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-on-False] PASSED                                                          [ 17%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_min_age PASSED                                                                      [ 18%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_sequence_test.py::test_controltype_expired_grace_limit PASSED                                          [ 19%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_must_change PASSED                                                                   [ 19%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expired_grace_limit PASSED                                                           [ 20%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_warning PASSED                                                         [ 21%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning PASSED                                                      [ 22%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-off] PASSED                                          [ 22%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[on-off] PASSED                                           [ 23%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-on] PASSED                                           [ 24%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions PASSED                                                      [ 25%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_basic PASSED                                                                               [ 25%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_user_attributes PASSED                                                      [ 26%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_bad_words PASSED                                                            [ 27%]
dirsrvtests/tests/suites/password/pwdPolicy_token_test.py::test_token_lengths PASSED                                                                        [ 28%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[ ] PASSED                                                                [ 29%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[junk123] PASSED                                                          [ 29%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[on] PASSED                                                               [ 30%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[off] PASSED                                                              [ 31%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_expiry_time PASSED                                                                        [ 32%]                     
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordWarning-3600] PASSED                                             [ 33%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_different_password_states PASSED                                                     [ 34%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_default_behavior PASSED                                                                   [ 35%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_when_maxage_and_warning_are_the_same PASSED                                               [ 35%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy PASSED                                                                  [ 36%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower PASSED                                 [ 37%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_expire_works PASSED                                                              [ 38%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED                                                                        [ 38%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED                                                                        [ 39%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED                                                                    [ 40%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED                                                                 [ 41%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED                                                                 [ 41%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED                                                                          [ 42%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED                                                                          [ 43%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED                                                                       [ 44%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED                                                                       [ 45%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED                                                                       [ 45%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED                                                                         [ 46%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED                                                                         [ 47%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED                                                                      [ 48%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED                                                                      [ 48%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED                                                                      [ 49%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED                                                                [ 50%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED                                                                      [ 51%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA1] PASSED                                                                  [ 51%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA256] PASSED                                                                [ 52%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA512] PASSED                                                                [ 53%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] PASSED                                                                [ 54%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pbkdf2_algo PASSED                                                                                 [ 54%]
dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py::test_password_crypt_asterisk_is_rejected PASSED                                               [ 55%]
dirsrvtests/tests/suites/password/pwd_lockout_bypass_test.py::test_lockout_bypass PASSED                                                                    [ 56%]
dirsrvtests/tests/suites/password/pwd_log_test.py::test_hide_unhashed_pwd PASSED                                                                            [ 57%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED                                                         [ 58%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED                                              [ 58%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED                                                 [ 59%]
dirsrvtests/tests/suites/password/pwp_gracel_test.py::test_password_gracelimit_section PASSED                                                               [ 60%]
dirsrvtests/tests/suites/password/pwp_history_test.py::test_history_is_not_overwritten PASSED                                                               [ 61%]
dirsrvtests/tests/suites/password/pwp_history_test.py::test_basic PASSED                                                                                    [ 61%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordchange_to_no PASSED                                                                             [ 62%]
dirsrvtests/tests/suites/password/pwp_test.py::test_password_check_syntax PASSED                                                                            [ 63%]
dirsrvtests/tests/suites/password/pwp_test.py::test_too_big_password PASSED                                                                                 [ 64%]
dirsrvtests/tests/suites/password/pwp_test.py::test_pwminage PASSED                                                                                         [ 64%]
dirsrvtests/tests/suites/password/pwp_test.py::test_invalid_credentials PASSED                                                                              [ 65%]
dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date FAILED                                                                                  [ 66%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout FAILED                                                                                  [ 67%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_local_password_policy PASSED                                                             [ 67%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_passwordexpirationtime_attribute PASSED                                                  [ 68%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_admin_group_to_modify_password PASSED                                                    [ 69%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_max_failure_should_lockout_password PASSED                                      [ 70%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_pwd_update_time_attribute PASSED                                                         [ 70%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_track_update_time PASSED                                                        [ 71%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_signal_11 PASSED                                                                         [ 72%]
dirsrvtests/tests/suites/password/regression_test.py::test_pwp_local_unlock PASSED                                                                          [ 73%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1] PASSED                                                            [ 74%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[SNpwtest1] PASSED                                                            [ 74%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[UIDpwtest1] PASSED                                                           [ 75%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[MAILpwtest1] PASSED                                               [ 76%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[GNpwtest1] PASSED                                                            [ 77%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] PASSED                                                        [ 77%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] PASSED                                                       [ 78%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1] PASSED                                                           [ 79%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1Z] PASSED                                                           [ 80%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] PASSED                                                          [ 80%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1] PASSED                                                          [ 81%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] PASSED                                                          [ 82%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] PASSED                                                        [ 83%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] PASSED                                                         [ 83%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] PASSED                                                         [ 84%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] PASSED                                                      [ 85%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED                                              [ 86%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1] PASSED                                                                [ 87%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[SNpwtest1] PASSED                                                                [ 87%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[UIDpwtest1] PASSED                                                               [ 88%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[MAILpwtest1] PASSED                                                   [ 89%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[GNpwtest1] PASSED                                                                [ 90%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] PASSED                                                            [ 90%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] PASSED                                                           [ 91%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1] PASSED                                                               [ 92%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1Z] PASSED                                                               [ 93%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1Z] PASSED                                                              [ 93%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1] PASSED                                                              [ 94%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZ] PASSED                                                              [ 95%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] PASSED                                                            [ 96%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1] PASSED                                                             [ 96%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZ] PASSED                                                             [ 97%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] PASSED                                                          [ 98%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED                                                  [ 99%]
dirsrvtests/tests/suites/password/regression_test.py::test_unhashed_pw_switch PASSED                                                                        [100%]

The 2 failing tests are test problems, in the process of being fixed.
Marking as verified:tested / VERIFIED

Comment 19 errata-xmlrpc 2022-05-17 12:31:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: 389-ds-base), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2327
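
A triage check for the condition this bug describes, added here as an example (it is not part of the bug report or of 389-ds-base): it reports whether a host is in FIPS mode and runs a 389-ds-base el9 build older than the Fixed In Version listed above. The function names and result strings are assumptions of this example; builds for other releases return `unknown` because the page gives no fixed version for them.

```shell
#!/bin/sh
# Added example: triage helper for this bug, not code from 389-ds-base.
# Fixed build taken from the page: "Fixed In Version: 389-ds-base-2.0.11-1.el9".
FIXED_VERSION="2.0.11"
FIXED_RELEASE="1"

# ver_lt A B: succeed when dotted numeric version A is lower than B.
# Non-numeric suffixes inside a field are ignored (a simplification,
# not a full implementation of RPM version comparison).
ver_lt() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        # Drop the field that was just read from each side.
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}
        _x=${_x:-0}; _y=${_y:-0}
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
    done
    return 1
}

# pbkdf2_fips_status FIPS_FLAG VERSION-RELEASE
#   FIPS_FLAG        content of /proc/sys/crypto/fips_enabled (0 or 1)
#   VERSION-RELEASE  of the 389-ds-base package, e.g. 2.0.11-3.el9
# Prints one of: not-fips, affected, fixed, unknown.
pbkdf2_fips_status() {
    _fips=$1; _vr=$2
    if [ "$_fips" != "1" ]; then echo "not-fips"; return 0; fi
    case $_vr in
        *-*.el9*) ;;                       # the only stream the page covers
        *) echo "unknown"; return 0 ;;     # other release or package missing
    esac
    _ver=${_vr%%-*}
    _rel=${_vr#*-}; _rel=${_rel%%.*}       # leading number of the release
    if ver_lt "$_ver" "$FIXED_VERSION"; then
        echo "affected"
    elif ver_lt "$FIXED_VERSION" "$_ver"; then
        echo "fixed"
    elif ver_lt "$_rel" "$FIXED_RELEASE"; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# check_host: gather both inputs from the running system.
# Only the kernel-wide FIPS flag is read; an NSS database switched to FIPS
# mode on its own (the second case in the description) is not detected.
check_host() {
    _flag=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) || _flag=0
    _pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' 389-ds-base 2>/dev/null) || _pkg=""
    pbkdf2_fips_status "$_flag" "$_pkg"
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it with `--host` on the Directory Server machine; `affected` means PBKDF2-hashed binds are expected to fail until the package is updated.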

