RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2033398 - PBKDF2 hashing does not work in FIPS mode
Summary: PBKDF2 hashing does not work in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Simon Pichugin
QA Contact: RHDS QE
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1779685
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-16 16:52 UTC by mreynolds
Modified: 2023-09-15 01:50 UTC (History)
13 users (show)

Fixed In Version: 389-ds-base-1.4.3.28-2.module+el8.6.0
Doc Type: Bug Fix
Doc Text:
.Authenticating to Directory Server in FIPS mode with PBKDF2-hashed passwords now works as expected When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the `PK11_ExtractKeyValue()` function is not available. As a consequence, users with a password-based key derivation function 2 (PBKDF2) hashed password could not authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the `PK11_Decrypt()` function to get the password hash data. As a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed passwords.
Clone Of: 1779685
Environment:
Last Closed: 2022-05-10 13:43:24 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 3584 0 None open PBKDF2 hashing does not work in FIPS mode 2021-12-21 13:44:09 UTC
Red Hat Issue Tracker IDMDS-1887 0 None None None 2021-12-16 17:06:55 UTC
Red Hat Issue Tracker IDMDS-1888 0 None None None 2021-12-16 17:15:11 UTC
Red Hat Issue Tracker RHELPLAN-106038 0 None None None 2021-12-16 17:03:41 UTC
Red Hat Product Errata RHBA-2022:1815 0 None None None 2022-05-10 13:43:52 UTC

Comment 6 Akshay Adhikari 2021-12-28 08:18:42 UTC
============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-356.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.28-3.module+el8.6.0+13706+e2f14737
nss: 3.67.0-7.el8_5
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: enabled
rootdir: /workspace/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 118 items                                                                                                                                                         

dirsrvtests/tests/suites/password/password_test.py::test_password_delete_specific_password PASSED                                                                     [  0%]
dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED                                                                           [  1%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_bypass PASSED                                                                                       [  2%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_no_admin PASSED                                                                                     [  3%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_modify PASSED                                                                                       [  4%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_group PASSED                                                                                        [  5%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_config_validation PASSED                                                                            [  5%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_different_operation PASSED                                                                  [  6%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_password_policy PASSED                                                                      [  7%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_subsuffix PASSED                                                                            [  8%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED                                                                                  [  9%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-off-UNWILLING_TO_PERFORM] PASSED                                                    [ 10%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-off-UNWILLING_TO_PERFORM] PASSED                                                   [ 11%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-on-False] PASSED                                                                   [ 11%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-on-False] PASSED                                                                    [ 12%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_min_age PASSED                                                                                [ 13%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_must_change PASSED                                                                             [ 14%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expired_grace_limit PASSED                                                                     [ 15%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_warning PASSED                                                                   [ 16%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning PASSED                                                                [ 16%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-off] PASSED                                                    [ 17%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[on-off] PASSED                                                     [ 18%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-on] PASSED                                                     [ 19%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions PASSED                                                                [ 20%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_basic PASSED                                                                                         [ 21%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_user_attributes PASSED                                                                [ 22%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_bad_words PASSED                                                                      [ 22%]
dirsrvtests/tests/suites/password/pwdPolicy_token_test.py::test_token_lengths PASSED                                                                                  [ 23%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[ ] PASSED                                                                          [ 24%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[junk123] PASSED                                                                    [ 25%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[on] PASSED                                                                         [ 26%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[off] PASSED                                                                        [ 27%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_expiry_time PASSED                                                                                  [ 27%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordSendExpiringTime-off] PASSED                                               [ 28%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordWarning-3600] PASSED                                                       [ 29%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_different_password_states PASSED                                                               [ 30%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_default_behavior PASSED                                                                             [ 31%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_when_maxage_and_warning_are_the_same PASSED                                                         [ 32%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy FAILED                                                                            [ 33%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower PASSED                                           [ 33%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_expire_works PASSED                                                                        [ 34%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED                                                                                  [ 35%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED                                                                                  [ 36%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED                                                                              [ 37%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED                                                                           [ 38%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED                                                                           [ 38%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED                                                                                    [ 39%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED                                                                                    [ 40%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED                                                                                 [ 41%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED                                                                                 [ 42%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED                                                                                 [ 43%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED                                                                                   [ 44%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED                                                                                   [ 44%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED                                                                                [ 45%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED                                                                                [ 46%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED                                                                                [ 47%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED                                                                          [ 48%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED                                                                                [ 49%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] FAILED                                                                          [ 50%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pbkdf2_algo PASSED                                                                                           [ 50%]
dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py::test_password_crypt_asterisk_is_rejected PASSED                                                         [ 51%]
dirsrvtests/tests/suites/password/pwd_lockout_bypass_test.py::test_lockout_bypass PASSED                                                                              [ 52%]
dirsrvtests/tests/suites/password/pwd_log_test.py::test_hide_unhashed_pwd PASSED                                                                                      [ 53%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED                                                                   [ 54%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED                                                        [ 55%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED                                                           [ 55%]
dirsrvtests/tests/suites/password/pwp_gracel_test.py::test_password_gracelimit_section PASSED                                                                         [ 56%]
dirsrvtests/tests/suites/password/pwp_history_test.py::test_basic PASSED                                                                                              [ 57%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordchange_to_no PASSED                                                                                       [ 58%]
dirsrvtests/tests/suites/password/pwp_test.py::test_password_check_syntax PASSED                                                                                      [ 59%]
dirsrvtests/tests/suites/password/pwp_test.py::test_too_big_password PASSED                                                                                           [ 60%]
dirsrvtests/tests/suites/password/pwp_test.py::test_pwminage PASSED                                                                                                   [ 61%]
dirsrvtests/tests/suites/password/pwp_test.py::test_invalid_credentials PASSED                                                                                        [ 61%]
dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date FAILED                                                                                            [ 62%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout FAILED                                                                                            [ 63%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_local_password_policy PASSED                                                                       [ 64%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_passwordexpirationtime_attribute PASSED                                                            [ 65%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_admin_group_to_modify_password PASSED                                                              [ 66%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_max_failure_should_lockout_password PASSED                                                [ 66%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_pwd_update_time_attribute PASSED                                                                   [ 67%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_track_update_time PASSED                                                                  [ 68%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_signal_11 PASSED                                                                                   [ 69%]
dirsrvtests/tests/suites/password/regression_test.py::test_pwp_local_unlock PASSED                                                                                    [ 70%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1] PASSED                                                                      [ 71%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[SNpwtest1] PASSED                                                                      [ 72%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[UIDpwtest1] PASSED                                                                     [ 72%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[MAILpwtest1] PASSED                                                         [ 73%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[GNpwtest1] PASSED                                                                      [ 74%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] PASSED                                                                  [ 75%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] PASSED                                                                 [ 76%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1] PASSED                                                                     [ 77%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1Z] PASSED                                                                     [ 77%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] PASSED                                                                    [ 78%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1] PASSED                                                                    [ 79%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] PASSED                                                                    [ 80%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] PASSED                                                                  [ 81%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] PASSED                                                                   [ 82%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] PASSED                                                                   [ 83%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] PASSED                                                                [ 83%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED                                                        [ 84%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1] PASSED                                                                          [ 85%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[SNpwtest1] PASSED                                                                          [ 86%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[UIDpwtest1] PASSED                                                                         [ 87%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[MAILpwtest1] PASSED                                                             [ 88%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[GNpwtest1] PASSED                                                                          [ 88%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] PASSED                                                                      [ 89%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] PASSED                                                                     [ 90%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1] PASSED                                                                         [ 91%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1Z] PASSED                                                                         [ 92%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1Z] PASSED                                                                        [ 93%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1] PASSED                                                                        [ 94%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZ] PASSED                                                                        [ 94%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] PASSED                                                                      [ 95%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1] PASSED                                                                       [ 96%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZ] PASSED                                                                       [ 97%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] PASSED                                                                    [ 98%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED                                                            [ 99%]
dirsrvtests/tests/suites/password/regression_test.py::test_unhashed_pw_switch PASSED                                                                                  [100%]

========================================================== 4 failed, 114 passed, 341 warnings in 743.02s (0:12:23) ==============================================

Comment 7 Akshay Adhikari 2022-01-19 14:44:15 UTC
============================================================================ test session starts =================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-359.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.28-3.module+el8.6.0+13706+e2f14737
nss: 3.67.0-7.el8_5
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: enabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 138 items / 135 deselected / 3 selected                                                                                                                           

dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy PASSED                                                                            [ 33%]
dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date PASSED                                                                                            [ 66%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout PASSED                                                                                            [100%]

============================================================== 3 passed, 135 deselected, 26 warnings in 54.60s ==================================================

Failing test cases are passed, Marking as verified: Tested.

Comment 8 Akshay Adhikari 2022-01-19 14:50:31 UTC
As per (https://bugzilla.redhat.com/show_bug.cgi?id=2033398#c7) Marking as VERIFIED

Comment 16 errata-xmlrpc 2022-05-10 13:43:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1815

Comment 17 Red Hat Bugzilla 2023-09-15 01:50:38 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days


Note You need to log in before you can comment on or make changes to this bug.