Bug 2033398 - PBKDF2 hashing does not work in FIPS mode [NEEDINFO]
Summary: PBKDF2 hashing does not work in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Simon Pichugin
QA Contact: RHDS QE
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1779685
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-16 16:52 UTC by mreynolds
Modified: 2022-05-10 14:12 UTC (History)
13 users (show)

Fixed In Version: 389-ds-base-1.4.3.28-2.module+el8.6.0
Doc Type: Bug Fix
Doc Text:
.Authenticating to Directory Server in FIPS mode with PBKDF2-hashed passwords now works as expected When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the `PK11_ExtractKeyValue()` function is not available. As a consequence, users with a password-based key derivation function 2 (PBKDF2) hashed password could not authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the `PK11_Decrypt()` function to get the password hash data. As a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed passwords.
Clone Of: 1779685
Environment:
Last Closed: 2022-05-10 13:43:24 UTC
Type: Bug
Target Upstream Version:
tbordaz: needinfo? (msauton)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 3584 0 None open PBKDF2 hashing does not work in FIPS mode 2021-12-21 13:44:09 UTC
Red Hat Issue Tracker IDMDS-1887 0 None None None 2021-12-16 17:06:55 UTC
Red Hat Issue Tracker IDMDS-1888 0 None None None 2021-12-16 17:15:11 UTC
Red Hat Issue Tracker RHELPLAN-106038 0 None None None 2021-12-16 17:03:41 UTC
Red Hat Product Errata RHBA-2022:1815 0 None None None 2022-05-10 13:43:52 UTC

Comment 6 Akshay Adhikari 2021-12-28 08:18:42 UTC 
============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-356.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.28-3.module+el8.6.0+13706+e2f14737
nss: 3.67.0-7.el8_5
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: enabled
rootdir: /workspace/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 118 items                                                                                                                                                         

dirsrvtests/tests/suites/password/password_test.py::test_password_delete_specific_password PASSED                                                                     [  0%]
dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED                                                                           [  1%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_bypass PASSED                                                                                       [  2%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_no_admin PASSED                                                                                     [  3%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_modify PASSED                                                                                       [  4%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_group PASSED                                                                                        [  5%]
dirsrvtests/tests/suites/password/pwdAdmin_test.py::test_pwdAdmin_config_validation PASSED                                                                            [  5%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_different_operation PASSED                                                                  [  6%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_password_policy PASSED                                                                      [  7%]
dirsrvtests/tests/suites/password/pwdModify_test.py::test_pwd_modify_with_subsuffix PASSED                                                                            [  8%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED                                                                                  [  9%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-off-UNWILLING_TO_PERFORM] PASSED                                                    [ 10%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-off-UNWILLING_TO_PERFORM] PASSED                                                   [ 11%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[off-on-False] PASSED                                                                   [ 11%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_change_pwd[on-on-False] PASSED                                                                    [ 12%]
dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_min_age PASSED                                                                                [ 13%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_must_change PASSED                                                                             [ 14%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expired_grace_limit PASSED                                                                     [ 15%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_warning PASSED                                                                   [ 16%]
dirsrvtests/tests/suites/password/pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning PASSED                                                                [ 16%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-off] PASSED                                                    [ 17%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[on-off] PASSED                                                     [ 18%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-on] PASSED                                                     [ 19%]
dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions PASSED                                                                [ 20%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_basic PASSED                                                                                         [ 21%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_user_attributes PASSED                                                                [ 22%]
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py::test_config_set_few_bad_words PASSED                                                                      [ 22%]
dirsrvtests/tests/suites/password/pwdPolicy_token_test.py::test_token_lengths PASSED                                                                                  [ 23%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[ ] PASSED                                                                          [ 24%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[junk123] PASSED                                                                    [ 25%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[on] PASSED                                                                         [ 26%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_different_values[off] PASSED                                                                        [ 27%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_expiry_time PASSED                                                                                  [ 27%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordSendExpiringTime-off] PASSED                                               [ 28%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_warning[passwordWarning-3600] PASSED                                                       [ 29%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_different_password_states PASSED                                                               [ 30%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_default_behavior PASSED                                                                             [ 31%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_when_maxage_and_warning_are_the_same PASSED                                                         [ 32%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy FAILED                                                                            [ 33%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower PASSED                                           [ 33%]
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_password_expire_works PASSED                                                                        [ 34%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED                                                                                  [ 35%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED                                                                                  [ 36%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED                                                                              [ 37%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED                                                                           [ 38%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED                                                                           [ 38%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED                                                                                    [ 39%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED                                                                                    [ 40%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED                                                                                 [ 41%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED                                                                                 [ 42%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED                                                                                 [ 43%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED                                                                                   [ 44%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED                                                                                   [ 44%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED                                                                                [ 45%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED                                                                                [ 46%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED                                                                                [ 47%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED                                                                          [ 48%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED                                                                                [ 49%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] FAILED                                                                          [ 50%]
dirsrvtests/tests/suites/password/pwd_algo_test.py::test_pbkdf2_algo PASSED                                                                                           [ 50%]
dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py::test_password_crypt_asterisk_is_rejected PASSED                                                         [ 51%]
dirsrvtests/tests/suites/password/pwd_lockout_bypass_test.py::test_lockout_bypass PASSED                                                                              [ 52%]
dirsrvtests/tests/suites/password/pwd_log_test.py::test_hide_unhashed_pwd PASSED                                                                                      [ 53%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED                                                                   [ 54%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED                                                        [ 55%]
dirsrvtests/tests/suites/password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED                                                           [ 55%]
dirsrvtests/tests/suites/password/pwp_gracel_test.py::test_password_gracelimit_section PASSED                                                                         [ 56%]
dirsrvtests/tests/suites/password/pwp_history_test.py::test_basic PASSED                                                                                              [ 57%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordchange_to_no PASSED                                                                                       [ 58%]
dirsrvtests/tests/suites/password/pwp_test.py::test_password_check_syntax PASSED                                                                                      [ 59%]
dirsrvtests/tests/suites/password/pwp_test.py::test_too_big_password PASSED                                                                                           [ 60%]
dirsrvtests/tests/suites/password/pwp_test.py::test_pwminage PASSED                                                                                                   [ 61%]
dirsrvtests/tests/suites/password/pwp_test.py::test_invalid_credentials PASSED                                                                                        [ 61%]
dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date FAILED                                                                                            [ 62%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout FAILED                                                                                            [ 63%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_local_password_policy PASSED                                                                       [ 64%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_passwordexpirationtime_attribute PASSED                                                            [ 65%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_admin_group_to_modify_password PASSED                                                              [ 66%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_max_failure_should_lockout_password PASSED                                                [ 66%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_pwd_update_time_attribute PASSED                                                                   [ 67%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_password_track_update_time PASSED                                                                  [ 68%]
dirsrvtests/tests/suites/password/regression_of_bugs_test.py::test_signal_11 PASSED                                                                                   [ 69%]
dirsrvtests/tests/suites/password/regression_test.py::test_pwp_local_unlock PASSED                                                                                    [ 70%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1] PASSED                                                                      [ 71%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[SNpwtest1] PASSED                                                                      [ 72%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[UIDpwtest1] PASSED                                                                     [ 72%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[MAILpwtest1] PASSED                                                         [ 73%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[GNpwtest1] PASSED                                                                      [ 74%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] PASSED                                                                  [ 75%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] PASSED                                                                 [ 76%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1] PASSED                                                                     [ 77%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1Z] PASSED                                                                     [ 77%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] PASSED                                                                    [ 78%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1] PASSED                                                                    [ 79%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] PASSED                                                                    [ 80%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] PASSED                                                                  [ 81%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] PASSED                                                                   [ 82%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] PASSED                                                                   [ 83%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] PASSED                                                                [ 83%]
dirsrvtests/tests/suites/password/regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED                                                        [ 84%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1] PASSED                                                                          [ 85%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[SNpwtest1] PASSED                                                                          [ 86%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[UIDpwtest1] PASSED                                                                         [ 87%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[MAILpwtest1] PASSED                                                             [ 88%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[GNpwtest1] PASSED                                                                          [ 88%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] PASSED                                                                      [ 89%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] PASSED                                                                     [ 90%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1] PASSED                                                                         [ 91%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1Z] PASSED                                                                         [ 92%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZCNpwtest1Z] PASSED                                                                        [ 93%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1] PASSED                                                                        [ 94%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZ] PASSED                                                                        [ 94%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] PASSED                                                                      [ 95%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1] PASSED                                                                       [ 96%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[CNpwtest1ZZZ] PASSED                                                                       [ 97%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] PASSED                                                                    [ 98%]
dirsrvtests/tests/suites/password/regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] PASSED                                                            [ 99%]
dirsrvtests/tests/suites/password/regression_test.py::test_unhashed_pw_switch PASSED                                                                                  [100%]

========================================================== 4 failed, 114 passed, 341 warnings in 743.02s (0:12:23) ==============================================
Comment 7 Akshay Adhikari 2022-01-19 14:44:15 UTC 
============================================================================ test session starts =================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-359.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.28-3.module+el8.6.0+13706+e2f14737
nss: 3.67.0-7.el8_5
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: enabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 138 items / 135 deselected / 3 selected                                                                                                                           

dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py::test_with_local_policy PASSED                                                                            [ 33%]
dirsrvtests/tests/suites/password/pwp_test.py::test_expiration_date PASSED                                                                                            [ 66%]
dirsrvtests/tests/suites/password/pwp_test.py::test_passwordlockout PASSED                                                                                            [100%]

============================================================== 3 passed, 135 deselected, 26 warnings in 54.60s ==================================================

Failing test cases are passed, Marking as verified: Tested.
Comment 8 Akshay Adhikari 2022-01-19 14:50:31 UTC 
As per (https://bugzilla.redhat.com/show_bug.cgi?id=2033398#c7) Marking as VERIFIED
Comment 16 errata-xmlrpc 2022-05-10 13:43:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1815
Note You need to log in before you can comment on or make changes to this bug.