enterprise-support team mailing list archive
Message #11031
[Bug 2125685] Re: pbkdf2 module not make iterations configurable and FIPS 140-3
Hi Filippo! I've added the stable update template above, please check if the test instructions seem reasonable :)
Then we can proceed to backport up to 22.04.
** Description changed:
+ [ Impact ]
+
+ Add configurable rounds for pw-pbkdf2.so module
+
+ Without the ability to configure the iteration count, it is not possible
+ to meet current security best practices or achieve compliance with FIPS
+ 140-3, which requires configurable and sufficiently high iteration
+ counts for PBKDF2.
+
+ [ Test Plan ]
+
+ * install slapd and slapd-contrib
+ * only supports hardcoded 10000 rounds:
+ slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
+ * after update, any round number can be configured:
+ slappasswd -o module-load="pw-pbkdf2.so 1337" -h {PBKDF2-SHA512}
+
+ [ Where problems could occur ]
+
+ * pbkdf2 password validation/hashing could get a regression
+ * Due to the configurable round count, old passwords could become invalid due to different round counts
+
+ [ Other Info ]
+
+ * Anything else you think is useful to include
+
+ * Make sure to explain any deviation from the norm, to save the SRU
+ reviewer from having to infer your reasoning, possibly incorrectly.
+ This should also help reduce review iterations, particularly when the
+ reason for the deviation is not obvious.
+
+ * Anticipate questions from users, SRU, +1 maintenance, security teams
+ and the Technical Board and address these questions in advance
+
+ [ Original Report ]
+
On Ubuntu 24.04, the OpenLDAP package ships with the library /usr/lib/ldap/pw-pbkdf2.so.
While this module works for generating PBKDF2-SHA512 password hashes, it does not provide an option to configure the number of iterations.
For example:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
generates a hash with a fixed iteration count (e.g. 10000) and does not
accept parameters to increase it.
In contrast, the upstream contrib module passwd/pbkdf2 on
https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/passwd/pbkdf2
supports the iteration count option and allows administrators to
configure it.
moduleload pw-pbkdf2.so [iterations]
Steps to reproduce:
Install OpenLDAP on Ubuntu 24.04. (slapd and slapd-contrib packages)
Run
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y
-
- Expected behavior:
- The pw-pbkdf2.so module should support configuration of the iteration count, as provided in the upstream passwd/pbkdf2 contrib module.
-
- Actual behavior:
- Iteration count is hardcoded (default: 10000), and cannot be changed.
-
- Impact:
- Without the ability to configure the iteration count, it is not possible to meet current security best practices or achieve compliance with FIPS 140-3, which requires configurable and sufficiently high iteration counts for PBKDF2.
** Changed in: openldap (Ubuntu Jammy)
Status: Won't Fix => In Progress
** Merge proposal linked:
https://code.launchpad.net/~jj/ubuntu/+source/openldap/+git/openldap/+merge/493050
** Merge proposal linked:
https://code.launchpad.net/~jj/ubuntu/+source/openldap/+git/openldap/+merge/493221
** Merge proposal linked:
https://code.launchpad.net/~jj/ubuntu/+source/openldap/+git/openldap/+merge/493230
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to openldap in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2125685
Title:
pbkdf2 module not make iterations configurable and FIPS 140-3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2125685/+subscriptions