Fix 500 login errors in Ubuntu 22.04 FIPS hosts

What does this MR do and why?

On FIPS hosts, encrypted user passwords are hashed with PBKDF2 instead of bcrypt. The Ubuntu 22.04 FIPS implementation requires that:

  1. The input plaintext is at least 8 bytes.
  2. The salt is at least 16 bytes.

If the input plaintext is shorter than 8 bytes, OpenSSL raises an exception:

PKCS5_PBKDF2_HMAC: invalid key length (OpenSSL::KDF::KDFError)

If the salt is too short, OpenSSL raises:

PKCS5_PBKDF2_HMAC: invalid salt length (OpenSSL::KDF::KDFError)

The first exception can easily be triggered if a user logs in with 2FA because SessionsController#complete_identity_verification attempts to validate a blank password.

The second exception was happening when activating 2FA because the previous salt was too short.

Fix these problems by:

  1. Ensuring a password is present.
  2. Checking the password is at least 8 bytes before attempting to compare against the encrypted password.
  3. Generating a salt length of at least 16 bytes.
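The three fixes above, written out as an added Ruby example (not the MR's own code): the FIPS minimums are the 8-byte password and 16-byte salt the description gives, while the iteration count, digest and key length are assumed values chosen for the example. The guard runs before OpenSSL is called, so a blank or short password makes verification return false instead of raising the KDFError.

```ruby
require 'openssl'
require 'securerandom'

MIN_PASSWORD_BYTES = 8   # Ubuntu 22.04 FIPS: PBKDF2 input must be >= 8 bytes
MIN_SALT_BYTES     = 16  # Ubuntu 22.04 FIPS: salt must be >= 16 bytes
ITERATIONS = 20_000      # assumed for this example, not taken from the MR
KEY_LENGTH = 64          # assumed
DIGEST     = 'sha512'    # assumed

# Fix 3: always generate a salt long enough for the FIPS provider.
def generate_salt
  SecureRandom.random_bytes(MIN_SALT_BYTES)
end

# Fixes 1 and 2: a password must be present and at least 8 *bytes*
# (bytesize, not character count, is what OpenSSL checks).
def password_acceptable?(password)
  !password.nil? && password.bytesize >= MIN_PASSWORD_BYTES
end

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: KEY_LENGTH, hash: DIGEST)
end

# Returns [salt, derived_key]; refuses input that FIPS PBKDF2 would reject.
def hash_password(password)
  raise ArgumentError, 'password must be at least 8 bytes' unless password_acceptable?(password)
  salt = generate_salt
  [salt, derive_key(password, salt)]
end

# Constant-time byte comparison so a mismatch does not leak position.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verification path (the one a 2FA login hits with a blank password):
# short or missing input is simply an invalid password, never an exception.
def valid_password?(candidate, salt, stored_key)
  return false unless password_acceptable?(candidate)
  return false if salt.bytesize < MIN_SALT_BYTES # legacy short salt, as in the MR
  secure_equal?(derive_key(candidate, salt), stored_key)
end
```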

References

Relates to https://gitlab.com/gitlab-com/request-for-help/-/issues/3526

How to set up and validate locally

  1. Spin up a VM with Ubuntu 22.04 FIPS (see https://gitlab.com/gitlab-com/request-for-help/-/issues/3526#note_2805288170). I did this with an AWS AMI, which appeared to subscribe to Ubuntu Pro without having to enter a token.
  2. Install the GitLab EE package.
  3. Set up 2FA with both the QR code and a WebAuthn device.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu