Bug 1020395
| Field | Value |
|---|---|
| Summary | Allow Level 1 FIPS mode if the nss db has no password |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Elio Maldonado Batiz <emaldona> |
| Component | nss-softokn |
| Assignee | Elio Maldonado Batiz <emaldona> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Ondrej Moriš <omoris> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 7.0 |
| CC | emaldona, kdudka, ksrot, omoris, rrelyea |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | nss-softokn-3.15.2-2.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-06-16 08:23:39 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 852023 |
| Attachments | |
Description
Elio Maldonado Batiz
2013-10-17 15:10:15 UTC
See attachment #662399 [details] for a testing script ... and the following comments for its expected output: bug #852023 comment #83, bug #852023 comment #84

---

Unfortunately I really cannot reproduce the issue:

* Should it fail with an empty password?
* What is meant by 'no password'? Empty password (i.e. typing enter twice during nss db creation)? Empty password file?

I am using the following packages:

```
nss-softokn-3.15.1-3.el7.x86_64
nss-softokn-devel-3.15.1-3.el7.x86_64
nss-util-3.15.1-2.el7.x86_64
nss-softokn-freebl-3.15.1-3.el7.x86_64
nss-util-devel-3.15.1-2.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
nss-sysinit-3.15.1-3.el7.x86_64
nss-softokn-freebl-devel-3.15.1-3.el7.x86_64
nss-devel-3.15.1-3.el7.x86_64
nss-tools-3.15.1-3.el7.x86_64
nss-3.15.1-3.el7.x86_64
nss-pkcs11-devel-3.15.1-3.el7.x86_64
```

From what I understand the following steps should fail in the end (in fips mode):

```
# mkdir /tmp/tnssdb
# touch /tmp/foo
# certutil -N -d /tmp/tnssdb -f /tmp/foo
password file contains no data
# ls /tmp/tnssdb/
cert8.db  key3.db  secmod.db
# certutil -L -d /tmp/tnssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

# modutil -dbdir /tmp/tnssdb/ -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled.
# certutil -S -k rsa -n mycaaa -m "0" -s "CN=mycaaa" -t "C,C,C" -v 13 -x -d /tmp/tnssdb/
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

# echo $?
0
```

---

Ondrej, could it be because you are using nss-softokn-3.15.1-3.el7.x86_64 but this is marked as Fixed in Version: nss-softokn-3.15.2-2.el7?

---

No, I am using the old version intentionally to reproduce the problem. With the fixed version of nss-softokn (nss-softokn-3.15.2-2.el7 or higher) it should be possible to operate on L1 FIPS mode with an empty password (is that equal to having "no password"?). It works but...

It also works with older versions of nss-softokn (nss-softokn-3.15.1-3.el7); even with this old version I can easily switch the nss db into FIPS mode, generate keypairs and so on with an empty nss db password.

Therefore I am not sure what was not working actually? Elio, do you have any scenario which was failing before this issue was fixed? Maybe "empty password" != "no password" or I am using the wrong nss db operation to test the issue...?

---

Elio, could you please reply on #c8?

---

(In reply to Ondrej Moriš from comment #8)
> should be possible to operate on L1 FIPS mode with and empty password (is
> that equal to have "no password"?). It works but...

No password should be equivalent to empty password according to what I have seen in the code, where NULL strings get transformed into empty strings.

> It also works with older versions of nss-softokn (nss-softokn-3.15.1-3.el7),
> even with this old version I can easily switch nss db into FIPS mode,
> generate keypairs and so on with an empty nss db password.
>
> Therefore I am not sure what was not working actually? Elio, do you have any
> scenario which was failing before this issue was fixed? May be "empty
> password" != "no password" or I am using wrong nss db operation to test the
> issue...?

The only thing is what was provided in Bug 852023.

One problem I have is that in my rhel-7.0 VM I can no longer downgrade nss-softokn to the old nss-softokn-3.15.1-3.el7 version to try and reproduce it.

---

I was able to reproduce it using the simple reproducer from Bug 852023. I had to use a VM based on rhel-7 Alpha3 so the nss-softokn version was old enough. To set the system in fips mode I follow the steps from https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html and modify them for rhel 7. Installing dracut-fips was tricky so I had to use an internal rhel-7 nightly repo as this is a pre-beta system.

```
[root@fipstest emaldona]# cd /home/emaldona/fipsmode/
[root@fipstest fipsmode]# ls
fipsmode  fipsmode.c  Makefile
[root@fipstest fipsmode]# rpm -q nss nss-softokn nss-util
nss-3.14.1-3.el7.x86_64
nss-softokn-3.14-5.el7.x86_64
nss-util-3.14.1-2.el7.x86_64
```

Method 1:

```
[root@fipstest fipsmode]# cat /proc/sys/crypto/fips_enabled
1
```

Method 2:

```
[root@fipstest fipsmode]# ./fipsmode
FIPS mode is disabled.
```

Contradicts the previous answer.

---

Sorry, I should have run the steps on Comment 6.

---

So there is always a password on the database. Sometimes that password is the NULL string "". Here's the chart on how softoken treats the NULL string.

```
------------------
old softoken, non-fips mode: Softoken reports no password if it has a NULL string "".
old softoken, fips mode:     Softoken reports the need for a password. You must
                             explicitly log in using "" as a password.
------------------
new softoken, non-fips mode: Softoken reports no password if it has a NULL string "".
new softoken, fips mode:     Softoken reports no password if it has a NULL string "".
------------------
```

Old apps using new softoken will either 1) start working when they didn't before, or 2) no change.

---

Thank you both. OK, I can confirm that NSS DB with empty password (i.e. NULL string) with:

A: new nss-softokn in non-fips system[1] with non-fips db[2] does not require login
B: new nss-softokn in non-fips system with fips db does not require login

but

C: new nss-softokn in fips system with fips db does require login

[1] fips-system <=> booted with fips=0 kernel parameter and other steps from [*].
[2] fips db <=> modutil -fips true <DB>
[*] https://access.redhat.com/site/solutions/137833

Details of C follow:

```
# rm /tmp/tnssdb/ -rf
# mkdir /tmp/tnssdb
# certutil -N -d /tmp/tnssdb -f /tmp/foo
password file contains no data
# modutil -list -dbdir /tmp/tnssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
# modutil -list "NSS Internal PKCS #11 Module" -dbdir /tmp/tnssdb/

-----------------------------------------------------------
Name: NSS Internal PKCS #11 Module
Library file: **Internal ONLY module**
Manufacturer: Mozilla Foundation
Description: NSS Internal Crypto Services
PKCS #11 Version 2.20
Library Version: 3.15
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: NSS FIPS 140-2 User Private Key Services
  Slot Mechanism Flags: None
  Manufacturer: Mozilla Foundation
  Type: Software
  Version Number: 3.15
  Firmware Version: 0.0
  Status: Enabled
  Token Name: NSS FIPS 140-2 Certificate DB
  Token Manufacturer: Mozilla Foundation
  Token Model: NSS 3
  Token Serial Number: 0000000000000000
  Token Version: 0.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: NOT Initialized
-----------------------------------------------------------
# modutil -fips true -dbdir /tmp/tnssdb/

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode already enabled.
```

(^^^ just to make sure that DB is in fips mode)

```
nss-3.15.4-2.el7.x86_64
nss-util-3.15.4-2.el7.x86_64
nss-softokn-freebl-3.15.4-2.el7.x86_64
nss-sysinit-3.15.4-2.el7.x86_64
nss-tools-3.15.4-2.el7.x86_64
nss-softokn-3.15.4-2.el7.x86_64
```

In other words, if a system is not in FIPS mode (i.e. no fips=1 kernel parameter in particular), it works as expected, but in FIPS mode it still requires login even with an empty password, which is not correct as far as I can understand. What do you think?

---

> OK, I can confirm that NSS DB with empty password (ie. NULL string) with:
> A: new nss-softokn in non-fips system[1] with non-fips db[2] does not require login
> B: new nss-softokn in non-fips system with fips db does not require login but
> C: new nss-softokn in fips system with fips db does require login

That is very weird, but there shouldn't be any difference between a new nss-softokn in FIPS mode because the db is in fips mode and a new nss-softokn in FIPS mode because the system is in FIPS mode. What happens if the new nss-softokn is in a fips system and the database is non-fips? That's the main case we care about in RHEL-7.0.

bob

---

(In reply to Bob Relyea from comment #16)
> ...What happens if
> the new nss-softoken is in fips system and the database is non-fips? That's
> the main case we care about in RHEL-7.0.

Hi Bob, that combination is not possible AFAIK; once one has a "fips-system" (booted with fips=1 boot=... kernel parameters), the db is always true-fips, isn't it?

```
# cat /proc/sys/crypto/fips_enabled
1
# rm /tmp/tnssdb/ -rf
# mkdir /tmp/tnssdb
# touch /tmp/foo
# certutil -N -d /tmp/tnssdb -f /tmp/foo
password file contains no data
# modutil -list -dbdir /tmp/tnssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
# modutil -list "NSS Internal PKCS #11 Module" -dbdir /tmp/tnssdb/

-----------------------------------------------------------
Name: NSS Internal PKCS #11 Module
Library file: **Internal ONLY module**
Manufacturer: Mozilla Foundation
Description: NSS Internal Crypto Services
PKCS #11 Version 2.20
Library Version: 3.15
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: NSS FIPS 140-2 User Private Key Services
  Slot Mechanism Flags: None
  Manufacturer: Mozilla Foundation
  Type: Software
  Version Number: 3.15
  Firmware Version: 0.0
  Status: Enabled
  Token Name: NSS FIPS 140-2 Certificate DB
  Token Manufacturer: Mozilla Foundation
  Token Model: NSS 3
  Token Serial Number: 0000000000000000
  Token Version: 0.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: NOT Initialized
-----------------------------------------------------------
# modutil -fips false -dbdir /tmp/tnssdb/

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

PKCS #11 module could not be removed because it is still in use.
ERROR: Unable to switch FIPS modes.
# rpm -qa | grep "^nss"
nss-softokn-freebl-3.15.4-2.el7.x86_64
nss-tools-3.15.4-6.el7.x86_64
nss-3.15.4-6.el7.x86_64
nss-util-3.15.4-2.el7.x86_64
nss-softokn-3.15.4-2.el7.x86_64
nss-sysinit-3.15.4-6.el7.x86_64
```

In other words, in a "fips-system" the db is "true-fips" and that state cannot be changed, which is perfectly fine from my point of view. But unfortunately login is required (see above).

---

The database has fips and non-fips fips mode. The Tools will always see fips mode when the system is in fips mode. I'm very confused on why this happens because there should be no difference (there isn't any different code path). Anyway it looks like you've identified an issue. Elio is setting up a test machine now for me to dig into it.

bob

---

OK, this is RHEL-6 not RHEL-5. The patch appears to have been added simply to deal with running local tests inside nss and not in any code that actually ships. Upstream has updated softoken so it's not necessary to explicitly turn it off (though we should get back to wtc and suggest that we still want to be able to do it). Turning off AES_HW is fine because it's just the NSS tests, not the softoken tests (which run separately). The confusion seems to come because we still have a full softoken in the tree even though we don't ship with it.

bob

---

Bob, I suspect you intended this comment to be added to Bug 1099619.

---

yes...

---

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
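The A/B/C comparison in the thread is done by eye over `modutil -list` output. The following is an added example, not a script from the bug report or from the NSS project: a POSIX shell helper that reduces a `modutil -list "NSS Internal PKCS #11 Module"` listing to the three fields that matter here (FIPS token or not, login required or not, user PIN initialized or not), plus a check that encodes the behaviour Bob's chart gives for the new softoken with a NULL-string password (no login required). The embedded listing is constructed from the case C output quoted above, re-flowed one field per line; the `live_token_state` function assumes the NSS tools are installed and is not invoked automatically.

```shell
#!/bin/sh
# Added example (not part of the bug report): summarise the state of the NSS
# internal token from `modutil -list` output so the A/B/C cases can be
# compared mechanically. Runs offline on the constructed sample below.

# Constructed sample: the case C listing from the thread (FIPS db on a FIPS
# system, empty password), re-flowed one field per line as modutil prints it.
SAMPLE_MODUTIL_OUTPUT='-----------------------------------------------------------
Name: NSS Internal PKCS #11 Module
Library file: **Internal ONLY module**
Manufacturer: Mozilla Foundation
Description: NSS Internal Crypto Services
PKCS #11 Version 2.20
Library Version: 3.15
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: NSS FIPS 140-2 User Private Key Services
  Slot Mechanism Flags: None
  Manufacturer: Mozilla Foundation
  Type: Software
  Version Number: 3.15
  Firmware Version: 0.0
  Status: Enabled
  Token Name: NSS FIPS 140-2 Certificate DB
  Token Manufacturer: Mozilla Foundation
  Token Model: NSS 3
  Token Serial Number: 0000000000000000
  Token Version: 0.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: NOT Initialized
-----------------------------------------------------------'

# field NAME: print the value of the first "NAME: value" line on stdin,
# ignoring the indentation modutil puts in front of slot/token fields.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# token_state: read a modutil listing on stdin and print one line of the form
#   fips=<yes|no> login=<required|not-required> pin=<initialized|not-initialized>
# The FIPS token is recognised by its "NSS FIPS 140-2 Certificate DB" name.
token_state() {
    listing=$(cat)
    case "$(printf '%s\n' "$listing" | field 'Token Name')" in
        *"FIPS 140-2"*) fips=yes ;;
        *)              fips=no ;;
    esac
    case "$(printf '%s\n' "$listing" | field 'Login Type')" in
        *"Login required"*) login=required ;;
        *)                  login=not-required ;;
    esac
    case "$(printf '%s\n' "$listing" | field 'User Pin')" in
        *"NOT Initialized"*) pin=not-initialized ;;
        *)                   pin=initialized ;;
    esac
    printf 'fips=%s login=%s pin=%s\n' "$fips" "$login" "$pin"
}

# expected_no_login: exit 0 when a listing read on stdin shows the behaviour
# the chart gives for the new softoken with an empty password (no login
# required), 1 when the token still demands a login, as in case C.
expected_no_login() {
    case "$(token_state)" in
        *"login=not-required"*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# live_token_state DBDIR: run the same modutil command as the thread against a
# real database directory. Assumes the NSS tools (modutil) are installed.
live_token_state() {
    modutil -list "NSS Internal PKCS #11 Module" -dbdir "$1" | token_state
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_MODUTIL_OUTPUT" | token_state
```

Running `live_token_state /tmp/tnssdb` on each of the three setups (non-FIPS system with non-FIPS db, non-FIPS system with FIPS db, FIPS system) and piping the stored listing through `expected_no_login` gives a yes/no answer per case instead of reading the listing by hand; case C is the one where it returns 1.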