Bug 1411346

Summary: OpenLDAP doesn't work in FIPS mode in RHEL-6
Product: Red Hat Enterprise Linux 6
Reporter: Hubert Kario <hkario>
Component: nss-softokn
Assignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.8
CC: kengert
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-08 16:34:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1387811
Bug Blocks:

Description Hubert Kario 2017-01-09 14:29:26 UTC
Description of problem:
When the OpenLDAP server is configured with an NSS database set up in FIPS mode, it is unable to process client requests.

Version-Release number of selected component (if applicable):
nss-softokn-3.14.3-23.3.el6_8


How reproducible:
Always

Steps to Reproduce:
1. Set up OpenLDAP with NSS database configured to FIPS mode
2. Try connecting to it using TLS

Actual results:
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.

Expected results:
TLS connection established

Additional info:
Matus Honek traced it down to
> #0  sftk_fipsCheck (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:200
> #1  FC_CreateObject (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:764
> #2  0x00007ffff6424bca in PK11_CreateNewObject (slot=0x7fffe4029a60, session=18446744071562067969, theTemplate=<value optimized out>, count=2, token=0, objectID=<value optimized out>) at pk11obj.c:381
> #3  0x00007ffff6434f46 in secmod_UserDBOp (slot=0x7fffe4029a60, objClass=3461563221, sendSpec=<value optimized out>, needlock=1) at pk11util.c:1281
> #4  0x00007ffff643573a in SECMOD_OpenNewSlot (mod=0x7fffe400d230, moduleSpec=<value optimized out>) at pk11util.c:1403
> #5  0x00007ffff79c1ba9 in tlsm_init_open_certdb (arg=0x7ffff83a3a30) at tls_m.c:1739
> #6  tlsm_deferred_init (arg=0x7ffff83a3a30) at tls_m.c:1854
> #7  tlsm_deferred_ctx_init (arg=0x7ffff83a3a30) at tls_m.c:2280
> #8  0x00007ffff5b83fc5 in PR_CallOnceWithArg (once=0x7ffff83a3a80, func=<value optimized out>, arg=<value optimized out>) at ../../../nspr/pr/src/misc/prinit.c:807
> #9  0x00007ffff79bf19b in tlsm_session_new (ctx=0x7ffff83a3a30, is_server=1) at tls_m.c:2667
> #10 0x00007ffff79bd8f4 in alloc_handle (ctx_arg=<value optimized out>, is_server=<value optimized out>) at tls2.c:296
> #11 0x00007ffff79bdf45 in ldap_pvt_tls_accept (sb=0x7fffe40008c0, ctx_arg=0x7ffff83a3a30) at tls2.c:418
> #12 0x00007ffff7e4b3a3 in connection_read (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1372
> #13 connection_read_thread (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1284
> #14 0x00007ffff7995ce8 in ldap_int_thread_pool_wrapper (xpool=0x7ffff82e2c40) at ../../../libraries/libldap_r/tpool.c:688
> #15 0x00007ffff5953aa1 in start_thread (arg=0x7ffff2d4d700) at pthread_create.c:301
> #16 0x00007ffff5495aad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
where frame #0 seems to return CKR_USER_NOT_LOGGED_IN when checking !isLoggedIn, which is 0 (zero). Why that is so, I have no clue.

Bob has proposed a patch to fix it: attachment 1225994 [details]
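An added example, not part of the bug report or of OpenLDAP/NSS: a small Python scanner that picks the two slapd TLS log lines quoted above out of a log stream, pairs the "certdb config" line with the "cannot open certdb" error that follows it, and flags the -8018 certdb-open failure this report describes so it can be spotted in slapd logs rather than diagnosed from a backtrace. The sample log is constructed from the lines in the description plus filler; the `modutil -dbdir DIR -chkfips true` follow-up it suggests is the standard NSS command for confirming whether a database is in FIPS mode, and is my assumption about the next check a practitioner would run, not something the report itself prescribes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the two TLS lines quoted in the bug report,
# surrounded by unrelated slapd lines the scanner has to skip.
SAMPLE_LOG = """\
slapd starting
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
connection_read(15): TLS accept failure error=-1 id=1000, closing
"""

# NSS error code logged in this report when the FIPS-mode certdb cannot be opened.
FIPS_CERTDB_ERROR = -8018

CONFIG_RE = re.compile(r"^TLS: certdb config: (?P<kv>.*)$")
# key='quoted value' or key=bareword, as slapd's tls_m.c prints them
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
ERROR_RE = re.compile(
    r"^TLS: cannot open certdb '(?P<dir>[^']*)', error (?P<code>-?\d+):(?P<msg>.*?)\.?$"
)


def parse_certdb_config(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value pairs of a 'TLS: certdb config:' line, or None."""
    m = CONFIG_RE.match(line)
    if not m:
        return None
    out: Dict[str, str] = {}
    for kv in KV_RE.finditer(m.group("kv")):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        # quoted may legitimately be '' (e.g. certPrefix=''), so test for None
        out[key] = quoted if quoted is not None else bare
    return out


def parse_certdb_error(line: str) -> Optional[Dict[str, object]]:
    """Return configDir, numeric NSS error code and message of a certdb-open failure."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    return {"configDir": m.group("dir"), "code": int(m.group("code")), "message": m.group("msg")}


def scan_slapd_log(text: str) -> List[Dict[str, object]]:
    """Pair each certdb-open error with the most recent certdb config line."""
    findings: List[Dict[str, object]] = []
    last_config: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        cfg = parse_certdb_config(line)
        if cfg is not None:
            last_config = cfg
            continue
        err = parse_certdb_error(line)
        if err is None:
            continue
        cfg = last_config or {}
        findings.append({
            "configDir": err["configDir"],
            "code": err["code"],
            "message": err["message"],
            "flags": cfg.get("flags", ""),
            "token": cfg.get("tokenDescription", ""),
            # True when the failure has the signature reported in this bug
            "matches_report": err["code"] == FIPS_CERTDB_ERROR,
            # assumed next step: confirm the database's FIPS state with modutil
            "next_check": f"modutil -dbdir {err['configDir']} -chkfips true",
        })
    return findings


if __name__ == "__main__":
    for f in scan_slapd_log(SAMPLE_LOG):
        print(f)
```

Run it on a real slapd log (`scan_slapd_log(open("/var/log/slapd.log").read())`) and each finding tells you which certdb and token failed, the flags slapd opened it with, and whether the error code is the one from this report.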

Comment 1 Kai Engert (:kaie) (inactive account) 2017-01-11 14:14:40 UTC
Adding a bit more context.

Details can be found in bug 1387811.

I believe the intention of this bug is to be a tracker, because the patch requires a change to softokn, but it's unknown when we might be able to update nss-softokn in RHEL 6.