Bug 829088

Summary: nss-softokn sha224 self-test fails in fips mode
Product: [Fedora] Fedora Reporter: Alexandre Oliva <aoliva>
Component: nss-softoknAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: aoliva, emaldona, fche, jakub, kengert, law, mtoman, omoris, pwouters, rrelyea, schwab, sgrubb, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-softokn-3.13.4-3.fc18, nss-softokn-3.13.4-3.fc17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 811753 Environment:
Last Closed: 2012-07-19 09:13:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 717789, 811753, 867144    
Attachments:
Description Flags
nss test sample C file
none
minimalist bug reproducer
none
nss-softokn sha224 fips self test fix
none
patch as it was checked in - same as applied upstream none

Description Alexandre Oliva 2012-06-05 22:34:08 UTC 
+++ This bug was initially created as a clone of Bug #811753 +++

Description of problem:
crypt() returns NULL in fipsmode 

crypt returned NULL for salt $6$FOOBAR
crypt returned NULL for salt $5$FOOBAR

Expected results:
$6$FOOBAR$yPOQuPE1ruwOrYiApWDYw9BxeLk/oIjajCgzubzO0PYEos/vnqpTnNI12VIdiUF8hiHT9bMslahk/0Oikb.nA.
$5$FOOBAR$cDCnc4lB6JRog7XV9JxxoKiWTHbH09P9xkfnf237ke7

--- Additional comment from aoliva on 2012-06-05 18:14:33 EDT ---

FWIW, I've managed to duplicate the problem on a F16-ish box, with glibc master (with or without my patches) and nss-softokn-{freebl,debuginfo}-3.13.4-1.fc16.x86_64

I didn't have FIPS enabled, so I used gdb to pretend it was enabled, setting a breakpoint on nsslowhash.c:305 and setting d to '1' before proceeding (that's where it tests what it read from /proc/sys/crypto/fips_enabled).

Then I stepped into freebl_fips_SHA_PowerUpSelfTest, only run when FIPS is enabled, and noticed the problem was that the SHA224 self-test was failing: SHA224_HashBuf set sha_computed_digest to a bitstream completely different from sha224_known_digest.

I'm not sufficiently familiar with these crypto algorithms to tell whether it is the test or the implementation that is broken, but I'm pretty sure that once either of them is fixed, SHA256 and SHA512 password crypto is going to work with glibc's crypt() build with --enable-nss-crypt.

So, I'm going to clone this bug and assign the clone to nss-softokn, so that this one remains about the glibc crypt changes.
Comment 1 Elio Maldonado Batiz 2012-06-06 19:26:03 UTC 
Though we can't currently enable system wide fips mode by doing a buildwith tis change
-    if (!post && nsslow_GetFIPSEnabled()) {
+    if (!post && (1 || nsslow_GetFIPSEnabled())) { /* force the test to be run always */
 	crv = freebl_fipsPowerUpSelfTest();
 	if (crv != CKR_OK) {
 	    post_failed = 1;
that forces execution of the powerup slef-tests regradless I can reproduce the problem. I booted in single user mode okay and when to run level 3 where authetication of root failed, likewise on run level 5 I could gogin as regular user. I checkd the expected anwser and it matches a value from
http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA224.pdf
so the computed value is indeed wrong. I'll work on this and log the corresponding bug.
Comment 2 Paul Wouters 2012-06-07 16:03:32 UTC 
Created attachment 590229 [details]
nss test sample C file

I'm confused then. The attached nss-example.c runs fine in fips mode. If the fips self test is supposed to fail over the bad sha2 selftest, why does this example run fine in fips mode?
Comment 3 Bob Relyea 2012-06-07 17:26:43 UTC 
The problem isn't in softoken. Softoken in Fips mode works fine. The problem is in the direct to freebl interface in FIPS mode (think libgcrypt).

bob
Comment 4 Bob Relyea 2012-06-07 17:37:35 UTC 
It also only affects softoken 3.13.x, so there is no issue with RHEL5 or RHEL6.

bob
Comment 5 Elio Maldonado Batiz 2012-06-13 02:20:03 UTC 
Created attachment 591327 [details]
minimalist bug reproducer

See the comments at the top of the file wit the steps to reproduce it. Since fedora isn't quite ready for fips mode I turn it on and off by devious means.
Proceed with care. I followed the steps and traced execition with gdb and saw the sha224 power-up self-test fail the compare. I have submitted a patch to the upstream bug and along with it a full test suite for the nss low hash api.
Comment 6 Paul Wouters 2012-06-13 05:40:06 UTC 
Created attachment 591352 [details]
nss-softokn sha224 fips self test fix

This patch does fix my issue, and nss works properly in fips mode
Comment 7 Paul Wouters 2012-06-13 05:41:30 UTC 
It also properly handles the crypt() calls now via freebl for $5$ and $6$ salts.
Comment 8 Elio Maldonado Batiz 2012-06-13 14:39:51 UTC 
Thank you Paul for verifiying the fix and attaching a downstream version of the upstream patch - they are effectively the same. The fix consists of using for the nss lowhash self-tests the same expected value as used in softoken .
Comment 9 Elio Maldonado Batiz 2012-06-13 21:37:58 UTC 
Created attachment 591641 [details]
patch as it was checked in - same as applied upstream
Comment 10 Fedora Update System 2012-07-08 22:51:56 UTC 
nspr-4.9.1-1.fc17,nss-util-3.13.5-1.fc17,nss-softokn-3.13.5-1.fc17,nss-3.13.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/nspr-4.9.1-1.fc17,nss-util-3.13.5-1.fc17,nss-softokn-3.13.5-1.fc17,nss-3.13.5-1.fc17
Comment 11 Fedora Update System 2012-07-10 16:31:51 UTC 
Package nspr-4.9.1-1.fc17, nss-util-3.13.5-1.fc17, nss-softokn-3.13.5-1.fc17, nss-3.13.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nspr-4.9.1-1.fc17 nss-util-3.13.5-1.fc17 nss-softokn-3.13.5-1.fc17 nss-3.13.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10451/nspr-4.9.1-1.fc17,nss-util-3.13.5-1.fc17,nss-softokn-3.13.5-1.fc17,nss-3.13.5-1.fc17
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2012-07-12 18:57:45 UTC 
Package nspr-4.9.1-2.fc17, nss-util-3.13.5-1.fc17, nss-softokn-3.13.5-1.fc17, nss-3.13.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nspr-4.9.1-2.fc17 nss-util-3.13.5-1.fc17 nss-softokn-3.13.5-1.fc17 nss-3.13.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10451/nspr-4.9.1-2.fc17,nss-util-3.13.5-1.fc17,nss-softokn-3.13.5-1.fc17,nss-3.13.5-1.fc17
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-07-12 20:15:01 UTC 
nspr-4.9.1-2.fc16,nss-util-3.13.5-1.fc16,nss-softokn-3.13.5-1.fc16,nss-3.13.5-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/nspr-4.9.1-2.fc16,nss-util-3.13.5-1.fc16,nss-softokn-3.13.5-1.fc16,nss-3.13.5-1.fc16
Comment 14 Paul Wouters 2012-07-18 00:09:42 UTC 
confirmed working on f16 and f17. Thanks!
Comment 15 Fedora Update System 2012-07-19 09:13:49 UTC 
nspr-4.9.1-2.fc17, nss-util-3.13.5-1.fc17, nss-softokn-3.13.5-1.fc17, nss-3.13.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2012-07-30 22:24:20 UTC 
nspr-4.9.1-2.fc16, nss-util-3.13.5-1.fc16, nss-softokn-3.13.5-1.fc16, nss-3.13.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Miroslav Lichvar 2013-01-24 17:45:16 UTC 
*** Bug 903144 has been marked as a duplicate of this bug. ***