Bug 1020395 - Allow Level 1 FIPS mode if the nss db has no password
Summary: Allow Level 1 FIPS mode if the nss db has no password
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss-softokn
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Elio Maldonado Batiz
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 852023
Reported: 2013-10-17 15:10 UTC by Elio Maldonado Batiz
Modified: 2014-06-18 05:26 UTC
CC List: 5 users

Fixed In Version: nss-softokn-3.15.2-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-16 08:23:39 UTC
Target Upstream Version:
Embargoed:


Attachments
Allows level 1 operations if primary nssdb has no password (1.24 KB, patch)
2013-10-17 15:10 UTC, Elio Maldonado Batiz

Description Elio Maldonado Batiz 2013-10-17 15:10:15 UTC
Created attachment 813388
Allows level 1 operations if primary nssdb has no password

Description of problem: nss-softokn needs to allow level 1 operations if the primary database doesn't have a password.  

Version-Release number of selected component (if applicable): nss-softokn-3.15.1-3


How reproducible: 

Steps to Reproduce: 

See Bug 852023 for details.

Actual results:

Expected results:

Additional info:

Comment 3 Kamil Dudka 2013-10-25 12:46:15 UTC
See attachment #662399 for a testing script

... and the following comments for its expected output:

    bug #852023 comment #83

    bug #852023 comment #84

Comment 6 Ondrej Moriš 2014-04-02 10:55:34 UTC
Unfortunately I really cannot reproduce the issue -

* Should it fail with empty password?

* What is meant by 'no password'? 
  Empty password (ie. typing enter twice during nss db creation? 
  Empty password file?

I am using the following packages:

nss-softokn-3.15.1-3.el7.x86_64
nss-softokn-devel-3.15.1-3.el7.x86_64
nss-util-3.15.1-2.el7.x86_64
nss-softokn-freebl-3.15.1-3.el7.x86_64
nss-util-devel-3.15.1-2.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
nss-sysinit-3.15.1-3.el7.x86_64
nss-softokn-freebl-devel-3.15.1-3.el7.x86_64
nss-devel-3.15.1-3.el7.x86_64
nss-tools-3.15.1-3.el7.x86_64
nss-3.15.1-3.el7.x86_64
nss-pkcs11-devel-3.15.1-3.el7.x86_64

From what I understand the following steps should fail in the end (in fips mode):

# mkdir /tmp/tnssdb
# touch /tmp/foo
# certutil -N -d /tmp/tnssdb -f /tmp/foo
password file contains no data
# ls /tmp/tnssdb/
cert8.db  key3.db  secmod.db
# certutil -L -d /tmp/tnssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
# modutil -dbdir /tmp/tnssdb/ -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

FIPS mode enabled.
# certutil -S -k rsa -n mycaaa -m "0" -s "CN=mycaaa" -t "C,C,C" -v 13 -x -d /tmp/tnssdb/
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

# echo $?
0

Comment 7 Elio Maldonado Batiz 2014-04-02 17:05:59 UTC
Ondrej, could it be because you are using nss-softokn-3.15.1-3.el7.x86_64 but this is marked as Fixed in Version: nss-softokn-3.15.2-2.el7?

Comment 8 Ondrej Moriš 2014-04-07 09:01:31 UTC
No, I am using the old version intentionally to reproduce the problem. With the fixed version of nss-softokn (nss-softokn-3.15.2-2.el7 or higher) it should be possible to operate on L1 FIPS mode with an empty password (is that equal to having "no password"?). It works but...

It also works with older versions of nss-softokn (nss-softokn-3.15.1-3.el7), even with this old version I can easily switch nss db into FIPS mode, generate keypairs and so on with an empty nss db password. 

Therefore I am not sure what was not working actually? Elio, do you have any scenario which was failing before this issue was fixed? May be "empty password" != "no password" or I am using wrong nss db operation to test the issue...?

Comment 9 Karel Srot 2014-05-14 06:11:56 UTC
Elio, could you please reply on #c8?

Comment 10 Elio Maldonado Batiz 2014-05-14 16:15:35 UTC
(In reply to Ondrej Moriš from comment #8)
> should be possible to operate on L1 FIPS mode with and empty password (is
> that equal to have "no password"?). It works but...

No password should be equivalent to empty password according to what I have seen in the code where NULL strings get transformed into empty strings.

> 
> It also works with older versions of nss-softokn (nss-softokn-3.15.1-3.el7),
> even with this old version I can easily switch nss db into FIPS mode,
> generate keypairs and so on with an empty nss db password. 
> 
> Therefore I am not sure what was not working actually? Elio, do you have any
> scenario which was failing before this issue was fixed? May be "empty
> password" != "no password" or I am using wrong nss db operation to test the
> issue...?
The only thing is what was provided in Bug 852023. 

One problem I have is that in my rhel-7.0 VM I can no longer downgrade nss-softokn to the old nss-softokn-3.15.1-3.el7 version to try and reproduce it.

Comment 11 Elio Maldonado Batiz 2014-05-15 16:10:04 UTC
I was able to reproduce it using the simple reproducer from Bug 852023. 
I had to use a VM based on rhel-7 Alpha3 so the nss-softokn version was old enough. To set the system in fips mode I followed the steps from https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html and modified them for rhel 7.
Installing dracut-fips was tricky so I had to use an internal rhel-7 nightly repo as this is a pre-beta system.

[root@fipstest emaldona]# cd /home/emaldona/fipsmode/
[root@fipstest fipsmode]# ls
fipsmode  fipsmode.c  Makefile

[root@fipstest fipsmode]# rpm -q nss nss-softokn nss-util
nss-3.14.1-3.el7.x86_64
nss-softokn-3.14-5.el7.x86_64
nss-util-3.14.1-2.el7.x86_64

Method 1:
[root@fipstest fipsmode]# cat /proc/sys/crypto/fips_enabled 
1

Method2:
[root@fipstest fipsmode]# ./fipsmode 
FIPS mode is disabled.

Contradicts the previous answer.

Comment 12 Elio Maldonado Batiz 2014-05-15 17:19:08 UTC
Sorry, I should have run the steps on Comment 6.

Comment 13 Bob Relyea 2014-05-15 18:33:21 UTC
So there is always a password on the database. Sometimes that password is the NULL string "". Here's the chart on how softoken treats the NULL string.

------------------
old softoken, non-fips mode: Softoken reports no password if it has a NULL string "".
old softoken, fips mode: Softoken reports the need for a password. You must explicitly log in using "" as a password.
------------------
new softoken, non-fips mode: Softoken reports no password if it has a NULL string "".
new softoken, fips mode: Softoken reports no password if it has a NULL string "".
------------------


Old apps using new softoken will either 1) start working when they didn't before, or 2) no change.

Comment 14 Ondrej Moriš 2014-05-16 14:28:02 UTC
Thank you both. 

OK, I can confirm that NSS DB with empty password (ie. NULL string) with:

A: new nss-softokn in non-fips system[1] with non-fips db[2] does not require login
B: new nss-softokn in non-fips system    with     fips db    does not require login

but

C: new nss-softokn in     fips system    with     fips db    does     require login

[1] fips-system <=> booted with fips=0 kernel parameter and other steps from [*].
[2] fips db <=> modutil -fips true <DB>
[*] https://access.redhat.com/site/solutions/137833

Details of C follows:

# rm /tmp/tnssdb/ -rf
# mkdir /tmp/tnssdb
# certutil -N -d /tmp/tnssdb -f /tmp/foo 
password file contains no data
# modutil -list -dbdir /tmp/tnssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 1 slot attached
	status: loaded

	 slot: NSS FIPS 140-2 User Private Key Services
	token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
# modutil -list "NSS Internal PKCS #11 Module" -dbdir /tmp/tnssdb/

-----------------------------------------------------------
Name: NSS Internal PKCS #11 Module
Library file: **Internal ONLY module**
Manufacturer: Mozilla Foundation              
Description: NSS Internal Crypto Services    
PKCS #11 Version 2.20
Library Version: 3.15
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: NSS FIPS 140-2 User Private Key Services
  Slot Mechanism Flags: None
  Manufacturer: Mozilla Foundation              
  Type: Software
  Version Number: 3.15
  Firmware Version: 0.0
  Status: Enabled
  Token Name: NSS FIPS 140-2 Certificate DB   
  Token Manufacturer: Mozilla Foundation              
  Token Model: NSS 3           
  Token Serial Number: 0000000000000000
  Token Version: 0.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: NOT Initialized

-----------------------------------------------------------
# modutil -fips true -dbdir /tmp/tnssdb/

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

FIPS mode already enabled.

(^^^ just to make sure that DB is in fips mode)

nss-3.15.4-2.el7.x86_64
nss-util-3.15.4-2.el7.x86_64
nss-softokn-freebl-3.15.4-2.el7.x86_64
nss-sysinit-3.15.4-2.el7.x86_64
nss-tools-3.15.4-2.el7.x86_64
nss-softokn-3.15.4-2.el7.x86_64

In other words, if a system is not in FIPS mode (ie. no fips=1 kernel parameter in particular), it works as expected but in FIPS mode, it still requires login even with an empty password which is not correct as far as I can understand.

What do you think?

Comment 16 Bob Relyea 2014-05-27 21:02:38 UTC
> OK, I can confirm that NSS DB with empty password (ie. NULL string) with:

> A: new nss-softokn in non-fips system[1] with non-fips db[2] does not require login
> B: new nss-softokn in non-fips system    with     fips db    does not require login

but

> C: new nss-softokn in     fips system    with     fips db    does     require login

That is very weird, but there shouldn't be any difference between a new nss-softokn in FIPS mode because the db is in fips mode and a new nss-softokn in FIPS mode because the system is in FIPS mode. What happens if the new nss-softoken is in fips system and the database is non-fips? That's the main case we care about in RHEL-7.0.

bob

Comment 17 Ondrej Moriš 2014-06-02 12:25:30 UTC
(In reply to Bob Relyea from comment #16)
> ...What happens if
> the new nss-softoken is in fips system and the database is non-fips? That's
> the main case we care about in RHEL-7.0.

Hi Bob, that combination is not possible AFAIK, once one has "fips-system" (booted with fips=1 boot=... kernel parameters), db is always true-fips, isn't it?

# cat /proc/sys/crypto/fips_enabled
1
# rm /tmp/tnssdb/ -rf
# mkdir /tmp/tnssdb
# touch /tmp/foo
# certutil -N -d /tmp/tnssdb -f /tmp/foo 
password file contains no data
# modutil -list -dbdir /tmp/tnssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 1 slot attached
	status: loaded

	 slot: NSS FIPS 140-2 User Private Key Services
	token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
#  modutil -list "NSS Internal PKCS #11 Module" -dbdir /tmp/tnssdb/

-----------------------------------------------------------
Name: NSS Internal PKCS #11 Module
Library file: **Internal ONLY module**
Manufacturer: Mozilla Foundation              
Description: NSS Internal Crypto Services    
PKCS #11 Version 2.20
Library Version: 3.15
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: NSS FIPS 140-2 User Private Key Services
  Slot Mechanism Flags: None
  Manufacturer: Mozilla Foundation              
  Type: Software
  Version Number: 3.15
  Firmware Version: 0.0
  Status: Enabled
  Token Name: NSS FIPS 140-2 Certificate DB   
  Token Manufacturer: Mozilla Foundation              
  Token Model: NSS 3           
  Token Serial Number: 0000000000000000
  Token Version: 0.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: NOT Initialized

-----------------------------------------------------------
# modutil -fips false -dbdir /tmp/tnssdb/

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

PKCS #11 module could not be removed because it is still in use.
ERROR: Unable to switch FIPS modes.

# rpm -qa | grep "^nss"
nss-softokn-freebl-3.15.4-2.el7.x86_64
nss-tools-3.15.4-6.el7.x86_64
nss-3.15.4-6.el7.x86_64
nss-util-3.15.4-2.el7.x86_64
nss-softokn-3.15.4-2.el7.x86_64
nss-sysinit-3.15.4-6.el7.x86_64

In other words, in "fips-system", db is "true-fips" and that state cannot be changed - which is perfectly fine from my point of view. But unfortunately login is required (see above).
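
The manual checks from comments 6, 14 and 17, together with the expected behaviour from Bob's chart in comment 13, can be scripted. This is an added example, not code from the bug or from NSS; it assumes certutil and modutil from nss-tools are on PATH, and the live part only runs when NSS_CHECK_LIVE=1 is set.

```shell
#!/bin/sh
# Added example (not from the bug report or from NSS itself): automates the
# check done by hand in comments 6, 14 and 17. Assumes certutil and modutil
# from nss-tools are on PATH; the live part runs only with NSS_CHECK_LIVE=1.

# Helper: read `modutil -list "<module>" -dbdir <db>` output on stdin and
# report whether the token says a login is needed.
login_type_of() {
    if grep -q 'Login Type: *Login required'; then echo login-required
    else echo no-login; fi
}

# Helper: read the same output and report whether the DB is in FIPS mode
# (the token is renamed "NSS FIPS 140-2 Certificate DB" when it is).
token_mode_of() {
    if grep -q 'NSS FIPS 140-2 Certificate DB'; then echo fips
    else echo non-fips; fi
}

# Comment 13's chart for a DB whose password is the empty string "":
# only the old softoken in FIPS mode insists on an explicit "" login.
expected_login() {   # $1 = old|new softoken, $2 = fips|non-fips DB
    if [ "$1" = old ] && [ "$2" = fips ]; then echo login-required
    else echo no-login; fi
}

# Live reproducer: an empty password file gives password "", then the DB is
# optionally put in FIPS mode and modutil's view is compared with the chart.
# Returns 0 on a match, 1 on a mismatch such as case C in comment 14.
run_check() {   # $1 = old|new softoken, $2 = DB dir, $3 = fips|non-fips
    gen=$1; db=$2; want=$3
    rm -rf "$db" && mkdir -p "$db" && : > "$db/empty.pw"
    certutil -N -d "$db" -f "$db/empty.pw"   # prints "password file contains no data"
    if [ "$want" = fips ]; then
        modutil -dbdir "$db" -fips true -force >/dev/null   # -force skips the prompt
    fi
    listing=$(modutil -list "NSS Internal PKCS #11 Module" -dbdir "$db")
    mode=$(printf '%s\n' "$listing" | token_mode_of)
    got=$(printf '%s\n' "$listing" | login_type_of)
    exp=$(expected_login "$gen" "$mode")
    sysfips=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown)
    printf 'system fips=%s db=%s login=%s expected=%s\n' "$sysfips" "$mode" "$got" "$exp"
    [ "$got" = "$exp" ]
}

if [ "${NSS_CHECK_LIVE:-0}" = 1 ]; then
    run_check "${NSS_CHECK_GEN:-new}" /tmp/tnssdb "${NSS_CHECK_DB:-fips}"
fi
```

Run it once with NSS_CHECK_DB=non-fips and once with NSS_CHECK_DB=fips on both a fips=0 and a fips=1 boot to reproduce the A/B/C matrix from comment 14.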

Comment 18 Bob Relyea 2014-06-09 21:30:14 UTC
The database has fips and non-fips fips mode. The Tools will always see fips mode when the system is in fips mode.

I'm very confused on why this happens because there should be no difference (there isn't any different code path).

Anyway it looks like you've identified an issue. Elio is setting up a test machine now for me to dig into it.

bob

Comment 19 Bob Relyea 2014-06-09 21:47:05 UTC
OK, this is RHEL-6 not RHEL-5. The patch appears to have been added simply to deal with running local tests inside nss and not in any code that actually ships.
Upstream has updated softoken so it's not necessary to explicitly turn it off (though we should get back to wtc and suggest that we still want to be able to do it). 

Turning off AES_HW is fine because it's just the NSS tests, not the softoken tests (which run separately).

The confusion seems to come because we still have a full softoken in the tree even though we don't ship with it.

bob

Comment 20 Elio Maldonado Batiz 2014-06-09 22:09:01 UTC
Bob, I suspect you intended this comment to be added to Bug 1099619.

Comment 21 Bob Relyea 2014-06-09 22:31:30 UTC
yes...

Comment 22 Ludek Smid 2014-06-16 08:23:39 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

