Bug 1411346 - OpenLDAP doesn't work in FIPS mode in RHEL-6
Summary: OpenLDAP doesn't work in FIPS mode in RHEL-6
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss-softokn
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: nss-nspr-maint
QA Contact: BaseOS QE Security Team
Depends On: 1387811
TreeView+ depends on / blocked
Reported: 2017-01-09 14:29 UTC by Hubert Kario
Modified: 2017-11-08 16:34 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-11-08 16:34:13 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Hubert Kario 2017-01-09 14:29:26 UTC
Description of problem:
When OpenLDAP server is configured with a NSS database set up in FIPS mode, it is unable to process client requests.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up OpenLDAP with NSS database configured to FIPS mode
2. Try connecting to it using TLS

Actual results:
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.

Expected results:
TLS connection established

Additional info:
 Matus Honek traced it down to 
> #0  sftk_fipsCheck (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:200
> #1  FC_CreateObject (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:764
> #2  0x00007ffff6424bca in PK11_CreateNewObject (slot=0x7fffe4029a60, session=18446744071562067969, theTemplate=<value optimized out>, count=2, token=0, objectID=<value optimized out>) at pk11obj.c:381
> #3  0x00007ffff6434f46 in secmod_UserDBOp (slot=0x7fffe4029a60, objClass=3461563221, sendSpec=<value optimized out>, needlock=1) at pk11util.c:1281
> #4  0x00007ffff643573a in SECMOD_OpenNewSlot (mod=0x7fffe400d230, moduleSpec=<value optimized out>) at pk11util.c:1403
> #5  0x00007ffff79c1ba9 in tlsm_init_open_certdb (arg=0x7ffff83a3a30) at tls_m.c:1739
> #6  tlsm_deferred_init (arg=0x7ffff83a3a30) at tls_m.c:1854
> #7  tlsm_deferred_ctx_init (arg=0x7ffff83a3a30) at tls_m.c:2280
> #8  0x00007ffff5b83fc5 in PR_CallOnceWithArg (once=0x7ffff83a3a80, func=<value optimized out>, arg=<value optimized out>) at ../../../nspr/pr/src/misc/prinit.c:807
> #9  0x00007ffff79bf19b in tlsm_session_new (ctx=0x7ffff83a3a30, is_server=1) at tls_m.c:2667
> #10 0x00007ffff79bd8f4 in alloc_handle (ctx_arg=<value optimized out>, is_server=<value optimized out>) at tls2.c:296
> #11 0x00007ffff79bdf45 in ldap_pvt_tls_accept (sb=0x7fffe40008c0, ctx_arg=0x7ffff83a3a30) at tls2.c:418
> #12 0x00007ffff7e4b3a3 in connection_read (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1372
> #13 connection_read_thread (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1284
> #14 0x00007ffff7995ce8 in ldap_int_thread_pool_wrapper (xpool=0x7ffff82e2c40) at ../../../libraries/libldap_r/tpool.c:688
> #15 0x00007ffff5953aa1 in start_thread (arg=0x7ffff2d4d700) at pthread_create.c:301
> #16 0x00007ffff5495aad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
where the frame #0 seems to return CKR_USER_NOT_LOGGED_IN when checking for !isLoggedIn, which is 0 (zero). Why it is so I have no clue.

Bob has proposed a patch to fix it: attachment 1225994 [details]

Comment 1 Kai Engert (:kaie) (inactive account) 2017-01-11 14:14:40 UTC
Adding a bit more context.

Details can be found in bug 1387811.

I believe the intention of this bug is to be a tracker, because the patch requires a change to softokn, but it's unknown when we might be able to update nss-softokn in RHEL 6.

Note You need to log in before you can comment on or make changes to this bug.