1411346 – OpenLDAP doesn't work in FIPS mode in RHEL-6

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1411346 - OpenLDAP doesn't work in FIPS mode in RHEL-6

Summary: OpenLDAP doesn't work in FIPS mode in RHEL-6

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	nss-softokn
Sub Component:
Version:	6.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	nss-nspr-maint
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1387811
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-09 14:29 UTC by Hubert Kario
Modified:	2017-11-08 16:34 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-08 16:34:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Hubert Kario 2017-01-09 14:29:26 UTC

Description of problem:
When OpenLDAP server is configured with a NSS database set up in FIPS mode, it is unable to process client requests.

Version-Release number of selected component (if applicable):
nss-softokn-3.14.3-23.3.el6_8


How reproducible:
Always

Steps to Reproduce:
1. Set up OpenLDAP with NSS database configured to FIPS mode
2. Try connecting to it using TLS
3.

Actual results:
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.

Expected results:
TLS connection established

Additional info:
 Matus Honek traced it down to 
> #0  sftk_fipsCheck (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:200
> #1  FC_CreateObject (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:764
> #2  0x00007ffff6424bca in PK11_CreateNewObject (slot=0x7fffe4029a60, session=18446744071562067969, theTemplate=<value optimized out>, count=2, token=0, objectID=<value optimized out>) at pk11obj.c:381
> #3  0x00007ffff6434f46 in secmod_UserDBOp (slot=0x7fffe4029a60, objClass=3461563221, sendSpec=<value optimized out>, needlock=1) at pk11util.c:1281
> #4  0x00007ffff643573a in SECMOD_OpenNewSlot (mod=0x7fffe400d230, moduleSpec=<value optimized out>) at pk11util.c:1403
> #5  0x00007ffff79c1ba9 in tlsm_init_open_certdb (arg=0x7ffff83a3a30) at tls_m.c:1739
> #6  tlsm_deferred_init (arg=0x7ffff83a3a30) at tls_m.c:1854
> #7  tlsm_deferred_ctx_init (arg=0x7ffff83a3a30) at tls_m.c:2280
> #8  0x00007ffff5b83fc5 in PR_CallOnceWithArg (once=0x7ffff83a3a80, func=<value optimized out>, arg=<value optimized out>) at ../../../nspr/pr/src/misc/prinit.c:807
> #9  0x00007ffff79bf19b in tlsm_session_new (ctx=0x7ffff83a3a30, is_server=1) at tls_m.c:2667
> #10 0x00007ffff79bd8f4 in alloc_handle (ctx_arg=<value optimized out>, is_server=<value optimized out>) at tls2.c:296
> #11 0x00007ffff79bdf45 in ldap_pvt_tls_accept (sb=0x7fffe40008c0, ctx_arg=0x7ffff83a3a30) at tls2.c:418
> #12 0x00007ffff7e4b3a3 in connection_read (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1372
> #13 connection_read_thread (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1284
> #14 0x00007ffff7995ce8 in ldap_int_thread_pool_wrapper (xpool=0x7ffff82e2c40) at ../../../libraries/libldap_r/tpool.c:688
> #15 0x00007ffff5953aa1 in start_thread (arg=0x7ffff2d4d700) at pthread_create.c:301
> #16 0x00007ffff5495aad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
where the frame #0 seems to return CKR_USER_NOT_LOGGED_IN when checking for !isLoggedIn, which is 0 (zero). Why it is so I have no clue.

Bob has proposed a patch to fix it: attachment 1225994 [details]

Comment 1 Kai Engert (:kaie) (inactive account) 2017-01-11 14:14:40 UTC

Adding a bit more context.

Details can be found in bug 1387811.

I believe the intention of this bug is to be a tracker, because the patch requires a change to softokn, but it's unknown when we might be able to update nss-softokn in RHEL 6.

Note You need to log in before you can comment on or make changes to this bug.