1539785 – modutil rejects new empty password in FIPS mode on clean database

Bug 1539785 - modutil rejects new empty password in FIPS mode on clean database

Summary: modutil rejects new empty password in FIPS mode on clean database

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	7.5
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daiki Ueno
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1508581
Blocks:	1566472 1730687
TreeView+	depends on / blocked

Reported:	2018-01-29 15:40 UTC by Hubert Kario
Modified:	2019-07-17 11:08 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1508581
Clones:	1566472 1730687 (view as bug list)
Environment:
Last Closed:	2018-11-09 14:40:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Mozilla Foundation	1415847	--	RESOLVED	modutil -changepw shouldn't prompt for old password if it's the empty string	2020-02-06 13:47:00 UTC
Mozilla Foundation	1453408	--	RESOLVED	modutil -changepw fails in FIPS mode if password is an empty string	2020-02-06 13:47:00 UTC

Description Hubert Kario 2018-01-29 15:40:01 UTC

Description of problem:


I am seeing a difference in behaviour with regard to modutil in RHEL7.5.


RHEL7.5
===========
Red Hat Enterprise Linux release 7.5 Beta (Maipo)

Version: nss-3.34.0-4.el7.x86_64


$ mkdir abc

$ cd abc
$ modutil -dbdir . -create -force
$ modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null
Enter old password:



RHEL7.4.z
=========
Red Hat Enterprise Linux Server release 7.4 (Maipo)
version: nss-3.28.4-15.el7_4.x86_64

[root@server-3294 abc]# modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null
[root@server-3294 abc]#



Version-Release number of selected component (if applicable):
nss-tools-3.34.0-0.1.beta1.el7.x86_64

Actual results:
 modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null 

The above command prompts for password



Expected results:

 modutil -changepw "NSS FIPS 140-2 Certificate DB" -newpwfile <(echo) -force -dbdir . >/dev/null

The above command should not prompt for old password. 

Additional info:

Note You need to log in before you can comment on or make changes to this bug.