Closed Bug 1558025 Opened 6 years ago Closed 5 years ago

Copying a profile between machines leaves behind an invalid pkcs11.txt, breaking the login manager.

Categories

(Firefox :: Sync, defect, P5)

67 Branch
defect

RESOLVED DUPLICATE of bug 1564284

People

(Reporter: kontakt, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Hi, get this error on FF 67.0.1, not using a master password.

1560076336270	Sync.LogManager	DEBUG	Flushing file log
1560076336271	FirefoxAccounts	TRACE	not checking freshness of profile as it remains recent
1560076336292	Services.Common.RESTRequest	TRACE	local time, offset: 1560076336291, -810
1560076336294	Services.Common.RESTRequest	DEBUG	GET request to https://api.accounts.firefox.com/v1/account/device/commands?index=0
1560076336295	Services.Common.RESTRequest	TRACE	HTTP Header authorization: ***** (suppressed)
1560076336295	Services.Common.RESTRequest	TRACE	HTTP Header content-type: text/plain
1560076336295	Services.Common.RESTRequest	TRACE	HTTP Header accept-language: en-US, en
1560076336302	Sync.LogManager	DEBUG	Log cleanup threshold time: 1559212336302
1560076336512	Services.Common.RESTRequest	TRACE	onStartRequest: GET https://api.accounts.firefox.com/v1/account/device/commands?index=0
1560076336513	Services.Common.RESTRequest	TRACE	Channel for GET https://api.accounts.firefox.com/v1/account/device/commands?index=0 returned status code 0
1560076336513	Services.Common.RESTRequest	DEBUG	GET https://api.accounts.firefox.com/v1/account/device/commands?index=0 200
1560076336513	Hawk	DEBUG	(Response) /account/device/commands?index=0: code: 200 - Status text: OK
1560076336513	Services.Common.RESTResponse	TRACE	Processing response headers.
1560076336514	Hawk	DEBUG	Clock offset vs https://api.accounts.firefox.com/v1: -514
1560076337133	Sync.LogManager	DEBUG	Done deleting files.
1560077126173	FirefoxAccounts	INFO	Polling device commands.
1560077126173	Sync.Service	DEBUG	User-Agent: Firefox/67.0.1 (Linux x86_64) FxSync/1.69.0.20190530094359.desktop
1560077126174	Sync.Service	INFO	Starting sync at 2019-06-09 10:45:26 in browser session htolVx4gUvJx
1560077126174	Sync.Service	DEBUG	In sync: should login.
1560077126174	Sync.Service	INFO	User logged in successfully - verifying login.
1560077126177	Sync.BrowserIDManager	DEBUG	unlockAndVerifyAuthState: user declined to unlock master-password
1560077126177	Sync.Status	DEBUG	Status.login: service.master_password_locked => service.master_password_locked
1560077126177	Sync.Status	DEBUG	Status.service: error.login.failed => error.login.failed
1560077126177	Sync.Service	DEBUG	Fetching unlocked auth state returned service.master_password_locked
1560077126178	Sync.ErrorHandler	ERROR	Sync encountered a login error
1560077126178	Sync.SyncScheduler	DEBUG	Clearing sync triggers and the global score.
1560077126179	Sync.SyncScheduler	DEBUG	Couldn't log in: master password is locked.
1560077126179	Sync.SyncScheduler	DEBUG	Starting client-initiated backoff. Next sync in 900000 ms.
1560077126179	Sync.SyncScheduler	DEBUG	Next sync in 900000 ms. (why=client-backoff-schedule)
1560077126184	Sync.Service	DEBUG	Exception calling WrappedLock: Error: Login failed: service.master_password_locked(resource://services-sync/service.js:869:15) JS Stack trace: onNotify@service.js:869:15
1560077126186	Sync.Service	DEBUG	Not syncing: login returned false.

Any ideas what might be wrong?

Regards.

Component: Untriaged → Sync

Thanks for the report! This is pretty strange, Sync seems to think you have master password enabled even though you do not.

For completeness, could you please double-check under "options -> privacy and security -> logins and passwords" that the checkbox for "Use a master password" is indeed unchecked?

I'm not very familiar with the code paths here, but I do notice that the failing function here ("unlockAndVerifyAuthState") makes a call to "ensureMPUnlocked" which will error out if it fails to encrypt a test value. But that function doesn't seem to check whether or not the presence of a master password was the cause of the failure; we have a separate function "mpLocked" for checking this but the login codepath doesn't seem to call it.

I wonder if there are other reasons why "ensureMPUnlocked" and we are mis-reporting it as a master-password error. (say, corrupted keys3.db file?)

(In reply to Ryan Kelly [:rfkelly] from comment #1)

I wonder if there are other reasons why "ensureMPUnlocked" and we are mis-reporting it as a master-password error. (say, corrupted keys3.db file?)

Yes, I suspect that's the actual problem. To test this, you could take a copy of key3.db (although it's probably key4.db on Linux IIUC) and logins.json from your profile dir, remove them from the profile dir and start the browser - they will be recreated. Note however that this will cause all of your logins to be deleted, but if key*.db is corrupt you probably have already lost them anyway. They are likely to be on the sync server though, where it will be easy to get them back if they are.

(In reply to Ryan Kelly [:rfkelly] from comment #1)

Thanks for the report! This is pretty strange, Sync seems to think you have master password enabled even though you do not.

For completeness, could you please double-check under "options -> privacy and security -> logins and passwords" that the checkbox for "Use a master password" is indeed unchecked?

I'm not very familiar with the code paths here, but I do notice that the failing function here ("unlockAndVerifyAuthState") makes a call to "ensureMPUnlocked" which will error out if it fails to encrypt a test value. But that function doesn't seem to check whether or not the presence of a master password was the cause of the failure; we have a separate function "mpLocked" for checking this but the login codepath doesn't seem to call it.

I wonder if there are other reasons why "ensureMPUnlocked" and we are mis-reporting it as a master-password error. (say, corrupted keys3.db file?)

My pleasure. :)

It is indeed unchecked. Have never used a master password.

Looking in the profile folder now, and there's "key3.db.old", "key4.db.old", "key4.db" and "logins.json.old", but no "logins.json".
(Not using the built in password manager)

I might have tried to rename them in the past, as this has been a problem for quite a while.

On initial syncing with a new profile, everything works as expected, then this issue arises.

I haven't checked the logs on the other devices, but they fail to sync as well. (Laptop/smart phones)
(Using https://github.com/mozilla-services/syncserver on Debian 9 with nginx reverse proxy)

I'll try to rename the "key4.db" and see what happens.

Thanks.

Okay, closed FF, renamed "key4.db" to "key4.db.bak", started FF again, tried to manually sync, still same error.

"key4.db" was not re-created. 🤔

Is there anything in the "browser console" which might be relevant? It sounds a little like NSS is failing to initialize

(In reply to Mark Hammond [:markh] from comment #5)

Is there anything in the "browser console" which might be relevant? It sounds a little like NSS is failing to initialize

Hmm, nothing that I can see.

Is there any way to test if NSS is working properly?

Missing libraries perhaps?

Idk. 🤔

Tried just now to sync on a Debian 9 VM, FF 60.6.1esr (64-bit), no problems at all.

1560155136306	Sync.Status	DEBUG	Status.sync: success.sync => success.sync
1560155136306	Sync.Status	DEBUG	Status.service: success.status_ok => success.status_ok
1560155136308	Sync.Synchronizer	INFO	Sync completed at 2019-06-10 08:25:36 after 304.12 secs.

My desktop is Ubuntu 18.10.

Okay, I created a fresh profile, signed in to sync (had to manually export/import bookmarks), no errors so far.

Must be something with the old profile that is causing the error.

Weird stuff.

Try deleting pkcs11.txt from your old profile folder

(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #8)

Try deleting pkcs11.txt from your old profile folder

Hi, I did just now, and the error went away!

This is a profile migrated from my old windows 10 installation.

library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:C:\\Users\\Tommy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\0GF0ZV~1.DEF' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''  manufacturerID='Mozilla.org' libraryDescription='PSM interne kryptotjenester' cryptoTokenDescription='generiske kryptotjenester' dbTokenDescription='programvare sikkerhetsmodul' cryptoSlotDescription='PSM interne kryptotjenester' dbSlotDescription='PSM privatnøkler' FIPSSlotDescription='FIPS 140 kryptografisk, nøkkel- og sertifikatstjeneste' FIPSTokenDescription='Programsikkerhetsenheten (FIPS)' minPS=0
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical

From the new profile:

library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/tommy/.mozilla/firefox/629kt4o7.Tommy' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

No wonder it wasn't working then?

Anyways, I'm settled in with the new profile now, so I guess I'll keep it. 😅

Thanks!
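
Added example, not part of the original thread and not Mozilla's code: a read-only check for the condition found in the comment above, a pkcs11.txt whose configdir still points at the profile's location on the previous machine. Handling only the sql:/dbm: prefixes and assuming a POSIX host are assumptions of this example; the sample strings are abridged from the two files quoted in the thread.

```python
import os
import re
import sys

# NSS module-spec values are single-quoted, with backslash as the escape character.
CONFIGDIR_RE = re.compile(r"configdir='((?:[^'\\]|\\.)*)'")
DB_PREFIX_RE = re.compile(r"^(?:sql|dbm):")        # database-type prefix on configdir
WINDOWS_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")   # drive-letter path such as C:\...

def extract_configdirs(text):
    """Return the unescaped configdir of every 'parameters=' line in pkcs11.txt."""
    dirs = []
    for line in text.splitlines():
        m = CONFIGDIR_RE.search(line) if line.startswith("parameters=") else None
        if m:
            raw = re.sub(r"\\(.)", r"\1", m.group(1))  # undo backslash escaping
            dirs.append(DB_PREFIX_RE.sub("", raw))
    return dirs

def check_pkcs11(text, profile_dir):
    """Return findings for a POSIX host; an empty list means configdir matches."""
    findings = []
    for cfg in extract_configdirs(text):
        if WINDOWS_PATH_RE.match(cfg):
            findings.append(f"Windows-style configdir: {cfg}")
        elif os.path.normpath(cfg) != os.path.normpath(profile_dir):
            findings.append(f"configdir {cfg} does not match profile {profile_dir}")
    return findings

# Abridged from the two pkcs11.txt files quoted in the thread.
MIGRATED = (r"parameters=configdir='sql:C:\\Users\\Tommy\\AppData\\Roaming\\Mozilla"
            r"\\Firefox\\Profiles\\0GF0ZV~1.DEF' certPrefix='' keyPrefix='' secmod='secmod.db'")
FRESH = ("parameters=configdir='sql:/home/tommy/.mozilla/firefox/629kt4o7.Tommy' "
         "certPrefix='' keyPrefix='' secmod='secmod.db'")

if __name__ == "__main__":
    # Usage: python check_pkcs11.py /path/to/profile   (script name is hypothetical)
    profile = os.path.abspath(sys.argv[1])
    path = os.path.join(profile, "pkcs11.txt")
    with open(path, encoding="utf-8", errors="replace") as fh:
        problems = check_pkcs11(fh.read(), profile)
    print("\n".join(problems) or "pkcs11.txt configdir matches the profile directory")
    sys.exit(1 if problems else 0)
```

The script only reports; the remedy that worked in this thread was deleting pkcs11.txt from the affected profile.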

The priority flag is not set for this bug.
:markh, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(markh)

I don't think copying profiles like this is supported, but I'll leave it open in case some brave soul wants to take this on.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(markh)
Priority: -- → P5
Summary: Couldn't log in: master password is locked → Copying a profile between machines leaves behind an invalid pkcs11.txt, breaking the login manager.
See Also: → 1453372
See Also: → 1564284

A patch was created in BUG 1564284.
I believe this BUG could be closed now, but as it is classified outside the NSS, I would like a confirmation.

Could somebody confirm if this was solved, please?

Flags: needinfo?(kontakt)

(In reply to Marcus Burghardt from comment #12)

A patch was created in BUG 1564284.
I believe this BUG could be closed now, but as it is classified outside the NSS, I would like a confirmation.

Could somebody confirm if this was solved, please?

I haven't confirmed it, but the symptoms are identical, so I think it's safe to dupe this over - thanks!

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(kontakt)
Resolution: --- → DUPLICATE

hi,
I've read all circumstance that confusing for this txt came at firefox when you open or open again after deleted it!
pkcs11.txt it's ,
Let determined you something this is a security devices that might as well you use lockwise to fill password with firefox to login so this master password will came if you set password at security devices at firefox options under certificate in security tab, but if you not set password there will be no master password came out when you open firefox or login to mozilla and firefox again.
This all setting about your activity at update certificate or password at any web as store to be key and also an id is an certificate id you get for yourself.
But some reason flags and cipher and params is a treetab at frame at your browser to be set true if it not set when you change firefox to beta or developer edition.
please don't change this text perhaps you can set a space between in it to get in line like .ini file
ex:

library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:C:\Users\ALWIN\AppData\Roaming\Mozilla\Firefox\Profiles\ASFM9F~1.DEV'
certPrefix=''
keyPrefix=''
secmod='secmod.db'
flags=optimizeSpace
updatedir=''
updateCertPrefix=''
updateKeyPrefix=''
updateid=''
updateTokenDescription=''
NSS=
Flags=internal,critical
trustOrder=75
cipherOrder=100
slotParams=(1={slotFlags[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]askpw=any,timeout=30})

pkcs11.txt it's made strongly anomaly for network if it has been change or deleted so wait about 5 minutes for goes another tab then back to came what you browsing about, and also if you had NSS at your certificate id you can add it your self and other things secure stuff and sniff.
So the last but not least i would say get the firefox dev edition and some ios for win 10 at your pc.

truly yours,
ALWIN
