b=106587 FIPS enabled mode fails when Master PWD is not set.

r=javi/cotter sr=shaver

security/manager/pki/resources/content/device_manager.js

@@ -411,6 +411,23 @@ function showTokenInfo()
 
 function toggleFIPS()
 {
+  if (!secmoddb.isFIPSEnabled) {
+    // A restriction of FIPS mode is, the password must be set
+    // In FIPS mode the password must be non-empty.
+    // This is different from what we allow in NON-Fips mode.
+
+    var tokendb = Components.classes[nsPK11TokenDB].getService(nsIPK11TokenDB);
+    var internal_token = tokendb.getInternalKeyToken(); // nsIPK11Token
+    var slot = secmoddb.findSlotByName(internal_token.tokenName);
+    switch (slot.status) {
+      case nsIPKCS11Slot.SLOT_UNINITIALIZED:
+      case nsIPKCS11Slot.SLOT_READY:
+        // Token has either no or an empty password.
+        alert(bundle.GetStringFromName("fips_nonempty_password_required"));
+        return;
+    }
+  }
+  
   secmoddb.toggleFIPSMode();
   //Remove the existing listed modules so that re-fresh doesn't 
   //display the module that just changed.

security/manager/pki/resources/content/password.js

@@ -176,16 +176,26 @@ function setPassword()
           // This makes no sense that we arrive here, 
           // we reached a case that should have been prevented by checkPasswords.
         } else {
-          token.changePassword(oldpw, pw1.value);
           if (pw1.value == "") {
-            alert(bundle.GetStringFromName("pw_erased_ok")
-                  + " "
-                  + bundle.GetStringFromName("pw_empty_warning"));
-          } else {
-            alert(bundle.GetStringFromName("pw_change_ok")); 
+            var secmoddb = Components.classes[nsPKCS11ModuleDB].getService(nsIPKCS11ModuleDB);
+            if (secmoddb.isFIPSEnabled) {
+              // empty passwords are not allowed in FIPS mode
+              alert(bundle.GetStringFromName("pw_change2empty_in_fips_mode"));
+              passok = 0;
+            }
+          }
+          if (passok) {
+            token.changePassword(oldpw, pw1.value);
+            if (pw1.value == "") {
+              alert(bundle.GetStringFromName("pw_erased_ok")
+                    + " "
+                    + bundle.GetStringFromName("pw_empty_warning"));
+            } else {
+              alert(bundle.GetStringFromName("pw_change_ok")); 
+            }
+            success = true;
           }
         }
-        success = true;
       } else {
         oldpwbox.focus();
         oldpwbox.setAttribute("value", "");

security/manager/pki/resources/locale/en-US/pippki.properties

@@ -122,6 +122,7 @@ pw_change_ok=Master Password successfully changed.
 pw_erased_ok=Warning! You have deleted your Master Password. 
 pw_not_wanted=Warning! You have decided not to use a Master Password.
 pw_empty_warning=Your stored web and email passwords, form data, and private keys will not be protected.
+pw_change2empty_in_fips_mode=You are currently in FIPS mode. FIPS requires a non-empty Master Password.
 login_failed=Failed to Login
 loadPK11TokenDialog=Choose a PKCS#11 device to load
 devinfo_modname=Module
@@ -141,6 +142,7 @@ devinfo_stat_loggedin=Logged In
 devinfo_stat_ready=Ready
 enable_fips=Enable FIPS
 disable_fips=Disable FIPS
+fips_nonempty_password_required=FIPS mode requires that you have a Master Password set for each security device. Please set the password before trying to enable FIPS mode.
 
 certmgr.verified=Verified
 certmgr.verifiedNoOCSP=Verified (No OCSP)