Closed Bug 1419721 Opened 2 years ago Closed 2 years ago

SECMOD_CanDeleteInternalModule() should return false when build doesn't support FIPS

Categories

(NSS :: Libraries, enhancement)

enhancement
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ttaubert, Assigned: ttaubert)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

PSM uses SECMOD_CanDeleteInternalModule() to check whether FIPS can be toggled or not. If the NSS build doesn't support FIPS (as is the case with the one that we ship) this should always return false.

There is no point in trying to remove the internal module only to fail and then switch back. We only support removing the internal module to switch between FIPS and non-FIPS mode.
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Comment on attachment 8930861 [details]
Bug 1419721 - SECMOD_CanDeleteInternalModule() should return false when build doesn't support FIPS r?franziskus

Franziskus Kiefer [:fkiefer or :franziskus] has approved the revision.

https://phabricator.services.mozilla.com/D271#6624
Attachment #8930861 - Flags: review+
https://hg.mozilla.org/projects/nss/rev/0171941266e8
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.35
This is going to prevent NSS from landing in Firefox because of this:

https://dxr.mozilla.org/mozilla-central/rev/960f50c2e0a991ab2ab313132e69fb2c96cb7866/security/manager/ssl/tests/unit/test_pkcs11_module.js#126

Do we have to disable that test?
Flags: needinfo?(ttaubert)
Yeah, we hit that in bug 1420060 already. Franziskus has a simple fix though:

https://hg.mozilla.org/try/rev/d9c8a082eac8387df85f9553d8b7b9822ea256d9
Blocks: 1420060
Flags: needinfo?(ttaubert)
You need to log in before you can comment on or make changes to this bug.