SECMOD_CanDeleteInternalModule() should return false when build doesn't support FIPS

RESOLVED FIXED in 3.35

Status

NSS
Libraries

People

(Reporter: ttaubert, Assigned: ttaubert)

Tracking

(Blocks: 2 bugs)

trunk
3.35

(Assignee)

Description

2 months ago
PSM uses SECMOD_CanDeleteInternalModule() to check whether FIPS can be toggled or not. If the NSS build doesn't support FIPS (as is the case with the one that we ship), this should always return false.

There is no point in trying to remove the internal module only to fail and then switch back. We only support removing the internal module to switch between FIPS and non-FIPS mode.
(Assignee)

Updated

2 months ago
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Comment on attachment 8930861 [details]
Bug 1419721 - SECMOD_CanDeleteInternalModule() should return false when build doesn't support FIPS r?franziskus

Franziskus Kiefer [:fkiefer or :franziskus] has approved the revision.

https://phabricator.services.mozilla.com/D271#6624
Attachment #8930861 - Flags: review+
(Assignee)

Comment 2

2 months ago
https://hg.mozilla.org/projects/nss/rev/0171941266e8
Status: ASSIGNED → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.35

Comment 3

2 months ago
This is going to prevent NSS from landing in Firefox because of this:

https://dxr.mozilla.org/mozilla-central/rev/960f50c2e0a991ab2ab313132e69fb2c96cb7866/security/manager/ssl/tests/unit/test_pkcs11_module.js#126

Do we have to disable that test?
Flags: needinfo?(ttaubert)
(Assignee)

Comment 4

2 months ago
Yeah, we hit that in bug 1420060 already. Franziskus has a simple fix though:

https://hg.mozilla.org/try/rev/d9c8a082eac8387df85f9553d8b7b9822ea256d9
Blocks: 1420060
Flags: needinfo?(ttaubert)
Duplicate of this bug: 1418878