Closed Bug 1531267 Opened 5 years ago Closed 5 years ago

FIPS mode should be enabled automatically if the system is in FIPS mode

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: ueno, Assigned: ueno)

Details

Attachments

(1 file)

nss-enable-fips-from-system.patch
3.31 KB, patch
jcj
: review+
mt
: review+
Details | Diff | Splinter Review

On Linux, even if /proc/sys/crypto/fips_enabled is 1, one needs to enable database's FIPS mode with modutil. This could be automated in the library as RHEL packages already do:
https://bugzilla.redhat.com/show_bug.cgi?id=852023

I am attaching Bob's patch from:
https://bugzilla.redhat.com/show_bug.cgi?id=852023#c39

Assignee: nobody → dueno
Attachment #9047310 - Flags: review?(jjones)
Comment on attachment 9047310 [details] [diff] [review]
nss-enable-fips-from-system.patch

Review of attachment 9047310 [details] [diff] [review]:
-----------------------------------------------------------------

This looks fine to me, but I'd like Martin to take a quick look, too.
Attachment #9047310 - Flags: review?(martin.thomson)
Attachment #9047310 - Flags: review?(jjones)
Attachment #9047310 - Flags: review+
Comment on attachment 9047310 [details] [diff] [review]
nss-enable-fips-from-system.patch

Review of attachment 9047310 [details] [diff] [review]:
-----------------------------------------------------------------

::: lib/pk11wrap/pk11util.c
@@ +101,5 @@
> +    char d;
> +    size_t size;
> +
> +    f = fopen("/proc/sys/crypto/fips_enabled", "r");
> +    if (!f)

Braces sure would be nice.

@@ +104,5 @@
> +    f = fopen("/proc/sys/crypto/fips_enabled", "r");
> +    if (!f)
> +        return 0;
> +
> +    size = fread(&d, 1, 1, f);

size = fread(&d, 1, sizeof(d), f);

@@ +106,5 @@
> +        return 0;
> +
> +    size = fread(&d, 1, 1, f);
> +    fclose(f);
> +    if (size != 1)

sizeof(d) here too

::: lib/pk11wrap/secmodi.h
@@ +119,5 @@
> +/* NSS uses this to force FIPS mode if the system bit is on. Applications which
> + * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
> + * from FIPS mode will automatically be told that they can't swith out of FIPS
> + * mode */
> +int SECMOD_GetSystemFIPSEnabled();

This should be lowercase: secmod_GetSystemFIPSEnabled().  We're not exporting this.
Attachment #9047310 - Flags: review?(martin.thomson) → review+

Thank you for the review; pushed as:
https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.43
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: