Closed Bug 1531267 Opened 7 years ago Closed 7 years ago

FIPS mode should be enabled automatically if the system is in FIPS mode

Product/Component: NSS :: Libraries
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: ueno
Assigned: ueno
Attachments: 1 file

On Linux, even if /proc/sys/crypto/fips_enabled is 1, one needs to enable the database's FIPS mode with modutil. This could be automated in the library, as the RHEL packages already do:
https://bugzilla.redhat.com/show_bug.cgi?id=852023
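
The check described above, as an added example that is not NSS code and not the attached patch: a C reader for the kernel flag that returns a tri-state, so a caller can tell "off" from "unreadable" and decide whether to fail closed. `read_fips_flag`, `must_use_fips`, `enum fips_state` and the fail-closed policy are hypothetical names and assumptions of this example.

```c
#include <stdio.h>

/* Tri-state result: lets callers tell "flag is off" from "flag unreadable". */
enum fips_state { FIPS_UNKNOWN = -1, FIPS_OFF = 0, FIPS_ON = 1 };

/* Kernel flag named in this bug report. */
#define SYSTEM_FIPS_PATH "/proc/sys/crypto/fips_enabled"

/* Hypothetical helper, not an NSS function. The path is a parameter so the
 * logic can be exercised against ordinary test files. */
enum fips_state read_fips_flag(const char *path)
{
    FILE *f;
    char d;
    size_t size;

    f = fopen(path, "r");
    if (f == NULL) {
        /* No procfs (non-Linux, chroot, sandbox): report "unknown" rather
         * than silently assuming the system is not in FIPS mode. */
        return FIPS_UNKNOWN;
    }
    size = fread(&d, 1, sizeof(d), f);
    fclose(f);
    if (size != sizeof(d)) {
        return FIPS_UNKNOWN; /* empty or unreadable file */
    }
    if (d == '1') {
        return FIPS_ON;
    }
    return d == '0' ? FIPS_OFF : FIPS_UNKNOWN; /* anything else: unknown */
}

/* Example policy (an assumption of this example): a caller that must fail
 * closed treats "unknown" as "FIPS required". */
int must_use_fips(const char *path, int fail_closed)
{
    enum fips_state s = read_fips_flag(path);
    if (s == FIPS_UNKNOWN) {
        return fail_closed ? 1 : 0;
    }
    return s == FIPS_ON;
}

int main(void)
{
    enum fips_state s = read_fips_flag(SYSTEM_FIPS_PATH);
    printf("system FIPS flag: %s\n",
           s == FIPS_ON ? "on" : s == FIPS_OFF ? "off" : "unknown");
    return 0;
}
```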

Assignee: nobody → dueno
Attachment #9047310 - Flags: review?(jjones)
Comment on attachment 9047310: nss-enable-fips-from-system.patch

This looks fine to me, but I'd like Martin to take a quick look, too.
Attachment #9047310 - Flags: review?(martin.thomson)
Attachment #9047310 - Flags: review?(jjones)
Attachment #9047310 - Flags: review+
Comment on attachment 9047310 [details] [diff] [review] nss-enable-fips-from-system.patch Review of attachment 9047310 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/pk11wrap/pk11util.c @@ +101,5 @@ > + char d; > + size_t size; > + > + f = fopen("/proc/sys/crypto/fips_enabled", "r"); > + if (!f) Braces sure would be nice. @@ +104,5 @@ > + f = fopen("/proc/sys/crypto/fips_enabled", "r"); > + if (!f) > + return 0; > + > + size = fread(&d, 1, 1, f); size = fread(&d, 1, sizeof(d), f); @@ +106,5 @@ > + return 0; > + > + size = fread(&d, 1, 1, f); > + fclose(f); > + if (size != 1) sizeof(d) here too ::: lib/pk11wrap/secmodi.h @@ +119,5 @@ > +/* NSS uses this to force FIPS mode if the system bit is on. Applications which > + * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or > + * from FIPS mode will automatically be told that they can't swith out of FIPS > + * mode */ > +int SECMOD_GetSystemFIPSEnabled(); This should be lowercase: secmod_GetSystemFIPSEnabled(). We're not exporting this.
Attachment #9047310 - Flags: review?(martin.thomson) → review+
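
Review bot: in lib/pk11wrap/pk11util.c, `if (!f) return 0;` makes an unreadable /proc/sys/crypto/fips_enabled indistinguishable from a system that is not in FIPS mode. That is a reasonable default where the file does not exist, but a comment stating that open failure is deliberately treated as "not FIPS" would help, since a process running in a chroot or sandbox without /proc would skip the automatic switch without any indication.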
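
Review bot: in lib/pk11wrap/secmodi.h, `int SECMOD_GetSystemFIPSEnabled();` declares the function with an empty parameter list, which in C is not a prototype and leaves call arguments unchecked; declare it with `(void)`. The comment above the declaration also has two typos to fix while renaming: "Interal" in the function name it mentions should be "Internal", and "swith" should be "switch".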

Thank you for the review; pushed as:
https://hg.mozilla.org/projects/nss/rev/536fd7c9db5a

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.43