528758 - FIPS mode broken in RC1 on Windows

Status: VERIFIED FIXED

(Thunderbird :: Build Config, defect)

Description

[Bobby Johnson [:rjohnson19]]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2b3pre) Gecko/20091114 Namoroka/3.6b3pre Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091112 Thunderbird/3.0

I think this is the same issue as Firefox bug 521878. FIPS mode does not work because nssdbm3.dll is digitally signed.

Reproducible: Always

Steps to Reproduce:
1. Set a Master Password in Tools -> Options -> Security -> Passwords
2. Go to Options -> Advanced -> Certificates -> Security Devices
3. Press the Enable FIPS button.
Actual Results:  
Nothing happens visibly, and this error appears in the Error Console:
Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPKCS11ModuleDB.toggleFIPSMode]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://pippki/content/device_manager.js :: toggleFIPS :: line 545"  data: no]

Expected Results:  
The Enable FIPS mode button becomes disabled to indicate you are now in FIPS mode.

Comment 1

[Wayne Mery (:wsmwk)]

I did not find a litmus test for FIPS

Comment 2

[Mark Banner (:standard8)]

gozer, this feels a bit like bug 521878 - what version of the release tools did we use for build/signing (I couldn't see it on the wiki).

Comment 3

[Ludovic Hirlimann [:Usul]]

(In reply to comment #1)
> I did not find a litmus test for FIPS

Just added https://litmus.mozilla.org/show_test.cgi?id=9705 to cover this bug. I'd need to read more docs to add more.

THe bug is WFM on Mac os X

Comment 4

[Ludovic Hirlimann [:Usul]]

(In reply to comment #3)
 
> THe bug is WFM on Mac os X

But I can't disable FIPS after enabling it.

Comment 5

[Henrik Skupin [:whimboo][⌚️UTC+1]]

(In reply to comment #3)
> > I did not find a litmus test for FIPS
> 
> Just added https://litmus.mozilla.org/show_test.cgi?id=9705 to cover this bug.
> I'd need to read more docs to add more.
> 
> THe bug is WFM on Mac os X

Marcia wanted to add some FIPS tests to Litmus when those things have been fixed.

Comment 6

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Huh, sorry. That's Thunderbird. :/ Reopening.

Comment 7

[Philippe M. Chiasson (:gozer)]

(In reply to comment #2)
> gozer, this feels a bit like bug 521878 - what version of the release tools did
> we use for build/signing (I couldn't see it on the wiki).

Most certainly must be it. Looking at the signing logs, I can see clearly that nssdbm3.dll was authenticode signed.

The version of the release tools used for signing was the same one as for beta 4. The signing automation updates a bunch of things, except for itself, that it has to be done manually. I failed to do that, so we are indeed missing http://hg.mozilla.org/build/tools/rev/115349b92de8.

This only affects Win32 binaries, and they could easily be re-signed from the unsigned files.

Comment 8

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Just to note on OS X current nightly builds will crash when you try to enable the FIPS mode. That crash is covered by bug 503418.

Comment 9

[Philippe M. Chiasson (:gozer)]

Tagged hg.mozilla.org/build/tools tip as THUNDERBIRD_3_0rc1_RELEASE for build2 signinig.

Comment 10

[Mark Banner (:standard8)]

This is in litmus, not currently planning on doing a testsuite for it.