On 10/21/2016 01:59 PM, Rob Crittenden wrote:
Robert Relyea wrote:
On 10/21/2016 07:04 AM, Rob Crittenden wrote:
I'm trying to figure out how to dynamically enable FIPS support for
NSS Contexts.

I started with multinit.c and initialize FIPS right after calling
NSS_InitContext() using this:

So you can't change the state of an already open database. NSS will
switch all new databases that are opened, and idle the old ones
(basically they are open, but not really accessible).



    if (!PK11_IsFIPS()) {
        fprintf(stderr, "Initializing FIPS\n");
        SECMODModule *mod = SECMOD_GetInternalModule();
        if (!mod) {
            fprintf(stderr, "No module!?\n");
            exit(1);
        }
        /* copy the name: the module itself is replaced by the delete below */
        char *internal_name = PR_smprintf("%s", mod->commonName);

        if ((SECMOD_DeleteInternalModule(internal_name) != SECSuccess) ||
            !PK11_IsFIPS()) {
            fprintf(stderr, "Unable to enable FIPS mode on certificate database\n");
            exit(1);
        }
        PR_smprintf_free(internal_name);
    }

I'm executing it like this, initializing only db1 and db2 as contexts:

So when you do an initcontext, your main database is usually not the
same as the main database when you open NSS, so it won't get
automatically switched.

Is there a reason you are trying to do a dynamic switch to FIPS mode
from within a library? (I'd like to know the use case).

I'm converting mod_nss to use contexts. I previously had an option to switch on FIPS mode which turned it on in NSS, did some sanity checking on the cipher options and required a password.
Did you know if it was used much?

I'd be ok requiring an all or nothing with the FIPS databases if that simplifies things.
That's probably the best. NSS allows mixed FIPS/non-fips to a point, but really only to add the transition from one to another. Only one is usefully active at once.


So things are acting as I would expect. Your other lib will likely need
to shut down its database and reopen it.

I'm still a little unclear. So if I open all the databases, and THEN set FIPS mode, that will do the trick? I was pretty sure I tried that but who knows.
No, you need to switch to FIPS mode first. It's the databases that were opened before you got into FIPS mode that's the issue.

(NOTE: when you switch from FIPS to non-fips, you are actually switching modules. The old modules and their slots hang around only as long as there are references to them. Everything you open before you switch to FIPS mode will be on the old module which will go defunct after the switch).



bob
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
