On 01/22/2016 06:42 AM, jonetsu wrote:
> Robert Relyea wrote:
>> The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The
>> dance to do it programmatically is to call SECMOD_DeleteInternalModule(),
>> which toggles the module between FIPS and non-FIPS modes.
> Thanks.  I will try it.
>
> When are the self-tests run, from an application perspective?  I presume
> they are when FIPS mode is put in effect using modutils. Would that be the
> only time they are run?  For instance, would they be called before
> returning from PK11_IsFIPS()?  Is there a way to force-run those self-tests
> from an application?
That answer is a little different depending on version.

In RHEL 5, 6, and 7:

They are run when softoken is loaded (whether or not NSS is in FIPS mode). If NSS returns PK11_IsFIPS = true, you can know that the post tests ran successfully at library load time. Failure of the post tests will prevent the softoken from initializing in FIPS mode, which will prevent NSS_Initialize (in all of its flavors) from initializing.

Eventually this code will be pushed upstream and will wind up in Fedora.

Currently upstream and the way it used to work in RHEL:

It was run at C_Initialize time, which happens at NSS_Initialize. If NSS isn't in FIPS mode, switching to FIPS mode will cause the code to run immediately.

On RHEL 7, NSS looks at the system flag for FIPS mode. If the system is in FIPS mode, NSS will force softoken to be in FIPS mode even if it would not have been otherwise. If the system is not in FIPS mode, NSS softoken can still be placed in FIPS mode with its traditional switch.

The main difference between FIPS mode and non-FIPS mode for softoken actually involves Level 2 issues. CPS are not allowed to leave softoken, so calls that extract keys (for instance) will fail. The token also requires authentication whenever it does an operation that accesses CPSs (like encrypt/decrypt/hmac/sign). So if the browser is in FIPS mode, it will authenticate to the database before it does a simple SSL operation, for instance, even though you may not be accessing private keys.


>> Firefox has a button to flip to FIPS mode.
> I should have mentioned that the application is in C and is by no way
> related to Firefox.
I just meant that Firefox has code you can look at to switch into FIPS mode as an example.

> Comments much appreciated, cheers.




--
View this message in context: 
http://mozilla.6506.n7.nabble.com/Using-NSS-in-FIPS-mode-tp350446p350498.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto