Initializing FIPS mode

jonetsu
Hello !

Please let me know if this is not the right place to ask the following.

I am used to OpenSSL and GnuTLS, both of which have an explicit method for enabling FIPS and at the same time running the FIPS self-tests.  This method is called very near the start of the code, for instance.

I would like to use NSS with FIPS support.  I am browsing the code (3.17.4) and although there are a few methods for doing various checks, such as sftk_fipsPowerUpSelfTest() and various power on self tests, the file fipstest.c seems to happily delve into testing without doing any FIPS initialization at all.  Now, NSS was appropriately set externally from any code in FIPS mode by doing:

modutil -force -fips true -dbdir <directory>

And then checking it out with:

modutil -chkfips false -dbdir <directory>

Is that all that's needed, assuming that any application using NSS will now work with a FIPS-enabled NSS ?

Then what would be the way for an application to first verify that indeed NSS is in FIPS mode ?  What would be the preferred method for doing so ?  Are the methods inside fipstokn.c such as sftk_fipsCheck() available for applications ?  Finally, any simple example code out there that checks FIPS mode and perhaps does a simple operation ?

Thanks, any comments much appreciated.




_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Initializing FIPS mode

Daniel Veditz-2
On Wed, Jan 20, 2016 at 3:06 PM, jonetsu <[hidden email]> wrote:

> Hello !
>
> Please let me know if this is not the right place to ask the following.
>

For technical NSS issues please ask the folks in mozilla.dev.tech.crypto
https://www.mozilla.org/en-US/about/forums/#dev-tech-crypto

-Dan Veditz