Using NSS in FIPS mode


Using NSS in FIPS mode

jonetsu
Hello,

Please let me know if this is not the right place to ask about the
following...

I am new to NSS and would like to use it in FIPS mode.  I do know
about OpenSSL and GnuTLS, both of them having explicit calls to
enable FIPS mode.  With NSS, so far I have seen that the modutil
non-programmatical utility is used to set FIPS mode, as in:

% modutil -force -fips true -dbdir <directory>

How does an application assure that NSS is in FIPS mode ?  Are calls
such as sftk_fipsCheck() and sftk_fipsPowerUpSelfTest() in the
softtoken module (fipstokn.c) available to applications ?

What is the behaviour of NSS if an application tries to use a
non-approved algorithm ?

Finally, is there any example code out there that uses NSS in FIPS
mode ?

Any comments, suggestions appreciated, thanks.


Re: Using NSS in FIPS mode

Robert Relyea
On 01/21/2016 07:33 AM, jonetsu wrote:
> Hello,
>
> Please let me know if this is not the right place to ask about the
> following...
This is the right place.
>
> I am new to NSS and would like to use it in FIPS mode.  I do know
> about OpenSSL and GnuTLS, both of them having explicit calls to
> enable FIPS mode.  With NSS, so far I have seen that the modutil
> non-programmatical utility is used to set FIPS mode, as in:
>
> % modutil -force -fips true -dbdir <directory>
>
> How does an application assure that NSS is in FIPS mode ?
FIPS is a mode in softoken. Usually when softoken is in FIPS mode, NSS
itself is said to be in FIPS mode.

The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The
dance to programmatically is to call
SECMOD_DeleteInternalModule(), which toggles the module between FIPS and
non-FIPS modes.
>   Are calls
> such as sftk_fipsCheck() and sftk_fipsPowerUpSelfTest() in the
> softtoken module (fipstokn.c) available to applications ?
No.
>
> What is the behaviour of NSS if an application tries to use a
> non-approved algorithm ?
Currently NSS does not restrict you from using non-approved algorithms.
Officially going to FIPS mode requires the application to turn off any
uses of non-FIPS algorithms itself. In the SSL code the
SSLCipherSuiteInfo includes an isFIPS bit applications can use to
manually turn off non-FIPS algorithms.
>
> Finally, is there any example code out there that uses NSS in FIPS
> mode ?
Firefox has a button to flip to FIPS mode. For the most part the only
issue applications may have in FIPS mode is if the application tries to
access key material directly (or if the application doesn't handle
authentication well). An example of going into FIPS mode can also be
found in the nss source tree under the cmd/modutil directory.

bob

>
> Any comments, suggestions appreciated, thanks.


--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Using NSS in FIPS mode

Paul Wouters
On Thu, 21 Jan 2016, Robert Relyea wrote:

> The call PK11_IsFIPS() returns true if softoken is in FIPS mode.

Oh, I did not know about this one. I guess once we (the application)
detect the system is in FIPS mode, we could verify that NSS is as well.

>>  Finally, is there any example code out there that uses NSS in FIPS
>>  mode ?

libreswan uses NSS and supports a FIPS mode.

Paul

Re: Using NSS in FIPS mode

jonetsu
In reply to this post by Robert Relyea
Robert Relyea wrote:

> The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The
> dance to programmatically is to call SECMOD_DeleteInternalModule(),
> which toggles the module between FIPS and non-FIPS modes.

Thanks.  I will try it.

When are the self-tests run, from an application perspective ?  I presume they are when FIPS mode is put in effect using modutils. Would that be the only time they are run ?  For instance, would they be called before returning from PK11_IsFIPS() ?  Is there a way to force-run those self-tests from an application ?

> Firefox has a button to flip to FIPS mode.

I should have mentioned that the application is in C and is by no way related to Firefox.

Comments much appreciated, cheers.

Re: Using NSS in FIPS mode

jonetsu
In reply to this post by Paul Wouters
Paul Wouters wrote:

> Oh, I did not know about this one. I guess once we (the application)
> detect the system is in FIPS mode, we could verify that NSS is as
> well.

>>  Finally, is there any example code out there that uses NSS in FIPS
>>  mode ?

> libreswan uses NSS and supports a FIPS mode.

I know.  I wouldn't call libreswan 'example code', though :)

I have browsed the code although did not find what I was looking for,
which is exactly what you mentioned above.  In our systems we have to
verify that 'everything' is in FIPS mode at boot, before applications
are kicking off.

Cheers.

Re: Using NSS in FIPS mode

Paul Wouters
On Fri, 22 Jan 2016, jonetsu wrote:

>> libreswan uses NSS and supports a FIPS mode.
>
> I know.  I wouldn't call libreswan 'example code', though :)
>
> I have browsed the code although did not find what I was looking for,
> which is exactly what you mentioned above.  In our systems we have to
> verify that 'everything' is in FIPS mode at boot, before applications
> are kicking off.

How is a library in FIPS mode when it hasn't yet initialised because the
application has not kicked off yet? Do you actually initialise them using
a test program?

So at most you can check the preconditions for full FIPS mode, which for
RHEL are:

- Are we a FIPS product (does /etc/system-fips exist?)
- Is the kernel in FIPS mode (does /proc/sys/crypto/fips_enabled contain
   the value 1)

I personally wished NSS would lock out non-FIPS algorithms, so the
applications don't need any of that logic. Now I have to read the
FIPS documents too :P

Paul
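
The two precondition checks listed in the message above, as an added C example (not code from the thread, NSS or libreswan). The two paths come from the message; the function and constant names are made up here, and treating a missing or malformed flag file as a failure is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result bits (hypothetical names); 0 means both preconditions hold. */
enum {
    FIPS_PRE_OK          = 0,
    FIPS_PRE_NO_PRODUCT  = 1 << 0, /* marker file (/etc/system-fips) is missing */
    FIPS_PRE_KERNEL_OFF  = 1 << 1, /* flag file is readable and contains 0 */
    FIPS_PRE_KERNEL_UNKN = 1 << 2  /* flag file missing, empty or malformed */
};

/* Parse the kernel flag file: exactly "0" or "1", trailing whitespace allowed.
 * Returns 1, 0, or -1 when the state cannot be determined. */
static int read_fips_flag(const char *path)
{
    char buf[16];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    while (n > 0 && isspace((unsigned char)buf[n - 1]))
        buf[--n] = '\0';
    if (strcmp(buf, "1") == 0)
        return 1;
    if (strcmp(buf, "0") == 0)
        return 0;
    return -1; /* assumption of this example: anything else fails closed */
}

/* Check both preconditions. Paths are parameters so the check can be
 * exercised against constructed files instead of the live system. */
int fips_preconditions(const char *marker_path, const char *flag_path)
{
    int result = FIPS_PRE_OK;
    if (access(marker_path, F_OK) != 0)
        result |= FIPS_PRE_NO_PRODUCT;
    int flag = read_fips_flag(flag_path);
    if (flag < 0)
        result |= FIPS_PRE_KERNEL_UNKN;
    else if (flag == 0)
        result |= FIPS_PRE_KERNEL_OFF;
    return result;
}

int main(void)
{
    int r = fips_preconditions("/etc/system-fips", "/proc/sys/crypto/fips_enabled");
    printf("FIPS preconditions: %s (0x%x)\n", r == FIPS_PRE_OK ? "met" : "NOT met", r);
    return r == FIPS_PRE_OK ? 0 : 1;
}
```

A non-zero exit status lets a boot-time script stop before any application starts; it says nothing about whether NSS itself reports PK11_IsFIPS() once initialised.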

Re: Using NSS in FIPS mode

jonetsu
Paul Wouters wrote:

> How is a library in FIPS mode when it hasn't yet initialised because
> the application has not kicked off yet? Do you actually initialise
> them using a test program?

Yes.  This is the case for OpenSSL and GnuTLS.  For NSS, as we have seen, the FIPS initialisation is done externally, by using modutils. And as we have recently seen, libreswan assumes NSS is in FIPS mode :)

> - Are we a FIPS product (does /etc/system-fips exist?)

> - Is the kernel in FIPS mode (does /proc/sys/crypto/fips_enabled
>   contain the value 1)

These are also part of the verification, as well as integrity of the binaries on the system, for instance.

> I personally wished NSS would lock out non-FIPS algorithms, so the
> applications don't need any of that logic. Now I have to read the
> FIPS documents too :P

It seems so far that FIPS mode for NSS consists of enabling the self-tests.  No restrictions on algorithms, etc, are applied.

Hmmm... Do you mean that the current libreswan does not fully support FIPS ? :)


Re: Using NSS in FIPS mode

Paul Wouters
On Fri, 22 Jan 2016, jonetsu wrote:

> Paul Wouters wrote:
>
>> How is a library in FIPS mode when it hasn't yet initialised because
>> the application has not kicked off yet? Do you actually initialise
>> them using a test program?
>
> Yes.  This is the case for OpenSSL and GnuTLS.  For NSS, as we have seen,
> the FIPS initialisation is done externally, by using modutils. And as we
> have recently seen, libreswan assumes NSS is in FIPS mode :)

Yes. Of course, if the system is running in FIPS mode, meaning libreswan
is running in FIPS mode, means unless there is a bug in NSS, it is also
in FIPS mode. So while I just added a check, it should be completely
redundant.

>> - Are we a FIPS product (does /etc/system-fips exist?)
>
>> - Is the kernel in FIPS mode (does /proc/sys/crypto/fips_enabled
>>   contain the value 1)
>
> These are also part of the verification, as well as integrity of the
> binaries on the system, for instance.

Those are done within the libraries and applications. Libreswan has its
own file list check, but does not check the NSS files. That's the job
of NSS itself on its initialisation phase.

>> I personally wished NSS would lock out non-FIPS algorithms, so the
>> applications don't need any of that logic. Now I have to read the
>> FIPS documents too :P
>
> It seems so far that FIPS mode for NSS consists of enabling the self-tests.
> No restrictions on algorithms, etc, are applied.

It also refuses some export operations, which actually affected
libreswan's RFC test vector self-test on bootup :)

> Hmmm... Do you mean that the current libreswan does not fully support FIPS ?
> :)

It has passed FIPS certification in a very recent past, and is in the
process of another couple of certifications right now. I think we're
good :)

Paul

Re: Using NSS in FIPS mode

jonetsu
Paul Wouters wrote:

> So while I just added a check, it should be completely redundant.

Depends.  I'd be wary of a system that proclaims itself FIPS enabled without 'seeing it with my own eyes'.  So I am not convinced this is redundant.

> Those are done within the libraries and applications. Libreswan has
> its own file list check, but does not check the NSS files. That's
> the job of NSS itself on its initialisation phase.

Yes, although the system perspective is a bit different.  While we all benefit from crypto libraries and applications that support FIPS mode, none of them are integrated into any specific system.

For instance if the system at boot finds a FIPS-related error then it should stop everything.  For instance binary integrity failure. Report using one of the FIPS logical interfaces and reboot. No library or application will do that.  At runtime, at the service and protocol level, an error would be surfaced, and there also a link to assure a predictable system behaviour in that case has to be established. Which would be basically the same.  Stop everything, report, reboot. In simple one-binary-firmware embedded systems it can be simple.  In a unit using OpenSource components, a detailed approach has to be developed.

It is still a Wish that OpenSource applications and libraries in general should log errors in a standardized way, thus providing not only error-free runtime parsing of log messages, but assurance that critical errors do get logged.  OpenSSL for instance will abort if an app tries to use a non-FIPS algorithm while running in FIPS mode.

> It has passed FIPS certification in a very recent past, and is in
> the process of another couple of certifications right now. I think
> we're good :)

Excellent ! :)


Re: Using NSS in FIPS mode

Robert Relyea
In reply to this post by jonetsu
On 01/22/2016 06:42 AM, jonetsu wrote:

> Robert Relyea wrote:
>
>> The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The
>> dance to programmatically is to call SECMOD_DeleteInternalModule(),
>> which toggles the module between FIPS and non-FIPS modes.
> Thanks.  I will try it.
>
> When are the self-tests run, from an application perspective ?  I presume
> they are when FIPS mode is put in effect using modutils. Would that be the
> only time they are run ?  For instance, would they be called before
> returning from PK11_IsFIPS() ?  Is there a way to force-run those self-tests
> from an application ?
That answer is a little different depending on version.

In RHEL 5, 6, and 7:

They are run when softoken is loaded (whether or not NSS is in FIPS
mode). If NSS returns PK11_IsFIPS = true, you can know that the post
tests ran successfully at library load time. Failure of the post tests
will prevent the softoken from initializing in FIPS mode, which will
prevent NSS_Initialize (in all of its flavors) from initializing.

Eventually this code will be pushed upstream and will wind up in Fedora.

Currently upstream and the way it used to work in RHEL:

It was run at C_Initialize time, which happens at NSS_Initialize. If NSS
isn't in FIPS mode, switching to FIPS mode will cause the code to run
immediately.

On RHEL 7, NSS looks at the system flag for FIPS mode. If the system is
in FIPS mode, NSS will force softoken to be in FIPS mode even if it
would not have been otherwise. If the system is not in FIPS mode, NSS
softoken can still be placed in FIPS mode with its traditional switch.

The main difference between FIPS mode and non-FIPS mode for softoken
actually involves Level 2 issues. CSPs are not allowed to leave softoken,
so calls that extract keys (for instance) will fail. The token also
requires authentication whenever you do an operation that accesses CSPs
(like encrypt/decrypt/hmac/sign). So if the browser is in FIPS mode, it
will authenticate to the database before it does a simple SSL operation,
for instance, even though you may not be accessing private keys.

>
>> Firefox has a button to flip to FIPS mode.
> I should have mentioned that the application is in C and is by no way
> related to Firefox.
I just meant that Firefox has code you can look at to switch into FIPS
mode as an example.
>
> Comments much appreciated, cheers.




Re: Using NSS in FIPS mode

Paul Wouters-2
In reply to this post by jonetsu
On Fri, 22 Jan 2016, jonetsu wrote:

> For instance if the system at boot finds a FIPS-related error then it should
> stop everything.  For instance binary integrity failure. Report using one of
> the FIPS logical interfaces and reboot. No library or application will do
> that.

Why would that be the right choice? In the case of libreswan, the ideal
case is actually that it starts up, notices the problem, and ensures
there remains a packet block in place for all known VPN endpoints to
prevent packet leaks. Aborting (like we currently do) actually could
cause packet leaks. I'm sure every application could have their own
things that it prefers to do. Rebooting the machine might actually also
be making things worse.

> It is still a Wish that OpenSource applications and libraries in general
> should log errors in a standardized way, thus providing not only error-free
> runtime parsing of log messages, but assurance that critical errors do get
> logged.  OpenSSL for instance will abort if an app tries to use a non-FIPS
> algorithm while running in FIPS mode.

The audit kernel subsystem (that libreswan also supports) is such an
attempt.

Paul

Re: Using NSS in FIPS mode

jonetsu
Paul Wouters wrote:

> Why would that be the right choice?

Because this is the FIPS/CC way.  Moreover, our FIPS/CC consultant have made it clear.

This being said, a difference must be established between a unit, a hardware unit, and software components running inside.  It might very well be that my use of "system" was not totally clear. By "system" I meant a hardware unit as a whole.  A complete system made of various SW components.  In the case of using OpenSource components, there are two very distinct domains of knowledge.  One domain is the hardware unit.  The other is the realm of the OpenSource components.  They do not know each other. It is not possible to ask OpenSource components to add behaviour for specific products.  This is a dedicated hardware product.  It could very well not compare to a general purpose system such as RHEL FIPS.

So the perspective is different.  The behaviour I have described is one of a product, a "system".  The behaviour in case of error at boot will be documented in a FIPS user guide.  The behaviour in case of any FIPS-related error will be documented.

> In the case of libreswan, the ideal case is actually that it
> starts up, notices the problem, and ensures there remains a
> packet block in place for all known VPN endpoints to prevent
> packet leaks. Aborting (like we currently do) actually could
> cause packet leaks. I'm sure every application could have their
> own things that it prefers to do. Rebooting the machine might
> actually also be making things worse.

In the end, it could be a FIPS standard specifying what software should do, and as such, be validated in labs regarding this.
Half joking.  For the time being the current method is the one I shortly described.  In any event there will have to be an
intervention from a responsible person.  From the system perspective any failure leads to the same behaviour.  A unit
cannot run 85% FIPS.  If there is a failure detected by libreswan regarding the crypto aspects, the system will know and the
procedure will be followed.

>> It is still a Wish that OpenSource applications and libraries
>> in general should log errors in a standardized way,

> The audit kernel subsystem (that libreswan also supports) is such an
> attempt.

Interesting.