Bug 173537 - Can not enable FIPS mode, mozilla-nss is missing file libsoftokn3.chk
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: firefox
4.0
All Linux
medium Severity medium
Assigned To: Christopher Aillon
: Desktop
Reported: 2005-11-17 19:02 EST by Kai Engert (:kaie)
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: 1.5.0.3-0.2.EL4
Doc Type: Bug Fix
Last Closed: 2006-08-10 14:46:34 EDT
Attachments
Patch v1 (5.47 KB, patch)
2006-02-22 09:58 EST, Kai Engert (:kaie)
Description Kai Engert (:kaie) 2005-11-17 19:02:37 EST
Description of problem:
Mozilla Firefox's internal crypto system can operate in two different modes: the
standard mode and a FIPS mode.


Version-Release number of selected component (if applicable):
Wan-Teh saw this problem on RHEL 4; I don't know which version of Firefox he used.
However, this bug might be present on a variety of software versions; with
Firefox 1.0.7 installed on FC3 I can reproduce the problem, too.


Steps to Reproduce:
Start Firefox
Open Edit / Preferences, open Privacy, Saved Passwords, click Set Master Password.
Set a password
With the preferences still open, go to Advanced, Certificates, click "manage
security devices", in the window that shows up click "enable FIPS".

  
Actual results:
Nothing happens when you click the "enable FIPS" button.


Expected results:
The button changes its text to "Disable FIPS", the button changes to disabled
(FYI because you'll have to restart before you can switch it back on), and on
the left you should see the text "NSS Internal FIPS PKCS #11 Module".


Additional info:
Package mozilla-nss include and install file /usr/lib/libsoftokn3.chk alongside
libsoftokn3.so.
Comment 1 Wan-Teh Chang 2005-11-17 19:29:48 EST
The fix is to make sure that for every copy of
libsoftokn3.so, there is a libsoftokn3.chk file in
the same directory.  We need to find out why the
mozilla-nss package doesn't install libsoftokn3.chk
in /usr/lib alongside libsoftokn3.so.
Comment 2 Kai Engert (:kaie) 2005-12-27 11:03:41 EST
The packaging list files do not mention libsoftokn3.chk, that's why it's not
being included.

The .src.rpm contains a patch file mozilla-nspr-packages.patch, which does list
libsoftokn3.so - we should add a .chk line to that patch.

Wan-Teh, you have requested to fix this in RHEL 4.

Do you agree we should fix it in RHEL 3, too?
(RHEL 3 uses Mozilla 1.7.10 - I assume the NSS version included there requires
the chk file, too.)
Comment 3 Wan-Teh Chang 2006-01-03 19:12:26 EST
We should fix it in RHEL 3, too, but with a lower priority.
(The NSS version in Mozilla 1.7.10 also needs the .chk file.)
Depending on the policy for RHEL 3 updates, the priority of
this bug may not be high enough to be included in a RHEL 3
update.
Comment 4 Kai Engert (:kaie) 2006-02-22 09:46:34 EST
RHEL Update Criteria

This is a bug fix. As of today, users of RHEL 3 and RHEL 4 are not able to use
Mozilla in deployments that require the FIPS security mode (like in US
government deployments).

The fix is to include one additional file, created during the build process
already, in the RPM package. This is simple and risk free.
Comment 5 Kai Engert (:kaie) 2006-02-22 09:48:51 EST
Proposing inclusion in RHEL 4 U4 and RHEL 3 U8.
Comment 6 Kai Engert (:kaie) 2006-02-22 09:52:24 EST
I tested that adding a line
 bin/libsoftokn3.chk
next to line
 bin/libsoftokn3.so
in file
 mozilla/xpinstall/packager/packages-unix
by extending patch
 mozilla-nspr-packages.patch
fixes the problem and the resulting RPM contains the missing file.
Comment 7 Kai Engert (:kaie) 2006-02-22 09:58:15 EST
Created attachment 125034
Patch v1

Chris, this patch could be applied to cvs.devel/dist/mozilla
It fixes FC-4, devel, RHEL-4 and RHEL-3,
it adds the chk file entry to the existing patch file.
Comment 11 Kai Engert (:kaie) 2006-08-10 14:46:34 EDT
Looking at the firefox rpm file from the RHEL 4 Update 4 release, I believe this
bug should be fixed now.

$ rpm -qlp firefox-1.5.0.3-0.2.EL4.i386.rpm | grep libsoft
/usr/lib/firefox-1.5.0.3/libsoftokn3.chk
/usr/lib/firefox-1.5.0.3/libsoftokn3.so

Maybe somebody with access to a RHEL 4 machine could verify this is fixed?
Comment 12 Kai Engert (:kaie) 2006-08-10 14:49:27 EDT
Looking at the seamonkey rpm file from the RHEL 3 Update 8 release, I believe
this bug should be fixed there as well.

$ rpm -qlp seamonkey-nss-1.0.1-0.1.9.EL3.i386.rpm |grep libsoft
/usr/lib/libsoftokn3.chk
/usr/lib/libsoftokn3.so
