Skip to content

Make code work using NSS in FIPS-mode #774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Make code work using NSS in FIPS-mode #774

wants to merge 6 commits into from

Conversation

@msirringhaus
Copy link

@msirringhaus msirringhaus commented Nov 12, 2025

This is part of an effort to make webRTC calls work under FIPS in Firefox. (See here and more specifically here)

How to test:

meson setup -Dcrypto-library=nss build
export NSS_FIPS=1
meson test -C build

Half the tests fail without this patch and all work with it (tests also work with unset NSS_FIPS).

PK11_ImportSymKey() is not allowed to be used under FIPS, but there can be a workaroud to still be able to import raw key material, by encrypting it first and then unwrapping it (which is in the end a NO-OP, but satisfies the API under FIPS).

nils-ohlmeier
nils-ohlmeier reviewed Nov 12, 2025
View reviewed changes
Copy link
Contributor

@nils-ohlmeier nils-ohlmeier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Look good to me, but I think we need a review with crypto expertise like @bifurcation here.

pabuhler
pabuhler reviewed Nov 13, 2025
View reviewed changes
@pabuhler
Copy link
Member

pabuhler commented Nov 26, 2025

@msirringhaus you can ignore the fuzzing test for now, but please fix the other failures so we can get a review and move forward. Thanks

@msirringhaus
Copy link
Author

msirringhaus commented Nov 26, 2025

Sorry, I pushed to early and had to fix the formatting again.

@pabuhler
Copy link
Member

pabuhler commented Nov 26, 2025

Sorry, I pushed to early and had to fix the formatting again.

and I approved to quickly :)

@bifurcation bifurcation mentioned this pull request Dec 2, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pabuhler pabuhler pabuhler approved these changes

@bifurcation bifurcation Awaiting requested review from bifurcation

+1 more reviewer

@nils-ohlmeier nils-ohlmeier nils-ohlmeier left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@msirringhaus @pabuhler @nils-ohlmeier