Attachment 662578 Details for Bug 852023 – Enable FIPS mode if the system FIPS mode flag is set.

[patch] Enable FIPS mode if the system FIPS mode flag is set.

patch (text/plain), 3.36 KB, created by Bob Relyea on 2012-12-12 19:25:43 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Bob Relyea

Created: 2012-12-12 19:25:43 UTC

Size: 3.36 KB

patch

obsolete

>Index: security/nss/lib/pk11wrap/pk11pars.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pars.c,v
>retrieving revision 1.29
>diff -u -p -r1.29 pk11pars.c
>--- security/nss/lib/pk11wrap/pk11pars.c	26 Jun 2012 22:27:30 -0000	1.29
>+++ security/nss/lib/pk11wrap/pk11pars.c	12 Dec 2012 19:16:51 -0000
>@@ -150,6 +150,10 @@ SECMOD_CreateModule(const char *library,
>     }
>     mod->internal   = NSSUTIL_ArgHasFlag("flags","internal",nssc);
>     mod->isFIPS     = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
>+    /* if the system FIPS mode is enabled, force FIPS to be on */
>+    if (SECMOD_GetSystemFIPSEnabled()) {
>+	mod->isFIPS = PR_TRUE;
>+    }
>     mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
>     slotParams      = NSSUTIL_ArgGetParamValue("slotParams",nssc);
>     mod->slotInfo   = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
>Index: security/nss/lib/pk11wrap/pk11util.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11util.c,v
>retrieving revision 1.65
>diff -u -p -r1.65 pk11util.c
>--- security/nss/lib/pk11wrap/pk11util.c	28 Nov 2012 01:47:17 -0000	1.65
>+++ security/nss/lib/pk11wrap/pk11util.c	12 Dec 2012 19:16:51 -0000
>@@ -95,6 +95,25 @@ SECMOD_Shutdown() 
>     return SECSuccess;
> }
> 
>+int SECMOD_GetSystemFIPSEnabled(void) {
>+#ifdef LINUX
>+    FILE *f;
>+    char d;
>+    size_t size;
>+
>+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
>+    if (!f)
>+        return 0;
>+
>+    size = fread(&d, 1, 1, f);
>+    fclose(f);
>+    if (size != 1)
>+        return 0;
>+    if (d == '1')
>+        return 1;
>+#endif
>+    return 0;
>+}
> 
> /*
>  * retrieve the internal module
>@@ -407,6 +426,8 @@ SECMOD_DeleteModule(const char *name, in
>     return SECMOD_DeleteModuleEx(name, NULL, type, PR_TRUE);
> }
> 
>+
>+
> /*
>  * find a module by name and delete it off the module list
>  */
>@@ -417,7 +438,7 @@ SECMOD_DeleteInternalModule(const char *
>     SECMODModuleList **mlpp;
>     SECStatus rv = SECFailure;
> 
>-    if (pendingModule) {
>+    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
> 	PORT_SetError(SEC_ERROR_MODULE_STUCK);
> 	return rv;
>     }
>@@ -888,7 +909,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
> PRBool
> SECMOD_CanDeleteInternalModule(void)
> {
>-    return (PRBool) (pendingModule == NULL);
>+    return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); 
> }
> 
> /*
>Index: security/nss/lib/pk11wrap/secmodi.h
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/secmodi.h,v
>retrieving revision 1.36
>diff -u -p -r1.36 secmodi.h
>--- security/nss/lib/pk11wrap/secmodi.h	26 Jun 2012 22:27:30 -0000	1.36
>+++ security/nss/lib/pk11wrap/secmodi.h	12 Dec 2012 19:16:51 -0000
>@@ -116,7 +116,12 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
> CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
>                    SECItem **param, SECItem *pwd, PRBool faulty3DES);
> 
>-
>+/* Get the state of the system FIPS mode */
>+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
>+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
>+ * from FIPS mode will automatically be told that they can't swith out of FIPS
>+ * mode */
>+int SECMOD_GetSystemFIPSEnabled();
> 
> extern void pk11sdr_Init(void);
> extern void pk11sdr_Shutdown(void);

Actions: View | Diff

Attachments on bug 852023: 607184 | 662399 | 662578 | 771970 | 781788 | 811443 | 852443