|
 |
1dc743 |
diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
|
|
|
1dc743 |
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
|
|
|
1dc743 |
+++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100
|
|
|
1dc743 |
@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar
|
|
|
1dc743 |
|
|
|
1dc743 |
mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
|
|
|
1dc743 |
mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
|
|
|
1dc743 |
+ /* if the system FIPS mode is enabled, force FIPS to be on */
|
|
|
1dc743 |
+ if (SECMOD_GetSystemFIPSEnabled()) {
|
|
|
1dc743 |
+ mod->isFIPS = PR_TRUE;
|
|
|
1dc743 |
+ }
|
|
|
1dc743 |
mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
|
|
|
1dc743 |
slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
|
|
|
1dc743 |
mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
|
|
|
1dc743 |
diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
|
|
|
1dc743 |
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
|
|
|
1dc743 |
+++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100
|
|
|
1dc743 |
@@ -95,6 +95,26 @@ SECMOD_Shutdown()
|
|
|
1dc743 |
return SECSuccess;
|
|
|
1dc743 |
}
|
|
|
1dc743 |
|
|
|
1dc743 |
+int SECMOD_GetSystemFIPSEnabled(void) {
|
|
|
1dc743 |
+#ifdef LINUX
|
|
|
1dc743 |
+ FILE *f;
|
|
|
1dc743 |
+ char d;
|
|
|
1dc743 |
+ size_t size;
|
|
|
1dc743 |
+
|
|
|
1dc743 |
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
|
|
1dc743 |
+ if (!f)
|
|
|
1dc743 |
+ return 0;
|
|
|
1dc743 |
+
|
|
|
1dc743 |
+ size = fread(&d, 1, 1, f);
|
|
|
1dc743 |
+ fclose(f);
|
|
|
1dc743 |
+ if (size != 1)
|
|
|
1dc743 |
+ return 0;
|
|
|
1dc743 |
+ if (d == '1')
|
|
|
1dc743 |
+ return 1;
|
|
|
1dc743 |
+#endif
|
|
|
1dc743 |
+ return 0;
|
|
|
1dc743 |
+}
|
|
|
1dc743 |
+
|
|
|
1dc743 |
/*
|
|
|
1dc743 |
* retrieve the internal module
|
|
|
1dc743 |
*/
|
|
|
1dc743 |
@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char *
|
|
|
1dc743 |
SECMODModuleList **mlpp;
|
|
|
1dc743 |
SECStatus rv = SECFailure;
|
|
|
1dc743 |
|
|
|
1dc743 |
- if (pendingModule) {
|
|
|
1dc743 |
+ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
|
|
|
1dc743 |
PORT_SetError(SEC_ERROR_MODULE_STUCK);
|
|
|
1dc743 |
return rv;
|
|
|
1dc743 |
}
|
|
|
1dc743 |
@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void)
|
|
|
1dc743 |
#ifdef NSS_FIPS_DISABLED
|
|
|
1dc743 |
return PR_FALSE;
|
|
|
1dc743 |
#else
|
|
|
1dc743 |
- return (PRBool)(pendingModule == NULL);
|
|
|
1dc743 |
+ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
|
|
|
1dc743 |
#endif
|
|
|
1dc743 |
}
|
|
|
1dc743 |
|
|
|
1dc743 |
diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
|
|
|
1dc743 |
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
|
|
|
1dc743 |
+++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100
|
|
|
1dc743 |
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
|
|
|
1dc743 |
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
|
|
|
1dc743 |
SECItem **param, SECItem *pwd, PRBool faulty3DES);
|
|
|
1dc743 |
|
|
|
1dc743 |
+/* Get the state of the system FIPS mode */
|
|
|
1dc743 |
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
|
|
|
1dc743 |
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
|
|
|
1dc743 |
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
|
|
|
1dc743 |
+ * mode */
|
|
|
1dc743 |
+int SECMOD_GetSystemFIPSEnabled();
|
|
|
1dc743 |
+
|
|
|
1dc743 |
extern void pk11sdr_Init(void);
|
|
|
1dc743 |
extern void pk11sdr_Shutdown(void);
|
|
|
1dc743 |
|