Blame SOURCES/enable-fips-when-system-is-in-fips-mode.patch

5f1c2b
diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
744490
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode	2018-03-05 16:58:32.000000000 +0100
744490
+++ nss/lib/pk11wrap/pk11pars.c	2018-03-09 17:24:39.815838810 +0100
744490
@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar
5f1c2b
 
5f1c2b
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
5f1c2b
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
f57139
+    /* if the system FIPS mode is enabled, force FIPS to be on */
f57139
+    if (SECMOD_GetSystemFIPSEnabled()) {
f57139
+	mod->isFIPS = PR_TRUE;
f57139
+    }
5f1c2b
     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
5f1c2b
     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
5f1c2b
     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
5f1c2b
diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
744490
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode	2018-03-05 16:58:32.000000000 +0100
744490
+++ nss/lib/pk11wrap/pk11util.c	2018-03-09 17:25:46.804347730 +0100
744490
@@ -95,6 +95,26 @@ SECMOD_Shutdown()
f57139
     return SECSuccess;
f57139
 }
f57139
 
f57139
+int SECMOD_GetSystemFIPSEnabled(void) {
f57139
+#ifdef LINUX
f57139
+    FILE *f;
f57139
+    char d;
f57139
+    size_t size;
f57139
+
f57139
+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
f57139
+    if (!f)
f57139
+        return 0;
f57139
+
f57139
+    size = fread(&d, 1, 1, f);
f57139
+    fclose(f);
f57139
+    if (size != 1)
f57139
+        return 0;
f57139
+    if (d == '1')
f57139
+        return 1;
f57139
+#endif
f57139
+    return 0;
f57139
+}
5f1c2b
+
f57139
 /*
f57139
  * retrieve the internal module
1b6f66
  */
744490
@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char *
f57139
     SECMODModuleList **mlpp;
f57139
     SECStatus rv = SECFailure;
f57139
 
f57139
-    if (pendingModule) {
f57139
+    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
5f1c2b
         PORT_SetError(SEC_ERROR_MODULE_STUCK);
5f1c2b
         return rv;
1b6f66
     }
744490
@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void)
744490
 #ifdef NSS_FIPS_DISABLED
744490
     return PR_FALSE;
744490
 #else
5f1c2b
-    return (PRBool)(pendingModule == NULL);
1b6f66
+    return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
744490
 #endif
f57139
 }
f57139
 
5f1c2b
diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
744490
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode	2018-03-05 16:58:32.000000000 +0100
744490
+++ nss/lib/pk11wrap/secmodi.h	2018-03-09 17:24:39.816838788 +0100
5f1c2b
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
f57139
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
5f1c2b
                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
f57139
 
f57139
+/* Get the state of the system FIPS mode */
f57139
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
f57139
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
f57139
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
f57139
+ * mode */
f57139
+int SECMOD_GetSystemFIPSEnabled();
5f1c2b
+
f57139
 extern void pk11sdr_Init(void);
f57139
 extern void pk11sdr_Shutdown(void);
1b6f66