
diff -up nss/lib/pk11wrap/pk11pars.c.fips nss/lib/pk11wrap/pk11pars.c
--- nss/lib/pk11wrap/pk11pars.c.fips	2013-05-28 14:43:24.000000000 -0700
+++ nss/lib/pk11wrap/pk11pars.c	2013-07-10 18:54:16.733465910 -0700
@@ -150,6 +150,10 @@ SECMOD_CreateModule(const char *library,
     }
     mod->internal   = NSSUTIL_ArgHasFlag("flags","internal",nssc);
     mod->isFIPS     = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
+    /* if the system FIPS mode is enabled, force FIPS to be on */
+    if (SECMOD_GetSystemFIPSEnabled()) {
+	mod->isFIPS = PR_TRUE;
+    }
     mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
     slotParams      = NSSUTIL_ArgGetParamValue("slotParams",nssc);
     mod->slotInfo   = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
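Review bot: The added `mod->isFIPS = PR_TRUE;` line is indented with a tab while every neighbouring line in this hunk uses four spaces; match the surrounding indentation. The override is also applied to every module SECMOD_CreateModule builds, not only the internal softoken, and the new comment does not say so; if that is the intent, make it explicit with `/* if the system FIPS mode is enabled, force FIPS on for every module, not just the internal one */`, otherwise the assignment presumably wants an additional `mod->internal` guard. SECMOD_CreateModule begins before this hunk and continues after it.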
diff -up nss/lib/pk11wrap/pk11util.c.fips nss/lib/pk11wrap/pk11util.c
--- nss/lib/pk11wrap/pk11util.c.fips	2013-05-28 14:43:24.000000000 -0700
+++ nss/lib/pk11wrap/pk11util.c	2013-07-10 18:54:16.734465927 -0700
@@ -95,6 +95,25 @@ SECMOD_Shutdown() 
     return SECSuccess;
 }
 
+int SECMOD_GetSystemFIPSEnabled(void) {
+#ifdef LINUX
+    FILE *f;
+    char d;
+    size_t size;
+
+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
+    if (!f)
+        return 0;
+
+    size = fread(&d, 1, 1, f);
+    fclose(f);
+    if (size != 1)
+        return 0;
+    if (d == '1')
+        return 1;
+#endif
+    return 0;
+}
 
 /*
  * retrieve the internal module
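Review bot: The new SECMOD_GetSystemFIPSEnabled has no header comment, and its contract is easy to misread because every failure path folds into "not FIPS": a missing or unreadable `/proc/sys/crypto/fips_enabled`, a short read, or a first byte other than `'1'` all return 0, and so does every non-LINUX build. A comment above the definition such as `/* Returns 1 when the first byte of /proc/sys/crypto/fips_enabled is '1'; 0 otherwise, including when the file cannot be read or on non-Linux builds. */` pins that down for callers. Note also that the file is opened and read on each call, and this hunk's other callers (SECMOD_CreateModule and the delete paths below) invoke it per module; if that cost matters it is worth a comment stating that the value is deliberately re-read rather than cached. Ignoring the `fclose` result is fine here since the stream is read-only.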
@@ -417,7 +436,7 @@ SECMOD_DeleteInternalModule(const char *
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
-    if (pendingModule) {
+    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
 	PORT_SetError(SEC_ERROR_MODULE_STUCK);
 	return rv;
     }
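Review bot: The new condition `SECMOD_GetSystemFIPSEnabled() || pendingModule` is the exact negation of what the later hunk in this file puts into SECMOD_CanDeleteInternalModule, so the rule now lives in two places; since SECMOD_CanDeleteInternalModule is part of the public SECMOD API it should already be declared here, in which case `if (!SECMOD_CanDeleteInternalModule()) {` keeps the two in sync. The failure is reported as SEC_ERROR_MODULE_STUCK even when nothing is pending and the only reason is kernel-enforced FIPS, which is not obvious from the error name; a one-line comment on the condition, `/* a pending swap or kernel-enforced FIPS mode both block replacing the internal module */`, would help callers that see that error. SECMOD_DeleteInternalModule begins before this hunk and continues after it.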
@@ -888,7 +907,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
 PRBool
 SECMOD_CanDeleteInternalModule(void)
 {
-    return (PRBool) (pendingModule == NULL);
+    return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); 
 }
 
 /*
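Review bot: The rewritten `return` line in SECMOD_CanDeleteInternalModule carries trailing whitespace after the semicolon; drop it. The function's documented meaning presumably changes with this patch (it now also reports false whenever the kernel is in FIPS mode), so its comment, or the secmod.h documentation if that is where it lives, should say that the answer is no while `/proc/sys/crypto/fips_enabled` reads '1' even if no module swap is pending, so applications can explain why a FIPS toggle is refused.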
diff -up nss/lib/pk11wrap/secmodi.h.fips nss/lib/pk11wrap/secmodi.h
--- nss/lib/pk11wrap/secmodi.h.fips	2013-07-10 18:55:06.358298154 -0700
+++ nss/lib/pk11wrap/secmodi.h	2013-07-10 18:56:52.050069372 -0700
@@ -116,7 +116,12 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
                    SECItem **param, SECItem *pwd, PRBool faulty3DES);
 
-
+/* Get the state of the system FIPS mode */
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
+ * mode */
+int SECMOD_GetSystemFIPSEnabled();
 
 extern void pk11sdr_Init(void);
 extern void pk11sdr_Shutdown(void);
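Review bot: The added declaration `int SECMOD_GetSystemFIPSEnabled();` has an empty parameter list, which in C is a non-prototype declaration, while the definition in pk11util.c is `int SECMOD_GetSystemFIPSEnabled(void)`; declare it as `int SECMOD_GetSystemFIPSEnabled(void);` so the two match and the compiler can check calls. The accompanying comment names a function `SECMOD_CanDeleteInteral()` that does not exist in this patch (the function changed in pk11util.c is SECMOD_CanDeleteInternalModule) and misspells "switch" as "swith"; fix both and merge the two adjacent comment blocks into one so the description reads as a single paragraph.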