Bug 1635509 NSS needs to export the System FIPS state. r=kjacob
authorRobert Relyea <rrelyea@redhat.com>
Tue, 05 May 2020 16:10:10 -0700
changeset 15589 e3444f4cc63837751b3f3b0b7df94e28804500e7
parent 15588 ca48fb267a9dccb425b4d353cf96629576b402f4
child 15590 d30a6953b897a8c8beff5ac5e29c7d75d71530ff
push id3739
push userrrelyea@redhat.com
push dateFri, 08 May 2020 21:55:06 +0000
reviewerskjacob
bugs1635509
Bug 1635509 NSS needs to export the System FIPS state. r=kjacob Internally, NSS uses the system FIPS state to determine if it needs to go into FIPS mode independent of the database FIPS indication. Some applications need to know this value, particularly if they need to know the FIPS state before they call NSS_Init (NSS_IsFIPS() is only valid after init because it depends on the database indicator, which is not known until NSS is initialized). Differential Revision: https://phabricator.services.mozilla.com/D73986
automation/abi-check/expected-report-libnss3.so.txt
lib/nss/nss.def
lib/pk11wrap/pk11pars.c
lib/pk11wrap/pk11pub.h
lib/pk11wrap/pk11util.c
lib/pk11wrap/secmodi.h
--- a/automation/abi-check/expected-report-libnss3.so.txt
+++ b/automation/abi-check/expected-report-libnss3.so.txt
@@ -0,0 +1,5 @@
+
+1 Added function:
+
+  [A] 'function PRBool SECMOD_GetSystemFIPSEnabled()'    {SECMOD_GetSystemFIPSEnabled@@NSS_3.53}
+
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1170,8 +1170,14 @@ PK11_GetCertsMatchingPrivateKey;
 PK11_AEADOp;
 PK11_AEADRawOp;
 PK11_GetObjectHandle;
 PK11_ReadRawAttributes;
 PK11_SymKeysToSameSlot;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.53 { 	# NSS 3.53 release
+;+    global:
+SECMOD_GetSystemFIPSEnabled;
+;+    local:
+;+       *;
+;+};
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -813,17 +813,17 @@ SECMOD_CreateModuleEx(const char *librar
     /* new field */
     if (parameters) {
         mod->libraryParams = PORT_ArenaStrdup(mod->arena, parameters);
     }
 
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
     /* if the system FIPS mode is enabled, force FIPS to be on */
-    if (secmod_GetSystemFIPSEnabled()) {
+    if (SECMOD_GetSystemFIPSEnabled()) {
         mod->isFIPS = PR_TRUE;
     }
     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
                                              &mod->slotInfoCount);
     if (slotParams)
         PORT_Free(slotParams);
--- a/lib/pk11wrap/pk11pub.h
+++ b/lib/pk11wrap/pk11pub.h
@@ -934,11 +934,22 @@ PK11_GetCertsMatchingPrivateKey(SECKEYPr
 SECItem *
 PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
                              CERTCertificate *cert, void *pwarg);
 SECItem *
 PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
 
 PRBool SECMOD_HasRootCerts(void);
 
+/**********************************************************************
+ * Other Utilities
+ **********************************************************************/
+/* 
+ * Get the state of the system FIPS mode -
+ *  NSS uses this to force FIPS mode if the system bit is on. This returns
+ *  the system state independent of the database state and can be called
+ *  before NSS initializes.
+ */
+int SECMOD_GetSystemFIPSEnabled();
+
 SEC_END_PROTOS
 
 #endif
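Review bot: The new declaration `int SECMOD_GetSystemFIPSEnabled();` does not match the definition in lib/pk11wrap/pk11util.c, which this commit changes to `PRBool SECMOD_GetSystemFIPSEnabled(void)`, nor the `PRBool` signature recorded in the ABI report. With empty parentheses the public header also gives C callers no prototype, so a call with stray arguments is not diagnosed. Declaring it as `PRBool SECMOD_GetSystemFIPSEnabled(void);`, in the same form as `SECMOD_HasRootCerts` a few lines above, keeps the header, the definition and the exported ABI consistent. The comment would also be more useful to callers if it said that the function always returns PR_FALSE in builds without LINUX or with NSS_FIPS_DISABLED, as the `#ifdef` nesting in pk11util.c shows.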
--- a/lib/pk11wrap/pk11util.c
+++ b/lib/pk11wrap/pk11util.c
@@ -90,41 +90,41 @@ SECMOD_Shutdown()
 #endif
     if (secmod_PrivateModuleCount) {
         PORT_SetError(SEC_ERROR_BUSY);
         return SECFailure;
     }
     return SECSuccess;
 }
 
-int
-secmod_GetSystemFIPSEnabled(void)
+PRBool
+SECMOD_GetSystemFIPSEnabled(void)
 {
 #ifdef LINUX
 #ifndef NSS_FIPS_DISABLED
     FILE *f;
     char d;
     size_t size;
 
     f = fopen("/proc/sys/crypto/fips_enabled", "r");
     if (!f) {
-        return 0;
+        return PR_FALSE;
     }
 
     size = fread(&d, 1, sizeof(d), f);
     fclose(f);
     if (size != sizeof(d)) {
-        return 0;
+        return PR_FALSE;
     }
     if (d == '1') {
-        return 1;
+        return PR_TRUE;
     }
 #endif
 #endif
-    return 0;
+    return PR_FALSE;
 }
 
 /*
  * retrieve the internal module
  */
 SECMODModule *
 SECMOD_GetInternalModule(void)
 {
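Review bot: Both failure paths in SECMOD_GetSystemFIPSEnabled, the `fopen` failure and the short `fread`, return PR_FALSE, so a caller cannot tell "system FIPS mode is off" from "the state could not be read". That mattered less while the function was internal, but it is now exported and documented as callable before NSS_Init, so applications will base policy decisions on it; a process that cannot open /proc/sys/crypto/fips_enabled (presumably one with a restricted view of /proc) would be told FIPS is off. At minimum the contract should say so, for example with a comment above the definition: `/* Returns PR_FALSE when the state cannot be read; "off" and "unknown" are not distinguished. */`. The file is also re-read on every call, so the answer can change within one process and with it the checks in SECMOD_DeleteInternalModule and SECMOD_CanDeleteInternalModule; reading it once and caching the result would keep those decisions stable.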
@@ -450,17 +450,17 @@ SECMOD_DeleteModule(const char *name, in
  */
 SECStatus
 SECMOD_DeleteInternalModule(const char *name)
 {
     SECMODModuleList *mlp;
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
-    if (secmod_GetSystemFIPSEnabled() || pendingModule) {
+    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
         PORT_SetError(SEC_ERROR_MODULE_STUCK);
         return rv;
     }
     if (!moduleLock) {
         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
         return rv;
     }
 
@@ -985,17 +985,17 @@ SECMOD_DestroyModuleList(SECMODModuleLis
 }
 
 PRBool
 SECMOD_CanDeleteInternalModule(void)
 {
 #ifdef NSS_FIPS_DISABLED
     return PR_FALSE;
 #else
-    return (PRBool)((pendingModule == NULL) && !secmod_GetSystemFIPSEnabled());
+    return (PRBool)((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
 #endif
 }
 
 /*
  * check to see if the module has added new slots. PKCS 11 v2.20 allows for
  * modules to add new slots, but never remove them. Slots cannot be added
  * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent
  * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
--- a/lib/pk11wrap/secmodi.h
+++ b/lib/pk11wrap/secmodi.h
@@ -110,23 +110,16 @@ SECStatus PBE_PK11ParamToAlgid(SECOidTag
 PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
                                                 CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType,
                                                 int keySize, SECItem *keyId, CK_FLAGS opFlags,
                                                 PK11AttrFlags attrFlags, void *wincx);
 
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
 
-/* Get the state of the system FIPS mode */
-/* NSS uses this to force FIPS mode if the system bit is on. Applications which
- * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
- * from FIPS mode will automatically be told that they can't swith out of FIPS
- * mode */
-int secmod_GetSystemFIPSEnabled();
-
 extern void pk11sdr_Init(void);
 extern void pk11sdr_Shutdown(void);
 
 /*
  * Private to pk11wrap.
  */
 
 PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx);