authorRobert Relyea <rrelyea@redhat.com>2019-02-28 09:59:05 +0100
committerRobert Relyea <rrelyea@redhat.com>2019-02-28 09:59:05 +0100
commitd9ea7bedd0d3e7492efc41b0b48313beee841dec (patch)
tree8592c0234dc4a291a02c73a8ccc35771a6c4625b
parent97dabee53285b87b5d0abed471bee0094fd42ba2 (diff)
downloadnss-hg-d9ea7bedd0d3e7492efc41b0b48313beee841dec.tar.gz
1531267, enable FIPS mode if the system FIPS mode flag is set, r=jcj,mt
This patch forces NSS into FIPS mode if the system FIPS mode bit is set. - If that bit is set, applications trying to switch out of FIPS mode will get an error code. - Applications that check to see if they can change modes (like Firefox and Thunderbird) will be told they can't, so the Firefox <Disable FIPS> button should be grayed out if the system FIPS mode bit is set. If the bit is not set, NSS gets its FIPS indication in its traditional way, so the Firefox 'Enable FIPS' button will be on as normal. This patch does not change NSS behavior WRT non-FIPS algorithms.
-rw-r--r--lib/pk11wrap/pk11pars.c4
-rw-r--r--lib/pk11wrap/pk11util.c29
-rw-r--r--lib/pk11wrap/secmodi.h7
3 files changed, 38 insertions, 2 deletions
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
index 3fc9bc8dc..d6a4464e2 100644
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -815,6 +815,10 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
+ /* if the system FIPS mode is enabled, force FIPS to be on */
+ if (secmod_GetSystemFIPSEnabled()) {
+ mod->isFIPS = PR_TRUE;
+ }
mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
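Review bot: The override `mod->isFIPS = PR_TRUE;` in SECMOD_CreateModuleEx is unconditional on the build configuration, although pk11util.c in this same commit shows an `NSS_FIPS_DISABLED` build option under which SECMOD_CanDeleteInternalModule always returns PR_FALSE. If a build with FIPS support compiled out cannot honour `isFIPS`, the forced flag should be wrapped in `#ifndef NSS_FIPS_DISABLED`; whether that is the case is not visible from this hunk. The flag is also set for every module this function creates, not only when `mod->internal` (assigned two lines above) is true, so a short comment saying that forcing it on non-internal modules is intended would help. The function body starts and ends outside the hunk.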
diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
index e316f1f1a..502c4d00c 100644
--- a/lib/pk11wrap/pk11util.c
+++ b/lib/pk11wrap/pk11util.c
@@ -95,6 +95,31 @@ SECMOD_Shutdown()
return SECSuccess;
}
+int
+secmod_GetSystemFIPSEnabled(void)
+{
+#ifdef LINUX
+ FILE *f;
+ char d;
+ size_t size;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f) {
+ return 0;
+ }
+
+ size = fread(&d, 1, sizeof(d), f);
+ fclose(f);
+ if (size != sizeof(d)) {
+ return 0;
+ }
+ if (d == '1') {
+ return 1;
+ }
+#endif
+ return 0;
+}
+
/*
* retrieve the internal module
*/
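Review bot: Every failure path in secmod_GetSystemFIPSEnabled returns 0, so a process that cannot open or read /proc/sys/crypto/fips_enabled (for example one running in a chroot or sandbox without /proc) is treated as non-FIPS and the enforcement this commit adds silently does not apply. The function has no header comment stating that; I would add `/* Returns 1 only if /proc/sys/crypto/fips_enabled is readable and begins with '1'; any open or read error counts as FIPS off. */` and decide explicitly whether an fread failure on a file that did open should fail closed instead. The file is also re-read at each of the three call sites in this commit, so two calls can disagree if a read fails intermittently; reading it once and caching the answer would keep SECMOD_CanDeleteInternalModule and SECMOD_DeleteInternalModule consistent with the state chosen at module creation.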
@@ -428,7 +453,7 @@ SECMOD_DeleteInternalModule(const char *name)
SECMODModuleList **mlpp;
SECStatus rv = SECFailure;
- if (pendingModule) {
+ if (secmod_GetSystemFIPSEnabled() || pendingModule) {
PORT_SetError(SEC_ERROR_MODULE_STUCK);
return rv;
}
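Review bot: The new `secmod_GetSystemFIPSEnabled() ||` guard in SECMOD_DeleteInternalModule reports a system policy refusal with the same SEC_ERROR_MODULE_STUCK code as a pending module, and nothing at the site records that. A caller that did not first ask SECMOD_CanDeleteInternalModule (changed the same way in the next hunk) cannot tell the two causes apart; a comment such as `/* system FIPS mode pins the internal module: refuse the switch */` above the `if` would document the intent. The function body continues outside the hunk.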
@@ -963,7 +988,7 @@ SECMOD_CanDeleteInternalModule(void)
#ifdef NSS_FIPS_DISABLED
return PR_FALSE;
#else
- return (PRBool)(pendingModule == NULL);
+ return (PRBool)((pendingModule == NULL) && !secmod_GetSystemFIPSEnabled());
#endif
}
diff --git a/lib/pk11wrap/secmodi.h b/lib/pk11wrap/secmodi.h
index 7ec77ced6..634b241bd 100644
--- a/lib/pk11wrap/secmodi.h
+++ b/lib/pk11wrap/secmodi.h
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
SECItem **param, SECItem *pwd, PRBool faulty3DES);
+/* Get the state of the system FIPS mode */
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
+ * mode */
+int secmod_GetSystemFIPSEnabled();
+
extern void pk11sdr_Init(void);
extern void pk11sdr_Shutdown(void);
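Review bot: `int secmod_GetSystemFIPSEnabled();` declares the function with an empty parameter list, which in C is not a prototype, so a call that passes arguments would not be diagnosed. The definition in pk11util.c uses `(void)` and the declaration should match it: `int secmod_GetSystemFIPSEnabled(void);`. The comment above the declaration also misspells the API it points to (`SECMOD_CanDeleteInteral()` where this commit changes SECMOD_CanDeleteInternalModule) and has `swith` for "switch", which makes the cross-reference hard to grep.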