Bug 1806010 FIPS-104-3 requires we restart post programmatically

FIPS -140-3 requires that we give applications a way to restart the Power On Self-Tests programmatically. Unloading the shared library is insufficient. Shutting down softoken and restarting it with a special flag is.

This path accomplishes this task by:
1) adding a new startup flag init argument flag called forcePost which is
parsed at FC_Initialize time.
2) Code which checks if the post ran properly takes a new Bool which tells the function whether or not to rerun the post operations. If post operations are to be rerun, all test flags are set to unknown or fail and the tests are rerun. The results are returned.
3) Public facing functions to verify integrity looks for a special non-valid character flag as the first character of the filename and uses that to decide if we should rerun post or not. Callers add the flag if post should be rerun.
4) pk11mode, the general FIPS test program makes sure we can turn on the forcePost flag.

Differential Revision: https://phabricator.services.mozilla.com/D165050

1 files changed, 9 insertions, 1 deletions

diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
index f05e31b92..6d24372d6 100644
--- a/lib/freebl/fipsfreebl.c
+++ b/lib/freebl/fipsfreebl.c
@@ -2216,7 +2216,7 @@ bl_startup_tests(void)
  * power on selftest failed.
  */
 SECStatus
-BL_FIPSEntryOK(PRBool freebl_only)
+BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun)
 {
 #ifdef NSS_NO_INIT_SUPPORT
     /* this should only be set on platforms that can't handle one of the INIT
@@ -2229,6 +2229,14 @@ BL_FIPSEntryOK(PRBool freebl_only)
         bl_startup_tests();
     }
 #endif
+    if (rerun) {
+        /* reset the flags */
+        self_tests_freebl_ran = PR_FALSE;
+        self_tests_success = PR_FALSE;
+        self_tests_success = PR_FALSE;
+        self_tests_freebl_success = PR_FALSE;
+        bl_startup_tests();
+    }
     /* if the general self tests succeeded, we're done */
     if (self_tests_success) {
         return SECSuccess;