authorRobert Relyea <rrelyea@redhat.com>2023-04-12 08:19:35 -0700
committerRobert Relyea <rrelyea@redhat.com>2023-04-12 08:19:35 -0700
commit2386c64d2cf4194c8f63ae2e8d5b9e83544679eb (patch)
treeab0536e1141042e65242d1257534a8ae3f28f6ff /lib/softoken
parentaf6cccfbf3d14f62f86e322ea56b4c3a4e3fd5df (diff)
Bug 1806010 FIPS-104-3 requires we restart post programmatically
FIPS 140-3 requires that we give applications a way to restart the Power On Self-Tests programmatically. Unloading the shared library is insufficient. Shutting down softoken and restarting it with a special flag is. This patch accomplishes this task by: 1) adding a new startup flag init argument called forcePost which is parsed at FC_Initialize time. 2) Code which checks if the post ran properly takes a new Bool which tells the function whether or not to rerun the post operations. If post operations are to be rerun, all test flags are set to unknown or fail and the tests are rerun. The results are returned. 3) Public facing functions to verify integrity look for a special non-valid character flag as the first character of the filename and use that to decide whether we should rerun post or not. Callers add the flag if post should be rerun. 4) pk11mode, the general FIPS test program, makes sure we can turn on the forcePost flag. Differential Revision: https://phabricator.services.mozilla.com/D165050
Diffstat (limited to 'lib/softoken')
-rw-r--r--lib/softoken/fipstest.c19
-rw-r--r--lib/softoken/fipstokn.c11
-rw-r--r--lib/softoken/pkcs11.c4
-rw-r--r--lib/softoken/pkcs11i.h1
-rw-r--r--lib/softoken/sftkdb.c12
-rw-r--r--lib/softoken/sftkpars.c13
-rw-r--r--lib/softoken/sftkpars.h14
-rw-r--r--lib/softoken/softoken.h2
8 files changed, 47 insertions, 29 deletions
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
index 01d66427c..6010a50d6 100644
--- a/lib/softoken/fipstest.c
+++ b/lib/softoken/fipstest.c
@@ -690,11 +690,11 @@ static PRBool sftk_self_tests_success = PR_FALSE;
* This function is called at dll load time, the code tha makes this
* happen is platform specific on defined above.
*/
-static void
-sftk_startup_tests(void)
+void
+sftk_startup_tests_with_rerun(PRBool rerun)
{
SECStatus rv;
- const char *libraryName = SOFTOKEN_LIB_NAME;
+ const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME;
PORT_Assert(!sftk_self_tests_ran);
PORT_Assert(!sftk_self_tests_success);
@@ -752,13 +752,19 @@ sftk_startup_tests(void)
sftk_self_tests_success = PR_TRUE;
}
+static void
+sftk_startup_tests(void)
+{
+ sftk_startup_tests_with_rerun(PR_FALSE);
+}
+
/*
* this is called from nsc_Common_Initizialize entry points that gates access
* to * all other pkcs11 functions. This prevents softoken operation if our
* power on selftest failed.
*/
CK_RV
-sftk_FIPSEntryOK()
+sftk_FIPSEntryOK(PRBool rerun)
{
#ifdef NSS_NO_INIT_SUPPORT
/* this should only be set on platforms that can't handle one of the INIT
@@ -771,6 +777,11 @@ sftk_FIPSEntryOK()
sftk_startup_tests();
}
#endif
+ if (rerun) {
+ sftk_self_tests_ran = PR_FALSE;
+ sftk_self_tests_success = PR_FALSE;
+ sftk_startup_tests_with_rerun(PR_TRUE);
+ }
if (!sftk_self_tests_success) {
return CKR_DEVICE_ERROR;
}
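Review bot: The rerun branch added to sftk_FIPSEntryOK clears sftk_self_tests_ran and sftk_self_tests_success and executes the full POST with no guard against the module already being initialized; as far as this diff shows, the only caller passes the flag straight from the C_Initialize arguments, so a second C_Initialize carrying forcePost while the token is live would zero the success flag while other threads may be mid-operation (the caller's later initialization check is outside this hunk, so this is inferred). If the supported sequence is finalize-then-initialize, state that in the function comment, or have the caller skip the rerun when it would otherwise return CKR_CRYPTOKI_ALREADY_INITIALIZED. On NSS_NO_INIT_SUPPORT builds the block just above may also have run the tests immediately before the rerun executes them again, which is harmless but deserves a one-line comment. The header comment above sftk_startup_tests_with_rerun in the first hunk still says the function "is called at dll load time", which now describes only the static sftk_startup_tests wrapper; suggest `* sftk_startup_tests() is called at dll load time; the _with_rerun variant is also called from sftk_FIPSEntryOK() to re-execute the POST on demand.`. sftk_FIPSEntryOK begins in the previous hunk and continues past the end of this one.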
diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c
index 43e8c3847..cf5d73ce7 100644
--- a/lib/softoken/fipstokn.c
+++ b/lib/softoken/fipstokn.c
@@ -529,15 +529,22 @@ FC_Initialize(CK_VOID_PTR pReserved)
{
const char *envp;
CK_RV crv;
+ PRBool rerun;
if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
sftk_audit_enabled = (atoi(envp) == 1);
}
+ /* if we have the forcePOST flag on, rerun the integrity checks */
+ /* we need to know this before we fully parse the arguments in
+ * nsc_CommonInitialize, so read it now */
+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
+
/* At this point we should have already done post and integrity checks.
* if we haven't, it probably means the FIPS product has not been installed
- * or the tests failed. Don't let an application try to enter FIPS mode */
- crv = sftk_FIPSEntryOK();
+ * or the tests failed. Don't let an application try to enter FIPS mode. This
+ * also forces the tests to be rerun if forcePOST is set. */
+ crv = sftk_FIPSEntryOK(rerun);
if (crv != CKR_OK) {
sftk_fatalError = PR_TRUE;
fc_log_init_error(crv);
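Review bot: The new comment spells the flag `forcePOST` while the literal passed to sftk_RawArgHasFlag is `forcePost`; whether case matters depends on how NSSUTIL_ArgHasFlag compares (not visible here), so align the comment with the literal, e.g. `/* if the "forcePost" flag is set in the init args, rerun the POST and integrity checks */`. The early read of `rerun` happens before nsc_CommonInitialize parses and validates the same pReserved structure later in this function (outside the hunk), so the LibraryParameters string is interpreted twice; a short note that this pre-parse read is deliberate, and that the result only adds work rather than relaxing any check, would save the next reader from treating it as a bypass. FC_Initialize continues past the end of the hunk.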
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
index e9dc09acf..a730ba397 100644
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -2588,8 +2588,8 @@ sftk_getDefSlotName(CK_SLOT_ID slotID)
break;
}
snprintf(buf, sizeof(buf),
- "NSS Application Slot %08x ",
- (unsigned int)slotID);
+ "NSS Application Slot %08x ",
+ (unsigned int)slotID);
return buf;
}
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
index 3116de831..e4719a8ee 100644
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -874,6 +874,7 @@ NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
*/
CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
void sftk_freeParams(sftk_parameters *params);
+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
/*
* narrow objects
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
index 90d49304d..8542a2d56 100644
--- a/lib/softoken/sftkdb.c
+++ b/lib/softoken/sftkdb.c
@@ -256,8 +256,8 @@ sftkdb_getRawAttributeSignature(SFTKDBHandle *handle, SDB *db,
CK_RV crv;
snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
- sftkdb_TypeString(handle),
- (unsigned int)objectID, (unsigned int)type);
+ sftkdb_TypeString(handle),
+ (unsigned int)objectID, (unsigned int)type);
crv = (*db->sdb_GetMetaData)(db, id, signText, NULL);
return crv;
@@ -281,8 +281,8 @@ sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db,
CK_RV crv;
snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
- sftkdb_TypeString(handle),
- (unsigned int)objectID, (unsigned int)type);
+ sftkdb_TypeString(handle),
+ (unsigned int)objectID, (unsigned int)type);
crv = (*db->sdb_DestroyMetaData)(db, id);
return crv;
@@ -307,8 +307,8 @@ sftkdb_PutAttributeSignature(SFTKDBHandle *handle, SDB *keyTarget,
CK_RV crv;
snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
- sftkdb_TypeString(handle),
- (unsigned int)objectID, (unsigned int)type);
+ sftkdb_TypeString(handle),
+ (unsigned int)objectID, (unsigned int)type);
crv = (*keyTarget->sdb_PutMetaData)(keyTarget, id, signText, NULL);
return crv;
diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c
index 9c953b307..fdd08648f 100644
--- a/lib/softoken/sftkpars.c
+++ b/lib/softoken/sftkpars.c
@@ -253,3 +253,16 @@ sftk_freeParams(sftk_parameters *params)
FREE_CLEAR(params->updatedir);
FREE_CLEAR(params->updateID);
}
+
+PRBool
+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
+{
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+
+ /* if we don't have any params, the flag isn't set */
+ if ((!init_args || !init_args->LibraryParameters)) {
+ return PR_FALSE;
+ }
+
+ return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
+}
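Review bot: sftk_RawArgHasFlag takes `const void *pReserved` but its first line casts it to a non-const `CK_C_INITIALIZE_ARGS *`, discarding the qualifier for no reason; `const CK_C_INITIALIZE_ARGS *init_args = pReserved;` keeps the contract honest and needs no cast in C. The doubled parentheses in `if ((!init_args || !init_args->LibraryParameters))` on the following line can also go. The function has no header comment; something like `/* Return PR_TRUE if 'flag' is set in 'entry' of the C_Initialize LibraryParameters string, PR_FALSE if no init args or parameters were supplied. Used before full argument parsing so callers can read a flag early. */` would document the purpose the caller relies on. The whole body of this new function is within the hunk.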
diff --git a/lib/softoken/sftkpars.h b/lib/softoken/sftkpars.h
deleted file mode 100644
index a7707fc2b..000000000
--- a/lib/softoken/sftkpars.h
+++ /dev/null
@@ -1,14 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "pkcs11i.h"
-#include "sftkdbt.h"
-
-/* parsing functions */
-char *sftk_argFetchValue(char *string, int *pcount);
-char *sftk_getSecmodName(char *param, SDBType *dbType, char **appName, char **filename, PRBool *rw);
-char *sftk_argStrip(char *c);
-CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
-void sftk_freeParams(sftk_parameters *params);
-const char *sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **app);
-char *sftk_argGetParamValue(char *paramName, char *parameters);
diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
index 30586fcf4..dfb42b4e0 100644
--- a/lib/softoken/softoken.h
+++ b/lib/softoken/softoken.h
@@ -57,7 +57,7 @@ extern unsigned char *CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf,
** Power-Up selftests are required for FIPS.
*/
/* make sure Power-up selftests have been run. */
-extern CK_RV sftk_FIPSEntryOK(void);
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
/*
** make known fixed PKCS #11 key types to their sizes in bytes
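Review bot: The comment above the changed prototype still reads `/* make sure Power-up selftests have been run. */` and says nothing about the new `rerun` parameter; since this is the public declaration, document it here, e.g. `/* Make sure the Power-Up selftests have been run. If rerun is PR_TRUE the cached result is discarded and the full POST is executed again (FIPS 140-3 on-demand self-test). Returns CKR_DEVICE_ERROR if the tests did not pass. */`.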