Diffstat (limited to 'lib/softoken')
-rw-r--r-- | lib/softoken/fipstest.c | 19 | ||||
-rw-r--r-- | lib/softoken/fipstokn.c | 11 | ||||
-rw-r--r-- | lib/softoken/pkcs11.c | 4 | ||||
-rw-r--r-- | lib/softoken/pkcs11i.h | 1 | ||||
-rw-r--r-- | lib/softoken/sftkdb.c | 12 | ||||
-rw-r--r-- | lib/softoken/sftkpars.c | 13 | ||||
-rw-r--r-- | lib/softoken/sftkpars.h | 14 | ||||
-rw-r--r-- | lib/softoken/softoken.h | 2 |
8 files changed, 47 insertions, 29 deletions
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c index 01d66427c..6010a50d6 100644 --- a/lib/softoken/fipstest.c +++ b/lib/softoken/fipstest.c @@ -690,11 +690,11 @@ static PRBool sftk_self_tests_success = PR_FALSE; * This function is called at dll load time, the code tha makes this * happen is platform specific on defined above. */ -static void -sftk_startup_tests(void) +void +sftk_startup_tests_with_rerun(PRBool rerun) { SECStatus rv; - const char *libraryName = SOFTOKEN_LIB_NAME; + const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME; PORT_Assert(!sftk_self_tests_ran); PORT_Assert(!sftk_self_tests_success); @@ -752,13 +752,19 @@ sftk_startup_tests(void) sftk_self_tests_success = PR_TRUE; } +static void +sftk_startup_tests(void) +{ + sftk_startup_tests_with_rerun(PR_FALSE); +} + /* * this is called from nsc_Common_Initizialize entry points that gates access * to * all other pkcs11 functions. This prevents softoken operation if our * power on selftest failed. */ CK_RV -sftk_FIPSEntryOK() +sftk_FIPSEntryOK(PRBool rerun) { #ifdef NSS_NO_INIT_SUPPORT /* this should only be set on platforms that can't handle one of the INIT @@ -771,6 +777,11 @@ sftk_FIPSEntryOK() sftk_startup_tests(); } #endif + if (rerun) { + sftk_self_tests_ran = PR_FALSE; + sftk_self_tests_success = PR_FALSE; + sftk_startup_tests_with_rerun(PR_TRUE); + } if (!sftk_self_tests_success) { return CKR_DEVICE_ERROR; } diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c index 43e8c3847..cf5d73ce7 100644 --- a/lib/softoken/fipstokn.c +++ b/lib/softoken/fipstokn.c 
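Review bot: `sftk_startup_tests_with_rerun` is given external linkage in the first fipstest.c hunk, yet the only caller visible in this diff is `sftk_FIPSEntryOK` in the same file, and none of the header hunks shown declares it. Unless another directory touched by the commit calls it, keep it file-local with `static void` so softoken does not export an undeclared symbol. The comment above it still describes only the load-time call; a line such as `/* rerun: PR_TRUE when the tests are forced to run again; prefixes the library name with BLAPI_FIPS_RERUN_FLAG_STRING */` would document the new parameter. The function body continues outside the hunk.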
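Review bot: The `if (rerun)` block added in the third fipstest.c hunk clears `sftk_self_tests_ran` and `sftk_self_tests_success` and then reruns the tests with no lock or atomic access visible. A thread that calls `sftk_FIPSEntryOK(PR_FALSE)` while the rerun is in progress would therefore see a transient `CKR_DEVICE_ERROR`. That fails closed, which is the right direction, but the threading assumption should be written down, e.g. `/* caller must ensure no other thread is using the module: self-test state stays cleared until the rerun completes */`. The function starts and ends outside the hunk, so any locking done by its callers is not visible here.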
@@ -529,15 +529,22 @@ FC_Initialize(CK_VOID_PTR pReserved) { const char *envp; CK_RV crv; + PRBool rerun; if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) { sftk_audit_enabled = (atoi(envp) == 1); } + /* if we have the forcePOST flag on, rerun the integrity checks */ + /* we need to know this before we fully parse the arguments in + * nsc_CommonInitialize, so read it now */ + rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved); + /* At this point we should have already done post and integrity checks. * if we haven't, it probably means the FIPS product has not been installed - * or the tests failed. Don't let an application try to enter FIPS mode */ - crv = sftk_FIPSEntryOK(); + * or the tests failed. Don't let an application try to enter FIPS mode. This + * also forces the tests to be rerun if forcePOST is set. */ + crv = sftk_FIPSEntryOK(rerun); if (crv != CKR_OK) { sftk_fatalError = PR_TRUE; fc_log_init_error(crv); diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c index e9dc09acf..a730ba397 100644 --- a/lib/softoken/pkcs11.c +++ b/lib/softoken/pkcs11.c @@ -2588,8 +2588,8 @@ sftk_getDefSlotName(CK_SLOT_ID slotID) break; } snprintf(buf, sizeof(buf), - "NSS Application Slot %08x ", - (unsigned int)slotID); + "NSS Application Slot %08x ", + (unsigned int)slotID); return buf; } diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h index 3116de831..e4719a8ee 100644 --- a/lib/softoken/pkcs11i.h +++ b/lib/softoken/pkcs11i.h @@ -874,6 +874,7 @@ NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey); */ CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS); void sftk_freeParams(sftk_parameters *params); +PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved); /* * narrow objects diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c index 90d49304d..8542a2d56 100644 --- a/lib/softoken/sftkdb.c +++ b/lib/softoken/sftkdb.c 
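Review bot: The two new comments in FC_Initialize spell the flag `forcePOST` while the lookup passes `"forcePost"`; whether these are equivalent depends on how `NSSUTIL_ArgHasFlag` compares flag names, which this diff does not show. Using one spelling in both comments and code, or a shared constant for the literal, removes the doubt for anyone writing the init string. The rerun is also decided from the raw `pReserved` before `nsc_CommonInitialize` has validated the arguments and, as far as the hunk shows, on every FC_Initialize call. The comment should state whether a repeat call on an already initialised module is meant to reset and rerun the self-tests. FC_Initialize continues outside the hunk.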
@@ -256,8 +256,8 @@ sftkdb_getRawAttributeSignature(SFTKDBHandle *handle, SDB *db, CK_RV crv; snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE, - sftkdb_TypeString(handle), - (unsigned int)objectID, (unsigned int)type); + sftkdb_TypeString(handle), + (unsigned int)objectID, (unsigned int)type); crv = (*db->sdb_GetMetaData)(db, id, signText, NULL); return crv; @@ -281,8 +281,8 @@ sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db, CK_RV crv; snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE, - sftkdb_TypeString(handle), - (unsigned int)objectID, (unsigned int)type); + sftkdb_TypeString(handle), + (unsigned int)objectID, (unsigned int)type); crv = (*db->sdb_DestroyMetaData)(db, id); return crv; @@ -307,8 +307,8 @@ sftkdb_PutAttributeSignature(SFTKDBHandle *handle, SDB *keyTarget, CK_RV crv; snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE, - sftkdb_TypeString(handle), - (unsigned int)objectID, (unsigned int)type); + sftkdb_TypeString(handle), + (unsigned int)objectID, (unsigned int)type); crv = (*keyTarget->sdb_PutMetaData)(keyTarget, id, signText, NULL); return crv; diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c index 9c953b307..fdd08648f 100644 --- a/lib/softoken/sftkpars.c +++ b/lib/softoken/sftkpars.c @@ -253,3 +253,16 @@ sftk_freeParams(sftk_parameters *params) FREE_CLEAR(params->updatedir); FREE_CLEAR(params->updateID); } + +PRBool +sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved) +{ + CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved; + + /* if we don't have any params, the flag isn't set */ + if ((!init_args || !init_args->LibraryParameters)) { + return PR_FALSE; + } + + return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters); +} diff --git a/lib/softoken/sftkpars.h b/lib/softoken/sftkpars.h deleted file mode 100644 index a7707fc2b..000000000 --- a/lib/softoken/sftkpars.h +++ /dev/null 
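Review bot: `sftk_RawArgHasFlag` in the sftkpars.c hunk takes `const void *pReserved`, but the cast `(CK_C_INITIALIZE_ARGS *)pReserved` drops the qualifier. Since the structure is only read, declare the local as `const CK_C_INITIALIZE_ARGS *init_args = (const CK_C_INITIALIZE_ARGS *)pReserved;`. The function dereferences an application-supplied pointer before the full argument parsing that the FC_Initialize comment attributes to `nsc_CommonInitialize`. A short header comment should state that `pReserved` must be NULL or a valid `CK_C_INITIALIZE_ARGS` whose `LibraryParameters` is a NUL-terminated string. The doubled parentheses in `if ((!init_args || !init_args->LibraryParameters))` can be reduced to one pair.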
@@ -1,14 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include "pkcs11i.h" -#include "sftkdbt.h" - -/* parsing functions */ -char *sftk_argFetchValue(char *string, int *pcount); -char *sftk_getSecmodName(char *param, SDBType *dbType, char **appName, char **filename, PRBool *rw); -char *sftk_argStrip(char *c); -CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS); -void sftk_freeParams(sftk_parameters *params); -const char *sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **app); -char *sftk_argGetParamValue(char *paramName, char *parameters); diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h index 30586fcf4..dfb42b4e0 100644 --- a/lib/softoken/softoken.h +++ b/lib/softoken/softoken.h @@ -57,7 +57,7 @@ extern unsigned char *CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf, ** Power-Up selftests are required for FIPS. */ /* make sure Power-up selftests have been run. */ -extern CK_RV sftk_FIPSEntryOK(void); +extern CK_RV sftk_FIPSEntryOK(PRBool rerun); /* ** make known fixed PKCS #11 key types to their sizes in bytes |