8 files changed, 47 insertions, 29 deletions

diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
index 01d66427c..6010a50d6 100644
--- a/lib/softoken/fipstest.c
+++ b/lib/softoken/fipstest.c
@@ -690,11 +690,11 @@ static PRBool sftk_self_tests_success = PR_FALSE;
  * This function is called at dll load time, the code tha makes this
  * happen is platform specific on defined above.
  */
-static void
-sftk_startup_tests(void)
+void
+sftk_startup_tests_with_rerun(PRBool rerun)
 {
     SECStatus rv;
-    const char *libraryName = SOFTOKEN_LIB_NAME;
+    const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME;
 
     PORT_Assert(!sftk_self_tests_ran);
     PORT_Assert(!sftk_self_tests_success);
@@ -752,13 +752,19 @@ sftk_startup_tests(void)
     sftk_self_tests_success = PR_TRUE;
 }
 
+static void
+sftk_startup_tests(void)
+{
+    sftk_startup_tests_with_rerun(PR_FALSE);
+}
+
 /*
  * this is called from nsc_Common_Initizialize entry points that gates access
  * to * all other pkcs11 functions. This prevents softoken operation if our
  * power on selftest failed.
  */
 CK_RV
-sftk_FIPSEntryOK()
+sftk_FIPSEntryOK(PRBool rerun)
 {
 #ifdef NSS_NO_INIT_SUPPORT
     /* this should only be set on platforms that can't handle one of the INIT
@@ -771,6 +777,11 @@ sftk_FIPSEntryOK()
         sftk_startup_tests();
     }
 #endif
+    if (rerun) {
+        sftk_self_tests_ran = PR_FALSE;
+        sftk_self_tests_success = PR_FALSE;
+        sftk_startup_tests_with_rerun(PR_TRUE);
+    }
     if (!sftk_self_tests_success) {
         return CKR_DEVICE_ERROR;
     }
diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c
index 43e8c3847..cf5d73ce7 100644
--- a/lib/softoken/fipstokn.c
+++ b/lib/softoken/fipstokn.c
@@ -529,15 +529,22 @@ FC_Initialize(CK_VOID_PTR pReserved)
 {
     const char *envp;
     CK_RV crv;
+    PRBool rerun;
 
     if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
         sftk_audit_enabled = (atoi(envp) == 1);
     }
 
+    /* if we have the forcePOST flag on, rerun the integrity checks */
+    /* we need to know this before we fully parse the arguments in
+     * nsc_CommonInitialize, so read it now */
+    rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
+
     /* At this point we should have already done post and integrity checks.
      * if we haven't, it probably means the FIPS product has not been installed
-     * or the tests failed. Don't let an application try to enter FIPS mode */
-    crv = sftk_FIPSEntryOK();
+     * or the tests failed. Don't let an application try to enter FIPS mode. This
+     * also forces the tests to be rerun if forcePOST is set. */
+    crv = sftk_FIPSEntryOK(rerun);
     if (crv != CKR_OK) {
         sftk_fatalError = PR_TRUE;
         fc_log_init_error(crv);
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
index e9dc09acf..a730ba397 100644
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -2588,8 +2588,8 @@ sftk_getDefSlotName(CK_SLOT_ID slotID)
             break;
     }
     snprintf(buf, sizeof(buf),
-            "NSS Application Slot %08x                                   ",
-            (unsigned int)slotID);
+             "NSS Application Slot %08x                                   ",
+             (unsigned int)slotID);
     return buf;
 }
 
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
index 3116de831..e4719a8ee 100644
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -874,6 +874,7 @@ NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
  */
 CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
 void sftk_freeParams(sftk_parameters *params);
+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
 
 /*
  * narrow objects
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
index 90d49304d..8542a2d56 100644
--- a/lib/softoken/sftkdb.c
+++ b/lib/softoken/sftkdb.c
@@ -256,8 +256,8 @@ sftkdb_getRawAttributeSignature(SFTKDBHandle *handle, SDB *db,
     CK_RV crv;
 
     snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
-            sftkdb_TypeString(handle),
-            (unsigned int)objectID, (unsigned int)type);
+             sftkdb_TypeString(handle),
+             (unsigned int)objectID, (unsigned int)type);
 
     crv = (*db->sdb_GetMetaData)(db, id, signText, NULL);
     return crv;
@@ -281,8 +281,8 @@ sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db,
     CK_RV crv;
 
     snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
-            sftkdb_TypeString(handle),
-            (unsigned int)objectID, (unsigned int)type);
+             sftkdb_TypeString(handle),
+             (unsigned int)objectID, (unsigned int)type);
 
     crv = (*db->sdb_DestroyMetaData)(db, id);
     return crv;
@@ -307,8 +307,8 @@ sftkdb_PutAttributeSignature(SFTKDBHandle *handle, SDB *keyTarget,
     CK_RV crv;
 
     snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
-            sftkdb_TypeString(handle),
-            (unsigned int)objectID, (unsigned int)type);
+             sftkdb_TypeString(handle),
+             (unsigned int)objectID, (unsigned int)type);
 
     crv = (*keyTarget->sdb_PutMetaData)(keyTarget, id, signText, NULL);
     return crv;
diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c
index 9c953b307..fdd08648f 100644
--- a/lib/softoken/sftkpars.c
+++ b/lib/softoken/sftkpars.c
@@ -253,3 +253,16 @@ sftk_freeParams(sftk_parameters *params)
     FREE_CLEAR(params->updatedir);
     FREE_CLEAR(params->updateID);
 }
+
+PRBool
+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
+{
+    CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+
+    /* if we don't have any params, the flag isn't set */
+    if ((!init_args || !init_args->LibraryParameters)) {
+        return PR_FALSE;
+    }
+
+    return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
+}
diff --git a/lib/softoken/sftkpars.h b/lib/softoken/sftkpars.h
deleted file mode 100644
index a7707fc2b..000000000
--- a/lib/softoken/sftkpars.h
+++ /dev/null
@@ -1,14 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "pkcs11i.h"
-#include "sftkdbt.h"
-
-/* parsing functions */
-char *sftk_argFetchValue(char *string, int *pcount);
-char *sftk_getSecmodName(char *param, SDBType *dbType, char **appName, char **filename, PRBool *rw);
-char *sftk_argStrip(char *c);
-CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
-void sftk_freeParams(sftk_parameters *params);
-const char *sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **app);
-char *sftk_argGetParamValue(char *paramName, char *parameters);
diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
index 30586fcf4..dfb42b4e0 100644
--- a/lib/softoken/softoken.h
+++ b/lib/softoken/softoken.h
@@ -57,7 +57,7 @@ extern unsigned char *CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf,
 ** Power-Up selftests are required for FIPS.
 */
 /* make sure Power-up selftests have been run. */
-extern CK_RV sftk_FIPSEntryOK(void);
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
 
 /*
 ** make known fixed PKCS #11 key types to their sizes in bytes