Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7275
Modified Files:
nss_engine_init.c nss_engine_pphrase.c
Log Message:
Make FIPS mode work. This fixes 2 problems:
1. In nss_init_SSLLibrary() the server config wasn't being set properly
for each virtual server so FIPS wasn't getting turned on.
2. There seem to be a problem in NSS_Shutdown() that makes subsequent
logins appear to succeed but they actually are skipped causing keys
and certs to not be available.
Also switch an error message to a warning related to FIPS ciphers.
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- nss_engine_init.c 9 May 2008 14:17:38 -0000 1.31
+++ nss_engine_init.c 16 May 2008 15:16:02 -0000 1.32
@@ -148,9 +148,10 @@
const char * ocspurl = NULL;
const char * ocspname = NULL;
- sc = mySrvConfig(base_server);
for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
if (sc->fips == TRUE) {
fipsenabled = TRUE;
}
@@ -802,7 +803,7 @@
if (mctx->sc->fips) {
for (i=0; i<ciphernum; i++) {
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
"Cipher %s is enabled but this is not a FIPS cipher,
disabling.", ciphers_def[i].name);
cipher_state[i] = PR_FALSE;
}
Index: nss_engine_pphrase.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- nss_engine_pphrase.c 22 Feb 2007 16:50:14 -0000 1.10
+++ nss_engine_pphrase.c 16 May 2008 15:16:02 -0000 1.11
@@ -62,6 +62,13 @@
{
PK11SlotInfo *slot = listEntry->slot;
+ /* This is needed to work around a bug in NSS while in FIPS mode.
+ * The first login will succeed but NSS_Shutdown() isn't cleaning
+ * something up causing subsequent logins to be skipped making
+ * keys and certs unavailable.
+ */
+ PK11_Logout(slot);
+
if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if (slot == PK11_GetInternalKeySlot()) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
Show replies by thread