[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 95/156: Make FIPS mode work. This fixes 2 problems:
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:32 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit 70604635a44eecb3cb73303ed421e3006e4153b5
Author: rcritten <>
Date: Fri May 16 15:16:02 2008 +0000
Make FIPS mode work. This fixes 2 problems:
1. In nss_init_SSLLibrary() the server config wasn't being set properly
for each virtual server so FIPS wasn't getting turned on.
2. There seem to be a problem in NSS_Shutdown() that makes subsequent
logins appear to succeed but they actually are skipped causing keys
and certs to not be available.
Also switch an error message to a warning related to FIPS ciphers.
---
nss_engine_init.c | 5 +++--
nss_engine_pphrase.c | 7 +++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index c83a4aa..c4e2d90 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -148,9 +148,10 @@ static void nss_init_SSLLibrary(server_rec *base_server)
const char * ocspurl = NULL;
const char * ocspname = NULL;
- sc = mySrvConfig(base_server);
for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
if (sc->fips == TRUE) {
fipsenabled = TRUE;
}
@@ -802,7 +803,7 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
if (mctx->sc->fips) {
for (i=0; i<ciphernum; i++) {
if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
"Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
cipher_state[i] = PR_FALSE;
}
diff --git a/nss_engine_pphrase.c b/nss_engine_pphrase.c
index 83005bf..8a77301 100644
--- a/nss_engine_pphrase.c
+++ b/nss_engine_pphrase.c
@@ -62,6 +62,13 @@ SECStatus nss_Init_Tokens(server_rec *s)
{
PK11SlotInfo *slot = listEntry->slot;
+ /* This is needed to work around a bug in NSS while in FIPS mode.
+ * The first login will succeed but NSS_Shutdown() isn't cleaning
+ * something up causing subsequent logins to be skipped making
+ * keys and certs unavailable.
+ */
+ PK11_Logout(slot);
+
if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if (slot == PK11_GetInternalKeySlot()) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git
More information about the Pkg-fedora-ds-maintainers
mailing list