Surface the Err codes if we fail to shift to FIPS mode.
Add new option to verify that we have shifted to FIPS mode.
Родитель
9091d5b06d
Коммит
87a6506c3f
|
@ -58,6 +58,7 @@ typedef enum {
|
|||
LIST_COMMAND,
|
||||
RAW_LIST_COMMAND,
|
||||
RAW_ADD_COMMAND,
|
||||
CHKFIPS_COMMAND,
|
||||
UNDEFAULT_COMMAND
|
||||
} Command;
|
||||
|
||||
|
@ -76,6 +77,7 @@ static char *commandNames[] = {
|
|||
"-list",
|
||||
"-rawlist",
|
||||
"-rawadd",
|
||||
"-chkfips",
|
||||
"-undefault"
|
||||
};
|
||||
|
||||
|
@ -109,6 +111,7 @@ typedef enum {
|
|||
SECMOD_ARG,
|
||||
NOCERTDB_ARG,
|
||||
STRING_ARG,
|
||||
CHKFIPS_ARG,
|
||||
|
||||
NUM_ARGS /* must be last */
|
||||
} Arg;
|
||||
|
@ -142,6 +145,7 @@ static char *optionStrings[] = {
|
|||
"-secmod",
|
||||
"-nocertdb",
|
||||
"-string",
|
||||
"-chkfips",
|
||||
};
|
||||
|
||||
/* Increment i if doing so would have i still be less than j. If you
|
||||
|
@ -333,6 +337,18 @@ parse_args(int argc, char *argv[])
|
|||
}
|
||||
fipsArg = argv[i];
|
||||
break;
|
||||
case CHKFIPS_ARG:
|
||||
if(command != NO_COMMAND) {
|
||||
PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
|
||||
return MULTIPLE_COMMAND_ERR;
|
||||
}
|
||||
command = CHKFIPS_COMMAND;
|
||||
if(TRY_INC(i, argc)) {
|
||||
PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
|
||||
return OPTION_NEEDS_ARG_ERR;
|
||||
}
|
||||
fipsArg = argv[i];
|
||||
break;
|
||||
case FORCE_ARG:
|
||||
force = 1;
|
||||
break;
|
||||
|
@ -515,6 +531,7 @@ verify_params()
|
|||
case ENABLE_COMMAND:
|
||||
break;
|
||||
case FIPS_COMMAND:
|
||||
case CHKFIPS_COMMAND:
|
||||
if(PL_strcasecmp(fipsArg, "true") &&
|
||||
PL_strcasecmp(fipsArg, "false")) {
|
||||
PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
|
||||
|
@ -749,6 +766,8 @@ usage()
|
|||
" directory is used\n"
|
||||
"-list [MODULE] Lists information about the specified module\n"
|
||||
" or about all modules if none is specified\n"
|
||||
"-chkfips [ true | false ] If true, verify FIPS mode. If false,\n"
|
||||
" verify not FIPS mode\n"
|
||||
"-undefault MODULE The given module is NOT a default provider\n"
|
||||
" -mechanisms MECHANISM_LIST of the listed mechanisms\n"
|
||||
" [-slot SLOT] limit change to only the given slot\n"
|
||||
|
@ -836,7 +855,7 @@ main(int argc, char *argv[])
|
|||
|
||||
/* Set up crypto stuff */
|
||||
createdb = command==CREATE_COMMAND;
|
||||
readOnly = command==LIST_COMMAND;
|
||||
readOnly = ((command==LIST_COMMAND) || (command==CHKFIPS_COMMAND));
|
||||
|
||||
/* Make sure browser is not running if we're writing to a database */
|
||||
/* Do this before initializing crypto */
|
||||
|
@ -891,6 +910,9 @@ main(int argc, char *argv[])
|
|||
case FIPS_COMMAND:
|
||||
errcode = FipsMode(fipsArg);
|
||||
break;
|
||||
case CHKFIPS_COMMAND:
|
||||
errcode = ChkFipsMode(fipsArg);
|
||||
break;
|
||||
case JAR_COMMAND:
|
||||
Pk11Install_SetErrorHandler(install_error);
|
||||
errcode = Pk11Install_DoInstall(jarFile, installDir, tempDir,
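Review bot: The new `-chkfips` entry in usage() does not say how the result of the check is reported, which is what anyone scripting this as a compliance gate needs to know. From the main() hunk the outcome is carried only in `errcode = ChkFipsMode(fipsArg);`, which presumably becomes the process exit status (the end of main() is outside the hunk, so confirm). I would add a continuation line to the help text along the lines of `"                            exits non-zero if the mode does not match\n"`. Opening the database read-only for `CHKFIPS_COMMAND` looks right for a pure query. The bodies of usage(), parse_args() and main() start and end outside the hunks shown.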
|
||||
|
|
|
@ -50,6 +50,7 @@
|
|||
#include "error.h"
|
||||
|
||||
Error FipsMode(char *arg);
|
||||
Error ChkFipsMode(char *arg);
|
||||
Error AddModule(char *moduleName, char *libFile, char *ciphers,
|
||||
char *mechanisms, char* modparms);
|
||||
Error DeleteModule(char *moduleName);
|
||||
|
|
|
@ -60,6 +60,10 @@ FipsMode(char *arg)
|
|||
return FIPS_SWITCH_FAILED_ERR;
|
||||
}
|
||||
PR_smprintf_free(internal_name);
|
||||
if (!PK11_IsFIPS()) {
|
||||
PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
|
||||
return FIPS_SWITCH_FAILED_ERR;
|
||||
}
|
||||
PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
|
||||
} else {
|
||||
PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]);
|
||||
|
@ -75,6 +79,10 @@ FipsMode(char *arg)
|
|||
return FIPS_SWITCH_FAILED_ERR;
|
||||
}
|
||||
PR_smprintf_free(internal_name);
|
||||
if (PK11_IsFIPS()) {
|
||||
PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
|
||||
return FIPS_SWITCH_FAILED_ERR;
|
||||
}
|
||||
PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
|
||||
} else {
|
||||
PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_OFF_ERR]);
|
||||
|
@ -88,6 +96,41 @@ FipsMode(char *arg)
|
|||
return SUCCESS;
|
||||
}
|
||||
|
||||
/*************************************************************************
|
||||
*
|
||||
* C h k F i p s M o d e
|
||||
* If arg=="true", verify FIPS mode is enabled on the internal module.
|
||||
* If arg=="false", verify FIPS mode is disabled on the internal module.
|
||||
*/
|
||||
Error
|
||||
ChkFipsMode(char *arg)
|
||||
{
|
||||
|
||||
char *internal_name;
|
||||
|
||||
if(!PORT_Strcasecmp(arg, "true")) {
|
||||
if (PK11_IsFIPS()) {
|
||||
PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
|
||||
} else {
|
||||
PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
|
||||
return FIPS_SWITCH_FAILED_ERR;
|
||||
}
|
||||
|
||||
} else if(!PORT_Strcasecmp(arg, "false")) {
|
||||
if(!PK11_IsFIPS()) {
|
||||
PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
|
||||
} else {
|
||||
PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
|
||||
return FIPS_SWITCH_FAILED_ERR;
|
||||
}
|
||||
} else {
|
||||
PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
|
||||
return INVALID_FIPS_ARG;
|
||||
}
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/************************************************************************
|
||||
* Cipher and Mechanism name-bitmask translation tables
|
||||
*/
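Review bot: In ChkFipsMode the two mismatch branches signal failure only through the return value, because they print the current state with `PR_fprintf(PR_STDOUT, ...)` and then return `FIPS_SWITCH_FAILED_ERR` even though no switch was attempted. A caller that captures stdout sees the same "enabled"/"disabled" message on a passing and a failing check, and the exit code cannot be told apart from a genuinely failed `-fips` switch. I would send the mismatch message to the error stream, e.g. `PR_fprintf(PR_STDERR, msgStrings[FIPS_DISABLED_MSG]);` in the "true" branch and the `FIPS_ENABLED_MSG` equivalent in the "false" branch, and return a dedicated error code for "mode does not match" if the error table can take one. The local `char *internal_name;` is never used in this function and can be dropped. The header comment should also state that the function only queries `PK11_IsFIPS()` and changes nothing.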
|
||||
|
|