[Fedora-directory-commits] mod_nss nss_engine_init.c, 1.31, 1.32 nss_engine_pphrase.c, 1.10, 1.11

Robert Crittenden (rcritten) fedora-directory-commits at redhat.com
Fri May 16 15:16:05 UTC 2008


Author: rcritten

Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7275

Modified Files:
	nss_engine_init.c nss_engine_pphrase.c 
Log Message:
Make FIPS mode work. This fixes 2 problems:

1. In nss_init_SSLLibrary() the server config wasn't being set properly
   for each virtual server so FIPS wasn't getting turned on.
2. There seems to be a problem in NSS_Shutdown() that makes subsequent
   logins appear to succeed but they actually are skipped, causing keys
   and certs to not be available.

Also switch an error message to a warning related to FIPS ciphers.



Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- nss_engine_init.c	9 May 2008 14:17:38 -0000	1.31
+++ nss_engine_init.c	16 May 2008 15:16:02 -0000	1.32
@@ -148,9 +148,10 @@
     const char * ocspurl = NULL;
     const char * ocspname = NULL;
 
-    sc = mySrvConfig(base_server);
 
     for (s = base_server; s; s = s->next) {
+        sc = mySrvConfig(s);
+
         if (sc->fips == TRUE) {
             fipsenabled = TRUE;
         }
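Review bot: moving `sc = mySrvConfig(s);` inside the loop fixes the per-vhost FIPS check, but it also changes what `sc` holds after the loop: it now points at the config of the last server in the chain rather than `base_server`, so any code later in nss_init_SSLLibrary() that still expects `sc` to be the base server's config is now reading a different vhost. Either re-assign `sc = mySrvConfig(base_server);` after the loop or use a separate local for the loop body. Minor style point: removing the old assignment leaves two consecutive blank lines before the `for`.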
@@ -802,7 +803,7 @@
     if (mctx->sc->fips) {
         for (i=0; i<ciphernum; i++) {
             if (cipher_state[i] == PR_TRUE && fips_state[i] == PR_FALSE) {
-                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                     "Cipher %s is enabled but this is not a FIPS cipher, disabling.", ciphers_def[i].name);
                 cipher_state[i] = PR_FALSE;
             }
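Review bot: demoting this from APLOG_ERR to APLOG_WARNING is consistent with the code path, since the non-FIPS cipher is simply disabled and startup continues rather than failing, but it means an administrator who explicitly listed a non-FIPS cipher in FIPS mode will only see the correction at warning level. It would be worth stating in the directive documentation that non-FIPS ciphers are silently dropped when FIPS mode is on, so the warning is not the only record of that behaviour.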


Index: nss_engine_pphrase.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- nss_engine_pphrase.c	22 Feb 2007 16:50:14 -0000	1.10
+++ nss_engine_pphrase.c	16 May 2008 15:16:02 -0000	1.11
@@ -62,6 +62,13 @@
     {
         PK11SlotInfo *slot = listEntry->slot;
 
+        /* This is needed to work around a bug in NSS while in FIPS mode.
+         * The first login will succeed but NSS_Shutdown() isn't cleaning
+         * something up causing subsequent logins to be skipped making
+         * keys and certs unavailable.
+         */
+        PK11_Logout(slot);
+
         if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
             if (slot == PK11_GetInternalKeySlot()) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
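Review bot: `PK11_Logout(slot);` is called unconditionally on every slot, in non-FIPS mode as well, and its SECStatus return value is discarded. Since the comment describes this as a workaround for FIPS-mode behaviour in NSS_Shutdown(), consider guarding it with the same `fips` config check used in nss_engine_init.c, or at least stating in the comment why the extra logout is harmless on non-FIPS slots, and logging a failure return at debug level so a silently failing logout is not mistaken for the original symptom. The comment should also record which NSS version or bug report the workaround targets so it can be removed once NSS is fixed.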

