Fix for Bug 81322 r=mcgreer@netscape.com sr=blizzard@mozilla.org

Give users the ability to turn on FIPS mode when using PSM 2.0
2024-12-02 01:48:05 +00:00 · 2001-05-17 23:45:22 +00:00 · 2001-05-17 23:45:22 +00:00 · 4b3c672287
commit 4b3c672287
parent c3b71c612b
5 changed files with 61 additions and 0 deletions
--- a/security/manager/pki/resources/content/device_manager.js
+++ b/security/manager/pki/resources/content/device_manager.js
@ -71,6 +71,20 @@ function LoadModules()
      modules.next();
    } catch (e) { done = true; }
  }
+  /* Set the text on the fips button */
+  SetFIPSButtonText();
+}
+
+function SetFIPSButtonText()
+{
+  var fipsButton = document.getElementById("fipsbutton");
+  var label;
+  if (secmoddb.isFIPSEnabled) {
+   label = bundle.GetStringFromName("disable_fips"); 
+  } else {
+   label = bundle.GetStringFromName("enable_fips"); 
+  }
+  fipsButton.setAttribute("label", label);
 }

 /* Add a module to the tree.  slots is the array of slots in the module,
@ -351,3 +365,15 @@ function showTokenInfo()
  AddInfoRow(bundle.GetStringFromName("devinfo_fwversion"),
             selected_token.tokenFWVersion, "tok_fwv");
 }
+
+function toggleFIPS()
+{
+  secmoddb.toggleFIPSMode();
+  //Remove the existing listed modules so that re-fresh doesn't 
+  //display the module that just changed.
+  var device_list = document.getElementById("device_list");
+  while (device_list.firstChild)
+    device_list.removeChild(device_list.firstChild);
+
+  LoadModules();
+}
--- a/security/manager/pki/resources/content/device_manager.xul
+++ b/security/manager/pki/resources/content/device_manager.xul
@ -104,6 +104,7 @@
        <button id="unload_button" 
                label="&devmgr.button.unload.label;"
                onclick="doUnload();" disabled="true"/> 
+        <button id="fipsbutton" onclick="toggleFIPS();" />
      </vbox> <!-- / Buttons for manipulating devices -->
    </row>
    <row>
--- a/security/manager/pki/resources/locale/en-US/pippki.properties
+++ b/security/manager/pki/resources/locale/en-US/pippki.properties
@ -92,3 +92,5 @@ devinfo_stat_unitialized=Unitialized
 devinfo_stat_notloggedin=Not Logged In
 devinfo_stat_loggedin=Logged In
 devinfo_stat_ready=Ready
+enable_fips=Enable FIPS
+disable_fips=Disable FIPS
--- a/security/manager/ssl/public/nsIPKCS11Slot.idl
+++ b/security/manager/ssl/public/nsIPKCS11Slot.idl
@ -94,5 +94,8 @@ interface nsIPKCS11ModuleDB : nsISupports

  nsIEnumerator listModules();

+  void toggleFIPSMode();
+
+  readonly attribute boolean isFIPSEnabled;
 };

--- a/security/manager/ssl/src/nsPKCS11Slot.cpp
+++ b/security/manager/ssl/src/nsPKCS11Slot.cpp
@ -347,3 +347,32 @@ nsPKCS11ModuleDB::ListModules(nsIEnumerator **_retval)
  return rv;
 }

+/* void toggleFIPSMode (); */
+NS_IMETHODIMP nsPKCS11ModuleDB::ToggleFIPSMode()
+{
+  // The way to toggle FIPS mode in NSS is extremely obscure.
+  // Basically, we delete the internal module, and voila it
+  // gets replaced with the opposite module, ie if it was 
+  // FIPS before, then it becomes non-FIPS next.
+  SECMODModule *internal;
+
+  // This function returns us a pointer to a local copy of 
+  // the internal module stashed in NSS.  We don't want to
+  // delete it since it will cause much pain in NSS.
+  internal = SECMOD_GetInternalModule();
+  if (!internal)
+    return NS_ERROR_FAILURE;
+
+  SECStatus srv = SECMOD_DeleteInternalModule(internal->commonName);
+  if (srv != SECSuccess)
+    return NS_ERROR_FAILURE;
+
+  return NS_OK;
+}
+
+/* readonly attribute boolean isFIPSEnabled; */
+NS_IMETHODIMP nsPKCS11ModuleDB::GetIsFIPSEnabled(PRBool *aIsFIPSEnabled)
+{
+  *aIsFIPSEnabled = PK11_IsFIPS();
+  return NS_OK;
+}