Bug 1635509 NSS needs to export the System FIPS state. r=kjacob

Internally, NSS uses the system FIPS state to determine if it needs to go into FIPS mode independent of the database FIPS indication. Some applications need to know this value, particularly if the need to know the FIPS state before they call NSS_Init (NSS_IsFIPS() is only valid after init because it depends on the database indicator which is not known until NSS is intialized.

Differential Revision: https://phabricator.services.mozilla.com/D73986

automation/abi-check/expected-report-libnss3.so.txt

@@ -0,0 +1,5 @@
+
+1 Added function:
+
+  [A] 'function PRBool SECMOD_GetSystemFIPSEnabled()'    {SECMOD_GetSystemFIPSEnabled@@NSS_3.53}
+

lib/nss/nss.def

@@ -1175,3 +1175,9 @@ PK11_SymKeysToSameSlot;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.53 { 	# NSS 3.53 release
+;+    global:
+SECMOD_GetSystemFIPSEnabled;
+;+    local:
+;+       *;
+;+};

lib/pk11wrap/pk11pars.c

@@ -818,7 +818,7 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
     /* if the system FIPS mode is enabled, force FIPS to be on */
-    if (secmod_GetSystemFIPSEnabled()) {
+    if (SECMOD_GetSystemFIPSEnabled()) {
         mod->isFIPS = PR_TRUE;
     }
     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);

lib/pk11wrap/pk11pub.h

@@ -939,6 +939,17 @@ PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
 
 PRBool SECMOD_HasRootCerts(void);
 
+/**********************************************************************
+ * Other Utilities
+ **********************************************************************/
+/* 
+ * Get the state of the system FIPS mode -
+ *  NSS uses this to force FIPS mode if the system bit is on. This returns
+ *  the system state independent of the database state and can be called
+ *  before NSS initializes.
+ */
+int SECMOD_GetSystemFIPSEnabled();
+
 SEC_END_PROTOS
 
 #endif

lib/pk11wrap/pk11util.c

@@ -95,8 +95,8 @@ SECMOD_Shutdown()
     return SECSuccess;
 }
 
-int
-secmod_GetSystemFIPSEnabled(void)
+PRBool
+SECMOD_GetSystemFIPSEnabled(void)
 {
 #ifdef LINUX
 #ifndef NSS_FIPS_DISABLED
@@ -106,20 +106,20 @@ secmod_GetSystemFIPSEnabled(void)
 
     f = fopen("/proc/sys/crypto/fips_enabled", "r");
     if (!f) {
-        return 0;
+        return PR_FALSE;
     }
 
     size = fread(&d, 1, sizeof(d), f);
     fclose(f);
     if (size != sizeof(d)) {
-        return 0;
+        return PR_FALSE;
     }
     if (d == '1') {
-        return 1;
+        return PR_TRUE;
     }
 #endif
 #endif
-    return 0;
+    return PR_FALSE;
 }
 
 /*
@@ -455,7 +455,7 @@ SECMOD_DeleteInternalModule(const char *name)
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
-    if (secmod_GetSystemFIPSEnabled() || pendingModule) {
+    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
         PORT_SetError(SEC_ERROR_MODULE_STUCK);
         return rv;
     }
@@ -990,7 +990,7 @@ SECMOD_CanDeleteInternalModule(void)
 #ifdef NSS_FIPS_DISABLED
     return PR_FALSE;
 #else
-    return (PRBool)((pendingModule == NULL) && !secmod_GetSystemFIPSEnabled());
+    return (PRBool)((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
 #endif
 }
 

lib/pk11wrap/secmodi.h

@@ -115,13 +115,6 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
 
-/* Get the state of the system FIPS mode */
-/* NSS uses this to force FIPS mode if the system bit is on. Applications which
- * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
- * from FIPS mode will automatically be told that they can't swith out of FIPS
- * mode */
-int secmod_GetSystemFIPSEnabled();
-
 extern void pk11sdr_Init(void);
 extern void pk11sdr_Shutdown(void);