Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

Thu, 10 Jun 2010 23:06:16 -0700 

On Fri, Jun 11, 2010 at 05:59:27AM +0000, Robin H. Johnson wrote:
> On Thu, Jun 10, 2010 at 10:45:03PM +0000, Robin H. Johnson wrote:
> > Testcase 2:
> > (see attached minimal C code, based on posts to the list and used in the
> > modutils source AND Mozilla).
> Bah, forgot the actual file.
> 
> The testcase has been run on Arch and Fedora now, and both of those
> cases it works fine.

Ah, no, this list is stripping my code.

//---------
//compile: gcc nss-fipstest.c $(pkg-config --cflags nss) $(pkg-config --libs 
nss) -o nss-fipstest
#include <nss.h>
#include <pk11pub.h>
#include <secmod.h>
/* Define to the default location of the NSS configuration directory. */
#define DEFAULT_CONFIG_DIR "/etc/pki/nssdb"
int main(int argc, char **argv) {
        const char* configdir = DEFAULT_CONFIG_DIR;
        int status;
        status = NSS_NoDB_Init(configdir);
        if (status != SECSuccess) {
                fprintf(stderr, "Error initializing NSS.\n");
                return status;
        }
  // The way to toggle FIPS mode in NSS is extremely obscure.
  // Basically, we delete the internal module, and voila it
  // gets replaced with the opposite module, ie if it was
  // FIPS before, then it becomes non-FIPS next.
  SECMODModule *internal;

  // This function returns us a pointer to a local copy of
  // the internal module stashed in NSS.  We don't want to
  // delete it since it will cause much pain in NSS.
  internal = SECMOD_GetInternalModule();
  if (!internal) {
          fprintf(stderr, "Failed to get internal module\n");
          return 1;
  }

  fprintf(stderr, "Got internal module: %s\n", internal->commonName);
  SECStatus srv = SECMOD_DeleteInternalModule(internal->commonName);
  if (srv != SECSuccess) {
          fprintf(stderr, "Failed to delete internal module (%s)\n", 
internal->commonName);
          return 1;
  }

  return 0;
}
//---------

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

Attachment: pgpb1XBtRyxwO.pgp
Description: PGP signature

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to