mozilla-nss/nss-fips-detect-fips-mode-fixes.patch

# HG changeset patch
# User M. Sirringhaus <msirringhaus@suse.de>
# Date 1584305671 -3600
#      Sun Mar 15 21:54:31 2020 +0100
# Node ID 715834d4a258c535f3abbf116d69d5e77392593b
# Parent  4ddd7d49eeed4ea32850daf41a472ccb50dee45e
commit facacdb9078693d7a4219e84f73ea7b8f977ddc2
Author: Hans Petter Jansson <hpj@cl.no>
    Patch 32: nss-fips-detect-fips-mode-fixes.patch

Index: nss/lib/freebl/nsslowhash.c
===================================================================
--- nss.orig/lib/freebl/nsslowhash.c
+++ nss/lib/freebl/nsslowhash.c
@@ -2,9 +2,13 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#define _GNU_SOURCE 1
+#include <stdlib.h>
+
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
+
 #include "prtypes.h"
 #include "prenv.h"
 #include "secerr.h"
@@ -27,6 +31,22 @@ struct NSSLOWHASHContextStr {
 static NSSLOWInitContext dummyContext = { 0 };
 static PRBool post_failed = PR_TRUE;
 
+static PRBool
+getFIPSEnv(void)
+{
+    char *fipsEnv = secure_getenv("NSS_FIPS");
+    if (!fipsEnv) {
+        return PR_FALSE;
+    }
+    if ((strcasecmp(fipsEnv, "fips") == 0) ||
+        (strcasecmp(fipsEnv, "true") == 0) ||
+        (strcasecmp(fipsEnv, "on") == 0) ||
+        (strcasecmp(fipsEnv, "1") == 0)) {
+        return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
 NSSLOWInitContext *
 NSSLOW_Init(void)
 {
@@ -37,7 +57,7 @@ NSSLOW_Init(void)
 #ifndef NSS_FIPS_DISABLED
     /* make sure the FIPS product is installed if we are trying to
      * go into FIPS mode */
-    if (NSS_GetSystemFIPSEnabled()) {
+    if (NSS_GetSystemFIPSEnabled() || getFIPSEnv()) {
         if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             post_failed = PR_TRUE;
Index: nss/lib/sysinit/nsssysinit.c
===================================================================
--- nss.orig/lib/sysinit/nsssysinit.c
+++ nss/lib/sysinit/nsssysinit.c
@@ -185,9 +185,9 @@ getFIPSMode(void)
     size = fread(&d, 1, 1, f);
     fclose(f);
     if (size != 1)
-        return PR_FALSE;
+        return getFIPSEnv();
     if (d != '1')
-        return PR_FALSE;
+        return getFIPSEnv();
     return PR_TRUE;
 #else
     return PR_FALSE;
- update to NSS 3.104 * bmo#1910071 - Copy original corpus to heap-allocated buffer * bmo#1910079 - Fix min ssl version for DTLS client fuzzer * bmo#1908990 - Remove OS2 support just like we did on NSPR * bmo#1910605 - clang-format NSS improvements * bmo#1902078 - Adding basicutil.h to use HexString2SECItem function * bmo#1908990 - removing dirent.c from build * bmo#1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible * bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references * bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * bmo#1908990 - remove mentions of WIN95 * bmo#1908990 - remove mentions of WIN16 * bmo#1913750 - More explicit directory naming * bmo#1913755 - Add more options to TLS server fuzz target * bmo#1913675 - Add more options to TLS client fuzz target * bmo#1835240 - Use OSS-Fuzz corpus in NSS CI * bmo#1908012 - set nssckbi version number to 2.70. * bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert. * bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA. * bmo#1908006 - Add Cybertrust Japan Roots to NSS. * bmo#1908004 - Add Taiwan CA Roots to NSS. * bmo#1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * bmo#1913132 - Fix tstclnt CI build failure * bmo#1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * bmo#1912427 - Enable all supported protocol versions for UDP * bmo#1910361 - Actually use random PSK hash type OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=457 2024-09-28 13:15:50 +02:00			`# HG changeset patch`
			`# User M. Sirringhaus <msirringhaus@suse.de>`
			`# Date 1584305671 -3600`
			`# Sun Mar 15 21:54:31 2020 +0100`
			`# Node ID 715834d4a258c535f3abbf116d69d5e77392593b`
			`# Parent 4ddd7d49eeed4ea32850daf41a472ccb50dee45e`
			`commit facacdb9078693d7a4219e84f73ea7b8f977ddc2`
			`Author: Hans Petter Jansson <hpj@cl.no>`
			`Patch 32: nss-fips-detect-fips-mode-fixes.patch`

			`Index: nss/lib/freebl/nsslowhash.c`
			`===================================================================`
			`--- nss.orig/lib/freebl/nsslowhash.c`
			`+++ nss/lib/freebl/nsslowhash.c`
			`@@ -2,9 +2,13 @@`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/. */`

			`+#define _GNU_SOURCE 1`
			`+#include <stdlib.h>`
			`+`
			`#ifdef FREEBL_NO_DEPEND`
			`#include "stubs.h"`
			`#endif`
			`+`
			`#include "prtypes.h"`
			`#include "prenv.h"`
			`#include "secerr.h"`
			`@@ -27,6 +31,22 @@ struct NSSLOWHASHContextStr {`
			`static NSSLOWInitContext dummyContext = { 0 };`
			`static PRBool post_failed = PR_TRUE;`

			`+static PRBool`
			`+getFIPSEnv(void)`
			`+{`
			`+ char *fipsEnv = secure_getenv("NSS_FIPS");`
			`+ if (!fipsEnv) {`
			`+ return PR_FALSE;`
			`+ }`
			`+ if ((strcasecmp(fipsEnv, "fips") == 0) \|\|`
			`+ (strcasecmp(fipsEnv, "true") == 0) \|\|`
			`+ (strcasecmp(fipsEnv, "on") == 0) \|\|`
			`+ (strcasecmp(fipsEnv, "1") == 0)) {`
			`+ return PR_TRUE;`
			`+ }`
			`+ return PR_FALSE;`
			`+}`
			`+`
			`NSSLOWInitContext *`
			`NSSLOW_Init(void)`
			`{`
			`@@ -37,7 +57,7 @@ NSSLOW_Init(void)`
			`#ifndef NSS_FIPS_DISABLED`
			`/* make sure the FIPS product is installed if we are trying to`
			`* go into FIPS mode */`
			`- if (NSS_GetSystemFIPSEnabled()) {`
			`+ if (NSS_GetSystemFIPSEnabled() \|\| getFIPSEnv()) {`
			`if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {`
			`PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);`
			`post_failed = PR_TRUE;`
			`Index: nss/lib/sysinit/nsssysinit.c`
			`===================================================================`
			`--- nss.orig/lib/sysinit/nsssysinit.c`
			`+++ nss/lib/sysinit/nsssysinit.c`
- update to NSS 3.105 * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * bmo#1918767 - override default definition of KRML_MUSTINLINE * bmo#1916525 - libssl support for mlkem768x25519 * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL * bmo#1911912 - Avoid misuse of ctype(3) functions * bmo#1917311 - part 2: run clang-format * bmo#1917311 - part 1: upgrade to clang-format 13 * bmo#1916953 - clang-format fuzz * bmo#1910370 - DTLS client message buffer may not empty be on retransmit * bmo#1916413 - Optionally print config for TLS client and server fuzz target * bmo#1916059 - Fix some simple documentation issues in NSS. * bmo#1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=463 2024-10-28 13:29:57 +01:00			`@@ -185,9 +185,9 @@ getFIPSMode(void)`
- update to NSS 3.104 * bmo#1910071 - Copy original corpus to heap-allocated buffer * bmo#1910079 - Fix min ssl version for DTLS client fuzzer * bmo#1908990 - Remove OS2 support just like we did on NSPR * bmo#1910605 - clang-format NSS improvements * bmo#1902078 - Adding basicutil.h to use HexString2SECItem function * bmo#1908990 - removing dirent.c from build * bmo#1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible * bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references * bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * bmo#1908990 - remove mentions of WIN95 * bmo#1908990 - remove mentions of WIN16 * bmo#1913750 - More explicit directory naming * bmo#1913755 - Add more options to TLS server fuzz target * bmo#1913675 - Add more options to TLS client fuzz target * bmo#1835240 - Use OSS-Fuzz corpus in NSS CI * bmo#1908012 - set nssckbi version number to 2.70. * bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert. * bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA. * bmo#1908006 - Add Cybertrust Japan Roots to NSS. * bmo#1908004 - Add Taiwan CA Roots to NSS. * bmo#1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * bmo#1913132 - Fix tstclnt CI build failure * bmo#1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * bmo#1912427 - Enable all supported protocol versions for UDP * bmo#1910361 - Actually use random PSK hash type OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=457 2024-09-28 13:15:50 +02:00			`size = fread(&d, 1, 1, f);`
			`fclose(f);`
			`if (size != 1)`
			`- return PR_FALSE;`
			`+ return getFIPSEnv();`
			`if (d != '1')`
			`- return PR_FALSE;`
			`+ return getFIPSEnv();`
			`return PR_TRUE;`
			`#else`
			`return PR_FALSE;`