99b17fbdca
* bmo#1923285 - libclang-16 -> libclang-19
* bmo#1939086 - Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* bmo#1915902 - Remove SwissSign Silver CA – G2
* bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
* bmo#1942301 - fix fips test failure on windows
* bmo#1935925 - change default sensitivity of KEM keys
* bmo#1936001 - Part 1: Introduce frida hooks and script
* bmo#1942350 - add missing arm_neon.h include to gcm.c
* bmo#1831552 - ci: update windows workers to win2022
* bmo#1831552 - strip trailing carriage returns in tools tests
* bmo#1880256 - work around unix/windows path translation issues
in cert test script
* bmo#1831552 - ci: let the windows setup script work without $m
* bmo#1880255 - detect msys
* bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
* bmo#1930807 - NSS policy updates
* bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
* bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
* bmo#1930806 - FIPS changes need to be upstreamed - updated POST
* bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
* bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
* bmo#1935984 - Ensure zero-initialization of collectArgs.cert
* bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
* bmo#1915898 - Fix actual underlying ODR violations issue
* bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=471
77 lines
2.2 KiB
Diff
77 lines
2.2 KiB
Diff
# HG changeset patch
|
|
# User M. Sirringhaus <msirringhaus@suse.de>
|
|
# Date 1584305671 -3600
|
|
# Sun Mar 15 21:54:31 2020 +0100
|
|
# Node ID 715834d4a258c535f3abbf116d69d5e77392593b
|
|
# Parent 4ddd7d49eeed4ea32850daf41a472ccb50dee45e
|
|
commit facacdb9078693d7a4219e84f73ea7b8f977ddc2
|
|
Author: Hans Petter Jansson <hpj@cl.no>
|
|
Patch 32: nss-fips-detect-fips-mode-fixes.patch
|
|
|
|
Index: nss/lib/freebl/nsslowhash.c
|
|
===================================================================
|
|
--- nss.orig/lib/freebl/nsslowhash.c
|
|
+++ nss/lib/freebl/nsslowhash.c
|
|
@@ -2,9 +2,13 @@
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
+#define _GNU_SOURCE 1
|
|
+#include <stdlib.h>
|
|
+
|
|
#ifdef FREEBL_NO_DEPEND
|
|
#include "stubs.h"
|
|
#endif
|
|
+
|
|
#include "prtypes.h"
|
|
#include "prenv.h"
|
|
#include "secerr.h"
|
|
@@ -27,6 +31,22 @@ struct NSSLOWHASHContextStr {
|
|
static NSSLOWInitContext dummyContext = { 0 };
|
|
static PRBool post_failed = PR_TRUE;
|
|
|
|
+static PRBool
|
|
+getFIPSEnv(void)
|
|
+{
|
|
+ char *fipsEnv = secure_getenv("NSS_FIPS");
|
|
+ if (!fipsEnv) {
|
|
+ return PR_FALSE;
|
|
+ }
|
|
+ if ((strcasecmp(fipsEnv, "fips") == 0) ||
|
|
+ (strcasecmp(fipsEnv, "true") == 0) ||
|
|
+ (strcasecmp(fipsEnv, "on") == 0) ||
|
|
+ (strcasecmp(fipsEnv, "1") == 0)) {
|
|
+ return PR_TRUE;
|
|
+ }
|
|
+ return PR_FALSE;
|
|
+}
|
|
+
|
|
NSSLOWInitContext *
|
|
NSSLOW_Init(void)
|
|
{
|
|
@@ -37,7 +57,7 @@ NSSLOW_Init(void)
|
|
#ifndef NSS_FIPS_DISABLED
|
|
/* make sure the FIPS product is installed if we are trying to
|
|
* go into FIPS mode */
|
|
- if (NSS_GetSystemFIPSEnabled()) {
|
|
+ if (NSS_GetSystemFIPSEnabled() || getFIPSEnv()) {
|
|
if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
|
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
post_failed = PR_TRUE;
|
|
Index: nss/lib/sysinit/nsssysinit.c
|
|
===================================================================
|
|
--- nss.orig/lib/sysinit/nsssysinit.c
|
|
+++ nss/lib/sysinit/nsssysinit.c
|
|
@@ -185,9 +185,9 @@ getFIPSMode(void)
|
|
size = fread(&d, 1, 1, f);
|
|
fclose(f);
|
|
if (size != 1)
|
|
- return PR_FALSE;
|
|
+ return getFIPSEnv();
|
|
if (d != '1')
|
|
- return PR_FALSE;
|
|
+ return getFIPSEnv();
|
|
return PR_TRUE;
|
|
#else
|
|
return PR_FALSE;
|