diff --git a/packages/security/nss/package.mk b/packages/security/nss/package.mk index 2cb6de4eab..954c3b81b4 100644 --- a/packages/security/nss/package.mk +++ b/packages/security/nss/package.mk @@ -14,6 +14,10 @@ PKG_LONGDESC="The Network Security Services (NSS) package is a set of libraries PKG_TOOLCHAIN="manual" PKG_BUILD_FLAGS="-parallel" +post_patch() { + echo "DEFINES += -DNSS_FIPS_DISABLED" >> ${PKG_BUILD}/nss/coreconf/config.mk +} + make_host() { cd ${PKG_BUILD}/nss diff --git a/packages/security/nss/patches/0001-Revert-Bug-1827303-Softoken-C_-calls-should-use-syst.patch b/packages/security/nss/patches/0001-Revert-Bug-1827303-Softoken-C_-calls-should-use-syst.patch deleted file mode 100644 index 63d70f1ab9..0000000000 --- a/packages/security/nss/patches/0001-Revert-Bug-1827303-Softoken-C_-calls-should-use-syst.patch +++ /dev/null @@ -1,329 +0,0 @@ -From 4d40ae4e120bf69e27f9f9331c3fedaf01a48edd Mon Sep 17 00:00:00 2001 -From: Rudi Heitbaum -Date: Tue, 3 Oct 2023 15:57:07 +0000 -Subject: [PATCH] Revert "Bug 1827303 Softoken C_ calls should use system FIPS - setting to select NSC_ or FC_ variants." - -This reverts commit e91f174eeb34e5acfa9f01bb194905168c82bef9. ---- - lib/freebl/nsslowhash.c | 32 ++++++++++++- - lib/freebl/stubs.c | 44 ------------------ - lib/freebl/stubs.h | 1 - - lib/pk11wrap/pk11util.c | 23 +++++++++- - lib/softoken/pkcs11.c | 35 -------------- - lib/util/nssutil.def | 6 --- - lib/util/secport.c | 46 ------------------- - lib/util/secport.h | 1 - - 9 files changed, 53 insertions(+), 140 deletions(-) - -diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c -index cf9e8ac52..7a22a357e 100644 ---- a/nss/lib/freebl/nsslowhash.c -+++ b/nss/lib/freebl/nsslowhash.c -@@ -23,6 +23,36 @@ struct NSSLOWHASHContextStr { - void *hashCtxt; - }; - -+#ifndef NSS_FIPS_DISABLED -+static int -+nsslow_GetFIPSEnabled(void) -+{ -+#ifdef LINUX -+ FILE *f; -+ char d; -+ size_t size; -+ const char *env; -+ -+ env = PR_GetEnvSecure("NSS_FIPS"); -+ if (env && (*env == 'y' || *env == 'f' || *env == '1' || *env == 't')) { -+ return 1; -+ } -+ -+ f = fopen("/proc/sys/crypto/fips_enabled", "r"); -+ if (!f) -+ return 0; -+ -+ size = fread(&d, 1, 1, f); -+ fclose(f); -+ if (size != 1) -+ return 0; -+ if (d != '1') -+ return 0; -+#endif /* LINUX */ -+ return 1; -+} -+#endif /* NSS_FIPS_DISABLED */ -+ - static NSSLOWInitContext dummyContext = { 0 }; - static PRBool post_failed = PR_TRUE; - -@@ -36,7 +66,7 @@ NSSLOW_Init(void) - #ifndef NSS_FIPS_DISABLED - /* make sure the FIPS product is installed if we are trying to - * go into FIPS mode */ -- if (NSS_GetSystemFIPSEnabled()) { -+ if (nsslow_GetFIPSEnabled()) { - if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - post_failed = PR_TRUE; -diff --git a/nss/lib/freebl/stubs.c b/nss/lib/freebl/stubs.c -index a79cf69a2..a20d7abf3 100644 ---- a/nss/lib/freebl/stubs.c -+++ b/nss/lib/freebl/stubs.c -@@ -182,9 +182,6 @@ STUB_DECLARE(SECOidTag, SECOID_FindOIDTag_Util, (const SECItem *oid)); - STUB_DECLARE(int, NSS_SecureMemcmp, (const void *a, const void *b, size_t n)); - STUB_DECLARE(unsigned int, NSS_SecureMemcmpZero, (const void *mem, size_t n)); - STUB_DECLARE(void, NSS_SecureSelect, (void *dest, const void *src0, const void *src1, size_t n, unsigned char b)); --#ifndef NSS_FIPS_DISABLED --STUB_DECLARE(PRBool, NSS_GetSystemFIPSEnabled, (void)); --#endif - - #define PORT_ZNew_stub(type) (type *)PORT_ZAlloc_stub(sizeof(type)) - #define PORT_New_stub(type) (type *)PORT_Alloc_stub(sizeof(type)) -@@ -715,47 +712,6 @@ NSS_SecureSelect_stub(void *dest, const void *src0, const void *src1, size_t n, - abort(); - } - --#ifndef NSS_FIPS_DISABLED --PRBool --NSS_GetSystemFIPSEnabled_stub(void) --{ -- STUB_SAFE_CALL0(NSS_GetSystemFIPSEnabled); -- const char *env; -- -- /* The environment variable is active for all platforms */ -- env = PR_GetEnvSecure_stub("NSS_FIPS"); -- /* we generally accept y, Y, 1, FIPS, TRUE, and ON as turning on FIPS -- * mode. Anything else is considered 'off' */ -- if (env && (*env == 'y' || *env == '1' || *env == 'Y' || -- (strcasecmp(env, "fips") == 0) || -- (strcasecmp(env, "true") == 0) || -- (strcasecmp(env, "on") == 0))) { -- return PR_TRUE; -- } -- --/* currently only Linux has a system FIPS indicator. Add others here -- * as they become available/known */ --#ifdef LINUX -- { -- FILE *f; -- char d; -- size_t size; -- f = fopen("/proc/sys/crypto/fips_enabled", "r"); -- if (!f) -- return PR_FALSE; -- -- size = fread(&d, 1, 1, f); -- fclose(f); -- if (size != 1) -- return PR_FALSE; -- if (d == '1') -- return PR_TRUE; -- } --#endif /* LINUX */ -- return PR_FALSE; --} --#endif /* NSS_FIPS_DISABLED = 0 */ -- - #ifdef FREEBL_NO_WEAK - - static const char *nsprLibName = SHLIB_PREFIX "nspr4." SHLIB_SUFFIX; -diff --git a/nss/lib/freebl/stubs.h b/nss/lib/freebl/stubs.h -index 58cb9d085..f773e1043 100644 ---- a/nss/lib/freebl/stubs.h -+++ b/nss/lib/freebl/stubs.h -@@ -43,7 +43,6 @@ - #define NSS_SecureMemcmp NSS_SecureMemcmp_stub - #define NSS_SecureMemcmpZero NSS_SecureMemcmpZero_stub - #define NSS_SecureSelect NSS_SecureSelect_stub --#define NSS_GetSystemFIPSEnabled NSS_GetSystemFIPSEnabled_stub - - #define PR_Assert PR_Assert_stub - #define PR_Access PR_Access_stub -diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c -index e15a0774e..2584ec3e8 100644 ---- a/nss/lib/pk11wrap/pk11util.c -+++ b/nss/lib/pk11wrap/pk11util.c -@@ -99,7 +99,28 @@ SECMOD_Shutdown() - PRBool - SECMOD_GetSystemFIPSEnabled(void) - { -- return NSS_GetSystemFIPSEnabled(); -+#ifdef LINUX -+#ifndef NSS_FIPS_DISABLED -+ FILE *f; -+ char d; -+ size_t size; -+ -+ f = fopen("/proc/sys/crypto/fips_enabled", "r"); -+ if (!f) { -+ return PR_FALSE; -+ } -+ -+ size = fread(&d, 1, sizeof(d), f); -+ fclose(f); -+ if (size != sizeof(d)) { -+ return PR_FALSE; -+ } -+ if (d == '1') { -+ return PR_TRUE; -+ } -+#endif -+#endif -+ return PR_FALSE; - } - - /* -diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c -index 8e7872f8b..64b7892d0 100644 ---- a/nss/lib/softoken/pkcs11.c -+++ b/nss/lib/softoken/pkcs11.c -@@ -93,17 +93,6 @@ static PRIntervalTime loginWaitTime; - - #include "pkcs11f.h" - --#ifndef NSS_FIPS_DISABLE --/* ------------- forward declare all the FIPS functions ------------- */ --#undef CK_NEED_ARG_LIST --#undef CK_PKCS11_FUNCTION_INFO -- --#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F, name) --#define CK_NEED_ARG_LIST 1 -- --#include "pkcs11f.h" --#endif -- - /* build the crypto module table */ - static CK_FUNCTION_LIST_3_0 sftk_funcList = { - { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR }, -@@ -2508,15 +2497,7 @@ NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) - CK_RV - C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) - { --#ifdef NSS_FIPS_DISABLED - return NSC_GetFunctionList(pFunctionList); --#else -- if (NSS_GetSystemFIPSEnabled()) { -- return FC_GetFunctionList(pFunctionList); -- } else { -- return NSC_GetFunctionList(pFunctionList); -- } --#endif - } - - CK_RV -@@ -2537,15 +2518,7 @@ NSC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount) - CK_RV - C_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount) - { --#ifdef NSS_FIPS_DISABLED - return NSC_GetInterfaceList(interfaces, pulCount); --#else -- if (NSS_GetSystemFIPSEnabled()) { -- return FC_GetInterfaceList(interfaces, pulCount); -- } else { -- return NSC_GetInterfaceList(interfaces, pulCount); -- } --#endif - } - - /* -@@ -2578,15 +2551,7 @@ CK_RV - C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion, - CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags) - { --#ifdef NSS_FIPS_DISABLED - return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags); --#else -- if (NSS_GetSystemFIPSEnabled()) { -- return FC_GetInterface(pInterfaceName, pVersion, ppInterface, flags); -- } else { -- return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags); -- } --#endif - } - - static PLHashNumber -diff --git a/nss/lib/util/nssutil.def b/nss/lib/util/nssutil.def -index 01f362c2a..a48794e47 100644 ---- a/nss/lib/util/nssutil.def -+++ b/nss/lib/util/nssutil.def -@@ -354,9 +354,3 @@ NSS_SecureSelect; - ;+ local: - ;+ *; - ;+}; --;+NSSUTIL_3.94 { # NSS Utilities 3.94 release --;+ global: --NSS_GetSystemFIPSEnabled; --;+ local: --;+ *; --;+}; -diff --git a/nss/lib/util/secport.c b/nss/lib/util/secport.c -index 30215a80f..fb5223d64 100644 ---- a/nss/lib/util/secport.c -+++ b/nss/lib/util/secport.c -@@ -877,49 +877,3 @@ NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsig - ((unsigned char *)dest)[i] = s0i ^ (mask & (s0i ^ s1i)); - } - } -- --/* -- * consolidate all the calls to get the system FIPS status in one spot. -- * This function allows an environment variable to override what is returned. -- */ --PRBool --NSS_GetSystemFIPSEnabled(void) --{ --/* if FIPS is disabled in NSS, always return FALSE, even if the environment -- * variable is set, or the system is in FIPS mode */ --#ifndef NSS_FIPS_DISABLED -- const char *env; -- -- /* The environment variable is active for all platforms */ -- env = PR_GetEnvSecure("NSS_FIPS"); -- /* we generally accept y, Y, 1, FIPS, TRUE, and ON as turning on FIPS -- * mode. Anything else is considered 'off' */ -- if (env && (*env == 'y' || *env == '1' || *env == 'Y' || -- (PORT_Strcasecmp(env, "fips") == 0) || -- (PORT_Strcasecmp(env, "true") == 0) || -- (PORT_Strcasecmp(env, "on") == 0))) { -- return PR_TRUE; -- } -- --/* currently only Linux has a system FIPS indicator. Add others here -- * as they become available/known */ --#ifdef LINUX -- { -- FILE *f; -- char d; -- size_t size; -- f = fopen("/proc/sys/crypto/fips_enabled", "r"); -- if (!f) -- return PR_FALSE; -- -- size = fread(&d, 1, 1, f); -- fclose(f); -- if (size != 1) -- return PR_FALSE; -- if (d == '1') -- return PR_TRUE; -- } --#endif /* LINUX */ --#endif /* NSS_FIPS_DISABLED == 0 */ -- return PR_FALSE; --} -diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h -index d58b3f2f9..fa587b28a 100644 ---- a/nss/lib/util/secport.h -+++ b/nss/lib/util/secport.h -@@ -262,7 +262,6 @@ extern int NSS_PutEnv(const char *envVarName, const char *envValue); - extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); - extern unsigned int NSS_SecureMemcmpZero(const void *mem, size_t n); - extern void NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsigned char b); --extern PRBool NSS_GetSystemFIPSEnabled(void); - - /* - * Load a shared library called "newShLibName" in the same directory as --- -2.34.1 - diff --git a/packages/security/nss/patches/nss-09-gcc-warning-workaround.patch b/packages/security/nss/patches/nss-09-gcc-warning-workaround.patch deleted file mode 100644 index a3ef08dd29..0000000000 --- a/packages/security/nss/patches/nss-09-gcc-warning-workaround.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -r ab04fd73fd6d coreconf/nsinstall/nsinstall.c ---- a/nss/coreconf/nsinstall/nsinstall.c Mon Aug 24 22:52:43 2020 +0000 -+++ b/nss/coreconf/nsinstall/nsinstall.c Wed Aug 26 13:04:16 2020 +0200 -@@ -50,6 +50,7 @@ - extern int fchmod(int fildes, mode_t mode); - #endif - -+#define GETCWD_CANT_MALLOC 1 - - #ifdef GETCWD_CANT_MALLOC - /* diff --git a/packages/security/nss/patches/nss-11-allow-build-without-fips.patch b/packages/security/nss/patches/nss-11-allow-build-without-fips.patch new file mode 100644 index 0000000000..313baaaff9 --- /dev/null +++ b/packages/security/nss/patches/nss-11-allow-build-without-fips.patch @@ -0,0 +1,14 @@ +--- a/nss/lib/pk11wrap/pk11util.c 2024-08-24 05:50:25.083922373 +0000 ++++ b/nss/lib/pk11wrap/pk11util.c 2024-08-24 05:50:08.147128674 +0000 +@@ -99,7 +99,11 @@ + PRBool + SECMOD_GetSystemFIPSEnabled(void) + { ++#ifdef NSS_FIPS_DISABLED ++ return PR_FALSE; ++#else + return NSS_GetSystemFIPSEnabled(); ++#endif + } + + /*