[yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

Hongxu Jia hongxu.jia at windriver.com
Sat Oct 12 01:17:10 PDT 2019


Add `export NSS_FORCE_FIPS=1` to force-enable FIPS, and add the same
macro limitation to the FIPS-enable test; currently we are not ready
to support NSS FIPS.

...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.

$rpm -h
|error: Failed to initialize NSS library
...

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 .../nss/nss/0001-conditionally-enable-fips.patch   | 93 ++++++++++++++++++++++
 recipes-support/nss/nss_3.%.bbappend               |  4 +
 recipes-support/nss/nss_fips.inc                   |  4 +
 3 files changed, 101 insertions(+)
 create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
 create mode 100644 recipes-support/nss/nss_3.%.bbappend
 create mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
new file mode 100644
index 0000000..d11db91
--- /dev/null
+++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
@@ -0,0 +1,93 @@
+From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia at windriver.com>
+Date: Sat, 12 Oct 2019 10:49:28 +0800
+Subject: [PATCH] conditionally enable fips
+
+Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
+macro limitaition to fips enable test, currently we are not ready
+to support nss fips
+
+...
+$ certutil -N -d sql:. --empty-password
+|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
+module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
+with the token or slot.
+
+$rpm -h
+|error: Failed to initialize NSS library
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ nss/coreconf/config.mk       | 2 ++
+ nss/lib/freebl/nsslowhash.c  | 2 +-
+ nss/lib/pk11wrap/pk11util.c  | 2 +-
+ nss/lib/sysinit/nsssysinit.c | 4 ++++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 60a0841..dcca87f 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -179,6 +179,8 @@ endif
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+ DEFINES += -DNSS_NO_INIT_SUPPORT
++else
++DEFINES += -DNSS_FORCE_FIPS
+ endif
+ 
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
+index 22f9781..baf71c3 100644
+--- a/nss/lib/freebl/nsslowhash.c
++++ b/nss/lib/freebl/nsslowhash.c
+@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
+ static int
+ nsslow_GetFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+     FILE *f;
+     char d;
+     size_t size;
+diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
+index 502c4d0..cd86270 100644
+--- a/nss/lib/pk11wrap/pk11util.c
++++ b/nss/lib/pk11wrap/pk11util.c
+@@ -98,7 +98,7 @@ SECMOD_Shutdown()
+ int
+ secmod_GetSystemFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+     FILE *f;
+     char d;
+     size_t size;
+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
+index bd0fac2..5c09e8d 100644
+--- a/nss/lib/sysinit/nsssysinit.c
++++ b/nss/lib/sysinit/nsssysinit.c
+@@ -168,6 +168,7 @@ getFIPSEnv(void)
+ static PRBool
+ getFIPSMode(void)
+ {
++#ifdef NSS_FORCE_FIPS
+     FILE *f;
+     char d;
+     size_t size;
+@@ -186,6 +187,9 @@ getFIPSMode(void)
+     if (d != '1')
+         return PR_FALSE;
+     return PR_TRUE;
++#else
++    return PR_FALSE;
++#endif
+ }
+ 
+ #define NSS_DEFAULT_FLAGS "flags=readonly"
+-- 
+2.7.4
+
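Review bot: The `#if defined LINUX && defined NSS_FORCE_FIPS` change in nsslow_GetFIPSEnabled (and the identical change in secmod_GetSystemFIPSEnabled) shows only the head of each function; the `#else`/`#endif` tail that decides what a build without NSS_FORCE_FIPS returns lies outside the hunk. If that tail is an unconditional `return 1;` after the `#endif` rather than an `#else` branch returning 0, the new condition inverts the intent, because every build without NSS_FORCE_FIPS would then report FIPS as enabled instead of skipping the probe, so that tail should be checked and, if needed, made `#else` / `return 0;` / `#endif` in the same way getFIPSMode now falls back to PR_FALSE. In nsssysinit.c the fallback is explicit, but the neighbouring getFIPSEnv (visible in the hunk header) is untouched, so an environment-driven override may still be able to switch FIPS on; if that is intended, the patch description should say so. The config.mk hunk silently gives the NSS_FORCE_FIPS make variable a second meaning as a C define; a one-line comment there, e.g. `# NSS_FORCE_FIPS also gates the /proc/sys/crypto/fips_enabled probes in freebl, pk11wrap and sysinit`, would save the next reader a search.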
diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend
new file mode 100644
index 0000000..9608ca3
--- /dev/null
+++ b/recipes-support/nss/nss_3.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}"
+
+require ${FIPSINC}
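Review bot: The condition in `FIPSINC_class-target` reads backwards to anyone who has not followed this series: setting OPENSSL_FIPS_ENABLED to "1" pulls in a patch that compiles NSS's kernel FIPS-mode probe out unless NSS_FORCE_FIPS is also defined, and neither this bbappend nor nss_fips.inc sets NSS_FORCE_FIPS, so a FIPS-enabled image ships an NSS that ignores /proc/sys/crypto/fips_enabled. That matches the stated intent ("not ready to support nss fips"), but it should be written down where the gating happens, e.g. a comment above the assignment: `# On OpenSSL-FIPS builds, patch NSS so its kernel FIPS-mode probe is disabled unless NSS_FORCE_FIPS is passed to make; NSS FIPS support is not ready yet.` Whether another part of the series sets NSS_FORCE_FIPS cannot be seen from these files.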
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
new file mode 100644
index 0000000..b183f55
--- /dev/null
+++ b/recipes-support/nss/nss_fips.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
+SRC_URI += " \
+    file://0001-conditionally-enable-fips.patch \
+"
-- 
2.7.4


