[yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

Mark Hatle mark.hatle at kernel.crashing.org
Sat Oct 12 14:22:20 PDT 2019


The original goal of this work was to enable a FIPS-140-2 OpenSSL module.  Why
is NSS part of this?

Is something inside of the OpenSSL patches requesting NSS support, or is this a
different -- but related request?

--Mark

On 10/12/19 3:17 AM, Hongxu Jia wrote:
> Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
> macro limitation to fips enable test, currently we are not ready
> to support nss fips
> 
> ...
> $ certutil -N -d sql:. --empty-password
> |certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
> module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
> with the token or slot.
> 
> $rpm -h
> |error: Failed to initialize NSS library
> ...
> 
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>  .../nss/nss/0001-conditionally-enable-fips.patch   | 93 ++++++++++++++++++++++
>  recipes-support/nss/nss_3.%.bbappend               |  4 +
>  recipes-support/nss/nss_fips.inc                   |  4 +
>  3 files changed, 101 insertions(+)
>  create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
>  create mode 100644 recipes-support/nss/nss_3.%.bbappend
>  create mode 100644 recipes-support/nss/nss_fips.inc
> 
> diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
> new file mode 100644
> index 0000000..d11db91
> --- /dev/null
> +++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
> @@ -0,0 +1,93 @@
> +From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
> +From: Hongxu Jia <hongxu.jia at windriver.com>
> +Date: Sat, 12 Oct 2019 10:49:28 +0800
> +Subject: [PATCH] conditionally enable fips
> +
> +Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
> +macro limitaition to fips enable test, currently we are not ready
> +to support nss fips
> +
> +...
> +$ certutil -N -d sql:. --empty-password
> +|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
> +module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
> +with the token or slot.
> +
> +$rpm -h
> +|error: Failed to initialize NSS library
> +...
> +
> +Upstream-Status: Inappropriate [oe specific]
> +
> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> +---
> + nss/coreconf/config.mk       | 2 ++
> + nss/lib/freebl/nsslowhash.c  | 2 +-
> + nss/lib/pk11wrap/pk11util.c  | 2 +-
> + nss/lib/sysinit/nsssysinit.c | 4 ++++
> + 4 files changed, 8 insertions(+), 2 deletions(-)
> +
> +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
> +index 60a0841..dcca87f 100644
> +--- a/nss/coreconf/config.mk
> ++++ b/nss/coreconf/config.mk
> +@@ -179,6 +179,8 @@ endif
> + # executing the startup tests at library load time.
> + ifndef NSS_FORCE_FIPS
> + DEFINES += -DNSS_NO_INIT_SUPPORT
> ++else
> ++DEFINES += -DNSS_FORCE_FIPS
> + endif
> + 
> + ifdef NSS_SEED_ONLY_DEV_URANDOM
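
Review bot: the new `else` branch (`+DEFINES += -DNSS_FORCE_FIPS`) turns the coreconf make variable NSS_FORCE_FIPS, which the context lines show is currently used only to decide whether -DNSS_NO_INIT_SUPPORT is added, into a C preprocessor symbol that the three source hunks below key on. Nothing in nss_fips.inc or the bbappend in this patch sets NSS_FORCE_FIPS, so as posted the `ifndef` branch is always taken, the define is never emitted, and the three guarded functions compile to their "FIPS disabled" fallback. Please state in the commit message how NSS_FORCE_FIPS is meant to reach the build, or add that to nss_fips.inc.
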
> +diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
> +index 22f9781..baf71c3 100644
> +--- a/nss/lib/freebl/nsslowhash.c
> ++++ b/nss/lib/freebl/nsslowhash.c
> +@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
> + static int
> + nsslow_GetFIPSEnabled(void)
> + {
> +-#ifdef LINUX
> ++#if defined LINUX && defined NSS_FORCE_FIPS
> +     FILE *f;
> +     char d;
> +     size_t size;
> +diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
> +index 502c4d0..cd86270 100644
> +--- a/nss/lib/pk11wrap/pk11util.c
> ++++ b/nss/lib/pk11wrap/pk11util.c
> +@@ -98,7 +98,7 @@ SECMOD_Shutdown()
> + int
> + secmod_GetSystemFIPSEnabled(void)
> + {
> +-#ifdef LINUX
> ++#if defined LINUX && defined NSS_FORCE_FIPS
> +     FILE *f;
> +     char d;
> +     size_t size;
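
Review bot: changing `#ifdef LINUX` to `#if defined LINUX && defined NSS_FORCE_FIPS` in secmod_GetSystemFIPSEnabled() (and identically in nsslow_GetFIPSEnabled() in the nsslowhash.c hunk above) means a Linux build without NSS_FORCE_FIPS never opens the system FIPS indicator that the following `FILE *f; char d;` lines exist to read, and instead takes the fallback branch that lies outside the shown context, so NSS reports "not FIPS" regardless of the system setting. That is the stated intent ("currently we are not ready to support nss fips"), but the subject line says "conditionally enable fips" while the default outcome is "ignore the system FIPS state"; please say this explicitly so that nobody assembles a FIPS image and expects NSS to follow the system flag. The hunk also does not show the fallback branch; confirm it returns a "disabled" value for the new non-forced Linux case rather than relying on an uninitialised result.
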
> +diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
> +index bd0fac2..5c09e8d 100644
> +--- a/nss/lib/sysinit/nsssysinit.c
> ++++ b/nss/lib/sysinit/nsssysinit.c
> +@@ -168,6 +168,7 @@ getFIPSEnv(void)
> + static PRBool
> + getFIPSMode(void)
> + {
> ++#ifdef NSS_FORCE_FIPS
> +     FILE *f;
> +     char d;
> +     size_t size;
> +@@ -186,6 +187,9 @@ getFIPSMode(void)
> +     if (d != '1')
> +         return PR_FALSE;
> +     return PR_TRUE;
> ++#else
> ++    return PR_FALSE;
> ++#endif
> + }
> + 
> + #define NSS_DEFAULT_FLAGS "flags=readonly"
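
Review bot: the `#ifdef NSS_FORCE_FIPS` opened in the previous hunk (ahead of the `FILE *f;` declarations) is closed only here by `+#else`, `+    return PR_FALSE;`, `+#endif`, so a reader has to join two hunks to see that getFIPSMode() becomes a constant PR_FALSE when NSS_FORCE_FIPS is unset. An early `return PR_FALSE;` under a single `#ifndef NSS_FORCE_FIPS` at the top of the function would keep the change in one hunk and leave the existing file-reading code untouched, while still avoiding the unused-variable warnings that pulling the declarations inside the `#ifdef` was presumably meant to prevent. Either way, note in the commit message that with this default the sysinit path ignores the system FIPS setting, consistent with the pk11wrap and freebl hunks.
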
> +-- 
> +2.7.4
> +
> diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend
> new file mode 100644
> index 0000000..9608ca3
> --- /dev/null
> +++ b/recipes-support/nss/nss_3.%.bbappend
> @@ -0,0 +1,4 @@
> +FIPSINC = ""
> +FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}"
> +
> +require ${FIPSINC}
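
Review bot: `FIPSINC_class-target` means only the target build of nss picks up nss_fips.inc; the native and nativesdk variants, if the recipe extends to them, keep the unpatched FIPS detection. If that is intentional it deserves a comment here, because a reader of nss_fips.inc will assume the patch applies to every nss build. Minor: the explicit `True` in `d.getVar('OPENSSL_FIPS_ENABLED', True)` is no longer needed with current BitBake, where expansion is the default; `d.getVar('OPENSSL_FIPS_ENABLED')` is the idiomatic form. `require ${FIPSINC}` with an empty FIPSINC is fine (BitBake treats an empty require as a no-op), but a one-line comment saying so would save the next reader a trip to the parser.
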
> diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
> new file mode 100644
> index 0000000..b183f55
> --- /dev/null
> +++ b/recipes-support/nss/nss_fips.inc
> @@ -0,0 +1,4 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
> +SRC_URI += " \
> +    file://0001-conditionally-enable-fips.patch \
> +"
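
Review bot: this .inc only adds the patch; it does not set NSS_FORCE_FIPS for do_compile, so the config.mk `else` branch introduced by the patch is unreachable from this layer and the net effect of OPENSSL_FIPS_ENABLED = "1" on nss is to compile out its system FIPS-mode detection. Either document that here (a one-line comment would do), or expose the switch, for example by passing NSS_FORCE_FIPS through whatever mechanism the nss recipe already uses for its other make variables, so that enabling NSS FIPS later is a configuration change rather than another patch. The coupling between the OpenSSL FIPS switch and NSS behaviour is also what the question at the top of this thread asks about; spelling it out in the commit message would address that.
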
> 