0
0
mirror of https://github.com/libretro/Lakka-LibreELEC.git synced 2025-01-20 22:45:25 +00:00
Lakka-LibreELEC/packages/security/nss/patches/0001-Revert-Bug-1827303-Softoken-C_-calls-should-use-syst.patch
Rudi Heitbaum 72bf305f2f nss: update to 3.95
includes a revert of 1827303
upstream bug raised - https://bugzilla.mozilla.org/show_bug.cgi?id=1856668
2023-11-29 11:34:15 +00:00

330 lines
10 KiB
Diff

From 4d40ae4e120bf69e27f9f9331c3fedaf01a48edd Mon Sep 17 00:00:00 2001
From: Rudi Heitbaum <rudi@heitbaum.com>
Date: Tue, 3 Oct 2023 15:57:07 +0000
Subject: [PATCH] Revert "Bug 1827303 Softoken C_ calls should use system FIPS
setting to select NSC_ or FC_ variants."
This reverts commit e91f174eeb34e5acfa9f01bb194905168c82bef9.
---
lib/freebl/nsslowhash.c | 32 ++++++++++++-
lib/freebl/stubs.c | 44 ------------------
lib/freebl/stubs.h | 1 -
lib/pk11wrap/pk11util.c | 23 +++++++++-
lib/softoken/pkcs11.c | 35 --------------
lib/util/nssutil.def | 6 ---
lib/util/secport.c | 46 -------------------
lib/util/secport.h | 1 -
9 files changed, 53 insertions(+), 140 deletions(-)
diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
index cf9e8ac52..7a22a357e 100644
--- a/nss/lib/freebl/nsslowhash.c
+++ b/nss/lib/freebl/nsslowhash.c
@@ -23,6 +23,36 @@ struct NSSLOWHASHContextStr {
void *hashCtxt;
};
+#ifndef NSS_FIPS_DISABLED
+static int
+nsslow_GetFIPSEnabled(void)
+{
+#ifdef LINUX
+ FILE *f;
+ char d;
+ size_t size;
+ const char *env;
+
+ env = PR_GetEnvSecure("NSS_FIPS");
+ if (env && (*env == 'y' || *env == 'f' || *env == '1' || *env == 't')) {
+ return 1;
+ }
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+ return 0;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
+ if (size != 1)
+ return 0;
+ if (d != '1')
+ return 0;
+#endif /* LINUX */
+ return 1;
+}
+#endif /* NSS_FIPS_DISABLED */
+
static NSSLOWInitContext dummyContext = { 0 };
static PRBool post_failed = PR_TRUE;
@@ -36,7 +66,7 @@ NSSLOW_Init(void)
#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
- if (NSS_GetSystemFIPSEnabled()) {
+ if (nsslow_GetFIPSEnabled()) {
if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
post_failed = PR_TRUE;
diff --git a/nss/lib/freebl/stubs.c b/nss/lib/freebl/stubs.c
index a79cf69a2..a20d7abf3 100644
--- a/nss/lib/freebl/stubs.c
+++ b/nss/lib/freebl/stubs.c
@@ -182,9 +182,6 @@ STUB_DECLARE(SECOidTag, SECOID_FindOIDTag_Util, (const SECItem *oid));
STUB_DECLARE(int, NSS_SecureMemcmp, (const void *a, const void *b, size_t n));
STUB_DECLARE(unsigned int, NSS_SecureMemcmpZero, (const void *mem, size_t n));
STUB_DECLARE(void, NSS_SecureSelect, (void *dest, const void *src0, const void *src1, size_t n, unsigned char b));
-#ifndef NSS_FIPS_DISABLED
-STUB_DECLARE(PRBool, NSS_GetSystemFIPSEnabled, (void));
-#endif
#define PORT_ZNew_stub(type) (type *)PORT_ZAlloc_stub(sizeof(type))
#define PORT_New_stub(type) (type *)PORT_Alloc_stub(sizeof(type))
@@ -715,47 +712,6 @@ NSS_SecureSelect_stub(void *dest, const void *src0, const void *src1, size_t n,
abort();
}
-#ifndef NSS_FIPS_DISABLED
-PRBool
-NSS_GetSystemFIPSEnabled_stub(void)
-{
- STUB_SAFE_CALL0(NSS_GetSystemFIPSEnabled);
- const char *env;
-
- /* The environment variable is active for all platforms */
- env = PR_GetEnvSecure_stub("NSS_FIPS");
- /* we generally accept y, Y, 1, FIPS, TRUE, and ON as turning on FIPS
- * mode. Anything else is considered 'off' */
- if (env && (*env == 'y' || *env == '1' || *env == 'Y' ||
- (strcasecmp(env, "fips") == 0) ||
- (strcasecmp(env, "true") == 0) ||
- (strcasecmp(env, "on") == 0))) {
- return PR_TRUE;
- }
-
-/* currently only Linux has a system FIPS indicator. Add others here
- * as they become available/known */
-#ifdef LINUX
- {
- FILE *f;
- char d;
- size_t size;
- f = fopen("/proc/sys/crypto/fips_enabled", "r");
- if (!f)
- return PR_FALSE;
-
- size = fread(&d, 1, 1, f);
- fclose(f);
- if (size != 1)
- return PR_FALSE;
- if (d == '1')
- return PR_TRUE;
- }
-#endif /* LINUX */
- return PR_FALSE;
-}
-#endif /* NSS_FIPS_DISABLED = 0 */
-
#ifdef FREEBL_NO_WEAK
static const char *nsprLibName = SHLIB_PREFIX "nspr4." SHLIB_SUFFIX;
diff --git a/nss/lib/freebl/stubs.h b/nss/lib/freebl/stubs.h
index 58cb9d085..f773e1043 100644
--- a/nss/lib/freebl/stubs.h
+++ b/nss/lib/freebl/stubs.h
@@ -43,7 +43,6 @@
#define NSS_SecureMemcmp NSS_SecureMemcmp_stub
#define NSS_SecureMemcmpZero NSS_SecureMemcmpZero_stub
#define NSS_SecureSelect NSS_SecureSelect_stub
-#define NSS_GetSystemFIPSEnabled NSS_GetSystemFIPSEnabled_stub
#define PR_Assert PR_Assert_stub
#define PR_Access PR_Access_stub
diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
index e15a0774e..2584ec3e8 100644
--- a/nss/lib/pk11wrap/pk11util.c
+++ b/nss/lib/pk11wrap/pk11util.c
@@ -99,7 +99,28 @@ SECMOD_Shutdown()
PRBool
SECMOD_GetSystemFIPSEnabled(void)
{
- return NSS_GetSystemFIPSEnabled();
+#ifdef LINUX
+#ifndef NSS_FIPS_DISABLED
+ FILE *f;
+ char d;
+ size_t size;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f) {
+ return PR_FALSE;
+ }
+
+ size = fread(&d, 1, sizeof(d), f);
+ fclose(f);
+ if (size != sizeof(d)) {
+ return PR_FALSE;
+ }
+ if (d == '1') {
+ return PR_TRUE;
+ }
+#endif
+#endif
+ return PR_FALSE;
}
/*
diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c
index 8e7872f8b..64b7892d0 100644
--- a/nss/lib/softoken/pkcs11.c
+++ b/nss/lib/softoken/pkcs11.c
@@ -93,17 +93,6 @@ static PRIntervalTime loginWaitTime;
#include "pkcs11f.h"
-#ifndef NSS_FIPS_DISABLE
-/* ------------- forward declare all the FIPS functions ------------- */
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F, name)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-#endif
-
/* build the crypto module table */
static CK_FUNCTION_LIST_3_0 sftk_funcList = {
{ CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
@@ -2508,15 +2497,7 @@ NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
CK_RV
C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
{
-#ifdef NSS_FIPS_DISABLED
return NSC_GetFunctionList(pFunctionList);
-#else
- if (NSS_GetSystemFIPSEnabled()) {
- return FC_GetFunctionList(pFunctionList);
- } else {
- return NSC_GetFunctionList(pFunctionList);
- }
-#endif
}
CK_RV
@@ -2537,15 +2518,7 @@ NSC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
CK_RV
C_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
{
-#ifdef NSS_FIPS_DISABLED
return NSC_GetInterfaceList(interfaces, pulCount);
-#else
- if (NSS_GetSystemFIPSEnabled()) {
- return FC_GetInterfaceList(interfaces, pulCount);
- } else {
- return NSC_GetInterfaceList(interfaces, pulCount);
- }
-#endif
}
/*
@@ -2578,15 +2551,7 @@ CK_RV
C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
{
-#ifdef NSS_FIPS_DISABLED
return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
-#else
- if (NSS_GetSystemFIPSEnabled()) {
- return FC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
- } else {
- return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
- }
-#endif
}
static PLHashNumber
diff --git a/nss/lib/util/nssutil.def b/nss/lib/util/nssutil.def
index 01f362c2a..a48794e47 100644
--- a/nss/lib/util/nssutil.def
+++ b/nss/lib/util/nssutil.def
@@ -354,9 +354,3 @@ NSS_SecureSelect;
;+ local:
;+ *;
;+};
-;+NSSUTIL_3.94 { # NSS Utilities 3.94 release
-;+ global:
-NSS_GetSystemFIPSEnabled;
-;+ local:
-;+ *;
-;+};
diff --git a/nss/lib/util/secport.c b/nss/lib/util/secport.c
index 30215a80f..fb5223d64 100644
--- a/nss/lib/util/secport.c
+++ b/nss/lib/util/secport.c
@@ -877,49 +877,3 @@ NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsig
((unsigned char *)dest)[i] = s0i ^ (mask & (s0i ^ s1i));
}
}
-
-/*
- * consolidate all the calls to get the system FIPS status in one spot.
- * This function allows an environment variable to override what is returned.
- */
-PRBool
-NSS_GetSystemFIPSEnabled(void)
-{
-/* if FIPS is disabled in NSS, always return FALSE, even if the environment
- * variable is set, or the system is in FIPS mode */
-#ifndef NSS_FIPS_DISABLED
- const char *env;
-
- /* The environment variable is active for all platforms */
- env = PR_GetEnvSecure("NSS_FIPS");
- /* we generally accept y, Y, 1, FIPS, TRUE, and ON as turning on FIPS
- * mode. Anything else is considered 'off' */
- if (env && (*env == 'y' || *env == '1' || *env == 'Y' ||
- (PORT_Strcasecmp(env, "fips") == 0) ||
- (PORT_Strcasecmp(env, "true") == 0) ||
- (PORT_Strcasecmp(env, "on") == 0))) {
- return PR_TRUE;
- }
-
-/* currently only Linux has a system FIPS indicator. Add others here
- * as they become available/known */
-#ifdef LINUX
- {
- FILE *f;
- char d;
- size_t size;
- f = fopen("/proc/sys/crypto/fips_enabled", "r");
- if (!f)
- return PR_FALSE;
-
- size = fread(&d, 1, 1, f);
- fclose(f);
- if (size != 1)
- return PR_FALSE;
- if (d == '1')
- return PR_TRUE;
- }
-#endif /* LINUX */
-#endif /* NSS_FIPS_DISABLED == 0 */
- return PR_FALSE;
-}
diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h
index d58b3f2f9..fa587b28a 100644
--- a/nss/lib/util/secport.h
+++ b/nss/lib/util/secport.h
@@ -262,7 +262,6 @@ extern int NSS_PutEnv(const char *envVarName, const char *envValue);
extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
extern unsigned int NSS_SecureMemcmpZero(const void *mem, size_t n);
extern void NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsigned char b);
-extern PRBool NSS_GetSystemFIPSEnabled(void);
/*
* Load a shared library called "newShLibName" in the same directory as
--
2.34.1