- ship .chk files instead of running shlibsign at install time

- include .chk file in softokn-freebl subpackage
- add patch for upstream nss bug 488350
This commit is contained in:
Kai Engert 2009-04-14 22:21:51 +00:00
parent 79bf6c1c6e
commit c713a53f6e
2 changed files with 59 additions and 7 deletions

42
nss-freebl-kernelfipsmode Normal file
View File

@ -0,0 +1,42 @@
diff -up ./mozilla/security/nss/lib/freebl/nsslowhash.c.kernelfipsmode ./mozilla/security/nss/lib/freebl/nsslowhash.c
--- ./mozilla/security/nss/lib/freebl/nsslowhash.c.kernelfipsmode 2008-11-27 16:20:44.000000000 +0100
+++ ./mozilla/security/nss/lib/freebl/nsslowhash.c 2009-04-14 22:58:19.000000000 +0200
@@ -267,6 +267,27 @@ struct NSSLOWHASHContextStr {
};
+static int nsslow_GetFIPSEnabled(void) {
+#ifdef LINUX
+ FILE *f;
+ char d;
+ size_t size;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+ return 0;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
+ if (size != 1)
+ return 0;
+ if (d != '1')
+ return 0;
+#endif
+ return 1;
+}
+
+
static int post = 0;
static NSSLOWInitContext dummyContext = { 0 };
@@ -284,7 +305,9 @@ NSSLOW_Init(void)
if (!post) {
- crv = freebl_fipsPowerUpSelfTest();
+ crv = CKR_OK;
+ if (nsslow_GetFIPSEnabled())
+ crv = freebl_fipsPowerUpSelfTest();
if (crv != CKR_OK) {
return NULL;
}

View File

@ -4,7 +4,7 @@
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: 3.12.3 Version: 3.12.3
Release: 2%{?dist} Release: 3%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -36,6 +36,7 @@ Patch4: nss-pem-bug483855.patch
Patch5: nss-pem-bug429175.patch Patch5: nss-pem-bug429175.patch
Patch6: nss-enable-pem.patch Patch6: nss-enable-pem.patch
Patch7: nss-disable-freebl-execstack.patch Patch7: nss-disable-freebl-execstack.patch
Patch8: nss-freebl-kernelfipsmode
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -107,6 +108,7 @@ low level services.
%patch5 -p0 -b .429175 %patch5 -p0 -b .429175
%patch6 -p0 -b .libpem %patch6 -p0 -b .libpem
%patch7 -p1 %patch7 -p1
%patch8 -p1
%build %build
@ -230,6 +232,14 @@ killall $RANDSERV || :
#fi #fi
#echo "test suite completed" #echo "test suite completed"
# Produce .chk files for the final stripped binaries
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libsoftokn3.so \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
%{nil}
%install %install
@ -248,11 +258,9 @@ do
ln -sf ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file ln -sf ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
done done
# These ghost files will be generated in the post step
# Make sure chk files can be found in both places # Make sure chk files can be found in both places
for file in libsoftokn3.chk libfreebl3.chk for file in libsoftokn3.chk libfreebl3.chk
do do
touch $RPM_BUILD_ROOT/%{_lib}/$file
ln -s ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file ln -s ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
done done
@ -295,8 +303,6 @@ done
%post %post
/sbin/ldconfig >/dev/null 2>/dev/null /sbin/ldconfig >/dev/null 2>/dev/null
%{unsupported_tools_directory}/shlibsign -i /%{_lib}/libsoftokn3.so >/dev/null 2>/dev/null
%{unsupported_tools_directory}/shlibsign -i /%{_lib}/libfreebl3.so >/dev/null 2>/dev/null
%postun %postun
@ -311,11 +317,10 @@ done
/%{_lib}/libssl3.so /%{_lib}/libssl3.so
/%{_lib}/libsmime3.so /%{_lib}/libsmime3.so
/%{_lib}/libsoftokn3.so /%{_lib}/libsoftokn3.so
/%{_lib}/libsoftokn3.chk
/%{_lib}/libnssckbi.so /%{_lib}/libnssckbi.so
/%{_lib}/libnsspem.so /%{_lib}/libnsspem.so
%{unsupported_tools_directory}/shlibsign %{unsupported_tools_directory}/shlibsign
%ghost /%{_lib}/libsoftokn3.chk
%ghost /%{_lib}/libfreebl3.chk
%dir %{_libdir}/nss %dir %{_libdir}/nss
%dir %{unsupported_tools_directory} %dir %{unsupported_tools_directory}
%dir %{_sysconfdir}/pki/nssdb %dir %{_sysconfdir}/pki/nssdb
@ -327,6 +332,7 @@ done
%files softokn-freebl %files softokn-freebl
/%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.so
/%{_lib}/libfreebl3.chk
%files tools %files tools
%defattr(-,root,root) %defattr(-,root,root)
@ -470,6 +476,10 @@ done
%changelog %changelog
* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-3
- ship .chk files instead of running shlibsign at install time
- include .chk file in softokn-freebl subpackage
- add patch for upstream nss bug 488350
* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-2 * Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-2
- Update to NSS 3.12.3 - Update to NSS 3.12.3
* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-7 * Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-7