Bug 323871 - dev-libs/nss: FIPS mode not available due to stripping without regen of CHK files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
Importance: High critical
Assignee: Mozilla Gentoo Team
URL: http://www.mozilla.org/projects/secur...
Reported: 2010-06-13 23:58 UTC by Robin Johnson
Modified: 2010-06-16 18:52 UTC
Attachments
nss-3.12.6-r1-postinst-chk-fixup.patch (3.57 KB, patch)
2010-06-14 04:15 UTC, Robin Johnson

Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-06-13 23:58:27 UTC
I was trying to figure out why FIPS mode was failing to activate, and after a discussion on the upstream mailing list, I noted that we are stripping the FIPS libraries and not regenerating the .chk files afterwards.

This causes the FIPS validation to fail outright. app-crypt/hmaccalc requires FIPS mode to operate.

Find attached a patch that:
- includes more of the utilities.
- adds the FIPS libraries to PRELINK_PATH_MASK.
- does NOT install the chk files generated during build.
- generates the chk files as part of postinst.
- removes dangling/stale chk files as part of postrm.
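
An audit for the two conditions described above (a library modified after its .chk was generated, and .chk files left behind with no library), added here as an example and not part of the original report or the attached patch. It assumes the checked libraries are libsoftokn3, libfreebl3 and libnssdbm3 with a same-named .chk beside each, and it uses file modification times as a heuristic only; NSS itself performs the real signature verification when FIPS mode is enabled.

```shell
#!/bin/sh
# Added example: mtime-based audit of NSS .chk files (heuristic only).
# Assumption: the FIPS-checked libraries are libsoftokn3, libfreebl3 and
# libnssdbm3, each paired with <name>.chk in the same directory.
# Usage: audit_chk /path/to/nss/libdir
FIPS_LIBS="libsoftokn3 libfreebl3 libnssdbm3"

# audit_chk DIR: print one finding per line, return 1 if any were found.
audit_chk() {
    dir=$1
    found=0
    for name in $FIPS_LIBS; do
        lib="$dir/$name.so"
        chk="$dir/$name.chk"
        [ -e "$lib" ] || continue          # library not installed here
        if [ ! -e "$chk" ]; then
            echo "MISSING $name.chk"
            found=1
        elif [ "$lib" -nt "$chk" ]; then
            # Library was modified (e.g. stripped) after the .chk was made.
            echo "STALE $name.chk"
            found=1
        fi
    done
    # .chk files left behind after their library was removed.
    for chk in "$dir"/*.chk; do
        [ -e "$chk" ] || continue          # glob matched nothing
        base=${chk##*/}
        if [ ! -e "$dir/${base%.chk}.so" ]; then
            echo "DANGLING $base"
            found=1
        fi
    done
    return $found
}
```

A clean result only shows that the .chk files are not older than their libraries; a tool that preserves timestamps while rewriting the library would not be caught by this check.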
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-06-14 04:15:24 UTC
Created attachment 235225
nss-3.12.6-r1-postinst-chk-fixup.patch
Comment 2 Jory A. Pratt gentoo-dev 2010-06-15 00:40:51 UTC
Robin, please feel free to land.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-06-16 18:52:51 UTC
committed as nss-3.12.6-r2 in ~arch.