
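--- a/nss-3.12.6-r1.ebuild
+++ b/nss-3.12.6-r1.ebuild
@@ -69,13 +69,59 @@
 	emake -j1 CC="$(tc-getCC)" || die "nss make failed"
 }
 
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
 src_install () {
 	MINOR_VERSION=12
 	cd "${S}"/mozilla/security/dist
 
 	dodir /usr/$(get_libdir)
 	cp -L */lib/*.so "${D}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed"
+	# We generate these after stripping the libraries, else they don't match.
+	#cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed"
 	cp -L */lib/libcrmf.a "${D}"/usr/$(get_libdir) || die "copying libs failed"
 
 	# Install nss-config and pkgconfig file
@@ -93,15 +139,34 @@
 		ln -s ${file}.${MINOR_VERSION} ${file}
 	done
 
+	local nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils="shlibsign"
 	if use utils; then
-		local nssutils
-		nssutils="certutil crlutil cmsutil modutil pk12util signtool signver ssltap addbuiltin"
-
-		cd "${S}"/mozilla/security/dist/*/bin/
-		for f in $nssutils; do
-			dobin ${f}
-		done
+		# The tests we do not need to install.
+		#nssutils_test="bltest crmftest dbtest dertimetest 
+		#fipstest remtest sdrtest"
+		nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
+		cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
+		nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
+		pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
+		symkeyutil tstclnt vfychain vfyserv"
 	fi
+	cd "${S}"/mozilla/security/dist/*/bin/
+	for f in $nssutils; do
+		dobin ${f}
+	done
+	
+	# Prelink breaks the CHK files. We don't have any reliable way to run
+	# shlibsign after prelink.
+	declare -a libs
+	for l in ${NSS_CHK_SIGN_LIBS} ; do	
+		libs+=("/usr/$(get_libdir)/lib${l}.so")
+	done
+	OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}"
+	echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss"
+	unset libs liblist
+	doenvd "${T}/90nss"
 }
 
 pkg_postinst() {
@@ -111,4 +176,11 @@
 	elog "not run please re-emerge package to ensure it properly"
 	elog " links after upgrade."
 	elog
+	# We must re-sign the libraries AFTER they are stripped.
+	generate_chk "${ROOT}"/usr/bin/shlibsign "${ROOT}"/usr/$(get_libdir)
 }
+
+pkg_postrm() {
+	cleanup_chk "${ROOT}"/usr/$(get_libdir)
+}
+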
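Review bot: cleanup_chk can never match the files generate_chk creates: generate_chk writes `"${libdir}"/lib${i}.chk`, while cleanup_chk tests and removes `"${libfname}.chk"`, which expands to `lib${i}.so.chk`. Because the .chk files are now produced in pkg_postinst instead of being copied into the image, they are presumably not recorded as package contents, so this cleanup looks like the only thing that would remove them, and stale integrity files would stay in the libdir after an unmerge. Give the check file its own name in the loop, `local chkfname="${libdir}/lib${i}.chk"`, and use `[ ! -f "${libfname}" -a -f "${chkfname}" ] && rm -f "${chkfname}"`. A comment on generate_chk should also state that the FIPS self-check then only covers whatever library bytes are on disk when pkg_postinst runs, and that `"${ROOT}"/usr/bin/shlibsign` is executed from the target root, which is unlikely to work when ROOT is not the running system.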
