Lines 69-81
|
69 |
emake -j1 CC="$(tc-getCC)" || die "nss make failed" |
69 |
emake -j1 CC="$(tc-getCC)" || die "nss make failed" |
70 |
} |
70 |
} |
71 |
|
71 |
|
|
|
72 |
# Altering these 3 libraries breaks the CHK verification. |
73 |
# All of the following cause it to break: |
74 |
# - stripping |
75 |
# - prelink |
76 |
# - ELF signing |
77 |
# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html |
78 |
# Either we have to NOT strip them, or we have to forcibly resign after |
79 |
# stripping. |
80 |
#local_libdir="$(get_libdir)" |
81 |
#export STRIP_MASK=" |
82 |
# */${local_libdir}/libfreebl3.so* |
83 |
# */${local_libdir}/libnssdbm3.so* |
84 |
# */${local_libdir}/libsoftokn3.so*" |
85 |
|
86 |
export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3" |
87 |
|
88 |
generate_chk() { |
89 |
local shlibsign="$1" |
90 |
local libdir="$2" |
91 |
einfo "Resigning core NSS libraries for FIPS validation" |
92 |
shift 2 |
93 |
for i in ${NSS_CHK_SIGN_LIBS} ; do |
94 |
local libname=lib${i}.so |
95 |
local chkname=lib${i}.chk |
96 |
"${shlibsign}" \ |
97 |
-i "${libdir}"/${libname} \ |
98 |
-o "${libdir}"/${chkname}.tmp \ |
99 |
&& mv -f \ |
100 |
"${libdir}"/${chkname}.tmp \ |
101 |
"${libdir}"/${chkname} \ |
102 |
|| die "Failed to sign ${libname}" |
103 |
done |
104 |
} |
105 |
|
106 |
cleanup_chk() { |
107 |
local libdir="$1" |
108 |
shift 1 |
109 |
for i in ${NSS_CHK_SIGN_LIBS} ; do |
110 |
local libfname="${libdir}/lib${i}.so" |
111 |
# If the major version has changed, then we have old chk files. |
112 |
[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \ |
113 |
&& rm -f "${libfname}.chk" |
114 |
done |
115 |
} |
116 |
|
72 |
src_install () { |
117 |
src_install () { |
73 |
MINOR_VERSION=12 |
118 |
MINOR_VERSION=12 |
74 |
cd "${S}"/mozilla/security/dist |
119 |
cd "${S}"/mozilla/security/dist |
75 |
|
120 |
|
76 |
dodir /usr/$(get_libdir) |
121 |
dodir /usr/$(get_libdir) |
77 |
cp -L */lib/*.so "${D}"/usr/$(get_libdir) || die "copying shared libs failed" |
122 |
cp -L */lib/*.so "${D}"/usr/$(get_libdir) || die "copying shared libs failed" |
78 |
cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed" |
123 |
# We generate these after stripping the libraries, else they don't match. |
|
|
124 |
#cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed" |
79 |
cp -L */lib/libcrmf.a "${D}"/usr/$(get_libdir) || die "copying libs failed" |
125 |
cp -L */lib/libcrmf.a "${D}"/usr/$(get_libdir) || die "copying libs failed" |
80 |
|
126 |
|
81 |
# Install nss-config and pkgconfig file |
127 |
# Install nss-config and pkgconfig file |
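Review bot: `cleanup_chk` (new line 112) tests with the deprecated `[ … -a … ]` form and both new helpers let the loop variable `i` leak into the ebuild's global scope; in a bash ebuild the test should read `[[ ! -f "${libfname}" && -f "${libfname}.chk" ]] && rm -f "${libfname}.chk"` and each loop should declare `local i` (the `shift 2`/`shift 1` lines are dead, nothing reads the remaining arguments). The more important thing to document is the contract these functions now carry: because the build-time `.chk` copy is commented out (new line 124) and signing happens after merge, the `.chk` files are apparently not part of the package's recorded contents, so `cleanup_chk` is the only thing that removes them and it only does so once the matching `.so` is already gone. A header comment such as `# Regenerates the FIPS integrity .chk for each lib in NSS_CHK_SIGN_LIBS after merge; these files are not tracked by the package manager, see cleanup_chk.` above `generate_chk` would save the next maintainer from guessing. The `.tmp`-then-`mv -f` sequence is worth a one-line why-comment too (a reader never sees a half-written `.chk`, and a stale one fails closed against a new `.so`).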
Lines 93-107
|
93 |
ln -s ${file}.${MINOR_VERSION} ${file} |
139 |
ln -s ${file}.${MINOR_VERSION} ${file} |
94 |
done |
140 |
done |
95 |
|
141 |
|
|
|
142 |
local nssutils |
143 |
# Always enabled because we need it for chk generation. |
144 |
nssutils="shlibsign" |
96 |
if use utils; then |
145 |
if use utils; then |
97 |
local nssutils |
146 |
# The tests we do not need to install. |
98 |
nssutils="certutil crlutil cmsutil modutil pk12util signtool signver ssltap addbuiltin" |
147 |
#nssutils_test="bltest crmftest dbtest dertimetest |
99 |
|
148 |
#fipstest remtest sdrtest" |
100 |
cd "${S}"/mozilla/security/dist/*/bin/ |
149 |
nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert |
101 |
for f in $nssutils; do |
150 |
cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit |
102 |
dobin ${f} |
151 |
nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode |
103 |
done |
152 |
pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt |
|
|
153 |
symkeyutil tstclnt vfychain vfyserv" |
104 |
fi |
154 |
fi |
|
|
155 |
cd "${S}"/mozilla/security/dist/*/bin/ |
156 |
for f in $nssutils; do |
157 |
dobin ${f} |
158 |
done |
159 |
|
160 |
# Prelink breaks the CHK files. We don't have any reliable way to run |
161 |
# shlibsign after prelink. |
162 |
declare -a libs |
163 |
for l in ${NSS_CHK_SIGN_LIBS} ; do |
164 |
libs+=("/usr/$(get_libdir)/lib${l}.so") |
165 |
done |
166 |
OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}" |
167 |
echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" |
168 |
unset libs liblist |
169 |
doenvd "${T}/90nss" |
105 |
} |
170 |
} |
106 |
|
171 |
|
107 |
pkg_postinst() { |
172 |
pkg_postinst() { |
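Review bot: The expanded `nssutils` list (new lines 149-153) installs into `/usr/bin` a number of programs that look like NSS test or benchmark drivers rather than user tools (`baddbdir`, `conflict`, `mangle`, `nonspr10`, `rsaperf`, `makepqg`), despite the comment on line 146 saying tests are not installed; generic names like `pp`, `digest`, `derdump`, `conflict` also collide easily with other packages on PATH, so the list should be trimmed to the real utilities or the comment corrected to say why these are wanted. Separately, `echo -e "PRELINK_PATH_MASK=${liblist}"` (new line 167) interprets backslash escapes in the path list for no reason; `printf 'PRELINK_PATH_MASK=%s\n' "${liblist}" >"${T}/90nss"` writes it verbatim. The mask only covers the exact `lib*.so` paths built on line 164, which matches what `cp -L` installs; if the libraries ever gain versioned names the mask silently stops protecting them, which deserves a comment next to line 160.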
Lines 111-114
|
111 |
elog "not run please re-emerge package to ensure it properly" |
176 |
elog "not run please re-emerge package to ensure it properly" |
112 |
elog " links after upgrade." |
177 |
elog " links after upgrade." |
113 |
elog |
178 |
elog |
|
|
179 |
# We must re-sign the libraries AFTER they are stripped. |
180 |
generate_chk "${ROOT}"/usr/bin/shlibsign "${ROOT}"/usr/$(get_libdir) |
114 |
} |
181 |
} |
|
|
182 |
|
183 |
pkg_postrm() { |
184 |
cleanup_chk "${ROOT}"/usr/$(get_libdir) |
185 |
} |
186 |
|
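Review bot: `generate_chk "${ROOT}"/usr/bin/shlibsign …` (new line 180) executes a binary from the target root on the build host, and when `ROOT` is not `/` that binary may be for another architecture; shlibsign presumably also loads the library it is checksumming, and nothing here points it at `${ROOT}`'s libdir rather than the host's, so the resulting `.chk` may not correspond to the installed `.so` — confirm against shlibsign's behaviour. Because `generate_chk` ends in `die`, a failure here fires after the package has already been merged, leaving NSS installed with no, or stale, `.chk` files. Guard it with `if [[ ${ROOT} == / ]]; then generate_chk /usr/bin/shlibsign /usr/$(get_libdir); else ewarn "ROOT != /, run shlibsign on the target to regenerate NSS .chk files"; fi`, and consider reporting the failure with `eerror` instead of aborting postinst. `cleanup_chk` in `pkg_postrm` only removes a `.chk` when its `.so` is already gone, so on an ordinary upgrade the old `.chk` is overwritten by this postinst rather than cleaned up; a one-line comment stating that ordering would help.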