--- nss-3.12.6-r1.ebuild 2010-06-13 14:10:53.000000000 -0700 +++ nss-3.12.6-r1.ebuild 2010-06-13 17:04:29.000000000 -0700 @@ -69,13 +69,59 @@ emake -j1 CC="$(tc-getCC)" || die "nss make failed" } +# Altering these 3 libraries breaks the CHK verification. +# All of the following cause it to break: +# - stripping +# - prelink +# - ELF signing +# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html +# Either we have to NOT strip them, or we have to forcibly resign after +# stripping. +#local_libdir="$(get_libdir)" +#export STRIP_MASK=" +# */${local_libdir}/libfreebl3.so* +# */${local_libdir}/libnssdbm3.so* +# */${local_libdir}/libsoftokn3.so*" + +export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3" + +generate_chk() { + local shlibsign="$1" + local libdir="$2" + einfo "Resigning core NSS libraries for FIPS validation" + shift 2 + for i in ${NSS_CHK_SIGN_LIBS} ; do + local libname=lib${i}.so + local chkname=lib${i}.chk + "${shlibsign}" \ + -i "${libdir}"/${libname} \ + -o "${libdir}"/${chkname}.tmp \ + && mv -f \ + "${libdir}"/${chkname}.tmp \ + "${libdir}"/${chkname} \ + || die "Failed to sign ${libname}" + done +} + +cleanup_chk() { + local libdir="$1" + shift 1 + for i in ${NSS_CHK_SIGN_LIBS} ; do + local libfname="${libdir}/lib${i}.so" + # If the major version has changed, then we have old chk files. + [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \ + && rm -f "${libfname}.chk" + done +} + src_install () { MINOR_VERSION=12 cd "${S}"/mozilla/security/dist dodir /usr/$(get_libdir) cp -L */lib/*.so "${D}"/usr/$(get_libdir) || die "copying shared libs failed" - cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed" + # We generate these after stripping the libraries, else they don't match. + #cp -L */lib/*.chk "${D}"/usr/$(get_libdir) || die "copying chk files failed" cp -L */lib/libcrmf.a "${D}"/usr/$(get_libdir) || die "copying libs failed" # Install nss-config and pkgconfig file @@ -93,15 +139,34 @@ ln -s ${file}.${MINOR_VERSION} ${file} done + local nssutils + # Always enabled because we need it for chk generation. + nssutils="shlibsign" if use utils; then - local nssutils - nssutils="certutil crlutil cmsutil modutil pk12util signtool signver ssltap addbuiltin" - - cd "${S}"/mozilla/security/dist/*/bin/ - for f in $nssutils; do - dobin ${f} - done + # The tests we do not need to install. + #nssutils_test="bltest crmftest dbtest dertimetest + #fipstest remtest sdrtest" + nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert + cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit + nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode + pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt + symkeyutil tstclnt vfychain vfyserv" fi + cd "${S}"/mozilla/security/dist/*/bin/ + for f in $nssutils; do + dobin ${f} + done + + # Prelink breaks the CHK files. We don't have any reliable way to run + # shlibsign after prelink. + declare -a libs + for l in ${NSS_CHK_SIGN_LIBS} ; do + libs+=("/usr/$(get_libdir)/lib${l}.so") + done + OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}" + echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" + unset libs liblist + doenvd "${T}/90nss" } pkg_postinst() { @@ -111,4 +176,11 @@ elog "not run please re-emerge package to ensure it properly" elog " links after upgrade." elog + # We must re-sign the libraries AFTER they are stripped. + generate_chk "${ROOT}"/usr/bin/shlibsign "${ROOT}"/usr/$(get_libdir) } + +pkg_postrm() { + cleanup_chk "${ROOT}"/usr/$(get_libdir) +} +