diff --git a/nss-freebl-kernelfipsmode b/nss-freebl-kernelfipsmode
new file mode 100644
index 0000000..1ddcd13
--- /dev/null
+++ b/nss-freebl-kernelfipsmode
@@ -0,0 +1,42 @@
+diff -up ./mozilla/security/nss/lib/freebl/nsslowhash.c.kernelfipsmode ./mozilla/security/nss/lib/freebl/nsslowhash.c
+--- ./mozilla/security/nss/lib/freebl/nsslowhash.c.kernelfipsmode 2008-11-27 16:20:44.000000000 +0100
++++ ./mozilla/security/nss/lib/freebl/nsslowhash.c 2009-04-14 22:58:19.000000000 +0200
+@@ -267,6 +267,27 @@ struct NSSLOWHASHContextStr {
+
+ };
+
++static int nsslow_GetFIPSEnabled(void) {
++#ifdef LINUX
++ FILE *f;
++ char d;
++ size_t size;
++
++ f = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (!f)
++ return 0;
++
++ size = fread(&d, 1, 1, f);
++ fclose(f);
++ if (size != 1)
++ return 0;
++ if (d != '1')
++ return 0;
++#endif
++ return 1;
++}
++
++
+ static int post = 0;
+
+ static NSSLOWInitContext dummyContext = { 0 };
+@@ -284,7 +305,9 @@ NSSLOW_Init(void)
+
+
+ if (!post) {
+- crv = freebl_fipsPowerUpSelfTest();
++ crv = CKR_OK;
++ if (nsslow_GetFIPSEnabled())
++ crv = freebl_fipsPowerUpSelfTest();
+ if (crv != CKR_OK) {
+ return NULL;
+ }
diff --git a/nss.spec b/nss.spec
index 7e116c3..edadf00 100644
--- a/nss.spec
+++ b/nss.spec
@@ -4,7 +4,7 @@
 Summary: Network Security Services
 Name: nss
 Version: 3.12.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -36,6 +36,7 @@ Patch4: nss-pem-bug483855.patch
 Patch5: nss-pem-bug429175.patch
 Patch6: nss-enable-pem.patch
 Patch7: nss-disable-freebl-execstack.patch
+Patch8: nss-freebl-kernelfipsmode
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -107,6 +108,7 @@ low level services.
 %patch5 -p0 -b .429175
 %patch6 -p0 -b .libpem
 %patch7 -p1
+%patch8 -p1
 %build
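Review bot: In `nsslow_GetFIPSEnabled`, every failure to read `/proc/sys/crypto/fips_enabled` returns 0, so on a FIPS-enabled kernel a transient `fopen` error (descriptor exhaustion, a denied read) or a short `fread` silently skips `freebl_fipsPowerUpSelfTest()` in `NSSLOW_Init`. Failing closed is safer: treat only a missing file as "FIPS off", e.g. `if (!f) return errno != ENOENT;`, and return 1 rather than 0 when `size != 1`. That needs `<errno.h>`, and the include list of nsslowhash.c is outside the hunk, as is the rest of `NSSLOW_Init`. The helper also deserves a contract comment, for example `/* Returns 1 when the power-up self-test must run: always on non-Linux builds, on Linux only when the kernel reports fips_enabled == 1. */`, because the unconditional `return 1` after `#endif` is easy to misread.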
@@ -230,6 +232,14 @@ killall $RANDSERV || :
 #fi
 #echo "test suite completed"
+# Produce .chk files for the final stripped binaries
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libsoftokn3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
+%{nil}
 %install
@@ -248,11 +258,9 @@ do
 ln -sf ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
 done
-# These ghost files will be generated in the post step
 # Make sure chk files can be found in both places
 for file in libsoftokn3.chk libfreebl3.chk
 do
- touch $RPM_BUILD_ROOT/%{_lib}/$file
 ln -s ../../%{_lib}/$file $RPM_BUILD_ROOT/%{_libdir}/$file
 done
@@ -295,8 +303,6 @@ done
 %post
 /sbin/ldconfig >/dev/null 2>/dev/null
-%{unsupported_tools_directory}/shlibsign -i /%{_lib}/libsoftokn3.so >/dev/null 2>/dev/null
-%{unsupported_tools_directory}/shlibsign -i /%{_lib}/libfreebl3.so >/dev/null 2>/dev/null
 %postun
@@ -311,11 +317,10 @@ done
 /%{_lib}/libssl3.so
 /%{_lib}/libsmime3.so
 /%{_lib}/libsoftokn3.so
+/%{_lib}/libsoftokn3.chk
 /%{_lib}/libnssckbi.so
 /%{_lib}/libnsspem.so
 %{unsupported_tools_directory}/shlibsign
-%ghost /%{_lib}/libsoftokn3.chk
-%ghost /%{_lib}/libfreebl3.chk
 %dir %{_libdir}/nss
 %dir %{unsupported_tools_directory}
 %dir %{_sysconfdir}/pki/nssdb
@@ -327,6 +332,7 @@ done
 %files softokn-freebl
 /%{_lib}/libfreebl3.so
+/%{_lib}/libfreebl3.chk
 %files tools
 %defattr(-,root,root)
@@ -470,6 +476,10 @@ done
 %changelog
+* Tue Apr 14 2009 Kai Engert - 3.12.3-3
+- ship .chk files instead of running shlibsign at install time
+- include .chk file in softokn-freebl subpackage
+- add patch for upstream nss bug 488350
 * Tue Apr 14 2009 Kai Engert - 3.12.3-2
 - Update to NSS 3.12.3
 * Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-7
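Review bot: The `%define __spec_install_post` override in the `-230,6` hunk re-lists by hand what appear to be the distribution's default post-install stages, so a stage added to the default later would be dropped silently, and nothing states that the two `shlibsign -i` calls have to stay last. I would extend the comment above the macro, for example `# shlibsign must run after every step that rewrites the .so files (debuginfo extraction, strip); a library changed after signing no longer matches its .chk`. The same holds on the installed system: anything that rewrites libsoftokn3.so or libfreebl3.so leaves the shipped .chk stale, which is presumably what the FIPS power-up self-test checks. The hunk also executes the freshly built shlibsign from $RPM_BUILD_ROOT, and which NSS libraries it resolves at that point is not visible here and is worth confirming.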