[nss-softokn/f16: 11/12] - Bug 757005 Build nss-softokn for rhel 7
Elio Maldonado
emaldonado at fedoraproject.org
Wed Dec 7 00:30:58 UTC 2011
commit 3f48075dc9fbdcdc6a0999999495a98d06249801
Author: Elio Maldonado <emaldona at redhat.com>
Date: Tue Dec 6 16:02:26 2011 -0800
- Bug 757005 Build nss-softokn for rhel 7
- Make it as similar to nss-softokn-3.12.9 from rhel 6.2 as possible
- Add a patch so we can build with Linux 3 and higher
- It is meant to work with nss and nss-util 3.1.3.1
- Download only the 3.12.9 sources from the lookaside cache
.gitignore | 1 -
add-relro-linker-option.patch | 16 ++
drbg.patch | 481 +++++++++++++++++++++++++++++++++++++
linux3.patch | 31 +++
nss-softokn-3.12.4-fips-fix.patch | 11 +
nss-softokn-3.12.4-prelink.patch | 290 +++++++++++++++++++++--
nss-softokn-710298.patch | 14 +
nss-softokn-748524.patch | 157 ++++++++++++
nss-softokn.spec | 72 ++++--
nss-split-softokn.sh | 98 +++-----
sources | 1 -
11 files changed, 1069 insertions(+), 103 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 8cffd6d..dc1007b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
nss-softokn-3.12.9-stripped.tar.bz2
-nss-softokn-3.13.1-stripped.tar.bz2
diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch
new file mode 100644
index 0000000..05758f7
--- /dev/null
+++ b/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
+--- mozilla/security/coreconf/Linux.mk.relro 2010-08-12 18:32:29.000000000 -0700
++++ mozilla/security/coreconf/Linux.mk 2011-09-27 16:12:22.234743170 -0700
+@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
+ endif
+ endif
+
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+
diff --git a/drbg.patch b/drbg.patch
new file mode 100644
index 0000000..9f120d1
--- /dev/null
+++ b/drbg.patch
@@ -0,0 +1,481 @@
+Index: ./mozilla/security/nss/lib/freebl/drbg.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/freebl/drbg.c,v
+retrieving revision 1.9
+diff -u -p -r1.9 drbg.c
+--- ./mozilla/security/nss/lib/freebl/drbg.c 10 Jun 2009 03:24:01 -0000 1.9
++++ ./mozilla/security/nss/lib/freebl/drbg.c 24 Oct 2011 23:59:03 -0000
+@@ -67,7 +67,6 @@ static const PRInt64 PRNG_MAX_ADDITIONAL
+ * PRNG_MAX_ADDITIONAL_BYTES
+ */
+
+-
+ /* RESEED_COUNT is how many calls to the prng before we need to reseed
+ * under normal NIST rules, you must return an error. In the NSS case, we
+ * self-reseed with RNG_SystemRNG(). Count can be a large number. For code
+@@ -192,8 +191,14 @@ prng_Hash_df(PRUint8 *requested_bytes, u
+ * normal operation, NSS calculates them all together in a single call.
+ */
+ static SECStatus
+-prng_instantiate(RNGContext *rng, PRUint8 *bytes, unsigned int len)
++prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
+ {
++ if (len < PRNG_SEEDLEN) {
++ /* if the seedlen is to small, it's probably because we failed to get
++ * enough random data */
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ return SECFailure;
++ }
+ prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0);
+ rng->V_type = prngCGenerateType;
+ prng_Hash_df(rng->C,sizeof rng->C,rng->V_Data,sizeof rng->V_Data,NULL,0);
+@@ -209,8 +214,7 @@ prng_instantiate(RNGContext *rng, PRUint
+ *
+ * If entropy is NULL, it is fetched from the noise generator.
+ */
+-static
+-SECStatus
++static SECStatus
+ prng_reseed(RNGContext *rng, const PRUint8 *entropy, unsigned int entropy_len,
+ const PRUint8 *additional_input, unsigned int additional_input_len)
+ {
+@@ -233,6 +237,12 @@ prng_reseed(RNGContext *rng, const PRUin
+ PORT_Memcpy(&noise[sizeof rng->V_Data],entropy, entropy_len);
+ }
+
++ if (entropy_len < 256/PR_BITS_PER_BYTE) {
++ /* noise == &noiseData[0] at this point, so nothing to free */
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ return SECFailure;
++ }
++
+ rng->V_type = prngReseedType;
+ PORT_Memcpy(noise, rng->V_Data, sizeof rng->V_Data);
+ prng_Hash_df(V(rng), VSize(rng), noise, (sizeof rng->V_Data) + entropy_len,
+@@ -249,6 +259,29 @@ prng_reseed(RNGContext *rng, const PRUin
+ return SECSuccess;
+ }
+
++SECStatus PRNGTEST_RunHealthTests();
++
++/*
++ * SP 800-90 requires we rerun our health tests on reseed
++ */
++static SECStatus
++prng_reseed_test(RNGContext *rng, const PRUint8 *entropy,
++ unsigned int entropy_len, const PRUint8 *additional_input,
++ unsigned int additional_input_len)
++{
++ SECStatus rv;
++
++ /* do health checks in FIPS mode */
++ rv = PRNGTEST_RunHealthTests();
++ if (rv != SECSuccess) {
++ /* error set by PRNGTEST_RunHealTests() */
++ rng->isValid = PR_FALSE;
++ return SECFailure;
++ }
++ return prng_reseed(rng, entropy, entropy_len,
++ additional_input, additional_input_len);
++}
++
+ /*
+ * build some fast inline functions for adding.
+ */
+@@ -380,6 +413,8 @@ static PRStatus rng_init(void)
+ {
+ PRUint8 bytes[PRNG_SEEDLEN*2]; /* entropy + nonce */
+ unsigned int numBytes;
++ SECStatus rv = SECSuccess;
++
+ if (globalrng == NULL) {
+ /* bytes needs to have enough space to hold
+ * a SHA256 hash value. Blow up at compile time if this isn't true */
+@@ -403,9 +438,9 @@ static PRStatus rng_init(void)
+ * prng_instantiate gets a new clean state, we want to mix
+ * any previous entropy we may have collected */
+ if (V(globalrng)[0] == 0) {
+- prng_instantiate(globalrng, bytes, numBytes);
++ rv = prng_instantiate(globalrng, bytes, numBytes);
+ } else {
+- prng_reseed(globalrng, bytes, numBytes, NULL, 0);
++ rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0);
+ }
+ memset(bytes, 0, numBytes);
+ } else {
+@@ -414,6 +449,10 @@ static PRStatus rng_init(void)
+ globalrng = NULL;
+ return PR_FAILURE;
+ }
++
++ if (rv != SECSuccess) {
++ return PR_FAILURE;
++ }
+ /* the RNG is in a valid state */
+ globalrng->isValid = PR_TRUE;
+
+@@ -520,7 +559,7 @@ RNG_RandomUpdate(const void *data, size_
+ /* if we're passed more than our additionalDataCache, simply
+ * call reseed with that data */
+ if (bytes > sizeof (globalrng->additionalDataCache)) {
+- rv = prng_reseed(globalrng, NULL, 0, data, (unsigned int) bytes);
++ rv = prng_reseed_test(globalrng, NULL, 0, data, (unsigned int) bytes);
+ /* if we aren't going to fill or overflow the buffer, just cache it */
+ } else if (bytes < ((sizeof globalrng->additionalDataCache)
+ - globalrng->additionalAvail)) {
+@@ -545,7 +584,8 @@ RNG_RandomUpdate(const void *data, size_
+ bytes -= bufRemain;
+ }
+ /* reseed from buffer */
+- rv = prng_reseed(globalrng, NULL, 0, globalrng->additionalDataCache,
++ rv = prng_reseed_test(globalrng, NULL, 0,
++ globalrng->additionalDataCache,
+ sizeof globalrng->additionalDataCache);
+
+ /* copy the rest into the cache */
+@@ -584,7 +624,7 @@ prng_GenerateGlobalRandomBytes(RNGContex
+ * don't produce any data.
+ */
+ if (rng->reseed_counter[0] >= RESEED_VALUE) {
+- rv = prng_reseed(rng, NULL, 0, NULL, 0);
++ rv = prng_reseed_test(rng, NULL, 0, NULL, 0);
+ PZ_Unlock(rng->lock);
+ if (rv != SECSuccess) {
+ return rv;
+@@ -641,7 +681,7 @@ RNG_RNGShutdown(void)
+ PORT_Assert(globalrng != NULL);
+ if (globalrng == NULL) {
+ /* Should set a "not initialized" error code. */
+- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return;
+ }
+ /* clear */
+@@ -669,9 +709,17 @@ PRNGTEST_Instantiate(const PRUint8 *entr
+ const PRUint8 *personal_string, unsigned int ps_len)
+ {
+ int bytes_len = entropy_len + nonce_len + ps_len;
+- PRUint8 *bytes = PORT_Alloc(bytes_len);
++ PRUint8 *bytes = NULL;
++ SECStatus rv;
+
++ if (entropy_len < 256/PR_BITS_PER_BYTE) {
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ return SECFailure;
++ }
++
++ bytes = PORT_Alloc(bytes_len);
+ if (bytes == NULL) {
++ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ /* concatenate the various inputs, internally NSS only instantiates with
+@@ -687,9 +735,12 @@ PRNGTEST_Instantiate(const PRUint8 *entr
+ } else {
+ PORT_Assert(ps_len == 0);
+ }
+- prng_instantiate(&testContext, bytes, bytes_len);
+- testContext.isValid = PR_TRUE;
++ rv = prng_instantiate(&testContext, bytes, bytes_len);
+ PORT_ZFree(bytes, bytes_len);
++ if (rv == SECFailure) {
++ return SECFailure;
++ }
++ testContext.isValid = PR_TRUE;
+ return SECSuccess;
+ }
+
+@@ -701,6 +752,13 @@ PRNGTEST_Reseed(const PRUint8 *entropy,
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
++ /* This magic input tells us to set the reseed count to it's max count,
++ * so we can simulate PRNGTEST_Generate reaching max reseed count */
++ if ((entropy == NULL) && (entropy_len == 0) &&
++ (additional == NULL) && (additional_len == 0)) {
++ testContext.reseed_counter[0] = RESEED_VALUE;
++ return SECSuccess;
++ }
+ return prng_reseed(&testContext, entropy, entropy_len, additional,
+ additional_len);
+
+@@ -710,10 +768,18 @@ SECStatus
+ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
+ const PRUint8 *additional, unsigned int additional_len)
+ {
++ SECStatus rv;
+ if (!testContext.isValid) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
++ /* replicate reseed test from prng_GenerateGlobalRandomBytes */
++ if (testContext.reseed_counter[0] >= RESEED_VALUE) {
++ rv = prng_reseed(&testContext, NULL, 0, NULL, 0);
++ if (rv != SECSuccess) {
++ return rv;
++ }
++ }
+ return prng_generateNewBytes(&testContext, bytes, bytes_len,
+ additional, additional_len);
+
+@@ -722,8 +788,165 @@ PRNGTEST_Generate(PRUint8 *bytes, unsign
+ SECStatus
+ PRNGTEST_Uninstantiate()
+ {
++ if (!testContext.isValid) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
+ PORT_Memset(&testContext, 0, sizeof testContext);
+ return SECSuccess;
+ }
+
++SECStatus
++PRNGTEST_RunHealthTests()
++{
++ static const PRUint8 entropy[] = {
++ 0x8e,0x9c,0x0d,0x25,0x75,0x22,0x04,0xf9,
++ 0xc5,0x79,0x10,0x8b,0x23,0x79,0x37,0x14,
++ 0x9f,0x2c,0xc7,0x0b,0x39,0xf8,0xee,0xef,
++ 0x95,0x0c,0x97,0x59,0xfc,0x0a,0x85,0x41,
++ 0x76,0x9d,0x6d,0x67,0x00,0x4e,0x19,0x12,
++ 0x02,0x16,0x53,0xea,0xf2,0x73,0xd7,0xd6,
++ 0x7f,0x7e,0xc8,0xae,0x9c,0x09,0x99,0x7d,
++ 0xbb,0x9e,0x48,0x7f,0xbb,0x96,0x46,0xb3,
++ 0x03,0x75,0xf8,0xc8,0x69,0x45,0x3f,0x97,
++ 0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c };
++ static const PRUint8 rng_known_result[] = {
++ 0x16,0xe1,0x8c,0x57,0x21,0xd8,0xf1,0x7e,
++ 0x5a,0xa0,0x16,0x0b,0x7e,0xa6,0x25,0xb4,
++ 0x24,0x19,0xdb,0x54,0xfa,0x35,0x13,0x66,
++ 0xbb,0xaa,0x2a,0x1b,0x22,0x33,0x2e,0x4a,
++ 0x14,0x07,0x9d,0x52,0xfc,0x73,0x61,0x48,
++ 0xac,0xc1,0x22,0xfc,0xa4,0xfc,0xac,0xa4,
++ 0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3 };
++ static const PRUint8 reseed_entropy[] = {
++ 0xc6,0x0b,0x0a,0x30,0x67,0x07,0xf4,0xe2,
++ 0x24,0xa7,0x51,0x6f,0x5f,0x85,0x3e,0x5d,
++ 0x67,0x97,0xb8,0x3b,0x30,0x9c,0x7a,0xb1,
++ 0x52,0xc6,0x1b,0xc9,0x46,0xa8,0x62,0x79 };
++ static const PRUint8 additional_input[] = {
++ 0x86,0x82,0x28,0x98,0xe7,0xcb,0x01,0x14,
++ 0xae,0x87,0x4b,0x1d,0x99,0x1b,0xc7,0x41,
++ 0x33,0xff,0x33,0x66,0x40,0x95,0x54,0xc6,
++ 0x67,0x4d,0x40,0x2a,0x1f,0xf9,0xeb,0x65 };
++ static const PRUint8 rng_reseed_result[] = {
++ 0x02,0x0c,0xc6,0x17,0x86,0x49,0xba,0xc4,
++ 0x7b,0x71,0x35,0x05,0xf0,0xdb,0x4a,0xc2,
++ 0x2c,0x38,0xc1,0xa4,0x42,0xe5,0x46,0x4a,
++ 0x7d,0xf0,0xbe,0x47,0x88,0xb8,0x0e,0xc6,
++ 0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96,
++ 0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61,
++ 0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 };
++ static const PRUint8 rng_no_reseed_result[] = {
++ 0xc4,0x40,0x41,0x8c,0xbf,0x2f,0x70,0x23,
++ 0x88,0xf2,0x7b,0x30,0xc3,0xca,0x1e,0xf3,
++ 0xef,0x53,0x81,0x5d,0x30,0xed,0x4c,0xf1,
++ 0xff,0x89,0xa5,0xee,0x92,0xf8,0xc0,0x0f,
++ 0x88,0x53,0xdf,0xb6,0x76,0xf0,0xaa,0xd3,
++ 0x2e,0x1d,0x64,0x37,0x3e,0xe8,0x4a,0x02,
++ 0xff,0x0a,0x7f,0xe5,0xe9,0x2b,0x6d };
++
++ SECStatus rng_status = SECSuccess;
++ PR_STATIC_ASSERT(sizeof(rng_known_result) >= sizeof(rng_reseed_result));
++ PRUint8 result[sizeof(rng_known_result)];
++
++ /********************************************/
++ /* First test instantiate error path. */
++ /* In this case we supply enough entropy, */
++ /* but not enough seed. This will trigger */
++ /* the code that checks for a entropy */
++ /* source failure. */
++ /********************************************/
++ rng_status = PRNGTEST_Instantiate(entropy, 256/PR_BITS_PER_BYTE,
++ NULL, 0, NULL, 0);
++ if (rng_status == SECSuccess) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ /* we failed with the proper error code, we can continue */
+
++ /********************************************/
++ /* Generate random bytes with a known seed. */
++ /********************************************/
++ rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy,
++ NULL, 0, NULL, 0);
++ if (rng_status != SECSuccess) {
++ /* Error set by PRNGTEST_Instantiate */
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Generate(result, sizeof rng_known_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ ( PORT_Memcmp( result, rng_known_result,
++ sizeof rng_known_result ) != 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof reseed_entropy,
++ additional_input, sizeof additional_input);
++ if (rng_status != SECSuccess) {
++ /* Error set by PRNG_Reseed */
++ PRNGTEST_Uninstantiate();
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ ( PORT_Memcmp( result, rng_reseed_result,
++ sizeof rng_reseed_result ) != 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ /* This magic forces the reseed count to it's max count, so we can see if
++ * PRNGTEST_Generate will actually when it reaches it's count */
++ rng_status = PRNGTEST_Reseed(NULL, 0, NULL, 0);
++ if (rng_status != SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ /* Error set by PRNG_Reseed */
++ return SECFailure;
++ }
++ /* This generate should now reseed */
++ rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ /* NOTE we fail if the result is equal to the no_reseed_result.
++ * no_reseed_result is the value we would have gotten if we didn't
++ * do an automatic reseed in PRNGTEST_Generate */
++ ( PORT_Memcmp( result, rng_no_reseed_result,
++ sizeof rng_no_reseed_result ) == 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ /* make sure reseed fails when we don't supply enough entropy */
++ rng_status = PRNGTEST_Reseed(reseed_entropy, 4, NULL, 0);
++ if (rng_status == SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Uninstantiate();
++ if (rng_status != SECSuccess) {
++ /* Error set by PRNG_Uninstantiate */
++ return rng_status;
++ }
++ /* make sure uninstantiate fails if the contest is not initiated (also tests
++ * if the context was cleared in the previous Uninstantiate) */
++ rng_status = PRNGTEST_Uninstantiate();
++ if (rng_status == SECSuccess) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) {
++ return rng_status;
++ }
++
++ return SECSuccess;
++}
+Index: ./mozilla/security/nss/lib/softoken/fipstest.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/fipstest.c,v
+retrieving revision 1.27
+diff -u -p -r1.27 fipstest.c
+--- ./mozilla/security/nss/lib/softoken/fipstest.c 19 Jun 2009 23:05:48 -0000 1.27
++++ ./mozilla/security/nss/lib/softoken/fipstest.c 24 Oct 2011 23:59:05 -0000
+@@ -1963,6 +1963,15 @@ sftk_fips_RNG_PowerUpSelfTest( void )
+ 0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96,
+ 0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61,
+ 0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 };
++ static const PRUint8 rng_no_reseed_result[] = {
++ 0xc4,0x40,0x41,0x8c,0xbf,0x2f,0x70,0x23,
++ 0x88,0xf2,0x7b,0x30,0xc3,0xca,0x1e,0xf3,
++ 0xef,0x53,0x81,0x5d,0x30,0xed,0x4c,0xf1,
++ 0xff,0x89,0xa5,0xee,0x92,0xf8,0xc0,0x0f,
++ 0x88,0x53,0xdf,0xb6,0x76,0xf0,0xaa,0xd3,
++ 0x2e,0x1d,0x64,0x37,0x3e,0xe8,0x4a,0x02,
++ 0xff,0x0a,0x7f,0xe5,0xe9,0x2b,0x6d };
++
+ static const PRUint8 Q[] = {
+ 0x85,0x89,0x9c,0x77,0xa3,0x79,0xff,0x1a,
+ 0x86,0x6f,0x2f,0x3e,0x2e,0xf9,0x8c,0x9c,
+@@ -1986,6 +1995,23 @@ sftk_fips_RNG_PowerUpSelfTest( void )
+ PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH];
+
+ /********************************************/
++ /* First test instantiate error path. */
++ /* In this case we supply enough entropy, */
++ /* but not enough seed. This will trigger */
++ /* the code that checks for a entropy */
++ /* source failure. */
++ /********************************************/
++ rng_status = PRNGTEST_Instantiate(entropy, 256/PR_BITS_PER_BYTE,
++ NULL, 0, NULL, 0);
++ if (rng_status == SECSuccess) {
++ return (CKR_DEVICE_ERROR);
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ return (CKR_DEVICE_ERROR);
++ }
++ /* we failed with the proper error code, we can continue */
++
++ /********************************************/
+ /* Generate random bytes with a known seed. */
+ /********************************************/
+ rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy,
+@@ -2013,10 +2039,47 @@ sftk_fips_RNG_PowerUpSelfTest( void )
+ PRNGTEST_Uninstantiate();
+ return ( CKR_DEVICE_ERROR );
+ }
++ /* This magic forces the reseed count to it's max count, so we can see if
++ * PRNGTEST_Generate will actually when it reaches it's count */
++ rng_status = PRNGTEST_Reseed(NULL, 0, NULL, 0);
++ if (rng_status != SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ return ( CKR_DEVICE_ERROR );
++ }
++ /* This generate should now reseed */
++ rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ /* NOTE we fail if the result is equal to the no_reseed_result.
++ * no_reseed_result is the value we would have gotten if we didn't
++ * do an automatic reseed in PRNGTEST_Generate */
++ ( PORT_Memcmp( result, rng_no_reseed_result,
++ sizeof rng_no_reseed_result ) == 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ return ( CKR_DEVICE_ERROR );
++ }
++ /* make sure reseed fails when we don't supply enough entropy */
++ rng_status = PRNGTEST_Reseed(reseed_entropy, 4, NULL, 0);
++ if (rng_status == SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ return ( CKR_DEVICE_ERROR );
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ PRNGTEST_Uninstantiate();
++ return (CKR_DEVICE_ERROR);
++ }
+ rng_status = PRNGTEST_Uninstantiate();
+ if (rng_status != SECSuccess) {
+ return ( CKR_DEVICE_ERROR );
+ }
++ /* make sure uninstantiate fails if the contest is not initiated (also tests
++ * if the context was cleared in the previous Uninstantiate) */
++ rng_status = PRNGTEST_Uninstantiate();
++ if (rng_status == SECSuccess) {
++ return ( CKR_DEVICE_ERROR );
++ }
++ if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) {
++ return ( CKR_DEVICE_ERROR );
++ }
+
+ /*******************************************/
+ /* Generate DSAX fow given Q. */
diff --git a/linux3.patch b/linux3.patch
new file mode 100644
index 0000000..c09ed08
--- /dev/null
+++ b/linux3.patch
@@ -0,0 +1,31 @@
+diff -up ./mozilla/security/coreconf/config.mk.linux3 ./mozilla/security/coreconf/config.mk
+--- ./mozilla/security/coreconf/config.mk.linux3 2011-12-02 08:55:14.583384570 -0800
++++ ./mozilla/security/coreconf/config.mk 2011-12-02 08:55:46.116383662 -0800
+@@ -63,7 +63,7 @@ endif
+ #######################################################################
+
+ TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
+- AIX RISCOS WINNT WIN95 WINCE
++ AIX RISCOS WINNT WIN95 WINCE Linux
+
+ ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
+ include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
+diff -up ./mozilla/security/coreconf/Linux.mk.linux3 ./mozilla/security/coreconf/Linux.mk
+--- ./mozilla/security/coreconf/Linux.mk.linux3 2011-12-02 08:53:47.271386407 -0800
++++ ./mozilla/security/coreconf/Linux.mk 2011-12-02 08:54:48.356384973 -0800
+@@ -198,3 +198,15 @@ RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/pr
+ endif
+ endif
+
++OS_REL_CFLAGS += -DLINUX2_1
++MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
++
++ifdef MAPFILE
++ MKSHLIB += -Wl,--version-script,$(MAPFILE)
++endif
++PROCESS_MAP_FILE = grep -v ';-' $< | \
++ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
++
++ifeq ($(OS_RELEASE),2.4)
++DEFINES += -DNO_FORK_CHECK
++endif
diff --git a/nss-softokn-3.12.4-fips-fix.patch b/nss-softokn-3.12.4-fips-fix.patch
new file mode 100644
index 0000000..05ae9cb
--- /dev/null
+++ b/nss-softokn-3.12.4-fips-fix.patch
@@ -0,0 +1,11 @@
+--- ./mozilla/security/nss/lib/freebl/nsslowhash.c 2010-05-08 18:02:39.592248982 +0300
++++ ./mozilla/security/nss/lib/freebl/nsslowhash.c.fix 2010-05-08 18:01:45.564454513 +0300
+@@ -275,7 +275,7 @@ static int nsslow_GetFIPSEnabled(void) {
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+- return 1;
++ return 0;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
diff --git a/nss-softokn-3.12.4-prelink.patch b/nss-softokn-3.12.4-prelink.patch
index 07358c6..5f2e46f 100644
--- a/nss-softokn-3.12.4-prelink.patch
+++ b/nss-softokn-3.12.4-prelink.patch
@@ -1,18 +1,250 @@
-diff -up mozilla/security/nss/lib/freebl/stubs.c.prelink mozilla/security/nss/lib/freebl/stubs.c
---- mozilla/security/nss/lib/freebl/stubs.c.prelink 2011-03-29 18:20:12.000000000 -0700
-+++ mozilla/security/nss/lib/freebl/stubs.c 2011-10-07 10:02:54.851452105 -0700
-@@ -156,6 +156,7 @@ STUB_DECLARE(void,PR_DestroyCondVar,(PRC
- STUB_DECLARE(void,PR_Free,(void *ptr));
- STUB_DECLARE(char * ,PR_GetLibraryFilePathname,(const char *name,
- PRFuncPtr addr));
+diff -up ./mozilla/security/nss/lib/freebl/Makefile.prelink ./mozilla/security/nss/lib/freebl/Makefile
+--- ./mozilla/security/nss/lib/freebl/Makefile.prelink 2010-09-04 14:13:58.846327263 -0700
++++ ./mozilla/security/nss/lib/freebl/Makefile 2010-09-04 14:15:11.544326993 -0700
+@@ -82,6 +82,12 @@ ifeq ($(FREEBL_NO_DEPEND),1)
+ else
+ MAPFILE_SOURCE = freebl.def
+ endif
++ifdef FREEBL_USE_PRELINK
++ DEFINES += -DFREEBL_USE_PRELINK
++endif
++ifdef FREEBL_PRELINK_COMMAND
++ DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
++endif
+ # NSS_X86 means the target is a 32-bits x86 CPU architecture
+ # NSS_X64 means the target is a 64-bits x64 CPU architecture
+ # NSS_X86_OR_X64 means the target is either x86 or x64
+diff -up ./mozilla/security/nss/lib/freebl/shvfy.c.prelink ./mozilla/security/nss/lib/freebl/shvfy.c
+--- ./mozilla/security/nss/lib/freebl/shvfy.c.prelink 2010-09-04 14:16:01.518326988 -0700
++++ ./mozilla/security/nss/lib/freebl/shvfy.c 2010-09-04 14:25:44.770326384 -0700
+@@ -48,6 +48,168 @@
+ #include "stdio.h"
+ #include "prmem.h"
+
++#ifdef FREEBL_USE_PRELINK
++#ifndef FREELB_PRELINK_COMMAND
++#define FREEBL_PRELINK_COMMAND "/usr/sbin/prelink -u -o -"
++#endif
++#include "private/pprio.h"
++
++#include <stdlib.h>
++#include <unistd.h>
++#include <fcntl.h>
++#include <sys/wait.h>
++#include <sys/stat.h>
++
++PRFileDesc *
++bl_OpenUnPrelink(const char *shName, int *pid)
++{
++ char *command= strdup(FREEBL_PRELINK_COMMAND);
++ char *argString = NULL;
++ char **argv = NULL;
++ char *shNameArg = NULL;
++ char *cp;
++ pid_t child;
++ int argc = 0, argNext = 0;
++ struct stat statBuf;
++ int pipefd[2] = {-1,-1};
++ int ret;
++
++ *pid = 0;
++
++ /* make sure the prelink command exists first. If not, fall back to
++ * just reading the file */
++ for (cp = command; *cp ; cp++) {
++ if (*cp == ' ') {
++ *cp++ = 0;
++ argString = cp;
++ break;
++ }
++ }
++ memset (&statBuf, 0, sizeof(statBuf));
++ /* stat the file, follow the link */
++ ret = stat(command, &statBuf);
++ if (ret < 0) {
++ free(command);
++ return PR_Open(shName, PR_RDONLY, 0);
++ }
++ /* file exits, make sure it's an executable */
++ if (!S_ISREG(statBuf.st_mode) ||
++ ((statBuf.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) {
++ free(command);
++ return PR_Open(shName, PR_RDONLY, 0);
++ }
++
++ /* OK, the prelink command exists and looks correct, use it */
++ /* build the arglist while we can still malloc */
++ /* count the args if any */
++ if (argString && *argString) {
++ /* argString may have leading spaces, strip them off*/
++ for (cp = argString; *cp && *cp == ' '; cp++);
++ argString = cp;
++ if (*cp) {
++ /* there is at least one arg.. */
++ argc = 1;
++ }
++
++ /* count the rest: Note there is no provision for escaped
++ * spaces here */
++ for (cp = argString; *cp ; cp++) {
++ if (*cp == ' ') {
++ while (*cp && *cp == ' ') cp++;
++ if (*cp) argc++;
++ }
++ }
++ }
++
++ /* add the additional args: argv[0] (command), shName, NULL*/
++ argc += 3;
++ argv = PORT_NewArray(char *, argc);
++ if (argv == NULL) {
++ goto loser;
++ }
++
++ /* fill in the arglist */
++ argv[argNext++] = command;
++ if (argString && *argString) {
++ argv[argNext++] = argString;
++ for (cp = argString; *cp; cp++) {
++ if (*cp == ' ') {
++ *cp++ = 0;
++ while (*cp && *cp == ' ') cp++;
++ if (*cp) argv[argNext++] = cp;
++ }
++ }
++ }
++ /* exec doesn't advertise taking const char **argv, do the paranoid
++ * copy */
++ shNameArg = strdup(shName);
++ if (shNameArg == NULL) {
++ goto loser;
++ }
++ argv[argNext++] = shNameArg;
++ argv[argNext++] = 0;
++
++ ret = pipe(pipefd);
++ if (ret < 0) {
++ goto loser;
++ }
++
++ /* use vfork() so we don't trigger the pthread_at_fork() handlers */
++ child = vfork();
++ if (child < 0) goto loser;
++ if (child == 0) {
++ /* set up the file descriptors */
++ close(0);
++ /* associate pipefd[1] with stdout */
++ if (pipefd[1] != 1) dup2(pipefd[1], 1);
++ close(2);
++ close(pipefd[0]);
++ /* should probably close the other file descriptors? */
++
++
++ execv(command, argv);
++ /* avoid at_exit() handlers */
++ _exit(1); /* shouldn't reach here except on an error */
++ }
++ close(pipefd[1]);
++ pipefd[1] = -1;
++
++ /* this is safe because either vfork() as full fork() semantics, and thus
++ * already has it's own address space, or because vfork() has paused
++ * the parent util the exec or exit */
++ free(command);
++ free(shNameArg);
++ PORT_Free(argv);
++
++ *pid = child;
++
++ return PR_ImportPipe(pipefd[0]);
++
++loser:
++ if (pipefd[0] != -1) {
++ close(pipefd[0]);
++ }
++ if (pipefd[1] != -1) {
++ close(pipefd[1]);
++ }
++ free(command);
++ free(shNameArg);
++ PORT_Free(argv);
++
++ return NULL;
++}
++
++void
++bl_CloseUnPrelink( PRFileDesc *file, int pid)
++{
++ /* close the file descriptor */
++ PR_Close(file);
++ /* reap the child */
++ if (pid) {
++ waitpid(pid, NULL, 0);
++ }
++}
++#endif
+
+ /* #define DEBUG_SHVERIFY 1 */
+
+@@ -117,6 +279,9 @@ BLAPI_SHVerify(const char *name, PRFuncP
+ SECStatus rv;
+ DSAPublicKey key;
+ int count;
++#ifdef FREEBL_USE_PRELINK
++ int pid = 0;
++#endif
+
+ PRBool result = PR_FALSE; /* if anything goes wrong,
+ * the signature does not verify */
+@@ -197,7 +362,11 @@ BLAPI_SHVerify(const char *name, PRFuncP
+ checkFD = NULL;
+
+ /* open our library file */
++#ifdef FREEBL_USE_PRELINK
++ shFD = bl_OpenUnPrelink(shName,&pid);
++#else
+ shFD = PR_Open(shName, PR_RDONLY, 0);
++#endif
+ if (shFD == NULL) {
+ #ifdef DEBUG_SHVERIFY
+ fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
+@@ -218,7 +387,11 @@ BLAPI_SHVerify(const char *name, PRFuncP
+ SHA1_Update(hashcx, buf, bytesRead);
+ count += bytesRead;
+ }
++#ifdef FREEBL_USE_PRELINK
++ bl_CloseUnPrelink(shFD, pid);
++#else
+ PR_Close(shFD);
++#endif
+ shFD = NULL;
+
+ SHA1_End(hashcx, hash.data, &hash.len, hash.len);
+diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/nss/lib/freebl/stubs.c
+--- ./mozilla/security/nss/lib/freebl/stubs.c.prelink 2010-09-04 14:26:27.454327120 -0700
++++ ./mozilla/security/nss/lib/freebl/stubs.c 2010-09-04 14:31:56.778327428 -0700
+@@ -69,6 +69,7 @@
+ #include <secport.h>
+ #include <secitem.h>
+ #include <blapi.h>
++#include <private/pprio.h>
+
+ #define FREEBL_NO_WEAK 1
+
+@@ -157,6 +158,8 @@ STUB_DECLARE(void,PR_Lock,(PRLock *lock)
+ STUB_DECLARE(PRLock *,PR_NewLock,(void));
+ STUB_DECLARE(PRFileDesc *,PR_Open,(const char *name, PRIntn flags,
+ PRIntn mode));
+STUB_DECLARE(PRFileDesc *,PR_ImportFile,(PROsfd osfd));
- STUB_DECLARE(PRFileDesc *,PR_ImportPipe,(PROsfd osfd));
- STUB_DECLARE(void,PR_Lock,(PRLock *lock));
- STUB_DECLARE(PRCondVar *,PR_NewCondVar,(PRLock *lock));
-@@ -307,6 +308,20 @@ PR_Open_stub(const char *name, PRIntn fl
++STUB_DECLARE(PRFileDesc *,PR_ImportPipe,(PROsfd osfd));
+ STUB_DECLARE(PRInt32,PR_Read,(PRFileDesc *fd, void *buf, PRInt32 amount));
+ STUB_DECLARE(PROffset32,PR_Seek,(PRFileDesc *fd, PROffset32 offset,
+ PRSeekWhence whence));
+@@ -295,6 +298,34 @@ PR_Open_stub(const char *name, PRIntn fl
+ return (PRFileDesc *)lfd;
}
- extern PRFileDesc *
++extern PRFileDesc *
+PR_ImportFile_stub(PROsfd fd)
+{
+ int *lfd = NULL;
@@ -27,14 +259,40 @@ diff -up mozilla/security/nss/lib/freebl/stubs.c.prelink mozilla/security/nss/li
+}
+
+extern PRFileDesc *
- PR_ImportPipe_stub(PROsfd fd)
++PR_ImportPipe_stub(PROsfd fd)
++{
++ int *lfd = NULL;
++
++ STUB_SAFE_CALL1(PR_ImportPipe, fd);
++
++ lfd = PORT_New_stub(int);
++ if (lfd != NULL) {
++ *lfd = fd;
++ }
++ return (PRFileDesc *)lfd;
++}
++
+ extern PRStatus
+ PR_Close_stub(PRFileDesc *fd)
{
- int *lfd = NULL;
-@@ -566,6 +581,7 @@ freebl_InitNSPR(void *lib)
+@@ -492,6 +523,8 @@ freebl_InitNSPR(void *lib)
{
STUB_FETCH_FUNCTION(PR_Free);
STUB_FETCH_FUNCTION(PR_Open);
+ STUB_FETCH_FUNCTION(PR_ImportFile);
- STUB_FETCH_FUNCTION(PR_ImportPipe);
++ STUB_FETCH_FUNCTION(PR_ImportPipe);
STUB_FETCH_FUNCTION(PR_Close);
STUB_FETCH_FUNCTION(PR_Read);
+ STUB_FETCH_FUNCTION(PR_Seek);
+diff -up ./mozilla/security/nss/lib/freebl/stubs.h.prelink ./mozilla/security/nss/lib/freebl/stubs.h
+--- ./mozilla/security/nss/lib/freebl/stubs.h.prelink 2010-09-04 14:26:41.822327256 -0700
++++ ./mozilla/security/nss/lib/freebl/stubs.h 2010-09-04 14:32:53.498540767 -0700
+@@ -78,6 +78,8 @@
+ #define PR_Lock PR_Lock_stub
+ #define PR_NewLock PR_NewLock_stub
+ #define PR_Open PR_Open_stub
++#define PR_ImportFile PR_ImportFile_stub
++#define PR_ImportPipe PR_ImportPipe_stub
+ #define PR_Read PR_Read_stub
+ #define PR_Seek PR_Seek_stub
+ #define PR_Sleep PR_Sleep_stub
diff --git a/nss-softokn-710298.patch b/nss-softokn-710298.patch
new file mode 100644
index 0000000..d847b3f
--- /dev/null
+++ b/nss-softokn-710298.patch
@@ -0,0 +1,14 @@
+diff -up ./mozilla/security/nss/lib/freebl/intel-aes.s.710298 ./mozilla/security/nss/lib/freebl/intel-aes.s
+--- ./mozilla/security/nss/lib/freebl/intel-aes.s.710298 2011-06-14 16:12:37.167353550 -0700
++++ ./mozilla/security/nss/lib/freebl/intel-aes.s 2011-06-14 16:14:14.870654107 -0700
+@@ -1654,8 +1654,8 @@ intel_aes_decrypt_cbc_256:
+ .byte 0x66,0x41,0x0f,0x38,0xdf,0xc8 /* aesdeclast %xmm8, %xmm1 */
+ movdqu 112(%rdi), %xmm8
+ pxor %xmm0, %xmm1
+- movdqu %xmm1, (%rsi, %rax)
+- movdqu (%r8, %rax), %xmm0
++ movdqu (%r8, %rax), %xmm0 /* fetch the IV before we store the block */
++ movdqu %xmm1, (%rsi, %rax) /* in case input buf = output buf */
+ addq $16, %rax
+ cmpq %rax, %r9
+ jne 4b
diff --git a/nss-softokn-748524.patch b/nss-softokn-748524.patch
new file mode 100644
index 0000000..78e0939
--- /dev/null
+++ b/nss-softokn-748524.patch
@@ -0,0 +1,157 @@
+diff -up ./mozilla/security/nss/lib/softoken/sftkmod.c.748524 ./mozilla/security/nss/lib/softoken/sftkmod.c
+--- ./mozilla/security/nss/lib/softoken/sftkmod.c.748524 2011-10-24 10:38:11.144474083 -0700
++++ ./mozilla/security/nss/lib/softoken/sftkmod.c 2011-10-24 10:46:35.482664611 -0700
+@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
+ char *sep;
+
+ sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
+-#ifdef WINDOWS
++#ifdef _WIN32
+ if (!sep) {
+- sep = PORT_Strrchr(dirPath,'/');
++ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
++ sep = PORT_Strrchr(dirPath,'\\');
+ }
+ #endif
+ if (sep) {
+- *(sep)=0;
++ *sep = 0;
++ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
++ } else {
++ file = PR_smprintf("%s", filename);
+ }
+- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+ PORT_Free(dirPath);
+ return file;
+ }
+@@ -242,19 +245,24 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ char *paramsValue=NULL;
+ PRBool failed = PR_TRUE;
+
+- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
++ if ((dbname != NULL) &&
++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
+ }
+
+ moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+ if (moduleList == NULL) return NULL;
+
++ if (dbname == NULL) {
++ goto return_default;
++ }
++
+ /* do we really want to use streams here */
+ fd = fopen(dbname, "r");
+ if (fd == NULL) goto done;
+
+ /*
+- * the following loop takes line separated config lines and colapses
++ * the following loop takes line separated config lines and collapses
+ * the lines to a single string, escaping and quoting as necessary.
+ */
+ /* loop state variables */
+@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ moduleString = NULL;
+ }
+ done:
+- /* if we couldn't open a pkcs11 database, look for the old one */
++ /* If we couldn't open a pkcs11 database, look for the old one.
++ * This is necessary to maintain the semantics of the transition from
++ * old to new DB's. If there is an old DB and not new DB, we will
++ * automatically use the old DB. If the DB was opened read/write, we
++ * create a new db and upgrade it from the old one. */
+ if (fd == NULL) {
+ char *olddbname = sftk_getOldSecmodName(dbname,filename);
+ PRStatus status;
+@@ -462,6 +474,8 @@ bail:
+ PR_smprintf_free(olddbname);
+ }
+ }
++
++return_default:
+
+ if (!moduleList[0]) {
+ char * newParams;
+@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
+ const char *filename, const char *dbname,
+ char **moduleSpecList, PRBool rw)
+ {
+- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
++ if ((dbname != NULL) &&
++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname,
+ moduleSpecList, rw);
+ }
+@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+ PRBool skip = PR_FALSE;
+ PRBool found = PR_FALSE;
+
++ if (dbname == NULL) {
++ return SECFailure;
++ }
++
+ if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
+ }
+@@ -579,7 +598,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+
+
+ /*
+- * the following loop takes line separated config files and colapses
++ * the following loop takes line separated config files and collapses
+ * the lines to a single string, escaping and quoting as necessary.
+ */
+ /* loop state variables */
+@@ -638,6 +657,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+ PORT_Free(dbname2);
+ PORT_Free(lib);
+ PORT_Free(name);
++ PORT_Free(block);
+ return SECSuccess;
+
+ loser:
+@@ -668,6 +688,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
+ char *block = NULL;
+ PRBool libFound = PR_FALSE;
+
++ if (dbname == NULL) {
++ return SECFailure;
++ }
++
+ if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
+ }
+diff -up ./mozilla/security/nss/lib/softoken/sftkpars.c.748524 ./mozilla/security/nss/lib/softoken/sftkpars.c
+--- ./mozilla/security/nss/lib/softoken/sftkpars.c.748524 2011-10-24 10:39:21.697662167 -0700
++++ ./mozilla/security/nss/lib/softoken/sftkpars.c 2011-10-24 10:48:03.369411295 -0700
+@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType
+ char *value = NULL;
+ char *save_params = param;
+ const char *lconfigdir;
++ PRBool noModDB = PR_FALSE;
+ param = sftk_argStrip(param);
+
+
+@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType
+
+ if (sftk_argHasFlag("flags","noModDB",save_params)) {
+ /* there isn't a module db, don't load the legacy support */
++ noModDB = PR_TRUE;
+ *dbType = SDB_SQL;
++ PORT_Free(*filename);
++ *filename = NULL;
+ *rw = PR_FALSE;
+ }
+
+@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType
+ secmodName="pkcs11.txt";
+ }
+
+- if (lconfigdir) {
++ if (noModDB) {
++ value = NULL;
++ } else if (lconfigdir && lconfigdir[0] != '\0') {
+ value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
+ } else {
+ value = PR_smprintf("%s",secmodName);
diff --git a/nss-softokn.spec b/nss-softokn.spec
index e23e3d7..a423b61 100644
--- a/nss-softokn.spec
+++ b/nss-softokn.spec
@@ -1,4 +1,4 @@
-%global nspr_version 4.9
+%global nspr_version 4.8.9
%global nss_name nss
%global nss_util_version 3.13.1
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
@@ -16,8 +16,8 @@
Summary: Network Security Services Softoken Module
Name: nss-softokn
-Version: 3.13.1
-Release: 1%{?dist}
+Version: 3.12.9
+Release: 13%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -49,8 +49,24 @@ Source1: nss-split-softokn.sh
Source2: nss-softokn.pc.in
Source3: nss-softokn-config.in
+Patch1: add-relro-linker-option.patch
+# FIPS 140 remove these two patches once we rebase and
+# can pick up the fixes from upstream
Patch2: nss-softokn-3.12.4-prelink.patch
-Patch4: softoken-minimal-test-dependencies.patch
+Patch3: nss-softokn-3.12.4-fips-fix.patch
+Patch4: nss-softokn-710298.patch
+# Add drbg tests for FIPS validation, patch from upstream
+# see: https://bugzilla.mozilla.org/show_bug.cgi?id=695571
+# Remove this patch when we rebase to nss 3.13.2
+Patch5: drbg.patch
+# Backported from upstream nss 3.13
+# See: https://bugzilla.mozilla.org/show_bug.cgi?id=641052
+# Remove this patch when we rebase to nss 3.13.2
+Patch6: nss-softokn-748524.patch
+Patch7: linux3.patch
+
+#Uncomment when we are ready to enable testing
+#Patch8: softoken-minimal-test-dependencies.patch
%description
Network Security Services Softoken Cryptographic Module
@@ -100,14 +116,17 @@ Header and Library files for doing development with Network Security Services.
%prep
%setup -q
-#cp ./mozilla/security/nss/lib/util/seccomon.h ./mozilla/security/nss/freebl
-
+%patch1 -p0 -b .relro
%patch2 -p0 -b .prelink
-# FIXME uncomment these when we are ready
-# to resume testing of part of the build
-%patch4 -p0 -b .crypto
+%patch3 -p0 -b .fipsfix
+%patch4 -p0 -b .710298
+%patch5 -p0 -b .747053
+%patch6 -p0 -b .748524
+%patch7 -p0 -b .linux3
-#rm -rf ./mozilla/security/nss/lib/util
+# FIXME uncomment when we are ready to
+# resume testing of part of the build
+#%patch8 -p0 -b .crypto
%build
@@ -226,7 +245,7 @@ if [ $SPACEISBAD -ne 0 ]; then
fi
rm -rf ./mozilla/tests_results
-cd ./mozilla/security/nss/tests/
+#cd ./mozilla/security/nss/tests/
# all.sh is the test suite script
# only run cipher tests for nss-softokn
@@ -235,9 +254,9 @@ cd ./mozilla/security/nss/tests/
%global nss_ssl_tests " "
%global nss_ssl_run " "
-HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+#HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
-cd ../../../../
+#cd ../../../../
#killall $RANDSERV || :
@@ -374,9 +393,27 @@ done
%{_includedir}/nss3/shsign.h
%changelog
-* Thu Nov 03 2011 Elio Maldonado <emaldona at redhat.com> - 3.13.1-1
+* Tue Dec 06 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-13
+- Bug 757005 Build nss-softokn for rhel 7
+- Make it almost like nss-softokn-3.12.9 in rhel 6.2
+- Added a patch to build with Linux 3 and higher
+- Meant to work with nss and nss-utul 3.1.3.1
+- Download only the 3.12.9 sources from the lookaside cache
+
+* Fri Dec 02 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-12
+- Retagging
+
+* Wed Nov 23 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-11
+- Downgrading to 3.12.9 for a merge into new RHEL git repo
+- This build is for the buildroot for a limited time only
+- Do not not push it to update-testing
+
+* Tue Nov 08 2011 Elio Maldonado <emaldona at redhat.com> - 3.13.1-1
- Update to NSS_3_13_1_RTM
+* Wed Oct 12 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-6
+- Fix failure to switch nss-softokn to FIPS mode (#745571)
+
* Tue Oct 11 2011 Elio Maldonado <emaldona at redhat.com> - 3.13-0.1.rc0.3
- Update to NSS_3_13_RC0 post bootstrapping
- Don't incude util in sources for the lookaside cache
@@ -393,11 +430,8 @@ done
* Thu Sep 8 2011 Ville Skyttä <ville.skytta at iki.fi> - 3.12.11-3
- Avoid %%post/un shell invocations and dependencies.
-* Wed Aug 17 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.11-2
-- rebuilt as recommended to deal with an rpm issue
-
-* Tue Aug 09 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.11-1
-- Update to NSS_3_12_11_RTM
+* Wed Aug 17 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-5
+- rebuilt as recommended to deal with an rpm 4.9.1 issue
* Wed Jul 20 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-4
- Adjustements from code review (#715402)
diff --git a/nss-split-softokn.sh b/nss-split-softokn.sh
index 49c4a40..390d196 100755
--- a/nss-split-softokn.sh
+++ b/nss-split-softokn.sh
@@ -35,87 +35,53 @@ softokn_dir=${name}-softokn-${version}
# mozilla/security/nss/lib --- top files only
# mozilla/security/nss/lib/freebl --- full directory
# mozilla/security/nss/lib/softoken --- full directory
+# mozilla/security/nss/lib/softoken/dbm --- full directory
#-------------------------------------------------------
-WORK_DIR=work
-rm -rf ${WORK_DIR}
-mkdir ${WORK_DIR}
+SOFTOKN_WORK=${softokn_dir}-work
+rm -rf ${SOFTOKN_WORK}
+mkdir ${SOFTOKN_WORK}
# copy everything
-cp -a ${nss_source_dir} ${WORK_DIR}/${softokn_dir}
+cp -a ${nss_source_dir} ${SOFTOKN_WORK}/${softokn_dir}
# remove subdirectories that we don't want
-rm -rf ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-rm -rf ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/tests
-rm -rf ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib
-rm -rf ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/pkg
-# start with an empty lib directory and copy only what we need
-mkdir ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/tests
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+rm -rf ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/pkg
+# rstart with an empty lib directory and copy only what we need
+mkdir ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
# copy entire freebl and softoken directories recursively
-cp -a ${nss_source_dir}/mozilla/security/nss/lib/freebl ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib/freebl
-cp -a ${nss_source_dir}/mozilla/security/nss/lib/softoken ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib/softoken
-# On boostrapping we may need to copy util because some headers have changed
-# Alternatively, we can bootsrap by rebasing nss and nss-util first and
-# when the system is boostrap then rebase nss-sotokn
-# cp -a ${nss_source_dir}/mozilla/security/nss/lib/util ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib/util
+cp -a ${nss_source_dir}/mozilla/security/nss/lib/freebl ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib/freebl
+cp -a ${nss_source_dir}/mozilla/security/nss/lib/softoken ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib/softoken
+cp -a ${nss_source_dir}/mozilla/security/nss/lib/softoken ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib/softoken/dbm
# and some Makefiles and related files
-cp ${nss_source_dir}/mozilla/security/nss/Makefile ${WORK_DIR}/${softokn_dir}/mozilla/security/nss
-cp ${nss_source_dir}/mozilla/security/nss/manifest.mn ${WORK_DIR}/${softokn_dir}/mozilla/security/nss
-cp ${nss_source_dir}/mozilla/security/nss/trademarks.txt ${WORK_DIR}/${softokn_dir}/mozilla/security/nss
-cp ${nss_source_dir}/mozilla/security/nss/lib/Makefile ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib
-cp ${nss_source_dir}/mozilla/security/nss/lib/manifest.mn ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/lib
-
-# we do need shlibsign from cmd and other things
-mkdir ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-# copy some files at the top and selected subdirectories
-cp -p ${nss_source_dir}/mozilla/security/nss/cmd/Makefile ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-cp -p ${nss_source_dir}/mozilla/security/nss/cmd/manifest.mn ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-cp -p ${nss_source_dir}/mozilla/security/nss/cmd/platlibs.mk ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-cp -p ${nss_source_dir}/mozilla/security/nss/cmd/platrules.mk ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-
-cp -a ${nss_source_dir}/mozilla/security/nss/cmd/shlibsign ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd/shlibsign
-#
-# copy the bltest, fipstests, lib, and subdirectories for testing
-#for d in "bltest fipstest lib shlibsign"; do
-src=${nss_source_dir}/mozilla/security/nss/cmd
-dst=${WORK_DIR}/${softokn_dir}/mozilla/security/nss/cmd
-# uncomment this line when we are to resume testing as part of the build
-# for bootstrapping make it ts=" " so they don't get copied
-ts="bltest fipstest lib"
-for t in $ts; do
- cp -a ${src}/$t ${dst}/$t
-done
-
-
-# we also need some test scripts and dtest data from tests
-mkdir ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/tests
-
-# copy the files at the top
-fs="all.sh clean_tbx core_watch dll_version.sh header jssdir \
-jss_dll_version.sh jssqa mksymlinks \
-nssdir nsspath nssqa path_uniq platformlist \
-platformlist.tbx qaclean qa_stage qa_stat \
-README.txt run_niscc.sh set_environment"
-for f in $fs; do
- cp -p ${nss_source_dir}/mozilla/security/nss/tests/$f \
- ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/tests
-done
-
-# copy the subdirectories that we need
-cp -a ${nss_source_dir}/mozilla/security/nss/tests/common \
- ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/tests
-cp -a ${nss_source_dir}/mozilla/security/nss/tests/cipher \
- ${WORK_DIR}/${softokn_dir}/mozilla/security/nss/tests
-
-pushd ${WORK_DIR}
+cp ${nss_source_dir}/mozilla/security/nss/Makefile ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss
+cp ${nss_source_dir}/mozilla/security/nss/manifest.mn ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss
+cp ${nss_source_dir}/mozilla/security/nss/trademarks.txt ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss
+cp ${nss_source_dir}/mozilla/security/nss/lib/Makefile ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+cp ${nss_source_dir}/mozilla/security/nss/lib/manifest.mn ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/lib
+
+# we do need shlibsign from cmd
+mkdir ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+# copy some files at the top and the slhlib subdirectory
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/Makefile ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/manifest.mn ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/platlibs.mk ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+cp -p ${nss_source_dir}/mozilla/security/nss/cmd/platrules.mk ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd
+
+cp -a ${nss_source_dir}/mozilla/security/nss/cmd/shlibsign ${SOFTOKN_WORK}/${softokn_dir}/mozilla/security/nss/cmd/shlibsign
+
+pushd ${SOFTOKN_WORK}
# the compressed tar ball for nss-softokn
tar -cjf ../${name}-softokn-${version}-stripped.tar.bz2 ${softokn_dir}
popd
# cleanup after ourselves
rm -fr ${nss_source_dir}
-rm -rf ${WORK_DIR}
+rm -rf ${SOFTOKN_WORK}
diff --git a/sources b/sources
index 0d198e9..cfd36ad 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
13b1d1dbf81765c137809d332a29aa0d nss-softokn-3.12.9-stripped.tar.bz2
-3daa76bcd96fa425dc7efaab6989faa5 nss-softokn-3.13.1-stripped.tar.bz2
More information about the scm-commits
mailing list