[nss-softokn/f16: 1/2] - Restore the update to 3.13.1 - Update the patch for freebl to deal with prelinked shared libraries
Elio Maldonado
emaldonado at fedoraproject.org
Tue Dec 13 23:04:26 UTC 2011
commit d4cc2c8fbcb44fe95ec147cb9620e5d6c6154826
Author: Elio Maldonado <emaldona at redhat.com>
Date: Tue Dec 13 14:17:52 2011 -0800
- Restore the update to 3.13.1
- Update the patch for freebl to deal with prelinked shared libraries
- Add additional drbg power-up self-tests as required by FIPS
- Reactivate the tests
.gitignore | 2 +-
nss-softokn-3.12.4-prelink.patch | 299 ++++---------------------------------
nss-softokn.spec | 48 ++----
sources | 2 +-
4 files changed, 52 insertions(+), 299 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index dc1007b..2c62a64 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-nss-softokn-3.12.9-stripped.tar.bz2
+nss-softokn-3.13.1-stripped.tar.bz2
diff --git a/nss-softokn-3.12.4-prelink.patch b/nss-softokn-3.12.4-prelink.patch
index 5f2e46f..2ac26a3 100644
--- a/nss-softokn-3.12.4-prelink.patch
+++ b/nss-softokn-3.12.4-prelink.patch
@@ -1,250 +1,32 @@
diff -up ./mozilla/security/nss/lib/freebl/Makefile.prelink ./mozilla/security/nss/lib/freebl/Makefile
---- ./mozilla/security/nss/lib/freebl/Makefile.prelink 2010-09-04 14:13:58.846327263 -0700
-+++ ./mozilla/security/nss/lib/freebl/Makefile 2010-09-04 14:15:11.544326993 -0700
-@@ -82,6 +82,12 @@ ifeq ($(FREEBL_NO_DEPEND),1)
- else
- MAPFILE_SOURCE = freebl.def
- endif
-+ifdef FREEBL_USE_PRELINK
-+ DEFINES += -DFREEBL_USE_PRELINK
-+endif
-+ifdef FREEBL_PRELINK_COMMAND
-+ DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
-+endif
- # NSS_X86 means the target is a 32-bits x86 CPU architecture
- # NSS_X64 means the target is a 64-bits x64 CPU architecture
- # NSS_X86_OR_X64 means the target is either x86 or x64
diff -up ./mozilla/security/nss/lib/freebl/shvfy.c.prelink ./mozilla/security/nss/lib/freebl/shvfy.c
---- ./mozilla/security/nss/lib/freebl/shvfy.c.prelink 2010-09-04 14:16:01.518326988 -0700
-+++ ./mozilla/security/nss/lib/freebl/shvfy.c 2010-09-04 14:25:44.770326384 -0700
-@@ -48,6 +48,168 @@
- #include "stdio.h"
- #include "prmem.h"
+--- ./mozilla/security/nss/lib/freebl/shvfy.c.prelink 2011-12-13 09:02:42.554226434 -0800
++++ ./mozilla/security/nss/lib/freebl/shvfy.c 2011-12-13 09:05:51.152222223 -0800
+@@ -486,6 +486,9 @@ BLAPI_SHVerifyFile(const char *shName)
-+#ifdef FREEBL_USE_PRELINK
-+#ifndef FREELB_PRELINK_COMMAND
-+#define FREEBL_PRELINK_COMMAND "/usr/sbin/prelink -u -o -"
-+#endif
-+#include "private/pprio.h"
-+
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+#include <sys/wait.h>
-+#include <sys/stat.h>
-+
-+PRFileDesc *
-+bl_OpenUnPrelink(const char *shName, int *pid)
-+{
-+ char *command= strdup(FREEBL_PRELINK_COMMAND);
-+ char *argString = NULL;
-+ char **argv = NULL;
-+ char *shNameArg = NULL;
-+ char *cp;
-+ pid_t child;
-+ int argc = 0, argNext = 0;
-+ struct stat statBuf;
-+ int pipefd[2] = {-1,-1};
-+ int ret;
-+
-+ *pid = 0;
-+
-+ /* make sure the prelink command exists first. If not, fall back to
-+ * just reading the file */
-+ for (cp = command; *cp ; cp++) {
-+ if (*cp == ' ') {
-+ *cp++ = 0;
-+ argString = cp;
-+ break;
-+ }
-+ }
-+ memset (&statBuf, 0, sizeof(statBuf));
-+ /* stat the file, follow the link */
-+ ret = stat(command, &statBuf);
-+ if (ret < 0) {
-+ free(command);
-+ return PR_Open(shName, PR_RDONLY, 0);
-+ }
-+ /* file exits, make sure it's an executable */
-+ if (!S_ISREG(statBuf.st_mode) ||
-+ ((statBuf.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) {
-+ free(command);
-+ return PR_Open(shName, PR_RDONLY, 0);
-+ }
-+
-+ /* OK, the prelink command exists and looks correct, use it */
-+ /* build the arglist while we can still malloc */
-+ /* count the args if any */
-+ if (argString && *argString) {
-+ /* argString may have leading spaces, strip them off*/
-+ for (cp = argString; *cp && *cp == ' '; cp++);
-+ argString = cp;
-+ if (*cp) {
-+ /* there is at least one arg.. */
-+ argc = 1;
-+ }
-+
-+ /* count the rest: Note there is no provision for escaped
-+ * spaces here */
-+ for (cp = argString; *cp ; cp++) {
-+ if (*cp == ' ') {
-+ while (*cp && *cp == ' ') cp++;
-+ if (*cp) argc++;
-+ }
-+ }
-+ }
-+
-+ /* add the additional args: argv[0] (command), shName, NULL*/
-+ argc += 3;
-+ argv = PORT_NewArray(char *, argc);
-+ if (argv == NULL) {
-+ goto loser;
-+ }
-+
-+ /* fill in the arglist */
-+ argv[argNext++] = command;
-+ if (argString && *argString) {
-+ argv[argNext++] = argString;
-+ for (cp = argString; *cp; cp++) {
-+ if (*cp == ' ') {
-+ *cp++ = 0;
-+ while (*cp && *cp == ' ') cp++;
-+ if (*cp) argv[argNext++] = cp;
-+ }
-+ }
-+ }
-+ /* exec doesn't advertise taking const char **argv, do the paranoid
-+ * copy */
-+ shNameArg = strdup(shName);
-+ if (shNameArg == NULL) {
-+ goto loser;
-+ }
-+ argv[argNext++] = shNameArg;
-+ argv[argNext++] = 0;
-+
-+ ret = pipe(pipefd);
-+ if (ret < 0) {
-+ goto loser;
-+ }
-+
-+ /* use vfork() so we don't trigger the pthread_at_fork() handlers */
-+ child = vfork();
-+ if (child < 0) goto loser;
-+ if (child == 0) {
-+ /* set up the file descriptors */
-+ close(0);
-+ /* associate pipefd[1] with stdout */
-+ if (pipefd[1] != 1) dup2(pipefd[1], 1);
-+ close(2);
-+ close(pipefd[0]);
-+ /* should probably close the other file descriptors? */
-+
-+
-+ execv(command, argv);
-+ /* avoid at_exit() handlers */
-+ _exit(1); /* shouldn't reach here except on an error */
-+ }
-+ close(pipefd[1]);
-+ pipefd[1] = -1;
-+
-+ /* this is safe because either vfork() as full fork() semantics, and thus
-+ * already has it's own address space, or because vfork() has paused
-+ * the parent util the exec or exit */
-+ free(command);
-+ free(shNameArg);
-+ PORT_Free(argv);
-+
-+ *pid = child;
-+
-+ return PR_ImportPipe(pipefd[0]);
-+
-+loser:
-+ if (pipefd[0] != -1) {
-+ close(pipefd[0]);
-+ }
-+ if (pipefd[1] != -1) {
-+ close(pipefd[1]);
-+ }
-+ free(command);
-+ free(shNameArg);
-+ PORT_Free(argv);
-+
-+ return NULL;
-+}
-+
-+void
-+bl_CloseUnPrelink( PRFileDesc *file, int pid)
-+{
-+ /* close the file descriptor */
-+ PR_Close(file);
-+ /* reap the child */
-+ if (pid) {
-+ waitpid(pid, NULL, 0);
-+ }
-+}
-+#endif
-
- /* #define DEBUG_SHVERIFY 1 */
-@@ -117,6 +279,9 @@ BLAPI_SHVerify(const char *name, PRFuncP
- SECStatus rv;
- DSAPublicKey key;
- int count;
-+#ifdef FREEBL_USE_PRELINK
-+ int pid = 0;
-+#endif
-
- PRBool result = PR_FALSE; /* if anything goes wrong,
- * the signature does not verify */
-@@ -197,7 +362,11 @@ BLAPI_SHVerify(const char *name, PRFuncP
- checkFD = NULL;
-
- /* open our library file */
-+#ifdef FREEBL_USE_PRELINK
-+ shFD = bl_OpenUnPrelink(shName,&pid);
-+#else
- shFD = PR_Open(shName, PR_RDONLY, 0);
-+#endif
- if (shFD == NULL) {
- #ifdef DEBUG_SHVERIFY
- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
-@@ -218,7 +387,11 @@ BLAPI_SHVerify(const char *name, PRFuncP
- SHA1_Update(hashcx, buf, bytesRead);
- count += bytesRead;
+ loser:
++ if (shName != NULL) {
++ PR_Free(shName);
++ }
+ if (checkName != NULL) {
+ PORT_Free(checkName);
}
-+#ifdef FREEBL_USE_PRELINK
-+ bl_CloseUnPrelink(shFD, pid);
-+#else
- PR_Close(shFD);
-+#endif
- shFD = NULL;
-
- SHA1_End(hashcx, hash.data, &hash.len, hash.len);
diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/nss/lib/freebl/stubs.c
---- ./mozilla/security/nss/lib/freebl/stubs.c.prelink 2010-09-04 14:26:27.454327120 -0700
-+++ ./mozilla/security/nss/lib/freebl/stubs.c 2010-09-04 14:31:56.778327428 -0700
-@@ -69,6 +69,7 @@
- #include <secport.h>
- #include <secitem.h>
- #include <blapi.h>
-+#include <private/pprio.h>
-
- #define FREEBL_NO_WEAK 1
-
-@@ -157,6 +158,8 @@ STUB_DECLARE(void,PR_Lock,(PRLock *lock)
- STUB_DECLARE(PRLock *,PR_NewLock,(void));
- STUB_DECLARE(PRFileDesc *,PR_Open,(const char *name, PRIntn flags,
- PRIntn mode));
+--- ./mozilla/security/nss/lib/freebl/stubs.c.prelink 2011-12-13 09:02:13.210227199 -0800
++++ ./mozilla/security/nss/lib/freebl/stubs.c 2011-12-13 09:07:01.296220776 -0800
+@@ -156,6 +156,7 @@ STUB_DECLARE(void,PR_DestroyCondVar,(PRC
+ STUB_DECLARE(void,PR_Free,(void *ptr));
+ STUB_DECLARE(char * ,PR_GetLibraryFilePathname,(const char *name,
+ PRFuncPtr addr));
+STUB_DECLARE(PRFileDesc *,PR_ImportFile,(PROsfd osfd));
-+STUB_DECLARE(PRFileDesc *,PR_ImportPipe,(PROsfd osfd));
- STUB_DECLARE(PRInt32,PR_Read,(PRFileDesc *fd, void *buf, PRInt32 amount));
- STUB_DECLARE(PROffset32,PR_Seek,(PRFileDesc *fd, PROffset32 offset,
- PRSeekWhence whence));
-@@ -295,6 +298,34 @@ PR_Open_stub(const char *name, PRIntn fl
- return (PRFileDesc *)lfd;
+ STUB_DECLARE(PRFileDesc *,PR_ImportPipe,(PROsfd osfd));
+ STUB_DECLARE(void,PR_Lock,(PRLock *lock));
+ STUB_DECLARE(PRCondVar *,PR_NewCondVar,(PRLock *lock));
+@@ -307,6 +308,20 @@ PR_Open_stub(const char *name, PRIntn fl
}
-+extern PRFileDesc *
+ extern PRFileDesc *
+PR_ImportFile_stub(PROsfd fd)
+{
+ int *lfd = NULL;
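Review bot: The shvfy.c hunk carried in the new patch frees `shName` at the `loser:` label, but its hunk header places that label inside `BLAPI_SHVerifyFile(const char *shName)`, where `shName` is a const parameter owned by the caller. If the caller also releases the path it obtained (the caller is not visible here), this becomes a double free on the shared-library integrity check path, and any caller passing a non-heap string would hit an invalid free. I would drop the added `if (shName != NULL) { PR_Free(shName); }` from this function and keep the release in whichever function allocated the string. The function body starts and ends outside the hunk, so confirm against the full 3.13.1 source which function the label near line 486 belongs to.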
@@ -259,40 +41,25 @@ diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/ns
+}
+
+extern PRFileDesc *
-+PR_ImportPipe_stub(PROsfd fd)
-+{
-+ int *lfd = NULL;
-+
-+ STUB_SAFE_CALL1(PR_ImportPipe, fd);
-+
-+ lfd = PORT_New_stub(int);
-+ if (lfd != NULL) {
-+ *lfd = fd;
-+ }
-+ return (PRFileDesc *)lfd;
-+}
-+
- extern PRStatus
- PR_Close_stub(PRFileDesc *fd)
+ PR_ImportPipe_stub(PROsfd fd)
{
-@@ -492,6 +523,8 @@ freebl_InitNSPR(void *lib)
+ int *lfd = NULL;
+@@ -566,6 +581,7 @@ freebl_InitNSPR(void *lib)
{
STUB_FETCH_FUNCTION(PR_Free);
STUB_FETCH_FUNCTION(PR_Open);
+ STUB_FETCH_FUNCTION(PR_ImportFile);
-+ STUB_FETCH_FUNCTION(PR_ImportPipe);
+ STUB_FETCH_FUNCTION(PR_ImportPipe);
STUB_FETCH_FUNCTION(PR_Close);
STUB_FETCH_FUNCTION(PR_Read);
- STUB_FETCH_FUNCTION(PR_Seek);
diff -up ./mozilla/security/nss/lib/freebl/stubs.h.prelink ./mozilla/security/nss/lib/freebl/stubs.h
---- ./mozilla/security/nss/lib/freebl/stubs.h.prelink 2010-09-04 14:26:41.822327256 -0700
-+++ ./mozilla/security/nss/lib/freebl/stubs.h 2010-09-04 14:32:53.498540767 -0700
-@@ -78,6 +78,8 @@
- #define PR_Lock PR_Lock_stub
- #define PR_NewLock PR_NewLock_stub
- #define PR_Open PR_Open_stub
+--- ./mozilla/security/nss/lib/freebl/stubs.h.prelink 2011-12-13 09:01:59.722227804 -0800
++++ ./mozilla/security/nss/lib/freebl/stubs.h 2011-12-13 09:07:40.134220235 -0800
+@@ -77,6 +77,7 @@
+ #define PR_DestroyLock PR_DestroyLock_stub
+ #define PR_Free PR_Free_stub
+ #define PR_GetLibraryFilePathname PR_GetLibraryFilePathname_stub
+#define PR_ImportFile PR_ImportFile_stub
-+#define PR_ImportPipe PR_ImportPipe_stub
- #define PR_Read PR_Read_stub
- #define PR_Seek PR_Seek_stub
- #define PR_Sleep PR_Sleep_stub
+ #define PR_ImportPipe PR_ImportPipe_stub
+ #define PR_Lock PR_Lock_stub
+ #define PR_NewCondVar PR_NewCondVar_stub
diff --git a/nss-softokn.spec b/nss-softokn.spec
index a423b61..9190ba5 100644
--- a/nss-softokn.spec
+++ b/nss-softokn.spec
@@ -16,8 +16,8 @@
Summary: Network Security Services Softoken Module
Name: nss-softokn
-Version: 3.12.9
-Release: 13%{?dist}
+Version: 3.13.1
+Release: 14%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -50,23 +50,12 @@ Source2: nss-softokn.pc.in
Source3: nss-softokn-config.in
Patch1: add-relro-linker-option.patch
-# FIPS 140 remove these two patches once we rebase and
-# can pick up the fixes from upstream
+# Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=562116
Patch2: nss-softokn-3.12.4-prelink.patch
-Patch3: nss-softokn-3.12.4-fips-fix.patch
-Patch4: nss-softokn-710298.patch
-# Add drbg tests for FIPS validation, patch from upstream
-# see: https://bugzilla.mozilla.org/show_bug.cgi?id=695571
-# Remove this patch when we rebase to nss 3.13.2
+# Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=457045
Patch5: drbg.patch
-# Backported from upstream nss 3.13
-# See: https://bugzilla.mozilla.org/show_bug.cgi?id=641052
-# Remove this patch when we rebase to nss 3.13.2
-Patch6: nss-softokn-748524.patch
-Patch7: linux3.patch
-
-#Uncomment when we are ready to enable testing
-#Patch8: softoken-minimal-test-dependencies.patch
+# TODO: Open upstream bug and submmit a patch for this
+Patch8: softoken-minimal-test-dependencies.patch
%description
Network Security Services Softoken Cryptographic Module
@@ -118,15 +107,8 @@ Header and Library files for doing development with Network Security Services.
%patch1 -p0 -b .relro
%patch2 -p0 -b .prelink
-%patch3 -p0 -b .fipsfix
-%patch4 -p0 -b .710298
-%patch5 -p0 -b .747053
-%patch6 -p0 -b .748524
-%patch7 -p0 -b .linux3
-
-# FIXME uncomment when we are ready to
-# resume testing of part of the build
-#%patch8 -p0 -b .crypto
+%patch5 -p0 -b .drbg
+%patch8 -p0 -b .crypto
%build
@@ -245,7 +227,7 @@ if [ $SPACEISBAD -ne 0 ]; then
fi
rm -rf ./mozilla/tests_results
-#cd ./mozilla/security/nss/tests/
+cd ./mozilla/security/nss/tests/
# all.sh is the test suite script
# only run cipher tests for nss-softokn
@@ -254,11 +236,9 @@ rm -rf ./mozilla/tests_results
%global nss_ssl_tests " "
%global nss_ssl_run " "
-#HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
-#cd ../../../../
-
-#killall $RANDSERV || :
+cd ../../../../
TEST_FAILURES=`grep -c FAILED ./mozilla/tests_results/security/localhost.1/output.log` || :
# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
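Review bot: With `./all.sh` running again, the only pass/fail signal visible in this hunk is `grep -c FAILED` on `output.log`, and its `|| :` also swallows the case where the log was never written. If the suite aborts before producing the log, `TEST_FAILURES` ends up empty rather than non-zero; how that value is checked is outside the hunk. Consider verifying the log first, e.g. `test -s ./mozilla/tests_results/security/localhost.1/output.log || exit 1`, so that a run which produced no results cannot be mistaken for a clean one.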
@@ -393,6 +373,12 @@ done
%{_includedir}/nss3/shsign.h
%changelog
+* Tue Dec 13 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-14
+- Restore the update to 3.13.1
+- Update the patch for freebl to deal with prelinked shared libraries
+- Add additional dbrg power-up self-tests as required by fips
+- Reactivate the tests
+
* Tue Dec 06 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-13
- Bug 757005 Build nss-softokn for rhel 7
- Make it almost like nss-softokn-3.12.9 in rhel 6.2
diff --git a/sources b/sources
index cfd36ad..ce78c5c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-13b1d1dbf81765c137809d332a29aa0d nss-softokn-3.12.9-stripped.tar.bz2
+3daa76bcd96fa425dc7efaab6989faa5 nss-softokn-3.13.1-stripped.tar.bz2