Mercurial > illumos > illumos-gate
changeset 10123:d9be114e78c4
6852240 libelfsign should use pkcs11_softtoken instead of OpenSSL for FIPS-140 integrity checking
6851814 tools elfsign is unnecessarily linked against pkcs11_softtoken
author | Valerie Bubb Fenwick <Valerie.Fenwick@Sun.COM> |
---|---|
date | Fri, 17 Jul 2009 19:53:22 -0700 |
parents | 96eda55bfd54 |
children | 5b9859ecb395 |
files | usr/src/lib/libelfsign/common/elfcertlib.c usr/src/lib/libkmf/libkmf/common/certop.c usr/src/lib/libkmf/libkmf/common/generalop.c usr/src/lib/pkcs11/Makefile usr/src/lib/pkcs11/libkcfd/Makefile usr/src/lib/pkcs11/libkcfd/Makefile.com usr/src/lib/pkcs11/libkcfd/README usr/src/lib/pkcs11/libkcfd/common/llib-lkcfd usr/src/lib/pkcs11/libkcfd/common/mapfile-vers usr/src/lib/pkcs11/libkcfd/i386/Makefile usr/src/lib/pkcs11/libkcfd/sparc/Makefile usr/src/pkgdefs/SUNWcslr/prototype_com usr/src/pkgdefs/etc/exception_list_i386 usr/src/pkgdefs/etc/exception_list_sparc usr/src/tools/elfsign/Makefile usr/src/tools/scripts/check_rtime.pl |
diffstat | 16 files changed, 380 insertions(+), 46 deletions(-) [+] |
line wrap: on
line diff
--- a/usr/src/lib/libelfsign/common/elfcertlib.c Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/lib/libelfsign/common/elfcertlib.c Fri Jul 17 19:53:22 2009 -0700 @@ -20,12 +20,10 @@ */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <limits.h> #include <sys/types.h> #include <sys/stat.h> @@ -221,7 +219,7 @@ cert->c_verified = E_UNCHECKED; /* - * If the cert we are loading it the trust anchor (ie the CA) then + * If the cert we are loading is the trust anchor (ie the CA) then * we mark it as such in cert. This is so that we don't attempt * to verify it later. The CA is always implicitly verified. */ @@ -473,12 +471,13 @@ algid = KMF_ALGID_RSA; /* - * We tell KMF to use the OpenSSL verification - * APIs here to avoid a circular dependency with - * kcfd and libpkcs11. + * We tell KMF to use the PKCS11 verification APIs + * here to prevent the use of OpenSSL and to keep + * all validation within the FIPS-140 boundary for + * the Cryptographic Framework. */ rv = KMF_VerifyDataWithCert(ess->es_kmfhandle, - KMF_KEYSTORE_OPENSSL, algid, + KMF_KEYSTORE_PK11TOKEN, algid, &indata, &insig, &cert->c_cert.certificate); return ((rv == KMF_OK));
--- a/usr/src/lib/libkmf/libkmf/common/certop.c Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/lib/libkmf/libkmf/common/certop.c Fri Jul 17 19:53:22 2009 -0700 @@ -19,12 +19,10 @@ * CDDL HEADER END */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <stdio.h> #include <link.h> #include <fcntl.h> @@ -955,12 +953,14 @@ * where we want to force this operation to happen in * a specific keystore. * For example: - * libelfsign verifies signatures on crypto libraries. - * We cannot use libpkcs11 functions to verify the pkcs11 - * libraries because it results in a circular dependency. - * So, when libelfsign is verifying library sigs, it - * always forces the operation to happen in OpenSSL - * to avoid the circular dependency. + * libelfsign.so.1 verifies signatures on crypto libraries. + * We must use pkcs11 functions to verify the pkcs11 + * plugins in order to keep the validation within the + * Cryptographic Framework's FIPS-140 boundary. To avoid + * a circular dependency, pksc11_softtoken.so.1 is + * interposed by libkcfd.so.1 via kcfd, which prevents + * libpkcs11.so.1's interfaces from being used when libkmf.so.1 + * is called from kcfd. */ static KMF_RETURN plugin_verify_data_with_cert(KMF_HANDLE_T handle, @@ -976,8 +976,6 @@ /* * If NSS, use PKCS#11, we are not accessing the database(s), * we just prefer the "verify" operation from the crypto framework. - * The OpenSSL version is unique in order to avoid a dependency loop - * with the kcfd(1M) process. */ if (kstype == KMF_KEYSTORE_NSS) kstype = KMF_KEYSTORE_PK11TOKEN; @@ -3109,9 +3107,8 @@ /* * Use a signer cert to verify another certificate's signature. - * This code forces the use of the OPENSSL mechanism - * for the verify operation to avoid a circular dependency - * with libelfsign when it attempts to verify the PKCS#11 libraries. + * This code forces the use of the PKCS11 mechanism for the verify + * operation for the Cryptographic Framework's FIPS-140 boundary. */ static KMF_RETURN verify_cert_with_cert(KMF_HANDLE_T handle, @@ -3172,11 +3169,10 @@ } /* - * To avoid recursion with kcfd consumer and libpkcs11, - * do the certificate verification using the OpenSSL - * plugin algorithms instead of the crypto framework. + * Force use of PKCS11 API for kcfd/libelfsign. This is + * required for the Cryptographic Framework's FIPS-140 boundary. */ - ret = plugin_verify_data_with_cert(handle, KMF_KEYSTORE_OPENSSL, + ret = plugin_verify_data_with_cert(handle, KMF_KEYSTORE_PK11TOKEN, algid, &data_to_verify, &signature, SignerCertData); cleanup:
--- a/usr/src/lib/libkmf/libkmf/common/generalop.c Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/lib/libkmf/libkmf/common/generalop.c Fri Jul 17 19:53:22 2009 -0700 @@ -19,13 +19,11 @@ * CDDL HEADER END */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <stdio.h> #include <dlfcn.h> #include <link.h> @@ -325,7 +323,13 @@ free(p); return (KMF_ERR_MEMORY); } - p->dldesc = dlopen(path, RTLD_LAZY | RTLD_GROUP | RTLD_PARENT); + /* + * Do not use RTLD_GROUP here, or this will cause a circular + * dependency when kmf_pkcs11.so.1 gets its PKCS#11 functions + * from libpkcs11.so.1 when kmf is used via libelfsign.so.1 + * called from kcfd. + */ + p->dldesc = dlopen(path, RTLD_LAZY | RTLD_PARENT); if (p->dldesc == NULL) { free(p->path); free(p);
--- a/usr/src/lib/pkcs11/Makefile Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/lib/pkcs11/Makefile Fri Jul 17 19:53:22 2009 -0700 @@ -35,7 +35,8 @@ SUBDIRS = \ libpkcs11 \ - libsoftcrypto + libsoftcrypto \ + libkcfd # # The PKCS11 TPM provider is only available for x86.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/Makefile Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,47 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +# lib/pkcs11/libkcfd/Makefile +# + +include $(SRC)/lib/Makefile.lib + +SUBDIRS= $(MACH) + +all := TARGET= all +clean := TARGET= clean +clobber := TARGET= clobber +install := TARGET= install + +.KEEP_STATE: + +all clean clobber install: $(SUBDIRS) + +check lint install_h: + +$(SUBDIRS): FRC + @cd $@; pwd; $(MAKE) $(TARGET) + +FRC:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/Makefile.com Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,40 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +# lib/pkcs11/libkcfd/Makefile.com +# + +LIBRARY = libkcfd.a +VERS = .1 + +include $(SRC)/lib/Makefile.rootfs + +LIBS += $(LINTLIB) + +# +# Identify that this library is an interposer. This identification +# ensures that runtime symbol lookup resolves to this library +# (before libpkcs11.so.1) regardless of dependency link order. +# This library should only be linked to by kcfd. +# +DYNFLAGS += $(ZINTERPOSE) -R/usr/lib/security
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/README Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,37 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# + +This is a filter library that's used exclusively by kcfd; +it's 32-bit-only because kcfd is 32-bit-only. + +libkcfd forces interposition of pkcs11_softtoken.so.1 into libkmf +when used by kcfd as part of the Cryptographic Framework's FIPS-140 +project, to ensure that only pkcs11_softtoken.so.1 is used for +validation of the FIPS-140 boundary. + +libelfsign could not be the interposer, because it would prevent +the elfsign(1) command from accessing actual PKCS#11 tokens when using +the -T option.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/common/llib-lkcfd Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,34 @@ +/* + * CDDL HEADER START + * + * The contents of this file are subject to the terms of the + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. + * + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + * or http://www.opensolaris.org/os/licensing. + * See the License for the specific language governing permissions + * and limitations under the License. + * + * When distributing Covered Code, include this CDDL HEADER in each + * file and include the License file at usr/src/OPENSOLARIS.LICENSE. + * If applicable, add the following below this CDDL HEADER, with the + * fields enclosed by brackets "[]" replaced with your own identifying + * information: Portions Copyright [yyyy] [name of copyright owner] + * + * CDDL HEADER END + */ +/* LINTLIBRARY */ +/* PROTOLIB1 */ + +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +/* + * usr/src/lib/pkcs11/libkcfd + * EMPTY library + */ + +#include <security/cryptoki.h>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/common/mapfile-vers Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,112 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# + +# +# MAPFILE HEADER START +# +# WARNING: STOP NOW. DO NOT MODIFY THIS FILE. +# Object versioning must comply with the rules detailed in +# +# usr/src/lib/README.mapfiles +# +# You should not be making modifications here until you've read the most current +# copy of that file. If you need help, contact a gatekeeper for guidance. +# +# MAPFILE HEADER END +# + +SUNW_1.1 { + global: + C_CancelFunction = FUNCTION FILTER pkcs11_softtoken.so.1; + C_CloseAllSessions = FUNCTION FILTER pkcs11_softtoken.so.1; + C_CloseSession = FUNCTION FILTER pkcs11_softtoken.so.1; + C_CopyObject = FUNCTION FILTER pkcs11_softtoken.so.1; + C_CreateObject = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Decrypt = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DecryptDigestUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DecryptFinal = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DecryptInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DecryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DecryptVerifyUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DeriveKey = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DestroyObject = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Digest = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DigestEncryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DigestFinal = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DigestInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DigestKey = FUNCTION FILTER pkcs11_softtoken.so.1; + C_DigestUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Encrypt = FUNCTION FILTER pkcs11_softtoken.so.1; + C_EncryptFinal = FUNCTION FILTER pkcs11_softtoken.so.1; + C_EncryptInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_EncryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Finalize = FUNCTION FILTER pkcs11_softtoken.so.1; + C_FindObjects = FUNCTION FILTER pkcs11_softtoken.so.1; + C_FindObjectsFinal = FUNCTION FILTER pkcs11_softtoken.so.1; + C_FindObjectsInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GenerateKey = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GenerateKeyPair = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GenerateRandom = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetAttributeValue = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetFunctionList = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetFunctionStatus = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetInfo = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetMechanismInfo = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetMechanismList = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetObjectSize = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetOperationState = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetSessionInfo = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetSlotInfo = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetSlotList = FUNCTION FILTER pkcs11_softtoken.so.1; + C_GetTokenInfo = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Initialize = FUNCTION FILTER pkcs11_softtoken.so.1; + C_InitPIN = FUNCTION FILTER pkcs11_softtoken.so.1; + C_InitToken = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Login = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Logout = FUNCTION FILTER pkcs11_softtoken.so.1; + C_OpenSession = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SeedRandom = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SetAttributeValue = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SetOperationState = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SetPIN = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Sign = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SignEncryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SignFinal = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SignInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SignRecover = FUNCTION FILTER pkcs11_softtoken.so.1; + C_SignRecoverInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_UnwrapKey = FUNCTION FILTER pkcs11_softtoken.so.1; + C_Verify = FUNCTION FILTER pkcs11_softtoken.so.1; + C_VerifyFinal = FUNCTION FILTER pkcs11_softtoken.so.1; + C_VerifyInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_VerifyRecover = FUNCTION FILTER pkcs11_softtoken.so.1; + C_VerifyRecoverInit = FUNCTION FILTER pkcs11_softtoken.so.1; + C_VerifyUpdate = FUNCTION FILTER pkcs11_softtoken.so.1; + C_WaitForSlotEvent = FUNCTION FILTER pkcs11_softtoken.so.1; + C_WrapKey = FUNCTION FILTER pkcs11_softtoken.so.1; + local: + *; +}; +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/i386/Makefile Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,34 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +# lib/pkcs11/libkcfd/i386/Makefile +# + +include $(SRC)/lib/Makefile.filter.com +include ../Makefile.com + +install: all $(ROOTLIBDIR) .WAIT $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT) + +include $(SRC)/lib/Makefile.filter.targ
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/usr/src/lib/pkcs11/libkcfd/sparc/Makefile Fri Jul 17 19:53:22 2009 -0700 @@ -0,0 +1,34 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +# lib/pkcs11/libkcfd/sparc/Makefile +# + +include $(SRC)/lib/Makefile.filter.com +include ../Makefile.com + +install: all $(ROOTLIBDIR) .WAIT $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT) + +include $(SRC)/lib/Makefile.filter.targ
--- a/usr/src/pkgdefs/SUNWcslr/prototype_com Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/pkgdefs/SUNWcslr/prototype_com Fri Jul 17 19:53:22 2009 -0700 @@ -97,6 +97,7 @@ f none lib/libintl.so.1 755 root bin s none lib/libipmp.so=./libipmp.so.1 f none lib/libipmp.so.1 755 root bin +f none lib/libkcfd.so.1 755 root bin s none lib/libkmf.so=libkmf.so.1 f none lib/libkmf.so.1 755 root bin s none lib/libkmfberder.so=libkmfberder.so.1
--- a/usr/src/pkgdefs/etc/exception_list_i386 Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/pkgdefs/etc/exception_list_i386 Fri Jul 17 19:53:22 2009 -0700 @@ -67,6 +67,9 @@ usr/lib/llib-lsoftcrypto i386 usr/lib/llib-lsoftcrypto.ln i386 usr/lib/amd64/llib-lsoftcrypto.ln i386 +lib/llib-lkcfd i386 +lib/llib-lkcfd.ln i386 +lib/libkcfd.so i386 # # The following files are used by the DHCP service, the # standalone's DHCP implementation, and the kernel (nfs_dlboot).
--- a/usr/src/pkgdefs/etc/exception_list_sparc Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/pkgdefs/etc/exception_list_sparc Fri Jul 17 19:53:22 2009 -0700 @@ -56,6 +56,9 @@ usr/lib/llib-lsoftcrypto sparc usr/lib/llib-lsoftcrypto.ln sparc usr/lib/sparcv9/llib-lsoftcrypto.ln sparc +lib/llib-lkcfd.ln sparc +lib/llib-lkcfd sparc +lib/libkcfd.so sparc # # The following files are used by libdhcpsvc, the # standalone's DHCP implementation, and the kernel (nfs_dlboot).
--- a/usr/src/tools/elfsign/Makefile Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/tools/elfsign/Makefile Fri Jul 17 19:53:22 2009 -0700 @@ -20,9 +20,7 @@ # # -#ident "%Z%%M% %I% %E% SMI" -# -# Copyright 2007 Sun Microsystems, Inc. All rights reserved. +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # @@ -53,17 +51,6 @@ CPPFLAGS += -I$(SRC)/lib/libcryptoutil/common LDFLAGS += -lmd -lelf -lkmf -lcryptoutil -lc -# -# While the gate builds a libelfsign.so linked staticly against -# pksc11_softtoken, the tools version of libelfsign is dynamically linked -# against the build machines pkcs11_softtoken.so. -# -SOFTTOKENDIR = /usr/lib/security -SOFTTOKENLIB = pkcs11_softtoken.so -LDFLAGS += -R $(SOFTTOKENDIR) $(SOFTTOKENDIR)/$(SOFTTOKENLIB) - -MKDIR= mkdir - .KEEP_STATE: all: $(PROG) $(SHFILES)
--- a/usr/src/tools/scripts/check_rtime.pl Fri Jul 17 17:54:42 2009 -0700 +++ b/usr/src/tools/scripts/check_rtime.pl Fri Jul 17 19:53:22 2009 -0700 @@ -209,7 +209,9 @@ /lib.*\ of\ .*libxml2\.so\.2 | # non-OSNET /lib.*\ of\ .*libxslt\.so\.1 | # non-OSNET /lib.*\ of\ .*libpq\.so\.4 | # non-OSNET - /lib.*\ of\ .*libpython2\.4\.so\.1\.0 # non-OSNET + /lib.*\ of\ .*libpython2\.4\.so\.1\.0 | # non-OSNET + /lib.*\ of\ .*kcfd | # interposer + /libpkcs11\.so\.1;\.*\ of\ .*libkmf\.so\.1 # interposed }x; # Define any files that should only have unused (ldd -u) processing.