Created attachment 555131 Enable fipstest to depend on lower layers only
The fipstest application is the FIPS 140 validation test application. As such it should rely on headers and libraries from softoken and below (util). This would enable us to build it and execute it in the presence of just softoken and its lower level dependencies, i.e. util.
1) fipstest currently calls NSS_NoDB_Init, which is not necessary as it just uses the PKCS #11 interface directly. That would eliminate having to include nss.h.
2) It includes lib/cryptohi/keythi.h, which is a higher level header. It makes that include because it needs an enumerated type KeyType. I suggest moving this enum out of the current header and placing it in one of the util headers. It seems to me that none of the existing headers seems to be a suitable home for the enum. I suggest adding a small header for it that would be included by both keythi.h and fipstest.c. Any other tools and libraries that need it get it via keythi.h and don't need modification.
My first cut was to make the header a private export but chose to make it a public export instead, as in Fedora and RHEL 6, where we split nss into nss (rest of), nsssoftokn, and nssutil RPMs, the header would not be accessible to the tool.
Comment on attachment 555131 Enable fipstest to depend on lower layers only
r- Ditch the keytype.h and look at the line that is actually failing without keythi.h... You'll see one line at 4238 where dsaKey is missing, but if you look at the code you'll see that dsaKey is *NOT* dsaKey from KeyType, but a typo for a local variable dsakey, so just remove keythi.h and fix the original bug. The rest of the patch will be fine (getting rid of NSS_NoDB_Init() and nss.h). bob
Created attachment 560620 Remove high level dependencies and fix a variable name
Comment on attachment 560620 Remove high level dependencies and fix a variable name r+ I can go with this version:)... bob
Committed to trunk
Checking in mozilla/security/nss/cmd/fipstest/fipstest.c;
/cvsroot/mozilla/security/nss/cmd/fipstest/fipstest.c,v <-- fipstest.c
new revision: 1.38; previous revision: 1.37
done
The removal of the NSS_NoDB_Init call breaks fipstest.c. It still compiles and links, but doesn't work. The NSS_NoDB_Init call needs to be replaced by individual XXX_Init calls to initialize the subsystems required by fipstest.c, such as the RNG and the SECOID tables. Elio, Bob: you can either open a new bug (preferred) or just reopen this bug (less overhead) to fix this.
Opened Bug 698049