Bug 346991 - Port glibc to use NSS library for cryptography
Summary: Port glibc to use NSS library for cryptography
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: CryptoConsolidation
Reported: 2007-10-23 10:18 UTC by Peter Vrabec
Modified: 2009-06-18 07:27 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2009-06-18 07:27:05 UTC
Type: ---

Attachments
Patch to introduce separate nss-freebl.rpm (2.41 KB, patch)
2009-04-02 14:19 UTC, Kai Engert (:kaie) (inactive account)

Description Peter Vrabec 2007-10-23 10:18:19 UTC
glibc should be ported to use NSS library for cryptography.
See the tracking bug for details and links on how it could be done.

Comment 1 John Poelstra 2008-08-12 04:10:57 UTC

Comment 4 Bob Relyea 2009-03-16 23:11:50 UTC
It's in NSS 3.12.3. I don't know if that has been picked up by rawhide yet. I think only 3.12.3 Beta has been released, but the differences between beta and rtm should be pretty minor.

I can have kai pull it in.


Comment 5 Kai Engert (:kaie) (inactive account) 2009-03-31 20:11:30 UTC
The latest snapshot is NSS 3.12.3 beta 4 which is from 6 weeks ago.
There seem to be a couple of blocker bugs for the final release, still, so I'm going to build this beta into rawhide now.

Comment 6 Kai Engert (:kaie) (inactive account) 2009-03-31 21:22:29 UTC
I built it as https://koji.fedoraproject.org/koji/taskinfo?taskID=1268615

Looking at the resulting binary, here is what ldd tells me on libsoftokn and libfreebl:

$ ldd libfreebl3.so
        libnssutil3.so => /lib/libnssutil3.so (0x0038c000)
        libnspr4.so => /lib/libnspr4.so (0x00512000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x009e8000)
        libdl.so.2 => /lib/libdl.so.2 (0x0036d000)
        libc.so.6 => /lib/libc.so.6 (0x00110000)
        libplc4.so => /lib/libplc4.so (0x00284000)
        libplds4.so => /lib/libplds4.so (0x00289000)
        /lib/ld-linux.so.2 (0x00849000)

$ ldd libsoftokn3.so
        libnssutil3.so => /lib/libnssutil3.so (0x00c11000)
        libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00ea2000)
        libplc4.so => /lib/libplc4.so (0x00fbc000)
        libplds4.so => /lib/libplds4.so (0x00f2d000)
        libnspr4.so => /lib/libnspr4.so (0x0014c000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00ca1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00186000)
        libc.so.6 => /lib/libc.so.6 (0x004fd000)
        /lib/ld-linux.so.2 (0x00849000)

I'm surprised that I still see dependencies to the nspr libraries.
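An added example (not part of the bug report or of the NSS build) that automates the check Kai did by hand above: it scans ldd output for the NSPR sonames (libnspr4, libplc4, libplds4) so a rebuilt libfreebl3.so can be verified NSPR-free. The embedded ldd text is a constructed sample modelled on the libfreebl3.so listing; the function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed sample ldd output, modelled on the libfreebl3.so listing in comment 6
LDD_FREEBL='        libnssutil3.so => /lib/libnssutil3.so (0x0038c000)
        libnspr4.so => /lib/libnspr4.so (0x00512000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x009e8000)
        libdl.so.2 => /lib/libdl.so.2 (0x0036d000)
        libc.so.6 => /lib/libc.so.6 (0x00110000)
        libplc4.so => /lib/libplc4.so (0x00284000)
        libplds4.so => /lib/libplds4.so (0x00289000)
        /lib/ld-linux.so.2 (0x00849000)'

# Read ldd output on stdin and print the NSPR sonames it resolves, one per
# line, sorted. Only "soname => path (addr)" lines are considered, so the
# bare /lib/ld-linux.so.2 line is ignored. Prints nothing when NSPR-free.
nspr_deps() {
    awk '$2 == "=>" && $1 ~ /^lib(nspr4|plc4|plds4)\.so/ { print $1 }' | sort
}

# Check captured ldd text: exit status 0 when no NSPR library appears.
check_nspr_free_text() {
    deps=$(printf '%s\n' "$1" | nspr_deps)
    [ -z "$deps" ]
}

# Check a real shared object on this system, e.g. /lib/libfreebl3.so.
# ldd may run the dynamic loader on the file, so use it on trusted
# packages only; readelf -d (DT_NEEDED) is the safer choice otherwise.
check_nspr_free() {
    deps=$(ldd "$1" | nspr_deps)
    if [ -n "$deps" ]; then
        echo "$1 still depends on NSPR:" >&2
        echo "$deps" >&2
        return 1
    fi
    return 0
}
```

A build done with FREEBL_NO_DEPEND=1, as discussed in the following comments, should make check_nspr_free on libfreebl3.so return 0.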

Comment 7 Ulrich Drepper 2009-03-31 21:30:29 UTC
(In reply to comment #6)
> I'm surprised that I still see dependencies to the nspr libraries.  

Indeed.  The whole purpose of the exercise is to get rid of that dependency.

We are closing in fast on F11 (and therefore RHEL6).  Bob, can you take a look?

Comment 8 Kai Engert (:kaie) (inactive account) 2009-03-31 21:32:24 UTC
I guess there are special build flags necessary to get the nspr-free nss.
I'll test with FREEBL_NO_DEPEND=1

Comment 9 Bob Relyea 2009-03-31 22:10:45 UTC
yes, that's the flag.


Comment 10 Kai Engert (:kaie) (inactive account) 2009-03-31 22:19:48 UTC
thanks. build should be done shortly:

Comment 11 Ulrich Drepper 2009-04-01 23:01:45 UTC
I verified that the code now in rawhide has no such static dependency.  And it's easy enough to use, even for me.

But there still is a runtime dependency on nspr4.  Is this really necessary?  What is it that's needed from that library?  I definitely see it used.

Comment 12 Ulrich Drepper 2009-04-01 23:12:08 UTC
Oh, and Kai: can you please move libfreebl3.{so,chk} into a separate RPM file (a sub-package)?  This way glibc can depend only on that sub-package and not the whole of NSS.

Comment 14 Kai Engert (:kaie) (inactive account) 2009-04-02 14:17:56 UTC
Bob, Elio, do you agree to introduce a separate nss-freebl sub-package?

It's simple enough to do, I already have a patch and I'm running a local build for testing.

Comment 15 Kai Engert (:kaie) (inactive account) 2009-04-02 14:19:04 UTC
Created attachment 337823 [details]
Patch to introduce separate nss-freebl.rpm

Comment 16 Ulrich Drepper 2009-04-02 17:02:31 UTC
I talked with Steve Grubb and he said that if NSS fails the crypt() call should fail.  I've updated the patch and it is upstream now.  The next rawhide build should have it.

Jakub: configure rawhide with --enable-nss-crypt.

Comment 17 Kai Engert (:kaie) (inactive account) 2009-04-02 22:10:51 UTC
Talked to Bob and Elio, agreed to name the package nss-softokn-freebl, because at some point we might want to introduce a nss-softokn package...

I decided to move only the .so file to that package (for now), not the .chk file, because the .chk file is a generated file and needs the signing tool, which needs nspr etc...

So for now, let's keep the .chk file in the main NSS package.

I've started a build:

Comment 18 Kai Engert (:kaie) (inactive account) 2009-06-18 06:33:50 UTC
What is the next step for this bug?
I believe the NSS portion has been completed.
As this bug is assigned to the glibc component, do you want to keep this bug open for other work, or should we close it?

Comment 19 Ulrich Drepper 2009-06-18 07:06:33 UTC
(In reply to comment #18)
> What is the next step for this bug?
> I believe the NSS portion has been completed.

The glibc part is indeed done.  But there is one more change to nss.  The /etc/prelink.conf.d/nss-prelink.conf file should be in a separate rpm.  Only people interested in certification should install it.  For others prelinking should not be prevented.  Too many programs are negatively impacted otherwise.  How are the startup tests reacting to prelinking?

Comment 20 Kai Engert (:kaie) (inactive account) 2009-06-18 07:21:52 UTC
Could you please send me the output of
$ egrep "libfreebl3|libsoftokn3" /var/log/prelink/prelink.log 
from an affected system?
I'm curious how many packages it prevents from being prelinked.

On my Fedora 10 system it only affects pk11install.

I'm afraid you'll tell me that the new dependency from glibc to freebl changed that?

Comment 21 Kai Engert (:kaie) (inactive account) 2009-06-18 07:25:15 UTC
Ok, you're probably referring to bug 504949, which I hadn't seen until now.

Comment 22 Kai Engert (:kaie) (inactive account) 2009-06-18 07:27:05 UTC
I propose to close this bug and track the proposed change for prelinking in bug 504949.
