Bug 346991 - Port glibc to use NSS library for cryptography
Product: Fedora
Classification: Fedora
Component: glibc
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Depends On:
Blocks: CryptoConsolidation
Reported: 2007-10-23 06:18 EDT by Peter Vrabec
Modified: 2009-06-18 03:27 EDT (History)

Doc Type: Enhancement
Last Closed: 2009-06-18 03:27:05 EDT

Attachments (Terms of Use)
Patch to introduce separate nss-freebl.rpm (2.41 KB, patch)
2009-04-02 10:19 EDT, Kai Engert (:kaie)

Description Peter Vrabec 2007-10-23 06:18:19 EDT
glibc should be ported to use NSS library for cryptography.
See the tracking bug for details and links on how it could be done.
Comment 1 John Poelstra 2008-08-12 00:10:57 EDT
Comment 4 Bob Relyea 2009-03-16 19:11:50 EDT
It's in NSS 3.12.3. I don't know if that has been picked up by rawhide yet. I think only 3.12.3 Beta has been released, but the differences between beta and rtm should be pretty minor.

I can have kai pull it in.

Comment 5 Kai Engert (:kaie) 2009-03-31 16:11:30 EDT
The latest snapshot is NSS 3.12.3 beta 4 which is from 6 weeks ago.
There seem to be a couple of blocker bugs for the final release, still, so I'm going to build this beta into rawhide now.
Comment 6 Kai Engert (:kaie) 2009-03-31 17:22:29 EDT
I built it as https://koji.fedoraproject.org/koji/taskinfo?taskID=1268615

Looking at the resulting binary, here is what ldd tells me on libsoftokn and libfreebl:

$ ldd libfreebl3.so
        libnssutil3.so => /lib/libnssutil3.so (0x0038c000)
        libnspr4.so => /lib/libnspr4.so (0x00512000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x009e8000)
        libdl.so.2 => /lib/libdl.so.2 (0x0036d000)
        libc.so.6 => /lib/libc.so.6 (0x00110000)
        libplc4.so => /lib/libplc4.so (0x00284000)
        libplds4.so => /lib/libplds4.so (0x00289000)
        /lib/ld-linux.so.2 (0x00849000)

$ ldd libsoftokn3.so
        libnssutil3.so => /lib/libnssutil3.so (0x00c11000)
        libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00ea2000)
        libplc4.so => /lib/libplc4.so (0x00fbc000)
        libplds4.so => /lib/libplds4.so (0x00f2d000)
        libnspr4.so => /lib/libnspr4.so (0x0014c000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00ca1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00186000)
        libc.so.6 => /lib/libc.so.6 (0x004fd000)
        /lib/ld-linux.so.2 (0x00849000)

I'm surprised that I still see dependencies to the nspr libraries.
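Added example (not code from the bug, NSS or glibc): a POSIX shell check that reads ldd-style output and lists which NSPR-family sonames (libnspr4, libplc4, libplds4) a library still links against, so a packager can confirm that a FREEBL_NO_DEPEND=1 build produced a libfreebl3.so that is actually free of NSPR. The sample inputs are constructed from the ldd output above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: verify that a shared object (e.g. libfreebl3.so) no longer
# links against the NSPR family, which is what the nspr-free freebl build
# is meant to achieve so glibc's crypt() does not pull NSPR into every process.

# nspr_deps_from_ldd: read ldd-style output on stdin and print the unique
# NSPR-family sonames found in the first column. Prints nothing when clean.
nspr_deps_from_ldd() {
    awk '$1 ~ /^lib(nspr4|plc4|plds4)\.so/ { print $1 }' | sort -u
}

# count_nspr_deps: number of distinct NSPR-family sonames on stdin.
count_nspr_deps() {
    echo $(( $(nspr_deps_from_ldd | wc -l) ))
}

# check_shared_object PATH: run ldd on a real file and report.
# Exit status: 0 = clean, 1 = NSPR dependency present, 2 = file not readable.
check_shared_object() {
    lib=$1
    [ -r "$lib" ] || { echo "$lib: not readable" >&2; return 2; }
    deps=$(ldd "$lib" | nspr_deps_from_ldd)
    if [ -n "$deps" ]; then
        printf '%s still depends on NSPR: %s\n' "$lib" "$(echo "$deps" | tr '\n' ' ')"
        return 1
    fi
    echo "$lib: no NSPR dependency"
    return 0
}

# Constructed sample, modelled on the libfreebl3.so ldd output in comment 6.
SAMPLE_BEFORE='        libnssutil3.so => /lib/libnssutil3.so (0x0038c000)
        libnspr4.so => /lib/libnspr4.so (0x00512000)
        libc.so.6 => /lib/libc.so.6 (0x00110000)
        libplc4.so => /lib/libplc4.so (0x00284000)
        libplds4.so => /lib/libplds4.so (0x00289000)
        /lib/ld-linux.so.2 (0x00849000)'

# Constructed sample of what a clean (NSPR-free) build should look like.
SAMPLE_AFTER='        libc.so.6 => /lib/libc.so.6 (0x00110000)
        /lib/ld-linux.so.2 (0x00849000)'

# Usage on a real system: check_shared_object /lib/libfreebl3.so
```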
Comment 7 Ulrich Drepper 2009-03-31 17:30:29 EDT
(In reply to comment #6)
> I'm surprised that I still see dependencies to the nspr libraries.

Indeed.  The whole purpose of the exercise is to get rid of that dependency.

We are closing in fast on F11 (and therefore RHEL6).  Bob, can you take a look?
Comment 8 Kai Engert (:kaie) 2009-03-31 17:32:24 EDT
I guess there are special build flags necessary to get the nspr-free nss.
I'll test with FREEBL_NO_DEPEND=1
Comment 9 Bob Relyea 2009-03-31 18:10:45 EDT
yes, that's the flag.

Comment 10 Kai Engert (:kaie) 2009-03-31 18:19:48 EDT
thanks. build should be done shortly:
Comment 11 Ulrich Drepper 2009-04-01 19:01:45 EDT
I verified that the code now in rawhide has no such static dependency.  And it's easy enough to use, even for me.

But there still is a runtime dependency on nspr4.  Is this really necessary?  What is it that's needed from that library?  I definitely see it used.
Comment 12 Ulrich Drepper 2009-04-01 19:12:08 EDT
Oh, and Kai: can you please move libfreebl3.{so,chk} into a separate RPM file (a sub-package)?  This way glibc can depend only on that sub-package and not the whole of NSS.
Comment 14 Kai Engert (:kaie) 2009-04-02 10:17:56 EDT
Bob, Elio, do you agree to introduce a separate nss-freebl sub-package?

It's simple enough to do, I already have a patch and I'm running a local build for testing.
Comment 15 Kai Engert (:kaie) 2009-04-02 10:19:04 EDT
Created attachment 337823 [details]
Patch to introduce separate nss-freebl.rpm
Comment 16 Ulrich Drepper 2009-04-02 13:02:31 EDT
I talked with Steve Grubb and he said that if NSS fails, the crypt() call should fail.  I've updated the patch and it is upstream now.  The next rawhide build should have it.

Jakub: configure rawhide with --enable-nss-crypt.
Comment 17 Kai Engert (:kaie) 2009-04-02 18:10:51 EDT
Talked to Bob and Elio, agreed to name the package nss-softokn-freebl, because at some point we might want to introduce a nss-softokn package...

I decided to move only the .so file to that package (for now), not the .chk file, because the .chk file is a generated file and needs the signing tool, which needs nspr etc...

So for now, let's keep the .chk file in the main NSS package.

I've started a build:
Comment 18 Kai Engert (:kaie) 2009-06-18 02:33:50 EDT
What is the next step for this bug?
I believe the NSS portion has been completed.
As this bug is assigned to the glibc component, do you want to keep this bug open for other work, or should we close it?
Comment 19 Ulrich Drepper 2009-06-18 03:06:33 EDT
(In reply to comment #18)
> What is the next step for this bug?
> I believe the NSS portion has been completed.

The glibc part is indeed done.  But there is one more change to nss.  The /etc/prelink.conf.d/nss-prelink.conf file should be in a separate rpm.  Only people interested in certification should install it.  For others prelinking should not be prevented.  Too many programs are negatively impacted otherwise.  How are the startup tests reacting to prelinking?
Comment 20 Kai Engert (:kaie) 2009-06-18 03:21:52 EDT
Could you please send me the output of
$ egrep "libfreebl3|libsoftokn3" /var/log/prelink/prelink.log
from an affected system?
I'm curious how many packages it prevents from being prelinked.

On my Fedora 10 system it only affects pk11install.

I'm afraid you'll tell me that the new dependency from glibc to freebl changed that?
Comment 21 Kai Engert (:kaie) 2009-06-18 03:25:15 EDT
Ok, you're probably referring to bug 504949, which I hadn't seen until now.
Comment 22 Kai Engert (:kaie) 2009-06-18 03:27:05 EDT
I propose to close this bug and track the proposed change for prelinking in bug 504949.
