Description of problem:

> Perhaps your ELinks changes are stable. However, nss_compat_ossl
> 0.9.2 itself is not stable enough. Its SSL_library_init() calls
> exit(1) with no error message at all if NSS_Init(certDir) fails.
> That is just ridiculous; ELinks should still be able to access
> non-SSL sites.
>
> I had some trouble building nss_compat_ossl 0.9.2 on Debian:
>
> - Here, the libnss3-dev package contains e.g. /usr/include/nss/ssl.h, and
>   pkg-config --cflags nss outputs "-I/usr/include/nss -I/usr/include/nspr",
>   but nss_compat_ossl-0.9.2/src/nss_compat_ossl.h does #include
>   <nss3/ssl.h>. As there is no actual nss3 directory, nor a symlink, this
>   does not work.
>
> - Likewise with #include <nspr4/nspr.h>.
>
> - Similarly, we have /usr/lib/nss/libsoftokn3.so, but pkg-config --libs nss
>   does not output any -L options, so -lsoftokn3 in
>   nss_compat_ossl-0.9.2/src/Makefile.am doesn't find the library;
>   however, if I remove that -lsoftokn3, then nss_compat_ossl builds.
>
> Browsing the source code, I noticed RAND_load_file() can get
> stuck in a loop if I/O errors occur: fread() and feof() both
> return 0. And RAND_write_file() should check for errors on
> fwrite() and fclose(). I gave up on reviewing ssl.c because
> I don't know NSPR and SSL well enough.

Version-Release number of selected component (if applicable):
nss_compat_ossl 0.9.2
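The RAND_load_file() hang described in the report above (fread() and feof() both returning 0 after an I/O error), shown as an added example that is not part of the original report or of nss_compat_ossl's source. The names feof_only_spins and read_seed are hypothetical, and the failing stream assumes Linux, where reading a directory fails with EISDIR.

```c
/* Added example; names are hypothetical, not nss_compat_ossl's code. */
#include <stdio.h>

/* The feof()-only pattern from the report, capped so it can be observed:
   returns how many reads made no progress before EOF or the cap. */
int feof_only_spins(FILE *fp, int cap)
{
    unsigned char buf[64];
    int spins = 0;

    while (!feof(fp) && spins < cap)
        if (fread(buf, 1, sizeof buf, fp) == 0)
            spins++;            /* error: 0 bytes, feof() still 0 */
    return spins;
}

/* Corrected loop: a short read ends it, and ferror() tells an I/O error
   apart from end-of-file. Returns bytes read, or -1 on error. */
long read_seed(FILE *fp, long max_bytes)
{
    unsigned char buf[1024];
    long total = 0;

    while (total < max_bytes) {
        size_t want = sizeof buf;
        if ((long)want > max_bytes - total)
            want = (size_t)(max_bytes - total);
        size_t got = fread(buf, 1, want, fp);
        total += (long)got;     /* a real caller would mix buf into the RNG here */
        if (got < want) {
            if (ferror(fp))
                return -1;
            break;              /* genuine end-of-file */
        }
    }
    return total;
}

int main(void)
{
    /* Constructed failing input: on Linux, read() on a directory fails with EISDIR. */
    FILE *dir = fopen(".", "r");
    if (dir == NULL)
        return 1;
    printf("feof-only loop: %d stalled reads (cap 1000)\n", feof_only_spins(dir, 1000));
    printf("checked loop returns %ld\n", read_seed(dir, 4096));
    fclose(dir);
    return 0;
}
```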
Created attachment 317481: proposed patch

This patch:
- checks the return values of fread() and fwrite()
- removes nss3 and nspr4 prefix on includes
- removes exit(1) if initialization fails. This will defer errors.
- adds a chmod(0600) when writing a random file to match OpenSSL behavior

Bob, can you review this?
Created attachment 318105: updated patch to catch an NSS init failure

Since SSL_library_init() always succeeds, we need to catch any initialization or passphrase errors later.
Committed upstream. Will be released as nss_compat-ossl-0.9.4

Sending src/nss_compat_ossl.h
Sending src/rand.c
Sending src/ssl.c
Transmitting file data ...
Committed revision 64.
nss_compat_ossl-0.9.4-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/nss_compat_ossl-0.9.4-1.fc9
nss_compat_ossl-0.9.4-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/nss_compat_ossl-0.9.4-1.fc8
nss_compat_ossl-0.9.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
nss_compat_ossl-0.9.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.