Hide Forgot
During investigation of Bugzilla Bug #533092 - mod_nss rfe - "Dynamic CRL Loading" (the RHEL 5.8 equivalent of Fedora Bugzilla Bug #767808 - mod_nss rfe - "Dynamic CRL Loading"), it was discovered that the "mod_revocator" source code contains its own private copies of numerous NSS "private" header files based upon version NSS 3.9.3: mozilla/security/nss/lib/base: total 64 drwxrwxr-x. 2 mharmsen mharmsen 4096 Apr 13 2010 ./ drwxrwxr-x. 4 mharmsen mharmsen 4096 Apr 13 2010 ../ -rw-rw-r--. 1 mharmsen mharmsen 32091 Aug 3 2006 base.h -rw-rw-r--. 1 mharmsen mharmsen 5299 Aug 3 2006 baset.h -rw-rw-r--. 1 mharmsen mharmsen 4482 Aug 3 2006 nssbase.h -rw-rw-r--. 1 mharmsen mharmsen 4238 Aug 3 2006 nssbaset.h mozilla/security/nss/lib/ckfw: total 260 drwxrwxr-x. 2 mharmsen mharmsen 4096 Apr 13 2010 ./ drwxrwxr-x. 4 mharmsen mharmsen 4096 Apr 13 2010 ../ -rw-rw-r--. 1 mharmsen mharmsen 23539 Aug 3 2006 ck.api -rw-rw-r--. 1 mharmsen mharmsen 2961 Aug 3 2006 ck.h -rw-rw-r--. 1 mharmsen mharmsen 11824 Aug 3 2006 ckapi.perl -rw-rw-r--. 1 mharmsen mharmsen 28783 Aug 3 2006 ckfw.h -rw-rw-r--. 1 mharmsen mharmsen 3245 Aug 3 2006 ckfwm.h -rw-rw-r--. 1 mharmsen mharmsen 2022 Aug 3 2006 ckfwtm.h -rw-rw-r--. 1 mharmsen mharmsen 2038 Aug 3 2006 ckmd.h -rw-rw-r--. 1 mharmsen mharmsen 1657 Aug 3 2006 ckt.h -rw-rw-r--. 1 mharmsen mharmsen 43798 Aug 3 2006 nssck.api -rw-rw-r--. 1 mharmsen mharmsen 1574 Aug 3 2006 nssckepv.h -rw-rw-r--. 1 mharmsen mharmsen 1581 Aug 3 2006 nssckft.h -rw-rw-r--. 1 mharmsen mharmsen 7642 Aug 3 2006 nssckfw.h -rw-rw-r--. 1 mharmsen mharmsen 18083 Aug 3 2006 nssckfwc.h -rw-rw-r--. 1 mharmsen mharmsen 2718 Aug 3 2006 nssckfwt.h -rw-rw-r--. 1 mharmsen mharmsen 1568 Aug 3 2006 nssckg.h -rw-rw-r--. 1 mharmsen mharmsen 62036 Aug 3 2006 nssckmdt.h -rw-rw-r--. 1 mharmsen mharmsen 1621 Aug 3 2006 nssckt.h Someone needs to work closely with the NSS developers to expose the necessary NSS header files to remedy this situation so that "mod_revocator" can merely include a build time dependency on one or more current NSS header files, rather than relying upon an older "stale" version of NSS, or at least change the build procedures to fetch the latest versions of the required NSS headers at build time.
Copying comments from the RHEL-6.4 bug as not everyone in fedora or upstream has access to it. mod_revocator should not keep its own copies of ckfw or base. Removing the former doesn't seem to pose difficulties as I was experimenting but with the removal of base it failed to compile. The problem is that pkcs11layer.h includes base.h, a private header of the base module. It currently needs it because of the arena functionality. In base,h I see #define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type))) Grepping elsewhere in the code I found. ./mod_revocator-1.0.3/rsession.cpp: rv = nss_ZNEW(arena, NSSCKMDSession); ./mod_revocator-1.0.3/rfind.cpp: rv = nss_ZNEW(arena, NSSCKMDFindObjects); ./mod_revocator-1.0.3/rfind.cpp: fo = nss_ZNEW(arena, struct revocatorFOStr); ./mod_revocator-1.0.3/rfind.cpp: temp = nss_ZNEWARRAY((NSSArena *)NULL, CRLInstance*, ./mod_revocator-1.0.3/rfind.cpp: fo->objs = nss_ZNEWARRAY(arena, CRLInstance *, fo->n); These are all private exports visible only by modules in the nss source tree. nssabase.h is a public header that exports a very minimal set of arena and error functions; namely, NSSArena_Create, NSSArena_Destroy, NSS_GetError and NSS_GetErrorStack. To meet mod_revocator's needs something like macros NSS_ZNEW and NSS_ZNEWARRAY, plus functions NSS_ZAlloc, NSS_ZRealloc, NSS_ZFreeIf added to to nssbase.h. These would be small wrappers that call their nss_ counterparts to do the work. nss needs to export thse functions via nssbase.h as mod_revocator, and other cfw type pkcs #11 modules, need them. For arenas the more generic functions aren't suitable because they use PL_ArenaPool whereas ckfw uses an NSSArena. As Bob Relya states: > arena's are an integral part of the ckfw API. mod-revocator for its part should not include ckfw private headers. PRIVATE_EXPORTS: ck.h, ckfw.h, ckfwm.h, ckfwtm.h, ckmd.h, and ckt.h EXPORTS: nssck.api, nssckepv.h, nssckft.h, nssckfw.h, nssckfwc.h, nssckfwt.h, nssckg.h, nssckmdt.h, and nssckt.h are fine. Current usage with suggested changes $ grep include mod_revocator-1.0.3/*.c* mod_revocator-1.0.3/*.h | grep ck REPLACEMENT mod_revocator-1.0.3/anchor.cpp:#include "nssck.api" mod_revocator-1.0.3/constants.c:#include "nssckt.h" mod_revocator-1.0.3/rinst.cpp:#include "ckfwtm.h" ---> ckfwtm.h + ckfw.h mod_revocator-1.0.3/rinst.cpp:#include "ckfw.h" ---> nssckw.h mod_revocator-1.0.3/rinst.cpp:#include "nssckfwt.h" mod_revocator-1.0.3/pkcs11layer.h:#include "nssckmdt.h" mod_revocator-1.0.3/pkcs11layer.h:#include "nssckfw.h" mod_revocator-1.0.3/pkcs11layer.h:#include "ckt.h" ---> nssckt.h nssck.api is one file we may need need to ship. The ckfw API seems otherwise complete. Two others private functions used are: mod_revocator-1.0.3/rfind.cpp: (void)nsslibc_memcpy(fo->objs, temp, sizeof(CRLInstance *) * fo->n); mod_revocator-1.0.3/robject.cpp: prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL); These two can be easily replaced with: (void) PORT_Memcopy(fo->objs, temp, sizeof(CRLInstance *) * fo->n); prb = PORT_Memcmp(a->pValue, b->data, b->size) == 0 ? PR_TRUE : PR_FALSE;
Created attachment 651735 [details] Suggested changes to replace usage of nss private headers Replaces usage of nss private headers with new public ones introduced in ss-3.14.
Created attachment 651736 [details] Part2 - posssible spec file changes
Comment on attachment 651736 [details] Part2 - posssible spec file changes These are minimal changes as I tested with an nss that installed nsscki.api header template in the nss include direcotory as well as the documents area. If we opt to install nsscki.api in the nested documentation direcoyry, /usr/share/docs/nss3/template, as has been suggested then some additional changes to mod_revocator.spec will be required.
This updates and saves the work in progress.
Matt, If it turns out that installing nsscki.api in the /usr/includes/nss3 is not allowed and we have to do it in /usr/share/docs/nss3/templates or some other directory then mod_revocator needs to know that path and tread is as an extra directory in the includes. To mod_revocator.spec we would need to add someting like this: %build ..... # FIXME: this is a hard-coded path, should find a way to # determine it at build time NSS_CKFW_NSSCK_API_DIR=/usr/shared/docs/nss3/templates' # To configure we could someting like # --with-nsscki-inc=$NSS_CKFW_NSSCK_API_DIR \ # and the appriopriate adjustment to conf %configure \ .... I don't know how to use autoconf so I'm leaving this for wiser folks :-) -Elio
(In reply to comment #7) Good news, installing nsscki.api in /usr/includes/nss3 is okay https://bugzilla.redhat.com/show_bug.cgi?id=879978#c5 and #6 That takes care of keeping things simple here.
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Working on applying Elio's changes.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.