Description of problem:
Previously PK11CertListCA was listing ALL CAs. With the nss-3.13.5-1.fc17.i686 NSS package installed, PK11CertListCA behaves the same as PK11CertListCAUnique. Hence replacing PK11CertListCA by PK11CertListAll which does the trick on my side. As per the comment in /usr/include/nss3/secmodt.h, PK11CertListCA should be returning ALL CAs but it no longer does.

Version-Release number of selected component (if applicable):
nss-3.13.5-1.fc17.i686

How reproducible:
Always

Steps to Reproduce:
1. $ sudo yum install openswan
2. Use the guide at http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven-Part_2.html to enter at least two PKCS12 certificates into the NSS database
3. $ sudo rm -f /etc/ipsec.d/cacerts/*
3. $ sudo service ipsec restart
4. $ su -c 'ipsec auto --listall'

Actual results:
One CA certificate is displayed instead of all you entered.

Expected results:
All CAs displayed.

Additional info:
Philippe reported it's a compiler bug. Closing
(In reply to comment #1)
> Philippe reported it's a compiler bug.

Which one?
This gcc bug can ONLY be observed on Libreswan source code and at gcc optimization level -O3. If this can help in narrowing down the bug, I compiled the offending source code with:

[philippe@victor libreswan]$ cc -DLIBCURL -DUSE_SHA2 -I/home/philippe/libreswan/libreswan/lib/libcrypto/libsha2 -I/home/philippe/libreswan/libreswan/ports/linux/include -I/home/philippe/libreswan/libreswan/ports/linux/include -I/home/philippe/libreswan/libreswan/ports/linux/include -I. -I/home/philippe/libreswan/libreswan/linux/net/ipsec -I/home/philippe/libreswan/libreswan/linux/include -I/home/philippe/libreswan/libreswan -DDEBUG -DPFKEYV2 -DKLIPS -I/home/philippe/libreswan/libreswan/include -I/home/philippe/libreswan/libreswan/ports/linux/include -I/home/philippe/libreswan/libreswan/ports/linux/include -I/home/philippe/libreswan/libreswan/ports/linux/include -g -O3 -DGCC_LINT -I/usr/include/nss3 -I/usr/include/nspr4 -Wall -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wbad-function-cast -DNAT_TRAVERSAL -DUSE_MODP_RFC5114 -DDNSSEC -DFINALCONFDIR=\"/etc\" -DFINALCONFDDIR=\"/etc/ipsec.d\" -DFINALCONFFILE=\"/etc/ipsec.conf\" -DFINALVARDIR=\"/var\" -DFINALLIBEXECDIR=\"/usr/local/libexec/ipsec\" -DFINALLIBDIR=\"/usr/local/lib/ipsec\" -DFINALSBINDIR=\"/usr/local/sbin\" -S -o certload.s /home/philippe/libreswan/libreswan/lib/libswan/certload.c

Notice the -O3 and -S. The offending part is:

        movzbl 68(%esp), %ebx
        .loc 1 432 0
        call lsw_return_nss_password_file_info
    .LVL146:
        movl $3, (%esp)
        movl %eax, 4(%esp)
        call PK11_ListCerts
    .LVL147:

This disassembled code corresponds to source line

    list = PK11_ListCerts(PK11CertListCA, lsw_return_nss_password_file_info());

$3 should correspond to PK11CertListCA but at run time it corresponds to PK11CertListCAUnique. I attach both the source file and the output before the assembler.
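An added example, not part of the original comment and not Libreswan or NSS code: a small Python check that reads the listing quoted in the comment above, recovers what is stored in the i386 outgoing-argument slots before each call, and names the PK11CertListType constant passed to PK11_ListCerts. The enum values are those declared in NSS's secmodt.h; the function names are hypothetical, and the script assumes gcc's AT&T-syntax output with arguments written by movl into N(%esp).

```python
import re

# PK11CertListType as declared in NSS's secmodt.h; list index == enum value.
PK11_CERT_LIST_TYPE = [
    "PK11CertListUnique", "PK11CertListUser", "PK11CertListRootUnique",
    "PK11CertListCA", "PK11CertListCAUnique", "PK11CertListUserUnique",
    "PK11CertListAll",
]

# Listing copied from the comment (gcc -O3 -S output, AT&T syntax, i386).
LISTING = """\
movzbl 68(%esp), %ebx
.loc 1 432 0
call lsw_return_nss_password_file_info
.LVL146:
movl $3, (%esp)
movl %eax, 4(%esp)
call PK11_ListCerts
.LVL147:
"""

STORE = re.compile(r"movl\s+(\$-?\w+|%\w+),\s*(\d*)\(%esp\)")
CALL = re.compile(r"call\s+(\S+)")

def stack_args_per_call(listing):
    """Return [(callee, {esp_offset: operand})], one entry per call.
    Slots are reset after each call (i386 cdecl outgoing-argument area)."""
    calls, slots = [], {}
    for line in listing.splitlines():
        store, call = STORE.match(line.strip()), CALL.match(line.strip())
        if store:
            slots[int(store.group(2) or 0)] = store.group(1)
        elif call:
            calls.append((call.group(1), dict(slots)))
            slots = {}
    return calls

def cert_list_type_passed(listing, callee="PK11_ListCerts"):
    """Enum names passed as the first argument (offset 0) to callee."""
    names = []
    for name, slots in stack_args_per_call(listing):
        first = slots.get(0, "")
        if name == callee and re.fullmatch(r"\$\d+", first):
            value = int(first[1:])
            known = value < len(PK11_CERT_LIST_TYPE)
            names.append(PK11_CERT_LIST_TYPE[value] if known else "unknown")
    return names

if __name__ == "__main__":
    print(cert_list_type_passed(LISTING))
```

Running the same check over the -O2 and -O3 listings of one preprocessed file shows whether the constant handed to the callee differs between optimization levels.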
Created attachment 659653
This is the offending Libreswan C source code.
Created attachment 659654
This is the gcc -g -O3 -S output
[philippe@victor libreswan]$ rpm -qa | grep gcc
gcc-gnat-4.7.2-2.fc17.i686
gcc-java-4.7.2-2.fc17.i686
gcc-4.7.2-2.fc17.i686
compat-libgcc-296-2.96-144.i686
gcc-objc-4.7.2-2.fc17.i686
gcc-gfortran-4.7.2-2.fc17.i686
libgcc-4.7.2-2.fc17.i686
gcc-objc++-4.7.2-2.fc17.i686
gcc-c++-4.7.2-2.fc17.i686
[philippe@victor libreswan]$
Dear Kamil, Do forget everything. The bug is now unreproducible. Please do accept my deepest apologies to have bothered you for nuts. Philippe Vouters (Fontainebleau/France)
Thanks for giving it a try, Philippe. As for the reproducer, it often helps to use the preprocessed code to get rid of the influence of header files when trying to reproduce the bug on different environments.
Kamil,

The worst thing is that it is the exact same computer which showed and no longer shows the bug. However, as Libreswan (the open source project I work on) is constantly subject to many modifications, a slight change may cause gcc to fail or succeed, especially at -O3.

Also I do need your advice regarding gcc on Fedora/RHEL. Many open source codes compile with -O2. This Libreswan project compiles with -O3 -g. According to your experience, wouldn't I have to change -O3 to -O2 or -Os? Why do many open source codes I built on my Fedora build with -O2 and I can't remember any using -O3? Which gcc optimization level do you usually use to build the Fedora/RHEL packages? If Red Hat always uses -O2, is there any good reason behind it?

With my very warmest regards to you.
Philippe Vouters (Fontainebleau/France)
We should probably change that. This is what rpmbuild currently supplies as arguments:

    -g -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing -fPIE -DPIE -Wall -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wbad-function-cast
You can find some discussion on using -O2 vs. -O3 in Fedora packages on the fedora-packaging ML: http://lists.fedoraproject.org/pipermail/packaging/2011-January/007566.html
Dear Kamil, Thank you so much for your outstanding support. I am very often very pleased with the support quality level Red Hat provides. You are no exception. Unless already closed, you may close this bugzilla report. With my very warmest regards to you and all the Red Hat support team. Philippe Vouters (Fontainebleau/France)