libfreebl3.so should be public, not in the nss subdir
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nss (Debian) | Fix Released | Unknown | | |
| nss (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Hi,
I tried to move the chrony dependency from tomcrypt to libnss to avoid universe dependencies.
While doing so I found that libfreebl3 is not "normally" linkable being outside the normal ld paths.
E.g. sample program
#include <nss.h>
#include <hasht.h>
#include <nsslowhash.h>
int main(int argc, char **argv) {
NSSLOWHASH_
return 0;
}
Build:
gcc -g -O2 -fstack-
Then:
ldd docheck
will give you
Obviously a link into /usr/lib/
Note: Required to go on with the chrony MIR which is rather urgent to be sorted out as it has a lot of other dependencies that need to be adapted.
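A check for the condition described in the report, given as an added example that is not part of the original bug description: it lists the dependencies that `ldd` cannot resolve and tests whether a library's installed path lies directly in a default loader directory. The sample `ldd` output, the function names, and the list of default directories are constructed assumptions; real systems extend the search path through /etc/ld.so.conf.

```shell
#!/bin/sh
# Added example: find libraries the dynamic loader cannot resolve and tell
# whether an installed library sits in a default search directory.

# Constructed sample of `ldd` output for a binary linked against libfreebl3
# (the report's own output is not preserved on the page).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1c5f2000)
    libfreebl3.so => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a5e200000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a5e5d4000)'

# Print the soname of every dependency that ldd output ($1) marks "not found".
unresolved_libs() {
    printf '%s\n' "$1" |
        awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Assumed default loader directories for a Debian/Ubuntu multiarch triplet ($1).
default_dirs() {
    printf '%s\n' "/lib/$1" "/usr/lib/$1" /lib /usr/lib
}

# Print "public" when the library path ($1) lies directly in a default
# directory for triplet ($2), "private" when it lives anywhere else, such as
# a package subdirectory that is normally reached only through dlopen().
lib_visibility() {
    dir=${1%/*}
    for d in $(default_dirs "$2"); do
        if [ "$dir" = "$d" ]; then
            echo public
            return 0
        fi
    done
    echo private
}

# Stand-alone demonstration on the constructed sample.
for lib in $(unresolved_libs "$SAMPLE_LDD"); do
    echo "unresolved: $lib"
done
lib_visibility /usr/lib/x86_64-linux-gnu/nss/libfreebl3.so x86_64-linux-gnu
lib_visibility /usr/lib/x86_64-linux-gnu/libfreebl3.so x86_64-linux-gnu
```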
Related branches
- Canonical Server: Pending requested
- Canonical Server Core Reviewers: Pending requested
- Diff: 212443 lines (+105527/-55021) (has conflicts), 243 files modified
Changed in nss (Ubuntu):
status: New → In Progress
Changed in nss (Debian):
status: Unknown → New
Changed in nss (Ubuntu):
status: In Progress → Fix Committed
Changed in nss (Debian):
status: New → Fix Released
From IRC discussion:
[13:20] <cpaelzer> xnox: hey I'd need your help/guidance on libnss that you touched recently
[13:20] <cpaelzer> it has headers like /usr/include/nss/hasht.h which are backed by a .so in a subdir /usr/lib/x86_64-linux-gnu/nss/libfreebl3.so
[13:20] <cpaelzer> those are usually not meant to be direct includes, but it has symbols for it and everything
[13:21] <cpaelzer> it currently breaks the change of a lib usage that is not in main to use nss for this instead
[13:21] <cpaelzer> so I wonder if that lib should maybe not be in the subpath, but actually directly in /usr/lib/x86_64-linux-gnu/
[13:22] <cpaelzer> xnox: slangasek pointed out that you touched it recently, so we had some hope you might have a hint on this
[13:22] <cpaelzer> as it seems not really to be meant for dlopen only (symbols/headers available "normally")
[13:23] <cpaelzer> I'm on sprint, so latency to reply is high, but it would be great to hear your insight on this
[13:24] <xnox> cpaelzer, i will look into it. It does seem odd.... unless like libnss.so itself knows how to dlopen extra things.
[13:24] <xnox> can't recall anything special around it, off the top of my head.
[13:27] <cpaelzer> xnox: thanks for taking a look
[13:28] <cpaelzer> xnox: if it is meant to be internal only ok, but if not making it properly public would be great
[14:55] <xnox> cpaelzer, i am failing to understand what it is; but on e.g. Fedora, they have a separate source package nss-softokn which does have binary packages nss-softokn-freebl[-devel] which does ship those libs as normal public libraries; they also have some dracut snippets to include those into initramfs....
[14:55] <xnox> they have .chk files and can be used in FIPS mode
[14:55] <xnox> not sure about /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so what that one is yet, as it does not appear to be anywhere.
[14:57] <xnox> oh maybe that one is in the base nss package, one sec.
I'll lose connection soon, so let's continue in this bug to not lose it