libfreebl3.so should be public, not in the nss subdir

Bug #1744328 reported by Christian Ehrhardt  on 2018-01-19
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nss (Debian)
New
Unknown
nss (Ubuntu)
Undecided
Unassigned

Bug Description

Hi,
I tried to move the chrony dependency from tomcrypt to libnss to avoid universe dependencies.
While doing so I found that libfreebl3 is not "normally" linkable being outside the normal ld paths.

E.g. sample program
#include <nss.h>
#include <hasht.h>
#include <nsslowhash.h>
int main(int argc, char **argv) {
    NSSLOWHASH_Begin(NSSLOWHASH_NewContext(NSSLOW_Init(), HASH_AlgSHA512));
    return 0;
}

Build:
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wmissing-prototypes -Wall -pthread -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/nss -I/usr/include/nspr -o docheck docheck.c -lfreebl3 -Wl,-Bsymbolic-functions -Wl,-z,relro -v -Wl,-v -L/usr/lib/x86_64-linux-gnu/nss

Then:
ldd docheck
will give you
        libfreebl3.so => not found

Obviously a link into /usr/lib/x86_64-linux-gnu/ fixes the issue but needs some more consideration if that is the thing we want (there might be a reason it is where it is).

Note: Required to go on with the chrony MIR which is rather urgent to be sorted out as it has a lot of other dependencies that need to be adapted.

From IRC discussion:
[13:20] <cpaelzer> xnox: hey I'd need your help/guidance on libnss that you touched recently
[13:20] <cpaelzer> it has headers like /usr/include/nss/hasht.h which are backed by a .so in a subdir /usr/lib/x86_64-linux-gnu/nss/libfreebl3.so
[13:20] <cpaelzer> those are usually not meant to be direct includes, but it has symbols for it and everything
[13:21] <cpaelzer> it currently breaks the change of a lib usage that is not in main to use nss for this instead
[13:21] <cpaelzer> so I wonder if that lib should maybe not be in the subpath, but actually directly in /usr/lib/x86_64-linux-gnu/
[13:22] <cpaelzer> xnox: slangasek pointed out that you touched it recently, so we had some hope you might have a hint on this
[13:22] <cpaelzer> as it seems not really to be ment for dlopen only (symbols/headers available "normally")
[13:23] <cpaelzer> I'm on sprint, so latency to reply is high, but it would be great to hear your insight on this
[13:24] <xnox> cpaelzer, i will look into it. It does seem odd.... unless like libnss.so itself knows how to dlopen extra things.
[13:24] <xnox> can't recall anything special around it, off the top of my head.
[13:27] <cpaelzer> xnox: thanks for taking a look
[13:28] <cpaelzer> xnox: if it is meant to be internal only ok, but if not making it properly public would be great
[14:55] <xnox> cpaelzer, i am failing to understand what it is; but on e.g. Fedora, they have a separate source package nss-softokn which does have binary packages nss-softokn-freebl[-devel] which does ship those libs as normal public libraries; they also have some dracut snippets to include those into initramfs....
[14:55] <xnox> they have .chk files and can be used in FIPS mode
[14:55] <xnox> not sure about /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so what that one is yet, as it does not appear to be anywhere.
[14:57] <xnox> oh maybe that one is in the base nss package, one sec.

I'll loose connection soon, so lets continue in this bug to not loose it

Whatever we do, there is one in proposed for a while already which blocks on autopkgtest of 389-ds-base.

That needs to be resolved anyway.
It makes way too much assumptions of the network:
  3 # hack for lxc
  4 IP=`ip route get 1.1.1.1 | sed -n -e's/.*src //; s/ .*//; p; q'`
  5 HOSTNAME=`cat /etc/hosts| grep '127.0.1.1' | awk '{print $NF; exit}'`
  6
  7 echo "$IP $HOSTNAME.debci $HOSTNAME" >> /etc/hosts

For now we need to mark this as a bad-test to be able to fix nss and get something migrating.

I followed the suggestion to take a look at Fedora, and it really is public there.

$ dnf repoquery --installed -l nss-softokn-freebl nss-softokn | grep '.so$'
/usr/lib64/libfreebl3.so
/usr/lib64/libfreeblpriv3.so
/usr/lib64/libnssdbm3.so
/usr/lib64/libsoftokn3.so

The only special one is /usr/lib64/libnssckbi.so which goes via in indirection through /etc/alternatives as it can be provided by p11-kit-trust

There might have been history in Debian we don't know of.
Create a suggested fix - for now only for freebl3, not the others - to move them to an accessible path and suggest to Debian.

Suggested a fix to Debian, but also to hear if there is any known background why it was split up that way.
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888764

It seems this has some (non encouraging) history:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855879
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732201

I'll combine the approach in the former with what I have prepared for my report to Debian.
Packaging for the binary packages might follow the naming that Fedora uses.

Once/If I have something that works fine I'd open up an MP for Ubuntu to let people comment on it.
I'll take a look at that after getting some other (unrelated) blockers out of the way.

Discussion spun forward - TL;DR:
- we have time for the nss-pem changes and tjaalton will drive those in debian
- for our current need we might not even want to move the libs
  - but instead provide symlinks (least invasive change for now until Debian decided on our bug)

I'll revamp my current ppa fix, maybe merge the latest nss from Debian and retest for an MP/upload later on.

Thansk xnox and tjaalton for the great discussion on IRC.

Changed in nss (Ubuntu):
status: New → In Progress
Changed in nss (Debian):
status: Unknown → New
Changed in nss (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.35-2ubuntu2

---------------
nss (2:3.35-2ubuntu2) bionic; urgency=medium

  * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
    default is still causing too much issues in consumers of nss.
    So until resolved revert the switched default (LP: #1746947)

nss (2:3.35-2ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.
  * Added Changes:
    - d/libnss3.links: make freebl3 available as library (LP: #1744328)
      + d/control: add dh-exec to Build-Depends
      + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

nss (2:3.35-2) unstable; urgency=medium

  * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.

nss (2:3.35-1) unstable; urgency=medium

  * New upstream release.

nss (2:3.34.1-1) unstable; urgency=medium

  * New upstream release.

 -- Christian Ehrhardt <email address hidden> Mon, 05 Feb 2018 11:36:07 +0100

Changed in nss (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.