NSS Refactor 3 12: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
 
 
(6 intermediate revisions by 3 users not shown)
Line 8: Line 8:
*Built with sources in nss/lib/crmf
*Built with sources in nss/lib/crmf
*Static library only.
*Static library only.
[http://hostgator1centcoupon.net/ Hostgator VPS Coupon]
[http://hostgator-reseller-coupon.com/ Hostgator Reseller Coupon]
[http://hostgator-vps-coupon.net/ Hostgator 1 cent coupon]
==== libsmime3.so ====
==== libsmime3.so ====
*Built with sources in nss/lib/smime
*Built with sources in nss/lib/smime
Line 30: Line 34:
**nss/lib/dev
**nss/lib/dev
**nss/lib/base
**nss/lib/base
**nss/lib/libpkix/pkix/certsel
**nss/lib/libpkix/pkix/checker
**nss/lib/libpkix/pkix/params
**nss/lib/libpkix/pkix/results
**nss/lib/libpkix/pkix/top
**nss/lib/libpkix/pkix/util
**nss/lib/libpkix/pkix/crlsel
**nss/lib/libpkix/pkix/store
**nss/lib/libpkix/pkix_pl_nss/pki
**nss/lib/libpkix/pkix_pl_nss/system
**nss/lib/libpkix/pkix_pl_nss/module
*Depends libsoftokn3.so
*Depends libsoftokn3.so
*Depends on nspr*
*Depends on nspr*
==== libsoftokn3.so ====
==== libsoftokn3.so ====
*Built with sources in nss/lib/softoken
*Built with sources in nss/lib/softoken
Line 43: Line 60:
  ^NOTE: Freebl dependency is dynamically loaded with DLopen and won't show up
  ^NOTE: Freebl dependency is dynamically loaded with DLopen and won't show up
  on a normal dependency list.
  on a normal dependency list.
  ^^NOTE2: liblgdbm.so dependency is also dynamically loaded with DLopen. It is only loaded if needed to process legacy databases.
  ^^NOTE2: liblgdbm.so dependency is also dynamically loaded with DLopen.  
It is only loaded if needed to process legacy databases.
 
==== liblgdbm3.so ====
==== liblgdbm3.so ====
*Built with sources in nss/lib/softoken
*Built with sources in nss/lib/softoken
Line 89: Line 108:
==== nss/lib/freebl ====
==== nss/lib/freebl ====
nss/lib/freebl
nss/lib/freebl
is really a static binding to a loader function with and explicit dynamical
is really a static binding to a loader function with an explicit dynamic
load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency
load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency
even though it won't show up on an ldd.
even though it won't show up on an ldd.
Line 99: Line 118:
depends on some headers in nss/lib/util, and nss/lib/ckfw depends on some
depends on some headers in nss/lib/util, and nss/lib/ckfw depends on some
headers in nss/lib/softoken.
headers in nss/lib/softoken.
nss/lib/base is one of the slowest changing directories in the NSS tree.
Since NSS 3.9 there have been a grand total of 4 changes made to that tree:
# Between 3.9 and 3.10 the license changed from dual to tri-license.
# Between 3.9 and 3.10 two pointers were changed from &pointer[offset] to pointer+offset (offset was negative, and the new code is more readable).
# Between 3.11.2 and 3.11.3 alex fixed a null dereference bug.
# Between 3.11 and 3.12 whatnspr.c was removed.


==== nss/lib/util ====
==== nss/lib/util ====
Line 125: Line 137:


Other question: crmf is currently a static only library, currently only used by tools and mozilla. Is it time for crmf to become it's own shared library?
Other question: crmf is currently a static only library, currently only used by tools and mozilla. Is it time for crmf to become it's own shared library?
'''Update''': It looks like capi and mkey do *NOT* depend on freebl, so it is possible to make ckfw it's own module which only depends on base. This leads to the question: do we want to make ckfw independent of util and softoken, including build time dependencies. In that case it argues for libbase to be it's own package.
[[Category:NSS]]

Latest revision as of 18:46, 18 April 2012

NSS Packaging Refactor for 3.12

The "Current" Dependency Tree

This is the "current" NSS dependency tree (NSS 3.12) based on changes to from libpkix and shared database.

libcrmf.a

  • Built with sources in nss/lib/crmf
  • Static library only.

Hostgator VPS Coupon Hostgator Reseller Coupon Hostgator 1 cent coupon

libsmime3.so

  • Built with sources in nss/lib/smime
  • Statically linked with objects in nss/lib/pkcs12 and nss/lib/pkcs7
  • Depends on libnss3.so
  • Depends on nspr*

libssl3.so

  • Built with sourced in nss/lib/ssl
  • Statically lined with library libreebl.a (nss/lib/freebl^)
  • Depends on libnss3.so
  • Depends on libfreebl.so^
  • Depends on nspr*

libnss3.so

  • Built with sources in nss/lib/nss
  • Statically linked with objects in:
    • nss/lib/certhigh
    • nss/lib/cryptohi
    • nss/lib/pk11wrap
    • nss/lib/certdb
    • nss/lib/util
    • nss/lib/pki
    • nss/lib/dev
    • nss/lib/base
    • nss/lib/libpkix/pkix/certsel
    • nss/lib/libpkix/pkix/checker
    • nss/lib/libpkix/pkix/params
    • nss/lib/libpkix/pkix/results
    • nss/lib/libpkix/pkix/top
    • nss/lib/libpkix/pkix/util
    • nss/lib/libpkix/pkix/crlsel
    • nss/lib/libpkix/pkix/store
    • nss/lib/libpkix/pkix_pl_nss/pki
    • nss/lib/libpkix/pkix_pl_nss/system
    • nss/lib/libpkix/pkix_pl_nss/module
  • Depends libsoftokn3.so
  • Depends on nspr*

libsoftokn3.so

  • Built with sources in nss/lib/softoken
  • Statically linked with libraries:
    • libsecutil.a (nss/lib/util)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on liblgdbm3.so^^
  • Depends on nspr*
^NOTE: Freebl dependency is dynamically loaded with DLopen and won't show up
on a normal dependency list.
^^NOTE2: liblgdbm.so dependency is also dynamically loaded with DLopen. 
It is only loaded if needed to process legacy databases.

liblgdbm3.so

  • Built with sources in nss/lib/softoken
  • Statically linked with libraries:
    • libsecutil.a (nss/lib/util)
    • libdbm.a (dbm)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on nspr*

libfreebl.so

  • Built with soruces in nss/lib/freebl
  • Statically linked with libraries:
    • libsecutil.a (nss/lib/util)
    • libdbm.a (dbm)

libnssckbi.so

  • Built with sources in nss/lib/ckfw/builtins
  • Statically linked with libraries:
    • libnssckfw.a (nss/lib/ckfw)
    • libssb.a (nss/lib/base)
  • Depends on nspr*

libnsscapi.so

  • Built with sources in nss/lib/ckfw/capi
  • Statically linked with libraries:
    • libnssckfw.a (nss/lib/ckfw)
    • libssb.a (nss/lib/base)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on nspr*

libnssmkey.so

  • Built with sources in nss/lib/ckfw/mkey
  • Statically linked with libraries:
    • libnssckfw.a (nss/lib/ckfw)
    • libssb.a (nss/lib/base)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on nspr*

Analysis

For the most part these are pretty much straight line dependencies, distinct dependencies.

The exceptions are nss/lib/base, nss/lib/util and nss/lib/freebl.

nss/lib/freebl

nss/lib/freebl is really a static binding to a loader function with an explicit dynamic load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency even though it won't show up on an ldd.

nss/lib/base

nss/lib/base is used in both libnss3.so and libckbi.so. This is the only runtime dependency libckbi.so has on the rest of NSS. Unfortately nss/lib/base depends on some headers in nss/lib/util, and nss/lib/ckfw depends on some headers in nss/lib/softoken.

nss/lib/util

nss/lib/util is used by libnss3.so, libsoftkn3.so. liblgdbm.so and libfreebl.so. Besided the copy issue, util also creates an issue for libsoftkn3.so and libfreebl.so because the latter or FIPS modules, changes to nss/lib/util technically affect the FIPS validation. Since nss/lib/util does not participate in the management of CPS, it is usually possible to reinstate the validation with a review and letter from the lab.

ckfw/* dependencies

With capi and mkey, ckfw depends on freebl. Since freebl depends on util, then it makes since that you would need base, util, freebl to build ckfw. As with NSS 3.11, there is also a build time dependency on the headers in softoken

Recommendations

  1. Make util it's own shared library. There are a number of issues with this which are discussed here.
  2. Bundle util and base as a 'basic' NSS package which can be built separately from the rest of nss (Question, should base be rolled into util, remain it's own static library, or become it's own shared library?).
  3. Bundle freebl and softoken as a 'crypto' NSS package which can be built separately, depending only on itself and basic.
  4. Bundle ckfw as a 'modules' NSS package which can be built separately, depending on itself, basic, and crypto.
  5. Bundle the rest of NSS as a 'nss' NSS package, which can be built separately, depending only on itself, basic, and crypto. (NOTE: it does not depend on 'modules'. (Question, should ssl and smime be separate packages as well?).

Other question: crmf is currently a static only library, currently only used by tools and mozilla. Is it time for crmf to become it's own shared library?

Update: It looks like capi and mkey do *NOT* depend on freebl, so it is possible to make ckfw it's own module which only depends on base. This leads to the question: do we want to make ckfw independent of util and softoken, including build time dependencies. In that case it argues for libbase to be it's own package.

Retrieved from "https://wiki.allizom.org/index.php?title=NSS_Refactor_3_12&oldid=421589"