NSS Refactor 3 11: Difference between revisions
m (grammar and spelling) |
m (→nss/lib/util) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 14: | Line 14: | ||
*Depends on nspr* | *Depends on nspr* | ||
==== libssl3.so ==== | ==== libssl3.so ==== | ||
*Built with | *Built with sources in nss/lib/ssl | ||
*Statically | *Statically linked with library libreebl.a (nss/lib/freebl^) | ||
*Depends on libnss3.so | *Depends on libnss3.so | ||
*Depends on | *Depends on libfreebl3.so^ | ||
*Depends on nspr* | *Depends on nspr* | ||
==== libnss3.so ==== | ==== libnss3.so ==== | ||
*Built with sources in nss/lib/nss | *Built with sources in nss/lib/nss | ||
| Line 84: | Line 85: | ||
==== nss/lib/util ==== | ==== nss/lib/util ==== | ||
nss/lib/util is used by libnss3.so, libsoftkn3.so and | nss/lib/util is used by libnss3.so, libsoftkn3.so and libfreebl3.so. | ||
Besides the copy issue, util also creates an issue for libsoftkn3.so and libfreebl3.so because the latter are FIPS modules. Changes to nss/lib/util technically affect the FIPS validation. Since nss/lib/util does not participate in the management of CPS, it is usually possible to reinstate the validation with a review and letter from the lab. | |||
=== ckfw/nssckbi dependencies === | === ckfw/nssckbi dependencies === | ||
Latest revision as of 16:45, 11 June 2007
NSS Packaging Refactor for 3.11
The Current Dependency Tree
Current NSS dependency tree (NSS 3.11.X).
libcrmf.a
- Built with sources in nss/lib/crmf
- Static library only.
libsmime3.so
- Built with sources in nss/lib/smime
- Statically linked with objects in nss/lib/pkcs12 and nss/lib/pkcs7
- Depends on libnss3.so
- Depends on nspr*
libssl3.so
- Built with sources in nss/lib/ssl
- Statically linked with library libreebl.a (nss/lib/freebl^)
- Depends on libnss3.so
- Depends on libfreebl3.so^
- Depends on nspr*
libnss3.so
- Built with sources in nss/lib/nss
- Statically linked with objects in:
- nss/lib/certhigh
- nss/lib/cryptohi
- nss/lib/pk11wrap
- nss/lib/certdb
- nss/lib/util
- nss/lib/pki
- nss/lib/dev
- nss/lib/base
- Depends libsoftokn3.so
- Depends on nspr*
libsoftokn3.so
- Built with sources in nss/lib/softoken
- Statically linked with libraries:
- libsecutil.a (nss/lib/util)
- libdbm.a (dbm)
- libfreebl.a (nss/lib/freebl^)
- Depends on libfreebl.so^
- Depends on nspr*
^NOTE: Freebl dependency is dynamically loaded with DLopen and won't show up on a normal dependency list.
libfreebl.so
- Built with soruces in nss/lib/freebl
- Statically linked with libraries:
- libsecutil.a (nss/lib/util)
- libdbm.a (dbm)
libnssckbi.so
- Built with sources in nss/lib/ckfw/builtins
- Statically linked with libraries:
- libnssckfw.a (nss/lib/ckfw)
- libssb.a (nss/lib/base)
- Depends on nspr*
Analysis
For the most part these are pretty much straight line dependencies, distinct dependencies.
The exceptions are nss/lib/base, nss/lib/util and nss/lib/freebl.
nss/lib/freebl
nss/lib/freebl is really a static binding to a loader function with an explicit dynamic load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency even though it won't show up on an ldd.
nss/lib/base
nss/lib/base is used in both libnss3.so and libckbi.so. This is the only runtime dependency libckbi.so has on the rest of NSS. Unfortately nss/lib/base depends on some headers in nss/lib/util, and nss/lib/ckfw depends on some headers in nss/lib/softoken.
nss/lib/base is one of the slowest changing directories in the NSS tree. Since NSS 3.9 there have been a grand total of 4 changes made to that tree:
- Between 3.9 and 3.10 the license changed from dual to tri-license.
- Between 3.9 and 3.10 two pointers were changed from &pointer[offset] to pointer+offset (offset was negative, and the new code is more readable).
- Between 3.11.2 and 3.11.3 alex fixed a null dereference bug.
- Between 3.11 and 3.12 whatnspr.c was removed.
nss/lib/util
nss/lib/util is used by libnss3.so, libsoftkn3.so and libfreebl3.so. Besides the copy issue, util also creates an issue for libsoftkn3.so and libfreebl3.so because the latter are FIPS modules. Changes to nss/lib/util technically affect the FIPS validation. Since nss/lib/util does not participate in the management of CPS, it is usually possible to reinstate the validation with a review and letter from the lab.
ckfw/nssckbi dependencies
Besides the object code dependencies, there are some unexpected build dependencies for ckfw.
If you try the following:
# get ckfw
cvs checkout -r NSS_3_11_BRANCH mozilla/security/coreconf \
mozilla/security/nss/lib/base mozilla/security/nss/lib/ckfw
# get nspr
cvs checkout mozilla/nsprpub
cvs checkout -r NSS_3_11_BRANCH mozilla/security/nss/Makefile \
mozilla/security/nss/manifest.mn
#build dependencies
cd mozilla/security/nss
make build_coreconf build_nspr
#build base
cd lib/base
make
#build ckfw
cd ../ckfw
make
You find the lib/base will fail because it needs header files supplied out of lib/util and lib/ckfw will fail because it needs header files supplied out of softoken (the pkcs11 headers).
Recommendation
Because of the static linking issue for NSS 3.11.x we should support the following:
- nssckbi.so built in it's own 3.11.x tree used in other versions of NSS 3.11.x.
- softoken.so/freebl.so built in an NSS 3.11.4 tree used with other versions of NSS 3.11.x (x > 4).
- nssckbi.so where the ckfw directory is built from a newer version of NSS 3.11.x, used in an older version of NSS 3.11.x
- fips validated versions of softoken freebl built in a newer nss tree where the new version of util in that tree has been validated with a letter from the lab.
Open Questions. Should we tag blessed combinations with special tags, or document which component mixing is approved?