Hacking NSS

From Libreswan
Revision as of 20:05, 28 October 2021

Using NSS from Pluto

Use lsw_nss_error*() to report errors.

It includes both the error symbol name and the error message (the former is really useful when reading the code^D^D^D^D documentation while tracking down why the error was returned).

Debugging NSS

NSS_ENABLE_PKIX_VERIFY=1 LD_LIBRARY_PATH=$(cd ../dist/Debug/lib && pwd) gdb --args $(cd ../dist/Debug/bin && pwd)/certutil -V -n PasswordCert -u S -d ../tests_results/security/build.1/dbpass
(gdb) break PKIX_Shutdown
(gdb) break cert_VerifyCertChainPkix

Linking libreswan against a custom NSS build

Building NSS RPMs ...

... using fedpkg local and a KVM

Here, we use the build machine (it has lots of memory and network access) and the 9p-mounted directory /pool (aka $(KVM_POOLDIR); /testing and /root should also work). Just remember that any changes to build aren't permanent; we'll get to that later.

First let's set things up:

$ ./kvm sh build
build# cd /pool
build# dnf install -y fedpkg
build# cat /etc/fedora-release
Fedora release 32 (Thirty Two)
build# fedpkg clone --branch f32 --anonymous nss
build# cd nss
build# dnf builddep nss

Hack xmlto so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, ./kvm uninstall install will wipe this):

build# sed -i -e 's/ -p / /' \
   /usr/share/xmlto/format/docbook/man \
   /usr/share/xmlto/format/docbook/html

Hack nss.spec so that the release has a unique suffix:

build# sed -i -e '/Release:/ s/\([0-9]*\)%/\1_lsw%/' nss.spec
build# fedpkg verrel
nss-3.63.0-1_lsw.fc32

hobble running tests during the build (optional):

build# sed -i -e 's/bcond_without tests/bcond_with tests/' nss.spec
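The two nss.spec edits above are easy to get subtly wrong (a suffix in the wrong place, or a bcond that still runs the tests), so here is an added example, not from the wiki or the libreswan tree, that applies exactly those sed expressions to a constructed four-line spec fragment and then reports the version-release the way fedpkg verrel would. The Release line format, the .fc32 dist tag and the spec fragment are assumptions.

```sh
#!/bin/sh
# Added example (not from the libreswan wiki): apply the nss.spec edits from
# the text to a constructed spec fragment and compute the resulting
# version-release the way "fedpkg verrel" reports it.
# Assumptions: the Release line has the form "Release: N%{?dist}" and the
# dist tag is ".fc32" (both constructed for this example).

set -e

# Constructed nss.spec fragment; the real spec is much longer.
make_sample_spec() {
    cat > "$1" <<'EOF'
Name:           nss
Version:        3.63.0
Release:        1%{?dist}
%bcond_without tests
EOF
}

# Same sed as the text: insert "_lsw" between the release number and %{?dist}.
add_release_suffix() {
    sed -i -e '/Release:/ s/\([0-9]*\)%/\1_lsw%/' "$1"
}

# Same sed as the text: make the "tests" conditional default to off.
disable_tests_by_default() {
    sed -i -e 's/bcond_without tests/bcond_with tests/' "$1"
}

# Mimic "fedpkg verrel": name-version-release with %{?dist} expanded.
spec_verrel() {
    dist="${2:-.fc32}"
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$1")
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$1")
    release=$(sed -n 's/^Release:[[:space:]]*//p' "$1" | sed "s/%{?dist}/$dist/")
    printf '%s-%s-%s\n' "$name" "$version" "$release"
}

# Report whether the spec runs the test suite by default ("on" or "off").
spec_tests_default() {
    if grep -q '^%bcond_without tests' "$1"; then echo on; else echo off; fi
}

demo() {
    spec=$(mktemp)
    make_sample_spec "$spec"
    echo "before: $(spec_verrel "$spec") tests=$(spec_tests_default "$spec")"
    add_release_suffix "$spec"
    disable_tests_by_default "$spec"
    echo "after:  $(spec_verrel "$spec") tests=$(spec_tests_default "$spec")"
    rm -f "$spec"
}

demo
```

The "after" line should read nss-3.63.0-1_lsw.fc32 with tests=off; if the suffix shows up anywhere other than directly before the dist tag, the Release line in the real spec does not have the shape the sed expects.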

Finally, build:

build# fedpkg local --without tests

or:

build# fedpkg prep --without tests
build# fedpkg compile --short-circuit --without tests

The RPMs are under x86_64/.

... using fedpkg mock and the Fedora host

Hmm, something goes here!

fedpkg mock-config
fedpkg mockbuild

Installing the NSS RPMs (and making them stick)

The NSS RPMs can either be installed manually on build (which means they only stick around until ./kvm uninstall), or they can be made more permanent by installing them into the base domain.

To install the RPMs on the base domain, add the following lines to Makefile.inc.local:

# Prepend the directory containing the RPMs, include /
KVM_NSS_RPMDIR = /pool/nss/x86_64/
# Append the actual RPM version
KVM_NSS_VERSION = -3.63.0-1_lsw.fc32.x86_64.rpm

and then upgrade the base domain:

$ ./kvm upgrade
...
 Upgrading        : nss-util-3.63.0-1_lsw.fc32.x86_64                     1/20 
...

finally, confirm:

$ ./kvm install
$ ./kvm sh east
east# rpm -q nss
nss-3.63.0-1_lsw.fc32.x86_64
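Checking just rpm -q nss can miss a domain where the main package was upgraded but a subpackage such as nss-util was left at the stock build. The following added example (not from the wiki or the libreswan tree) reads rpm -q style lines and fails unless every one of them carries the expected custom version-release; the package list and the sample lines are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the libreswan wiki): confirm that every NSS
# subpackage on a domain reports the custom version-release, so a stock
# Fedora package has not been left next to the custom ones.
# Input: "rpm -q" style lines on stdin; $1 is the expected version-release
# (e.g. 3.63.0-1_lsw.fc32.x86_64).  Assumption: each line has the form
# <name>-<version>-<release>.<arch>.

set -e

# Return 0 if every line on stdin ends with "-$1"; otherwise print each
# mismatching line on stderr and return 1.
check_nss_packages() {
    expected="$1"
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"-$expected") ;;
            *) echo "MISMATCH: $line (expected *-$expected)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample output of "rpm -q nss nss-util nss-softokn nss-tools"
# on a domain where everything came from the custom build.
sample_all_custom() {
    cat <<'EOF'
nss-3.63.0-1_lsw.fc32.x86_64
nss-util-3.63.0-1_lsw.fc32.x86_64
nss-softokn-3.63.0-1_lsw.fc32.x86_64
nss-tools-3.63.0-1_lsw.fc32.x86_64
EOF
}

# Constructed sample where nss-util was left at the stock Fedora build.
sample_mixed() {
    cat <<'EOF'
nss-3.63.0-1_lsw.fc32.x86_64
nss-util-3.63.0-1.fc32.x86_64
EOF
}

# Run a sample generator ($1) through the check for version-release $2
# and echo "ok" or "mixed" so the result is easy to capture.
classify() {
    if "$1" | check_nss_packages "$2" 2>/dev/null; then echo ok; else echo mixed; fi
}

echo "all custom: $(classify sample_all_custom 3.63.0-1_lsw.fc32.x86_64)"
echo "mixed:      $(classify sample_mixed 3.63.0-1_lsw.fc32.x86_64)"
```

On a real domain, feed it the live query instead of a sample: ./kvm sh east followed by rpm -q nss nss-util nss-softokn nss-tools | check_nss_packages 3.63.0-1_lsw.fc32.x86_64.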

If needed, the customized domains can be reverted. In Makefile.inc.local, comment out the lines added above, and then run:

$ ./kvm downgrade
$ ./kvm upgrade
...
 Installing       : nss-util-3.63.0-1.fc32.x86_64                       13/330 

Distributing Custom NSS RPMs

Tar up both the .rpm and .srpm files into a single archive and make that available. That way, whoever downloads the archive always gets the source code.

Building NSS+NSPR From Scratch

Setup:

$ ./kvm sh build
build# mkdir -p /pool/nss+nspr
build# cd !$
cd /pool/nss+nspr
build# dnf builddep nss
build# dnf install hg python gyp ninja-build

Hack xmlto so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, ./kvm uninstall install will wipe this):

build# sed -i -e 's/ -p / /' \
   /usr/share/xmlto/format/docbook/man \
   /usr/share/xmlto/format/docbook/html

Using Building NSS as a guide:

build# hg clone https://hg.mozilla.org/projects/nspr
build# hg clone https://hg.mozilla.org/projects/nss
build# ./nss/build.sh --enable-libpkix

Testing:

build# HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh

However, of most interest is PKIX:

( cd nss/tests/cert/ && USE_64=1 NSS_ENABLE_PKIX_VERIFY=1 DOMSUF=localdomain ./cert.sh )