Hacking NSS: Difference between revisions
(known issues) |
(add workaround) |
||
Line 6: | Line 6: | ||
== Building Libreswan using custom NSS RPMs == | == Building Libreswan using custom NSS RPMs == | ||
=== Building NSS RPMs on the guest === | === Building NSS RPMs on the guest === | ||
Line 92: | Line 87: | ||
Tar up both the .rpm and .srpm files into a single archive and make that available. That way, who ever downloads the archive always gets the source code. | Tar up both the .rpm and .srpm files into a single archive and make that available. That way, who ever downloads the archive always gets the source code. | ||
== | === Potential Problems === | ||
* ikev2-x509-ecdsa-01, say, fails on east with: | |||
: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure. | |||
:* this happens when trying to use a very new NSS (3.71) on an old system (f32) | |||
:* the fix is to forceably upgrade crypto-policies and crypto-policies-scripts | |||
== Building Libreswan using a scratch NSS+NSPR build == | |||
=== Scratch building NSS+NSPR === | === Scratch building NSS+NSPR === | ||
Line 132: | Line 129: | ||
$ ./kvm sh east | $ ./kvm sh east | ||
cat /proc/$(pgrep pluto)/maps | grep nss | cat /proc/$(pgrep pluto)/maps | grep nss | ||
=== Potential Problems === | |||
* FIPS tests do not pass | |||
: it would appear that the system being in FIPS mode isn't detected? For instance with algparse-02-fips | |||
= Debugging NSS = | = Debugging NSS = |
Revision as of 04:05, 30 October 2021
Using NSS from Pluto
use lsw_nss_error*() to report errors
It includes both the error symbol name and the error message (the former is really useful when reading the code^D^D^D^D documentation when tracking down why the error was returned).
Building Libreswan using custom NSS RPMs
Building NSS RPMs on the guest
Here, we use the build machine (it has lots of memory and network access) and the 9p mounted directory /pool (aka $(KVM_POOLDIR), but /testing and /root should also work). Just remember that any changes to build aren't permanent, we'll get to that later.
Prepare the machine (xmlto is hacked so that it doesn't try to preserve permissions when copying files within the 9p file system):
$ ./kvm sh build build# dnf install -y fedpkg build# dnf builddep nss build# sed -i -e 's/ -p / /' \ /usr/share/xmlto/format/docbook/man \ /usr/share/xmlto/format/docbook/html
Get the sources (drop --branch f32 if trying to build rawhide):
build# cd /pool build# cat /etc/fedora-release Fedora release 32 (Thirty Two) build# fedpkg clone --branch f32 --anonymous nss build# cd nss
hack nss.specso that it has a unique suffix, and check result:
build# sed -i -e '/global baserelease/ s/$/lsw/' nss.spec build# sed -i -e '/global nspr_release/ s/$/lsw/' nss.spec build# fedpkg verrel nss-3.63.0-1lsw.fc32
if fedpkg verrel fails more hacks may be required
If building a newer NSS, try this:
build# sed -i -e '/Requires:.*crypto-policies/ s/crypto-policies.*/crypto-policies/' nss.spec
hobble running tests during the build (optional):
build# sed -i -e 's/bcond_without tests/bcond_with tests/' nss.spec
finally build:
build# fedpkg local --without tests:
or:
build# fedpkg prep --without tests build# fedpkg compile --short-circuit --without tests
the RPMs are under x86_64.
Building NSS RPMs on the host
Hmm, something goes here!
fedpkg mock-config fedpkg mockbuild
Installing the NSS RPMs (and making them stick)
The NSS RPMs can either be installed manually on build (which means they only stick around until ./kvm uninstall), or they can be made more permenant by installing them into the base domain.
To install the RPMs on the base domain, add the following lines to Makefile.inc.local:
# Prepend the directory containing the RPMs, include / KVM_NSS_RPMDIR = /pool/nss/x86_64/ KVM_NSPR_RPMDIR = /pool/nss/x86_64/ # Append the actual RPM version KVM_NSS_VERSION = -3.71.0-1lsw.fc36.x86_64.rpm KVM_NSPR_VERSION = -4.32.0-3lsw.fc36.x86_64.rpm
and then upgrade the base domain:
$ ./kvm upgrade ... Upgrading : nss-util-3.63.0-1_lsw.fc32.x86_64 1/20 ...
finally, confirm:
$ ./kvm install $ ./kvm sh east east# rpm -q nss nss-3.63.0-1_lsw.fc32.x86_64
If needed, the the customized domains can be reverted. In Makefile.inc.local, comment out the lines added above, and then run:
$ ./kvm downgrade $ ./kvm upgrade ... Installing : nss-util-3.63.0-1.fc32.x86_64 13/330
Distributing Custom NSS RPMs
Tar up both the .rpm and .srpm files into a single archive and make that available. That way, who ever downloads the archive always gets the source code.
Potential Problems
- ikev2-x509-ecdsa-01, say, fails on east with:
- SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure.
- this happens when trying to use a very new NSS (3.71) on an old system (f32)
- the fix is to forceably upgrade crypto-policies and crypto-policies-scripts
Building Libreswan using a scratch NSS+NSPR build
Scratch building NSS+NSPR
Prepare the machine (xmlto is hacked so that it doesn't try to preserve permissions when copying files within the 9p file system):
$ ./kvm sh build build# dnf builddep -y nss build# dnf install -y hg python gyp ninja-build build# sed -i -e 's/ -p / /' \ /usr/share/xmlto/format/docbook/man \ /usr/share/xmlto/format/docbook/html
Download and build using Building NSS as a guide:
build# cd /source build# hg clone https://hg.mozilla.org/projects/nspr build# hg clone https://hg.mozilla.org/projects/nss build# ./nss/build.sh --enable-libpkix
testing (for comparison, NSS build farm):
build# HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh
however, of most interest is PKIX:
( cd nss/tests/cert/ ; USE_64=1 NSS_ENABLE_PKIX_VERIFY=1 DOMSUF=localdomain ./cert.sh )
Linking with libreswan
finally, to link nss against the build, add the following to Makefile.inc.local (how correct is this?):
KVM_NSS_CFLAGS = -I/source/nspr/Debug/dist/include/nspr -I/source/dist/public/nss KVM_NSS_LDFLAGS = -L/source/dist/Debug/lib/ -Wl,-rpath,/source/dist/Debug/lib/ -lnss3
and then build as per normal:
$ ./kvm install check
and confirm it worked:
$ ./kvm sh east cat /proc/$(pgrep pluto)/maps | grep nss
Potential Problems
- FIPS tests do not pass
- it would appear that the system being in FIPS mode isn't detected? For instance with algparse-02-fips
Debugging NSS
NSS_ENABLE_PKIX_VERIFY=1 LD_LIBRARY_PATH=$(cd ../dist/Debug/lib && pwd) gdb --args $(cd ../dist/Debug/bin && pwd)/certutil -V -n PasswordCert -u S -d ../tests_results/security/build.1/dbpass (gdb) break PKIX_Shutdown (gdb) break cert_VerifyCertChainPkix