Hacking NSS: Difference between revisions
Revisions compared: older edit summary "(show how to make things stick)", newer edit summary "(build from scratch)".
Revision as of 20:05, 28 October 2021
Using NSS from Pluto
use lsw_nss_error*() to report errors
It reports both the error symbol name and the error message. The symbol name is the really useful part: it is what you grep for in the NSS code (or what documentation there is) when tracking down why the error was returned.
Debugging NSS
From the nss source directory, run the Debug-build certutil under gdb with libpkix verification enabled, then break on the PKIX code path:
 NSS_ENABLE_PKIX_VERIFY=1 LD_LIBRARY_PATH=$(cd ../dist/Debug/lib && pwd) gdb --args $(cd ../dist/Debug/bin && pwd)/certutil -V -n PasswordCert -u S -d ../tests_results/security/build.1/dbpass
 (gdb) break PKIX_Shutdown
 (gdb) break cert_VerifyCertChainPkix
Linking libreswan against a custom NSS build
Building NSS RPMs ...
... using fedpkg local and a KVM
Here, we use the build domain (it has lots of memory and network access) and the 9p mounted directory /pool (aka $(KVM_POOLDIR); /testing and /root should also work). Just remember that changes made inside the build domain aren't permanent; making them stick is covered below.
First lets set things up:
 $ ./kvm sh build
 build# cd /pool
 build# dnf install -y fedpkg
 build# cat /etc/fedora-release
 Fedora release 32 (Thirty Two)
 build# fedpkg clone --branch f32 --anonymous nss
 build# cd nss
 build# dnf builddep nss
Hack xmlto so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, ./kvm uninstall install will wipe this):
 build# sed -i -e 's/ -p / /' \
     /usr/share/xmlto/format/docbook/man \
     /usr/share/xmlto/format/docbook/html
Hack nss.spec so that the Release field has a unique suffix (this is what later lets rpm -q show unambiguously that the custom build, and not the distribution's, is installed):
 build# sed -i -e '/Release:/ s/\([0-9]*\)%/\1_lsw%/' nss.spec
 build# fedpkg verrel
 nss-3.63.0-1_lsw.fc32
hobble running tests during the build (optional):
build# sed -i -e 's/bcond_without tests/bcond_with tests/' nss.spec
finally build:
 build# fedpkg local --without tests
or:
 build# fedpkg prep --without tests
 build# fedpkg compile --short-circuit --without tests
the RPMs are under x86_64.
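As an added example (not from this wiki or from the libreswan kvm tooling), here is the spec-tagging step from above applied to a constructed nss.spec fragment, together with a check that the sed actually matched (it is silent when the Release line has an unexpected shape) and a small reimplementation of the name-version-release string that fedpkg verrel prints. The spec fragment, the .fc32 dist tag and the helper names are assumptions for the example:

```shell
#!/bin/sh
# Added example (not libreswan's or Fedora's code): tag a constructed nss.spec
# fragment the way the "Building NSS RPMs" steps do, verify the tag took, and
# derive the NVR that `fedpkg verrel` would print for it.

# Same sed as the wiki page: insert "_lsw" before the %{?dist} macro on the
# Release line.
tag_spec_release() {
    sed -i -e '/Release:/ s/\([0-9]*\)%/\1_lsw%/' "$1"
}

# Return 0 only if the Release line carries the suffix.  The sed above does
# nothing (and says nothing) if the Release line does not match its pattern,
# so check before spending a build on it.
check_spec_release() {
    grep '^Release:' "$1" | grep -qF '_lsw%{?dist}'
}

# Print name-version-release as `fedpkg verrel` would, with the dist tag
# (e.g. ".fc32") passed in instead of being read from the host's rpm macros.
spec_nvr() {
    spec=$1
    dist=$2
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$spec")
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$spec")
    release=$(sed -n 's/^Release:[[:space:]]*//p' "$spec")
    # replace everything from the first "%" (the %{?dist} macro) with the tag
    release="${release%%"%"*}$dist"
    printf '%s-%s-%s\n' "$name" "$version" "$release"
}

# Constructed nss.spec fragment (field order as in Fedora's spec, values from
# the page); prints the path of the temporary file holding it.
make_sample_spec() {
    sample=$(mktemp)
    cat >"$sample" <<'EOF'
Summary: Network Security Services
Name: nss
Version: 3.63.0
Release: 1%{?dist}
License: MPLv2.0
EOF
    printf '%s\n' "$sample"
}

# The xmlto hack from the page, factored so it can be applied to any file:
# drop the "-p" (preserve mode) that fails on a 9p mount.
strip_xmlto_preserve() {
    sed -i -e 's/ -p / /' "$@"
}

# Usage:
#   spec=$(make_sample_spec)
#   tag_spec_release "$spec" && check_spec_release "$spec" && spec_nvr "$spec" .fc32
#   (prints nss-3.63.0-1_lsw.fc32)
```

The NVR printed here is exactly the string that reappears later as KVM_NSS_VERSION (with the architecture and .rpm appended), so it is worth keeping in the terminal when editing Makefile.inc.local.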
... using fedpkg mock and the Fedora host
Hmm, something goes here!
 fedpkg mock-config
 fedpkg mockbuild
Installing the NSS RPMs (and making them stick)
The NSS RPMs can either be installed manually on the build domain (which means they only stick around until ./kvm uninstall), or they can be made more permanent by installing them into the base domain.
To install the RPMs on the base domain, add the following lines to Makefile.inc.local:
 # Prepend the directory containing the RPMs, include /
 KVM_NSS_RPMDIR = /pool/nss/x86_64/
 # Append the actual RPM version
 KVM_NSS_VERSION = -3.63.0-1_lsw.fc32.x86_64.rpm
and then upgrade the base domain:
 $ ./kvm upgrade
 ...
 Upgrading : nss-util-3.63.0-1_lsw.fc32.x86_64 1/20
 ...
finally, confirm:
 $ ./kvm install
 $ ./kvm sh east
 east# rpm -q nss
 nss-3.63.0-1_lsw.fc32.x86_64
If needed, the customized domains can be reverted. In Makefile.inc.local, comment out the lines added above, and then run:
 $ ./kvm downgrade
 $ ./kvm upgrade
 ...
 Installing : nss-util-3.63.0-1.fc32.x86_64 13/330
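Added example, not part of this page or of the kvm makefiles: a pre-flight check that the two Makefile.inc.local variables, which are glued around a package name as $(KVM_NSS_RPMDIR)<package>$(KVM_NSS_VERSION), point at RPM files that actually exist before ./kvm upgrade is run, plus a comparison of what rpm -q nss prints inside a domain against the NVR implied by KVM_NSS_VERSION. The list of subpackages and the function names are assumptions for the example:

```shell
#!/bin/sh
# Added example (not libreswan's kvm tooling): check that the RPMs named by
# KVM_NSS_RPMDIR and KVM_NSS_VERSION exist, and that a domain runs that build.

# Defaults taken from the page; override by exporting the variables.
KVM_NSS_RPMDIR=${KVM_NSS_RPMDIR:-/pool/nss/x86_64/}
KVM_NSS_VERSION=${KVM_NSS_VERSION:--3.63.0-1_lsw.fc32.x86_64.rpm}

# Assumed set of subpackages that have to be upgraded together (nss-util
# first, matching the page's upgrade log).  Adjust to what `ls x86_64/` shows.
NSS_SUBPACKAGES="nss-util nss-softokn-freebl nss-softokn nss-sysinit nss nss-tools"

# Full path of one RPM: directory, package name, version suffix, concatenated
# exactly as the two makefile variables are.
nss_rpm_path() {
    printf '%s%s%s\n' "$1" "$2" "$3"
}

# Return 0 if every subpackage RPM is present; otherwise list the missing
# ones on stderr and return 1.  Run this before `./kvm upgrade`.
check_nss_rpms() {
    rpmdir=$1
    version=$2
    missing=0
    for pkg in $NSS_SUBPACKAGES; do
        path=$(nss_rpm_path "$rpmdir" "$pkg" "$version")
        if [ ! -f "$path" ]; then
            echo "missing: $path" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# The NVR that `rpm -q nss` should print once the tagged build is installed:
# strip the leading "-" and the trailing ".rpm" from KVM_NSS_VERSION and
# prefix the package name.
expected_nss_nvr() {
    v=${1#-}
    v=${v%.rpm}
    printf 'nss-%s\n' "$v"
}

# Compare the output of `rpm -q nss` (first argument, e.g. captured from
# `./kvm sh east rpm -q nss`) against the NVR implied by the version suffix.
nss_build_installed() {
    [ "$1" = "$(expected_nss_nvr "$2")" ]
}

# Usage:
#   check_nss_rpms "$KVM_NSS_RPMDIR" "$KVM_NSS_VERSION" && ./kvm upgrade
#   nss_build_installed "$(./kvm sh east rpm -q nss)" "$KVM_NSS_VERSION"
```

The installed-build comparison is the same check the page does by eye with rpm -q; scripting it matters when several domains are upgraded, since a domain that was built from the untagged base image reports nss-3.63.0-1.fc32.x86_64 and silently tests the distribution's NSS instead of the custom one.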
Distributing Custom NSS RPMs
Tar up both the .rpm and .srpm files into a single archive and make that available. That way, who ever downloads the archive always gets the source code.
Building NSS+NSPR From Scratch
Setup:
 $ ./kvm sh build
 build# mkdir -p /pool/nss+nspr
 build# cd /pool/nss+nspr
 build# dnf builddep nss
 build# dnf install hg python gyp ninja-build
Hack xmlto so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, ./kvm uninstall install will wipe this):
 build# sed -i -e 's/ -p / /' \
     /usr/share/xmlto/format/docbook/man \
     /usr/share/xmlto/format/docbook/html
Using Building NSS as a guide:
 build# hg clone https://hg.mozilla.org/projects/nspr
 build# hg clone https://hg.mozilla.org/projects/nss
 build# ./nss/build.sh --enable-libpkix
testing:
build# HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh
however, of most interest (given the --enable-libpkix build above) is the PKIX run of the cert tests:
 ( cd nss/tests/cert/ && USE_64=1 NSS_ENABLE_PKIX_VERIFY=1 DOMSUF=localdomain ./cert.sh )