Closed Bug 429716 Opened 16 years ago Closed 16 years ago

debug builds of libPKIX unconditionally dump socket traffic to stdout

Categories

(NSS :: Libraries, defect, P1)

3.12.1

Tracking

(Not tracked)

RESOLVED FIXED
3.12.1

People

(Reporter: nelson, Assigned: nelson)


Details

(Whiteboard: PKIX)

Attachments

(1 file)

This is P1 for 3.12.1

libPKIX has code that is compiled into all DEBUG builds that unconditionally
dumps all socket traffic (such as OCSP or AIA cert fetching) to stdout in hex.
You can see an example of this in bug 425847 comment 0 and the attachment to 
bug 418644.  This is the main cause of bug 418644.

This is evil for several reasons:

a) it uses stdio, rather than using NSPR, and so it makes NSS only buildable
on platforms that have stdio.

b) programs that write output to stdout have their output corrupted by this
unwanted dump.  For example, ocspclnt writes the OCSP response in binary to 
stdout.  That binary output is useless when it is corrupted with this hex
dump.

c) it is unconditional.  It should be controlled by some means, such as an 
environment variable, and should NOT be enabled by default.

To fix this bug, 
1) all printf, fprintf, puts, fputs calls must be removed from libPKIX, and
replaced with NSPR IO function calls (I recommend using PRLog), and 
2) some means of controlling this output must be established, such as checking
for the presence of an environment variable.  I'd suggest having a variable
named PKIX_SOCKET_TRACE_FILE whose value is the name of the file to which the
NSPR PRLog output will be written.  Using stdout might be an option if (say)
the value of this variable is some magic value (say: stdout).
Priority: -- → P1
Whiteboard: PKIX
Most (perhaps all) of the code that does this tracing of socket traffic to 
stdout is in file lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c 
but there are also a bunch of printf calls in widely used PKIX_DEBUG macros 
in lib/libpkix/pkix/util/pkix_tools.h 

All those uses of printf need to be changed to not use printf any more.
Using NSPR to print to stderr *MIGHT* be acceptable.

I see that there is an environment variable named "SOCKETTRACE" that is 
supposed to control the socket tracing, 
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c&rev=1.4#793

But it is not used everywhere.  That is, it appears to me that some of the 
printf calls will print, even when SOCKETTRACE tells them not to.
I may be wrong about SOCKETTRACE not disabling all the socket trace printfs.
I didn't see any unexpected printf activity when I ran ocspclnt with that
variable, e.g. 

NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it

Simply changing the default value of the socketTraceFlag variable to 0
(false) would go a long way towards reducing the severity of this bug.
Alexei, please review.
Assignee: alexei.volkov.bugs → nelson
Status: NEW → ASSIGNED
Attachment #320821 - Flags: review?(alexei.volkov.bugs)
Attachment #320821 - Flags: review?(alexei.volkov.bugs) → review+
Checking in pkix_pl_socket.c; new revision: 1.5; previous revision: 1.4
Updated 
http://developer.mozilla.org/en/docs/NSS_reference:NSS_environment_variables
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
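
The opt-in trace control proposed in the report, sketched as an added example (not NSS code and not the checked-in fix): tracing stays off unless PKIX_SOCKET_TRACE_FILE names a destination, and stdout is used only for the explicit value "stdout". The helper names trace_open, trace_init and trace_dump are hypothetical, and plain C stdio is used only to keep the sketch self-contained where NSS would use NSPR.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static FILE *trace_fp = NULL;            /* NULL = tracing disabled (default) */

/* Select the trace destination (hypothetical helper). Returns 1 if on. */
int trace_open(const char *dest)
{
    if (trace_fp != NULL && trace_fp != stdout)
        fclose(trace_fp);
    trace_fp = NULL;
    if (dest == NULL || *dest == '\0')
        return 0;                        /* unset or empty: stay silent */
    /* "stdout" is the explicit magic value; anything else is a file name. */
    trace_fp = (strcmp(dest, "stdout") == 0) ? stdout : fopen(dest, "a");
    return trace_fp != NULL;
}

/* Variable name is the one suggested in the report. */
int trace_init(void)
{
    return trace_open(getenv("PKIX_SOCKET_TRACE_FILE"));
}

/* Hex-dump len bytes, 16 per line, to the trace destination.
 * Returns the number of bytes dumped, 0 when tracing is disabled. */
size_t trace_dump(const char *label, const unsigned char *buf, size_t len)
{
    size_t i;

    if (trace_fp == NULL)
        return 0;
    fprintf(trace_fp, "%s: %lu bytes\n", label, (unsigned long)len);
    for (i = 0; i < len; i++)
        fprintf(trace_fp, "%02x%c", buf[i],
                (i % 16 == 15 || i + 1 == len) ? '\n' : ' ');
    fflush(trace_fp);
    return len;
}

int main(void)
{
    /* Constructed sample bytes standing in for a binary OCSP response. */
    static const unsigned char sample[] = { 0x30, 0x82, 0x01, 0x0a, 0x02 };

    trace_init();
    trace_dump("recv", sample, sizeof sample);
    fwrite(sample, 1, sizeof sample, stdout);   /* the program's real output */
    return 0;
}
```

With the variable unset, stdout carries only the five sample bytes, which is the property ocspclnt needs for its binary output.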