Closed
Bug 1321350
Opened 8 years ago
Closed 8 years ago
Remove all JSS bypassPKCS11 functions as latest NSS has removed PKCS#11 bypass support
Categories
(JSS Graveyard :: Library, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
4.4
People
(Reporter: cfu, Assigned: cfu)
References
Details
Attachments
(3 files)
10.18 KB,
patch
|
elio.maldonado.batiz
:
review+
jmagne
:
review+
|
Details | Diff | Splinter Review |
4.17 KB,
patch
|
cfu
:
review+
|
Details | Diff | Splinter Review |
38.37 KB,
text/plain
|
Details |
This bug spinned off 1313122 See comment: https://bugzilla.mozilla.org/show_bug.cgi?id=1313122#c28 In suggestion "1" We should remove all JSS bypassPKCS11 functions as latest NSS has removed PKCS#11 bypass support; it will not be made a blocker
Assignee | ||
Updated•8 years ago
|
Assignee: glenbeasley → cfu
Severity: normal → major
Priority: -- → P1
Assignee | ||
Comment 1•8 years ago
|
||
Note: this bug depends on 1313122 as it contains caller code that would not compile if these functions are removed.
Depends on: 1313122
Assignee | ||
Comment 2•8 years ago
|
||
JSS library patch to remove reference calls to now-obsolete PKCS#11 bypass functions.
Attachment #8817301 -
Flags: review?(emaldona)
Assignee | ||
Updated•8 years ago
|
Attachment #8817301 -
Flags: review?(jmagne)
Comment on attachment 8817301 [details] [diff] [review] RemoveBypassPK11Funcs.patch Review of attachment 8817301 [details] [diff] [review]: ----------------------------------------------------------------- Looks good.
Attachment #8817301 -
Flags: review?(jmagne) → review+
Comment 4•8 years ago
|
||
Comment on attachment 8817301 [details] [diff] [review] RemoveBypassPK11Funcs.patch Review of attachment 8817301 [details] [diff] [review]: ----------------------------------------------------------------- r+ from me also, checked it on Rawhide and macOS.
Attachment #8817301 -
Flags: review?(emaldona) → review+
Updated•8 years ago
|
Target Milestone: --- → 4.4
Updated•8 years ago
|
Keywords: checkin-needed
Comment 5•8 years ago
|
||
needs rebasing at least for mozilla-inbound applying RemoveBypassPK11Funcs.patch unable to find 'org/mozilla/jss/ssl/SSLServerSocket.java' for patching (use '--prefix' to apply patch relative to the current directory) 1 out of 1 hunks FAILED -- saving rejects to file org/mozilla/jss/ssl/SSLServerSocket.java.rej unable to find 'org/mozilla/jss/ssl/SSLSocket.java' for patching (use '--prefix' to apply patch relative to the current directory) 2 out of 2 hunks FAILED -- saving rejects to file org/mozilla/jss/ssl/SSLSocket.java.rej unable to find 'org/mozilla/jss/ssl/SocketBase.java' for patching (use '--prefix' to apply patch relative to the current directory) 3 out of 3 hunks FAILED -- saving rejects to file org/mozilla/jss/ssl/SocketBase.java.rej unable to find 'org/mozilla/jss/ssl/common.c' for patching (use '--prefix' to apply patch relative to the current directory) 1 out of 1 hunks FAILED -- saving rejects to file org/mozilla/jss/ssl/common.c.rej patch failed, unable to continue (try -v) patch failed, rejects left in working directory errors during apply, please fix and qrefresh RemoveBypassPK11Funcs.patch
Flags: needinfo?(cfu)
Comment 6•8 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #5) > needs rebasing at least for mozilla-inbound Apologies for my ignorance what what's "rebasing at least for mozilla-inbound"? As far I know Mozilla products do not use JSS. > > applying RemoveBypassPK11Funcs.patch > unable to find 'org/mozilla/jss/ssl/SSLServerSocket.java' for patching > (use '--prefix' to apply patch relative to the current directory) > 1 out of 1 hunks FAILED -- saving rejects to file > org/mozilla/jss/ssl/SSLServerSocket.java.rej > unable to find 'org/mozilla/jss/ssl/SSLSocket.java' for patching > (use '--prefix' to apply patch relative to the current directory) > 2 out of 2 hunks FAILED -- saving rejects to file > org/mozilla/jss/ssl/SSLSocket.java.rej > unable to find 'org/mozilla/jss/ssl/SocketBase.java' for patching > (use '--prefix' to apply patch relative to the current directory) > 3 out of 3 hunks FAILED -- saving rejects to file > org/mozilla/jss/ssl/SocketBase.java.rej > unable to find 'org/mozilla/jss/ssl/common.c' for patching > (use '--prefix' to apply patch relative to the current directory) > 1 out of 1 hunks FAILED -- saving rejects to file > org/mozilla/jss/ssl/common.c.rej > patch failed, unable to continue (try -v) > patch failed, rejects left in working directory > errors during apply, please fix and qrefresh RemoveBypassPK11Funcs.patch Did you follow the the steps in the README? They worked for Jack and me and we tried them on several platforms.
Flags: needinfo?(cbook)
Comment 7•8 years ago
|
||
Hello Carsten, I think you can ignore this patch, it isn't intended for Firefox/Mozilla at all, but only for a separate project/repository.
Updated•8 years ago
|
Flags: needinfo?(cbook)
Comment 8•8 years ago
|
||
pushed: https://hg.mozilla.org/projects/jss/rev/1a96a08e6f3d7553fda15bfa1069eb6a740a1272
Updated•8 years ago
|
Flags: needinfo?(cfu)
BTW, because this change changes constants (which Javac inlines), code that is compiled against 2097:1a96a08e6f3d will throw an exception if run against code running JSS 4.3.2 and sslSocket.enableRenegotiation(SSLSocket.SSL_RENEGOTIATE_NEVER) is issued. New value is 23. 23 used to be SSL_ENABLE_RENEGOTIATION. Alternatively, code that was compiled against version 4.3.2, but run against 2097:1a96a08e6f3d will set SSL_RENEGOTIATE_UNRESTRICTED when SSL_RENEGOTIATE_NEVER was intended. Caused by: java.net.SocketException: Incorrect input value. at org.mozilla.jss.ssl.SSLServerSocket.enableRenegotiation(SSLServerSocket.java:428) Caused by: java.net.SocketException: Incorrect input value. at org.mozilla.jss.ssl.SSLSocket.enableRenegotiation(SSLSocket.java:617)
Comment 10•7 years ago
|
||
Patch to keep constants backward compatible with previous versions of JSS.
Comment 11•7 years ago
|
||
(In reply to mmcclain from comment #10) > Created attachment 8830729 [details] [diff] [review] > backward-compatible-constants.patch > > Patch to keep constants backward compatible with previous versions of JSS. Thank you Mathew for the patch. Notice this comment in common.c. /* * These must match up with the constants defined in SocketBase.java. * Note to developer these constants are not all related! i.e. you cannot * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage * in NSS and NSPR before using. */ PRInt32 JSSL_enums[] = { and on SocketBase.java there are similar ones /** * Enums. These must match the enums table in common.c. This is * safer than copying the values of the C constants, which are subject * to change, into Java code. * Note to developer these constants are not all related! i.e. you cannot * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage * in NSS and NSPR before using. */ Given that then along with common.c the SocketBase.java would need to be patched. This is something that we have discussed in the past and opted not to change it. We will revisit this topic. I will review and test your patch(es) adapted to to latest sources in that NSS_EXPERIMENTAL BRANCH so I can take advantage of the preferred way of building and testing from Bug 1331765. If needed I will modify the patches for bugs listed in the tracking bug 1307859 as needed. I'll get back to you in a few days. Thanks again. Elio
Comment 12•7 years ago
|
||
The patch I attached modified both common.c and SocketBase.java. The purpose was so Java code compiled against the old source (JSS 4.3.2) would continue to work without recompilation with the new source as long as it didn't use the removed option (SSL_BYPASS_PKCS11) or methods (bypassPKCS11, bypassPKCS11Default).
Comment 13•7 years ago
|
||
My bad, I didn't read carefully when looking at it via Splinter Review.
Assignee | ||
Comment 14•7 years ago
|
||
Comment on attachment 8830729 [details] [diff] [review] backward-compatible-constants.patch Review of attachment 8830729 [details] [diff] [review]: ----------------------------------------------------------------- looks good. Thank you!
Attachment #8830729 -
Flags: review+
Comment 15•7 years ago
|
||
Applied this patch, trivially modified on account of latest sources, and following the steps documented in Bug 1331765 and all tests passed.
Comment 16•7 years ago
|
||
Pushed: https://hg.mozilla.org/projects/jss/rev/e5e2f877029d5c7f4beaa99f43b269f986593fad
You need to log in
before you can comment on or make changes to this bug.
Description
•