Bug 239960: remove all fortezza support
Status: Open (ASSIGNED)
Opened 20 years ago; updated 2 years ago
Product/Component: NSS :: Libraries; Type: enhancement; Priority: P3
Tracking: not tracked
Reporter: nelson; Assignee: Unassigned

Attachments (2 files, 1 obsolete file):
- patch, 91.04 KB; rrelyea: review+
- patch, 18.30 KB; rrelyea: review+
NSS contains a lot of code to support fortezza, including:
a) lots of code for special fortezza ciphersuites in SSL
b) a software fortezza PKCS11 module
c) a pkcs11 module for interfacing to a hardware fortezza card (IIRC)
d) special fortezza support in numerous test programs
But there are NO clients or servers that use it. It is orphan code. We don't honestly know if it even works any more. I propose that we rip it all out. That will reduce the size of NSS: less source, fewer shared libs, smaller shared libs and smaller test programs. It will increase the percentage of NSS source that is actually tested in QA.
Comment 1•20 years ago (Reporter)
Fellow NSS developers, this bug proposes the removal of all fortezza support from NSS. Do any of you object to this? If I attach a patch to this bug to remove all fortezza support from SSL, would any of you object to checking it in (assuming it was correctly done)?
Comment 2•20 years ago
Go for it. bob
Comment 3•19 years ago (Reporter)
Taking bug, because I'm about to add a patch for this. Christophe, I'd like us to consider this for NSS 3.10. We need to discuss it.
Assignee: wtchang → nelson
Comment 4•19 years ago (Reporter)
This patch removes all support for fortezza from libSSL. It also stops the building of nss/lib/fortcrypt. It does not affect any other nss libs. I will attach a separate patch for the changes to nss/cmd/*
Comment 5•19 years ago (Reporter)
Comment on attachment 178435 (patch part 1 - for nss/lib (checked in)): Changing patch description
Attachment #178435 - Attachment description: patch v1 → patch part 1 - for nss/lib
Comment 6•19 years ago (Reporter)
This patch
- stops building cmd/swfort
- removes any mention of fortezza from the usage messages for the SSL commands, and from modutil
- changes all the SSL commands so that they silently ignore any command line options that would specify the use of a fortezza ciphersuite, e.g. -c a. This preserves compatibility with test scripts.
Comment 7•19 years ago (Reporter)
Comment on attachment 178435 (patch part 1 - for nss/lib (checked in)): Bob, please review, or feel free to ask someone else to do it. I wanted to give you the first right of refusal for this review. :)
Attachment #178435 - Flags: review?(rrelyea)
Comment 8•19 years ago (Reporter)
Comment on attachment 178440 (patch part 2 - for nss/cmd (checked in)): Bob, please review this too.
Attachment #178440 - Flags: review?(rrelyea)
Comment 9•19 years ago
This is a small patch that instructs the build system to not build fortezza. It may be a good idea to review and check this in first.
Comment 10•19 years ago
Comment on attachment 178435 (patch part 1 - for nss/lib (checked in)): If patches compile, OK to check in. Some general comments: preencrypted files were meant to include non-fortezza formats. Since they have never been implemented and since we have the CVS history, it's OK to remove the existing code and leave the stub functions. There are also FORTEZZA functions in lib/pk11wrap. Some of them probably should live on as nonworking stubs (KEAMatch, for instance); some fragments should be removed (a 'FORTEZZA hack' variable or flag in symkey and its uses). The FORTEZZA code isn't as extensive in pk11wrap as in SSL. I also think there are FORTEZZA-specific code fragments in cert as well; chain verification comes to mind, but fortezza portions of public and private keys too.
Attachment #178435 - Flags: review?(rrelyea) → review+
Updated•19 years ago
Attachment #178440 - Flags: review?(rrelyea) → review+
Comment 11•19 years ago
I also think we should check this in. However, I think the patches are incomplete on at least one issue: KRL support was not removed.
Comment 12•19 years ago (Reporter)
Yes, the patch is known to be incomplete with respect to all of NSS. It addresses fortezza in the following 3 areas:
1. removes fortezza code from libSSL
2. stops the fortezza softoken from being built
3. stops the fortezza-specific command from being built
It does not remove fortezza from the rest of libNSS, nor does it remove fortezza-specific command line options from some common test programs, such as tstclnt or selfserv (e.g. the -f option). It's meant to be a first step, removing fortezza from parts of NSS upon which no other parts depend for fortezza. If Christophe gets approval after build 3 but before build 4, I will try to check this in then. If not, I'll make this P2 for 3.11.
Priority: -- → P3
Target Milestone: --- → 3.10
Updated•19 years ago (Reporter)
QA Contact: bishakhabanerjee → jason.m.reid
Comment 14•19 years ago (Reporter)
Checked in above patches (1 and 2) on trunk. Will leave bug open since more Fortezza code needs to be removed from NSS.
Checking in cmd/manifest.mn; new rev: 1.21; previous rev: 1.20
Checking in cmd/platlibs.mk; new rev: 1.42; previous rev: 1.41
Checking in cmd/SSLsample/server.c; new rev: 1.9; previous rev: 1.8
Checking in cmd/SSLsample/sslsample.c; new rev: 1.11; previous rev: 1.10
Checking in cmd/modutil/modutil.c; new rev: 1.24; previous rev: 1.23
Checking in cmd/selfserv/selfserv.c; new rev: 1.66; previous rev: 1.65
Checking in cmd/sslstrength/sslstrength.c; new rev: 1.12; previous rev: 1.11
Checking in cmd/strsclnt/strsclnt.c; new rev: 1.42; previous rev: 1.41
Checking in cmd/tstclnt/tstclnt.c; new rev: 1.41; previous rev: 1.40
Checking in cmd/vfyserv/vfyserv.c; new rev: 1.11; previous rev: 1.10
Checking in cmd/vfyserv/vfyutil.c; new rev: 1.10; previous rev: 1.9
Checking in lib/manifest.mn; new rev: 1.16; previous rev: 1.15
Checking in lib/ssl/nsskea.c; new rev: 1.7; previous rev: 1.6
Checking in lib/ssl/preenc.h; new rev: 1.6; previous rev: 1.5
Checking in lib/ssl/prelib.c; new rev: 1.7; previous rev: 1.6
Checking in lib/ssl/ssl.h; new rev: 1.22; previous rev: 1.21
Checking in lib/ssl/ssl3con.c; new rev: 1.72; previous rev: 1.71
Checking in lib/ssl/ssl3prot.h; new rev: 1.9; previous rev: 1.8
Checking in lib/ssl/sslauth.c; new rev: 1.14; previous rev: 1.13
Checking in lib/ssl/sslcon.c; new rev: 1.27; previous rev: 1.26
Checking in lib/ssl/sslenum.c; new rev: 1.12; previous rev: 1.11
Checking in lib/ssl/sslimpl.h; new rev: 1.39; previous rev: 1.38
Checking in lib/ssl/sslinfo.c; new rev: 1.12; previous rev: 1.11
Checking in lib/ssl/sslproto.h; new rev: 1.9; previous rev: 1.8
Checking in lib/ssl/sslsecur.c; new rev: 1.31; previous rev: 1.30
Checking in lib/ssl/sslsnce.c; new rev: 1.34; previous rev: 1.33
Checking in lib/ssl/sslsock.c; new rev: 1.38; previous rev: 1.37
Checking in lib/ssl/sslt.h; new rev: 1.9; previous rev: 1.8
Status: NEW → ASSIGNED
Comment 15•19 years ago (Reporter)
Comment on attachment 178516 [details] [diff] [review] Small build system patch to not build fortezza I'm giving r+ to this specific portion of the patch. I will check it in. >Index: pkg/solaris/SUNWtlsd/prototype >=================================================================== >RCS file: /cvsroot/mozilla/security/nss/pkg/solaris/SUNWtlsd/prototype,v >retrieving revision 1.4 >diff -u -r1.4 prototype >--- pkg/solaris/SUNWtlsd/prototype 28 Feb 2005 17:45:19 -0000 1.4 >+++ pkg/solaris/SUNWtlsd/prototype 24 Mar 2005 21:41:52 -0000 >@@ -160,6 +160,4 @@ > f none usr/include/mps/sslerr.h 0644 root bin > f none usr/include/mps/sslproto.h 0644 root bin > f none usr/include/mps/sslt.h 0644 root bin >-f none usr/include/mps/swfort.h 0644 root bin >-f none usr/include/mps/swfortt.h 0644 root bin > f none usr/include/mps/watcomfx.h 0644 root bin
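Review bot: the two removed lines only make the SUNWtlsd package consistent if swfort.h and swfortt.h really stop being installed into usr/include/mps; comment 4 says patch part 1 stops building nss/lib/fortcrypt, so confirm that the headers' export entries went with it, and check whether any other prototype under pkg/solaris lists the same two headers, since this hunk touches only SUNWtlsd. The hunk header is self-consistent (6 lines before, 4 after, two removals, four unchanged context lines), and since comment 18 says the larger checked-in patch subsumes this one, the same two removals should be verifiable in that checkin.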
Attachment #178516 - Flags: review+
Comment 16•19 years ago
Fortezza has four function calls in pk11pub.h and exported via nss.def that need to be handled:
- PK11_FortezzaMapSig
- PK11_FortezzaHasKEA
- PK11_GenerateFortezzaIV
- PK11_SetFortezzaHack
Comment 17•19 years ago (Reporter)
Comment on attachment 178516 (Small build system patch to not build fortezza): Wan-Teh, did you check in this reviewed patch? Shall I do so?
Comment 18•19 years ago
Comment on attachment 178516 (Small build system patch to not build fortezza): Nelson, I didn't check in this patch, but you checked in a larger patch that contains everything in this patch. So I marked this patch obsolete.
Attachment #178516 - Attachment is obsolete: true
Comment 19•19 years ago
Do we want to remove any PKIX-related fortezza support from NSS ? Do we want to choke on Fortezza certs ? Do we even care to detect them anymore ?
Comment 20•19 years ago
There is still Fortezza code in nss/cmd, probably just nss/cmd/swfort. May I cvs remove those files?
Comment 21•19 years ago
Yes, everything under swfort can be removed.
Comment 22•19 years ago
OK, cmd/swfort has been cvs removed.
Updated•18 years ago (Reporter)
Attachment #178435 - Attachment description: patch part 1 - for nss/lib → patch part 1 - for nss/lib (checked in)
Updated•18 years ago (Reporter)
Attachment #178440 - Attachment description: patch part 2 - for nss/cmd → patch part 2 - for nss/cmd (checked in)
Updated•18 years ago (Reporter)
QA Contact: jason.m.reid → libraries
Comment 23•17 years ago (Reporter)
Remove target milestone, since the target was missed.
Target Milestone: 3.11 → ---
Updated•14 years ago (Reporter)
Assignee: nelson → nobody
Comment 24•13 years ago
Both attached patches are marked as checked in. Should this bug be resolved fixed?
Comment 25•13 years ago (Reporter)
Look at https://mxr.mozilla.org/security/search?string=FORTEZZA&find=%2Fsecurity%2Fnss%2F&tree=security and decide for yourself if this work is finished.
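Added check, not part of the bug or of NSS itself: a POSIX shell script that performs the search comment 25 points to (every remaining FORTEZZA reference in the tree) and additionally reports which of the four nss.def exports listed in comment 16 are still present. The directory layout and file contents it builds under mktemp are constructed for the demo; the real NSS tree and nss.def format are assumed, not copied. Pass a real checkout as the first argument to audit it instead of the constructed tree.

```shell
#!/bin/sh
# Added example (not NSS project code). Audits a source tree for leftover
# Fortezza code: the manual MXR search from comment 25, scripted, plus the
# four exported symbols comment 16 says still need handling in nss.def.
# Assumes POSIX find/grep; grep -w is supported by GNU and BSD grep.

# Symbols named in comment 16 (these four names are from the bug itself).
FORTEZZA_EXPORTS="PK11_FortezzaMapSig PK11_FortezzaHasKEA PK11_GenerateFortezzaIV PK11_SetFortezzaHack"

# Print file:line:text for every case-insensitive "fortezza" hit in
# C sources, headers, manifests, makefiles and .def files under $1,
# skipping CVS metadata directories. /dev/null forces grep to print
# filenames even when only one file is passed.
fortezza_source_refs() {
    find "$1" -type d -name CVS -prune -o -type f \
        \( -name '*.c' -o -name '*.h' -o -name '*.mn' -o -name '*.mk' -o -name '*.def' \) \
        -exec grep -i -n 'fortezza' /dev/null {} + 2>/dev/null || true
}

# Print each symbol from FORTEZZA_EXPORTS that is still listed in the
# nss.def given as $1, one per line; prints nothing when all are gone.
fortezza_exports_remaining() {
    for sym in $FORTEZZA_EXPORTS; do
        if grep -q -w "$sym" "$1" 2>/dev/null; then
            echo "$sym"
        fi
    done
}

# Build a constructed tree (not the real NSS layout) mirroring the state
# the thread describes: libSSL cleaned, pk11wrap and nss.def not yet.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/pk11wrap" "$root/lib/ssl" "$root/lib/nss" "$root/CVS"
    cat > "$root/lib/pk11wrap/pk11pub.h" <<'EOF'
/* constructed sample, not the real header */
SECStatus PK11_FortezzaMapSig(SECKEYPublicKey *pub, SECKEYPrivateKey *priv);
PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
EOF
    cat > "$root/lib/nss/nss.def" <<'EOF'
;+ constructed sample export list
PK11_FortezzaHasKEA;
PK11_GenerateFortezzaIV;
PK11_GetBestSlot;
EOF
    cat > "$root/lib/ssl/ssl3con.c" <<'EOF'
/* constructed sample: libSSL after patch part 1, nothing left to remove */
static int ssl3_cleaned = 1;
EOF
    echo "FORTEZZA mention inside CVS metadata must be ignored" > "$root/CVS/Entries"
    echo "$root"
}

# Audit the tree given on the command line, or the constructed one.
if [ $# -gt 0 ]; then
    tree="$1"
    cleanup=""
else
    tree=$(make_demo_tree)
    cleanup="$tree"
fi
echo "== remaining fortezza references under $tree =="
fortezza_source_refs "$tree"
echo "== comment 16 symbols still in $tree/lib/nss/nss.def =="
fortezza_exports_remaining "$tree/lib/nss/nss.def"
if [ -n "$cleanup" ]; then
    rm -rf "$cleanup"
fi
```

On the constructed tree the first report lists the two declarations in pk11pub.h and the two export lines in nss.def, and the second names PK11_FortezzaHasKEA and PK11_GenerateFortezzaIV; the CVS/Entries hit is pruned. An empty output from both functions on a real checkout is the condition under which comment 24's question (resolve as fixed?) can be answered yes.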
Updated•2 years ago
Severity: normal → S3