Darwin/X11 - No certs, libnssckbi.dylib fails to load

RESOLVED FIXED

Status

()

Core
Security: PSM
RESOLVED FIXED
9 years ago
6 years ago

People

(Reporter: Jeremy Huddleston, Unassigned)

Tracking

Trunk
All
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-easy])

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3

Breakpoint 1, 0x01cf8937 in nss_Init (configdir=0x2117dc8 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default", certPrefix=0x1e5da70 "", keyPrefix=0x1e5da70 "", secmodName=0x1e4fed8 "secmod.db", updateDir=0x1e5da70 "", updCertPrefix=0x1e5da70 "", updKeyPrefix=0x1e5da70 "", updateID=0x1e5da70 "", updateName=0x1e5da70 "", readOnly=0, noCertDB=0, noModDB=0, forceOpen=0, noRootInit=0, optimizeSpace=1, noSingleThreadedModules=0, allowAlreadyInitializedModules=0, dontFinalizeModules=0) at nssinit.c:432
432	{
(gdb) n
433	    char *moduleSpec = NULL;
(gdb) n
434	    char *flags = NULL;
(gdb) n
435	    SECStatus rv = SECFailure;
(gdb) n
436	    char *lconfigdir = NULL;
(gdb) n
437	    char *lcertPrefix = NULL;
(gdb) n
438	    char *lkeyPrefix = NULL;
(gdb) n
439	    char *lsecmodName = NULL;
(gdb) n
440	    char *lupdateDir = NULL;
(gdb) n
441	    char *lupdCertPrefix = NULL;
(gdb) c
Continuing.
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done

Breakpoint 2, 0x01cf8877 in nss_FindExternalRoot (dbpath=0x2117dc8 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default", secmodprefix=0x1e4fed8 "secmod.db") at nssinit.c:372
372	{
(gdb) n
373		char *path = NULL;
(gdb) n
374	        char *oldpath = NULL;
(gdb) n
375	        PRBool hasrootcerts = PR_FALSE;
(gdb) n
382	        nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
(gdb) n
383	        if (oldpath) {
(gdb) print oldpath
$1 = 0x0
(gdb) print path
$2 = 0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib"
(gdb) n
387	        if (path && !hasrootcerts) {
(gdb) n
388		    (void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
(gdb) s
SECMOD_AddNewModule (moduleName=0x1e4fdac "Root Certs", dllPath=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", defaultMechanismFlags=0, cipherEnableFlags=0) at pk11util.c:626
626	    return SECMOD_AddNewModuleEx(moduleName, dllPath, defaultMechanismFlags,
(gdb) s
SECMOD_AddNewModuleEx (moduleName=0x1e4fdac "Root Certs", dllPath=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=0x0, nssparms=0x0) at pk11util.c:572
572	    SECStatus result = SECFailure;
(gdb) n
576	    PR_SetErrorText(0, NULL);
(gdb) n
578	    module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms);
(gdb) s
SECMOD_CreateModule (library=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", moduleName=0x1e4fdac "Root Certs", parameters=0x0, nss=0x0) at pk11pars.c:117
117	    SECMODModule *mod = secmod_NewModule();
(gdb) n
120	    char *nssc = (char *)nss;
(gdb) n
121	    if (mod == NULL) return NULL;
(gdb) n
123	    mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
(gdb) n
124	    if (library) {
(gdb) n
125		mod->dllName = PORT_ArenaStrdup(mod->arena,library);
(gdb) n
128	    if (parameters) {
(gdb) n
131	    mod->internal   = secmod_argHasFlag("flags","internal",nssc);
(gdb) print mod->dllName
$3 = 0x2b25090 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib"
(gdb) n
132	    mod->isFIPS     = secmod_argHasFlag("flags","FIPS",nssc);
(gdb) n
133	    mod->isCritical = secmod_argHasFlag("flags","critical",nssc);
(gdb) n
134	    slotParams      = secmod_argGetParamValue("slotParams",nssc);
(gdb) n
135	    mod->slotInfo   = secmod_argParseSlotInfo(mod->arena,slotParams,
(gdb) n
137	    if (slotParams) PORT_Free(slotParams);
(gdb) 
139	    mod->trustOrder  = secmod_argReadLong("trustOrder",nssc,
(gdb) 
142	    mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
(gdb) 
145	    mod->isModuleDB   = secmod_argHasFlag("flags","moduleDB",nssc);
(gdb) 
146	    mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
(gdb) 
147	    if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
(gdb) 
149	    ciphers = secmod_argGetParamValue("ciphers",nssc);
(gdb) 
150	    secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
(gdb) 
151	    if (ciphers) PORT_Free(ciphers);
(gdb) 
153	    secmod_PrivateModuleCount++;
(gdb) 
155	    return mod;
(gdb) 
156	}
(gdb) 
SECMOD_AddNewModuleEx (moduleName=0x1e4fdac "Root Certs", dllPath=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=0x0, nssparms=0x0) at pk11util.c:580
580	    if (module == NULL) {
(gdb) n
584	    if (module->dllName != NULL) {
(gdb) 
585	        if (module->dllName[0] != 0) {
(gdb) 
586	            result = SECMOD_AddModule(module);
(gdb) s
SECMOD_AddModule (newModule=0x2b25010) at pk11util.c:481
481	    if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
(gdb) n
487	    rv = SECMOD_LoadPKCS11Module(newModule);
(gdb) s
SECMOD_LoadPKCS11Module (mod=0x2b25010) at pk11load.c:263
263	    PRLibrary *library = NULL;
(gdb) n
264	    CK_C_GetFunctionList entry = NULL;
(gdb) 
267	    CK_ULONG slotCount = 0;
(gdb) 
269	    PRBool alreadyLoaded = PR_FALSE;
(gdb) 
270	    char *disableUnload = NULL;
(gdb) 
272	    if (mod->loaded) return SECSuccess;
(gdb) 
275	    if (mod->internal) {
(gdb) 
308		if (mod->dllName == NULL) {
(gdb) 
319		full_name = PORT_Strdup(mod->dllName);
(gdb) 
325		library = PR_LoadLibrary(full_name);
(gdb) print full_name
$4 = 0x390bc20 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib"
(gdb) s
326		mod->library = (void *)library;
(gdb) n
330		PORT_Free(full_name);
(gdb) 
333		if (library == NULL) {
(gdb) 
334		    return SECFailure;
(gdb) print library
$5 = (PRLibrary *) 0x0
(gdb) quit
The program is running.  Exit anyway? (y or n) y


Reproducible: Always




The problem is that libnssckbi.dylib is installed at /opt/local/lib/libnssckbi.dylib, but the library being requested is /Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib. If I make a symlink from MOZILLA_FIVE_HOME/libnssckbi.dylib to it, it will load.  This is because the failed load is followed by a second attempt:

(gdb) c  
Continuing.

Breakpoint 1, PR_LoadLibrary (name=0x390ce40 "/opt/local/lib/firefox-x11/libnssckbi.dylib") at prlink.c:599
599	{
(gdb) bt
#0  PR_LoadLibrary (name=0x390ce40 "/opt/local/lib/firefox-x11/libnssckbi.dylib") at prlink.c:599
#1  0x01d6dce2 in SECMOD_LoadPKCS11Module (mod=0x2b22210) at pk11load.c:325
#2  0x01d7a83e in SECMOD_LoadModule (modulespec=0x390cf78 "name=\"Builtin Roots Module\" library=\"/opt/local/lib/firefox-x11/libnssckbi.dylib\"", parent=0x0, recurse=0) at pk11pars.c:323
#3  0x01d7a9d5 in SECMOD_LoadUserModule (modulespec=0x390cf78 "name=\"Builtin Roots Module\" library=\"/opt/local/lib/firefox-x11/libnssckbi.dylib\"", parent=0x0, recurse=0) at pk11pars.c:391


But when we build with --with-system-nss, we need to look where the system NSS is installed and load the libraries from there as well.
I do not see this when an internal libnssckbi.dylib is used (3.1b3, 10.5/intel/X11)
(Reporter)

Comment 2

9 years ago
That is correct.  That is because the internal libnssckbi.dylib is installed in MOZILLA_FIVE_HOME.  The system-nss isn't necessarily there (as I mentioned, we use a symlink to work around this for now).
This is a mass search for bugs which are in the Firefox General component, are
UNCO, have not been changed for 500 days and have an unspecified version. 

Reporter, can you please update to Firefox 3.6.10 or later, create a fresh profile, http://support.mozilla.com/en-US/kb/managing+profiles, and test again. If you still see the issue, please update this bug. If the issue is gone, please set the status to RESOLVED > WORKSFORME.
Whiteboard: [CLOSEME 2010-11-01]
(Reporter)

Comment 4

7 years ago
yeah, still an issue.

Updated

7 years ago
Whiteboard: [CLOSEME 2010-11-01]
Version: unspecified → 3.6 Branch
Confirming on trunk m-c built on 10.7/x86_64
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86 → All
Version: 3.6 Branch → Trunk

Updated

6 years ago
Assignee: nobody → nobody
Component: General → Libraries
Product: Firefox → NSS
QA Contact: general → libraries
Version: Trunk → trunk

Comment 6

6 years ago
Out of curiosity, which software installs NSS in a system location on OSX?

Comment 7

6 years ago
Actually, this might rather be a PSM issue, because PSM has the code to attempt to detect the ckbi library.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Version: trunk → Trunk

Comment 8

6 years ago
what happens if you add the system directory (the one that contains the ckbi library) to LD_LIBRARY_PATH (or its OSX equivalent, I don't know what exactly must be used) prior to starting?

Comment 9

6 years ago
Talked on IRC.
Given that it works, if you add the directory containing the lib to the library search path (DYLD_LIBRARY_PATH), then there is no bug.

Given that we cannot guess where on the system the lib is installed, there must be a hint, and this is it.

Resolving as invalid.
As a final test, you might include multiple directories in that variable (probably separated by colon dir1:dir2:dir3), and see if that works, too.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
(Reporter)

Comment 10

6 years ago
Uhm, no.  Setting DYLD_LIBRARY_PATH is bad practice, since it changes where every library the process loads is looked up, not just this one.  This location should be configured at runtime, and you can dlopen() the full path or link to it at build time.
Status: RESOLVED → UNCONFIRMED
Ever confirmed: false
Resolution: INVALID → ---

Comment 11

6 years ago
Then please tell me:

How does the executable learn from which directory it must load the other NSS system libraries like libnss3 ?

Comment 12

6 years ago
static const char *NameOfNSSLib = SHLIB_PREFIX"nss3."SHLIB_SUFFIX;

path = PR_GetLibraryFilePathname(NameOfNSSLib,
                                         (PRFuncPtr)&NSS_Init);

This is essentially how softoken finds freebl. (see mozilla/security/nss/lib/freebl/{loader,genload.c})

bob

Comment 13

6 years ago
Kai: PSM can also just load "libnssckbi.dylib" and rely
on the current dynamic shared library search path.

Jeremy: is /opt/local/lib on the dynamic shared library
search path of MacPorts users?
(Reporter)

Comment 14

6 years ago
darwin does not use a shared library search path like linux.  Each library has an id which is its path on the system at run time.  At link time, the linker embeds this id in the linked executable.  At load time, the loader resolves the link using that path.

dlopen() is expected to take a full path to the library being opened.  It is possible to use a search path, but it is highly frowned upon and not configured by default.

Comment 15

6 years ago
I like Bob's proposal from comment 12.
Someone needs to implement it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [psm-easy]

Comment 16

6 years ago
Yes, if libnss3.dylib and libnssckbi.dylib are installed in the
same directory, then I agree Bob's proposal in comment 12 is the
right solution.

Comment 17

6 years ago
Bug 712759 has a patch that implements this strategy.
Depends on: 712579

Comment 18

6 years ago
This should be fixed by bug 712579.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED