Closed
Bug 928141
Opened 11 years ago
Closed 10 years ago
Add a build variable NSS_PKIX_NO_LDAP to conditionally disable the LDAP code in libpkix
Categories
(NSS :: Libraries, defect, P2)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.16
People
(Reporter: wtc, Assigned: wtc)
Details
Attachments
(1 file, 2 obsolete files)
|
19.26 KB,
patch
|
ryan.sleevi
:
review+
rrelyea
:
superreview+
|
Details | Diff | Splinter Review |
The LDAP support in libpkix is often a surprise to us during debugging. I don't think NSS needs to support LDAP URLs in the AIA extension. The attached patch removes the LDAP code from libpkix. In addition, the following files should be removed: lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.h lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.h lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.h lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.c lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.h lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapt.h lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c Do you see any problem with removing LDAP support? Maybe we will fail some NIST PKITS tests?
|
Assignee | |
Comment 1•11 years ago
|
||
I forgot to remove the declaration of pkix_pl_InfoAccess_ParseLocation. The NSS test suite all.sh passed with this patch applied.
Attachment #818737 -
Attachment is obsolete: true
Attachment #818775 -
Flags: superreview?(rrelyea)
Attachment #818775 -
Flags: review?(ryan.sleevi)
Attachment #818775 -
Flags: feedback?(brian)
|
||
Updated•11 years ago
|
Attachment #818775 -
Flags: review?(ryan.sleevi) → review+
|
||
Comment 2•11 years ago
|
||
Comment on attachment 818775 [details] [diff] [review] Remove LDAP support from libpkix, v1.1 Review of attachment 818775 [details] [diff] [review]: ----------------------------------------------------------------- I did not review the patch carefully because I assume rsleevi and wtc did. I definitely support removing the LDAP code as a risk-reduction, security-improving measure.
Attachment #818775 -
Flags: feedback?(brian) → feedback+
|
|
Assignee | |
Comment 3•10 years ago
|
||
I don't have time to rewrite the libpkix default LDAP client to use the OpenLDAP or Windows LDAP API. So I decided to add a build option to disable the LDAP code in libpkix. I welcome suggestions for a better name of the build variable, such as NSS_PKIX_DISABLE_LDAP or NSS_LIBPKIX_NO_LDAP.
Attachment #818775 -
Attachment is obsolete: true
Attachment #818775 -
Flags: superreview?(rrelyea)
Attachment #8359521 -
Flags: superreview?(rrelyea)
Attachment #8359521 -
Flags: review?(ryan.sleevi)
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8359521 [details] [diff] [review] Add a build variable NSS_PKIX_NO_LDAP to conditionally disable the LDAP code in libpkix r+ rrelyea
Attachment #8359521 -
Flags: superreview?(rrelyea) → superreview+
|
|
||
Comment 5•10 years ago
|
||
Comment on attachment 8359521 [details] [diff] [review] Add a build variable NSS_PKIX_NO_LDAP to conditionally disable the LDAP code in libpkix Review of attachment 8359521 [details] [diff] [review]: ----------------------------------------------------------------- r+, as I already reviewed this for Chromium.
Attachment #8359521 -
Flags: review?(ryan.sleevi) → review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
Patch checked in: https://hg.mozilla.org/projects/nss/rev/a8b668fd72f7 Summary updated to reflect the final change.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Summary: Remove LDAP support from libpkix → Add a build variable NSS_PKIX_NO_LDAP to conditionally disable the LDAP code in libpkix
Target Milestone: --- → 3.16
You need to log in
before you can comment on or make changes to this bug.
Description
•