On 4/7/21 5:18 AM, Thomas Klausner wrote:
Hi!
TL;DR: nss has some of the same symbols as openssl, which leads to
core dumps when both are linked in the same binary
Long version:
Recently I tried packaging Sigil for pkgsrc. It links against nss via
qtwebengine. It also links against openssl via qtbase libraries, and
it has an embedded python interpreter that loads python's ssl loadable
module, which links against openssl.
Sigil's update checker uses a python script to download a file via
https. This dumps core on my machine, with a backtrace that ends in
nss, but the nss functions are called from openssl (which intends to
call its own functions of the same name instead).
Lots of details are in the Sigil bug report[1].
In the meantime I've found that the pkgsrc package for nss already
renames some of the symbols for the same reason, but triggered by
libcups or libgssapi.[2]
I wonder why this does not affect more people. Is pkgsrc or NetBSD
doing something weird/strange/wrong?
We have apps that use both NSS and OpenSSL all the time and haven't ran
into problems.
I'm not quite sure what the best fix is. I can add more patches to the
pkgsrc package to locally rename symbols.
I understand that it's hard to ask nss to change their symbols just
because openssl has the same names, but I think that's what I'm trying
to do with this email :)
If the symbols are exported in the .def files, then it's impossible. NSS
provides ABI forward compatibility for all releases. Fortunately the
symbols in question are not exported. In fact the symbols are in freebl,
which should be dynamically loaded anyway. If you are running intro
problems, it means you aren't building and running a standard version of
NSS anyway (In standard NSS those symbols are hidden in the freebl
shared library that is dynamically loaded by softoken and referenced
through a function table. softoken itself is a shared library that's
also reverenced through a function table.
In order to run into problems you are either:
Linking directly with freebl (not supported).
Linking directly with the libfreebl stub (not supported).
Linking directly with softoken (not supported).
What do you recommend?
If you access NSS through it's shared libraries, there is no issue
operating with openssl.
bob
Cheers,
Thomas
[1] https://github.com/Sigil-Ebook/Sigil/issues/604
[2] https://github.com/NetBSD/pkgsrc/blob/trunk/devel/nss/patches/patch-am
https://github.com/NetBSD/pkgsrc/blob/trunk/devel/nss/patches/patch-an
https://github.com/NetBSD/pkgsrc/blob/trunk/devel/nss/patches/patch-nss_lib_freebl_md5.c
--
You received this message because you are subscribed to the Google Groups
"dev-tech-crypto@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to dev-tech-crypto+unsubscr...@mozilla.org.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/a24cc6ad-61cc-b065-3016-eaa380ce466b%40REDHAT.COM.
