Hi Bob!

Thanks again for the detailed explanation of the nss build system.

With it, it was quite easy to see that the whole symbol hiding stuff
was just missing in the NetBSD configuration coming with nss.  For
nss' purposes, you can handle NetBSD, FreeBSD, and OpenBSD nearly the
same. I reduced the differences between the OpenBSD and NetBSD
configurations and came up with the attached patch.

(I also removed code for supporting the a.out file format, which has
not been used in NetBSD for ten years or more. And it improves arm and
arm64 support.)

Please merge this (or something similar) into the next nss release.

Thanks,
 Thomas

On Fri, Apr 16, 2021 at 03:25:07PM -0700, Robert Relyea wrote:
> NSS hides the symbols with shared libraries that only export a curated set
> of public symbols. Each nss shared library has its own symbol list found in
> {sharedlibname}.def, so lib/nss/nss.def, lib/util/nssutil.def,
> lib/ssl/ssl.def, etc.
> 
> The NSS build system massages this file to whatever system the OS uses to
> create and use an explicit export list for your shared library.
> 
> When you link with NSS, you need to link with the NSS shared libraries, namely
> libnss3.so, libnssutil3.so, libssl3.so and libsmime3.so (depending on how much
> of NSS you need). libsoftken3 will be automatically loaded by libnss3.so and
> it in turn will automatically load libfreebl* as needed. So only the last
> two are dlopened. You should not link with any libnss*.a files, or all bets
> are off on working with something like openssl.
> 
> If you are doing all this and still running into issues, it's likely the
> build system (either your own or the NSS build system) isn't correctly
> processing the .def file for your platform. The command to process the .def
> file is set with the symbol PROCESS_MAP_FILE and is set in your {OS}.mk file
> in nss/coreconf.
> 
> Linux, for instance, sets the command as follows:
> 
> PROCESS_MAP_FILE = grep -v ';-' $< | \
>         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
> 
> This removes all the lines with ';-', then removes all occurrences of ';+',
> ' DATA ', and ';;', and then all commands '; to the end of the line'.
> 
> Linux later adds the directive -Wl,-c,$(MAPFILE) to its shared library
> linking command.
> 
> It looks like OpenBSD has the same processing line as Linux, and adds
> -Wl,--version-script,$(MAPFILE), which sounds right to me.
> 
> (Some unsupported OSs ignore the MAPFILE, and they could be subject to
> symbol collisions).
> 
> bob
> 
> 
> > 
> > I looked at the code a bit and see that HASH_Update calls a function
> > indirectly, which in pk11cxt.c is forwarded and finally used in
> > pkcs11c.c - which however, then uses the wrong function, the one from
> > openssl.
> > 
> > Can you please explain in more detail how the function table works?
> > In my case, it seems the wrong MD5_Update function is used when
> > openssl is linked into the binary.
> > 
> > Perhaps it's a difference in linker behavior on NetBSD?
> > 
> > As for pkgsrc - I cited the patches in my original email. The whole
> > package information is [1], the Makefile contains the flags used when
> > compiling and the patches directory the patches used.  If you see what
> > the problem is, that'd be very helpful, but I don't think it's
> > something obvious any longer.
> > 
> > [1] https://github.com/NetBSD/pkgsrc/tree/trunk/devel/nss
> > 
> > Thanks,
> >   Thomas
> > 

-- 
You received this message because you are subscribed to the Google Groups 
"dev-tech-crypto@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-tech-crypto+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/20210501215744.4zpjecl7edcldwvh%40yt.nih.at.
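
The .def processing Bob describes in the quoted message, as an added example that is not part of the original thread or of NSS: the PROCESS_MAP_FILE pipeline is run over a constructed .def file, and a constructed symbol list is then checked against the resulting version script. The function names and the SAMPLE_* symbols are assumptions made for this example.

```shell
#!/bin/sh
# Added example. The .def content below is constructed; real lists live in
# files such as lib/nss/nss.def.
sample_def() {
cat <<'EOF'
;+# constructed sample export list
;+SAMPLE_1.0 {
;+    global:
LIBRARY sample3 ;-
EXPORTS ;-
SAMPLE_Init;
SAMPLE_GetVersion;
sample_table DATA ;
;+    local:
;+       *;
;+};
EOF
}

# The Linux/OpenBSD PROCESS_MAP_FILE pipeline quoted above, reading stdin
# instead of make's $< and writing stdout instead of $@.
to_version_script() {
    grep -v ';-' |
        sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,'
}

# Names listed under "global:" in a version script read from stdin.
global_names() {
    sed -n '/global:/,/local:/p' | grep -v ':' |
        sed -e 's/[ ;]//g' -e '/^$/d'
}

# $1: version script text. stdin: one dynamic symbol name per line, e.g. the
# last column of `nm -D --defined-only` output. Prints names exported by the
# library but absent from the curated list.
unlisted_exports() {
    allowed=$(printf '%s\n' "$1" | global_names)
    while read -r sym; do
        printf '%s\n' "$allowed" | grep -qxF -- "$sym" || printf '%s\n' "$sym"
    done
}

vs=$(sample_def | to_version_script)
printf '%s\n' "$vs"
# Constructed symbol list standing in for a library linked without the map.
printf 'SAMPLE_Init\nMD5_Update\nsample_table\n' | unlisted_exports "$vs"
```

Any name printed by unlisted_exports is a symbol the library exports outside its curated list, which is the condition under which a colliding name such as MD5_Update can bind to another library's definition.
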
$NetBSD: patch-nss_coreconf_NetBSD.mk,v 1.3 2021/05/01 21:52:02 wiz Exp $

Match more closely to OpenBSD.mk, and in particular, hide symbols (MAPFILE).

- fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7f
- s/aarch64eb/aarch64/

--- nss/coreconf/NetBSD.mk.orig 2021-04-15 16:17:44.000000000 +0000
+++ nss/coreconf/NetBSD.mk
@@ -5,9 +5,10 @@
 
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
-DEFAULT_COMPILER       = gcc
-CC                     = gcc
-CCC                    = g++
+CC                     ?= gcc
+CXX                    ?= g++
+DEFAULT_COMPILER       = ${CC}
+CCC                    = ${CXX}
 RANLIB                 = ranlib
 
 CPU_ARCH               := $(shell uname -p)
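
Review bot: `CC ?= gcc` at the top of this hunk does not fall back to gcc under GNU make, because CC is a built-in variable that is already defined (as cc) and `?=` only assigns to undefined variables; the same holds for `CXX ?= g++`. With nothing set in the environment or on the command line, DEFAULT_COMPILER therefore becomes cc instead of the previous fixed gcc. If gcc is meant to stay the default, test `$(origin CC)` for `default` before assigning. The compiler change should also be listed in the patch description, which mentions only MAPFILE and CPU_ARCH.
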
@@ -15,16 +16,14 @@ ifeq ($(CPU_ARCH),i386)
 OS_REL_CFLAGS          = -Di386
 CPU_ARCH               = x86
 endif
-
-ifndef OBJECT_FMT
-OBJECT_FMT             := $(shell if echo __ELF__ | $${CC:-cc} -E - | grep -q 
__ELF__ ; then echo a.out ; else echo ELF ; fi)
+ifeq (,$(filter-out earm%,$(CPU_ARCH)))
+CPU_ARCH               = arm
+endif
+ifeq ($(CPU_ARCH),aarch64eb)
+CPU_ARCH               = aarch64
 endif
 
-ifeq ($(OBJECT_FMT),ELF)
 DLL_SUFFIX             = so
-else
-DLL_SUFFIX             = so.1.0
-endif
 
 OS_CFLAGS              = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -Wno-switch 
-pipe -DNETBSD -Dunix -DHAVE_STRERROR -DHAVE_BSD_FLOCK
 
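
Review bot: the two new CPU_ARCH mappings in this hunk discard byte order: `earm%` matches every name starting with earm, big-endian variants included, and `aarch64eb` is rewritten to `aarch64`. Please confirm that nothing selected by CPU_ARCH = arm or aarch64 assumes little-endian, or carry the endianness in a separate variable. `$(filter-out earm%,$(CPU_ARCH))` is also empty when `uname -p` prints nothing, so an empty CPU_ARCH would be set to arm; testing `$(filter earm%,$(CPU_ARCH))` for a non-empty result avoids that.
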
@@ -33,9 +32,16 @@ OS_LIBS                      = -lcompat
 ARCH                   = netbsd
 
 DSO_CFLAGS             = -fPIC -DPIC
-DSO_LDOPTS             = -shared
-ifeq ($(OBJECT_FMT),ELF)
-DSO_LDOPTS             += 
-Wl,-soname,lib$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+DSO_LDOPTS             = -shared 
-Wl,-soname,lib$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+
+#
+# The default implementation strategy for NetBSD is pthreads.
+#
+ifndef CLASSIC_NSPR
+USE_PTHREADS           = 1
+DEFINES                        += -D_THREAD_SAFE -D_REENTRANT
+OS_LIBS                        += -pthread
+DSO_LDOPTS             += -pthread
 endif
 
 ifdef LIBRUNPATH
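
Review bot: the `ifndef CLASSIC_NSPR` block added in this hunk is missing from the patch description, although it turns on USE_PTHREADS and adds -D_THREAD_SAFE -D_REENTRANT and -pthread for every NetBSD build. List it there next to the MAPFILE and CPU_ARCH items, and mention that -soname is now passed unconditionally because the OBJECT_FMT test is gone.
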
@@ -44,12 +50,8 @@ endif
 
 MKSHLIB                        = $(CC) $(DSO_LDOPTS)
 ifdef MAPFILE
-# Add LD options to restrict exported symbols to those in the map file
+       MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
-# Change PROCESS to put the mapfile in the correct format for this platform
-PROCESS_MAP_FILE = cp $< $@
-
-
-G++INCLUDES            = -I/usr/include/g++
+PROCESS_MAP_FILE = grep -v ';-' $< | \
+        sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
-INCLUDES               += -I/usr/X11R6/include
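
Review bot: the new `MKSHLIB += -Wl,--version-script,$(MAPFILE)` and PROCESS_MAP_FILE lines replace the two comments that explained them, so the file no longer says why the map file is processed or passed to the linker; keep a one-line comment above each. The removal of `G++INCLUDES` and of `INCLUDES += -I/usr/X11R6/include` at the end of the hunk is unrelated to symbol hiding and is not in the patch description, so split it out or list it. Since this hunk is the actual fix for the reported collision, a note on how the result was verified (for example that MD5_Update no longer appears in the dynamic symbol table of the built libraries) would help the merge.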
