Implement version check for NSS
Summary
The configure script does not detect a version incompatibility, resulting in failing builds. This is especially relevant on stable release GNU/Linux distributions which do not ship the latest NSS libraries in the stock repositories.
Steps to reproduce:
- Install a distribution's NSS libraries/development package, i.e. on openSUSE "mozilla-nss-devel", ensuring the version you install is < 3.54. If the tool nss-config is installed, the version can be verified using nss-config --version (however this binary is usually shipped in a separate package).
- Download Tor sources.
- ./configure --enable-nss
- make
What is the current bug behavior?
If the installed NSS libraries are not new enough, make will fail:
make all-am
make[1]: Entering directory '/home/georg/new/tor'
CC src/lib/crypt_ops/src_lib_libtor_crypt_ops_a-crypto_rand.o
In file included from src/lib/crypt_ops/crypto_rand.c:53:0:
/usr/include/nss3/pk11pub.h:951:1: error: function declaration isn’t a prototype [-Werror=strict-prototypes]
int SECMOD_GetSystemFIPSEnabled();
^~~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:15160: src/lib/crypt_ops/src_lib_libtor_crypt_ops_a-crypto_rand.o] Error 1
make[1]: Leaving directory '/home/georg/new/tor'
make: *** [Makefile:6180: all] Error 2
What is the expected behavior?
The configure script should detect this and complain before the user attempts to compile the software. The configure output should show libnss (--enable-nss): as "no" and print a warning if the installed NSS libraries version is lower than 3.55.
Environment
- Tested on 0.4.6.4-rc and 0.4.5.8
- Tested on openSUSE Leap 15.2
- Tested with Source tarballs as well as Git repository clone
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1643528
Possible fixes
Alternatively to upgrading the package, the user can work around the issue by manually editing /usr/include/nss3/pk11pub.h (location might be different between distributions) and performing the following change at the end of the file:
int SECMOD_GetSystemFIPSEnabled();
to
int SECMOD_GetSystemFIPSEnabled(void);
Cheers
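
The check requested above, sketched as an added POSIX shell example (not part of the original report and not Tor's configure code). The function names, the pkg-config module name "nss" and the fallback order are assumptions; the 3.55 minimum and nss-config --version come from the report.

```shell
#!/bin/sh
# Added example, not Tor's configure code.
# NSS_MIN_VERSION is the 3.55 threshold named in the report.
NSS_MIN_VERSION="3.55"

# version_ge A B: succeed if dotted version A >= B (missing fields count as 0).
# Returns 2 if either argument contains anything but digits and dots.
version_ge() {
    case "$1.$2" in *[!0-9.]*) return 2 ;; esac
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the field just read; empty the string when no dot remains.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# detect_nss_version: print the installed NSS version, or fail if unknown.
# Assumption: the pkg-config module is called "nss" on this distribution.
detect_nss_version() {
    if command -v nss-config >/dev/null 2>&1; then
        nss-config --version
    elif command -v pkg-config >/dev/null 2>&1; then
        pkg-config --modversion nss
    else
        return 1
    fi
}

# check_nss [VERSION]: print the summary line the report asks for and warn
# on stderr when NSS is missing or too old. VERSION overrides detection.
check_nss() {
    v=${1:-$(detect_nss_version 2>/dev/null)} || v=
    if [ -n "$v" ] && version_ge "$v" "$NSS_MIN_VERSION"; then
        echo "libnss (--enable-nss): yes"
    else
        echo "libnss (--enable-nss): no"
        echo "warning: NSS ${v:-not found}, need >= $NSS_MIN_VERSION" >&2
        return 1
    fi
}
```

Source the file and run check_nss before make; a non-zero return means the build would hit the strict-prototypes error shown above.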