[Swan-dev] notes from meeting nss guys

Antony Antony antony at phenome.org
Tue Feb 24 19:02:05 EET 2015


Hi,
Yesterday Paul and I met with NSS guys and here are some notes from the meeting.

NSPR threading: no need to use NSPR threading on Linux, because on Linux it is just a wrapper around pthread.

Don't open an NSS DB file simultaneously (not even one app writing and another re-reading). Due to the nature of the in-memory data structures, things can go wrong. Close it completely and start again. Also use the new format, not the old Berkeley DB.

In the NSS code base, operations on X509 and ASN.1 are not within the 'crypto boundary'; only the crypto operations are. When it is running in FIPS mode, NSS will support non-FIPS operations. It is up to applications not to decide.

If we want to store PSK/Xauth/EAP secrets in NSS, we could store the "secret" encrypted by the master key, and NSS can decrypt it for libreswan.

NSS can't talk to the Linux kernel via Netlink, e.g. to install ESP keys directly into the XFRM module. However, they can talk to some of the TCP offload NICs.

Human-readable error strings in NSS are possible. They mentioned that an application (libreswan) must initialize "error code tables" in NSPR to access them in NSS. It might be worth investigating. You may also have to install NSS utils.

A quick googling shows libreswan uses PR_GetError. However, libreswan seems to be missing the initialization code, PR_ErrorInstallTable or nspr_InitializePRErrorTable. I haven't looked in detail. It seems prerr.h or prerr.c is a starting point.

Google developers are actively working on ARM and other non-Intel architectures.
Cross compiling for MIPS big endian, for OpenWRT, should work! The buildroot Makefile seems to build MIPS, even though the NSPR config files only seem to support little-endian architectures.

There is no OpenWRT Makefile yet.

-antony