Add IO::Socket::SSL and Net::SSLeay to the Perl core #20739
Conversation
|
JFDI++ FWIW think the concern is what to do if they don't or can't build on a platform. We target a lot of OSes and architectures, so the devil will be making sure that what works generally on *nix works ok on our other build targets. But this is a great start. Thank you for the effort! |
I think the easiest solution to that is to make it opt-in. Also, I'd find it cleaner to do this in two commits (one for Net::SSLeay and one for IO::Socket::SSL). |
|
Good to have a start on this. A few things that will need to be resolved.
|
I share @demerphq's concerns in this matter. Unfortunately, the CPAN maintenance of both of these libraries is not currently sufficiently robust to support their redistribution in the Perl core distribution. When I say "the CPAN maintenance" of these libraries, I'm referring to two things: (i) the support provided by the people currently maintaining them upstream on CPAN; and (ii) our ability to evaluate how well these libraries are performing across various OSes and architectures. Let's take each in turn. Upstream Support When we decide to include a CPAN distribution in core Perl, we are adding both a technical dependency and a human dependency. The technical dependency (e.g., which files in the distribution need to be omitted from core) has already begun to be addressed in this pull request by @atrodo, @Leont and @haarg. The human dependency remains to be addressed. Do the current upstream maintainers want their distributions to be shipped with core? Are the upstream maintainers willing to take on the extra work associated with inclusion of their libraries in the Perl core? Let's first acknowledge two things about Net-SSLeay and IO-Socket-SSL. First, the subject matter of these libraries is very complex -- probably more complex than any other libraries we ship with core. If you're not familiar with these complexities, then you should pause reading this post right now and read at least these parts of their documentations: Second, the current and past maintainers of these distributions do put a lot of work into maintaining them. Both Net-SSLeay and IO-Socket-SSL have had new releases in the past month. There are libraries we ship with core Perl which have not had new releases in years. Nonetheless, the sheer complexity of these libraries may mean that their upstream maintainers have to make decisions about the scope of their support that would unfavorably impact the value of having these libraries in core. Let me give one example from my own experience. Blead Breaks CPAN A large part of the QA work that I and other P5Pers do is to assess the impact of changes in development versions of Perl on CPAN libraries -- the so-called "Blead Breaks CPAN" (BBC) problem. We rely upon twenty years of work on the Perl toolchain to enable people to file CPANtesters reports. We rely upon other people to analyze those reports and file bug reports when blead breaks CPAN. Since these bugs are often platform-specific, we rely upon our ability to install toolchain modules such as Task::CPAN::Reporter on all platforms we actively support. More specifically, we need to be able to install these toolchain modules on all platforms on development versions of Perl (5.37.5, 5.37.6, etc.) -- not just on the last production release of Perl (5.36.0). If we can't install the toolchain modules on development versions of Perl on a specific supported platform, then we can't fully assess the impact of changes in blead on CPAN libraries subsequently installed on that platform. IO-Socket-SSL not installable against dev versions of perl on OpenBSD Last February I wanted to install Task::CPAN::Reporter on OpenBSD so that I could generate CPANtesters reports on that platform against blead in the leadup to the release of perl-5.36.0. I was unable to do so because Task::CPAN::Reporter has a dependency on IO::Socket::SSL and IO::Socket::SSL's tests were failing, rendering it (and its reverse dependencies) not installable from CPAN. I filed a bug ticket on GitHub about this problem. The maintainer of IO-Socket-SSL responded, "Unfortunately LibreSSL [used by OpenBSD] is a kind of moving target with varying support for TLS 1.3 and different API support in different versions of LibreSSL. This makes it very hard to support IO::Socket::SSL and Net::SSLeay on LibreSSL." We both acknowledged that Task::CPAN::Reporter could be installed against the system The maintainer closed my ticket. I have been unable to file CPANtesters reports against dev versions of Library Performance Apart from my own particular problems with IO-Socket-SSL and Task::CPAN::Reporter on one particular OS, we are currently not getting data sufficient to judge the performance of either Net-SSLeay or IO-Socket-SSL to assess how well they are doing against development versions of Net-SSLeay Net-SSLeay on CPANtesters The latest production release of this library against dev versions of IO-Socket-SSL IO-Socket-SSL on CPANtesters The latest production release of this library (2.080) has only been out five days, so let's look at the previous release (2.079) instead. That version has not been tested on either MSWin32 or OpenBSD since perl-5.32.1. It has never been tested on NetBSD. We don't have any reports on dev releases of Before we release a dev version of Summary The maintenance of these two libraries is very challenging. The upstream maintainers have largely met that challenge, but it is their prerogative to set limits on the scope of their maintenance work. Unfortunately, inclusion in the core would mean an even larger scope in what we need those libraries to do, and we would need much more testing of them to ensure their performance. I have no objection to the goal of "SSL support out of the box," but these two distributions are not yet in good enough shape to be shipped with core. |
|
I hadn't thought about it being in two commits and I think that would be better, so I'll split those into their own commits and add the exclusions. I'll also look at making it optional and at moving the probing into Configure, but I'm going to guess that changing Configure may end up being over my head. As to the questions of being able to include these two modules because of licenses or support, I will sit those conversations out as I'm not in position to advocate or challenge those questions. |
atrodo
force-pushed
the
add-ssl
branch
2 times, most recently
from
ae50e07 to
d0e9c39
Compare
Checking that a module version was bumped when .c/.h files are updated had an edge case where the previous version was unknown, notably when adding a new module to cpan/.
Currently, it appears that Net::SSLeay will not compile if perl was compiled with C++, so skip it on C++ builds for now
|
I agree that this wants to be split into two smaller commits but to keep things moving I've approved the CI run to at least test what we have so far. If that doesn't reveal any big issues, we can look into splitting into two PRs. |
|
Does anyone know the answer to the licensing issue? Net::SSLeay does not use the standard perl license. |
@codesections and @StuartJMackintosh addressed prior legal issues in our code in #19163 maybe they can do the same here. |
If @atrodo separates out the AUTHORS/.mailmap patch to an individual patch, and pushes it as a separate PR, maybe including a typo fix or comment tweak or something like that to justify the merge (not strictly necessary but probably "Good form"), then we can approve and merge that and then CI wont need approval (afaik) for any further work he does on this ticket. He only requires approval for CI because this is his first PR and he isn't "trusted" yet. (Note the important part is having a commit merged, not that its to AUTHORS/.mailmap, but that is an easy route to getting him "into the club" so to speak.) |
|
@h-vn, @mikemccauley, @chrisnovakovic sorry for the ping but it seems like the most direct way to reach out :D If these libraries were moved to core, how would it impact things from your standpoint? Is it something you want? Re the licensing side of things.. there is currently this file in core which is Artistic License (2.0) (and possibly others, I haven't looked too hard). |
|
I am going to attempt to summarize where I think this PR is at:
Those last 3 bullets must be addressed before this PR can be considered for merging, and those 3 things are largely out of my capacity to answer or push forward. In the meantime, I will work on the technical items as I can. |
|
Hello Aaron and All,
On Saturday, 18 February 2023 05:02:42 AEST Aaron Bieber wrote:
@h-vn, @mikemccauley, @chrisnovakovic sorry for the ping but it seems like
the most direct way to reach out :D
If these libraries were moved to core, how would it impact things from your
standpoint? Is it something you want?
I have no objection.
Cheers.
…
Re the licensing side of things.. there is currently
[this](https://github.com/Perl/perl5/blob/blead/cpan/Encode/bin/encguess#L1
41) file in core which is Artistic License (2.0) (and possibly others, I
haven't looked too hard).
--
Mike McCauley VK4AMM ***@***.***
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com 5R3MRFM2+X6
Phone +61 7 5598-7474
|
No I meant separate commits. I'm fine with them coming in one PR as
Yeah it would make sense to split that out.
Windows is typically configured by editing the constants in the relevant makefile, I believe.
Yeah, that would be where most of the complexity of this PR would be. |
Apologies for the slow reply - @h-vn and I have been speaking offline about this for the last week. We appreciate the reasoning behind this effort, and we also appreciate how this will make life easier for the majority of both Perl developers and end users. Notwithstanding the time Heikki and I (as well as numerous other contributors) have put into modernising and improving platform support for Net-SSLeay since we took over as maintainers five years ago, it remains true that the installation process is sometimes a frustrating experience, and including it in core would make that problem go away for the most part. Having said that, we have some concerns. In no particular order:
It would also be good to get a perspective from @noxxi, as the maintainer of IO-Socket-SSL. |
My concerns about this are similar. If the distributions move into core I would have higher standards on the production quality than if they stay out of core. Production quality here means less the coding and documentation but more the timely support, i.e. having sufficient knowledgeable developers to test the software, react to user questions, align shipping deadlines with core release times ... But I'm currently the single maintainer of IO::Socket::SSL and cannot allocate too much resources (both work and spare time) to it - this is not a question of pay but more of many other things to do. And debugging any kind of SSL problems is very hard. There are also problems at the coding level: while I have some review from coworkers and we use IO::Socket::SSL for production, there is not much testing and review done outside of it. This means the focus of testing is on a very few platforms and a limited set of functionality. Platform support for IO::Socket::SSL means not only the OS itself, but the already mentioned broad variety of OpenSSL versions, forks like LibreSSL with their own "personality" and also different versions of Net::SSLeay. While both Net::SSLeay and IO::Socket::SSL come with many tests, they are far from what is needed to actually cover lots of edge cases which happen in practice. On the positive side: Moving IO::Socket::SSL and Net::SSLeay to the core might add more stable dependencies or at least have a clearer focus on which dependencies (OpenSSL versions) need to be well supported and which combinations happen only if the user insists of using their own dependencies. In summary: before moving IO::Socket::SSL into core it should be made more robust in terms of developers involved in the project and tests done with the diversity of dependencies. |
While I absolutely admire all the work you do as a software maintainer, I really think you make it very difficult for yourself here! First of all, this discussion here is about bringing Net-SSLeay into core perl. So it does not concern perl 5.8, it concerns perl 5.38, there is more than 20 years between those versions. Second, if I would somehow want to use Perl 5.8 I definitely do not expect I can use it with the newest version of OpenSSL or conversely that I can expect to install the newest version of Net-SSLeay with my very old OpenSSL. For your example about 'would RHEL5 users expect to be able to install Net-SSLeay on perl 5.8.8?'
and to answer the question, if I would be a RHEL 5 user I would be amazed if I would be able to install any amount of new software. I also can't install new PostgreSQL versions, new nginx, most other software or at least not without an extreme amount of trouble. I really would say, especially from the perspective of perl 5 development, we would not need to care that there will be no Net::SSLeay if you somehow really want to compile modern perl 5 on such an old machine. Please also note that ssl is a security module, you might not even want to let users compile very old and insecure versions of openSSL with modern Net::SSLeay See also https://peps.python.org/pep-0644/ where they explicitly decide in 2021 to drop support for all openSSL versions before 1.1.1 because it's just too much maintenance work for them! I think this underscores how amazing all your maintenance work is, that you seem to be able to pull this off (with caveats) while the Python community can't. Of course, perl is not python! |
|
(very long thread and goes offtopic sometimes) https://www.nntp.perl.org/group/perl.perl5.porters/2021/12/msg262180.html Why was all of this work done for Perl on WinOS (basic CURL from MS's Core OS native no-GUI ever/server grade HTTP library in a DLL), yet zero hits on metacpan, for its usage 2 years later? |
|
I just noticed It is 2024. If XS CPAN modules don't have PERL_NO_GET_CONTEXT after 2 decades of perl threads, that shows alot of technical debt or very low free time by that module's author. |
Yeah, it would need a thorough cleanup. |
|
Poking around Chrome/Chromium's binaries on Win32, I don't think they (shared libs) are usable by 3rd party processes. The C symbol tables (DLL export tables) are very sparse. But looking at my Firefox 115. JACKPOT!!! dependency list on windows looks to be light, this isn't linking to libelectron mozglue.dll If we are talking about real WWW security and perl, I need assurances https://en.wikipedia.org/wiki/OCSP_stapling and https://datatracker.ietf.org/doc/html/rfc5280 actually work inside every perl process, including hello-world and throw away scripts. I see the XSUBs exist to use OCSP, but do the higher level CPAN modules always keep it on "out of the box". This line isn't really doesn't help proving OSCP/CRLs actually work in Perl. https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL.pm#L111 full exported symbol table of nss3.dllATOB_AsciiToData ATOB_AsciiToData_Util ATOB_ConvertAsciiToItem_Util BTOA_ConvertItemToAscii_Util BTOA_DataToAscii BTOA_DataToAscii_Util CERT_AddCertToListHead CERT_AddCertToListTail CERT_AddExtension CERT_AddExtensionByOID CERT_AsciiToName CERT_CacheOCSPResponseFromSideChannel CERT_CertChainFromCert CERT_CertListFromCert CERT_CertificateRequestTemplate CERT_CertificateTemplate CERT_ChangeCertTrust CERT_CheckCertUsage CERT_CheckCertValidTimes CERT_CheckNameSpace CERT_ClearOCSPCache CERT_CompareCerts CERT_CompareName CERT_ConvertAndDecodeCertificate CERT_CopyName CERT_CopyRDN CERT_CreateCertificate CERT_CreateCertificateRequest CERT_CreateSubjectCertList CERT_CreateValidity CERT_CrlTemplate CERT_DecodeAVAValue CERT_DecodeAltNameExtension CERT_DecodeAuthInfoAccessExtension CERT_DecodeAuthKeyID CERT_DecodeBasicConstraintValue CERT_DecodeCRLDistributionPoints CERT_DecodeCertFromPackage CERT_DecodeCertPackage CERT_DecodeCertificatePoliciesExtension CERT_DecodeNameConstraintsExtension CERT_DecodeOidSequence CERT_DecodePrivKeyUsagePeriodExtension CERT_DecodeTrustString CERT_DecodeUserNotice CERT_DerNameToAscii CERT_DestroyCertArray CERT_DestroyCertList CERT_DestroyCertificate CERT_DestroyCertificateList CERT_DestroyCertificatePoliciesExtension CERT_DestroyCertificateRequest CERT_DestroyName CERT_DestroyOidSequence CERT_DestroyUserNotice CERT_DestroyValidity CERT_DisableOCSPChecking CERT_DisableOCSPDefaultResponder CERT_DupCertificate CERT_EnableOCSPChecking CERT_EncodeAltNameExtension CERT_EncodeAndAddBitStrExtension CERT_EncodeAuthKeyID CERT_EncodeBasicConstraintValue CERT_EncodeCRLDistributionPoints CERT_EncodeCertPoliciesExtension CERT_EncodeInfoAccessExtension CERT_EncodeInhibitAnyExtension CERT_EncodeNameConstraintsExtension CERT_EncodeNoticeReference CERT_EncodePolicyConstraintsExtension CERT_EncodePolicyMappingExtension CERT_EncodeSubjectKeyID CERT_EncodeUserNotice CERT_ExtractPublicKey CERT_FilterCertListByCANames CERT_FilterCertListByUsage CERT_FilterCertListForUserCerts CERT_FindCertByDERCert CERT_FindCertByIssuerAndSN CERT_FindCertByName CERT_FindCertByNickname CERT_FindCertByNicknameOrEmailAddr CERT_FindCertByNicknameOrEmailAddrCX CERT_FindCertExtension CERT_FindCertIssuer CERT_FindKeyUsageExtension CERT_FindUserCertByUsage CERT_FindUserCertsByUsage CERT_FinishCertificateRequestAttributes CERT_FinishExtensions CERT_ForcePostMethodForOCSP CERT_FreeNicknames CERT_GenTime2FormattedAscii_Util CERT_GetCertChainFromCert CERT_GetCertEmailAddress CERT_GetCertIsPerm CERT_GetCertKeyType CERT_GetCertTimes CERT_GetCertTrust CERT_GetCertificateDer CERT_GetCertificateRequestExtensions CERT_GetCommonName CERT_GetConstrainedCertificateNames CERT_GetCountryName CERT_GetDefaultCertDB CERT_GetFirstEmailAddress CERT_GetGeneralNameTypeFromString CERT_GetImposedNameConstraints CERT_GetLocalityName CERT_GetNextEmailAddress CERT_GetNextGeneralName CERT_GetNextNameConstraint CERT_GetOCSPAuthorityInfoAccessLocation CERT_GetOidString CERT_GetOrgName CERT_GetOrgUnitName CERT_GetStateName CERT_Hexify CERT_ImportCerts CERT_IsCACert CERT_IsUserCert CERT_MakeCANickname CERT_MergeExtensions CERT_NameTemplate CERT_NameToAscii CERT_NewCertList CERT_NewTempCertificate CERT_NicknameStringsFromCertList CERT_OCSPCacheSettings CERT_RFC1485_EscapeAndQuote CERT_RemoveCertListNode CERT_SaveSMimeProfile CERT_SequenceOfCertExtensionTemplate CERT_SetOCSPFailureMode CERT_SetOCSPTimeout CERT_SignedCrlTemplate CERT_SignedDataTemplate CERT_StartCertExtensions CERT_StartCertificateRequestAttributes CERT_SubjectPublicKeyInfoTemplate CERT_TimeChoiceTemplate CERT_VerifyCertificate CERT_VerifySignedDataWithPublicKeyInfo DER_AsciiToTime_Util DER_DecodeTimeChoice DER_DecodeTimeChoice_Util DER_Encode DER_EncodeTimeChoice_Util DER_Encode_Util DER_GeneralizedTimeToTime DER_GeneralizedTimeToTime_Util DER_GetInteger DER_GetInteger_Util DER_SetUInteger DER_UTCTimeToTime_Util DSAU_DecodeDerSigToLen DSAU_EncodeDerSigWithLen DTLS_GetHandshakeTimeout DTLS_ImportFD DllEntryPoint GetExecutionEnvironment HASH_Begin HASH_Create HASH_Destroy HASH_End HASH_GetHashObject HASH_GetHashOidTagByHashType HASH_GetHashTypeByOidTag HASH_GetType HASH_HashBuf HASH_ResultLenByOidTag HASH_Update NSSBase64_EncodeItem_Util NSSSMIME_GetVersion NSSSSL_GetVersion NSSUTIL_AddNSSFlagToModuleSpec NSSUTIL_ArgDecodeNumber NSSUTIL_ArgFetchValue NSSUTIL_ArgGetLabel NSSUTIL_ArgGetParamValue NSSUTIL_ArgHasFlag NSSUTIL_ArgIsBlank NSSUTIL_ArgParseCipherFlags NSSUTIL_ArgParseModuleSpec NSSUTIL_ArgParseSlotFlags NSSUTIL_ArgParseSlotInfo NSSUTIL_ArgReadLong NSSUTIL_ArgSkipParameter NSSUTIL_ArgStrip NSSUTIL_DoModuleDBFunction NSSUTIL_GetVersion NSSUTIL_MkModuleSpec NSSUTIL_MkNSSString NSSUTIL_MkSlotString NSSUTIL_Quote NSS_CMSContentInfo_GetContent NSS_CMSContentInfo_GetContentTypeTag NSS_CMSContentInfo_SetContent_SignedData NSS_CMSEncoder_Finish NSS_CMSEncoder_Start NSS_CMSMessage_ContentLevel NSS_CMSMessage_Create NSS_CMSMessage_CreateFromDER NSS_CMSMessage_Destroy NSS_CMSMessage_GetContentInfo NSS_CMSMessage_IsSigned NSS_CMSSignedData_AddCertificate NSS_CMSSignedData_CreateCertsOnly NSS_CMSSignedData_Destroy NSS_CMSSignedData_GetSignerInfo NSS_CMSSignedData_SignerInfoCount NSS_CMSSignerInfo_GetSigningCertificate NSS_CMSSignerInfo_Verify NSS_FindCertKEAType NSS_GetAlgorithmPolicy NSS_GetVersion NSS_Get_CERT_CertificateRequestTemplate NSS_Get_CERT_CertificateTemplate NSS_Get_CERT_CrlTemplate NSS_Get_CERT_NameTemplate NSS_Get_CERT_SequenceOfCertExtensionTemplate NSS_Get_CERT_SignedCrlTemplate NSS_Get_CERT_SignedDataTemplate NSS_Get_CERT_SubjectPublicKeyInfoTemplate NSS_Get_CERT_TimeChoiceTemplate NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate NSS_Get_SECKEY_RSAPSSParamsTemplate NSS_Get_SECOID_AlgorithmIDTemplate NSS_Get_SECOID_AlgorithmIDTemplate_Util NSS_Get_SEC_AnyTemplate_Util NSS_Get_SEC_BMPStringTemplate NSS_Get_SEC_BitStringTemplate NSS_Get_SEC_BitStringTemplate_Util NSS_Get_SEC_BooleanTemplate_Util NSS_Get_SEC_GeneralizedTimeTemplate_Util NSS_Get_SEC_IA5StringTemplate NSS_Get_SEC_IA5StringTemplate_Util NSS_Get_SEC_IntegerTemplate NSS_Get_SEC_IntegerTemplate_Util NSS_Get_SEC_NullTemplate_Util NSS_Get_SEC_ObjectIDTemplate_Util NSS_Get_SEC_OctetStringTemplate NSS_Get_SEC_OctetStringTemplate_Util NSS_Get_SEC_SignedCertificateTemplate NSS_Get_SEC_UTF8StringTemplate NSS_Get_SEC_UTF8StringTemplate_Util NSS_Init NSS_InitContext NSS_InitReadWrite NSS_InitWithMerge NSS_Initialize NSS_IsInitialized NSS_NoDB_Init NSS_OptionGet NSS_OptionSet NSS_SMIMESignerInfo_SaveSMIMEProfile NSS_SMIMEUtil_FindBulkAlgForRecipients NSS_SecureMemcmp NSS_SecureMemcmpZero NSS_SetAlgorithmPolicy NSS_SetDomesticPolicy NSS_Shutdown NSS_ShutdownContext NSS_VersionCheck PK11SDR_Decrypt PK11SDR_Encrypt PK11_AEADOp PK11_AlgtagToMechanism PK11_Authenticate PK11_ChangePW PK11_CheckUserPassword PK11_CipherOp PK11_ConfigurePKCS11 PK11_ConvertSessionSymKeyToTokenSymKey PK11_CreateContextBySymKey PK11_CreateDigestContext PK11_CreateGenericObject PK11_CreateMergeLog PK11_CreatePBEV2AlgorithmID PK11_DEREncodePublicKey PK11_Decrypt PK11_DeleteTokenCertAndKey PK11_DeleteTokenPrivateKey PK11_DeleteTokenPublicKey PK11_DeleteTokenSymKey PK11_Derive PK11_DeriveWithFlags PK11_DeriveWithTemplate PK11_DestroyContext PK11_DestroyGenericObject PK11_DestroyMergeLog PK11_DestroyObject PK11_DestroyTokenObject PK11_DigestBegin PK11_DigestFinal PK11_DigestOp PK11_DoesMechanism PK11_Encrypt PK11_ExportDERPrivateKeyInfo PK11_ExportEncryptedPrivKeyInfo PK11_ExtractKeyValue PK11_FindCertFromNickname PK11_FindCertInSlot PK11_FindCertsFromEmailAddress PK11_FindCertsFromNickname PK11_FindEncodedCertInSlot PK11_FindKeyByAnyCert PK11_FindKeyByDERCert PK11_FindKeyByKeyID PK11_FindRawCertsWithSubject PK11_FindSlotByName PK11_FindSlotsByNames PK11_FreeSlot PK11_FreeSlotList PK11_FreeSlotListElement PK11_FreeSymKey PK11_GenerateKeyPair PK11_GenerateKeyPairWithFlags PK11_GenerateKeyPairWithOpFlags PK11_GenerateRandom PK11_GenerateRandomOnSlot PK11_GetAllSlotsForCert PK11_GetAllTokens PK11_GetBestSlot PK11_GetBestSlotMultiple PK11_GetBlockSize PK11_GetCertFromPrivateKey PK11_GetCertsMatchingPrivateKey PK11_GetDefaultArray PK11_GetDefaultFlags PK11_GetDisabledReason PK11_GetFirstSafe PK11_GetIVLength PK11_GetInternalKeySlot PK11_GetInternalSlot PK11_GetKeyData PK11_GetKeyGen PK11_GetLowLevelKeyIDForPrivateKey PK11_GetMechanism PK11_GetModInfo PK11_GetModuleURI PK11_GetNextSafe PK11_GetNextSymKey PK11_GetPadMechanism PK11_GetPrivateKeyNickname PK11_GetPrivateModulusLen PK11_GetSlotFromPrivateKey PK11_GetSlotID PK11_GetSlotInfo PK11_GetSlotName PK11_GetSlotSeries PK11_GetSymKeyNickname PK11_GetTokenInfo PK11_GetTokenName PK11_GetTokenURI PK11_HPKE_Deserialize PK11_HPKE_DestroyContext PK11_HPKE_ExportSecret PK11_HPKE_GetEncapPubKey PK11_HPKE_NewContext PK11_HPKE_Open PK11_HPKE_Seal PK11_HPKE_Serialize PK11_HPKE_SetupR PK11_HPKE_SetupS PK11_HPKE_ValidateParameters PK11_HasAttributeSet PK11_HasRootCerts PK11_HashBuf PK11_ImportCRL PK11_ImportCert PK11_ImportCertForKey PK11_ImportDERPrivateKeyInfoAndReturnKey PK11_ImportDataKey PK11_ImportEncryptedPrivateKeyInfoAndReturnKey PK11_ImportPublicKey PK11_ImportSymKey PK11_InitPin PK11_IsDisabled PK11_IsFIPS PK11_IsFriendly PK11_IsHW PK11_IsInternal PK11_IsInternalKeySlot PK11_IsLoggedIn PK11_IsPresent PK11_IsReadOnly PK11_IsRemovable PK11_KeyForCertExists PK11_KeyGen PK11_KeyGenWithTemplate PK11_ListCerts PK11_ListCertsInSlot PK11_ListFixedKeysInSlot PK11_ListPrivKeysInSlot PK11_ListPrivateKeysInSlot PK11_LoadPrivKey PK11_Logout PK11_LogoutAll PK11_MakeIDFromPubKey PK11_MapSignKeyType PK11_MechanismToAlgtag PK11_MergeTokens PK11_NeedLogin PK11_NeedUserInit PK11_PBEKeyGen PK11_ParamFromIV PK11_PrivDecrypt PK11_PrivDecryptPKCS1 PK11_ProtectedAuthenticationPath PK11_PubDeriveWithKDF PK11_PubEncrypt PK11_PubEncryptPKCS1 PK11_PubUnwrapSymKey PK11_PubWrapSymKey PK11_RandomUpdate PK11_ReadRawAttribute PK11_ReferenceSlot PK11_ReferenceSymKey PK11_ResetToken PK11_SetPasswordFunc PK11_SetSymKeyNickname PK11_Sign PK11_SignWithMechanism PK11_SignatureLen PK11_TokenKeyGenWithFlags PK11_UnwrapPrivKey PK11_UnwrapSymKey PK11_UpdateSlotAttribute PK11_UserDisableSlot PK11_UserEnableSlot PK11_Verify PK11_VerifyWithMechanism PK11_WrapPrivKey PK11_WrapSymKey PL_ArenaAllocate PL_ArenaFinish PL_ArenaGrow PL_ArenaRelease PL_Base64Decode PL_Base64Encode PL_ClearArenaPool PL_CompactArenaPool PL_CompareStrings PL_CompareValues PL_CreateLongOptState PL_CreateOptState PL_DestroyOptState PL_FPrintError PL_FinishArenaPool PL_FreeArenaPool PL_GetNextOpt PL_HashString PL_HashTableAdd PL_HashTableDestroy PL_HashTableDump PL_HashTableEnumerateEntries PL_HashTableLookup PL_HashTableLookupConst PL_HashTableRawAdd PL_HashTableRawLookup PL_HashTableRawLookupConst PL_HashTableRawRemove PL_HashTableRemove PL_InitArenaPool PL_NewHashTable PL_PrintError PL_SizeOfArenaPoolExcludingPool PL_strcasecmp PL_strcaserstr PL_strcasestr PL_strcat PL_strcatn PL_strchr PL_strcmp PL_strcpy PL_strdup PL_strfree PL_strlen PL_strncasecmp PL_strncaserstr PL_strncasestr PL_strncat PL_strnchr PL_strncmp PL_strncpy PL_strncpyz PL_strndup PL_strnlen PL_strnpbrk PL_strnprbrk PL_strnrchr PL_strnrstr PL_strnstr PL_strpbrk PL_strprbrk PL_strrchr PL_strrstr PL_strstr PL_strtok_r PORT_Alloc PORT_Alloc_Util PORT_ArenaAlloc PORT_ArenaAlloc_Util PORT_ArenaGrow_Util PORT_ArenaMark_Util PORT_ArenaRelease_Util PORT_ArenaStrdup PORT_ArenaStrdup_Util PORT_ArenaUnmark_Util PORT_ArenaZAlloc PORT_ArenaZAlloc_Util PORT_DestroyCheapArena PORT_Free PORT_FreeArena PORT_FreeArena_Util PORT_Free_Util PORT_GetError PORT_GetError_Util PORT_InitCheapArena PORT_NewArena PORT_NewArena_Util PORT_Realloc_Util PORT_RegExpSearch PORT_SetError PORT_SetError_Util PORT_SetUCS2_ASCIIConversionFunction PORT_SetUCS2_ASCIIConversionFunction_Util PORT_Strdup PORT_Strdup_Util PORT_UCS2_ASCIIConversion_Util PORT_UCS2_UTF8Conversion PORT_UCS2_UTF8Conversion_Util PORT_ZAlloc PORT_ZAllocAlignedOffset_Util PORT_ZAlloc_Util PORT_ZFree_Util PRP_DestroyNakedCondVar PRP_NakedBroadcast PRP_NakedNotify PRP_NakedWait PRP_NewNakedCondVar PRP_TryLock PR_Abort PR_Accept PR_AcceptRead PR_Access PR_AddWaitFileDesc PR_AllocFileDesc PR_Assert PR_AssertCurrentThreadInMonitor PR_AssertCurrentThreadOwnsLock PR_AtomicAdd PR_AtomicDecrement PR_AtomicIncrement PR_AtomicSet PR_AttachThread PR_AttachThreadGCAble PR_Available PR_Available64 PR_Bind PR_BlockClockInterrupts PR_BlockInterrupt PR_CEnterMonitor PR_CExitMonitor PR_CNotify PR_CNotifyAll PR_CSetOnMonitorRecycle PR_CWait PR_CallOnce PR_CallOnceWithArg PR_Calloc PR_CancelJob PR_CancelWaitFileDesc PR_CancelWaitGroup PR_CeilingLog2 PR_ChangeFileDescNativeHandle PR_Cleanup PR_ClearInterrupt PR_ClearThreadGCAble PR_Close PR_CloseDir PR_CloseFileMap PR_CloseSemaphore PR_Connect PR_ConnectContinue PR_ConvertIPv4AddrToIPv6 PR_CreateFileMap PR_CreateIOLayer PR_CreateIOLayerStub PR_CreateMWaitEnumerator PR_CreatePipe PR_CreateProcess PR_CreateProcessDetached PR_CreateSocketPollFd PR_CreateStack PR_CreateThread PR_CreateThreadGCAble PR_CreateThreadPool PR_CreateWaitGroup PR_Delete PR_DeleteSemaphore PR_DestroyCondVar PR_DestroyLock PR_DestroyMWaitEnumerator PR_DestroyMonitor PR_DestroyPollableEvent PR_DestroyProcessAttr PR_DestroyRWLock PR_DestroySem PR_DestroySocketPollFd PR_DestroyStack PR_DestroyWaitGroup PR_DetachProcess PR_DetachThread PR_DisableClockInterrupts PR_DuplicateEnvironment PR_EmulateAcceptRead PR_EmulateSendFile PR_EnableClockInterrupts PR_EnterMonitor PR_EnumerateAddrInfo PR_EnumerateHostEnt PR_EnumerateThreads PR_EnumerateWaitGroup PR_ErrorInstallCallback PR_ErrorInstallTable PR_ErrorLanguages PR_ErrorToName PR_ErrorToString PR_ExitMonitor PR_ExplodeTime PR_ExportFileMapAsString PR_FD_CLR PR_FD_ISSET PR_FD_NCLR PR_FD_NISSET PR_FD_NSET PR_FD_SET PR_FD_ZERO PR_FileDesc2NativeHandle PR_FindFunctionSymbol PR_FindFunctionSymbolAndLibrary PR_FindSymbol PR_FindSymbolAndLibrary PR_FloorLog2 PR_FormatTime PR_FormatTimeUSEnglish PR_Free PR_FreeAddrInfo PR_FreeFileDesc PR_FreeLibraryName PR_GMTParameters PR_GetAddrInfoByName PR_GetCanonNameFromAddrInfo PR_GetConnectStatus PR_GetCurrentThread PR_GetDefaultIOMethods PR_GetDescType PR_GetDirectorySeparator PR_GetDirectorySepartor PR_GetEnv PR_GetEnvSecure PR_GetError PR_GetErrorText PR_GetErrorTextLength PR_GetFileInfo PR_GetFileInfo64 PR_GetFileMethods PR_GetHostByAddr PR_GetHostByName PR_GetIPNodeByName PR_GetIdentitiesLayer PR_GetInheritedFD PR_GetInheritedFileMap PR_GetLayersIdentity PR_GetLibraryFilePathname PR_GetLibraryName PR_GetLibraryPath PR_GetMemMapAlignment PR_GetMonitorEntryCount PR_GetNameForIdentity PR_GetNumberOfProcessors PR_GetOSError PR_GetOpenFileInfo PR_GetOpenFileInfo64 PR_GetPageShift PR_GetPageSize PR_GetPathSeparator PR_GetPeerName PR_GetPhysicalMemorySize PR_GetPipeMethods PR_GetPrefLoopbackAddrInfo PR_GetProtoByName PR_GetProtoByNumber PR_GetRandomNoise PR_GetSP PR_GetSockName PR_GetSocketOption PR_GetSpecialFD PR_GetSysfdTableMax PR_GetSystemInfo PR_GetTCPMethods PR_GetThreadAffinityMask PR_GetThreadID PR_GetThreadName PR_GetThreadPriority PR_GetThreadPrivate PR_GetThreadScope PR_GetThreadState PR_GetThreadType PR_GetUDPMethods PR_GetUniqueIdentity PR_GetVersion PR_ImplodeTime PR_ImportFile PR_ImportFileMapFromString PR_ImportPipe PR_ImportTCPSocket PR_ImportUDPSocket PR_Init PR_Initialize PR_InitializeNetAddr PR_Initialized PR_Interrupt PR_IntervalNow PR_IntervalToMicroseconds PR_IntervalToMilliseconds PR_IntervalToSeconds PR_IsNetAddrType PR_JoinJob PR_JoinThread PR_JoinThreadPool PR_KillProcess PR_Listen PR_LoadLibrary PR_LoadLibraryWithFlags PR_LoadStaticLibrary PR_LocalTimeParameters PR_Lock PR_LockFile PR_LogFlush PR_LogPrint PR_MakeDir PR_Malloc PR_MemMap PR_MemUnmap PR_MicrosecondsToInterval PR_MillisecondsToInterval PR_MkDir PR_NetAddrToString PR_NewCondVar PR_NewLock PR_NewLogModule PR_NewMonitor PR_NewNamedMonitor PR_NewPollableEvent PR_NewProcessAttr PR_NewRWLock PR_NewSem PR_NewTCPSocket PR_NewTCPSocketPair PR_NewThreadPrivateIndex PR_NewUDPSocket PR_NormalizeTime PR_Notify PR_NotifyAll PR_NotifyAllCondVar PR_NotifyCondVar PR_Now PR_Open PR_OpenAnonFileMap PR_OpenDir PR_OpenFile PR_OpenSemaphore PR_OpenTCPSocket PR_OpenUDPSocket PR_ParseTimeString PR_ParseTimeStringToExplodedTime PR_Poll PR_PopIOLayer PR_PostSem PR_PostSemaphore PR_ProcessAttrSetCurrentDirectory PR_ProcessAttrSetInheritableFD PR_ProcessAttrSetInheritableFileMap PR_ProcessAttrSetStdioRedirect PR_ProcessExit PR_PushIOLayer PR_QueueJob PR_QueueJob_Accept PR_QueueJob_Connect PR_QueueJob_Read PR_QueueJob_Timer PR_QueueJob_Write PR_RWLock_Rlock PR_RWLock_Unlock PR_RWLock_Wlock PR_Read PR_ReadDir PR_Realloc PR_Recv PR_RecvFrom PR_Rename PR_ResetProcessAttr PR_ResumeAll PR_RmDir PR_SecondsToInterval PR_Seek PR_Seek64 PR_Select PR_Send PR_SendFile PR_SendTo PR_SetCPUAffinityMask PR_SetConcurrency PR_SetCurrentThreadName PR_SetEnv PR_SetError PR_SetErrorText PR_SetFDCacheSize PR_SetFDInheritable PR_SetLibraryPath PR_SetLogBuffering PR_SetLogFile PR_SetNetAddr PR_SetPollableEvent PR_SetSocketOption PR_SetStdioRedirect PR_SetSysfdTableSize PR_SetThreadAffinityMask PR_SetThreadDumpProc PR_SetThreadGCAble PR_SetThreadPriority PR_SetThreadPrivate PR_SetThreadRecycleMode PR_ShowStatus PR_Shutdown PR_ShutdownThreadPool PR_Sleep PR_Socket PR_StackPop PR_StackPush PR_StringToNetAddr PR_SuspendAll PR_Sync PR_SyncMemMap PR_TLockFile PR_TestAndEnterMonitor PR_TestAndLock PR_TicksPerSecond PR_TransmitFile PR_USPacificTimeParameters PR_UnblockClockInterrupts PR_UnblockInterrupt PR_UnloadLibrary PR_Unlock PR_UnlockFile PR_VersionCheck PR_Wait PR_WaitCondVar PR_WaitForPollableEvent PR_WaitProcess PR_WaitRecvReady PR_WaitSem PR_WaitSemaphore PR_Write PR_Writev PR_Yield PR_cnvtf PR_dtoa PR_fprintf PR_htonl PR_htonll PR_htons PR_ntohl PR_ntohll PR_ntohs PR_smprintf PR_smprintf_free PR_snprintf PR_sprintf_append PR_sscanf PR_strtod PR_sxprintf PR_vfprintf PR_vsmprintf PR_vsnprintf PR_vsprintf_append PR_vsxprintf PT_FPrintStats SECITEM_AllocArray SECITEM_AllocItem SECITEM_AllocItem_Util SECITEM_ArenaDupItem_Util SECITEM_CompareItem_Util SECITEM_CopyItem SECITEM_CopyItem_Util SECITEM_DupArray SECITEM_DupItem SECITEM_DupItem_Util SECITEM_FreeItem SECITEM_FreeItem_Util SECITEM_HashCompare SECITEM_ItemsAreEqual SECITEM_ItemsAreEqual_Util SECITEM_ReallocItemV2 SECITEM_ZfreeItem SECITEM_ZfreeItem_Util SECKEY_ConvertToPublicKey SECKEY_CopyPrivateKey SECKEY_CopyPublicKey SECKEY_CopySubjectPublicKeyInfo SECKEY_CreateSubjectPublicKeyInfo SECKEY_DecodeDERSubjectPublicKeyInfo SECKEY_DestroyEncryptedPrivateKeyInfo SECKEY_DestroyPrivateKey SECKEY_DestroyPrivateKeyList SECKEY_DestroyPublicKey SECKEY_DestroySubjectPublicKeyInfo SECKEY_ECParamsToBasePointOrderLen SECKEY_ECParamsToKeySize SECKEY_EncodeDERSubjectPublicKeyInfo SECKEY_EncryptedPrivateKeyInfoTemplate SECKEY_ExtractPublicKey SECKEY_GetPrivateKeyType SECKEY_GetPublicKeyType SECKEY_ImportDERPublicKey SECKEY_PublicKeyStrength SECKEY_RSAPSSParamsTemplate SECKEY_SignatureLen SECMIME_DecryptionAllowed SECMOD_AddNewModule SECMOD_AddNewModuleEx SECMOD_CanDeleteInternalModule SECMOD_CancelWait SECMOD_CloseUserDB SECMOD_CreateModule SECMOD_DeleteInternalModule SECMOD_DeleteModule SECMOD_DestroyModule SECMOD_FindModule SECMOD_GetDeadModuleList SECMOD_GetDefaultModuleList SECMOD_GetDefaultModuleListLock SECMOD_GetInternalModule SECMOD_GetModuleSpecList SECMOD_GetReadLock SECMOD_InternaltoPubMechFlags SECMOD_LoadModule SECMOD_LoadUserModule SECMOD_LockedModuleHasRemovableSlots SECMOD_OpenUserDB SECMOD_PubCipherFlagstoInternal SECMOD_PubMechFlagstoInternal SECMOD_ReferenceModule SECMOD_ReleaseReadLock SECMOD_UnloadUserModule SECMOD_UpdateModule SECMOD_UpdateSlotList SECMOD_WaitForAnyTokenEvent SECOID_AddEntry SECOID_AddEntry_Util SECOID_AlgorithmIDTemplate SECOID_AlgorithmIDTemplate_Util SECOID_CopyAlgorithmID_Util SECOID_DestroyAlgorithmID SECOID_DestroyAlgorithmID_Util SECOID_FindOID SECOID_FindOIDByMechanism SECOID_FindOIDByTag SECOID_FindOIDByTag_Util SECOID_FindOIDTag SECOID_FindOIDTagDescription_Util SECOID_FindOIDTag_Util SECOID_FindOID_Util SECOID_GetAlgorithmTag SECOID_GetAlgorithmTag_Util SECOID_Init SECOID_SetAlgorithmID SECOID_SetAlgorithmID_Util SECOID_Shutdown SEC_ASN1Decode SEC_ASN1DecodeInteger SEC_ASN1DecodeItem SEC_ASN1DecodeItem_Util SEC_ASN1Decode_Util SEC_ASN1EncodeInteger_Util SEC_ASN1EncodeItem SEC_ASN1EncodeItem_Util SEC_ASN1EncodeUnsignedInteger_Util SEC_ASN1Encode_Util SEC_AnyTemplate_Util SEC_BMPStringTemplate SEC_BitStringTemplate SEC_BitStringTemplate_Util SEC_BooleanTemplate_Util SEC_CertNicknameConflict SEC_CreateSignatureAlgorithmParameters SEC_DeletePermCertificate SEC_DerSignData SEC_DerSignDataWithAlgorithmID SEC_DestroyCrl SEC_GeneralizedTimeTemplate_Util SEC_GetSignatureAlgorithmOidTag SEC_IA5StringTemplate SEC_IA5StringTemplate_Util SEC_IntegerTemplate SEC_IntegerTemplate_Util SEC_NullTemplate_Util SEC_ObjectIDTemplate_Util SEC_OctetStringTemplate SEC_OctetStringTemplate_Util SEC_PKCS12AddCertAndKey SEC_PKCS12AddPasswordIntegrity SEC_PKCS12CreateExportContext SEC_PKCS12CreatePasswordPrivSafe SEC_PKCS12CreateUnencryptedSafe SEC_PKCS12DecoderFinish SEC_PKCS12DecoderImportBags SEC_PKCS12DecoderIterateInit SEC_PKCS12DecoderIterateNext SEC_PKCS12DecoderRenameCertNicknames SEC_PKCS12DecoderStart SEC_PKCS12DecoderUpdate SEC_PKCS12DecoderValidateBags SEC_PKCS12DecoderVerify SEC_PKCS12DestroyExportContext SEC_PKCS12EnableCipher SEC_PKCS12Encode SEC_PKCS12IsEncryptionAllowed SEC_PKCS12SetPreferredCipher SEC_PKCS5GetPBEAlgorithm SEC_PKCS5IsAlgorithmPBEAlgTag SEC_PKCS7AddSigningTime SEC_PKCS7ContentIsEncrypted SEC_PKCS7ContentIsSigned SEC_PKCS7CopyContentInfo SEC_PKCS7CreateSignedData SEC_PKCS7DecodeItem SEC_PKCS7DecoderFinish SEC_PKCS7DecoderStart SEC_PKCS7DecoderUpdate SEC_PKCS7DestroyContentInfo SEC_PKCS7Encode SEC_PKCS7IncludeCertChain SEC_PKCS7VerifyDetachedSignature SEC_QuickDERDecodeItem SEC_QuickDERDecodeItem_Util SEC_RegisterDefaultHttpClient SEC_SignData SEC_SignedCertificateTemplate SEC_StringToOID SEC_UTF8StringTemplate SEC_UTF8StringTemplate_Util SGN_Begin SGN_CreateDigestInfo SGN_CreateDigestInfo_Util SGN_DecodeDigestInfo SGN_DestroyContext SGN_DestroyDigestInfo SGN_DestroyDigestInfo_Util SGN_End SGN_NewContext SGN_Update SSL_AlertSentCallback SSL_AuthCertificateComplete SSL_AuthCertificateHook SSL_CipherPrefGet SSL_CipherPrefSet SSL_CipherPrefSetDefault SSL_ClearSessionCache SSL_ClientCertCallbackComplete SSL_ConfigSecureServer SSL_ConfigSecureServerWithCertChain SSL_ConfigServerCert SSL_ConfigServerSessionIDCache SSL_ExportKeyingMaterial SSL_ForceHandshake SSL_GetChannelInfo SSL_GetCipherSuiteInfo SSL_GetClientAuthDataHook SSL_GetExperimentalAPI SSL_GetImplementedCiphers SSL_GetNextProto SSL_GetNumImplementedCiphers SSL_GetPreliminaryChannelInfo SSL_GetSRTPCipher SSL_GetStatistics SSL_HandshakeCallback SSL_HandshakeNegotiatedExtension SSL_ImplementedCiphers SSL_ImportFD SSL_NamedGroupConfig SSL_NumImplementedCiphers SSL_OptionGet SSL_OptionGetDefault SSL_OptionSet SSL_OptionSetDefault SSL_PeerCertificate SSL_PeerCertificateChain SSL_PeerSignedCertTimestamps SSL_PeerStapledOCSPResponses SSL_ResetHandshake SSL_SNISocketConfigHook SSL_SendAdditionalKeyShares SSL_SetCanFalseStartCallback SSL_SetDowngradeCheckVersion SSL_SetNextProtoNego SSL_SetPKCS11PinArg SSL_SetSRTPCiphers SSL_SetSockPeerID SSL_SetStapledOCSPResponses SSL_SetTrustAnchors SSL_SetURL SSL_ShutdownServerSessionIDCache SSL_SignatureSchemePrefSet SSL_VersionRangeGet SSL_VersionRangeGetDefault SSL_VersionRangeGetSupported SSL_VersionRangeSet SSL_VersionRangeSetDefault SetExecutionEnvironment UTIL_SetForkState VFY_Begin VFY_CreateContext VFY_DestroyContext VFY_End VFY_EndWithSignature VFY_Update VFY_VerifyData VFY_VerifyDataWithAlgorithmID VFY_VerifyDigestDirect _NSSUTIL_Access _NSSUTIL_EvaluateConfigDir _NSSUTIL_GetSecmodName _NSSUTIL_UTF8ToWide _PR_AddSleepQ _PR_CreateThread _PR_DelSleepQ _PR_GetPrimordialCPU _PR_MD_FREE_CV _PR_MD_INIT_LOCKS _PR_MD_NEW_CV _PR_MD_NEW_LOCK _PR_MD_NOTIFYALL_CV _PR_MD_NOTIFY_CV _PR_MD_UNLOCK _PR_MD_WAIT_CV _PR_NativeCreateThread _SGN_VerifyPKCS1DigestInfo __PK11_SetCertificateNickname _pr_push_ipv6toipv4_layer _pr_test_ipv6_socket sqlite3_aggregate_context sqlite3_auto_extension sqlite3_bind_blob sqlite3_bind_double sqlite3_bind_int sqlite3_bind_int64 sqlite3_bind_null sqlite3_bind_parameter_count sqlite3_bind_parameter_index sqlite3_bind_parameter_name sqlite3_bind_text sqlite3_bind_text16 sqlite3_bind_value sqlite3_bind_zeroblob sqlite3_busy_handler sqlite3_busy_timeout sqlite3_changes sqlite3_changes64 sqlite3_clear_bindings sqlite3_close sqlite3_collation_needed sqlite3_collation_needed16 sqlite3_column_blob sqlite3_column_bytes sqlite3_column_bytes16 sqlite3_column_count sqlite3_column_decltype sqlite3_column_double sqlite3_column_int sqlite3_column_int64 sqlite3_column_name sqlite3_column_name16 sqlite3_column_text sqlite3_column_text16 sqlite3_column_type sqlite3_column_value sqlite3_commit_hook sqlite3_complete sqlite3_complete16 sqlite3_config sqlite3_context_db_handle sqlite3_create_collation sqlite3_create_collation16 sqlite3_create_function sqlite3_create_function16 sqlite3_create_function_v2 sqlite3_create_module sqlite3_data_count sqlite3_database_file_object sqlite3_db_cacheflush sqlite3_db_config sqlite3_db_filename sqlite3_db_handle sqlite3_db_mutex sqlite3_db_readonly sqlite3_db_status sqlite3_declare_vtab sqlite3_enable_load_extension sqlite3_enable_shared_cache sqlite3_errcode sqlite3_errmsg sqlite3_errmsg16 sqlite3_error_offset sqlite3_exec sqlite3_expanded_sql sqlite3_extended_errcode sqlite3_extended_result_codes sqlite3_file_control sqlite3_finalize sqlite3_free sqlite3_free_table sqlite3_get_autocommit sqlite3_get_auxdata sqlite3_get_table sqlite3_initialize sqlite3_interrupt sqlite3_last_insert_rowid sqlite3_libversion sqlite3_libversion_number sqlite3_limit sqlite3_load_extension sqlite3_log sqlite3_malloc sqlite3_malloc64 sqlite3_memory_highwater sqlite3_memory_used sqlite3_mprintf sqlite3_mutex_alloc sqlite3_mutex_enter sqlite3_mutex_free sqlite3_mutex_leave sqlite3_mutex_try sqlite3_next_stmt sqlite3_open sqlite3_open16 sqlite3_open_v2 sqlite3_overload_function sqlite3_prepare sqlite3_prepare16 sqlite3_prepare16_v2 sqlite3_prepare_v2 sqlite3_progress_handler sqlite3_randomness sqlite3_realloc sqlite3_release_memory sqlite3_reset sqlite3_reset_auto_extension sqlite3_result_blob sqlite3_result_double sqlite3_result_error sqlite3_result_error16 sqlite3_result_error_code sqlite3_result_error_nomem sqlite3_result_error_toobig sqlite3_result_int sqlite3_result_int64 sqlite3_result_null sqlite3_result_subtype sqlite3_result_text sqlite3_result_text16 sqlite3_result_text16be sqlite3_result_text16le sqlite3_result_value sqlite3_result_zeroblob sqlite3_rollback_hook sqlite3_set_authorizer sqlite3_set_auxdata sqlite3_shutdown sqlite3_sleep sqlite3_snprintf sqlite3_sql sqlite3_status sqlite3_step sqlite3_stmt_busy sqlite3_stmt_isexplain sqlite3_stmt_readonly sqlite3_stmt_status sqlite3_stricmp sqlite3_threadsafe sqlite3_total_changes sqlite3_trace_v2 sqlite3_txn_state sqlite3_unlock_notify sqlite3_update_hook sqlite3_uri_parameter sqlite3_user_data sqlite3_value_blob sqlite3_value_bytes sqlite3_value_bytes16 sqlite3_value_double sqlite3_value_int sqlite3_value_int64 sqlite3_value_numeric_type sqlite3_value_subtype sqlite3_value_text sqlite3_value_text16 sqlite3_value_text16be sqlite3_value_text16le sqlite3_value_type sqlite3_version sqlite3_vfs_find sqlite3_vfs_register sqlite3_vfs_unregister sqlite3_vmprintf |
I'm not sure what your point is, libnss is not exactly a secret, but how does it help us? The PKCS11 functions certainly don't.
OCSP is dead, and it's solving a problem that has never really existed anyway. This is not really a concern. None of this is relevant. |
The best solution is to offload all maintenance of TLS sockets in Perl 5 to another entity which has far more manpower/resources/paid developers than the Perl ecosystem has. In real world terms, its some batteries included C library maintained by a FOSS OS vendor, or by one of the big 3 HTML browsers. That C library is 1 or 2 steps above the raw OpenSSL C API, and lib could actually be a HTTP 1.1/2/3 C library. There is too much Perl community written security sensitive code involved if we have to keep targeting the raw OpenSSL C API. And that API (or all TLS/SSL crypto libs are) is a constantly evolving unstable interface that the Perl volunteers will need to spend a huge amount of unpaid volunteer time to keep upto date. I want to see all OSes running Perl, to use something higher level API than raw OpenSSL. I really really don't want to, and my nightmare would be to see Perl 5 ONLY 0-day TLS related exploit being announced. If Apple announced a 0-day TLS exploit in Safari/OSX/iOS, that happens to also affect Perl 5 as collateral damage, cool, I'm totally fine with that happening. Same for Chrome/Android or desktop Windows platforms. Whatever the exploit/CVE was, it was someone elses responsibility and liability and someone elses social media drama, and that someone else (company/large FOSS project) is 100% unrelated to the Perl platform. That is my dream on how to solve this "no support/sketchy TLS 1.3 support in PP lang" problem once and forever, and never to be spoken of again. |
|
https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL/Intercept.pm#L41 I can't track down the RV2CV optimization thread from last year, I wanna attack some of the BBCs ATM, but 2-3 of the CPAN modules that got broken by RV2CV last year, have problems like these output being weird/wrong/broken/different than Perl from 5 years ago Now imagine, in a fictional scenario, if RV2CV optimization alters the behavior of this line IO/Socket/SSL/Intercept.pm https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL/Intercept.pm#L134 Eghhhh, Storable has alot of bit rot, Ive tried 3x to refactor it in the last 18 months. Storable's CPU burn is the #1 reason why updates: https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL/PublicSuffix.pm#L350 The contents of that file, and control of the bytes in it, is the most dangerous file on earth, since that drives ACME automatic certificate issue protocol, HTTP cookie isolation between subdomains, and XHR/HTML5 same origin policy, and also drives the entire the ICANN IPv4/IPV6 public DNS system/proof of domain ownership for CA. I have non-perl offline personal beef with lines https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL/PublicSuffix.pm#L12875 Oh no, this security sensitive file self updates over cleartext HTTP 😭 If somehow this line exact line https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL/PublicSuffix.pm#L1208 got deleted for unexplained reasons (MITM/blackhat/easier to not think why), now using I've done enough rev engineering on a certain If the PSL is altered in a browser, https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly is the 2nd line of defense against blackhat behavior. What steps does IO::Socket::SSL take as a 2nd line of defense if its PSL file is maliciously altered in transit??? That is an example of why Perl shouldn't maintain their own TLS library, and get some other much much larger entity to do it. Side note, the alternative GUI vs the official Google Play App Store app, the end user still needs to manually transfer their cookie jar to my alternative GUI app using Chrome Dev Tools a couple times a year. No technological security systems were bypassed. Update: https://metacpan.org/release/SULLR/IO-Socket-SSL-2.095/source/lib/IO/Socket/SSL/Utils.pm#L278 |
On p5p, the question was asked what would it look like to just add IO::Socket::SSL and Net::SSLeay to the core. It appears that all that was needed is to include the distribution in cpan/, add information to Porting/Maintainers.pl, and include an explicit dependency between the two packages in Makefile.SH.
The tests all pass for me except for cmp_version.t. I think that's because it is confused by the newly added .c/.h files and thinking the versions need to be bumped instead of recognizing them as new. I am hoping to dig more into what is causing that failure and either fixing the files to pass or find a fix for cmpVERSION.pl.