NSS sqlite3 version question

Usha Nayak

Mar 15, 2023, 11:39:14 AM
to dev-tec...@mozilla.org
Hello,

We are building NSS and are packing it in our product. For our application we use the IAIK PKCS#11 wrapper to connect to NSS.

The following properties file contains information that's used by IAIK to connect to NSS:
image.png

We use the following command to create the DB:
"NSS\bin\modutil.exe" -force -create -dbdir sql:"%XXX%\data\NSS\db"

As far as I know we are using the sqlite lib that's packaged in NSS 3.88. Are there plans to upgrade it? If there are security concerns, what can we do to mitigate them?

Any help greatly appreciated 

Thanks.

Robert Relyea

Mar 15, 2023, 7:08:38 PM
to dev-tec...@mozilla.org

The image is missing, so a vital part of your question isn't visible.

That being said, we usually update sqlite when we need to, to fix NSS issues, or if NSS needs to use more advanced sqlite features.

Many users of NSS provide their own copy of sqlite (either because they have their own copy as part of a larger application... like Firefox, or because sqlite is provided by the OS, like many Linux distributions). If you are concerned with shipping or using the older version of sqlite3, you could build your own from the sqlite3 project and use it.

bob


Martin Thomson

Mar 15, 2023, 7:55:43 PM
to Robert Relyea, dev-tec...@mozilla.org
Just to expand on what Bob said, we don't make any guarantees about the version of sqlite that is in our tree.  It exists only to support standalone builds of NSS.

As a general rule, it will be out of date and can be vulnerable.  But the sqlite project has a history of excellent ABI compatibility, so the latest version should work with NSS.  If it doesn't work, that might be worth flagging to us.

We also accept patches and would be happy to look at a patch that updates our copy of sqlite if that works better for you.

Usha Nayak

Mar 15, 2023, 10:13:01 PM
to Martin Thomson, Robert Relyea, dev-tec...@mozilla.org
Hello

Thank you both for your responses.

Forgive me, but I do have a few follow-up questions:

In the event that a machine (Windows or Linux) has the latest version of sqlite (system-provided or, say, built manually), what needs to be done for NSS to pick it up?

Do we need to build NSS with a certain option so it can link to the machine’s SQLite? In the event there’s none on the machine, I’m assuming NSS will default to using its own SQLite?

FYI, we are planning on upgrading to NSS 3.88 and if I’m not mistaken the SQLite version that’s packaged up is 3.29.

Thank you

Robert Relyea

Mar 16, 2023, 2:24:10 PM
to Usha Nayak, Martin Thomson, dev-tec...@mozilla.org
On 3/15/23 7:12 PM, Usha Nayak wrote:
> Hello
>
> Thank you both for your responses.
>
> Forgive me, but I do have a few follow-up questions:
>
> In the event that a machine (Windows or Linux) has the latest version of sqlite (system-provided or, say, built manually), what needs to be done for NSS to pick it up?
>
> Do we need to build NSS with a certain option so it can link to the machine’s SQLite? In the event there’s none on the machine, I’m assuming NSS will default to using its own SQLite?

The easiest way is to build with system_sqlite:

./build.sh --system-sqlite {your other build options}

for ninja/gyp builds or

export NSS_USE_SYSTEM_SQLITE=1

gmake nss_build_all

gmake builds


It's possible you can just make sure your copy of sqlite is in your path and remove the NSS-built one as well (I haven't tried it, but the only thing that would prevent it from working is any .dll config difference between the system shared library and the NSS-built one).

If you build with system-sqlite you'll need to have the system-sqlite build environment installed at build time. If sqlite isn't on your system, NSS would fail (the libraries are direct link, so the system's loader will fail to load NSS if it can't find a matching sqlite). You could also use the system function to include your own sqlite. Go to sqlite upstream and pull and build it yourself, then install the header files. You can then build NSS with --system-sqlite and NSS would end up using your own built sqlite.

bob
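
One way to check which sqlite3 copy sits beside an NSS install, which one the system provides, and whether each meets a minimum version. This is an added example, not part of the thread or the NSS project; the bundled file names, the helper names and the version floor passed in are assumptions.

```python
"""Added example: report the version of each sqlite3 library NSS could load."""
import ctypes
import ctypes.util
import sys
from pathlib import Path

# Assumed file names for a sqlite copy shipped inside the NSS library directory.
BUNDLED_NAMES = ("libsqlite3.so", "libsqlite3.dylib", "sqlite3.dll")


def parse_version(text):
    """Turn '3.29.0' into (3, 29, 0, 0) so versions compare numerically."""
    parts = [int(part) for part in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def sqlite_lib_version(path):
    """Load the library at `path` and ask it for its own version string."""
    lib = ctypes.CDLL(str(path))
    lib.sqlite3_libversion.restype = ctypes.c_char_p
    return lib.sqlite3_libversion().decode("ascii")


def candidates(nss_lib_dir):
    """Yield (origin, path) for a copy beside NSS and for the system copy."""
    for name in BUNDLED_NAMES:
        path = Path(nss_lib_dir) / name
        if path.is_file():
            yield "bundled", str(path)
    system = ctypes.util.find_library("sqlite3")
    if system:
        yield "system", system


def audit(nss_lib_dir, floor, version_of=sqlite_lib_version):
    """Return [(origin, path, version, meets_floor)] for every candidate."""
    report = []
    for origin, path in candidates(nss_lib_dir):
        version = version_of(path)
        meets = parse_version(version) >= parse_version(floor)
        report.append((origin, path, version, meets))
    return report


if __name__ == "__main__":
    # Usage: python audit_sqlite.py <NSS lib dir> <minimum sqlite version>
    for row in audit(sys.argv[1], sys.argv[2]):
        print(*row)
```

A "bundled" row after a system-sqlite build means an old copy is still sitting in the NSS directory and should be removed from the package.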