Re: Support for NSS as a libpq TLS backend - Mailing list pgsql-hackers

From Joshua Brindle
Subject Re: Support for NSS as a libpq TLS backend
Msg-id CAGB+Vh5A9jja8FxNry9YyqN3hjva_5TWGJ=sN-fziTjrLZaFfg@mail.gmail.com
In response to Re: Support for NSS as a libpq TLS backend  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: Support for NSS as a libpq TLS backend
List pgsql-hackers
On Wed, Nov 10, 2021 at 8:49 AM Daniel Gustafsson <daniel@yesql.se> wrote:
>
> > On 9 Nov 2021, at 22:22, Joshua Brindle <joshua.brindle@crunchydata.com> wrote:
> > On Tue, Nov 9, 2021 at 2:02 PM Joshua Brindle
> > <joshua.brindle@crunchydata.com> wrote:
> >>
> >> On Tue, Nov 9, 2021 at 1:59 PM Joshua Brindle
> >> <joshua.brindle@crunchydata.com> wrote:
>
> >>> Hello, I'm looking to help out with reviews for this CF and I'm
> >>> currently looking at this patchset.
>
> Thanks, much appreciated!
>
> >>> currently I'm stuck trying to configure:
> >>>
> >>> checking for nss-config... /usr/bin/nss-config
> >>> checking for nspr-config... /usr/bin/nspr-config
> >>> ...
> >>> checking nss/ssl.h usability... no
> >>> checking nss/ssl.h presence... no
> >>> checking for nss/ssl.h... no
> >>> configure: error: header file <nss/ssl.h> is required for NSS
> >>>
> >>> This is on fedora 33 and nss-devel is installed, nss-config is
> >>> available (and configure finds it) but the directory is different from
> >>> Ubuntu:
> >>> (base) [vagrant@fedora ~]$ nss-config --includedir
> >>> /usr/include/nss3
> >>> (base) [vagrant@fedora ~]$ ls -al /usr/include/nss3/ssl.h
> >>> -rw-r--r--. 1 root root 70450 Sep 30 05:41 /usr/include/nss3/ssl.h
> >>>
> >>> So if nss-config --includedir is used then #include <ssl.h> should be
> >>> used, or if not then #include <nss3/ssl.h> but on this system #include
> >>> <nss/ssl.h> is not going to work.
>
> Interesting rename, I doubt any version but NSS 3 and NSPR 4 is alive anywhere
> and an incremented major version seems highly unlikely.  Going back to plain
> #include <ssl.h> and have the includeflags sort out the correct directories
> seems like the best option then.  Fixed in the attached.
>
> >> FYI, if I make a symlink to get past this, configure completes but
> >> compilation fails because nspr/nspr.h cannot be found (I'm not sure
> >> why configure doesn't discover this)
> >> ../../src/include/common/nss.h:31:10: fatal error: 'nspr/nspr.h' file not found
> >> #include <nspr/nspr.h>In file included from protocol_nss.c:24:
> >> ../../src/include/common/nss.h:31:10: fatal error: 'nspr/nspr.h' file not found
> >> #include <nspr/nspr.h>
> >> ^~~~~~~~~~~~~
> >>
> >> It's a similar issue:
> >> $ nspr-config --includedir
> >> /usr/include/nspr4
>
> Fixed.
>
> > If these get resolved the next issue is llvm bitcode doesn't compile
> > because the nss includedir is missing from CPPFLAGS:
> >
> > /usr/bin/clang -Wno-ignored-attributes -fno-strict-aliasing -fwrapv
> > -O2  -I../../../src/include  -D_GNU_SOURCE -I/usr/include/libxml2
> > -I/usr/include -flto=thin -emit-llvm -c -o be-secure-nss.bc
> > be-secure-nss.c
> > In file included from be-secure-nss.c:20:
> > In file included from ../../../src/include/common/nss.h:38:
> > In file included from /usr/include/nss/nss.h:34:
> > /usr/include/nss/seccomon.h:17:10: fatal error: 'prtypes.h' file not found
> > #include "prtypes.h"
> >         ^~~~~~~~~~~
> > 1 error generated.
>
> Fixed.

Apologies for the delay, this didn't go to my inbox and I missed it on list.

The bitcode generation is still broken, this time for nspr.h:

/usr/bin/clang -Wno-ignored-attributes -fno-strict-aliasing -fwrapv
-O2  -I../../../src/include  -D_GNU_SOURCE -I/usr/include/libxml2
-I/usr/include -flto=thin -emit-llvm -c -o be-secure-nss.bc
be-secure-nss.c
In file included from be-secure-nss.c:20:
../../../src/include/common/nss.h:31:10: fatal error: 'nspr.h' file not found
#include <nspr.h>
         ^~~~~~~~
1 error generated.

FWIW I attached the Dockerfile I've been using to test this, primarily
to ensure that there were no openssl devel files lurking around during
compilation.

It expects a ./postgres directory with whatever patches already applied to it.

>
> The attached also resolves the conflicts in pgcrypto following db7d1a7b05.  PGP
> ElGamal and RSA pubkey functions aren't supported for now as there are no bignum
> functions similar to the BN_* in OpenSSL.  I will look more into how hard it
> would be to support, for now this gets us ahead.
>
> --
> Daniel Gustafsson               https://vmware.com/
>
