Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Rachel Heaton <rachelmheaton(at)gmail(dot)com>
Cc: "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz>, Jacob Champion <pchampion(at)vmware(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2021-09-30 12:17:29
Message-ID: 09DB934A-2B4B-4F1E-9DAA-C55D50F254D1@yesql.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> On 28 Sep 2021, at 01:07, Rachel Heaton <rachelmheaton(at)gmail(dot)com> wrote:

> 1. I get 7 warnings while running make (truncated):
> cryptohash_nss.c:101:21: warning: implicit conversion from enumeration
> type 'SECOidTag' to different enumeration type 'HASH_HashType'

Nice catch, fixed in the attached.

> 2. libpq-refs-stamp fails -- it appears an exit is being injected into
> libpq on Mac

I spent some time investigating this, and there are two cases of _exit() and
one atexit() which are coming from the threading code in libnspr (which is the
runtime lib required by libnss).

On macOS the threading code registers an atexit handler [0] in order to work
around issues with __attribute__((destructor)) [1]. The pthreads code also
defines PR_ProcessExit [2] which does what it says on the tin, calls exit and
not much more [3]. Both of these uses are only compiled when building with
pthreads, which can be disabled in autoconf but that seems broken in recent
version of NSPR. I'm fairly sure I've built NSPR with the user pthreads in the
past, but if packagers build it like this then we need to conform to that. The
PR_CreateProcess() [4] call further calls _exit() [5] in a number of error
paths on failing syscalls.

The libpq libnss implementation doesn't call either of these, and neither does
libnss.

I'm not entirely sure what to do here, it clearly requires an exception in the
Makefile check of sorts if we deem we can live with this.

@Jacob: how did you configure your copy of NSPR?

--
Daniel Gustafsson https://vmware.com/

[0] https://hg.mozilla.org/projects/nspr/file/tip/pr/src/pthreads/ptthread.c#l1034
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1399746#c99
[2] https://www-archive.mozilla.org/projects/nspr/reference/html/prinit.html#15859
[3] https://hg.mozilla.org/projects/nspr/file/tip/pr/src/pthreads/ptthread.c#l1181
[4] https://www-archive.mozilla.org/projects/nspr/reference/html/prprocess.html#24535
[5] https://hg.mozilla.org/projects/nspr/file/tip/pr/src/md/unix/uxproces.c#l268

Attachment Content-Type Size
v44-0001-nss-Support-libnss-as-TLS-library-in-libpq.patch application/octet-stream 102.6 KB
v44-0002-Refactor-SSL-testharness-for-multiple-library.patch application/octet-stream 11.5 KB
v44-0003-nss-Add-NSS-specific-tests.patch application/octet-stream 57.8 KB
v44-0004-test-check-for-empty-stderr-during-connect_ok.patch application/octet-stream 3.6 KB
v44-0005-nss-pg_strong_random-support.patch application/octet-stream 2.0 KB
v44-0006-nss-Documentation.patch application/octet-stream 35.3 KB
v44-0007-nss-Support-NSS-in-pgcrypto.patch application/octet-stream 24.9 KB
v44-0008-nss-Support-NSS-in-sslinfo.patch application/octet-stream 3.6 KB
v44-0009-nss-Support-NSS-in-cryptohash.patch application/octet-stream 6.1 KB
v44-0010-nss-Build-infrastructure.patch application/octet-stream 21.4 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Alvaro Herrera 2021-09-30 13:07:51 Re: pgsql: Fix WAL replay in presence of an incomplete record
Previous Message Alvaro Herrera 2021-09-30 12:02:30 Re: prevent immature WAL streaming