build: Use system NSS when possible (#1739)

* build: Use system-installed NSS instead of building our own Fixes #1711 * Update CI * Fix docs * Fix Dockerfile * Fix * build-essential * Try and search for nss * Try to get newest versions * More fixes * Restore Windows link.exe fix * Install pkg-config * Remove MSYS2 linker * Retain ability to build NSS from source * Update Linux instructions * Try and find MSYS2 library path * Retry * Again * Again * Again * Again * Again * Again * Again * Again * Again * Again * Revert many things, keep building NSS from source unless system version is OK * Fixes * Fixes * debug * Debug * Fixes * Compare versions with the `semver` crate * Use NSS version from code in CI * File has other name * Update .github/actions/nss/action.yml Co-authored-by: Martin Thomson <mt@lowentropy.net> Signed-off-by: Lars Eggert <lars@eggert.org> * Update neqo-crypto/build.rs Co-authored-by: Martin Thomson <mt@lowentropy.net> Signed-off-by: Lars Eggert <lars@eggert.org> * Update neqo-crypto/build.rs Co-authored-by: Martin Thomson <mt@lowentropy.net> Signed-off-by: Lars Eggert <lars@eggert.org> * Address code review comments. Not ready yet. Need to determine what to do in `nss_dir()`. See comments. * Update neqo-crypto/build.rs Co-authored-by: Martin Thomson <mt@lowentropy.net> Signed-off-by: Lars Eggert <lars@eggert.org> * Address code review * Updates to README * Remove `nss_dir()` --------- Signed-off-by: Lars Eggert <lars@eggert.org> Co-authored-by: Martin Thomson <mt@lowentropy.net>
mozilla · Mar 27, 2024 · 47dfb3b · 47dfb3b
1 parent 6a51a35
commit 47dfb3b
Show file tree

Hide file tree

Showing 11 changed files with 214 additions and 110 deletions.
diff --git a/.github/actions/nss/action.yml b/.github/actions/nss/action.yml
@@ -16,35 +16,68 @@ inputs:
 runs:
   using: composite
   steps:
+    - name: Check system NSS version
+      shell: bash
+      run: |
+        if ! command -v pkg-config &> /dev/null; then
+          echo "BUILD_NSS=1" >> "$GITHUB_ENV"
+          exit 0
+        fi
+        if ! pkg-config --exists nss; then
+          echo "BUILD_NSS=1" >> "$GITHUB_ENV"
+          exit 0
+        fi
+        NSS_VERSION="$(pkg-config --modversion nss)"
+        if [ "$?" -ne 0 ]; then
+          echo "BUILD_NSS=1" >> "$GITHUB_ENV"
+          exit 0
+        fi
+        NSS_MAJOR=$(echo "$NSS_VERSION" | cut -d. -f1)
+        NSS_MINOR=$(echo "$NSS_VERSION" | cut -d. -f2)
+        REQ_NSS_MAJOR=$(cat neqo-crypto/min_version.txt | cut -d. -f1)
+        REQ_NSS_MINOR=$(cat neqo-crypto/min_version.txt | cut -d. -f2)
+        if [ "$NSS_MAJOR" -lt "REQ_NSS_MAJOR" ] || [ "$NSS_MAJOR" -eq "REQ_NSS_MAJOR" -a "$NSS_MINOR" -lt "REQ_NSS_MINOR"]; then
+          echo "System NSS is too old: $NSS_VERSION"
+          echo "BUILD_NSS=1" >> "$GITHUB_ENV"
+          exit 0
+        fi
+        echo "System NSS is suitable: $NSS_VERSION"
+        echo "BUILD_NSS=0" >> "$GITHUB_ENV"
+
     # Ideally, we'd use this. But things are sufficiently flaky that we're better off
     # trying both hg and git. Leaving this here in case we want to re-try in the future.
     #
     # - name: Checkout NSPR
+    #   if: env.BUILD_NSS == '1'
     #   uses: actions/checkout@v4
     #   with:
     #     repository: "nss-dev/nspr"
     #     path: ${{ github.workspace }}/nspr
 
     # - name: Checkout NSS
+    #   if: env.BUILD_NSS == '1'
     #   uses: actions/checkout@v4
     #   with:
     #     repository: "nss-dev/nss"
     #     path: ${{ github.workspace }}/nss
 
     - name: Checkout NSPR
       shell: bash
+      if: env.BUILD_NSS == '1'
       run: |
         hg clone https://hg.mozilla.org/projects/nspr "${{ github.workspace }}/nspr" || \
           git clone --depth=1 https://github.com/nss-dev/nspr "${{ github.workspace }}/nspr"
 
     - name: Checkout NSS
       shell: bash
+      if: env.BUILD_NSS == '1'
       run: |
         hg clone https://hg.mozilla.org/projects/nss "${{ github.workspace }}/nss" || \
           git clone --depth=1 https://github.com/nss-dev/nss "${{ github.workspace }}/nss"
 
     - name: Build
       shell: bash
+      if: env.BUILD_NSS == '1'
       run: |
         if [ "${{ inputs.type }}" != "Debug" ]; then
           # We want to do an optimized build for accurate CPU profiling, but

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -49,33 +49,21 @@ jobs:
           sudo apt-get install -y --no-install-recommends gyp mercurial ninja-build lld
           echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
 
-      # In addition to installing dependencies, first make sure System Integrity Protection (SIP)
-      # is disabled on this MacOS runner. This is needed to allow the NSS libraries to be loaded
-      # from the build directory and avoid various other test failures. This seems to always be
-      # the case on any macos-13 runner, but not consistently on macos-latest (which is currently
-      # macos-12, FWIW).
       - name: Install dependencies (MacOS)
         if: runner.os == 'MacOS'
         run: |
-          csrutil status | grep disabled
-          brew install ninja mercurial llvm
+          brew update
+          brew install llvm nss
           echo "/opt/homebrew/opt/llvm/bin" >> "$GITHUB_PATH"
-          ln -s /opt/homebrew/bin/python3 /opt/homebrew/bin/python
-          # python3 -m pip install gyp-next
-          # Above does not work, since pypi only has gyp 0.15.0, which is too old
-          # for the homebrew python3. Install from source instead.
-          python3 -m pip install git+https://github.com/nodejs/gyp-next
-          python3 -m pip install packaging
-          echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
           echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
 
-      - name: Use MSYS2 environment and install more dependencies (Windows)
+      - name: Install dependencies (Windows)
         if: runner.os == 'Windows'
         run: |
           # shellcheck disable=SC2028
           {
-            echo "C:\\msys64\\usr\\bin"
-            echo "C:\\msys64\\mingw64\\bin"
+            echo C:/msys64/usr/bin
+            echo C:/msys64/mingw64/bin
           } >> "$GITHUB_PATH"
           /c/msys64/usr/bin/pacman -S --noconfirm nsinstall
           python3 -m pip install git+https://github.com/nodejs/gyp-next

diff --git a/README.md b/README.md
@@ -1,82 +1,102 @@
-# Neqo, an Implementation of QUIC written in Rust
+# Neqo, an Implementation of QUIC in Rust
 
 ![neqo logo](https://github.com/mozilla/neqo/raw/main/neqo.png "neqo logo")
 
-To run test HTTP/3 programs (neqo-client and neqo-server):
+To build Neqo:
 
-* `cargo build`
-* `./target/debug/neqo-server '[::]:12345' --db ./test-fixture/db`
-* `./target/debug/neqo-client http://127.0.0.1:12345/`
-
-If a "Failure to load dynamic library" error happens at runtime, do
 ```shell
-export LD_LIBRARY_PATH="$(dirname "$(find . -name libssl3.so -print | head -1)")"
+cargo build
 ```
 
-On a macOS, do
+This will use a system-installed [NSS][NSS] library if it is new enough. (See "Build with Separate NSS/NSPR" below if NSS is not installed or it is deemed too old.)
+
+To run test HTTP/3 programs (`neqo-client` and `neqo-server`):
+
 ```shell
-export DYLD_LIBRARY_PATH="$(dirname "$(find . -name libssl3.dylib -print | head -1)")"
+./target/debug/neqo-server '[::]:12345'
+./target/debug/neqo-client 'https://[::]:12345/'
 ```
 
-## Faster Builds with Separate NSS/NSPR
+## Build with separate NSS/NSPR
 
-You can clone NSS (https://hg.mozilla.org/projects/nss) and NSPR
-(https://hg.mozilla.org/projects/nspr) into the same directory and export an
+You can clone [NSS][NSS] and [NSPR][NSPR] into the same directory and export an
 environment variable called `NSS_DIR` pointing to NSS.  This causes the build to
 use the existing NSS checkout.  However, in order to run anything that depends
-on NSS, you need to set `$\[DY]LD\_LIBRARY\_PATH` to point to
-`$NSS_DIR/../dist/Debug/lib`.
+on NSS, you need to set an environment as follows:
+
+### Linux
+
+```shell
+export LD_LIBRARY_PATH="$(dirname "$(find . -name libssl3.so -print | head -1)")"
+```
+
+### macOS
+
+```shell
+export DYLD_LIBRARY_PATH="$(dirname "$(find . -name libssl3.dylib -print | head -1)")"
+```
 
-Note: If you did not compile NSS separately, you need to have mercurial (hg), installed.
-NSS builds require gyp, and ninja (or ninja-build) to be present also.
+Note: If you did not already compile NSS separately, you need to have
+[Mercurial (hg)][HG], installed. NSS builds require [GYP][GYP] and
+[Ninja][NINJA] to be installed.
 
 ## Debugging Neqo
 
-### QUIC Logging
+### QUIC logging
 
-Enable [QLOG](https://datatracker.ietf.org/doc/draft-ietf-quic-qlog-main-schema/) with:
+Enable generation of [QLOG][QLOG] logs with:
 
-```
-$ mkdir "$logdir"
-$ ./target/debug/neqo-server '[::]:12345' --db ./test-fixture/db --qlog-dir "$logdir"
-$ ./target/debug/neqo-client 'https://[::]:12345/' --qlog-dir "$logdir"
+```shell
+target/debug/neqo-server '[::]:12345' --qlog-dir .
+target/debug/neqo-client 'https://[::]:12345/' --qlog-dir .
 ```
 
-You may use https://qvis.quictools.info/ by uploading the QLOG files and visualize the flows.
+You can of course specify a different directory for the QLOG files.
+You can upload QLOG files to [qvis][QVIS] to visualize the flows.
 
-### Using SSLKEYLOGFILE to decrypt Wireshark logs
+### Using `SSLKEYLOGFILE` to decrypt Wireshark logs
 
-[Info here](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format)
-
-TODO: What is the minimum Wireshark version needed?
-TODO: Above link may be incorrect, protocol now called TLS instead of SSL?
+You can export TLS keys by setting the `SSLKEYLOGFILE` environment variable
+to a filename to instruct NSS to dump keys in the
+[standard format](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
+to enable decryption by [Wireshark](https://wiki.wireshark.org/TLS) and other tools.
 
 ### Using RUST_LOG effectively
 
 As documented in the [env_logger documentation](https://docs.rs/env_logger/),
 the `RUST_LOG` environment variable can be used to selectively enable log messages
-from Rust code. This works for Neqo's cmdline tools, as well as for when Neqo is
+from Rust code. This works for Neqo's command line tools, as well as for when Neqo is
 incorporated into Gecko, although [Gecko needs to be built in debug mode](https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Configuring_Build_Options).
 
 Some examples:
-1. `RUST_LOG=neqo_transport::dump ./mach run` lists sent and received QUIC
-   packets and their frames' contents only.
-1. `RUST_LOG=neqo_transport=debug,neqo_http3=trace,info ./mach run` sets a
-   'debug' log level for transport, 'trace' level for http3, and 'info' log
+
+1. ```shell
+   RUST_LOG=neqo_transport::dump ./mach run
+   ```
+
+   lists sent and received QUIC packets and their frames' contents only.
+
+1. ```shell
+   RUST_LOG=neqo_transport=debug,neqo_http3=trace,info ./mach run
+   ```
+
+   sets a `debug` log level for `transport`, `trace` level for `http3`, and `info` log
    level for all other Rust crates, both Neqo and others used by Gecko.
-1. `RUST_LOG=neqo=trace,error ./mach run` sets `trace` level for all modules
-   starting with "neqo", and sets `error` as minimum log level for other
-   unrelated Rust log messages.
 
+1. ```shell
+   RUST_LOG=neqo=trace,error ./mach run
+   ```
+
+   sets `trace` level for all modules starting with `neqo`, and sets `error` as minimum log level for other unrelated Rust log messages.
 
-### Trying In-development Neqo code in Gecko
+### Trying in-development Neqo code in Gecko
 
 In a checked-out copy of Gecko source, set `[patches.*]` values for the four
 Neqo crates to local versions in the root `Cargo.toml`. For example, if Neqo
 was checked out to `/home/alice/git/neqo`, add the following lines to the root
 `Cargo.toml`.
 
-```
+```toml
 [patch."https://github.com/mozilla/neqo"]
 neqo-http3 = { path = "/home/alice/git/neqo/neqo-http3" }
 neqo-transport = { path = "/home/alice/git/neqo/neqo-transport" }
@@ -87,11 +107,23 @@ neqo-crypto = { path = "/home/alice/git/neqo/neqo-crypto" }
 
 Then run the following:
 
-```
+```shell
 ./mach vendor rust
 ```
 
-Compile Gecko as usual with `./mach build`.
+Compile Gecko as usual with
+
+```shell
+./mach build
+```
 
 Note: Using newer Neqo code with Gecko may also require changes (likely to `neqo_glue`) if
 something has changed.
+
+[NSS]: https://hg.mozilla.org/projects/nss
+[NSPR]: https://hg.mozilla.org/projects/nspr
+[GYP]: https://github.com/nodejs/gyp-next
+[HG]: https://www.mercurial-scm.org/
+[NINJA]: https://ninja-build.org/
+[QLOG]: https://datatracker.ietf.org/doc/draft-ietf-quic-qlog-main-schema/
+[QVIS]: https://qvis.quictools.info/
diff --git a/neqo-crypto/Cargo.toml b/neqo-crypto/Cargo.toml
@@ -21,6 +21,7 @@ neqo-common = { path = "../neqo-common" }
 # Sync with https://searchfox.org/mozilla-central/source/Cargo.lock 2024-02-08
 bindgen = { version = "0.69", default-features = false, features = ["runtime"] }
 mozbuild = { version = "0.1", default-features = false, optional = true }
+semver = { version = "1.0", default-features = false }
 serde = { version = "1.0", default-features = false }
 serde_derive = { version = "1.0", default-features = false }
 toml = { version = "0.5", default-features = false }

diff --git a/neqo-crypto/bindings/bindings.toml b/neqo-crypto/bindings/bindings.toml
@@ -265,8 +265,3 @@ enums = [
 [nspr_time]
 types = ["PRTime"]
 functions = ["PR_Now"]
-
-[mozpkix]
-cplusplus = true
-types = ["mozilla::pkix::ErrorCode"]
-enums = ["mozilla::pkix::ErrorCode"]
diff --git a/neqo-crypto/bindings/mozpkix.hpp b/neqo-crypto/bindings/mozpkix.hpp