Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l2SPe-0000ya-HY for pgsql-hackers@arkaria.postgresql.org; Thu, 21 Jan 2021 05:21:43 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1l2SPd-0006r6-Eo for pgsql-hackers@arkaria.postgresql.org; Thu, 21 Jan 2021 05:21:41 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l2SPb-0006qz-Us for pgsql-hackers@lists.postgresql.org; Thu, 21 Jan 2021 05:21:41 +0000 Received: from out2-smtp.messagingengine.com ([66.111.4.26]) by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l2SPY-0000U0-4x for pgsql-hackers@lists.postgresql.org; Thu, 21 Jan 2021 05:21:39 +0000 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 213CA5C0124; Thu, 21 Jan 2021 00:21:34 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Thu, 21 Jan 2021 00:21:34 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm3; bh=0QbTGlKxpOffQlqdRcgbGtHLkmk E4EnQDUDP+HUUPB4=; b=Q1YOf7r9KmODwSthUwWtMxyH448DhP+irXxlYQC9PbP UBB6LOk+YL7p3tN4oAGQTQBgXhknihRetzwA+nFphq2XX+vSjMloFTjqpKfz80Qf ASbrbCY/RRyefmA903WCIulnSPm1q1Q2UAf1OfddYnu83qCipr0e0THwlBc0Yu3l 23su3Osrm+Z+CukB49NxIHOWYr56lKzUAu99RM1frDoLirJiGEu4Rm/a+5DKAdbE uAZDjJTpt5/D5XWKlyXXUB19RsJcGfdkxp5LsnVWxMklvNi29ib2h1bQRxZaSKGE neK7Pybwtd+xVBdl7zKWM//fBbkBhCzq5jxEBwN6SDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=0QbTGl KxpOffQlqdRcgbGtHLkmkE4EnQDUDP+HUUPB4=; b=ZV/Q6isbt2Vg15JBqbx3oC S6mwT20WzKltpJQjYpuBhbIsE0NVQQdEmjewnRf02uuSmyeKR8er/flXq5v5RcXD 7/mcfkwgnQ9TXaRHItt2GRKwVjimIJK7fr3kTOEPSWPQGndAhHUGDtrTg8oql3Rf 0irB934mSE54xL9yq2DksQAjJU6jCwBrI349RaDF41sxVPxAr2IfT0oBb/7jljAx xgPainCCAOJkV3npVk0PTvf4yRUkgviNmhnpAGQxM1GhxnZIXuxFEJsglbNaLoS/ pSRLCuiE80xLln3t/DWCBKIhRJQ2INfhLeNAU5vLZz2WmNUXRcjGcx3kyDDBKEbw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudefgdekudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfg hrlhcuvffnffculdejtddmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttddv necuhfhrohhmpefoihgthhgrvghlucfrrghquhhivghruceomhhitghhrggvlhesphgrqh huihgvrhdrgiihiieqnecuggftrfgrthhtvghrnhepvdegudeuhfdtueeltedtveejheeh ieevueeigeelteegleejleeiueeiheegvefhnecukfhppeduuddurddutddvrddukedtrd dukeehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep mhhitghhrggvlhesphgrqhhuihgvrhdrgiihii X-ME-Proxy: Received: from paquier.xyz (ee0822lan1.rev.em-net.ne.jp [111.102.180.185]) by mail.messagingengine.com (Postfix) with ESMTPA id 5D6931080057; Thu, 21 Jan 2021 00:21:31 -0500 (EST) Date: Thu, 21 Jan 2021 14:21:27 +0900 From: Michael Paquier To: Daniel Gustafsson Cc: Jacob Champion , Heikki Linnakangas , Andres Freund , Postgres hackers , Andrew Dunstan , Stephen Frost , Thomas Munro Subject: Re: Support for NSS as a libpq TLS backend Message-ID: References: <1B0B31E4-AD37-475C-9374-7E24AA808479@vmware.com> <5C27CF6F-5BD3-4639-AAA6-73465595B6DF@vmware.com> <7B5A88DF-863A-4B00-B841-0285C1FF70DF@yesql.se> <5F24348B-10BA-4AA1-999B-1E2AB22B4997@vmware.com> <94E22878-6289-43D5-A674-804F6CB23782@yesql.se> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="rJ50jXzvhDmaTWg8" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk --rJ50jXzvhDmaTWg8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 19, 2021 at 09:21:41PM +0100, Daniel Gustafsson wrote: >> In order to >> move on with this set, I would suggest to extract some parts of the >> patch set independently of the others and have two buildfarm members >> for the MSVC and non-MSVC cases to stress the parts that can be >> committed. Just seeing the size, we could move on with: >> - The ./configure set, with the change to introduce --with-ssl=3Dopenssl= =2E=20 >> - 0004 for strong randoms. >> - Support for cryptohashes. >=20 > I will leave it to others to decide the feasibility of this, I'm happy to= slice > and dice the commits into smaller bits to for example separate out the > --with-ssl autoconf change into a non NSS dependent commit, if that's wan= ted. IMO it makes sense to extract the independent pieces and build on top of them. The bulk of the changes is likely going to have a bunch of comments if reviewed deeply, so I think that we had better remove from the stack the small-ish problems to ease the next moves. The =2E/configure part and replacement of with_openssl by with_ssl is mixed in 0001 and 0002, which is actually confusing. And, FWIW, I would be fine with applying a patch that introduces a --with-ssl with a compatibility kept for --with-openssl. This is what 0001 is doing, actually, similarly to the past switches for --with-uuid. A point that has been mentioned offline by you, but not mentioned on this list. The structure of the modules in src/test/ssl/ could be refactored to help with an easier integration of more SSL libraries. This makes sense taken independently. > Based on an offlist discussion I believe this was a misunderstanding, but= if I > instead misunderstood that feel free to correct me with how you think this > should be done. The point would be to rename BITS_PER_BYTE to PG_BITS_PER_BYTE in the code and avoid conflicts. I am not completely sure if others would agree here, but this would remove quite some ifdef/undef stuff from the code dedicated to NSS. > > src/sgml/libpq.sgml needs to document PQdefaultSSLKeyPassHook_nss, no? >=20 > Good point, fixed. Please note that patch 0001 is failing to apply after the recent commit b663a41. There are conflicts in postgres_fdw.out. Also, what's the minimum version of NSS that would be supported? It would be good to define an acceptable older version, to keep that documented and to track that perhaps with some configure checks (?), similarly to what is done for OpenSSL. Patch 0006 has three trailing whitespaces (git diff --check complains). Running the regression tests of pgcrypto, I think that the SHA2 implementation is not completely right. Some SHA2 encoding reports results from already-freed data. I have spotted a second issue within scram_HMAC_init(), where pg_cryptohash_create() remains stuck inside NSS_InitContext(), freezing the regression tests where password hashed for SCRAM are created. + ResourceOwnerEnlargeCryptoHash(CurrentResourceOwner); + ctx =3D MemoryContextAlloc(TopMemoryContext, sizeof(pg_cryptohash_ctx)); +#else + ctx =3D pg_malloc(sizeof(pg_cryptohash_ctx)); +#endif cryptohash_nss.c cannot use pg_malloc() for frontend allocations. On OOM, your patch would call exit() directly, even within libpq. But shared library callers need to know about the OOM failure. + explicit_bzero(ctx, sizeof(pg_cryptohash_ctx)); + pfree(ctx); For similar reasons, pfree should not be used for the frontend code in cryptohash_nss.c. The fallback should be just a malloc/free set. + status =3D PK11_DigestBegin(ctx->pk11_context); + + if (status !=3D SECSuccess) + return 1; + return 0; This needs to return -1 on failure, not 1. I really need to study more the choide of the options chosen for NSS_InitContext()... But based on the docs I can read on the matter I think that saving nsscontext in pg_cryptohash_ctx is right for each cryptohash built. src/tools/msvc/ is missing an update for cryptohash_nss.c. -- Michael --rJ50jXzvhDmaTWg8 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmAJD1cACgkQnvQgOdby QH0/rQ//SxtlEyCVK5+OnFa9YoYeWVRuzV6Z1P+ffgCLqd193XzPXYTIwtSW4al+ VUVI6hsLHA1BZA/mMhlD2AnksQ/zE/PV7MTYjx1ZeJ/4q9bWIMRpTfzE1fT5pQvF /j/M2zHq71B++FN7pjxSmdINyeLECd623icKHT+Aq4/OxgDMmCjUQdGUusavijVz 6K0C+4EZryBXkzrxkMCHZ8Rbu9zOPIRkaD19/FNHu6J8KWnt+okCVzPECrkMZFz9 eibfm2nNQnr+8qpHbKXcv2Q+cyU+zqMImXm2Zr6cQ7t6WKgd+lIra68bVrCF241b zdjwMGAeTptit/I6IieMJHNc1hWe2c3Vgoe+N18TF6PkdwX+Z2qGIys9ycsIYyXC rYOpEUVJF/L3qB2DNDEu4uCDkhBePuCUBEdN0KkSJ2jP1CSNFPqoUHMEkpsHKHr/ FiWrnG3lO/8aJ0CaPPTwEqY/zz9QXOGl0jU5ZHJmnFVtyg5XkyegLdCIkCKtMrqN Ur93I13pCsn5xAx1RS2y/0pAua2KhEhKeIJ7OoSCIgXnhiVG1SEhRvnIFJrAR+K4 1zgIncjz9jVSGvLjva34ylb4dSp4M2pyuh5duGa2cqlDCv160HYAPZBOHIiAxnR9 rL9imN/aVT5iQAHnKPNYlM1ak9+224OGcy96p2EJJkccB1LRVeE= =XQvp -----END PGP SIGNATURE----- --rJ50jXzvhDmaTWg8--