From bbcaaf50087cd90bf666ec5434904c6a261d70ea Mon Sep 17 00:00:00 2001
From: Lars Eggert
Date: Thu, 14 Mar 2024 16:06:51 +1000
Subject: [PATCH] Revert many things, keep building NSS from source unless system version is OK
---
.github/actions/nss/action.yml | 91 ++++++++++++++++++++++++++++++++++
.github/workflows/bench.yml | 3 ++
.github/workflows/check.yml | 37 +++++++++-----
docs/linux_build.md | 42 +++++++++++++---
qns/Dockerfile | 32 ++++++------
5 files changed, 169 insertions(+), 36 deletions(-)
create mode 100644 .github/actions/nss/action.yml
diff --git a/.github/actions/nss/action.yml b/.github/actions/nss/action.yml
new file mode 100644
index 0000000000..347c53cb8e
--- /dev/null
+++ b/.github/actions/nss/action.yml
@@ -0,0 +1,91 @@
+name: Fetch and build NSS
+description: Fetch and build NSS
+
+inputs:
+ type:
+ description: "Whether to do a debug or release build of NSS"
+ default: "Release"
+
+# This step might be removed if the distro included a recent enough
+# version of NSS. Ubuntu 20.04 only has 3.49, which is far too old.
+# (neqo-crypto/build.rs would also need to query pkg-config to get the
+# right build flags rather than building NSS.)
+#
+# Also see https://github.com/mozilla/neqo/issues/1711
+
+runs:
+ using: composite
+ steps:
+ - name: Check system NSS version
+ shell: bash
+ run: |
+ if ! command -v pkg-config &> /dev/null; then
+ echo "BUILD_NSS=1" >> "$GITHUB_ENV
+ exit 0
+ fi
+ NSS_VERSION=$(pkg-config --modversion nss)
+ NSS_MAJOR=$(echo $NSS_VERSION | cut -d. -f1)
+ NSS_MINOR=$(echo $NSS_VERSION | cut -d. -f2)
+ if [ $NSS_MAJOR -ne 3 ] || [ $NSS_MINOR -lt 98 ]; then
+ echo "System NSS is too old: $NSS_VERSION"
+ echo "BUILD_NSS=1" >> "$GITHUB_ENV
+ else
+ echo "System NSS is suitable: $NSS_VERSION"
+ echo "BUILD_NSS=0" >> "$GITHUB_ENV
+ fi
+
+ # Ideally, we'd use this. But things are sufficiently flaky that we're better off
+ # trying both hg and git. Leaving this here in case we want to re-try in the future.
+ #
+ # - name: Checkout NSPR
+ # if: env.BUILD_NSS
+ # uses: actions/checkout@v4
+ # with:
+ # repository: "nss-dev/nspr"
+ # path: ${{ github.workspace }}/nspr
+
+ # - name: Checkout NSS
+ # if: env.BUILD_NSS
+ # uses: actions/checkout@v4
+ # with:
+ # repository: "nss-dev/nss"
+ # path: ${{ github.workspace }}/nss
+
+ - name: Checkout NSPR
+ shell: bash
+ if: env.BUILD_NSS
+ run: |
+ hg clone https://hg.mozilla.org/projects/nspr "${{ github.workspace }}/nspr" || \
+ git clone --depth=1 https://github.com/nss-dev/nspr "${{ github.workspace }}/nspr"
+
+ - name: Checkout NSS
+ shell: bash
+ if: env.BUILD_NSS
+ run: |
+ hg clone https://hg.mozilla.org/projects/nss "${{ github.workspace }}/nss" || \
+ git clone --depth=1 https://github.com/nss-dev/nss "${{ github.workspace }}/nss"
+
+ - name: Build
+ shell: bash
+ if: env.BUILD_NSS
+ run: |
+ if [ "${{ inputs.type }}" != "Debug" ]; then
+ # We want to do an optimized build for accurate CPU profiling, but
+ # we also want debug symbols and frame pointers for that, which the normal optimized NSS
+ # build process doesn't provide.
+ OPT="-o"
+ NSS_TARGET=Release
+ [ "${{ runner.os }}" != "Windows" ] && export CFLAGS="-ggdb3 -fno-omit-frame-pointer"
+ else
+ NSS_TARGET=Debug
+ fi
+ $NSS_DIR/build.sh -g -Ddisable_tests=1 $OPT --static
+ echo "NSS_TARGET=$NSS_TARGET" >> "$GITHUB_ENV"
+ NSS_OUT="$NSS_DIR/../dist/$NSS_TARGET"
+ echo "LD_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
+ echo "DYLD_FALLBACK_LIBRARY_PATH=$NSS_OUT/lib" >> "$GITHUB_ENV"
+ echo "$NSS_OUT/lib" >> "$GITHUB_PATH"
+ echo "NSS_DIR=$NSS_DIR" >> "$GITHUB_ENV"
+ env:
+ NSS_DIR: ${{ github.workspace }}/nss
+ NSPR_DIR: ${{ github.workspace }}/nspr
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index 5b7986226b..7c7f812341 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
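Review bot: The three `echo "BUILD_NSS=…" >> "$GITHUB_ENV` lines in the version-check step of action.yml lack the closing quote, which leaves the script's quoting unbalanced; each should end with `>> "$GITHUB_ENV"`. The later steps are gated with `if: env.BUILD_NSS`, but env values are strings and a non-empty `0` appears to evaluate as truthy in Actions expressions, so the source build would run even when the system NSS is accepted; `if: env.BUILD_NSS == '1'` states the intent. `pkg-config --modversion nss` is unchecked as well, so a runner that has pkg-config but no NSS development package probably fails the step instead of setting `BUILD_NSS=1`. On the supply-chain side, the NSPR and NSS clone steps here (and the `git clone --depth=1` lines added to qns/Dockerfile) build the TLS/crypto library from whatever the default branch holds at run time, from either of two origins; checking out a fixed release tag or revision (`<NSS_RELEASE_TAG>`, placeholder) would make the result reproducible and reviewable.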
@@ -32,6 +32,9 @@ jobs: version: $TOOLCHAIN components: rustfmt + - name: Fetch and build NSS and NSPR + uses: ./.github/actions/nss + - name: Build run: | cargo "+$TOOLCHAIN" bench --features bench --no-run diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 93567edc9e..f3ff3b56c6 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -46,16 +46,8 @@ jobs: env: DEBIAN_FRONTEND: noninteractive run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends lld - sudo apt-get remove -y pkg-config + sudo apt-get install -y --no-install-recommends gyp mercurial ninja-build lld echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV" - # Pull in a newer version of NSS than what Ubuntu 22.04 provides. Once newer - # GitHub runners are available, we can check if their NSS is sufficient. - eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" - brew update - brew install nss pkg-config - echo "/home/linuxbrew/.linuxbrew/bin" >> "$GITHUB_PATH" - name: Install dependencies (MacOS) if: runner.os == 'MacOS' 
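Review bot: The new `sudo apt-get install -y --no-install-recommends gyp mercurial ninja-build lld` line in check.yml no longer has `sudo apt-get update` in front of it, since that line is removed in the same hunk. Hosted runner images can carry a package index that is older than the mirrors, in which case the install fails on package versions that no longer exist; keeping `sudo apt-get update` as the first command avoids that. The step's header is outside the hunk, so this assumes nothing earlier in the step refreshes the index.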
@@ -68,24 +60,43 @@ jobs: - name: Install dependencies (Windows) if: runner.os == 'Windows' run: | - vcpkg install nss - # See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash - rm /usr/bin/link.exe + # shellcheck disable=SC2028 + { + echo C:/msys64/usr/bin + echo C:/msys64/mingw64/bin + } >> "$GITHUB_PATH" + /c/msys64/usr/bin/pacman -S --noconfirm nsinstall + python3 -m pip install git+https://github.com/nodejs/gyp-next + echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH" - name: Set up MSVC build environment (Windows) if: runner.os == 'Windows' uses: ilammy/msvc-dev-cmd@v1 + - name: Set up NSS/NSPR build environment (Windows) + if: runner.os == 'Windows' + run: | + { + echo "GYP_MSVS_OVERRIDE_PATH=$VSINSTALLDIR" + echo "GYP_MSVS_VERSION=2022" + echo "BASH=$SHELL" + } >> "$GITHUB_ENV" + # See https://github.com/ilammy/msvc-dev-cmd#name-conflicts-with-shell-bash + rm /usr/bin/link.exe + - name: Install Rust uses: ./.github/actions/rust with: version: ${{ matrix.rust-toolchain }} components: rustfmt, clippy, llvm-tools-preview + - name: Fetch and build NSS and NSPR + uses: ./.github/actions/nss + - name: Build run: | # shellcheck disable=SC2086 - cargo +${{ matrix.rust-toolchain }} build -vv $BUILD_TYPE --all-targets --features ci + cargo +${{ matrix.rust-toolchain }} build $BUILD_TYPE --all-targets --features ci - name: Run tests and determine coverage run: | diff --git a/docs/linux_build.md b/docs/linux_build.md index bf64dbbb67..210d32034e 100644 --- a/docs/linux_build.md +++ b/docs/linux_build.md @@ -2,10 +2,8 @@ ## Table of Contents -- [Build Process for Linux](#build-process-for-linux) - - [Table of Contents](#table-of-contents) - - [System Details](#system-details) - - [Installation Steps](#installation-steps) +1. [System Details](#system-details) +2. [Installation Steps](#installation-steps) ## System Details 
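Review bot: `python3 -m pip install git+https://github.com/nodejs/gyp-next` in the Windows dependency step of check.yml installs whatever the repository's default branch contains at run time, and that tool then drives the NSS build. Pinning it to a commit, `git+https://github.com/nodejs/gyp-next@<COMMIT_SHA>` (placeholder), or to a released version keeps the Windows job reproducible and narrows what an upstream change can affect. The same step pulls `nsinstall` with `pacman -S --noconfirm` and no version, which is harder to pin but worth a one-line comment recording that it floats.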
@@ -93,12 +91,40 @@ sudo apt-get update sudo apt-get install -y --no-install-recommends \ ca-certificates coreutils curl git make mercurial ssh \ build-essential clang llvm libclang-dev gyp ninja-build \ -pkg-config zlib1g-dev sudo libnss3-dev +pkg-config zlib1g-dev sudo ``` -1. Install rust. Follow the steps from [https://www.rust-lang.org/tools/install](https://www.rust-lang.org/tools/install) +2. Remove orphaned packages and clear local repository (optional) -2. Navigate to your workspace and checkout **Neqo** +```shell +sudo apt-get autoremove -y && sudo apt-get clean -y +``` + +3. Install rust. Follow the steps from [https://www.rust-lang.org/tools/install](https://www.rust-lang.org/tools/install) + +4. Export following path variables. `$HOME` is your home directory which is usually `/home/{username}`. `LD_LIBRARY_PATH` will be `$NSS_DIR/../dist/Debug/lib` + +```shell +export NSS_DIR=$HOME/nss +export NSPR_DIR=$HOME/nspr +export LD_LIBRARY_PATH=$NSS_DIR/../dist/Debug/lib +``` + +5. Clone **NSS** and **NSPR** + +```shell +hg clone https://hg.mozilla.org/projects/nss "$NSS_DIR" +hg clone -u NSPR_4_25_RTM https://hg.mozilla.org/projects/nspr "$NSPR_DIR" +``` + +6. Build **NSS** + +```shell +cd $NSS_DIR +./build.sh --static -Ddisable_tests=1 +``` + +7. Navigate to your workspace and checkout **Neqo** ```shell git clone https://github.com/mozilla/neqo.git @@ -117,6 +143,6 @@ cargo test -v ```shell #Start server cargo run --bin neqo-server -- [::]:12345 --db ./test-fixture/db -#Run Client (In seperate shell.) +#Run Client (In seperate shell. Will require LD_LIBRARY_PATH to be exported) ./target/debug/neqo-client http://127.0.0.1:12345/ ``` diff --git a/qns/Dockerfile b/qns/Dockerfile index 789a41d72c..eed7d3f986 100644 --- a/qns/Dockerfile +++ b/qns/Dockerfile 
@@ -1,9 +1,9 @@ FROM martenseemann/quic-network-simulator-endpoint:latest AS buildimage RUN apt-get update && apt-get install -y --no-install-recommends \ - curl build-essential libclang-dev pkg-config \ - build-essential procps curl file git \ - && apt-get remove -y pkg-config \ + curl git mercurial \ + build-essential libclang-dev lld \ + gyp ninja-build zlib1g-dev python \ && apt-get autoremove -y && apt-get clean -y \ && rm -rf /var/lib/apt/lists/* 
@@ -16,29 +16,31 @@ ENV RUSTUP_HOME=/usr/local/rustup \ RUN curl https://sh.rustup.rs -sSf | \ sh -s -- -y -q --no-modify-path --profile minimal --default-toolchain $RUST_VERSION -# Pull in a newer version of NSS with Homebrew. Note this only works on Intel platforms. -# Once martenseemann/quic-network-simulator-endpoint uses an Ubuntu flavor with a new-enough -# NSS, we should remove this and install NSS from the package manager. -RUN useradd --create-home --shell /bin/bash --user-group linuxbrew \ - && echo 'linuxbrew ALL=(ALL) NOPASSWD:ALL' >>/etc/sudoers -USER linuxbrew -RUN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" -RUN /home/linuxbrew/.linuxbrew/bin/brew install nss pkg-config +ENV NSS_DIR=/nss \ + NSPR_DIR=/nspr \ + LD_LIBRARY_PATH=/dist/Release/lib + +RUN set -eux; \ + git clone --depth=1 https://github.com/nss-dev/nspr "$NSPR_DIR"; \ + git clone --depth=1 https://github.com/nss-dev/nss "$NSS_DIR" + +RUN "$NSS_DIR"/build.sh --static -Ddisable_tests=1 -o -USER root ADD . /neqo RUN set -eux; \ cd /neqo; \ - export PATH=/home/linuxbrew/.linuxbrew/bin:$PATH; \ - cargo build --release --bin neqo-client --bin neqo-server + RUSTFLAGS="-g -C link-arg=-fuse-ld=lld" cargo build --release \ + --bin neqo-client --bin neqo-server # Copy only binaries to the final image to keep it small. FROM martenseemann/quic-network-simulator-endpoint:latest -# TODO: install NSS +ENV LD_LIBRARY_PATH=/neqo/lib COPY --from=buildimage /neqo/target/release/neqo-client /neqo/target/release/neqo-server /neqo/bin/ +COPY --from=buildimage /dist/Release/lib/*.so /neqo/lib/ +COPY --from=buildimage /dist/Release/bin/certutil /dist/Release/bin/pk12util /neqo/bin/ COPY qns/interop.sh /neqo/ RUN chmod +x /neqo/interop.sh