main/build: Add p11-kit and initialize

For p11 certification/validation

CMakeLists.txt

@@ -148,6 +148,7 @@ find_package(ICU COMPONENTS uc i18n REQUIRED)
 find_package(fmt 10.0.0 REQUIRED)
 find_package(libdeflate REQUIRED)
 find_package(libxcrypt REQUIRED)
+find_package(p11-kit REQUIRED)
 find_package(Snappy REQUIRED)
 find_package(RapidJSON REQUIRED)
 find_package(xxHash REQUIRED)
@@ -345,6 +346,7 @@ if(Scylla_ENABLE_LTO)
 endif()
 
 target_link_libraries(scylla PRIVATE
+    p11-kit::p11-kit
     Seastar::seastar
     absl::headers
     yaml-cpp::yaml-cpp

cmake/Findp11-kit.cmake

@@ -0,0 +1,48 @@
+#
+# Copyright 2023-present ScyllaDB
+#
+
+#
+# SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
+#
+find_package(PkgConfig REQUIRED)
+
+pkg_check_modules(PC_p11_kit QUIET p11-kit-1)
+
+find_library(p11-kit_LIBRARY
+  NAMES p11-kit
+  PATH_SUFFIXES p11-kit-1
+  HINTS
+    ${PC_p11_kit_LIBDIR}
+    ${PC_p11_kit_LIBRARY_DIRS})
+
+find_path(p11-kit_INCLUDE_DIR
+  NAMES p11-kit/p11-kit.h
+  HINTS
+    ${PC_p11_kit_INCLUDEDIR}
+    ${PC_p11_kit_INCLUDE_DIRS})
+
+mark_as_advanced(
+  p11-kit_LIBRARY
+  p11-kit_INCLUDE_DIR)
+
+include(FindPackageHandleStandardArgs)
+
+find_package_handle_standard_args(p11-kit
+  REQUIRED_VARS
+    p11-kit_LIBRARY
+    p11-kit_INCLUDE_DIR
+  VERSION_VAR PC_p11_kit_VERSION)
+
+if(p11-kit_FOUND)
+  set(p11-kit_LIBRARIES ${p11-kit_LIBRARY})
+  set(p11-kit_INCLUDE_DIRS ${p11-kit_INCLUDE_DIR})
+  if(NOT(TARGET p11-kit::p11-kit))
+    add_library(p11-kit::p11-kit UNKNOWN IMPORTED)
+
+    set_target_properties(p11-kit::p11-kit
+      PROPERTIES
+        IMPORTED_LOCATION ${p11-kit_LIBRARY}
+        INTERFACE_INCLUDE_DIRECTORIES ${p11-kit_INCLUDE_DIRS})
+  endif()
+endif()

configure.py

@@ -2004,7 +2004,6 @@ def query_seastar_flags(pc_file, use_shared_libs, link_static_cxx=False):
         libs = f"-Wl,-rpath='{rpath}' {libs}"
     if link_static_cxx:
         libs = libs.replace('-lstdc++ ', '')
-
     testing_libs = pkg_config(pc_file.replace('seastar.pc', 'seastar-testing.pc'), '--libs', '--static')
     return {'seastar_cflags': cflags,
             'seastar_libs': libs,
@@ -2028,6 +2027,8 @@ libs = ' '.join([maybe_static(args.staticyamlcpp, '-lyaml-cpp'), '-latomic', '-l
                  '-ldeflate',
                 ])
 
+args.user_cflags += " " + pkg_config('p11-kit-1', '--cflags')
+
 if not args.staticboost:
     user_cflags += ' -DBOOST_ALL_DYN_LINK'
 

main.cc

@@ -118,6 +118,12 @@
 #include "utils/shared_dict.hh"
 #include "message/dictionary_service.hh"
 
+
+#define P11_KIT_FUTURE_UNSTABLE_API
+extern "C" {
+#include <p11-kit/p11-kit.h>
+}
+
 seastar::metrics::metric_groups app_metrics;
 
 using namespace std::chrono_literals;
@@ -2451,5 +2457,20 @@ int main(int ac, char** av) {
         return 0;
     }
 
+    // We have to override p11-kit config path before p11-kit initialization.
+    // And the initialization will invoke on seastar initalization, so it has to
+    // be before app.run()
+    // #3583 - need to potentially ensure this for tools as well, since at least
+    // sstable* might need crypto libraries.
+    auto scylla_path = fs::read_symlink(fs::path("/proc/self/exe")); // could just be argv[0] I guess...
+    auto p11_modules = scylla_path.parent_path().parent_path().append("share/p11-kit/modules");
+    // Note: must be in scope for application lifetime. p11_kit_override_system_files does _not_
+    // copy input strings.
+    auto p11_modules_str = p11_modules.string<char>();
+    // #3392 only do this if we are actually packaged and the path exists.
+    if (fs::exists(p11_modules)) {
+        ::p11_kit_override_system_files(NULL, NULL, p11_modules_str.c_str(), NULL, NULL);
+    }
+
     return main_func(ac, av);
 }