Merge pull request scylladb#99 from graphcareful/redpanda-current-hea…

…d-ss-ossl Add OpenSSL as an alternative TLS implementation
graphcareful · Mar 21, 2024 · 9532f94 · 9532f94
2 parents eaeb66d + 0e8cfae
commit 9532f94
Show file tree

Hide file tree

Showing 10 changed files with 1,817 additions and 886 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -90,7 +90,10 @@ if (NOT Seastar_SCHEDULING_GROUPS_COUNT MATCHES "^[1-9][0-9]*")
   message(FATAL_ERROR "Seastar_SCHEDULING_GROUPS_COUNT must be a positive number (${Seastar_SCHEDULING_GROUPS_COUNT})")
 endif()
 
-#
+option (Seastar_WITH_OSSL
+  "Use OpenSSL for underlying TLS mechanism"
+  OFF)
+
 # Add a dev build type.
 #
 # All pre-defined build modes include optimizations or debug info,
@@ -404,6 +407,10 @@ find_package (ragel 6.10 REQUIRED)
 find_package (Threads REQUIRED)
 find_package (PthreadSetName REQUIRED)
 find_package (Valgrind REQUIRED)
+# TODO(rob) - Add as cooking_ingredient instead
+if (Seastar_WITH_OSSL)
+  find_package (OpenSSL 3.0.0 REQUIRED)
+endif()
 
 #
 # Code generation helpers.
@@ -728,7 +735,9 @@ add_library (seastar
   src/net/socket_address.cc
   src/net/stack.cc
   src/net/tcp.cc
-  src/net/tls.cc
+  $<$<NOT:$<BOOL:${Seastar_WITH_OSSL}>>:src/net/tls.cc>
+  $<$<BOOL:${Seastar_WITH_OSSL}>:src/net/ossl.cc>
+  src/net/tls-impl.cc
   src/net/udp.cc
   src/net/unix_address.cc
   src/net/virtio.cc
@@ -746,7 +755,7 @@ add_library (seastar
   src/util/read_first_line.cc
   src/util/tmp_file.cc
   src/util/short_streams.cc
-  src/websocket/server.cc
+  $<$<NOT:$<BOOL:${Seastar_WITH_OSSL}>>:src/websocket/server.cc>
   )
 
 add_library (Seastar::seastar ALIAS seastar)
@@ -793,7 +802,12 @@ target_link_libraries (seastar
     SourceLocation::source_location
   PRIVATE
     ${CMAKE_DL_LIBS}
+    # TODO(rob) - GnuTLS still a dependency until its last use (gnutls_hash_hd_t) in
+    # seastar/net/tcp.hh can be removed
+    # $<$<NOT:$<BOOL:${Seastar_WITH_OSSL}>>:GnuTLS::gnutls>
     GnuTLS::gnutls
+    $<$<BOOL:${Seastar_WITH_OSSL}>:OpenSSL::SSL>
+    $<$<BOOL:${Seastar_WITH_OSSL}>:OpenSSL::Crypto>
     StdAtomic::atomic
     lksctp-tools::lksctp-tools
     rt::rt

diff --git a/demos/CMakeLists.txt b/demos/CMakeLists.txt
@@ -62,8 +62,10 @@ endif ()
 seastar_add_demo (hello-world
   SOURCES hello-world.cc)
 
+if (NOT ${Seastar_WITH_OSSL})
 seastar_add_demo (websocket
   SOURCES websocket_demo.cc)
+endif()
 
 seastar_add_demo (echo
   SOURCES echo_demo.cc)

diff --git a/demos/tls_echo_server.hh b/demos/tls_echo_server.hh
@@ -94,6 +94,7 @@ public:
                         }).then([strms]{
                             return strms->out.close();
                         }).handle_exception([](auto ep) {
+                            std::cout << "Exception: " << ep << std::endl;
                         }).finally([this, strms]{
                             if (_verbose) {
                                 std::cout << "Ending session" << std::endl;

diff --git a/include/seastar/net/tls.hh b/include/seastar/net/tls.hh
@@ -104,16 +104,6 @@ namespace tls {
         std::unique_ptr<impl> _impl;
     };
 
-    class x509_cert {
-        x509_cert(const blob&, x509_crt_format);
-
-        static future<x509_cert> from_file(const sstring&, x509_crt_format);
-    private:
-        class impl;
-        x509_cert(shared_ptr<impl>);
-        shared_ptr<impl> _impl;
-    };
-
     class abstract_credentials {
     public:
         virtual ~abstract_credentials() {};
@@ -152,6 +142,10 @@ namespace tls {
      */
     using dn_callback = noncopyable_function<void(session_type type, sstring subject, sstring issuer)>;
 
+    enum class client_auth {
+        NONE, REQUEST, REQUIRE
+    };
+
     /**
      * Holds certificates and keys.
      *
@@ -234,6 +228,9 @@ namespace tls {
          */
         std::optional<std::vector<cert_info>> get_trust_list_info() const noexcept;
 
+        /// TODO(rob) comment these
+        void enable_load_system_trust();
+        void set_client_auth(client_auth);
     private:
         class impl;
         friend class session;
@@ -251,10 +248,6 @@ namespace tls {
         using runtime_error::runtime_error;
     };
 
-    enum class client_auth {
-        NONE, REQUEST, REQUIRE
-    };
-
     /**
      * Extending certificates and keys for server usage.
      * More probably goes in here...
@@ -465,4 +458,4 @@ namespace tls {
     extern const int ERROR_UNKNOWN_SRP_USERNAME;
     extern const int ERROR_PREMATURE_TERMINATION;
 }
-}
+}
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -65,7 +65,8 @@ target_sources (seastar-module
     net/packet.cc
     net/inet_address.cc
     net/socket_address.cc
-    net/tls.cc
+    $<$<NOT:$<BOOL:${Seastar_WITH_OSSL}>>:src/net/tls.cc>
+    $<$<BOOL:${Seastar_WITH_OSSL}>:src/net/ossl.cc>
     net/virtio.cc
     http/common.cc
     http/file_handler.cc
@@ -111,7 +112,9 @@ target_link_libraries (seastar-module
     SourceLocation::source_location
   PRIVATE
     ${CMAKE_DL_LIBS}
-    GnuTLS::gnutls
+    $<$<NOT:$<BOOL:${Seastar_WITH_OSSL}>>:GnuTLS::gnutls>
+    $<$<BOOL:${Seastar_WITH_OSSL}>:OpenSSL::SSL>
+    $<$<BOOL:${Seastar_WITH_OSSL}>:OpenSSL::Crypto>
     StdAtomic::atomic
     lksctp-tools::lksctp-tools
     rt::rt