From ac9cecf2a41214d6ee2401df849a155dc877dc45 Mon Sep 17 00:00:00 2001 
From: Mate Szalay-Beko Date: Sat, 14 Dec 2019 09:29:51 +0100 Subject: [PATCH] ZOOKEEPER-3630: Autodetection of openssl during ZooKeeper C client build **Thanks to ztzg for raising the issue and suggesting the solution!** In this patch we enhance the way the openssl library is found during C client build. I introduced and documented a new build parameter for `configure` (`--with-openssl=...`), `cmake` (`-D WITH_OPENSSL=...`) and `mvn` (`-Dc-client-openssl=...`), so independent of the build tool, the build will work the same way: - By default, the OpenSSL library will be autodetected. If the library is found, then the C-client will be compiled with SSL support, otherwise we get a warning message, but the build will continue without SSL support. The SSL related unit tests will be skipped as well. - you can explicitly disable the SSL support (e.g. `-Dc-client-openssl=no`) - or you can specify an alternative path to look for the openssl library (e.g. `-Dc-client-openssl=/path/to/openssl`) I tested the patch - using mvn on linux - using make on linux - using cmake on linux and on windows In addition, I also added the openssl dependencies to the dev docker image and copied the OpenSSL license to the C client LICENSE file. Author: Mate Szalay-Beko Reviewers: Enrico Olivelli , Norbert Kalmar , Damien Diederen Closes #1159 from symat/ZOOKEEPER-3630 --- README_packaging.md | 11 +- dev/docker/Dockerfile | 2 +- pom.xml | 4 + .../src/main/assembly/lib-package.xml | 5 +- .../zookeeper-client-c/CMakeLists.txt | 21 +-- zookeeper-client/zookeeper-client-c/LICENSE | 133 ++++++++++++++++++ .../zookeeper-client-c/Makefile.am | 2 +- zookeeper-client/zookeeper-client-c/README | 2 + .../zookeeper-client-c/configure.ac | 44 +++--- zookeeper-client/zookeeper-client-c/pom.xml | 2 +- zookeeper-client/zookeeper-client-c/src/cli.c | 2 + .../zookeeper-client-c/ssl/gencerts.sh | 8 +- 12 files changed, 200 insertions(+), 36 deletions(-) 
diff --git a/README_packaging.md b/README_packaging.md index e2a2d47672a..b290dd9f93d 100644 --- a/README_packaging.md +++ b/README_packaging.md @@ -57,7 +57,13 @@ Optional parameters you might consider when using maven: - `-Pfull-build` - activates the full-build profile, causing the C client to be built - `-DskipTests` - this parameter will skip both java and C++ unit test execution during the build - `-Pc-test-coverage` - activates the test coverage calculation during the execution of C client tests - +- `-Dc-client-openssl` - specify ssl support and openssl library location. Default value: `yes`, resulting in + the autodetection of the openssl library. If the openssl library will not be detected, + then a warning will be shown and the C client will be compiled without SSL support. + Use `-Dc-client-openssl=no` to explicitly disable SSL feature in C client. Or use + `-Dc-client-openssl=/path/to/openssl/` if you want to use a non-default / specific + openssl library location. + Please note: if you don't provide the `-Pfull-build` parameter, then the C client will not be built, the C client tests will not be executed and the previous C client builds will no be cleaned up (e.g. with simply using `mvn clean`). @@ -66,4 +72,5 @@ The compiled C client can be found here: - `zookeeper-client/zookeeper-client-c/target/c/lib` - Native libraries - `zookeeper-client/zookeeper-client-c/target/c/include/zookeeper` - Native library headers -The same folders gets archived to the `zookeeper-assembly/target/apache-zookeeper--lib.tar.gz` file, assuming you activated the `full-build` maven profile. +The same folders gets archived to the `zookeeper-assembly/target/apache-zookeeper--lib.tar.gz` file, assuming +you activated the `full-build` maven profile. diff --git a/dev/docker/Dockerfile b/dev/docker/Dockerfile index c53b2b5b492..cead98adf1c 100644 --- a/dev/docker/Dockerfile +++ b/dev/docker/Dockerfile 
@@ -20,4 +20,4 @@ FROM maven:3.6.3-jdk-8 RUN apt-get update -RUN apt-get install -y g++ cmake autoconf libcppunit-dev libtool +RUN apt-get install -y g++ cmake autoconf libcppunit-dev libtool openssl libssl-dev diff --git a/pom.xml b/pom.xml index f7f03a2e35a..9084d01c709 100755 --- a/pom.xml +++ b/pom.xml @@ -297,6 +297,10 @@ 3.2.5 3.1.9 8.17 + + + yes + diff --git a/zookeeper-assembly/src/main/assembly/lib-package.xml b/zookeeper-assembly/src/main/assembly/lib-package.xml index 61c277900ea..81194f9e64d 100644 --- a/zookeeper-assembly/src/main/assembly/lib-package.xml +++ b/zookeeper-assembly/src/main/assembly/lib-package.xml @@ -50,10 +50,11 @@ - ${project.basedir}/.. + ${project.basedir}/../zookeeper-client/zookeeper-client-c - LICENSE.txt + LICENSE + / ${rw.file.permission} ${rwx.file.permission} diff --git a/zookeeper-client/zookeeper-client-c/CMakeLists.txt b/zookeeper-client/zookeeper-client-c/CMakeLists.txt index 05ae915e46c..06bbf983912 100644 --- a/zookeeper-client/zookeeper-client-c/CMakeLists.txt +++ b/zookeeper-client/zookeeper-client-c/CMakeLists.txt 
@@ -182,17 +182,20 @@ target_link_libraries(zookeeper PUBLIC $<$:rt> # clock_gettime $<$:ws2_32>) # Winsock 2.0 -option(WITH_OPENSSL "openssl directory" OFF) -if(WITH_OPENSSL) - target_compile_definitions(zookeeper PUBLIC HAVE_OPENSSL_H) - include_directories(${WITH_OPENSSL}/include) - link_directories(${WITH_OPENSSL}/lib) - if(WIN32) - target_link_libraries(zookeeper PUBLIC ssleay32 libeay32) +option(WITH_OPENSSL "turn ON/OFF SSL support, or define openssl library location (default: ON)" ON) +message("-- using WITH_OPENSSL=${WITH_OPENSSL}") +if(NOT WITH_OPENSSL STREQUAL "OFF") + if(NOT WITH_OPENSSL STREQUAL "ON") + set(OPENSSL_ROOT_DIR,${WITH_OPENSSL}) + endif() + find_package(OpenSSL) + if(OPENSSL_FOUND) + target_compile_definitions(zookeeper PUBLIC HAVE_OPENSSL_H) + target_link_libraries(zookeeper PUBLIC OpenSSL::SSL OpenSSL::Crypto) + message("-- OpenSSL libraries found! will build with SSL support.") else() - target_link_libraries(zookeeper PUBLIC ssl crypto) + message("-- WARNING: unable to find OpenSSL libraries! will build without SSL support.") endif() - endif() if(WANT_SYNCAPI AND NOT WIN32) diff --git a/zookeeper-client/zookeeper-client-c/LICENSE b/zookeeper-client/zookeeper-client-c/LICENSE index d6456956733..863a2219c3c 100644 --- a/zookeeper-client/zookeeper-client-c/LICENSE +++ b/zookeeper-client/zookeeper-client-c/LICENSE 
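Review bot: In the custom-path branch, `set(OPENSSL_ROOT_DIR,${WITH_OPENSSL})` has a comma where CMake expects whitespace, so the whole text is taken as a single variable name and `OPENSSL_ROOT_DIR` is never set. `find_package(OpenSSL)` then searches only the default locations, and a build configured with `-DWITH_OPENSSL=/path/to/openssl` can link the system OpenSSL while still printing the "libraries found" message, which matters when the path was given to select a patched or newer library. The line should read `set(OPENSSL_ROOT_DIR "${WITH_OPENSSL}")`. The comparisons against the literal strings "ON" and "OFF" also send other CMake boolean spellings such as `NO` or `0` down the directory branch, which looks unintended.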
@@ -200,3 +200,136 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + + + +=========================================================================================== +=== The following part contains the dual OpenSSL and SSLeay license === +=== for OpenSSL versions 1.1.1, 1.1.0, 1.0.2 and all prior releases === +=== (see https://www.openssl.org/source/license.html) === +=========================================================================================== + + + LICENSE ISSUES + ============== + + The OpenSSL toolkit stays under a double license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. 
For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. 
The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ diff --git a/zookeeper-client/zookeeper-client-c/Makefile.am b/zookeeper-client/zookeeper-client-c/Makefile.am index 8e9b1ca1ffe..34ef01208c5 100644 --- a/zookeeper-client/zookeeper-client-c/Makefile.am +++ b/zookeeper-client/zookeeper-client-c/Makefile.am @@ -9,7 +9,7 @@ if SOLARIS endif if WANT_OPENSSL - OPENSSL_CPPFLAGS = -DHAVE_OPENSSL_H -I$(OPENSSL_DIR) + OPENSSL_CPPFLAGS = -DHAVE_OPENSSL_H OPENSSL_LIB_LDFLAGS = -lssl -lcrypto endif diff --git a/zookeeper-client/zookeeper-client-c/README b/zookeeper-client/zookeeper-client-c/README index 33b179bab71..0816f626b93 100644 --- a/zookeeper-client/zookeeper-client-c/README +++ b/zookeeper-client/zookeeper-client-c/README 
@@ -81,6 +81,8 @@ Follow steps 1 and 2 above, and then continue here. -DCMAKE_BUILD_TYPE Debug by default, Release enables optimzation etc. -DWANT_SYNCAPI ON by default, OFF disables the Sync API support -DWANT_CPPUNIT ON except on Windows, OFF disables the tests + -DWITH_OPENSSL ON by default, OFF disables the SSL support. You can also + specify a custom path by -DWITH_OPENSSL=/path/to/openssl/ -DBUILD_SHARED_LIBS not yet supported, only static libraries are built other CMake options see "cmake --help" for generic options, such as generator diff --git a/zookeeper-client/zookeeper-client-c/configure.ac b/zookeeper-client/zookeeper-client-c/configure.ac index f155c3fecb4..96ddaeca03e 100644 --- a/zookeeper-client/zookeeper-client-c/configure.ac +++ b/zookeeper-client/zookeeper-client-c/configure.ac 
@@ -38,25 +38,33 @@ else CHECK_CPPUNIT(1.10.2) fi -AM_CONDITIONAL([WANT_OPENSSL],[test "x$with_openssl" != x]) - - +dnl OpenSSL AC_ARG_WITH(openssl, - AS_HELP_STRING([--without-openssl], - [Do not use Openssl. Default: auto-detect]), [ -case "$with_openssl" in - yes|no) - : # Nothing special to do here - ;; - *) - if test ! -d "$withval" ; then - AC_MSG_ERROR([--with-openssl path does not point to a directory]) - fi - OPENSSL_DIR="$withval" - AC_SUBST(OPENSSL_DIR) - esac -]) -AH_TEMPLATE(USE_OPENSSL,[Openssl support is available]) + [AC_HELP_STRING([--with-openssl[=DIR]], [build with openssl (autodetect openssl library by default) )])], + [], [with_openssl=yes]) +AC_MSG_NOTICE([configuring SSL using --with-openssl=$with_openssl]) +saved_CPPFLAGS="$CPPFLAGS" +saved_LDFLAGS="$LDFLAGS" +if test "x$with_openssl" != "xno" && test "x$with_openssl" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I$with_openssl/include" + LDFLAGS="$LDFLAGS -L$with_openssl/lib" +fi +have_openssl=no +AC_CHECK_HEADER(openssl/ssl.h, [ AC_CHECK_LIB(ssl, SSL_CTX_new, [have_openssl=yes]) ]) +if test "x$with_openssl" != "xno" && test "x$with_openssl" != "xyes" && test "x$have_openssl" != "xyes"; then + CPPFLAGS="$saved_CPPFLAGS" + LDFLAGS="$saved_LDFLAGS" +fi +if test "x$with_openssl" != xno && test "x$have_openssl" = xno; then + AC_MSG_WARN([cannot build SSL support -- openssl not found]) + with_openssl=no +fi +if test "x$with_openssl" != xno; then + AC_MSG_NOTICE([building with SSL support]) +else + AC_MSG_NOTICE([building without SSL support]) +fi +AM_CONDITIONAL([WANT_OPENSSL],[test "x$with_openssl" != xno]) if test "$CALLER" = "ANT" ; then CPPUNIT_CFLAGS="$CPPUNIT_CFLAGS -DZKSERVER_CMD=\"\\\"${base_dir}/zookeeper-client/zookeeper-client-c/tests/zkServer.sh\\\"\"" diff --git a/zookeeper-client/zookeeper-client-c/pom.xml b/zookeeper-client/zookeeper-client-c/pom.xml index fb3b52f5704..3536d1a3c27 100755 --- a/zookeeper-client/zookeeper-client-c/pom.xml +++ b/zookeeper-client/zookeeper-client-c/pom.xml 
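Review bot: The directory passed to `--with-openssl=DIR` is no longer validated: the removed code stopped with `AC_MSG_ERROR` when the path was not a directory, while the new code appends `-I$with_openssl/include` and `-L$with_openssl/lib` and runs the probe with the default search paths still active. A mistyped DIR on a host that has a system OpenSSL therefore passes `AC_CHECK_HEADER`/`AC_CHECK_LIB`, and the build reports SSL support against a library other than the one requested; if nothing is found at all, the explicit request is downgraded to a warning and a client without TLS. I would keep the warning for the autodetect case only and fail for an explicit path, e.g. `test -d "$with_openssl/include" || AC_MSG_ERROR([--with-openssl=$with_openssl: no include directory found])`. The CMake branch in this commit falls back to a non-SSL build in the same way when a path was given.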
@@ -88,7 +88,7 @@ ANT - --with-openssl=/usr/include/openssl/ + --with-openssl=${c-client-openssl} --prefix=${project.build.directory}/c ${c-test-coverage-arg} diff --git a/zookeeper-client/zookeeper-client-c/src/cli.c b/zookeeper-client/zookeeper-client-c/src/cli.c index 64b328c4ec8..b2314345aee 100644 --- a/zookeeper-client/zookeeper-client-c/src/cli.c +++ b/zookeeper-client/zookeeper-client-c/src/cli.c @@ -836,8 +836,10 @@ int main(int argc, char **argv) { "OPTIONAL ARGS:\n" "-m, --myid Path to the file contains the client ID\n" "-c, --cmd Command to execute, e.g. ls|ls2|create|create2|od|...\n" +#ifdef HAVE_OPENSSL_H "-s, --ssl Comma separated parameters to initiate SSL connection\n" " e.g.: server_cert.crt,client_cert.crt,client_priv_key.pem,passwd\n" +#endif "-r, --readonly Connect in read-only mode\n" "-d, --debug Activate debug logs right from the beginning (you can also use the \n" " command 'verbose' later to activate debug logs in the cli shell)\n\n", diff --git a/zookeeper-client/zookeeper-client-c/ssl/gencerts.sh b/zookeeper-client/zookeeper-client-c/ssl/gencerts.sh index 528af1f98bf..f32cf5895bd 100755 --- a/zookeeper-client/zookeeper-client-c/ssl/gencerts.sh +++ b/zookeeper-client/zookeeper-client-c/ssl/gencerts.sh @@ -25,9 +25,13 @@ # relative to the canonical path of this script. # -# use local fully qualified domain name in the certificates, or fall back -# to zookeeper.apache.org if no domain name is set or the `hostname` command fails + +# determining the domain name in the certificates: +# - use the first commandline argument, if present +# - if not, then use the fully qualified domain name +# - if `hostname` command fails, fall back to zookeeper.apache.org FQDN=`hostname -f` +FQDN=${1:-$FQDN} FQDN=${FQDN:-"zookeeper.apache.org"} # Generate the root key
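Review bot: Only the usage text for `-s, --ssl` is placed under `#ifdef HAVE_OPENSSL_H` here; the option table and the code that acts on the option are in parts of `main` outside this hunk. If those are not guarded the same way, a client built without OpenSSL would accept `--ssl` and may go on to connect without TLS, which is hard to notice now that the build falls back to a non-SSL client with only a warning. It is worth confirming that such a build rejects the option with an error, for example `fprintf(stderr, "SSL support was not compiled in\n");` followed by a non-zero exit in the option handling.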
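Review bot: The new comment gives the lookup order as argument first, then `hostname -f`, but the code still runs `hostname -f` unconditionally and lets its error output reach the terminal even when an argument was supplied. `FQDN=${1:-$(hostname -f 2>/dev/null)}` would match the comment and leave the final fallback line as it is. The script's usage header lies outside this hunk; if it lists the arguments, the optional domain name should be mentioned there, and since the value ends up in the generated certificates it may be worth rejecting anything that is not a plain host name.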