Skip to content

Commit

Permalink
Support to WolfSSL (Step 1) (netdata#17516)
Browse files Browse the repository at this point in the history
  • Loading branch information
thiagoftsm authored May 16, 2024
1 parent bfdd228 commit 8d9c464
Show file tree
Hide file tree
Showing 22 changed files with 210 additions and 65 deletions.
74 changes: 49 additions & 25 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -126,9 +126,13 @@ set(CONFIG_H ${CONFIG_H_DIR}/config.h)
option(DEFAULT_FEATURE_STATE "Specify the default state for most optional features" True)
mark_as_advanced(DEFAULT_FEATURE_STATE)

# ssl
option(ENABLE_WOLFSSL "Compile netdata using WolfSSL." False)
cmake_dependent_option(ENABLE_OPENSSL "Compile netdata using OpenSSL." True "NOT ENABLE_WOLFSSL" False)

# High-level features
option(ENABLE_ACLK "Enable Netdata Cloud support (ACLK)" ${DEFAULT_FEATURE_STATE})
option(ENABLE_CLOUD "Enable Netdata Cloud by default at runtime" ${DEFAULT_FEATURE_STATE})
cmake_dependent_option(ENABLE_ACLK "Enable Netdata Cloud support (ACLK)" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False)
cmake_dependent_option(ENABLE_CLOUD "Enable Netdata Cloud by default at runtime" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False)
option(ENABLE_ML "Enable machine learning features" ${DEFAULT_FEATURE_STATE})
option(ENABLE_DBENGINE "Enable dbengine metrics storage" True)

Expand All @@ -143,7 +147,7 @@ mark_as_advanced(ENABLE_LEGACY_EBPF_PROGRAMS)
option(ENABLE_PLUGIN_FREEIPMI "Enable IPMI monitoring" ${DEFAULT_FEATURE_STATE})
option(ENABLE_PLUGIN_GO "Enable metric collectors written in Go" ${DEFAULT_FEATURE_STATE})
option(ENABLE_PLUGIN_LOCAL_LISTENERS "Enable local listening socket tracking (including service auto-discovery support)" ${DEFAULT_FEATURE_STATE})
option(ENABLE_PLUGIN_LOGS_MANAGEMENT "Enable log collection and monitoring based on Fluent Bit" ${DEFAULT_FEATURE_STATE})
cmake_dependent_option(ENABLE_PLUGIN_LOGS_MANAGEMENT "Enable log collection and monitoring based on Fluent Bit" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False)
option(ENABLE_PLUGIN_NETWORK_VIEWER "Enable network viewer functionality" ${DEFAULT_FEATURE_STATE})
option(ENABLE_PLUGIN_NFACCT "Enable Linux NFACCT metric collection" ${DEFAULT_FEATURE_STATE})
option(ENABLE_PLUGIN_PERF "Enable Linux performance counter monitoring" ${DEFAULT_FEATURE_STATE})
Expand All @@ -167,7 +171,8 @@ mark_as_advanced(ENABLE_LOGS_MANAGEMENT_TESTS)
# Experimental features
option(ENABLE_WEBRTC "Enable WebRTC dashboard communications (experimental)" False)
mark_as_advanced(ENABLE_WEBRTC)
option(ENABLE_H2O "Enable H2O web server (experimental)" True)

cmake_dependent_option(ENABLE_H2O "Enable H2O web server (experimental)" True "NOT ENABLE_WOLFSSL" False)
mark_as_advanced(ENABLE_H2O)

# Other optional functionality
Expand All @@ -180,6 +185,21 @@ mark_as_advanced(BUILD_FOR_PACKAGING)
cmake_dependent_option(FORCE_LEGACY_LIBBPF "Force usage of libbpf 0.0.9 instead of the latest version." False "ENABLE_PLUGIN_EBPF" False)
mark_as_advanced(FORCE_LEGACY_LIBBPF)

include(CheckFunctionExists)

if(ENABLE_WOLFSSL)
pkg_check_modules(WOLFSSL wolfssl)

list(APPEND CMAKE_REQUIRED_LIBRARIES wolfssl)
check_function_exists(wolfSSL_set_alpn_protos HAVE_WOLFSSL_SET_ALPN_PROTOS)
if(NOT HAVE_WOLFSSL_SET_ALPN_PROTOS)
message(FATAL_ERROR "Your WolfSSL library has not been compiled with the OPENSSL_EXTRA flag, which is necessary to create symbols for the OpenSSL API that Netdata uses.")
endif()
else()
# openssl/crypto
pkg_check_modules(OPENSSL openssl)
endif()

if(ENABLE_ACLK OR ENABLE_EXPORTER_PROMETHEUS_REMOTE_WRITE)
set(NEED_PROTOBUF True)
else()
Expand Down Expand Up @@ -288,11 +308,6 @@ endif()
# Libm
#

# checks link with cmake required libs
cmake_policy(SET CMP0075 NEW)

include(CheckFunctionExists)

check_function_exists(log10 HAVE_LOG10)
if(NOT HAVE_LOG10)
unset(HAVE_LOG10 CACHE)
Expand Down Expand Up @@ -541,11 +556,7 @@ if(FREEBSD OR MACOS)
set(HAVE_BUILTIN_ATOMICS True)
endif()

# openssl/crypto
set(ENABLE_OPENSSL True)
pkg_check_modules(OPENSSL openssl)

if(NOT OPENSSL_FOUND)
if(NOT OPENSSL_FOUND AND ENABLE_OPENSSL)
if(MACOS)
execute_process(COMMAND
brew --prefix --installed openssl
Expand All @@ -565,7 +576,7 @@ if(NOT OPENSSL_FOUND)
endif()
endif()

if(NOT MACOS)
if(NOT MACOS AND ENABLE_OPENSSL)
pkg_check_modules(CRYPTO libcrypto)
endif()

Expand Down Expand Up @@ -687,6 +698,7 @@ set(LIBNETDATA_FILES
src/libnetdata/required_dummies.h
src/libnetdata/socket/security.c
src/libnetdata/socket/security.h
src/libnetdata/ssl/ssl.h
src/libnetdata/simple_pattern/simple_pattern.c
src/libnetdata/simple_pattern/simple_pattern.h
src/libnetdata/socket/socket.c
Expand Down Expand Up @@ -1407,7 +1419,7 @@ set(NETDATA_FILES
${WEB_PLUGIN_FILES}
${CLAIM_PLUGIN_FILES}
${SPAWN_PLUGIN_FILES}
${ACLK_ALWAYS_BUILD}
"$<$<BOOL:${ENABLE_OPENSSL}>:${ACLK_ALWAYS_BUILD}>"
${PROFILE_PLUGIN_FILES}
)

Expand Down Expand Up @@ -1708,15 +1720,26 @@ target_include_directories(libnetdata BEFORE PUBLIC ${LIBUV_INCLUDE_DIRS})
target_compile_options(libnetdata PUBLIC ${LIBUV_CFLAGS_OTHER})
target_link_libraries(libnetdata PUBLIC ${LIBUV_LDFLAGS})

# crypto
target_include_directories(libnetdata BEFORE PUBLIC ${CRYPTO_INCLUDE_DIRS})
target_compile_options(libnetdata PUBLIC ${CRYPTO_CFLAGS_OTHER})
target_link_libraries(libnetdata PUBLIC ${CRYPTO_LDFLAGS})
if (ENABLE_OPENSSL)
message(STATUS "Compiling Netdata with OpenSSL")
# crypto
target_include_directories(libnetdata BEFORE PUBLIC ${CRYPTO_INCLUDE_DIRS})
target_compile_options(libnetdata PUBLIC ${CRYPTO_CFLAGS_OTHER})
target_link_libraries(libnetdata PUBLIC ${CRYPTO_LDFLAGS})

# openssl
target_include_directories(libnetdata BEFORE PUBLIC ${OPENSSL_INCLUDE_DIRS})
target_compile_options(libnetdata PUBLIC ${OPENSSL_CFLAGS_OTHER})
target_link_libraries(libnetdata PUBLIC ${OPENSSL_LDFLAGS})
# openssl
target_include_directories(libnetdata BEFORE PUBLIC ${OPENSSL_INCLUDE_DIRS})
target_compile_options(libnetdata PUBLIC ${OPENSSL_CFLAGS_OTHER})
target_link_libraries(libnetdata PUBLIC ${OPENSSL_LDFLAGS})
endif()

if (ENABLE_WOLFSSL)
message(STATUS "Compiling Netdata with WolfSSL")

target_include_directories(libnetdata BEFORE PUBLIC ${WOLFSSL_INCLUDE_DIRS})
target_compile_options(libnetdata PUBLIC ${WOLFSSL_CFLAGS_OTHER})
target_link_libraries(libnetdata PUBLIC ${WOLFSSL_LDFLAGS})
endif()

# mnl
if(NOT MACOS)
Expand Down Expand Up @@ -1744,7 +1767,8 @@ if(ENABLE_MQTTWEBSOCKETS)

target_compile_options(mqttwebsockets PUBLIC -DMQTT_WSS_CUSTOM_ALLOC
-DRBUF_CUSTOM_MALLOC
-DMQTT_WSS_CPUSTATS)
-DMQTT_WSS_CPUSTATS
)

target_include_directories(mqttwebsockets PUBLIC ${CMAKE_SOURCE_DIR}/aclk/helpers
${CMAKE_SOURCE_DIR}/src/web/server/h2o/libh2o/include)
Expand Down
1 change: 1 addition & 0 deletions packaging/cmake/config.cmake.h.in
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,7 @@
// enabled features

#cmakedefine ENABLE_OPENSSL
#cmakedefine ENABLE_WOLFSSL
#cmakedefine ENABLE_CLOUD
#cmakedefine ENABLE_ACLK
#cmakedefine ENABLE_ML
Expand Down
2 changes: 2 additions & 0 deletions src/aclk/aclk.c
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,9 @@ struct aclk_shared_state aclk_shared_state = {
};

#ifdef MQTT_WSS_DEBUG
#if defined(ENABLE_OPENSSL)
#include <openssl/ssl.h>
#endif
#define DEFAULT_SSKEYLOGFILE_NAME "SSLKEYLOGFILE"
const char *ssl_log_filename = NULL;
FILE *ssl_log_file = NULL;
Expand Down
8 changes: 8 additions & 0 deletions src/aclk/mqtt_websockets/mqtt_wss_client.c
Original file line number Diff line number Diff line change
Expand Up @@ -23,17 +23,25 @@
#include <netinet/tcp.h> //TCP_NODELAY
#include <netdb.h>

#ifdef ENABLE_OPENSSL
#include <openssl/err.h>
#include <openssl/ssl.h>
#elif defined(ENABLE_WOLFSSL)
#include <wolfssl/options.h>
#include <wolfssl/openssl/err.h>
#include <wolfssl/openssl/ssl.h>
#endif

#define PIPE_READ_END 0
#define PIPE_WRITE_END 1
#define POLLFD_SOCKET 0
#define POLLFD_PIPE 1

#if defined(ENABLE_OPENSSL)
#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) && (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097)
#include <openssl/conf.h>
#endif
#endif //ENABLE_OPENSSL

//TODO MQTT_PUBLISH_RETAIN should not be needed anymore
#define MQTT_PUBLISH_RETAIN 0x01
Expand Down
5 changes: 5 additions & 0 deletions src/aclk/mqtt_websockets/mqtt_wss_client.h
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,12 @@ struct mqtt_wss_stats {
struct mqtt_wss_stats mqtt_wss_get_stats(mqtt_wss_client client);

#ifdef MQTT_WSS_DEBUG
#ifdef ENABLE_OPENSSL
#include <openssl/ssl.h>
#elif defined(ENABLE_WOLFSSL)
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
#endif
void mqtt_wss_set_SSL_CTX_keylog_cb(mqtt_wss_client client, void (*ssl_ctx_keylog_cb)(const SSL *ssl, const char *line));
#endif

Expand Down
5 changes: 5 additions & 0 deletions src/aclk/mqtt_websockets/ws_client.c
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,12 @@
#include <errno.h>
#include <ctype.h>

#ifdef ENABLE_OPENSSL
#include <openssl/evp.h>
#elif defined(ENABLE_WOLFSSL)
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
#endif

#include "ws_client.h"
#include "common_internal.h"
Expand Down
2 changes: 1 addition & 1 deletion src/claim/claim.c
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ CLAIM_AGENT_RESPONSE claim_agent(const char *claiming_arguments, bool force, con
return CLAIM_AGENT_CLOUD_DISABLED;
}

#ifndef DISABLE_CLOUD
#if defined(ENABLE_CLOUD) && defined(ENABLE_ACLK)
int exit_code;
pid_t command_pid;
char command_exec_buffer[CLAIMING_COMMAND_LENGTH + 1];
Expand Down
13 changes: 9 additions & 4 deletions src/daemon/buildinfo.c
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ typedef enum __attribute__((packed)) {
BIB_LIB_ZLIB,
BIB_LIB_BROTLI,
BIB_LIB_PROTOBUF,
BIB_LIB_OPENSSL,
BIB_LIB_SSL,
BIB_LIB_LIBDATACHANNEL,
BIB_LIB_JSONC,
BIB_LIB_LIBCAP,
Expand Down Expand Up @@ -650,12 +650,17 @@ static struct {
.json = "protobuf",
.value = NULL,
},
[BIB_LIB_OPENSSL] = {
[BIB_LIB_SSL] = {
.category = BIC_LIBS,
.type = BIT_BOOLEAN,
.analytics = NULL,
#if defined(ENABLE_OPENSSL)
.print = "OpenSSL (cryptography)",
.json = "openssl",
#elif defined(ENABLE_WOLFSSL)
.print = "WolfSSL (cryptography)",
.json = "wolfssl",
#endif
.value = NULL,
},
[BIB_LIB_LIBDATACHANNEL] = {
Expand Down Expand Up @@ -1162,8 +1167,8 @@ __attribute__((constructor)) void initialize_build_info(void) {
#ifdef HAVE_LIBDATACHANNEL
build_info_set_status(BIB_LIB_LIBDATACHANNEL, true);
#endif
#ifdef ENABLE_OPENSSL
build_info_set_status(BIB_LIB_OPENSSL, true);
#if defined(ENABLE_OPENSSL) || defined(ENABLE_WOLFSSL)
build_info_set_status(BIB_LIB_SSL, true);
#endif
#ifdef ENABLE_JSONC
build_info_set_status(BIB_LIB_JSONC, true);
Expand Down
7 changes: 7 additions & 0 deletions src/daemon/commands.c
Original file line number Diff line number Diff line change
Expand Up @@ -295,10 +295,17 @@ static cmd_status_t cmd_ping_execute(char *args, char **message)
static cmd_status_t cmd_aclk_state(char *args, char **message)
{
netdata_log_info("COMMAND: Reopening aclk/cloud state.");
#ifdef ENABLE_ACLK
if (strstr(args, "json"))
*message = aclk_state_json();
else
*message = aclk_state();
#else
if (strstr(args, "json"))
*message = strdupz("{\"aclk-available\":false}");
else
*message = strdupz("ACLK Available: No");;
#endif

return CMD_STATUS_SUCCESS;
}
Expand Down
6 changes: 6 additions & 0 deletions src/database/contexts/api_v2.c
Original file line number Diff line number Diff line change
Expand Up @@ -800,6 +800,7 @@ static void rrdhost_sender_to_json(BUFFER *wb, RRDHOST_STATUS *s, const char *ke
buffer_json_object_close(wb); // streaming
}

#ifdef ENABLE_ACLK
static void agent_capabilities_to_json(BUFFER *wb, RRDHOST *host, const char *key) {
buffer_json_member_add_array(wb, key);

Expand All @@ -816,6 +817,7 @@ static void agent_capabilities_to_json(BUFFER *wb, RRDHOST *host, const char *ke
buffer_json_array_close(wb);
freez(capas);
}
#endif

static inline void host_dyncfg_to_json_v2(BUFFER *wb, const char *key, RRDHOST_STATUS *s) {
buffer_json_member_add_object(wb, key);
Expand Down Expand Up @@ -893,7 +895,9 @@ static void rrdcontext_to_json_v2_rrdhost(BUFFER *wb, RRDHOST *host, struct rrdc
buffer_json_member_add_string(wb, "state", rrdhost_state_cloud_emulation(host) ? "reachable" : "stale");

rrdhost_health_to_json_v2(wb, "health", &s);
#ifdef ENABLE_ACLK
agent_capabilities_to_json(wb, host, "capabilities");
#endif
}

if (ctl->mode & (CONTEXTS_V2_NODE_INSTANCES)) {
Expand Down Expand Up @@ -937,7 +941,9 @@ static void rrdcontext_to_json_v2_rrdhost(BUFFER *wb, RRDHOST *host, struct rrdc
rrdhost_health_to_json_v2(wb, "health", &s);

host_functions2json(host, wb); // functions
#ifdef ENABLE_ACLK
agent_capabilities_to_json(wb, host, "capabilities");
#endif

host_dyncfg_to_json_v2(wb, "dyncfg", &s);
}
Expand Down
2 changes: 2 additions & 0 deletions src/database/contexts/worker.c
Original file line number Diff line number Diff line change
Expand Up @@ -959,9 +959,11 @@ static void rrdcontext_dequeue_from_hub_queue(RRDCONTEXT *rc) {

static void rrdcontext_dispatch_queued_contexts_to_hub(RRDHOST *host, usec_t now_ut) {

#ifdef ENABLE_ACLK
// check if we have received a streaming command for this host
if(!rrdhost_flag_check(host, RRDHOST_FLAG_ACLK_STREAM_CONTEXTS) || !aclk_connected || !host->rrdctx.hub_queue)
return;
#endif

// check if there are queued items to send
if(!dictionary_entries(host->rrdctx.hub_queue))
Expand Down
6 changes: 6 additions & 0 deletions src/database/engine/rrdengine.h
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,14 @@
#include <fcntl.h>
#include <lz4.h>
#include <Judy.h>
#ifdef ENABLE_OPENSSL
#include <openssl/sha.h>
#include <openssl/evp.h>
#elif defined(ENABLE_WOLFSSL)
#include <wolfssl/options.h>
#include <wolfssl/openssl/sha.h>
#include <wolfssl/openssl/evp.h>
#endif
#include "daemon/common.h"
#include "../rrd.h"
#include "rrddiskprotocol.h"
Expand Down
4 changes: 4 additions & 0 deletions src/database/rrdfunctions-inflight.c
Original file line number Diff line number Diff line change
Expand Up @@ -438,13 +438,17 @@ int rrd_function_run(RRDHOST *host, BUFFER *result_wb, int timeout_s,

if(!http_access_user_has_enough_access_level_for_endpoint(user_access, rdcf->access)) {

#ifdef ENABLE_ACLK
if(!aclk_connected)
code = rrd_call_function_error(result_wb,
"This Netdata must be connected to Netdata Cloud for Single-Sign-On (SSO) "
"access this feature. Claim this Netdata to Netdata Cloud to enable access.",
HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access));

else if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID))
#else
if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID))
#endif
code = rrd_call_function_error(result_wb,
"You need to be authenticated via Netdata Cloud Single-Sign-On (SSO) "
"to access this feature. Sign-in on this dashboard, "
Expand Down
2 changes: 2 additions & 0 deletions src/database/rrdhost.c
Original file line number Diff line number Diff line change
Expand Up @@ -1384,7 +1384,9 @@ static void rrdhost_load_auto_labels(void) {
if (localhost->system_info->prebuilt_dist)
rrdlabels_add(labels, "_prebuilt_dist", localhost->system_info->prebuilt_dist, RRDLABEL_SRC_AUTO);

#ifdef ENABLE_ACLK
add_aclk_host_labels();
#endif

// The source should be CONF, but when it is set, these labels are exported by default ('send configured labels' in exporting.conf).
// Their export seems to break exporting to Graphite, see https://github.com/netdata/netdata/issues/14084.
Expand Down
3 changes: 2 additions & 1 deletion src/libnetdata/libnetdata.h
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ extern "C" {

#include "config.h"

#ifdef ENABLE_OPENSSL
#if defined(ENABLE_OPENSSL) || defined(ENABLE_WOLFSSL)
#define ENABLE_HTTPS 1
#endif

Expand Down Expand Up @@ -483,6 +483,7 @@ extern char *netdata_configured_host_prefix;
#include "popen/popen.h"
#include "simple_pattern/simple_pattern.h"
#ifdef ENABLE_HTTPS
# include "ssl/ssl.h"
# include "socket/security.h"
#endif
#include "socket/socket.h"
Expand Down
Loading

0 comments on commit 8d9c464

Please sign in to comment.