author | Stelios Fragkakis <52996999+stelfrag@users.noreply.github.com> | 2024-05-17 18:58:08 +0300 |
committer | GitHub <noreply@github.com> | 2024-05-17 18:58:08 +0300 |
commit | a124de491a4fc06219a505a331ed1fa703232033 (patch) | |
tree | b08e0b1c95bddb0c548bad0e7b1b5383ad687a26 | |
parent | f3e0205be0243d8055b8e7da9dd2fe073f2e213d (diff) |
Revert "Support to WolfSSL (Step 1) (#17516)" revert-17516-use_wolfssl
This reverts commit 8d9c464de3f79f2e92fe6c46894ad2e09dd8f4d5.
-rw-r--r-- | CMakeLists.txt | 74 | ||||
-rw-r--r-- | packaging/cmake/config.cmake.h.in | 1 | ||||
-rw-r--r-- | src/aclk/aclk.c | 2 | ||||
-rw-r--r-- | src/aclk/mqtt_websockets/mqtt_wss_client.c | 8 | ||||
-rw-r--r-- | src/aclk/mqtt_websockets/mqtt_wss_client.h | 5 | ||||
-rw-r--r-- | src/aclk/mqtt_websockets/ws_client.c | 5 | ||||
-rw-r--r-- | src/claim/claim.c | 2 | ||||
-rw-r--r-- | src/daemon/buildinfo.c | 13 | ||||
-rw-r--r-- | src/daemon/commands.c | 7 | ||||
-rw-r--r-- | src/database/contexts/api_v2.c | 6 | ||||
-rw-r--r-- | src/database/contexts/worker.c | 2 | ||||
-rw-r--r-- | src/database/engine/rrdengine.h | 6 | ||||
-rw-r--r-- | src/database/rrdfunctions-inflight.c | 4 | ||||
-rw-r--r-- | src/database/rrdhost.c | 2 | ||||
-rw-r--r-- | src/libnetdata/libnetdata.h | 3 | ||||
-rw-r--r-- | src/libnetdata/socket/README.md | 8 | ||||
-rw-r--r-- | src/libnetdata/socket/security.c | 53 | ||||
-rw-r--r-- | src/libnetdata/socket/security.h | 19 | ||||
-rw-r--r-- | src/libnetdata/ssl/ssl.h | 43 | ||||
-rw-r--r-- | src/streaming/receiver.c | 4 | ||||
-rw-r--r-- | src/streaming/sender.c | 4 | ||||
-rw-r--r-- | src/web/api/web_api_v1.c | 4 |
22 files changed, 65 insertions, 210 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 214f96c3b0..36f7ab7cab 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -126,13 +126,9 @@ set(CONFIG_H ${CONFIG_H_DIR}/config.h) option(DEFAULT_FEATURE_STATE "Specify the default state for most optional features" True) mark_as_advanced(DEFAULT_FEATURE_STATE) -# ssl -option(ENABLE_WOLFSSL "Compile netdata using WolfSSL." False) -cmake_dependent_option(ENABLE_OPENSSL "Compile netdata using OpenSSL." True "NOT ENABLE_WOLFSSL" False) - # High-level features -cmake_dependent_option(ENABLE_ACLK "Enable Netdata Cloud support (ACLK)" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False) -cmake_dependent_option(ENABLE_CLOUD "Enable Netdata Cloud by default at runtime" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False) +option(ENABLE_ACLK "Enable Netdata Cloud support (ACLK)" ${DEFAULT_FEATURE_STATE}) +option(ENABLE_CLOUD "Enable Netdata Cloud by default at runtime" ${DEFAULT_FEATURE_STATE}) option(ENABLE_ML "Enable machine learning features" ${DEFAULT_FEATURE_STATE}) option(ENABLE_DBENGINE "Enable dbengine metrics storage" True) 
@@ -147,7 +143,7 @@ mark_as_advanced(ENABLE_LEGACY_EBPF_PROGRAMS) option(ENABLE_PLUGIN_FREEIPMI "Enable IPMI monitoring" ${DEFAULT_FEATURE_STATE}) option(ENABLE_PLUGIN_GO "Enable metric collectors written in Go" ${DEFAULT_FEATURE_STATE}) option(ENABLE_PLUGIN_LOCAL_LISTENERS "Enable local listening socket tracking (including service auto-discovery support)" ${DEFAULT_FEATURE_STATE}) -cmake_dependent_option(ENABLE_PLUGIN_LOGS_MANAGEMENT "Enable log collection and monitoring based on Fluent Bit" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False) +option(ENABLE_PLUGIN_LOGS_MANAGEMENT "Enable log collection and monitoring based on Fluent Bit" ${DEFAULT_FEATURE_STATE}) option(ENABLE_PLUGIN_NETWORK_VIEWER "Enable network viewer functionality" ${DEFAULT_FEATURE_STATE}) option(ENABLE_PLUGIN_NFACCT "Enable Linux NFACCT metric collection" ${DEFAULT_FEATURE_STATE}) option(ENABLE_PLUGIN_PERF "Enable Linux performance counter monitoring" ${DEFAULT_FEATURE_STATE}) @@ -171,8 +167,7 @@ mark_as_advanced(ENABLE_LOGS_MANAGEMENT_TESTS) # Experimental features option(ENABLE_WEBRTC "Enable WebRTC dashboard communications (experimental)" False) mark_as_advanced(ENABLE_WEBRTC) - -cmake_dependent_option(ENABLE_H2O "Enable H2O web server (experimental)" True "NOT ENABLE_WOLFSSL" False) +option(ENABLE_H2O "Enable H2O web server (experimental)" True) mark_as_advanced(ENABLE_H2O) # Other optional functionality 
@@ -185,21 +180,6 @@ mark_as_advanced(BUILD_FOR_PACKAGING) cmake_dependent_option(FORCE_LEGACY_LIBBPF "Force usage of libbpf 0.0.9 instead of the latest version." False "ENABLE_PLUGIN_EBPF" False) mark_as_advanced(FORCE_LEGACY_LIBBPF) -include(CheckFunctionExists) - -if(ENABLE_WOLFSSL) - pkg_check_modules(WOLFSSL wolfssl) - - list(APPEND CMAKE_REQUIRED_LIBRARIES wolfssl) - check_function_exists(wolfSSL_set_alpn_protos HAVE_WOLFSSL_SET_ALPN_PROTOS) - if(NOT HAVE_WOLFSSL_SET_ALPN_PROTOS) - message(FATAL_ERROR "Your WolfSSL library has not been compiled with the OPENSSL_EXTRA flag, which is necessary to create symbols for the OpenSSL API that Netdata uses.") - endif() -else() - # openssl/crypto - pkg_check_modules(OPENSSL openssl) -endif() - if(ENABLE_ACLK OR ENABLE_EXPORTER_PROMETHEUS_REMOTE_WRITE) set(NEED_PROTOBUF True) else() @@ -308,6 +288,11 @@ endif() # Libm # +# checks link with cmake required libs +cmake_policy(SET CMP0075 NEW) + +include(CheckFunctionExists) + check_function_exists(log10 HAVE_LOG10) if(NOT HAVE_LOG10) unset(HAVE_LOG10 CACHE) @@ -561,7 +546,11 @@ if(FREEBSD OR MACOS) set(HAVE_BUILTIN_ATOMICS True) endif() -if(NOT OPENSSL_FOUND AND ENABLE_OPENSSL) +# openssl/crypto +set(ENABLE_OPENSSL True) +pkg_check_modules(OPENSSL openssl) + +if(NOT OPENSSL_FOUND) if(MACOS) execute_process(COMMAND brew --prefix --installed openssl @@ -581,7 +570,7 @@ if(NOT OPENSSL_FOUND AND ENABLE_OPENSSL) endif() endif() -if(NOT MACOS AND ENABLE_OPENSSL) +if(NOT MACOS) pkg_check_modules(CRYPTO libcrypto) endif() @@ -703,7 +692,6 @@ set(LIBNETDATA_FILES src/libnetdata/required_dummies.h src/libnetdata/socket/security.c src/libnetdata/socket/security.h - src/libnetdata/ssl/ssl.h src/libnetdata/simple_pattern/simple_pattern.c src/libnetdata/simple_pattern/simple_pattern.h src/libnetdata/socket/socket.c 
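Review bot: `set(ENABLE_OPENSSL True)` followed by `pkg_check_modules(OPENSSL openssl)` without `REQUIRED` means the configuration can no longer express "no OpenSSL": `ENABLE_OPENSSL` is defined whether or not openssl.pc was found, and libnetdata.h derives `ENABLE_HTTPS` from it unconditionally. The macOS fallback via `brew --prefix` is visible, but the rest of the `if(NOT OPENSSL_FOUND)` block lies outside the hunk, so I cannot tell whether the non-macOS path ends in a `message(FATAL_ERROR ...)`; if it does not, a missing OpenSSL only surfaces later as `#include <openssl/ssl.h>` compile errors. Using `pkg_check_modules(OPENSSL REQUIRED openssl)` on non-macOS, or adding `if(NOT OPENSSL_FOUND) message(FATAL_ERROR "OpenSSL development files not found") endif()` after the fallback, turns that into a clear configure-time failure. Dropping the `ENABLE_OPENSSL` test from `if(NOT MACOS)` before `pkg_check_modules(CRYPTO libcrypto)` in the `@@ -581` hunk is consistent with the hard-coded True.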
@@ -1430,7 +1418,7 @@ set(NETDATA_FILES ${WEB_PLUGIN_FILES} ${CLAIM_PLUGIN_FILES} ${SPAWN_PLUGIN_FILES} - "$<$<BOOL:${ENABLE_OPENSSL}>:${ACLK_ALWAYS_BUILD}>" + ${ACLK_ALWAYS_BUILD} ${PROFILE_PLUGIN_FILES} ) @@ -1725,26 +1713,15 @@ target_include_directories(libnetdata BEFORE PUBLIC ${LIBUV_INCLUDE_DIRS}) target_compile_options(libnetdata PUBLIC ${LIBUV_CFLAGS_OTHER}) target_link_libraries(libnetdata PUBLIC ${LIBUV_LDFLAGS}) -if (ENABLE_OPENSSL) - message(STATUS "Compiling Netdata with OpenSSL") - # crypto - target_include_directories(libnetdata BEFORE PUBLIC ${CRYPTO_INCLUDE_DIRS}) - target_compile_options(libnetdata PUBLIC ${CRYPTO_CFLAGS_OTHER}) - target_link_libraries(libnetdata PUBLIC ${CRYPTO_LDFLAGS}) +# crypto +target_include_directories(libnetdata BEFORE PUBLIC ${CRYPTO_INCLUDE_DIRS}) +target_compile_options(libnetdata PUBLIC ${CRYPTO_CFLAGS_OTHER}) +target_link_libraries(libnetdata PUBLIC ${CRYPTO_LDFLAGS}) - # openssl - target_include_directories(libnetdata BEFORE PUBLIC ${OPENSSL_INCLUDE_DIRS}) - target_compile_options(libnetdata PUBLIC ${OPENSSL_CFLAGS_OTHER}) - target_link_libraries(libnetdata PUBLIC ${OPENSSL_LDFLAGS}) -endif() - -if (ENABLE_WOLFSSL) - message(STATUS "Compiling Netdata with WolfSSL") - - target_include_directories(libnetdata BEFORE PUBLIC ${WOLFSSL_INCLUDE_DIRS}) - target_compile_options(libnetdata PUBLIC ${WOLFSSL_CFLAGS_OTHER}) - target_link_libraries(libnetdata PUBLIC ${WOLFSSL_LDFLAGS}) -endif() +# openssl +target_include_directories(libnetdata BEFORE PUBLIC ${OPENSSL_INCLUDE_DIRS}) +target_compile_options(libnetdata PUBLIC ${OPENSSL_CFLAGS_OTHER}) +target_link_libraries(libnetdata PUBLIC ${OPENSSL_LDFLAGS}) # mnl if(NOT MACOS) 
@@ -1772,8 +1749,7 @@ if(ENABLE_MQTTWEBSOCKETS) target_compile_options(mqttwebsockets PUBLIC -DMQTT_WSS_CUSTOM_ALLOC -DRBUF_CUSTOM_MALLOC - -DMQTT_WSS_CPUSTATS - ) + -DMQTT_WSS_CPUSTATS) target_include_directories(mqttwebsockets PUBLIC ${CMAKE_SOURCE_DIR}/aclk/helpers ${CMAKE_SOURCE_DIR}/src/web/server/h2o/libh2o/include) diff --git a/packaging/cmake/config.cmake.h.in b/packaging/cmake/config.cmake.h.in index 4455ed123e..79c72b7f8c 100644 --- a/packaging/cmake/config.cmake.h.in +++ b/packaging/cmake/config.cmake.h.in @@ -105,7 +105,6 @@ // enabled features #cmakedefine ENABLE_OPENSSL -#cmakedefine ENABLE_WOLFSSL #cmakedefine ENABLE_CLOUD #cmakedefine ENABLE_ACLK #cmakedefine ENABLE_ML diff --git a/src/aclk/aclk.c b/src/aclk/aclk.c index 33f458e3f7..991745491c 100644 --- a/src/aclk/aclk.c +++ b/src/aclk/aclk.c @@ -62,9 +62,7 @@ struct aclk_shared_state aclk_shared_state = { }; #ifdef MQTT_WSS_DEBUG -#if defined(ENABLE_OPENSSL) #include <openssl/ssl.h> -#endif #define DEFAULT_SSKEYLOGFILE_NAME "SSLKEYLOGFILE" const char *ssl_log_filename = NULL; FILE *ssl_log_file = NULL; diff --git a/src/aclk/mqtt_websockets/mqtt_wss_client.c b/src/aclk/mqtt_websockets/mqtt_wss_client.c index 908b0711f2..a2aef80ceb 100644 --- a/src/aclk/mqtt_websockets/mqtt_wss_client.c +++ b/src/aclk/mqtt_websockets/mqtt_wss_client.c @@ -23,25 +23,17 @@ #include <netinet/tcp.h> //TCP_NODELAY #include <netdb.h> -#ifdef ENABLE_OPENSSL #include <openssl/err.h> #include <openssl/ssl.h> -#elif defined(ENABLE_WOLFSSL) -#include <wolfssl/options.h> -#include <wolfssl/openssl/err.h> -#include <wolfssl/openssl/ssl.h> -#endif #define PIPE_READ_END 0 #define PIPE_WRITE_END 1 #define POLLFD_SOCKET 0 #define POLLFD_PIPE 1 -#if defined(ENABLE_OPENSSL) #if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) && (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) #include <openssl/conf.h> #endif -#endif //ENABLE_OPENSSL //TODO MQTT_PUBLISH_RETAIN should not be needed anymore #define MQTT_PUBLISH_RETAIN 0x01 
diff --git a/src/aclk/mqtt_websockets/mqtt_wss_client.h b/src/aclk/mqtt_websockets/mqtt_wss_client.h index d1ad2dc875..4bdea4db9f 100644 --- a/src/aclk/mqtt_websockets/mqtt_wss_client.h +++ b/src/aclk/mqtt_websockets/mqtt_wss_client.h @@ -155,12 +155,7 @@ struct mqtt_wss_stats { struct mqtt_wss_stats mqtt_wss_get_stats(mqtt_wss_client client); #ifdef MQTT_WSS_DEBUG -#ifdef ENABLE_OPENSSL #include <openssl/ssl.h> -#elif defined(ENABLE_WOLFSSL) -#include <wolfssl/options.h> -#include <wolfssl/openssl/ssl.h> -#endif void mqtt_wss_set_SSL_CTX_keylog_cb(mqtt_wss_client client, void (*ssl_ctx_keylog_cb)(const SSL *ssl, const char *line)); #endif diff --git a/src/aclk/mqtt_websockets/ws_client.c b/src/aclk/mqtt_websockets/ws_client.c index b3aebdc229..240e889caa 100644 --- a/src/aclk/mqtt_websockets/ws_client.c +++ b/src/aclk/mqtt_websockets/ws_client.c @@ -17,12 +17,7 @@ #include <errno.h> #include <ctype.h> -#ifdef ENABLE_OPENSSL #include <openssl/evp.h> -#elif defined(ENABLE_WOLFSSL) -#include <wolfssl/options.h> -#include <wolfssl/openssl/evp.h> -#endif #include "ws_client.h" #include "common_internal.h" diff --git a/src/claim/claim.c b/src/claim/claim.c index de174215ee..5f4ec9a433 100644 --- a/src/claim/claim.c +++ b/src/claim/claim.c @@ -52,7 +52,7 @@ CLAIM_AGENT_RESPONSE claim_agent(const char *claiming_arguments, bool force, con return CLAIM_AGENT_CLOUD_DISABLED; } -#if defined(ENABLE_CLOUD) && defined(ENABLE_ACLK) +#ifndef DISABLE_CLOUD int exit_code; pid_t command_pid; char command_exec_buffer[CLAIMING_COMMAND_LENGTH + 1]; diff --git a/src/daemon/buildinfo.c b/src/daemon/buildinfo.c index b07734f1df..63b017e817 100644 --- a/src/daemon/buildinfo.c +++ b/src/daemon/buildinfo.c @@ -69,7 +69,7 @@ typedef enum __attribute__((packed)) { BIB_LIB_ZLIB, BIB_LIB_BROTLI, BIB_LIB_PROTOBUF, - BIB_LIB_SSL, + BIB_LIB_OPENSSL, BIB_LIB_LIBDATACHANNEL, BIB_LIB_JSONC, BIB_LIB_LIBCAP, 
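Review bot: The restored guard `#ifndef DISABLE_CLOUD` in `claim_agent` (claim.c hunk) keys the claiming code on a macro that nothing in this commit defines — the config.cmake.h.in hunk only carries `#cmakedefine ENABLE_OPENSSL`, `ENABLE_CLOUD` and `ENABLE_ACLK` — so unless something outside the diff defines it, this block is compiled even when `ENABLE_CLOUD` or `ENABLE_ACLK` is off. If that is not intended, keeping the `#if defined(ENABLE_CLOUD) && defined(ENABLE_ACLK)` form is independent of removing WolfSSL and can be retained in the revert. `claim_agent` begins and ends outside the hunk.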
@@ -650,17 +650,12 @@ static struct { .json = "protobuf", .value = NULL, }, - [BIB_LIB_SSL] = { + [BIB_LIB_OPENSSL] = { .category = BIC_LIBS, .type = BIT_BOOLEAN, .analytics = NULL, -#if defined(ENABLE_OPENSSL) .print = "OpenSSL (cryptography)", .json = "openssl", -#elif defined(ENABLE_WOLFSSL) - .print = "WolfSSL (cryptography)", - .json = "wolfssl", -#endif .value = NULL, }, [BIB_LIB_LIBDATACHANNEL] = { @@ -1167,8 +1162,8 @@ __attribute__((constructor)) void initialize_build_info(void) { #ifdef HAVE_LIBDATACHANNEL build_info_set_status(BIB_LIB_LIBDATACHANNEL, true); #endif -#if defined(ENABLE_OPENSSL) || defined(ENABLE_WOLFSSL) - build_info_set_status(BIB_LIB_SSL, true); +#ifdef ENABLE_OPENSSL + build_info_set_status(BIB_LIB_OPENSSL, true); #endif #ifdef ENABLE_JSONC build_info_set_status(BIB_LIB_JSONC, true); diff --git a/src/daemon/commands.c b/src/daemon/commands.c index 6141e9803f..43123b2291 100644 --- a/src/daemon/commands.c +++ b/src/daemon/commands.c @@ -295,17 +295,10 @@ static cmd_status_t cmd_ping_execute(char *args, char **message) static cmd_status_t cmd_aclk_state(char *args, char **message) { netdata_log_info("COMMAND: Reopening aclk/cloud state."); -#ifdef ENABLE_ACLK if (strstr(args, "json")) *message = aclk_state_json(); else *message = aclk_state(); -#else - if (strstr(args, "json")) - *message = strdupz("{\"aclk-available\":false}"); - else - *message = strdupz("ACLK Available: No");; -#endif return CMD_STATUS_SUCCESS; } diff --git a/src/database/contexts/api_v2.c b/src/database/contexts/api_v2.c index c02b5e4f31..a5c759d92f 100644 --- a/src/database/contexts/api_v2.c +++ b/src/database/contexts/api_v2.c @@ -800,7 +800,6 @@ static void rrdhost_sender_to_json(BUFFER *wb, RRDHOST_STATUS *s, const char *ke buffer_json_object_close(wb); // streaming } -#ifdef ENABLE_ACLK static void agent_capabilities_to_json(BUFFER *wb, RRDHOST *host, const char *key) { buffer_json_member_add_array(wb, key); 
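Review bot: `cmd_aclk_state` now calls `aclk_state_json()` / `aclk_state()` unconditionally, yet `ENABLE_ACLK` remains a user-settable `option()` in the CMakeLists hunk, so a build with `-DENABLE_ACLK=Off` relies on those symbols being provided by fallbacks I cannot see in this diff; the same applies to `aclk_connected`, `aclk_queue_node_info`, `add_aclk_host_labels` and `agent_capabilities_to_json` in the later api_v2.c, worker.c, rrdfunctions-inflight.c, rrdhost.c and receiver.c hunks. If such fallbacks exist, a one-line comment where the guard was removed, `// aclk_state*() have no-op fallbacks when ENABLE_ACLK is off`, saves the next reader the same question; if they do not, the removed `#else` branch that answered `"ACLK Available: No"` is the safer default for that configuration. Worth confirming with one CI configure-and-build at `-DENABLE_ACLK=Off`.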
@@ -817,7 +816,6 @@ static void agent_capabilities_to_json(BUFFER *wb, RRDHOST *host, const char *ke buffer_json_array_close(wb); freez(capas); } -#endif static inline void host_dyncfg_to_json_v2(BUFFER *wb, const char *key, RRDHOST_STATUS *s) { buffer_json_member_add_object(wb, key); @@ -895,9 +893,7 @@ static void rrdcontext_to_json_v2_rrdhost(BUFFER *wb, RRDHOST *host, struct rrdc buffer_json_member_add_string(wb, "state", rrdhost_state_cloud_emulation(host) ? "reachable" : "stale"); rrdhost_health_to_json_v2(wb, "health", &s); -#ifdef ENABLE_ACLK agent_capabilities_to_json(wb, host, "capabilities"); -#endif } if (ctl->mode & (CONTEXTS_V2_NODE_INSTANCES)) { @@ -941,9 +937,7 @@ static void rrdcontext_to_json_v2_rrdhost(BUFFER *wb, RRDHOST *host, struct rrdc rrdhost_health_to_json_v2(wb, "health", &s); host_functions2json(host, wb); // functions -#ifdef ENABLE_ACLK agent_capabilities_to_json(wb, host, "capabilities"); -#endif host_dyncfg_to_json_v2(wb, "dyncfg", &s); } diff --git a/src/database/contexts/worker.c b/src/database/contexts/worker.c index 604bb7e30f..71af3c44df 100644 --- a/src/database/contexts/worker.c +++ b/src/database/contexts/worker.c @@ -959,11 +959,9 @@ static void rrdcontext_dequeue_from_hub_queue(RRDCONTEXT *rc) { static void rrdcontext_dispatch_queued_contexts_to_hub(RRDHOST *host, usec_t now_ut) { -#ifdef ENABLE_ACLK // check if we have received a streaming command for this host if(!rrdhost_flag_check(host, RRDHOST_FLAG_ACLK_STREAM_CONTEXTS) || !aclk_connected || !host->rrdctx.hub_queue) return; -#endif // check if there are queued items to send if(!dictionary_entries(host->rrdctx.hub_queue)) diff --git a/src/database/engine/rrdengine.h b/src/database/engine/rrdengine.h index 6b94c41ac6..c594efe992 100644 --- a/src/database/engine/rrdengine.h +++ b/src/database/engine/rrdengine.h 
@@ -6,14 +6,8 @@ #include <fcntl.h> #include <lz4.h> #include <Judy.h> -#ifdef ENABLE_OPENSSL #include <openssl/sha.h> #include <openssl/evp.h> -#elif defined(ENABLE_WOLFSSL) -#include <wolfssl/options.h> -#include <wolfssl/openssl/sha.h> -#include <wolfssl/openssl/evp.h> -#endif #include "daemon/common.h" #include "../rrd.h" #include "rrddiskprotocol.h" diff --git a/src/database/rrdfunctions-inflight.c b/src/database/rrdfunctions-inflight.c index 6b75d5fbd8..adb27b3e7d 100644 --- a/src/database/rrdfunctions-inflight.c +++ b/src/database/rrdfunctions-inflight.c @@ -438,7 +438,6 @@ int rrd_function_run(RRDHOST *host, BUFFER *result_wb, int timeout_s, if(!http_access_user_has_enough_access_level_for_endpoint(user_access, rdcf->access)) { -#ifdef ENABLE_ACLK if(!aclk_connected) code = rrd_call_function_error(result_wb, "This Netdata must be connected to Netdata Cloud for Single-Sign-On (SSO) " @@ -446,9 +445,6 @@ int rrd_function_run(RRDHOST *host, BUFFER *result_wb, int timeout_s, HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access)); else if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID)) -#else - if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID)) -#endif code = rrd_call_function_error(result_wb, "You need to be authenticated via Netdata Cloud Single-Sign-On (SSO) " "to access this feature. Sign-in on this dashboard, " diff --git a/src/database/rrdhost.c b/src/database/rrdhost.c index 2f3b86fdcd..02e2d7da45 100644 --- a/src/database/rrdhost.c +++ b/src/database/rrdhost.c 
@@ -1384,9 +1384,7 @@ static void rrdhost_load_auto_labels(void) { if (localhost->system_info->prebuilt_dist) rrdlabels_add(labels, "_prebuilt_dist", localhost->system_info->prebuilt_dist, RRDLABEL_SRC_AUTO); -#ifdef ENABLE_ACLK add_aclk_host_labels(); -#endif // The source should be CONF, but when it is set, these labels are exported by default ('send configured labels' in exporting.conf). // Their export seems to break exporting to Graphite, see https://github.com/netdata/netdata/issues/14084. diff --git a/src/libnetdata/libnetdata.h b/src/libnetdata/libnetdata.h index a56d6d3acb..8781a85307 100644 --- a/src/libnetdata/libnetdata.h +++ b/src/libnetdata/libnetdata.h @@ -9,7 +9,7 @@ extern "C" { #include "config.h" -#if defined(ENABLE_OPENSSL) || defined(ENABLE_WOLFSSL) +#ifdef ENABLE_OPENSSL #define ENABLE_HTTPS 1 #endif @@ -483,7 +483,6 @@ extern char *netdata_configured_host_prefix; #include "popen/popen.h" #include "simple_pattern/simple_pattern.h" #ifdef ENABLE_HTTPS -# include "ssl/ssl.h" # include "socket/security.h" #endif #include "socket/socket.h" diff --git a/src/libnetdata/socket/README.md b/src/libnetdata/socket/README.md index 8ee4989dc7..b81cbb8dfb 100644 --- a/src/libnetdata/socket/README.md +++ b/src/libnetdata/socket/README.md @@ -6,11 +6,3 @@ learn_status: "Published" learn_topic_type: "References" learn_rel_path: "Developers/libnetdata" --> - -# WolfSSL support - -Support for WolfSSL is currently in the experimental stage, as it does not yet offer all the features available in the -OpenSSL library. - -When integrating with WolfSSL, it's essential to confirm that the version of WolfSSL being used has enabled support for -the OpenSSL API during compilation. Failure to do so will result in compilation errors. diff --git a/src/libnetdata/socket/security.c b/src/libnetdata/socket/security.c index 7d7b193673..502998b79f 100644 --- a/src/libnetdata/socket/security.c +++ b/src/libnetdata/socket/security.c 
@@ -18,11 +18,7 @@ static SOCKET_PEERS netdata_ssl_peers(NETDATA_SSL *ssl) { if(unlikely(!ssl->conn)) sock_fd = -1; else -#if defined(ENABLE_OPENSSL) sock_fd = SSL_get_rfd(ssl->conn); -#elif defined(ENABLE_WOLFSSL) - sock_fd = SSL_get_fd(ssl->conn); -#endif return socket_peers(sock_fd); } @@ -363,11 +359,7 @@ static inline bool want_read_write_should_retry(NETDATA_SSL *ssl, int err) { int ssl_errno = SSL_get_error(ssl->conn, err); if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_WANT_WRITE) { struct pollfd pfds[1] = { [0] = { -#if defined(ENABLE_OPENSSL) .fd = SSL_get_rfd(ssl->conn), -#elif defined(ENABLE_WOLFSSL) - .fd = SSL_get_fd(ssl->conn), -#endif .events = (short)(((ssl_errno == SSL_ERROR_WANT_READ ) ? POLLIN : 0) | ((ssl_errno == SSL_ERROR_WANT_WRITE) ? POLLOUT : 0)), }}; @@ -445,13 +437,7 @@ bool netdata_ssl_accept(NETDATA_SSL *ssl) { static void netdata_ssl_info_callback(const SSL *ssl, int where, int ret __maybe_unused) { (void)ssl; if (where & SSL_CB_ALERT) { - netdata_log_debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s", -#if defined(ENABLE_OPENSSL) - SSL_alert_type_string(ret), -#else - NULL, -#endif - SSL_alert_desc_string_long(ret)); + netdata_log_debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s", SSL_alert_type_string(ret), SSL_alert_desc_string_long(ret)); } } @@ -462,7 +448,7 @@ static void netdata_ssl_info_callback(const SSL *ssl, int where, int ret __maybe */ void netdata_ssl_initialize_openssl() { -#if defined(ENABLE_OPENSSL) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 # if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) OPENSSL_config(NULL); # endif @@ -472,9 +458,11 @@ void netdata_ssl_initialize_openssl() { SSL_library_init(); #else + if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) { netdata_log_error("SSL library cannot be initialized."); } + #endif } 
@@ -556,7 +544,7 @@ static SSL_CTX * netdata_ssl_create_server_ctx(unsigned long mode) { static int netdata_id_context = 1; //TO DO: Confirm the necessity to check return for other OPENSSL function -#if defined(ENABLE_OPENSSL) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 ctx = SSL_CTX_new(SSLv23_server_method()); if (!ctx) { netdata_log_error("Cannot create a new SSL context, netdata won't encrypt communication"); @@ -571,21 +559,14 @@ static SSL_CTX * netdata_ssl_create_server_ctx(unsigned long mode) { return NULL; } - if (SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert) != 1) { - goto end_ssl_server_ctx; - } + SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert); #endif -#if defined(ENABLE_OPENSSL) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); #else - if (SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) != 1) { - goto end_ssl_server_ctx; - } - - if ( SSL_CTX_set_max_proto_version(ctx, netdata_ssl_select_tls_version(tls_version)) != 1) { - goto end_ssl_server_ctx; - } + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + SSL_CTX_set_max_proto_version(ctx, netdata_ssl_select_tls_version(tls_version)); if(tls_ciphers && strcmp(tls_ciphers, "none") != 0) { if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) { 
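Review bot: In the `@@ -571,21 +559,14 @@` hunk the return values of `SSL_CTX_use_certificate_chain_file`, `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` are discarded again, so a failure to pin the protocol range silently leaves the server context on the library default, and a failure to load the chain is only caught indirectly when `SSL_CTX_check_private_key` runs further down. The revert does not need to drop that checking: each call can keep its `!= 1` test and take the same log-free-return path the `SSL_CTX_check_private_key` failure uses in the next hunk (`@@ -597,13 +578,16 @@`, where the shared `end_ssl_server_ctx` label is also removed), e.g. `if (SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) != 1) { ERR_error_string_n(ERR_get_error(), lerror, sizeof(lerror)); netdata_log_error("SSL error: %s", lerror); SSL_CTX_free(ctx); return NULL; }`. `netdata_ssl_create_server_ctx` begins and ends outside this hunk.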
@@ -597,13 +578,16 @@ static SSL_CTX * netdata_ssl_create_server_ctx(unsigned long mode) { SSL_CTX_use_PrivateKey_file(ctx, netdata_ssl_security_key,SSL_FILETYPE_PEM); if (!SSL_CTX_check_private_key(ctx)) { - goto end_ssl_server_ctx; + ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror)); + netdata_log_error("SSL cannot check the private key: %s",lerror); + SSL_CTX_free(ctx); + return NULL; } SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context)); SSL_CTX_set_info_callback(ctx, netdata_ssl_info_callback); -#if defined(ENABLE_OPENSSL) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095) +#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095) SSL_CTX_set_verify_depth(ctx,1); #endif netdata_log_debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n"); @@ -611,11 +595,6 @@ static SSL_CTX * netdata_ssl_create_server_ctx(unsigned long mode) { SSL_CTX_set_mode(ctx, mode); return ctx; -end_ssl_server_ctx: - ERR_error_string_n(ERR_get_error(), lerror, sizeof(lerror)); - netdata_log_error("SSL error: %s", lerror); - SSL_CTX_free(ctx); - return NULL; } /** @@ -705,10 +684,8 @@ void netdata_ssl_cleanup() netdata_ssl_exporting_ctx = NULL; } -#if defined(ENABLE_OPENSSL) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 ERR_free_strings(); -#elif defined(ENABLE_WOLFSSL) - wolfSSL_Cleanup(); #endif } diff --git a/src/libnetdata/socket/security.h b/src/libnetdata/socket/security.h index a7e8a217e5..283d81db85 100644 --- a/src/libnetdata/socket/security.h +++ b/src/libnetdata/socket/security.h 
@@ -14,7 +14,24 @@ typedef enum __attribute__((packed)) { # ifdef ENABLE_HTTPS -#include "../ssl/ssl.h" +#define OPENSSL_VERSION_095 0x00905100L +#define OPENSSL_VERSION_097 0x0907000L +#define OPENSSL_VERSION_110 0x10100000L +#define OPENSSL_VERSION_111 0x10101000L +#define OPENSSL_VERSION_300 0x30000000L + +# include <openssl/ssl.h> +# include <openssl/err.h> +# include <openssl/evp.h> +# include <openssl/pem.h> +# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) +# include <openssl/conf.h> +# endif + +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300 +#include <openssl/core_names.h> +#include <openssl/decoder.h> +#endif typedef struct netdata_ssl { SSL *conn; // SSL connection diff --git a/src/libnetdata/ssl/ssl.h b/src/libnetdata/ssl/ssl.h deleted file mode 100644 index e24d949a90..0000000000 --- a/src/libnetdata/ssl/ssl.h +++ /dev/null 
@@ -1,43 +0,0 @@
-#ifndef NETDATA_SSL_H
-#define NETDATA_SSL_H
-
-// External SSL libraries used with netdata
-
-#ifdef ENABLE_HTTPS
-
-#define OPENSSL_VERSION_095 0x00905100L
-#define OPENSSL_VERSION_097 0x0907000L
-#define OPENSSL_VERSION_110 0x10100000L
-#define OPENSSL_VERSION_111 0x10101000L
-#define OPENSSL_VERSION_300 0x30000000L
-
-#ifdef ENABLE_OPENSSL
-
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-# include <openssl/sha.h>
-# include <openssl/evp.h>
-# include <openssl/pem.h>
-# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110)
-# include <openssl/conf.h>
-# endif
-
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
-#include <openssl/core_names.h>
-#include <openssl/decoder.h>
-#endif
-#elif defined(ENABLE_WOLFSSL)
-#include <wolfssl/options.h>
-#include <wolfssl/version.h>
-#include <wolfssl/ssl.h>
-#include <wolfssl/error-ssl.h>
-
-#include <wolfssl/openssl/ssl.h>
-#include <wolfssl/openssl/err.h>
-#include <wolfssl/openssl/sha.h>
-#include <wolfssl/openssl/evp.h>
-#endif // ENABLE_OPENSSL
-
-#endif // ENABLE_HTTPS
-
-#endif
diff --git a/src/streaming/receiver.c b/src/streaming/receiver.c
index 99a1e2ad34..2cbf247dc4 100644
--- a/src/streaming/receiver.c
+++ b/src/streaming/receiver.c
@@ -445,9 +445,7 @@ static bool rrdhost_set_receiver(RRDHOST *host, struct receiver_state *rpt) { rrdpush_receiver_replication_reset(host); rrdhost_flag_clear(rpt->host, RRDHOST_FLAG_RRDPUSH_RECEIVER_DISCONNECTED); -#ifdef ENABLE_ACLK aclk_queue_node_info(rpt->host, true); -#endif rrdpush_reset_destinations_postpone_time(host);
@@ -782,7 +780,7 @@ static void rrdpush_receive(struct receiver_state *rpt) } netdata_log_debug(D_STREAM, "Initial response to %s: %s", rpt->client_ip, initial_response); -#if defined(ENABLE_H2O) && defined(ENABLE_OPENSSL) +#ifdef ENABLE_H2O if (is_h2o_rrdpush(rpt)) { h2o_stream_write(rpt->h2o_ctx, initial_response, strlen(initial_response)); } else {
diff --git a/src/streaming/sender.c b/src/streaming/sender.c index 0ae66db6b6..d4c3cc0009 100644 --- a/src/streaming/sender.c +++ b/src/streaming/sender.c @@ -634,7 +634,6 @@ static bool rrdpush_sender_connect_ssl(struct sender_state *s __maybe_unused) { #endif } -#if defined(ENABLE_H2O) && defined(ENABLE_OPENSSL) static int rrdpush_http_upgrade_prelude(RRDHOST *host, struct sender_state *s) { char http[HTTP_HEADE |