-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added support for compiling TLS into binaries #508
Conversation
fdbcli/fdbcli.actor.cpp
Outdated
TraceEvent::setNetworkThread(); | ||
printf("Set network thread\n"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
printf's
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are still here
fdbrpc/md5/md5.h
Outdated
void MD5_Init(MD5_CTX *ctx); | ||
void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size); | ||
void MD5_Final(unsigned char *result, MD5_CTX *ctx); | ||
void __attribute__((weak)) MD5_Init(MD5_CTX *ctx); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you'll need to add a preprocessor macro, probably to flow/Platform.h, which looks like
#ifndef MULTIPLY_DEFINED_SYMBOL
#if windows
#define MULTIPLY_DEFINED_SYMBOL __declspec(selectany)
#else
#define MULTIPLY_DEFINED_SYMBOL __attribute__((weak))
#endif
#endif
and then use MULTIPLY_DEFINED_SYMBOL, or some better name, here, as msvc doesn't support attribute((weak)).
bindings/c/local.mk
Outdated
@@ -26,6 +26,10 @@ fdb_c_LIBS := lib/libfdbclient.a lib/libfdbrpc.a lib/libflow.a | |||
fdb_c_tests_LIBS := -Llib -lfdb_c | |||
fdb_c_tests_HEADERS := -Ibindings/c | |||
|
|||
ifndef __TLS_DISABLED__ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd much prefer TLS_DISABLED for the Makefile and #define. Two leading underscore names are technically reserved by the C/C++ standard.
bindings/c/local.mk
Outdated
@@ -26,6 +26,10 @@ fdb_c_LIBS := lib/libfdbclient.a lib/libfdbrpc.a lib/libflow.a | |||
fdb_c_tests_LIBS := -Llib -lfdb_c | |||
fdb_c_tests_HEADERS := -Ibindings/c | |||
|
|||
ifndef __TLS_DISABLED__ | |||
fdb_c_LIBS += lib/libFDBLibTLS.a /usr/local/lib/libtls.a /usr/local/lib/libssl.a /usr/local/lib/libcrypto.a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it'd be better do the same $(CC) $(CFLAGS) -print-file-name libtls.a
sort of trick for each static library, and assign that to some ${TLS_LIBRARIES} variable, so that we don't have to pin the libraries to a specific file path.
And having a TLS_LIBRARIES variable that holds the above list of libraries if it is enabled and nothing if it's disabled lets you remove all the other ifndef __TLS_DISABLED__
's from the Makefile.
Was there a reason you decided not to go the -Bstatic -l tls -l ssl -l crypto -Bdynamic
route? That'd make the above explicit file path naming unnecessary.
FDBLibTLS/Makefile
Outdated
@@ -1,109 +0,0 @@ | |||
PROJECTPATH = $(dir $(realpath $(firstword $(MAKEFILE_LIST)))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we at least move test
, test-plugin
, and test-verify
to somewhere else in our build system so that we can do development on the plugin code?
Or has statically-linking the plugin meant that this testing framework no longer works?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that I (and previously you) were just asked to do a few enhancements to this code, I'm more nervous than before about us deprecating testing that seems important to keep.
fdbrpc/LoadPlugin.h
Outdated
@@ -20,13 +20,14 @@ | |||
|
|||
#pragma once | |||
|
|||
// Will need to be defined at link time | |||
extern "C" void *get_plugin(const char *plugin_type_name_and_version); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd think we should probably rename the TLS plugin's get_plugin to something TLS-specific
fdbrpc/LoadPlugin.h
Outdated
else | ||
return Reference<T>( NULL ); | ||
#ifdef __TLS_DISABLED__ | ||
return Reference<T>( NULL ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and check plugin_name == fdb-libressl-plugin, or something, and then call get_tls_plugin if it matches and get_plugin if it doesn't.
We should either leave the plugin interface as a generic working plugin interface, and make it special case out the TLS plugin that's now built-in, or just remove the generic plugin interface entirely. But I'm kind of against just crippling it whenever we aren't using the TLS code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about this comment?
fdbrpc/TLSConnection.actor.cpp
Outdated
void TLSOptions::init_plugin( std::string const& plugin_path ) { | ||
std::string path; | ||
void TLSOptions::init_plugin() { | ||
std::string plugin_path = platform::getDefaultPluginPath("fdb-libressl-plugin"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's not much of a point in expanding this out to a filesystem path that will never again exist, right? It seems easier to just leave this as a fake path of just "fdb-libressl-plugin", so that you have something fixed to match against later on.
Disable TLS within Windows until working
build/link-wrapper.sh
Outdated
@@ -19,6 +19,7 @@ case $1 in | |||
fi | |||
|
|||
OPTIONS=$( eval echo "$OPTIONS $LDFLAGS \$$2_LDFLAGS \$$2_OBJECTS \$$2_LIBS \$$2_STATIC_LIBS_REAL -o $3" ) | |||
echo "OPTIONS: $OPTIONS" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
echo
build/link-wrapper.sh
Outdated
@@ -33,6 +34,7 @@ case $1 in | |||
fi | |||
;; | |||
*) | |||
echo "Command: $CC $OPTIONS" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
echo
fdbrpc/LoadPlugin.h
Outdated
else | ||
return Reference<T>( NULL ); | ||
#ifdef __TLS_DISABLED__ | ||
return Reference<T>( NULL ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about this comment?
fdbcli/fdbcli.actor.cpp
Outdated
TraceEvent::setNetworkThread(); | ||
printf("Set network thread\n"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are still here
…r TLS use case Defined TLS plugin name constant Changed TLS plugin name to get_tls_plugin Fixed link script Removed compilation flags from info make target
Changed TLS documentation to not specify it as a plugin but compiled in
documentation/sphinx/source/tls.rst
Outdated
@@ -73,22 +72,11 @@ The value for each setting can be specified in more than one way. The actual va | |||
|
|||
As with all other command-line options to ``fdbserver``, the TLS settings can be specified in the :ref:`[fdbserver] section of the configuration file <foundationdb-conf-fdbserver>`. | |||
|
|||
The settings for certificate file, key file, peer verification, password and CA file are interpreted by the loaded plugin. | |||
The settings for certificate file, key file, peer verification, password and CA file are interpreted by the TLS. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"interpreted by the TLS" is missing a word, I think. The TLS implementation? I'm not sure what wording to suggest here...
documentation/sphinx/source/tls.rst
Outdated
@@ -106,31 +94,29 @@ The default peer verification is ``Check.Valid=0``. | |||
Default Password | |||
^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
|
|||
There is no default password. If no password is specified, the plugin assumes that private key is unencrypted. | |||
There is no default password. If no password is specified, TLS assumes that private key is unencrypted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read "the plugin" to mean "our code" and "TLS" to mean "the Transport Layer Security standard", which makes this sentence read... not quite right. I think I'd recommend changing the phrasing to "If no password is specified, it is assumed that the private key is unencrypted", and similar rephrasing to the rest of the s/the plugin/TLS/ changes that you've done. If you need to name something, I think it'd be more proper to name FoundationDB
rather than TLS.
documentation/sphinx/source/tls.rst
Outdated
|
||
If the local certificate and chain is invalid, a FoundationDB server process bound to a TLS address will not start. In the case of invalid certificates on a client, the client will be able to start but will be unable to connect any TLS-enabled cluster. | ||
|
||
Formats | ||
------- | ||
|
||
The LibreSSL plugin can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files. | ||
The LibreSSL TLS can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/The LibreSSL TLS/LibreSSL/
documentation/sphinx/source/tls.rst
Outdated
================================= | ||
|
||
FoundationDB offers a TLS plugin based on the LibreSSL library. By default, it will be loaded automatically when participating in a TLS-enabled cluster. | ||
FoundationDB offers TLS based on the LibreSSL library. By default, it will be loaded automatically when participating in a TLS-enabled cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The second sentence needs to be changed, as "loaded" implies a plugin.
documentation/sphinx/source/tls.rst
Outdated
@@ -9,7 +9,7 @@ Introduction | |||
|
|||
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are protocols designed to provide communication security over public networks. Users exchange a symmetric session key that is used to encrypt data exchanged between the parties. | |||
|
|||
By default, a FoundationDB cluster uses *unencrypted* connections among client and server processes. This document describes the `Transport Layer Security <http://en.wikipedia.org/wiki/Transport_Layer_Security>`_ (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is provided in FoundationDB via a plugin-based architecture. This document will describe the basic TLS capabilities of FoundationDB and document the default plugin, which is based on `LibreSSL <https://www.libressl.org/>`_. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster's machines must all enable TLS in order for TLS to be used. | |||
By default, a FoundationDB cluster uses *unencrypted* connections among client and server processes. This document describes the `Transport Layer Security <http://en.wikipedia.org/wiki/Transport_Layer_Security>`_ (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is available within each FoundationDB binary. This document will describe the basic TLS capabilities of FoundationDB and document its implementation, which is based on `LibreSSL <https://www.libressl.org/>`_. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster's machines must all enable TLS in order for TLS to be used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TLS is available within each FoundationDB binary -> TLS is compiled into each FoundationDB binary by default ?
CFLAGS += -DTLS_DISABLED | ||
TLS_LIBS := | ||
else | ||
TLS_LIBS := lib/libFDBLibTLS.a $(shell gcc --print-file-name=libtls.a) $(shell gcc --print-file-name=libssl.a) $(shell gcc --print-file-name=libcrypto.a) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/gcc/$(CC)/
but why are you doing both this and setting LIBRARY_PATH ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, and you need to pass in CFLAGS, in case someone provided a LIBRARY_PATH or -L that you'd later use in the link line anyway.
Added support for compiling TLS into binaries
Resolves issue #436