Added support for compiling TLS into binaries #508
Conversation
fdbcli/fdbcli.actor.cpp
Outdated
| TraceEvent::setNetworkThread(); | ||
| printf("Set network thread\n"); |
There was a problem hiding this comment.
These are still here
fdbrpc/md5/md5.h
Outdated
| void MD5_Init(MD5_CTX *ctx); | ||
| void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size); | ||
| void MD5_Final(unsigned char *result, MD5_CTX *ctx); | ||
| void __attribute__((weak)) MD5_Init(MD5_CTX *ctx); |
There was a problem hiding this comment.
I think you'll need to add a preprocessor macro, probably to flow/Platform.h, which looks like
#ifndef MULTIPLY_DEFINED_SYMBOL
#if windows
#define MULTIPLY_DEFINED_SYMBOL __declspec(selectany)
#else
#define MULTIPLY_DEFINED_SYMBOL __attribute__((weak))
#endif
#endif
and then use MULTIPLY_DEFINED_SYMBOL, or some better name, here, as msvc doesn't support attribute((weak)).
bindings/c/local.mk
Outdated
| @@ -26,6 +26,10 @@ fdb_c_LIBS := lib/libfdbclient.a lib/libfdbrpc.a lib/libflow.a | |||
| fdb_c_tests_LIBS := -Llib -lfdb_c | |||
| fdb_c_tests_HEADERS := -Ibindings/c | |||
|
|
|||
| ifndef __TLS_DISABLED__ | |||
There was a problem hiding this comment.
I'd much prefer TLS_DISABLED for the Makefile and #define. Two leading underscore names are technically reserved by the C/C++ standard.
bindings/c/local.mk
Outdated
| @@ -26,6 +26,10 @@ fdb_c_LIBS := lib/libfdbclient.a lib/libfdbrpc.a lib/libflow.a | |||
| fdb_c_tests_LIBS := -Llib -lfdb_c | |||
| fdb_c_tests_HEADERS := -Ibindings/c | |||
|
|
|||
| ifndef __TLS_DISABLED__ | |||
| fdb_c_LIBS += lib/libFDBLibTLS.a /usr/local/lib/libtls.a /usr/local/lib/libssl.a /usr/local/lib/libcrypto.a | |||
There was a problem hiding this comment.
I think it'd be better do the same $(CC) $(CFLAGS) -print-file-name libtls.a sort of trick for each static library, and assign that to some ${TLS_LIBRARIES} variable, so that we don't have to pin the libraries to a specific file path.
And having a TLS_LIBRARIES variable that holds the above list of libraries if it is enabled and nothing if it's disabled lets you remove all the other ifndef __TLS_DISABLED__'s from the Makefile.
Was there a reason you decided not to go the -Bstatic -l tls -l ssl -l crypto -Bdynamic route? That'd make the above explicit file path naming unnecessary.
FDBLibTLS/Makefile
Outdated
| @@ -1,109 +0,0 @@ | |||
| PROJECTPATH = $(dir $(realpath $(firstword $(MAKEFILE_LIST)))) | |||
There was a problem hiding this comment.
Should we at least move test, test-plugin, and test-verify to somewhere else in our build system so that we can do development on the plugin code?
Or has statically-linking the plugin meant that this testing framework no longer works?
There was a problem hiding this comment.
Given that I (and previously you) were just asked to do a few enhancements to this code, I'm more nervous than before about us deprecating testing that seems important to keep.
fdbrpc/LoadPlugin.h
Outdated
| @@ -20,13 +20,14 @@ | |||
|
|
|||
| #pragma once | |||
|
|
|||
| // Will need to be defined at link time | |||
| extern "C" void *get_plugin(const char *plugin_type_name_and_version); | |||
There was a problem hiding this comment.
I'd think we should probably rename the TLS plugin's get_plugin to something TLS-specific
fdbrpc/LoadPlugin.h
Outdated
| else | ||
| return Reference<T>( NULL ); | ||
| #ifdef __TLS_DISABLED__ | ||
| return Reference<T>( NULL ); |
There was a problem hiding this comment.
and check plugin_name == fdb-libressl-plugin, or something, and then call get_tls_plugin if it matches and get_plugin if it doesn't.
We should either leave the plugin interface as a generic working plugin interface, and make it special case out the TLS plugin that's now built-in, or just remove the generic plugin interface entirely. But I'm kind of against just crippling it whenever we aren't using the TLS code.
There was a problem hiding this comment.
what about this comment?
fdbrpc/TLSConnection.actor.cpp
Outdated
| void TLSOptions::init_plugin( std::string const& plugin_path ) { | ||
| std::string path; | ||
| void TLSOptions::init_plugin() { | ||
| std::string plugin_path = platform::getDefaultPluginPath("fdb-libressl-plugin"); |
There was a problem hiding this comment.
There's not much of a point in expanding this out to a filesystem path that will never again exist, right? It seems easier to just leave this as a fake path of just "fdb-libressl-plugin", so that you have something fixed to match against later on.
Disable TLS within Windows until working
build/link-wrapper.sh
Outdated
| @@ -19,6 +19,7 @@ case $1 in | |||
| fi | |||
|
|
|||
| OPTIONS=$( eval echo "$OPTIONS $LDFLAGS \$$2_LDFLAGS \$$2_OBJECTS \$$2_LIBS \$$2_STATIC_LIBS_REAL -o $3" ) | |||
| echo "OPTIONS: $OPTIONS" | |||
build/link-wrapper.sh
Outdated
| @@ -33,6 +34,7 @@ case $1 in | |||
| fi | |||
| ;; | |||
| *) | |||
| echo "Command: $CC $OPTIONS" | |||
fdbrpc/LoadPlugin.h
Outdated
| else | ||
| return Reference<T>( NULL ); | ||
| #ifdef __TLS_DISABLED__ | ||
| return Reference<T>( NULL ); |
There was a problem hiding this comment.
what about this comment?
fdbcli/fdbcli.actor.cpp
Outdated
| TraceEvent::setNetworkThread(); | ||
| printf("Set network thread\n"); |
There was a problem hiding this comment.
These are still here
…r TLS use case Defined TLS plugin name constant Changed TLS plugin name to get_tls_plugin Fixed link script Removed compilation flags from info make target
Changed TLS documentation to not specify it as a plugin but compiled in
documentation/sphinx/source/tls.rst
Outdated
| @@ -73,22 +72,11 @@ The value for each setting can be specified in more than one way. The actual va | |||
|
|
|||
| As with all other command-line options to ``fdbserver``, the TLS settings can be specified in the :ref:`[fdbserver] section of the configuration file <foundationdb-conf-fdbserver>`. | |||
|
|
|||
| The settings for certificate file, key file, peer verification, password and CA file are interpreted by the loaded plugin. | |||
| The settings for certificate file, key file, peer verification, password and CA file are interpreted by the TLS. | |||
There was a problem hiding this comment.
"interpreted by the TLS" is missing a word, I think. The TLS implementation? I'm not sure what wording to suggest here...
documentation/sphinx/source/tls.rst
Outdated
| @@ -106,31 +94,29 @@ The default peer verification is ``Check.Valid=0``. | |||
| Default Password | |||
| ^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
|
|
|||
| There is no default password. If no password is specified, the plugin assumes that private key is unencrypted. | |||
| There is no default password. If no password is specified, TLS assumes that private key is unencrypted. | |||
There was a problem hiding this comment.
I read "the plugin" to mean "our code" and "TLS" to mean "the Transport Layer Security standard", which makes this sentence read... not quite right. I think I'd recommend changing the phrasing to "If no password is specified, it is assumed that the private key is unencrypted", and similar rephrasing to the rest of the s/the plugin/TLS/ changes that you've done. If you need to name something, I think it'd be more proper to name FoundationDB rather than TLS.
documentation/sphinx/source/tls.rst
Outdated
|
|
||
| If the local certificate and chain is invalid, a FoundationDB server process bound to a TLS address will not start. In the case of invalid certificates on a client, the client will be able to start but will be unable to connect any TLS-enabled cluster. | ||
|
|
||
| Formats | ||
| ------- | ||
|
|
||
| The LibreSSL plugin can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files. | ||
| The LibreSSL TLS can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files. |
There was a problem hiding this comment.
s/The LibreSSL TLS/LibreSSL/
documentation/sphinx/source/tls.rst
Outdated
| ================================= | ||
|
|
||
| FoundationDB offers a TLS plugin based on the LibreSSL library. By default, it will be loaded automatically when participating in a TLS-enabled cluster. | ||
| FoundationDB offers TLS based on the LibreSSL library. By default, it will be loaded automatically when participating in a TLS-enabled cluster. |
There was a problem hiding this comment.
The second sentence needs to be changed, as "loaded" implies a plugin.
documentation/sphinx/source/tls.rst
Outdated
| @@ -9,7 +9,7 @@ Introduction | |||
|
|
|||
| Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are protocols designed to provide communication security over public networks. Users exchange a symmetric session key that is used to encrypt data exchanged between the parties. | |||
|
|
|||
| By default, a FoundationDB cluster uses *unencrypted* connections among client and server processes. This document describes the `Transport Layer Security <http://en.wikipedia.org/wiki/Transport_Layer_Security>`_ (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is provided in FoundationDB via a plugin-based architecture. This document will describe the basic TLS capabilities of FoundationDB and document the default plugin, which is based on `LibreSSL <https://www.libressl.org/>`_. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster's machines must all enable TLS in order for TLS to be used. | |||
| By default, a FoundationDB cluster uses *unencrypted* connections among client and server processes. This document describes the `Transport Layer Security <http://en.wikipedia.org/wiki/Transport_Layer_Security>`_ (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is available within each FoundationDB binary. This document will describe the basic TLS capabilities of FoundationDB and document its implementation, which is based on `LibreSSL <https://www.libressl.org/>`_. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster's machines must all enable TLS in order for TLS to be used. | |||
There was a problem hiding this comment.
TLS is available within each FoundationDB binary -> TLS is compiled into each FoundationDB binary by default ?
| CFLAGS += -DTLS_DISABLED | ||
| TLS_LIBS := | ||
| else | ||
| TLS_LIBS := lib/libFDBLibTLS.a $(shell gcc --print-file-name=libtls.a) $(shell gcc --print-file-name=libssl.a) $(shell gcc --print-file-name=libcrypto.a) |
There was a problem hiding this comment.
s/gcc/$(CC)/
but why are you doing both this and setting LIBRARY_PATH ?
There was a problem hiding this comment.
Ah, and you need to pass in CFLAGS, in case someone provided a LIBRARY_PATH or -L that you'd later use in the link line anyway.
Added support for compiling TLS into binaries
Resolves issue #436