Support to WolfSSL (Step 1)

CMakeLists.txt

@@ -126,9 +126,13 @@ set(CONFIG_H ${CONFIG_H_DIR}/config.h)
 option(DEFAULT_FEATURE_STATE "Specify the default state for most optional features" True)
 mark_as_advanced(DEFAULT_FEATURE_STATE)
 
+# ssl
+option(ENABLE_WOLFSSL "Compile netdata using WolfSSL." False)
+cmake_dependent_option(ENABLE_OPENSSL "Compile netdata using OpenSSL." True "NOT ENABLE_WOLFSSL" False)
+
 # High-level features
-option(ENABLE_ACLK "Enable Netdata Cloud support (ACLK)" ${DEFAULT_FEATURE_STATE})
-option(ENABLE_CLOUD "Enable Netdata Cloud by default at runtime" ${DEFAULT_FEATURE_STATE})
+cmake_dependent_option(ENABLE_ACLK "Enable Netdata Cloud support (ACLK)" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False)
+cmake_dependent_option(ENABLE_CLOUD "Enable Netdata Cloud by default at runtime" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False)
 option(ENABLE_ML "Enable machine learning features" ${DEFAULT_FEATURE_STATE})
 option(ENABLE_DBENGINE "Enable dbengine metrics storage" True)
 
@@ -143,7 +147,7 @@ mark_as_advanced(ENABLE_LEGACY_EBPF_PROGRAMS)
 option(ENABLE_PLUGIN_FREEIPMI "Enable IPMI monitoring" ${DEFAULT_FEATURE_STATE})
 option(ENABLE_PLUGIN_GO "Enable metric collectors written in Go" ${DEFAULT_FEATURE_STATE})
 option(ENABLE_PLUGIN_LOCAL_LISTENERS "Enable local listening socket tracking (including service auto-discovery support)" ${DEFAULT_FEATURE_STATE})
-option(ENABLE_PLUGIN_LOGS_MANAGEMENT "Enable log collection and monitoring based on Fluent Bit" ${DEFAULT_FEATURE_STATE})
+cmake_dependent_option(ENABLE_PLUGIN_LOGS_MANAGEMENT "Enable log collection and monitoring based on Fluent Bit" ${DEFAULT_FEATURE_STATE} "NOT ENABLE_WOLFSSL" False)
 option(ENABLE_PLUGIN_NETWORK_VIEWER "Enable network viewer functionality" ${DEFAULT_FEATURE_STATE})
 option(ENABLE_PLUGIN_NFACCT "Enable Linux NFACCT metric collection" ${DEFAULT_FEATURE_STATE})
 option(ENABLE_PLUGIN_PERF "Enable Linux performance counter monitoring" ${DEFAULT_FEATURE_STATE})
@@ -167,7 +171,8 @@ mark_as_advanced(ENABLE_LOGS_MANAGEMENT_TESTS)
 # Experimental features
 option(ENABLE_WEBRTC "Enable WebRTC dashboard communications (experimental)" False)
 mark_as_advanced(ENABLE_WEBRTC)
-option(ENABLE_H2O "Enable H2O web server (experimental)" True)
+
+cmake_dependent_option(ENABLE_H2O "Enable H2O web server (experimental)" True "NOT ENABLE_WOLFSSL" False)
 mark_as_advanced(ENABLE_H2O)
 
 # Other optional functionality
@@ -180,6 +185,21 @@ mark_as_advanced(BUILD_FOR_PACKAGING)
 cmake_dependent_option(FORCE_LEGACY_LIBBPF "Force usage of libbpf 0.0.9 instead of the latest version." False "ENABLE_PLUGIN_EBPF" False)
 mark_as_advanced(FORCE_LEGACY_LIBBPF)
 
+include(CheckFunctionExists)
+
+if(ENABLE_WOLFSSL)
+        pkg_check_modules(WOLFSSL wolfssl)
+
+        list(APPEND CMAKE_REQUIRED_LIBRARIES wolfssl)
+        check_function_exists(wolfSSL_set_alpn_protos HAVE_WOLFSSL_SET_ALPN_PROTOS)
+        if(NOT HAVE_WOLFSSL_SET_ALPN_PROTOS)
+            message(FATAL_ERROR "Your WolfSSL library has not been compiled with the OPENSSL_EXTRA flag, which is necessary to create symbols for the OpenSSL API that Netdata uses.")
+        endif()
+else()
+        # openssl/crypto
+        pkg_check_modules(OPENSSL openssl)
+endif()
+
 if(ENABLE_ACLK OR ENABLE_EXPORTER_PROMETHEUS_REMOTE_WRITE)
         set(NEED_PROTOBUF True)
 else()
@@ -260,11 +280,6 @@ endif()
 # Libm
 #
 
-# checks link with cmake required libs
-cmake_policy(SET CMP0075 NEW)
-
-include(CheckFunctionExists)
-
 check_function_exists(log10 HAVE_LOG10)
 if(NOT HAVE_LOG10)
         unset(HAVE_LOG10 CACHE)
@@ -493,11 +508,7 @@ if(FREEBSD OR MACOS)
         set(HAVE_BUILTIN_ATOMICS True)
 endif()
 
-# openssl/crypto
-set(ENABLE_OPENSSL True)
-pkg_check_modules(OPENSSL openssl)
-
-if(NOT OPENSSL_FOUND)
+if(NOT OPENSSL_FOUND AND ENABLE_OPENSSL)
         if(MACOS)
                 execute_process(COMMAND
                                 brew --prefix --installed openssl
@@ -517,7 +528,7 @@ if(NOT OPENSSL_FOUND)
         endif()
 endif()
 
-if(NOT MACOS)
+if(NOT MACOS AND ENABLE_OPENSSL)
         pkg_check_modules(CRYPTO libcrypto)
 endif()
 
@@ -639,6 +650,7 @@ set(LIBNETDATA_FILES
         src/libnetdata/required_dummies.h
         src/libnetdata/socket/security.c
         src/libnetdata/socket/security.h
+        src/libnetdata/ssl/ssl.h
         src/libnetdata/simple_pattern/simple_pattern.c
         src/libnetdata/simple_pattern/simple_pattern.h
         src/libnetdata/socket/socket.c
@@ -1303,7 +1315,7 @@ set(NETDATA_FILES
         ${WEB_PLUGIN_FILES}
         ${CLAIM_PLUGIN_FILES}
         ${SPAWN_PLUGIN_FILES}
-        ${ACLK_ALWAYS_BUILD}
+        "$<$<BOOL:${ENABLE_OPENSSL}>:${ACLK_ALWAYS_BUILD}>"
         ${PROFILE_PLUGIN_FILES}
 )
 
@@ -1594,15 +1606,26 @@ target_include_directories(libnetdata BEFORE PUBLIC ${LIBUV_INCLUDE_DIRS})
 target_compile_definitions(libnetdata PUBLIC ${LIBUV_CFLAGS_OTHER})
 target_link_libraries(libnetdata PUBLIC ${LIBUV_LDFLAGS})
 
-# crypto
-target_include_directories(libnetdata BEFORE PUBLIC ${CRYPTO_INCLUDE_DIRS})
-target_compile_options(libnetdata PUBLIC ${CRYPTO_CFLAGS_OTHER})
-target_link_libraries(libnetdata PUBLIC ${CRYPTO_LDFLAGS})
+if (ENABLE_OPENSSL)
+        message(STATUS "Compiling Netdata with OpenSSL")
+        # crypto
+        target_include_directories(libnetdata BEFORE PUBLIC ${CRYPTO_INCLUDE_DIRS})
+        target_compile_options(libnetdata PUBLIC ${CRYPTO_CFLAGS_OTHER})
+        target_link_libraries(libnetdata PUBLIC ${CRYPTO_LDFLAGS})
 
-# openssl
-target_include_directories(libnetdata BEFORE PUBLIC ${OPENSSL_INCLUDE_DIRS})
-target_compile_options(libnetdata PUBLIC ${OPENSSL_CFLAGS_OTHER})
-target_link_libraries(libnetdata PUBLIC ${OPENSSL_LDFLAGS})
+        # openssl
+        target_include_directories(libnetdata BEFORE PUBLIC ${OPENSSL_INCLUDE_DIRS})
+        target_compile_options(libnetdata PUBLIC ${OPENSSL_CFLAGS_OTHER})
+        target_link_libraries(libnetdata PUBLIC ${OPENSSL_LDFLAGS})
+endif()
+
+if (ENABLE_WOLFSSL)
+        message(STATUS "Compiling Netdata with WolfSSL")
+
+        target_include_directories(libnetdata BEFORE PUBLIC ${WOLFSSL_INCLUDE_DIRS})
+        target_compile_options(libnetdata PUBLIC ${WOLFSSL_CFLAGS_OTHER})
+        target_link_libraries(libnetdata PUBLIC ${WOLFSSL_LDFLAGS})
+endif()
 
 # mnl
 if(NOT MACOS)
@@ -1630,7 +1653,8 @@ if(ENABLE_MQTTWEBSOCKETS)
 
         target_compile_options(mqttwebsockets PUBLIC -DMQTT_WSS_CUSTOM_ALLOC
                                                      -DRBUF_CUSTOM_MALLOC
-                                                     -DMQTT_WSS_CPUSTATS)
+                                                     -DMQTT_WSS_CPUSTATS
+                )
 
         target_include_directories(mqttwebsockets PUBLIC ${CMAKE_SOURCE_DIR}/aclk/helpers
                                                          ${CMAKE_SOURCE_DIR}/src/web/server/h2o/libh2o/include)

packaging/cmake/config.cmake.h.in

@@ -81,6 +81,7 @@
 // enabled features
 
 #cmakedefine ENABLE_OPENSSL
+#cmakedefine ENABLE_WOLFSSL
 #cmakedefine ENABLE_CLOUD
 #cmakedefine ENABLE_ACLK
 #cmakedefine ENABLE_ML

src/aclk/aclk.c

@@ -62,7 +62,9 @@ struct aclk_shared_state aclk_shared_state = {
 };
 
 #ifdef MQTT_WSS_DEBUG
+#if defined(ENABLE_OPENSSL)
 #include <openssl/ssl.h>
+#endif
 #define DEFAULT_SSKEYLOGFILE_NAME "SSLKEYLOGFILE"
 const char *ssl_log_filename = NULL;
 FILE *ssl_log_file = NULL;

src/aclk/mqtt_websockets/mqtt_wss_client.c

@@ -23,17 +23,25 @@
 #include <netinet/tcp.h> //TCP_NODELAY
 #include <netdb.h>
 
+#ifdef ENABLE_OPENSSL
 #include <openssl/err.h>
 #include <openssl/ssl.h>
+#elif defined(ENABLE_WOLFSSL)
+#include <wolfssl/options.h>
+#include <wolfssl/openssl/err.h>
+#include <wolfssl/openssl/ssl.h>
+#endif
 
 #define PIPE_READ_END  0
 #define PIPE_WRITE_END 1
 #define POLLFD_SOCKET  0
 #define POLLFD_PIPE    1
 
+#if defined(ENABLE_OPENSSL)
 #if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) && (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097)
 #include <openssl/conf.h>
 #endif
+#endif //ENABLE_OPENSSL
 
 //TODO MQTT_PUBLISH_RETAIN should not be needed anymore
 #define MQTT_PUBLISH_RETAIN 0x01

src/aclk/mqtt_websockets/mqtt_wss_client.h

@@ -155,7 +155,12 @@ struct mqtt_wss_stats {
 struct mqtt_wss_stats mqtt_wss_get_stats(mqtt_wss_client client);
 
 #ifdef MQTT_WSS_DEBUG
+#ifdef ENABLE_OPENSSL
 #include <openssl/ssl.h>
+#elif defined(ENABLE_WOLFSSL)
+#include <wolfssl/options.h>
+#include <wolfssl/openssl/ssl.h>
+#endif
 void mqtt_wss_set_SSL_CTX_keylog_cb(mqtt_wss_client client, void (*ssl_ctx_keylog_cb)(const SSL *ssl, const char *line));
 #endif
 

src/aclk/mqtt_websockets/ws_client.c

@@ -17,7 +17,12 @@
 #include <errno.h>
 #include <ctype.h>
 
+#ifdef ENABLE_OPENSSL
 #include <openssl/evp.h>
+#elif defined(ENABLE_WOLFSSL)
+#include <wolfssl/options.h>
+#include <wolfssl/openssl/evp.h>
+#endif
 
 #include "ws_client.h"
 #include "common_internal.h"

src/claim/claim.c

@@ -52,7 +52,7 @@ CLAIM_AGENT_RESPONSE claim_agent(const char *claiming_arguments, bool force, con
         return CLAIM_AGENT_CLOUD_DISABLED;
     }
 
-#ifndef DISABLE_CLOUD
+#if defined(ENABLE_CLOUD) && defined(ENABLE_ACLK)
     int exit_code;
     pid_t command_pid;
     char command_exec_buffer[CLAIMING_COMMAND_LENGTH + 1];

src/daemon/buildinfo.c

@@ -69,7 +69,7 @@ typedef enum __attribute__((packed)) {
     BIB_LIB_ZLIB,
     BIB_LIB_BROTLI,
     BIB_LIB_PROTOBUF,
-    BIB_LIB_OPENSSL,
+    BIB_LIB_SSL,
     BIB_LIB_LIBDATACHANNEL,
     BIB_LIB_JSONC,
     BIB_LIB_LIBCAP,
@@ -650,12 +650,17 @@ static struct {
                 .json = "protobuf",
                 .value = NULL,
         },
-        [BIB_LIB_OPENSSL] = {
+        [BIB_LIB_SSL] = {
                 .category = BIC_LIBS,
                 .type = BIT_BOOLEAN,
                 .analytics = NULL,
+#if defined(ENABLE_OPENSSL)
                 .print = "OpenSSL (cryptography)",
                 .json = "openssl",
+#elif defined(ENABLE_WOLFSSL)
+                .print = "WolfSSL (cryptography)",
+                .json = "wolfssl",
+#endif
                 .value = NULL,
         },
         [BIB_LIB_LIBDATACHANNEL] = {
@@ -1152,8 +1157,8 @@ __attribute__((constructor)) void initialize_build_info(void) {
 #ifdef HAVE_LIBDATACHANNEL
     build_info_set_status(BIB_LIB_LIBDATACHANNEL, true);
 #endif
-#ifdef ENABLE_OPENSSL
-    build_info_set_status(BIB_LIB_OPENSSL, true);
+#if defined(ENABLE_OPENSSL) || defined(ENABLE_WOLFSSL)
+    build_info_set_status(BIB_LIB_SSL, true);
 #endif
 #ifdef ENABLE_JSONC
     build_info_set_status(BIB_LIB_JSONC, true);

src/daemon/commands.c

@@ -295,10 +295,17 @@ static cmd_status_t cmd_ping_execute(char *args, char **message)
 static cmd_status_t cmd_aclk_state(char *args, char **message)
 {
     netdata_log_info("COMMAND: Reopening aclk/cloud state.");
+#ifdef ENABLE_ACLK
     if (strstr(args, "json"))
         *message = aclk_state_json();
     else
         *message = aclk_state();
+#else
+    if (strstr(args, "json"))
+        *message = strdupz("{\"aclk-available\":false}");
+    else
+        *message = strdupz("ACLK Available: No");;
+#endif
 
     return CMD_STATUS_SUCCESS;
 }

src/database/contexts/api_v2.c

@@ -800,6 +800,7 @@ static void rrdhost_sender_to_json(BUFFER *wb, RRDHOST_STATUS *s, const char *ke
     buffer_json_object_close(wb); // streaming
 }
 
+#ifdef ENABLE_ACLK
 static void agent_capabilities_to_json(BUFFER *wb, RRDHOST *host, const char *key) {
     buffer_json_member_add_array(wb, key);
 
@@ -816,6 +817,7 @@ static void agent_capabilities_to_json(BUFFER *wb, RRDHOST *host, const char *ke
     buffer_json_array_close(wb);
     freez(capas);
 }
+#endif
 
 static inline void host_dyncfg_to_json_v2(BUFFER *wb, const char *key, RRDHOST_STATUS *s) {
     buffer_json_member_add_object(wb, key);
@@ -893,7 +895,9 @@ static void rrdcontext_to_json_v2_rrdhost(BUFFER *wb, RRDHOST *host, struct rrdc
             buffer_json_member_add_string(wb, "state", rrdhost_state_cloud_emulation(host) ? "reachable" : "stale");
 
             rrdhost_health_to_json_v2(wb, "health", &s);
+#ifdef ENABLE_ACLK
             agent_capabilities_to_json(wb, host, "capabilities");
+#endif
         }
 
         if (ctl->mode & (CONTEXTS_V2_NODE_INSTANCES)) {
@@ -937,7 +941,9 @@ static void rrdcontext_to_json_v2_rrdhost(BUFFER *wb, RRDHOST *host, struct rrdc
                 rrdhost_health_to_json_v2(wb, "health", &s);
 
                 host_functions2json(host, wb); // functions
+#ifdef ENABLE_ACLK
                 agent_capabilities_to_json(wb, host, "capabilities");
+#endif
 
                 host_dyncfg_to_json_v2(wb, "dyncfg", &s);
             }

src/database/contexts/worker.c

@@ -959,9 +959,11 @@ static void rrdcontext_dequeue_from_hub_queue(RRDCONTEXT *rc) {
 
 static void rrdcontext_dispatch_queued_contexts_to_hub(RRDHOST *host, usec_t now_ut) {
 
+#ifdef ENABLE_ACLK
     // check if we have received a streaming command for this host
     if(!rrdhost_flag_check(host, RRDHOST_FLAG_ACLK_STREAM_CONTEXTS) || !aclk_connected || !host->rrdctx.hub_queue)
         return;
+#endif
 
     // check if there are queued items to send
     if(!dictionary_entries(host->rrdctx.hub_queue))

src/database/engine/rrdengine.h

@@ -9,8 +9,14 @@
 #include <fcntl.h>
 #include <lz4.h>
 #include <Judy.h>
+#ifdef ENABLE_OPENSSL
 #include <openssl/sha.h>
 #include <openssl/evp.h>
+#elif defined(ENABLE_WOLFSSL)
+#include <wolfssl/options.h>
+#include <wolfssl/openssl/sha.h>
+#include <wolfssl/openssl/evp.h>
+#endif
 #include "daemon/common.h"
 #include "../rrd.h"
 #include "rrddiskprotocol.h"

src/database/rrdfunctions-inflight.c

@@ -438,13 +438,17 @@ int rrd_function_run(RRDHOST *host, BUFFER *result_wb, int timeout_s,
 
     if(!http_access_user_has_enough_access_level_for_endpoint(user_access, rdcf->access)) {
 
+#ifdef ENABLE_ACLK
         if(!aclk_connected)
             code = rrd_call_function_error(result_wb,
                                            "This Netdata must be connected to Netdata Cloud for Single-Sign-On (SSO) "
                                            "access this feature. Claim this Netdata to Netdata Cloud to enable access.",
                                            HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access));
 
         else if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID))
+#else
+        if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID))
+#endif
             code = rrd_call_function_error(result_wb,
                                            "You need to be authenticated via Netdata Cloud Single-Sign-On (SSO) "
                                            "to access this feature. Sign-in on this dashboard, "

src/database/rrdhost.c

@@ -1387,7 +1387,9 @@ static void rrdhost_load_auto_labels(void) {
     if (localhost->system_info->prebuilt_dist)
         rrdlabels_add(labels, "_prebuilt_dist", localhost->system_info->prebuilt_dist, RRDLABEL_SRC_AUTO);
 
+#ifdef ENABLE_ACLK
     add_aclk_host_labels();
+#endif
 
     // The source should be CONF, but when it is set, these labels are exported by default ('send configured labels' in exporting.conf).
     // Their export seems to break exporting to Graphite, see https://github.com/netdata/netdata/issues/14084.

src/libnetdata/libnetdata.h

@@ -9,7 +9,7 @@ extern "C" {
 
 #include "config.h"
 
-#ifdef ENABLE_OPENSSL
+#if defined(ENABLE_OPENSSL) || defined(ENABLE_WOLFSSL)
 #define ENABLE_HTTPS 1
 #endif
 
@@ -402,6 +402,7 @@ extern char *netdata_configured_host_prefix;
 #include "popen/popen.h"
 #include "simple_pattern/simple_pattern.h"
 #ifdef ENABLE_HTTPS
+# include "ssl/ssl.h"
 # include "socket/security.h"
 #endif
 #include "socket/socket.h"