diff --git a/install-dependencies.sh b/install-dependencies.sh
index 2124f3d9fbe1e..7e989edbd2d3e 100755
--- a/install-dependencies.sh
+++ b/install-dependencies.sh
@@ -31,7 +31,6 @@ deb_deps=(
 clang-tidy
 cmake
 git
- gnutls-dev
 golang
 libboost-all-dev
 libc-ares-dev
@@ -71,7 +70,6 @@ fedora_deps=(
 compiler-rt
 cryptopp-devel
 git
- gnutls-devel
 golang
 hwloc-devel
 krb5-devel
diff --git a/licenses/third_party.md b/licenses/third_party.md
index 6663a46f944d4..ef6878f04cebd 100644
--- a/licenses/third_party.md
+++ b/licenses/third_party.md
@@ -20,7 +20,6 @@ please keep this up to date with every new library use.
 | DPDK | BSD |
 | fmt | BSD |
 | gmp | LGPL v3 |
-| gnutls | LGPL v2.1 |
 | HdrHistogram | BSD 2 |
 | hwloc | BSD |
 | krb5 | MIT |
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 1a40c97f1b8a6..cba4f1afb76e1 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,14 +1,5 @@
 find_package(Seastar REQUIRED)
-# normalize the name of the gnutls dependency. when seastar is imported via a
-# normal installation arrange for the library name given by seastar's find
-# module to match the name from the system cmake find module for gnutls.
-if (TARGET GnuTLS::gnutls)
- add_library(GnuTLS::GnuTLS ALIAS GnuTLS::gnutls)
-else()
- find_package(GnuTLS)
-endif()
-
 find_package(Boost REQUIRED COMPONENTS
 iostreams
diff --git a/src/v/cloud_roles/refresh_credentials.cc b/src/v/cloud_roles/refresh_credentials.cc
index 1bb04f3d80bc7..22726993d422f 100644
--- a/src/v/cloud_roles/refresh_credentials.cc
+++ b/src/v/cloud_roles/refresh_credentials.cc
@@ -361,7 +361,7 @@ ss::future<> refresh_credentials::impl::init_tls_certs(ss::sstring name) {
 co_await b.set_x509_trust_file(
 ca_file.value(), ss::tls::x509_crt_format::PEM);
 } else {
- vlog(clrl_log.info, "Using GnuTLS default");
+ vlog(clrl_log.info, "Using system default");
 co_await b.set_system_trust();
 }
diff --git a/src/v/cloud_roles/tests/signature_test.cc b/src/v/cloud_roles/tests/signature_test.cc
index d7c749490ffc3..319178d9f31a8 100644
--- a/src/v/cloud_roles/tests/signature_test.cc
+++ b/src/v/cloud_roles/tests/signature_test.cc
@@ -226,7 +226,7 @@ SEASTAR_THREAD_TEST_CASE(test_abs_signature_computation_many_query_params) {
 /// Test is based on this example
 /// https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
-SEASTAR_THREAD_TEST_CASE(test_gnutls) {
+SEASTAR_THREAD_TEST_CASE(test_sig_gen) {
 std::string ksecret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY";
 std::string date = "20150830";
 std::string region = "us-east-1";
diff --git a/src/v/cloud_storage_clients/configuration.cc b/src/v/cloud_storage_clients/configuration.cc
index 53d80b2c445fb..37de70481f6ea 100644
--- a/src/v/cloud_storage_clients/configuration.cc
+++ b/src/v/cloud_storage_clients/configuration.cc
@@ -26,27 +26,19 @@ build_tls_credentials(
 std::optional trust_file,
 ss::logger& log) {
 ss::tls::credentials_builder cred_builder;
-#ifdef SEASTAR_WITH_TLS_OSSL
 cred_builder.set_cipher_string(
 {config::tlsv1_2_cipher_string.data(),
 config::tlsv1_2_cipher_string.size()});
 cred_builder.set_ciphersuites(
 {config::tlsv1_3_ciphersuites.data(),
 config::tlsv1_3_ciphersuites.size()});
-#else
- // NOTE: this is a pre-defined gnutls priority string that
- // picks the ciphersuites with 128-bit ciphers which
- // leads to up to 10x improvement in upload speed, compared
- // to 256-bit ciphers
- cred_builder.set_priority_string("PERFORMANCE");
-#endif
 if (trust_file.has_value()) {
 auto file = trust_file.value();
 vlog(log.info, "Use non-default trust file {}", file());
 co_await cred_builder.set_x509_trust_file(
 file().string(), ss::tls::x509_crt_format::PEM);
 } else {
- // Use GnuTLS defaults, might not work on all systems
+ // Use system defaults, might not work on all systems
 auto ca_file = co_await net::find_ca_file();
 if (ca_file) {
 vlog(
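Review bot: With the `#ifdef SEASTAR_WITH_TLS_OSSL` guard removed, `build_tls_credentials` now calls `cred_builder.set_cipher_string(...)` and `cred_builder.set_ciphersuites(...)` unconditionally, and the tls_config.cc hunk does the same from `builder.enable_server_precedence()` onward; judging by the guard that used to surround them, these are presumably APIs of the OpenSSL-backed builder only, so a seastar built against a different TLS backend would now fail in an unhelpful way instead of stating the requirement. Consider making the build requirement explicit once near the top of each of these translation units: `#ifndef SEASTAR_WITH_TLS_OSSL` / `#error "redpanda requires seastar built with the OpenSSL TLS backend"` / `#endif`. The deleted comment also recorded the client-side rationale for preferring 128-bit suites (upload throughput); if `config::tlsv1_2_cipher_string` and `config::tlsv1_3_ciphersuites` are meant to carry that choice, a one-line comment here pointing at where those strings are defined would keep the reasoning discoverable. `build_tls_credentials` begins before this hunk and continues in the next one.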
@@ -58,7 +50,7 @@ build_tls_credentials(
 } else {
 vlog(
 log.info,
- "Trust file can't be detected automatically, using GnuTLS "
+ "Trust file can't be detected automatically, using system "
 "default");
 co_await cred_builder.set_system_trust();
 }
diff --git a/src/v/cloud_storage_clients/s3_client.cc b/src/v/cloud_storage_clients/s3_client.cc
index e98e50b788dac..1688efe11127b 100644
--- a/src/v/cloud_storage_clients/s3_client.cc
+++ b/src/v/cloud_storage_clients/s3_client.cc
@@ -42,7 +42,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
diff --git a/src/v/cloud_storage_clients/test_client/abs_test_client_main.cc b/src/v/cloud_storage_clients/test_client/abs_test_client_main.cc
index ff9a60e4f9196..d32d0765cdcaa 100644
--- a/src/v/cloud_storage_clients/test_client/abs_test_client_main.cc
+++ b/src/v/cloud_storage_clients/test_client/abs_test_client_main.cc
@@ -38,7 +38,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
diff --git a/src/v/cloud_storage_clients/test_client/s3_test_client_main.cc b/src/v/cloud_storage_clients/test_client/s3_test_client_main.cc
index 2704b1f4e8e6f..d36215ae47016 100644
--- a/src/v/cloud_storage_clients/test_client/s3_test_client_main.cc
+++ b/src/v/cloud_storage_clients/test_client/s3_test_client_main.cc
@@ -38,7 +38,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
diff --git a/src/v/config/tls_config.cc b/src/v/config/tls_config.cc
index bbe3e2a5c8aff..76f62c23131c4 100644
--- a/src/v/config/tls_config.cc
+++ b/src/v/config/tls_config.cc
@@ -26,15 +26,11 @@ tls_config::get_credentials_builder() const& {
 return ss::do_with(
 ss::tls::credentials_builder{},
 [this](ss::tls::credentials_builder& builder) {
-#ifdef SEASTAR_WITH_TLS_OSSL
 builder.enable_server_precedence();
 builder.set_cipher_string(
 {tlsv1_2_cipher_string.data(), tlsv1_2_cipher_string.size()});
 builder.set_ciphersuites(
 {tlsv1_3_ciphersuites.data(), tlsv1_3_ciphersuites.size()});
-#else
- builder.set_priority_string("PERFORMANCE:%SERVER_PRECEDENCE");
-#endif
 builder.set_dh_level(ss::tls::dh_params::level::MEDIUM);
 if (_require_client_auth) {
 builder.set_client_auth(ss::tls::client_auth::REQUIRE);
diff --git a/src/v/crypto/tests/CMakeLists.txt b/src/v/crypto/tests/CMakeLists.txt
index cc3fa2253f04f..b11e986e719e5 100644
--- a/src/v/crypto/tests/CMakeLists.txt
+++ b/src/v/crypto/tests/CMakeLists.txt
@@ -59,7 +59,7 @@ rp_test(
 BINARY_NAME crypto_bench
 SOURCES crypto_bench.cc
 LIBRARIES
- Seastar::seastar_perf_testing v::crypto v::random GnuTLS::GnuTLS
+ Seastar::seastar_perf_testing v::crypto v::random
 LABELS crypto
 ENV "OPENSSL_CONF=${CMAKE_CURRENT_BINARY_DIR}/test/openssl_conf.cnf;MODULE_DIR=${REDPANDA_DEPS_INSTALL_DIR}/lib/ossl-modules"
 )
@@ -72,7 +72,7 @@ rp_test(
 DEFINITIONS PERF_FIPS_MODE
 LIBRARIES
- Seastar::seastar_perf_testing v::crypto v::random GnuTLS::GnuTLS
+ Seastar::seastar_perf_testing v::crypto v::random
 LABELS crypto
 ENV "OPENSSL_CONF=${CMAKE_CURRENT_BINARY_DIR}/test/openssl_conf.cnf;MODULE_DIR=${REDPANDA_DEPS_INSTALL_DIR}/lib/ossl-modules"
 )
diff --git a/src/v/crypto/tests/crypto_bench.cc b/src/v/crypto/tests/crypto_bench.cc
index 43c748b423f9c..701ce2c6cdadf 100644
--- a/src/v/crypto/tests/crypto_bench.cc
+++ b/src/v/crypto/tests/crypto_bench.cc
@@ -17,129 +17,8 @@
 #include
 #include
-#include
-#include
-
 static constexpr size_t inner_iters = 1000;
-template
-class hmac {
- static_assert(DigestSize > 0, "digest cannot be zero length");
-
-public:
- // silence clang-tidy about _handle being uninitialized
- // NOLINTNEXTLINE(hicpp-member-init, cppcoreguidelines-pro-type-member-init)
- explicit hmac(std::string_view key)
- : hmac(key.data(), key.size()) {}
-
- // silence clang-tidy about _handle being uninitialized
- // NOLINTNEXTLINE(hicpp-member-init, cppcoreguidelines-pro-type-member-init)
- explicit hmac(bytes_view key)
- : hmac(key.data(), key.size()) {}
-
- hmac(const hmac&) = delete;
- hmac& operator=(const hmac&) = delete;
- hmac(hmac&&) = delete;
- hmac& operator=(hmac&&) = delete;
-
- ~hmac() noexcept { gnutls_hmac_deinit(_handle, nullptr); }
-
- void update(std::string_view data) { update(data.data(), data.size()); }
- void update(bytes_view data) { update(data.data(), data.size()); }
-
- template
- void update(const std::array& data) {
- update(data.data(), Size);
- }
-
- /**
- * Return the current output and reset.
- */
- std::array reset() {
- std::array digest;
- gnutls_hmac_output(_handle, digest.data());
- return digest;
- }
-
-private:
- // silence clang-tidy about _handle being uninitialized
- // NOLINTNEXTLINE(hicpp-member-init, cppcoreguidelines-pro-type-member-init)
- hmac(const void* key, size_t size) {
- int ret = gnutls_hmac_init(&_handle, Algo, key, size);
- if (unlikely(ret)) {
- throw std::runtime_error(gnutls_strerror(ret));
- }
-
- ret = gnutls_hmac_get_len(Algo);
- if (unlikely(ret != DigestSize)) {
- throw std::runtime_error("invalid digest length");
- }
- }
-
- void update(const void* data, size_t size) {
- int ret = gnutls_hmac(_handle, data, size);
- if (unlikely(ret)) {
- throw std::runtime_error(gnutls_strerror(ret));
- }
- }
-
- gnutls_hmac_hd_t _handle;
-};
-
-template
-class hash {
-public:
- static constexpr auto digest_size = DigestSize;
- using digest_type = std::array;
-
- hash() {
- int ret = gnutls_hash_init(&_handle, Algo);
- if (unlikely(ret)) {
- throw std::runtime_error("hash init failed");
- }
-
- ret = gnutls_hash_get_len(Algo);
- if (unlikely(ret != DigestSize)) {
- throw std::runtime_error("BOO");
- }
- }
-
- hash(const hash&) = delete;
- hash& operator=(const hash&) = delete;
- hash(hash&&) = delete;
- hash& operator=(hash&&) = delete;
-
- ~hash() noexcept { gnutls_hash_deinit(_handle, nullptr); }
-
- void update(std::string_view data) { update(data.data(), data.size()); }
- void update(bytes_view data) { update(data.data(), data.size()); }
-
- /**
- * Return the current output and reset.
- */
- digest_type reset() {
- std::array digest;
- gnutls_hash_output(_handle, digest.data());
- return digest;
- }
-
-private:
- void update(const void* data, size_t size) {
- int ret = gnutls_hash(_handle, data, size);
- if (unlikely(ret)) {
- throw std::runtime_error("blah update");
- }
- }
-
- gnutls_hash_hd_t _handle;
-};
-
-using hmac_sha256 = hmac;
-using hmac_sha512 = hmac;
-using hash_sha256 = hash;
-using hash_sha512 = hash;
-using hash_md5 = hash;
-
 template
 static size_t test_body(size_t msg_len, F n) {
 auto buffer = random_generators::gen_alphanum_string(msg_len);
@@ -209,30 +88,6 @@ PERF_TEST_F(openssl_perf, sha512_1k) {
 });
 }
-PERF_TEST(gnutls, md5_1k) {
- return test_body(1024, [](const ss::sstring& buffer) {
- hash_md5 md5{};
- md5.update(buffer);
- return md5.reset();
- });
-}
-
-PERF_TEST(gnutls, sha256_1k) {
- return test_body(1024, [](const ss::sstring& buffer) {
- hash_sha256 sha256{};
- sha256.update(buffer);
- return sha256.reset();
- });
-}
-
-PERF_TEST(gnutls, sha512_1k) {
- return test_body(1024, [](const ss::sstring& buffer) {
- hash_sha512 sha512{};
- sha512.update(buffer);
- return sha512.reset();
- });
-}
-
 PERF_TEST_F(openssl_perf, hmac_sha256_1k) {
 return test_body(1024, [](const ss::sstring& buffer) {
 auto key = random_generators::gen_alphanum_string(32);
@@ -246,21 +101,3 @@ PERF_TEST_F(openssl_perf, hmac_sha512_1k) {
 return crypto::hmac(crypto::digest_type::SHA512, key, buffer);
 });
 }
-
-PERF_TEST(gnutls, hmac_sha256_1k) {
- return test_body(1024, [](const ss::sstring& buffer) {
- auto key = random_generators::gen_alphanum_string(32);
- hmac_sha256 hmac{key};
- hmac.update(buffer);
- return hmac.reset();
- });
-}
-
-PERF_TEST(gnutls, hmac_sha512_1k) {
- return test_body(1024, [](const ss::sstring& buffer) {
- auto key = random_generators::gen_alphanum_string(32);
- hmac_sha512 hmac{key};
- hmac.update(buffer);
- return hmac.reset();
- });
-}
diff --git a/src/v/net/include/net/tls.h b/src/v/net/include/net/tls.h
index eff1b6022c691..477a9d130633d 100644
--- a/src/v/net/include/net/tls.h
+++ b/src/v/net/include/net/tls.h
@@ -20,14 +20,14 @@ namespace net {
 /// Historically, different linux distributions use different locations to
 /// store certificates for their private key infrastructure. This is just a
 /// convention and can't be queried by the application code. The application
-/// is required to 'know' where to find the certs. In case of GnuTLS the
+/// is required to 'know' where to find the certs. In case of OpenSSL the
 /// location is configured during build time. It depend on distribution on
-/// which GnuTLS is built. This approach doesn't work for Redpanda because
+/// which OpenSSL is built. This approach doesn't work for Redpanda because
 /// single Redpanda binary can be executed on any linux distro. So the default
 /// option only work on some distributions. The rest require the location to
 /// be explicitly specified. This function does different thing. It probes
 /// the set of default locations for different distributions untill it finds
-/// the one that exists. This path is then passed to GnuTLS.
+/// the one that exists. This path is then passed to OpenSSL.
 ss::future> find_ca_file();
 } // namespace net
diff --git a/src/v/storage/key_offset_map.h b/src/v/storage/key_offset_map.h
index ddbe2dd7c4028..ee34571a7f262 100644
--- a/src/v/storage/key_offset_map.h
+++ b/src/v/storage/key_offset_map.h
@@ -174,7 +174,8 @@ class hash_key_offset_map : public key_offset_map {
 /**
 * hash the compaction key. this helper will catch exceptions and reset the
-* hashing object which is reused to avoid reinitialization of gnutls state.
+* hashing object which is reused to avoid reinitialization of OpenSSL
+* state.
 */
 hash_type::digest_type hash_key(const compaction_key&) const;
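Review bot: The rewritten doc comment on `find_ca_file()` states that with OpenSSL the trust-store location is fixed at build time, which is only part of the picture: OpenSSL's compiled-in default paths (OPENSSLDIR) can be overridden at runtime through the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, so operators have a non-code knob besides an explicit trust file, and a reader relying on this comment would not know to check those. Whether seastar's `set_system_trust()` honours those variables is not visible here, so the comment should hedge rather than assert, e.g. `/// With OpenSSL the compiled-in default (OPENSSLDIR) may also be overridden at runtime via SSL_CERT_FILE/SSL_CERT_DIR; whether the seastar builder exposes that is backend-specific.` The visible caller in cloud_storage_clients/configuration.cc only probes via this function when no explicit trust file is configured, which is worth saying here as well. The untouched context lines keep `untill` and `It depend on`, which could be fixed while the comment is being edited.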