diff --git a/Cargo.lock b/Cargo.lock index 391d78773fb7c..14e805e09b788 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1853,11 +1853,12 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.77" +version = "1.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9f73505338f7d905b19d18738976aae232eb46b8efc15554ffc56deb5d9ebe4" +checksum = "305fe645edc1442a0fa8b6726ba61d422798d37a52e12eaecf4b022ebbb88f01" dependencies = [ "jobserver", + "libc", ] [[package]] @@ -5850,9 +5851,8 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-src" -version = "111.25.0+1.1.1t" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3173cd3626c43e3854b1b727422a276e568d9ec5fe8cec197822cf52cfb743d6" +version = "300.1.3+3.1.2" +source = "git+https://github.com/vectordotdev/openssl-src-rs.git?tag=release-300-force-engine+3.1.2#98b1172bcef15358ad7bbf4baa3a3aa59d831e81" dependencies = [ "cc", ] @@ -5860,8 +5860,7 @@ dependencies = [ [[package]] name = "openssl-sys" version = "0.9.91" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "866b5f16f90776b9bb8dc1e1802ac6f0513de3a7a7465867bfbc563dc737faac" +source = "git+https://github.com/vectordotdev/rust-openssl.git?tag=openssl-sys-v0.9.91+3.0.0#c3a8b494e0a8ab88db692c239d30c903353b56a3" dependencies = [ "cc", "libc", diff --git a/Cargo.toml b/Cargo.toml index 531cc7ba0afe4..0669ae29d8122 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -345,7 +345,7 @@ nix = { version = "0.26.2", default-features = false, features = ["socket", "sig
 [build-dependencies]
 prost-build = { version = "0.11", default-features = false, optional = true }
 tonic-build = { version = "0.9", default-features = false, features = ["transport", "prost"], optional = true }
-openssl-src = { version = "111", default-features = false, features = ["force-engine"] }
+openssl-src = { version = "300", default-features = false, features = ["force-engine", "legacy"] }
 
 [dev-dependencies]
 approx = "0.5.1"
@@ -381,6 +381,11 @@ nix = { git = "https://github.com/vectordotdev/nix.git", branch = "memfd/gnu/mus
 # The `heim` crates depend on `ntapi` 0.3.7 on Windows, but that version has an
 # unaligned access bug fixed in the following revision.
 ntapi = { git = "https://github.com/MSxDOS/ntapi.git", rev = "24fc1e47677fc9f6e38e5f154e6011dc9b270da6" }
+# The current `openssl-sys` crate will vendor the OpenSSL sources via
+# `openssl-src` at version 1.1.1*, but we want version 3.1.*. Bring in forked
+# version of that crate with the appropriate dependency patched in.
+openssl-sys = { git = "https://github.com/vectordotdev/rust-openssl.git", tag = "openssl-sys-v0.9.91+3.0.0" }
+openssl-src = { git = "https://github.com/vectordotdev/openssl-src-rs.git", tag = "release-300-force-engine+3.1.2"}
 
 [features]
 # Default features for *-unknown-linux-gnu and *-apple-darwin
diff --git a/lib/vector-core/src/tls/settings.rs b/lib/vector-core/src/tls/settings.rs
index 4454cfc76026e..175660be97649 100644
--- a/lib/vector-core/src/tls/settings.rs
+++ b/lib/vector-core/src/tls/settings.rs
@@ -630,6 +630,7 @@ mod test {
 
 #[test]
 fn from_options_pkcs12() {
+ let _provider = openssl::provider::Provider::try_load(None, "legacy", true).unwrap();
 let options = TlsConfig {
 crt_file: Some(TEST_PKCS12_PATH.into()),
 key_pass: Some("NOPASS".into()),
diff --git a/scripts/cross/bootstrap-centos.sh b/scripts/cross/bootstrap-centos.sh
index ce35c53283019..58b1cbba003c6 100755
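Review bot: The two new `[patch]` entries pin the forked `openssl-sys` and `openssl-src` crates by `tag` only, and a git tag can be moved after the fact, so Cargo.toml on its own does not fix which revision of the vendored OpenSSL build is compiled; only Cargo.lock does, through the commit hashes it records (`98b1172bcef15358ad7bbf4baa3a3aa59d831e81` and `c3a8b494e0a8ab88db692c239d30c903353b56a3`). Since Cargo accepts only one of `branch`, `tag` or `rev`, consider pinning by the immutable commit instead, e.g. `openssl-src = { git = "https://github.com/vectordotdev/openssl-src-rs.git", rev = "98b1172bcef15358ad7bbf4baa3a3aa59d831e81" }`, and mention the tag name in the comment above it. The same applies to the `openssl-sys` line. While there, the `openssl-src` patch line is missing the space before its closing `}` that every other entry in the block has.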
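Review bot: The new `let _provider = ... .unwrap()` line in `from_options_pkcs12` gives no reason for loading the legacy provider, presumably because the PKCS#12 fixture uses algorithms OpenSSL 3 only ships in that provider, and if the `legacy` module is missing from the vendored build the test now fails with a bare `unwrap` panic. Add a comment such as `// OpenSSL 3 needs the legacy provider loaded to read this PKCS#12 fixture.` and replace `unwrap()` with `.expect("legacy provider must be available for the PKCS#12 test")`. The test function continues outside the hunk.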
--- a/scripts/cross/bootstrap-centos.sh
+++ b/scripts/cross/bootstrap-centos.sh
@@ -3,3 +3,7 @@ set -o errexit
 
 yum install -y unzip centos-release-scl
 yum install -y llvm-toolset-7
+
+# needed to compile openssl
+yum install -y perl-IPC-Cmd
+
diff --git a/src/app.rs b/src/app.rs
index 63d2a53bb1614..d20489b1c18c1 100644
--- a/src/app.rs
+++ b/src/app.rs
@@ -8,6 +8,7 @@ use futures::StreamExt;
 #[cfg(feature = "enterprise")]
 use futures_util::future::BoxFuture;
 use once_cell::race::OnceNonZeroUsize;
+use openssl::provider::Provider;
 use tokio::{
 runtime::{self, Runtime},
 sync::mpsc,
@@ -61,6 +62,7 @@ pub struct Application {
 pub require_healthy: Option,
 pub config: ApplicationConfig,
 pub signals: SignalPair,
+ pub openssl_legacy_provider: Option,
 }
 
 impl ApplicationConfig {
@@ -186,6 +188,12 @@ impl Application {
 opts.root.internal_log_rate_limit,
 );
 
+ let openssl_legacy_provider = opts
+ .root
+ .openssl_legacy_provider
+ .then(load_openssl_legacy_provider)
+ .flatten();
+
 let runtime = build_runtime(opts.root.threads, "vector-worker")?;
 
 // Signal handler for OS and provider messages.
@@ -206,6 +214,7 @@ impl Application {
 require_healthy: opts.root.require_healthy,
 config,
 signals,
+ openssl_legacy_provider,
 },
 ))
 }
@@ -222,6 +231,7 @@ impl Application {
 require_healthy,
 config,
 signals,
+ openssl_legacy_provider,
 } = self;
 
 let topology_controller = SharedTopologyController::new(TopologyController {
@@ -239,6 +249,7 @@ impl Application {
 graceful_crash_receiver: config.graceful_crash_receiver,
 signals,
 topology_controller,
+ openssl_legacy_provider,
 })
 }
 }
@@ -248,6 +259,7 @@ pub struct StartedApplication {
 pub graceful_crash_receiver: mpsc::UnboundedReceiver<()>,
 pub signals: SignalPair,
 pub topology_controller: SharedTopologyController,
+ pub openssl_legacy_provider: Option,
 }
 
 impl StartedApplication {
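Review bot: The new `openssl_legacy_provider` field on `Application` has no doc comment, and nothing at the struct tells a reader that it is held only to keep the provider loaded and is threaded through `StartedApplication` and `FinishedApplication` (hunks `@@ -248,6 +259,7 @@` here and `@@ -323,6 +337,7 @@` later) purely to control when it is unloaded. Add the same doc comment on all three fields, e.g. `/// Keeps the OpenSSL legacy provider loaded for the lifetime of the application; it is unloaded when this is dropped.` Marking the field `pub` also lets any caller `take()` it and unload the provider early, so `pub(crate)` or private would be the safer visibility if no external code reads it.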
@@ -261,6 +273,7 @@ impl StartedApplication {
 graceful_crash_receiver,
 signals,
 topology_controller,
+ openssl_legacy_provider,
 } = self;
 
 let mut graceful_crash = UnboundedReceiverStream::new(graceful_crash_receiver);
@@ -315,6 +328,7 @@ impl StartedApplication {
 signal,
 signal_rx,
 topology_controller,
+ openssl_legacy_provider,
 }
 }
 }
@@ -323,6 +337,7 @@ pub struct FinishedApplication {
 pub signal: SignalTo,
 pub signal_rx: SignalRx,
 pub topology_controller: SharedTopologyController,
+ pub openssl_legacy_provider: Option,
 }
 
 impl FinishedApplication {
@@ -331,6 +346,7 @@ impl FinishedApplication {
 signal,
 mut signal_rx,
 topology_controller,
+ openssl_legacy_provider,
 } = self;
 
 // At this point, we'll have the only reference to the shared topology controller and can
@@ -340,7 +356,7 @@ impl FinishedApplication {
 .expect("fail to unwrap topology controller")
 .into_inner();
 
- match signal {
+ let status = match signal {
 SignalTo::Shutdown => {
 emit!(VectorStopped);
 tokio::select! {
@@ -382,7 +398,9 @@ impl FinishedApplication {
 })
 }
 _ => unreachable!(),
- }
+ };
+ drop(openssl_legacy_provider);
+ status
 }
 }
 
@@ -525,3 +543,18 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64)
 );
 info!(message = "Log level is enabled.", level = ?level);
 }
+
+/// Load the legacy OpenSSL provider.
+///
+/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it
+/// will be unloaded when it is dropped.
+pub fn load_openssl_legacy_provider() -> Option {
+ warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use.");
+ Provider::try_load(None, "legacy", true)
+ .map(|provider| {
+ info!(message = "Loaded openssl legacy provider.");
+ provider
+ })
+ .map_err(|error| error!(message = "Failed to load openssl legacy provider.", %error))
+ .ok()
+}
diff --git a/src/cli.rs b/src/cli.rs
index 68d49db299061..1493e8db117e8 100644
--- a/src/cli.rs
+++ b/src/cli.rs
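Review bot: The `drop(openssl_legacy_provider)` added after the `match` in `@@ -382,7 +398,9 @@` carries no comment, and since `openssl_legacy_provider` is a local moved out of `self` it would be dropped at the end of the function anyway, so the `let status = match ...; drop(...); status` restructuring reads as unexplained. If the intent is to make the unload point explicit, say so above the `drop`, e.g. `// Keep the legacy provider loaded until shutdown has fully completed; dropping it unloads it from OpenSSL.` The enclosing function begins outside the hunk.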
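Review bot: `load_openssl_legacy_provider` documents that the provider is unloaded on drop, yet a caller that ignores the return value unloads it immediately with no diagnostic; add `#[must_use = "the legacy provider is unloaded as soon as the returned value is dropped"]` above `pub fn load_openssl_legacy_provider()`. The `warn!` on the first line runs before `Provider::try_load`, so the deprecation warning is also logged when the load fails and is then contradicted by the `error!` that follows; moving the `warn!` into the `.map` closure beside the `info!` makes the log reflect what was actually loaded. The doc comment should also state that a load failure is logged and mapped to `None` rather than propagated, since callers cannot tell "not requested" from "failed" by the return value.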
@@ -194,6 +194,10 @@ pub struct RootOpts {
 default_value = "5000"
 )]
 pub allocation_tracing_reporting_interval_ms: u64,
+
+ /// Load the OpenSSL legacy provider.
+ #[arg(long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", default_value = "true")]
+ pub openssl_legacy_provider: bool,
 }
 
 impl RootOpts {
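Review bot: `default_value = "true"` makes the legacy provider — which the runtime warning added in app.rs itself describes as providing algorithms and key sizes no longer recommended — load on every start unless the operator opts out, and the one-line doc comment does not say so. Expand it to state the default and how to disable it, e.g. `/// Load the OpenSSL legacy provider (enabled by default; set to false to run with only the default provider's algorithms).`, and consider whether an opt-in default is the safer long-term choice. With clap's usual `SetTrue` action for a `bool` field, `--openssl-legacy-provider` on the command line can only set the value to true, so `VECTOR_OPENSSL_LEGACY_PROVIDER` appears to be the only way to turn it off; confirm against the clap version in use and, if so, use `action = ArgAction::Set` with `num_args = 0..=1` and `default_missing_value = "true"` so `--openssl-legacy-provider false` works as well.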