SSLNTV-29 Add the ability to use a custom OpenSSL engine#16
SSLNTV-29 Add the ability to use a custom OpenSSL engine#16heyuanliu-intel wants to merge 1 commit intowildfly-security:mainfrom
Conversation
|
Thanks for the PR, @heyuanliu-intel! Tests for WildFly OpenSSL are included in the wildfly-openssl project that depends on this |
|
I have verified this using Intel QAT engine and using Airlift sample as a testcase. Please refer to this project. |
|
Thanks, took a look at https://github.com/heyuanliu-intel/AirliftPerformance. I noticed the In particular, it looks like corresponding changes would be needed in |
|
Yes. Below is the git commit diff --git a/java/src/main/java/org/wildfly/openssl/SSLImpl.java b/java/src/main/java/org/wildfly/openssl/SSLImpl.java
diff --git a/java/src/main/java/org/wildfly/openssl/SSL.java b/java/src/main/java/org/wildfly/openssl/SSL.java
@@ -289,7 +291,7 @@ public abstract class SSL {
|
|
@heyuanliu-intel Thanks! Would you be able to submit a PR against wildfly-openssl and indicate in the description that it depends on this PR? |
|
When creating the PR against wildfly-openssl, please reference WFSSL-111 in the commit message. Thanks! |
|
Create a new PR on wildfly-openssl. |
|
Throw exceptions when error occurs during initialize custom engine. |
There was a problem hiding this comment.
@heyuanliu-intel Thanks for the updates! I've added some comments, feel free to let me know if you have any questions.
One more small thing, please update the commits in this PR so they reference SSLNTV-29.
Thanks!
| return 0; | ||
| TCN_FREE_CSTRING(customEngine); | ||
| throwIllegalStateException(e, "Could not load openssl dynamic methods."); | ||
| goto init_failed; |
There was a problem hiding this comment.
I don't see any changes made to load_openssl_dynamic_methods. Is there a reason for introducing the above two lines? These change the behaviour compared to what was done before so am curious about the need for this.
There was a problem hiding this comment.
Yes. Previous logic doesn't contains this. I added this exception to keep the consistent with the other error processing. As you know, I added the logic to throw exception when the error occurs during loading custom engine. So If you think this isn't necessary, I can remove this line.
There was a problem hiding this comment.
Because this would mean a change in behaviour compared to what was happening before, for backwards compatibility, I think we should remove these two lines.
|
|
||
| /* Check if already initialized */ | ||
| if (ssl_initialized++) { | ||
| TCN_FREE_CSTRING(customEngine); |
There was a problem hiding this comment.
It looks like we are missing a call to TCN_FREE_CSTRING(customEngine) after the changes below.
There was a problem hiding this comment.
Yes. You are right. I can move TCN_FREE_CSTRING(customEngine) to init_failed.
| return (jint)0; | ||
|
|
||
| init_failed: | ||
| return 0; |
There was a problem hiding this comment.
I think there should be a call to TCN_FREE_CSTRING(customEngine) before returning.
There was a problem hiding this comment.
I think ssl_initialized should also be set to 0 here.
There was a problem hiding this comment.
Yes. You are right. I will do the code change.
| } | ||
| } | ||
|
|
||
| if (ssl_engine) { |
There was a problem hiding this comment.
For this case, it looks like both the Netty and Tomcat OpenSSL implementations also do this before attempting to set the default:
#ifdef ENGINE_CTRL_CHIL_SET_FORKCHECK
if (strcmp(J2S(engine), "chil") == 0)
ENGINE_ctrl(tcn_ssl_engine, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
#endif
See https://github.com/netty/netty-tcnative/blob/main/openssl-dynamic/src/main/c/ssl.c#L804-L810 and https://github.com/apache/tomcat-native/blob/main/native/src/ssl.c#L540-L547.
Do you think we could do something similar here?
There was a problem hiding this comment.
I don't know the real reason to add this logic. So I need to check.
There was a problem hiding this comment.
This logic is specifically for the "chil" engine. It's not strictly required to add this for your changes but since both the Netty and Tomcat OpenSSL implementations have this, I think we might as well add the same logic here as well.
There was a problem hiding this comment.
The ENGINE_CTRL_CHIL_SET_FORKCHECK is never going to be defined, so adding the lines like they are now is doing nothing. Note that wildfly-openssl works using dlopen without any openssl include at compilation. If we really want to set this option for chil like in the other implementations we need to add the define in wfssl.h:
+/* Flags specific to the nCipher "chil" engine */
+# define ENGINE_CTRL_CHIL_SET_FORKCHECK 100And always execute the ENGINE_ctrl in case of the chil engine.
Nit-picky request, please add the brackets to the if. 😄
There was a problem hiding this comment.
@heyuanliu-intel The #ifdef is not needed now, it's going to be always defined. All the rest LGTM now. Thanks!
There was a problem hiding this comment.
okay. I will remove it.
|
Note that the test failures in this CI job are expected because the corresponding changes to |
heyuanliu-intel
force-pushed
the
custom_engine
branch
2 times, most recently
from
6a17ec9 to
e8914f5
Compare
rmartinc
left a comment
rmartinc
left a comment
There was a problem hiding this comment.
@heyuanliu-intel I have added a few more comments.
Thanks!
| if (!crypto_methods.ENGINE_ctrl_cmd_string(ssl_engine, "SO_PATH", engine, 0) || !crypto_methods.ENGINE_ctrl_cmd_string(ssl_engine, "LOAD", NULL, 0)) { | ||
| crypto_methods.ENGINE_free(ssl_engine); | ||
| ssl_engine = NULL; | ||
| tcn_Throw(e, "Could not load openssl custom engine (%s) .so library file", engine); |
There was a problem hiding this comment.
@heyuanliu-intel What do you think about returning the openssl error too?
Something like the following:
char err[2048];
crypto_methods.ENGINE_free(ssl_engine);
ssl_engine = NULL;
generate_openssl_stack_error(e, err, sizeof(err));
tcn_Throw(e, "Could not load openssl custom engine (%s) .so library file: %s", engine, err);There was a problem hiding this comment.
Good suggestion. It will help software developer get more detailed error message. I will add this to the code change.
| if (!crypto_methods.ENGINE_set_default(ssl_engine, ENGINE_METHOD_ALL)) { | ||
| crypto_methods.ENGINE_free(ssl_engine); | ||
| ssl_engine = NULL; | ||
| tcn_Throw(e, "Could not set custom engine (%s) to default engine.", engine); |
There was a problem hiding this comment.
Same here, I would add the openssl error like in the previous throw.
| } | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
The customEngine is not freed in non-error return, you can add TCN_FREE_CSTRING(customEngine); here after the if.
There was a problem hiding this comment.
You are right and I will fix this.
| } | ||
| } | ||
|
|
||
| if (ssl_engine) { |
There was a problem hiding this comment.
The ENGINE_CTRL_CHIL_SET_FORKCHECK is never going to be defined, so adding the lines like they are now is doing nothing. Note that wildfly-openssl works using dlopen without any openssl include at compilation. If we really want to set this option for chil like in the other implementations we need to add the define in wfssl.h:
+/* Flags specific to the nCipher "chil" engine */
+# define ENGINE_CTRL_CHIL_SET_FORKCHECK 100And always execute the ENGINE_ctrl in case of the chil engine.
Nit-picky request, please add the brackets to the if. 😄
heyuanliu-intel
changed the title
rmartinc
left a comment
rmartinc
left a comment
There was a problem hiding this comment.
LGTM now, thanks @heyuanliu-intel !
|
Thanks for the updates @heyuanliu-intel! Would you be able to squash the commits into a single commit? |
heyuanliu-intel
force-pushed
the
custom_engine
branch
from
5ec0da9 to
bd6365a
Compare
|
I have squashed the commits into a singe commit, please review it again. |
fjuma
left a comment
fjuma
left a comment
There was a problem hiding this comment.
Looks good, thanks @heyuanliu-intel!
|
@heyuanliu-intel Just to keep you updated, we are planning on doing a WildFly OpenSSL release next month so will get this merged in the next few weeks (we are currently working on some updates to our CI environments). Will keep you posted on the release date. Thanks. |
|
Great! Thanks. |
3 participants
Add support custom engine to fix the issue #15
Intel QAT can boost SSL/TLS performance and has been integrated into many popular open source frameworks.
Such as envoy and nginx. Please refer to envoyproxy/envoy#21984
And for the async mode nginx, it can get 4X performance boost with QAT.
Please refer to https://01.org/sites/default/files/downloads/intelr-quickassist-technology/intelquickassisttechnologyopensslperformance.pdf
So many applications can get benefit from QAT custom engine and other custom engines.