Update seastar for v25.3.x

.github/workflows/alpinelinux.yaml

@@ -54,6 +54,7 @@ jobs:
       run: |
         cmake -B build -G Ninja            \
          -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+         -DSeastar_USE_OPENSSL=yes         \
          -DSeastar_DOCS=OFF
 
     - name: Build Seastar

.github/workflows/test.yaml

@@ -33,6 +33,11 @@ on:
         type: string
         default: ''
         required: false
+      crypto_provider:
+        description: 'cryptographic provider to use'
+        type: string
+        default: 'GnuTLS'
+        required: false
 
 jobs:
   test:
@@ -81,14 +86,15 @@ jobs:
           if ${{ inputs.enable-ccache }}; then
             MAYBE_CCACHE_OPT="--ccache"
           fi
-          ./configure.py                          \
-            --c++-standard ${{ inputs.standard }} \
-            --compiler ${{ inputs.compiler }}     \
-            --c-compiler $CC                      \
-            --mode ${{ inputs.mode }}             \
-            $MAYBE_CCACHE_OPT                     \
-            ${{ inputs.options }}                 \
-            ${{ inputs.enables }}
+          ./configure.py                                     \
+            --c++-standard ${{ inputs.standard }}            \
+            --compiler ${{ inputs.compiler }}                \
+            --c-compiler $CC                                 \
+            --mode ${{ inputs.mode }}                        \
+            $MAYBE_CCACHE_OPT                                \
+            ${{ inputs.options }}                            \
+            ${{ inputs.enables }}                            \
+            --crypto-provider ${{ inputs.crypto_provider }}
 
       - name: Build
         run: cmake --build build/${{inputs.mode}}

.github/workflows/tests.yaml

@@ -11,20 +11,22 @@ concurrency:
 
 jobs:
   regular_test:
-    name: "Test (${{ matrix.compiler }}, C++${{ matrix.standard}}, ${{ matrix.mode }})"
+    name: "Test (${{ matrix.compiler }}, C++${{ matrix.standard}}, ${{ matrix.mode }}, ${{ matrix.crypto_provider }})"
     uses: ./.github/workflows/test.yaml
     strategy:
       fail-fast: false
       matrix:
         compiler: [clang++, g++]
         standard: [20, 23]
         mode: [dev, debug, release]
+        crypto_provider: [GnuTLS, OpenSSL]
     with:
       compiler: ${{ matrix.compiler }}
       standard: ${{ matrix.standard }}
       mode: ${{ matrix.mode }}
       enables: ${{ matrix.enables }}
       options: ${{ matrix.options }}
+      crypto_provider: ${{ matrix.crypto_provider }}
   build_with_dpdk:
     name: "Test with DPDK enabled"
     uses: ./.github/workflows/test.yaml
@@ -36,8 +38,8 @@ jobs:
       mode: release
       enables: --enable-dpdk
       options: --cook dpdk
-  build_with_cxx_modules:
-    name: "Test with C++20 modules enabled"
+  build_with_cxx_modules_gnutls:
+    name: "Test with C++20 modules enabled (GnuTLS)"
     uses: ./.github/workflows/test.yaml
     strategy:
       fail-fast: false
@@ -47,3 +49,22 @@ jobs:
       mode: debug
       enables: --enable-cxx-modules
       enable-ccache: false
+      crypto_provider: GnuTLS
+    # disable modules build as we aren't using module and it is quite
+    # broken at the moment
+    if: false
+  build_with_cxx_modules_openssl:
+    name: "Test with C++20 modules enabled (OpenSSL)"
+    uses: ./.github/workflows/test.yaml
+    strategy:
+      fail-fast: false
+    with:
+      compiler: clang++
+      standard: 23
+      mode: debug
+      enables: --enable-cxx-modules
+      enable-ccache: false
+      crypto_provider: OpenSSL
+    # disable modules build as we aren't using module and it is quite
+    # broken at the moment
+    if: false

CMakeLists.txt

@@ -89,6 +89,16 @@ if (NOT Seastar_SCHEDULING_GROUPS_COUNT MATCHES "^[1-9][0-9]*")
   message(FATAL_ERROR "Seastar_SCHEDULING_GROUPS_COUNT must be a positive number (${Seastar_SCHEDULING_GROUPS_COUNT})")
 endif ()
 
+option (Seastar_USE_OPENSSL
+  "Use OpenSSL rather than GnuTLS for cryptographic operations, including TLS"
+  OFF)
+
+if (Seastar_USE_OPENSSL)
+  set (Seastar_USE_GNUTLS OFF)
+else ()
+  set (Seastar_USE_GNUTLS ON)
+endif ()
+
 #
 # Add a dev build type.
 #
@@ -677,6 +687,7 @@ add_library (seastar
   src/core/reactor_backend.cc
   src/core/thread_pool.cc
   src/core/app-template.cc
+  src/core/cpu_profiler.cc
   src/core/disk_params.cc
   src/core/dpdk_rte.cc
   src/core/exception_hacks.cc
@@ -709,6 +720,7 @@ add_library (seastar
   src/core/io_queue.cc
   src/core/semaphore.cc
   src/core/condition-variable.cc
+  src/core/signal_mutex.cc
   src/http/api_docs.cc
   src/http/common.cc
   src/http/file_handler.cc
@@ -736,13 +748,16 @@ add_library (seastar
   src/net/native-stack-impl.hh
   src/net/native-stack.cc
   src/net/net.cc
+  $<$<BOOL:${Seastar_USE_OPENSSL}>:src/net/ossl.cc>
   src/net/packet.cc
   src/net/posix-stack.cc
   src/net/proxy.cc
   src/net/socket_address.cc
   src/net/stack.cc
   src/net/tcp.cc
-  src/net/tls.cc
+  $<$<BOOL:${Seastar_USE_GNUTLS}>:src/net/tls.cc>
+  src/net/tls-impl.cc
+  src/net/tls-impl.hh
   src/net/udp.cc
   src/net/unix_address.cc
   src/net/virtio.cc
@@ -840,7 +855,9 @@ target_link_libraries (seastar
     SourceLocation::source_location
   PRIVATE
     ${CMAKE_DL_LIBS}
-    GnuTLS::gnutls
+    $<$<BOOL:${Seastar_USE_GNUTLS}>:GnuTLS::gnutls>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:OpenSSL::SSL>
+    $<$<BOOL:${Seastar_USE_OPENSSL}>:OpenSSL::Crypto>
     StdAtomic::atomic
     lksctp-tools::lksctp-tools
     protobuf::libprotobuf
@@ -892,6 +909,8 @@ include (CTest)
 target_compile_definitions(seastar
   PUBLIC
   SEASTAR_API_LEVEL=${Seastar_API_LEVEL}
+  $<$<BOOL:${Seastar_USE_OPENSSL}>:SEASTAR_USE_OPENSSL>
+  $<$<BOOL:${Seastar_USE_GNUTLS}>:SEASTAR_USE_GNUTLS>
   $<$<BOOL:${BUILD_SHARED_LIBS}>:SEASTAR_BUILD_SHARED_LIBS>)
 
 target_compile_features(seastar

cmake/SeastarDependencies.cmake

@@ -88,7 +88,12 @@ macro (seastar_find_dependencies)
   endif()
   seastar_find_dep (fmt 8.1.1 REQUIRED)
   seastar_find_dep (lz4 1.7.3 REQUIRED)
-  seastar_find_dep (GnuTLS 3.3.26 REQUIRED)
+  if (Seastar_USE_GNUTLS)
+    seastar_find_dep (GnuTLS 3.3.26 REQUIRED)
+  endif()
+  if (Seastar_USE_OPENSSL)
+    seastar_find_dep (OpenSSL 3.0.0 REQUIRED)
+  endif()
   if (Seastar_IO_URING)
     seastar_find_dep (LibUring 2.0 REQUIRED)
   endif()

configure.py

@@ -89,6 +89,9 @@ def standard_supported(standard, compiler='g++'):
 arg_parser.add_argument('--verbose', dest='verbose', action='store_true', help='Make configure output more verbose.')
 arg_parser.add_argument('--scheduling-groups-count', action='store', dest='scheduling_groups_count', default='16',
                         help='Number of available scheduling groups in the reactor')
+arg_parser.add_argument('--crypto-provider', dest='crypto_provider', choices=seastar_cmake.SUPPORTED_CRYPTO_PROVIDERS,
+                        default='GnuTLS', help='The cryptographic provider ot use')
+arg_parser.add_argument('--openssl-root-dir', dest='openssl_root_dir', help="Root directory for OpenSSL library")
 
 add_tristate(
     arg_parser,
@@ -191,6 +194,7 @@ def configure_mode(mode):
         '-DBUILD_SHARED_LIBS={}'.format('yes' if mode in ('debug', 'dev') else 'no'),
         '-DSeastar_API_LEVEL={}'.format(args.api_level),
         '-DSeastar_SCHEDULING_GROUPS_COUNT={}'.format(args.scheduling_groups_count),
+        '-DSeastar_USE_OPENSSL={}'.format('yes' if args.crypto_provider == 'OpenSSL' else 'no'),
         tr(args.exclude_tests, 'EXCLUDE_TESTS_FROM_ALL'),
         tr(args.exclude_apps, 'EXCLUDE_APPS_FROM_ALL'),
         tr(args.exclude_demos, 'EXCLUDE_DEMOS_FROM_ALL'),
@@ -211,6 +215,9 @@ def configure_mode(mode):
         tr(args.debug_shared_ptr, 'DEBUG_SHARED_PTR', value_when_none='default'),
     ]
 
+    if args.openssl_root_dir is not None:
+        TRANSLATED_ARGS.appen(f'-DOPENSSL_ROOT_DIR={args.openssl_root_dir}')
+
     ingredients_to_cook = set(args.cook)
 
     if args.dpdk:

demos/tls_echo_server.hh

@@ -46,70 +46,86 @@ class echoserver {
     seastar::gate _gate;
     bool _stopped = false;
     bool _verbose = false;
+
+    future<stop_iteration> run_once() {
+        if (_stopped) {
+            return make_ready_future<stop_iteration>(stop_iteration::yes);
+        }
+        return with_gate(_gate, [this] {
+            return _socket.accept().then([this](accept_result ar) {
+                ::connected_socket s = std::move(ar.connection);
+                    socket_address a = std::move(ar.remote_address);
+                    if (_verbose) {
+                        std::cout << "Got connection from "<< a << std::endl;
+                    }
+                    auto strms = make_lw_shared<streams>(std::move(s));
+                    return repeat([strms, this]() {
+                        return strms->in.read().then([this, strms](temporary_buffer<char> buf) {
+                            if (buf.empty()) {
+                                if (_verbose) {
+                                    std::cout << "EOM" << std::endl;
+                                }
+                                return make_ready_future<stop_iteration>(stop_iteration::yes);
+                            }
+                            sstring tmp(buf.begin(), buf.end());
+                            if (_verbose) {
+                                std::cout << "Read " << tmp.size() << "B" << std::endl;
+                            }
+                            return strms->out.write(tmp).then([strms]() {
+                                return strms->out.flush();
+                            }).then([] {
+                                return make_ready_future<stop_iteration>(stop_iteration::no);
+                            });
+                        });
+                    }).then([strms]{
+                        return strms->out.close();
+                    }).handle_exception([](auto ep) {
+                        std::cout << "Exception: " << ep << std::endl;
+                    }).finally([this, strms]{
+                        if (_verbose) {
+                            std::cout << "Ending session" << std::endl;
+                        }
+                        return strms->in.close();
+                    });
+            }).handle_exception([this](auto ep) {
+                if (!_stopped) {
+                    std::cerr << "Error: " << ep << std::endl;
+                }
+            }).then([this] {
+                return make_ready_future<stop_iteration>(_stopped ? stop_iteration::yes : stop_iteration::no);
+            });
+        });
+    }
 public:
     echoserver(bool verbose = false)
             : _certs(make_shared<tls::server_credentials>(make_shared<tls::dh_params>()))
             , _verbose(verbose)
     {}
 
-    future<> listen(socket_address addr, sstring crtfile, sstring keyfile, tls::client_auth ca = tls::client_auth::NONE) {
-        _certs->set_client_auth(ca);
-        return _certs->set_x509_key_file(crtfile, keyfile, tls::x509_crt_format::PEM).then([this, addr] {
-            ::listen_options opts;
-            opts.reuse_address = true;
+    future<> listen(socket_address addr, sstring crtfile, sstring keyfile, sstring cafile) {
+        _certs->set_dn_verification_callback([](seastar::tls::session_type, sstring subject, sstring issuer){
+            std::cout << "DN Verification callback, subject: " << subject << " issuer: " << issuer << std::endl;
+        });
+        auto f = make_ready_future();
+        auto cauth = tls::client_auth::NONE;
+        if (cafile != "") {
+            cauth = tls::client_auth::REQUIRE;
+            f = _certs->set_x509_trust_file(cafile, tls::x509_crt_format::PEM);
+        }
+        _certs->set_client_auth(cauth);
+        return f.then([this, addr, crtfile, keyfile] {
+            return _certs->set_x509_key_file(crtfile, keyfile, tls::x509_crt_format::PEM).then([this, addr] {
+                ::listen_options opts;
+                    opts.reuse_address = true;
 
-            _socket = tls::listen(_certs, addr, opts);
+                    _socket = tls::listen(_certs, addr, opts);
 
-            // Listen in background.
-            (void)repeat([this] {
-                if (_stopped) {
-                    return make_ready_future<stop_iteration>(stop_iteration::yes);
-                }
-                return with_gate(_gate, [this] {
-                    return _socket.accept().then([this](accept_result ar) {
-                        ::connected_socket s = std::move(ar.connection);
-                        socket_address a = std::move(ar.remote_address);
-                        if (_verbose) {
-                            std::cout << "Got connection from "<< a << std::endl;
-                        }
-                        auto strms = make_lw_shared<streams>(std::move(s));
-                        return repeat([strms, this]() {
-                            return strms->in.read().then([this, strms](temporary_buffer<char> buf) {
-                                if (buf.empty()) {
-                                    if (_verbose) {
-                                        std::cout << "EOM" << std::endl;
-                                    }
-                                    return make_ready_future<stop_iteration>(stop_iteration::yes);
-                                }
-                                sstring tmp(buf.begin(), buf.end());
-                                if (_verbose) {
-                                    std::cout << "Read " << tmp.size() << "B" << std::endl;
-                                }
-                                return strms->out.write(tmp).then([strms]() {
-                                    return strms->out.flush();
-                                }).then([] {
-                                    return make_ready_future<stop_iteration>(stop_iteration::no);
-                                });
-                            });
-                        }).then([strms]{
-                            return strms->out.close();
-                        }).handle_exception([](auto ep) {
-                        }).finally([this, strms]{
-                            if (_verbose) {
-                                std::cout << "Ending session" << std::endl;
-                            }
-                            return strms->in.close();
-                        });
-                    }).handle_exception([this](auto ep) {
-                        if (!_stopped) {
-                            std::cerr << "Error: " << ep << std::endl;
-                        }
-                    }).then([this] {
-                        return make_ready_future<stop_iteration>(_stopped ? stop_iteration::yes : stop_iteration::no);
+                    // Listen in background.
+                    (void)repeat([this] {
+                        return run_once();
                     });
-                });
+                    return make_ready_future();
             });
-            return make_ready_future();
         });
     }
 

demos/tls_echo_server_demo.cc

@@ -37,6 +37,7 @@ int main(int ac, char** av) {
     app.add_options()
                     ("port", bpo::value<uint16_t>()->default_value(10000), "Server port")
                     ("address", bpo::value<std::string>()->default_value("127.0.0.1"), "Server address")
+                    ("ca,a", bpo::value<std::string>()->default_value(""), "Server CA chain file")
                     ("cert,c", bpo::value<std::string>()->required(), "Server certificate file")
                     ("key,k", bpo::value<std::string>()->required(), "Certificate key")
                     ("verbose,v", bpo::value<bool>()->default_value(false)->implicit_value(true), "Verbose")
@@ -46,6 +47,7 @@ int main(int ac, char** av) {
             seastar_apps_lib::stop_signal stop_signal;
             auto&& config = app.configuration();
             uint16_t port = config["port"].as<uint16_t>();
+            auto ca = config["ca"].as<std::string>();
             auto crt = config["cert"].as<std::string>();
             auto key = config["key"].as<std::string>();
             auto addr = config["address"].as<std::string>();
@@ -61,7 +63,7 @@ int main(int ac, char** av) {
             auto stop_server = deferred_stop(server);
 
             try {
-                server.invoke_on_all(&echoserver::listen, socket_address(ia), sstring(crt), sstring(key), tls::client_auth::NONE).get();
+                server.invoke_on_all(&echoserver::listen, socket_address(ia), sstring(crt), sstring(key),sstring(ca)).get();
             } catch (...) {
                 std::cerr << "Error: " << std::current_exception() << std::endl;
                 return 1;