vectordotdev · hhromic · Aug 15, 2023 · Aug 15, 2023
@@ -25,7 +25,7 @@ use crate::metrics;
 #[cfg(feature = "api")]
 use crate::{api, internal_events::ApiStarted};
 use crate::{
-    cli::{handle_config_errors, LogFormat, Opts, RootOpts},
+    cli::{handle_config_errors, LogFormat, OpenSSLProvider, Opts, RootOpts},
     config::{self, Config, ConfigPath},
     heartbeat,
     signal::{ShutdownError, SignalHandler, SignalPair, SignalRx, SignalTo},
@@ -62,7 +62,7 @@ pub struct Application {
     pub require_healthy: Option<bool>,
     pub config: ApplicationConfig,
     pub signals: SignalPair,
-    pub openssl_legacy_provider: Option<Provider>,
+    pub openssl_provider: Option<Provider>,
 }
 
 impl ApplicationConfig {
@@ -196,11 +196,7 @@ impl Application {
             debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL.");
         }
 
-        let openssl_legacy_provider = opts
-            .root
-            .openssl_legacy_provider
-            .then(load_openssl_legacy_provider)
-            .flatten();
+        let openssl_provider = load_openssl_provider(opts.root.openssl_provider);
 
         let runtime = build_runtime(opts.root.threads, "vector-worker")?;
 
@@ -222,7 +218,7 @@ impl Application {
                 require_healthy: opts.root.require_healthy,
                 config,
                 signals,
-                openssl_legacy_provider,
+                openssl_provider,
             },
         ))
     }
@@ -239,7 +235,7 @@ impl Application {
             require_healthy,
             config,
             signals,
-            openssl_legacy_provider,
+            openssl_provider,
         } = self;
 
         let topology_controller = SharedTopologyController::new(TopologyController {
@@ -257,7 +253,7 @@ impl Application {
             graceful_crash_receiver: config.graceful_crash_receiver,
             signals,
             topology_controller,
-            openssl_legacy_provider,
+            openssl_provider,
         })
     }
 }
@@ -267,7 +263,7 @@ pub struct StartedApplication {
     pub graceful_crash_receiver: mpsc::UnboundedReceiver<ShutdownError>,
     pub signals: SignalPair,
     pub topology_controller: SharedTopologyController,
-    pub openssl_legacy_provider: Option<Provider>,
+    pub openssl_provider: Option<Provider>,
 }
 
 impl StartedApplication {
@@ -281,7 +277,7 @@ impl StartedApplication {
             graceful_crash_receiver,
             signals,
             topology_controller,
-            openssl_legacy_provider,
+            openssl_provider,
         } = self;
 
         let mut graceful_crash = UnboundedReceiverStream::new(graceful_crash_receiver);
@@ -313,7 +309,7 @@ impl StartedApplication {
             signal,
             signal_rx,
             topology_controller,
-            openssl_legacy_provider,
+            openssl_provider,
         }
     }
 }
@@ -368,7 +364,7 @@ pub struct FinishedApplication {
     pub signal: SignalTo,
     pub signal_rx: SignalRx,
     pub topology_controller: SharedTopologyController,
-    pub openssl_legacy_provider: Option<Provider>,
+    pub openssl_provider: Option<Provider>,
 }
 
 impl FinishedApplication {
@@ -377,7 +373,7 @@ impl FinishedApplication {
             signal,
             signal_rx,
             topology_controller,
-            openssl_legacy_provider,
+            openssl_provider,
         } = self;
 
         // At this point, we'll have the only reference to the shared topology controller and can
@@ -392,7 +388,7 @@ impl FinishedApplication {
             SignalTo::Quit => Self::quit(),
             _ => unreachable!(),
         };
-        drop(openssl_legacy_provider);
+        drop(openssl_provider);
         status
     }
 
@@ -567,17 +563,20 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64)
     info!(message = "Log level is enabled.", level = ?level);
 }
 
-/// Load the legacy OpenSSL provider.
+/// Load an OpenSSL provider to use.
 ///
 /// The returned [Provider] must stay in scope for the entire lifetime of the application, as it
 /// will be unloaded when it is dropped.
-pub fn load_openssl_legacy_provider() -> Option<Provider> {
-    warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use.");
-    Provider::try_load(None, "legacy", true)
-        .map(|provider| {
-            info!(message = "Loaded openssl legacy provider.");
-            provider
+pub fn load_openssl_provider(provider: OpenSSLProvider) -> Option<Provider> {
+    if provider == OpenSSLProvider::Legacy {
+        warn!(message = "DEPRECATED OpenSSL provider: The legacy provider provides algorithms and key sizes no longer recommended for use.");
+    }
+    let name = provider.name();
+    Provider::try_load(None, name, true)
+        .map(|p| {
+            info!(message = "Loaded openssl provider.", name = name);
+            p
         })
-        .map_err(|error| error!(message = "Failed to load openssl legacy provider.", %error))
+        .map_err(|error| error!(message = "Failed to load openssl provider.", name = name, %error))
         .ok()
 }
@@ -195,9 +195,9 @@ pub struct RootOpts {
     )]
     pub allocation_tracing_reporting_interval_ms: u64,
 
-    /// Load the OpenSSL legacy provider.
-    #[arg(long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", default_value = "true")]
-    pub openssl_legacy_provider: bool,
+    /// Set the OpenSSL implementation provider to use.
+    #[arg(long, env = "VECTOR_OPENSSL_PROVIDER", default_value = "legacy")]
+    pub openssl_provider: OpenSSLProvider,
 
     /// Disable probing and configuration of root certificate locations on the system for OpenSSL.
     ///
@@ -329,6 +329,27 @@ pub enum LogFormat {
     Json,
 }
 
+#[derive(clap::ValueEnum, Debug, Clone, Copy, PartialEq, Eq)]
+pub enum OpenSSLProvider {
+    Default,
+    Base,
+    FIPS,
+    Legacy,
+    Null,
+}
+
+impl OpenSSLProvider {
+    pub fn name(&self) -> &str {
+        match self {
+            OpenSSLProvider::Default => "default",
+            OpenSSLProvider::Base => "base",
+            OpenSSLProvider::FIPS => "fips",
+            OpenSSLProvider::Legacy => "legacy",
+            OpenSSLProvider::Null => "null",
+        }
+    }
+}
+
 pub fn handle_config_errors(errors: Vec<String>) -> exitcode::ExitCode {
     for error in errors {
         error!(message = "Configuration error.", %error);

@@ -113,10 +113,6 @@ cli: {
 			description: env_vars.VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT.description
 			env_var:     "VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT"
 		}
-		"openssl-legacy-provider": {
-			description: env_vars.VECTOR_OPENSSL_LEGACY_PROVIDER.description
-			env_var:     "VECTOR_OPENSSL_LEGACY_PROVIDER"
-		}
 		"openssl-no-probe": {
 			description: env_vars.VECTOR_OPENSSL_NO_PROBE.description
 			env_var:     "VECTOR_OPENSSL_NO_PROBE"
@@ -187,6 +183,12 @@ cli: {
 			type:        "integer"
 			env_var:     "VECTOR_INTERNAL_LOG_RATE_LIMIT"
 		}
+		"openssl-provider": {
+			description: env_vars.VECTOR_OPENSSL_PROVIDER.description
+			default:     env_vars.VECTOR_OPENSSL_PROVIDER.type.string.default
+			enum:        env_vars.VECTOR_OPENSSL_PROVIDER.type.string.enum
+			env_var:     "VECTOR_OPENSSL_PROVIDER"
+		}
 	}
 
 	options: _core_options
@@ -632,9 +634,18 @@ cli: {
 			description: "Never time out while waiting for graceful shutdown after SIGINT or SIGTERM received. This is useful when you would like for Vector to attempt to send data until terminated by a SIGKILL. Overrides/cannot be set with `--graceful-shutdown-limit-secs`."
 			type: bool: default: false
 		}
-		VECTOR_OPENSSL_LEGACY_PROVIDER: {
-			description: "Load the OpenSSL legacy provider."
-			type: bool: default: true
+		VECTOR_OPENSSL_PROVIDER: {
+			description: "Set the OpenSSL implementation provider to use."
+			type: string: {
+				default: "legacy"
+				enum: {
+					default: "The default provider contains all of the most commonly used algorithm implementations. This is the recommended provider."
+					base:    "The base provider contains algorithm implementations for encoding and decoding for OpenSSL keys."
+					fips:    "The FIPS provider contains algorithm implementations that have been validated according to the FIPS 140-2 standard."
+					legacy:  "The legacy provider contains algorithm implementations that are considered insecure, or are no longer in common use such as MD2 or RC4. This provider is deprecated and is not recommended. It is set as default for backwards compatibility."
+					null:    "The null provider contains no algorithms in it at all. This provider is useful for testing."
+				}
+			}
 		}
 		VECTOR_OPENSSL_NO_PROBE: {
 			description: """