author | robot-piglet <robot-piglet@yandex-team.com> | 2023-08-02 15:07:36 +0300 |
---|---|---|
committer | robot-piglet <robot-piglet@yandex-team.com> | 2023-08-02 15:07:36 +0300 |
commit | 8c89ef3c44a03572c2d8a182337f8e73743ae68f (patch) | |
tree | 815854d728620ef9febaead59da0b03a9657ade2 | |
parent | 6d33d6ed03659640a628e99d108e80d942f9676a (diff) | |
Intermediate changes
-rw-r--r-- | yt/yt/core/bus/tcp/connection.cpp | 7 | ||||
-rw-r--r-- | yt/yt/core/bus/tcp/ssl_context.cpp | 49 | ||||
-rw-r--r-- | yt/yt/core/bus/tcp/ssl_context.h | 8 | ||||
-rw-r--r-- | yt/yt/core/bus/unittests/ssl_ut.cpp | 55 |
4 files changed, 109 insertions, 10 deletions
diff --git a/yt/yt/core/bus/tcp/connection.cpp b/yt/yt/core/bus/tcp/connection.cpp index 85088d9d7f..8dca9a3f28 100644 --- a/yt/yt/core/bus/tcp/connection.cpp +++ b/yt/yt/core/bus/tcp/connection.cpp @@ -1946,6 +1946,13 @@ void TTcpConnection::TryEstablishSslSession() return; } + if (Config_->CipherList) { + if (SSL_set_cipher_list(Ssl_.get(), Config_->CipherList->data()) != 1) { + Abort(TError(NBus::EErrorCode::SslError, "Failed to set cipher list: %v", GetLastSslErrorString())); + return; + } + } + if (ConnectionType_ == EConnectionType::Server) { SSL_set_accept_state(Ssl_.get()); diff --git a/yt/yt/core/bus/tcp/ssl_context.cpp b/yt/yt/core/bus/tcp/ssl_context.cpp index e2836da542..56494d8ea7 100644 --- a/yt/yt/core/bus/tcp/ssl_context.cpp +++ b/yt/yt/core/bus/tcp/ssl_context.cpp @@ -77,9 +77,10 @@ public: return SslCtx_.get(); } + //! This function is for testing purposes. void LoadCAFile(const TString& filePath) { - TGuard<TMutex> guard(CAMutex_); + TGuard<TMutex> guard(Mutex_); LoadCAFileUnlocked(filePath); @@ -92,7 +93,7 @@ public: return; } - TGuard<TMutex> guard(CAMutex_); + TGuard<TMutex> guard(Mutex_); if (CAIsLoaded_) { return; @@ -119,9 +120,10 @@ public: } } + //! This function is for testing purposes. void UseCA(const TString& ca) { - TGuard<TMutex> guard(CAMutex_); + TGuard<TMutex> guard(Mutex_); UseCAUnlocked(ca); 
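Review bot: The `SSL_set_cipher_list` call at the top of the added block only governs TLS 1.2-and-earlier cipher suites, so if the context is allowed to negotiate TLS 1.3 (not visible here) the list from `Config_->CipherList` is not applied and the session silently proceeds with the default TLS 1.3 suites; the same holds for `SetCipherListUnlocked` in ssl_context.cpp, which uses `SSL_CTX_set_cipher_list`. If the option is meant to restrict what a peer may negotiate, either pair it with `SSL_set_ciphersuites` for the TLS 1.3 list or state the limitation next to the call, e.g. `// Restricts TLS <= 1.2 suites only; TLS 1.3 suites are configured separately.` The `Abort` branch reports the configured list as unusable before any handshake starts, which is the right place for it. TryEstablishSslSession starts before and continues after the hunk.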
@@ -171,11 +173,31 @@ public: } } - void SetCipherList(const TString& cipherList) + void SetCipherListIfUnset(const TString& cipherList) { - if (SSL_CTX_set_cipher_list(SslCtx_.get(), cipherList.data()) != 1) { - THROW_ERROR_EXCEPTION("Failed to set cipher list: %v", GetLastSslErrorString()); + if (CipherListIsSet_) { + return; } + + TGuard<TMutex> guard(Mutex_); + + if (CipherListIsSet_) { + return; + } + + SetCipherListUnlocked(cipherList); + + CipherListIsSet_ = true; + } + + //! This function is for testing purposes. + void SetCipherList(const TString& cipherList) + { + TGuard<TMutex> guard(Mutex_); + + SetCipherListUnlocked(cipherList); + + CipherListIsSet_ = true; } //! Check the consistency of a private key with the corresponding certificate. @@ -196,6 +218,13 @@ private: } } + void SetCipherListUnlocked(const TString& cipherList) + { + if (SSL_CTX_set_cipher_list(SslCtx_.get(), cipherList.data()) != 1) { + THROW_ERROR_EXCEPTION("Failed to set cipher list: %v", GetLastSslErrorString()); + } + } + void UseCAUnlocked(const TString& ca) { std::unique_ptr<BIO, TDeleter> bio(BIO_new_mem_buf(ca.data(), ca.size())); @@ -215,8 +244,9 @@ private: } private: - TMutex CAMutex_; + TMutex Mutex_; std::atomic<bool> CAIsLoaded_ = false; + std::atomic<bool> CipherListIsSet_ = false; std::unique_ptr<SSL_CTX, TDeleter> SslCtx_; }; @@ -279,6 +309,11 @@ void TSslContext::SetCipherList(const TString& cipherList) return Impl_->SetCipherList(cipherList); } +void TSslContext::SetCipherListIfUnset(const TString& cipherList) +{ + return Impl_->SetCipherListIfUnset(cipherList); +} + void TSslContext::CheckPrivateKeyWithCertificate() { return Impl_->CheckPrivateKeyWithCertificate(); diff --git a/yt/yt/core/bus/tcp/ssl_context.h b/yt/yt/core/bus/tcp/ssl_context.h index 635422c086..ba8b414b81 100644 --- a/yt/yt/core/bus/tcp/ssl_context.h +++ b/yt/yt/core/bus/tcp/ssl_context.h 
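Review bot: `SetCipherListIfUnset` returns silently when `CipherListIsSet_` is already true, so a second caller that passes a different list to the process-wide context (`TSslContext::Get()` is static) gets neither an error nor a log line and the process keeps whichever list arrived first. Because the test-only `SetCipherList` also sets `CipherListIsSet_ = true`, a production call made after a test override is dropped the same way. Since a dropped cipher restriction is a security-relevant misconfiguration, consider remembering the applied list and at least logging when a later call with a different list is ignored, or document the contract on the method: `//! Applies the cipher list once per process; later calls, with any list, are ignored.` The enclosing class TImpl begins before the first hunk and its private members continue past the last one.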
@@ -23,17 +23,19 @@ public: SSL_CTX* GetSslCtx(); static TSslContext* Get(); - void LoadCAFile(const TString& filePath); void LoadCAFileIfNotLoaded(const TString& filePath); void LoadCertificateChain(const TString& filePath); void LoadPrivateKey(const TString& filePath); - void UseCA(const TString& ca); void UseCertificateChain(const TString& certificate); void UsePrivateKey(const TString& privateKey); - void SetCipherList(const TString& cipherList); + void SetCipherListIfUnset(const TString& cipherList); void CheckPrivateKeyWithCertificate(); + // For testing purposes. + void LoadCAFile(const TString& filePath); void Reset(); + void SetCipherList(const TString& cipherList); + void UseCA(const TString& ca); private: class TImpl; diff --git a/yt/yt/core/bus/unittests/ssl_ut.cpp b/yt/yt/core/bus/unittests/ssl_ut.cpp index 3c96233fb7..a0a5d81157 100644 --- a/yt/yt/core/bus/unittests/ssl_ut.cpp +++ b/yt/yt/core/bus/unittests/ssl_ut.cpp 
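Review bot: The new `// For testing purposes.` comment does not say what makes the grouped declarations unsuitable for production callers, yet they stay public and differ from their production counterparts in a way that matters: `SetCipherList` overwrites the process-wide cipher list even after `SetCipherListIfUnset` has run, and `LoadCAFile` reloads the CA file regardless of `LoadCAFileIfNotLoaded`. Suggest `// For testing purposes only: these bypass the once-only guards and mutate the shared context.` and, since `Reset()` sits inside the block, either stating whether it is covered or moving it out of the group.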
@@ -541,6 +541,61 @@ JFWcF3ghP7uPmbONWLiTFwxsSJHT0svVQZgq1aZz .ThrowOnError(); } +TEST_F(TSslTest, ServerCipherList) +{ + auto serverConfig = TBusServerConfig::CreateTcp(Port); + serverConfig->UseKeyPairFromSslContext = true; + serverConfig->EncryptionMode = EEncryptionMode::Required; + serverConfig->VerificationMode = EVerificationMode::None; + serverConfig->CipherList = "AES128-GCM-SHA256:PSK-AES128-GCM-SHA256"; + auto server = CreateBusServer(serverConfig); + server->Start(New<TEmptyBusHandler>()); + + auto clientConfig = TBusClientConfig::CreateTcp(Address); + clientConfig->EncryptionMode = EEncryptionMode::Required; + clientConfig->VerificationMode = EVerificationMode::None; + auto client = CreateBusClient(clientConfig); + + auto bus = client->CreateBus(New<TEmptyBusHandler>()); + EXPECT_TRUE(bus->GetReadyFuture().Get().IsOK()); + EXPECT_TRUE(bus->IsEncrypted()); + + for (int i = 0; i < 2; ++i) { + auto message = CreateMessage(1); + auto sendFuture = bus->Send(message, NBus::TSendOptions(EDeliveryTrackingLevel::Full)); + Cerr << sendFuture.Get().GetMessage() << Endl; + EXPECT_TRUE(sendFuture.Get().IsOK()); + } + + server->Stop() + .Get() + .ThrowOnError(); +} + +TEST_F(TSslTest, DifferentCipherLists) +{ + auto serverConfig = TBusServerConfig::CreateTcp(Port); + serverConfig->UseKeyPairFromSslContext = true; + serverConfig->EncryptionMode = EEncryptionMode::Required; + serverConfig->VerificationMode = EVerificationMode::None; + serverConfig->CipherList = "PSK-AES128-GCM-SHA256"; + auto server = CreateBusServer(serverConfig); + server->Start(New<TEmptyBusHandler>()); + + auto clientConfig = TBusClientConfig::CreateTcp(Address); + clientConfig->EncryptionMode = EEncryptionMode::Required; + clientConfig->VerificationMode = EVerificationMode::None; + clientConfig->CipherList = "AES128-GCM-SHA256"; + auto client = CreateBusClient(clientConfig); + + auto bus = client->CreateBus(New<TEmptyBusHandler>()); + EXPECT_FALSE(bus->GetReadyFuture().Get().IsOK()); + + 
server->Stop() + .Get() + .ThrowOnError(); +} + //////////////////////////////////////////////////////////////////////////////// } // namespace |
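Review bot: `Cerr << sendFuture.Get().GetMessage() << Endl;` inside the loop of `ServerCipherList` looks like a leftover debug print, and it also calls `Get()` on the future twice; drop it and keep only `EXPECT_TRUE(sendFuture.Get().IsOK());`. Neither test asserts which cipher was actually negotiated, so `ServerCipherList` would pass even if the list were never applied; if the bus exposes the negotiated cipher, asserting it would make the test check the restriction itself. `DifferentCipherLists` is the only coverage of the restriction, and its expected handshake failure holds only when TLS 1.3 is not negotiated, since `SSL_set_cipher_list` does not apply to TLS 1.3 suites; a comment stating that assumption would help whoever next changes the protocol settings.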