authorrobot-piglet <robot-piglet@yandex-team.com>2023-08-02 15:07:36 +0300
committerrobot-piglet <robot-piglet@yandex-team.com>2023-08-02 15:07:36 +0300
commit8c89ef3c44a03572c2d8a182337f8e73743ae68f (patch)
tree815854d728620ef9febaead59da0b03a9657ade2
parent6d33d6ed03659640a628e99d108e80d942f9676a (diff)
downloadydb-8c89ef3c44a03572c2d8a182337f8e73743ae68f.tar.gz
Intermediate changes
-rw-r--r--yt/yt/core/bus/tcp/connection.cpp7
-rw-r--r--yt/yt/core/bus/tcp/ssl_context.cpp49
-rw-r--r--yt/yt/core/bus/tcp/ssl_context.h8
-rw-r--r--yt/yt/core/bus/unittests/ssl_ut.cpp55
4 files changed, 109 insertions, 10 deletions
diff --git a/yt/yt/core/bus/tcp/connection.cpp b/yt/yt/core/bus/tcp/connection.cpp
index 85088d9d7f..8dca9a3f28 100644
--- a/yt/yt/core/bus/tcp/connection.cpp
+++ b/yt/yt/core/bus/tcp/connection.cpp
@@ -1946,6 +1946,13 @@ void TTcpConnection::TryEstablishSslSession()
return;
}
+ if (Config_->CipherList) {
+ if (SSL_set_cipher_list(Ssl_.get(), Config_->CipherList->data()) != 1) {
+ Abort(TError(NBus::EErrorCode::SslError, "Failed to set cipher list: %v", GetLastSslErrorString()));
+ return;
+ }
+ }
+
if (ConnectionType_ == EConnectionType::Server) {
SSL_set_accept_state(Ssl_.get());
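Review bot: The new `SSL_set_cipher_list` call only constrains TLS 1.2-and-earlier suites; OpenSSL's TLS 1.3 suites are selected through the separate ciphersuites setting, so if the context permits TLS 1.3 a handshake can still complete with a default TLS 1.3 suite regardless of `Config_->CipherList`, and the restriction is weaker than the config name suggests. The same applies to `SetCipherListUnlocked` in ssl_context.cpp, which wraps `SSL_CTX_set_cipher_list`. Whether TLS 1.3 is enabled on `SslCtx_` is not visible in this diff, so the limitation should at least be stated at the call site: `// NOTE: SSL_set_cipher_list only covers TLS <= 1.2 suites; TLS 1.3 suites are not restricted by CipherList.` TryEstablishSslSession's body continues outside the hunk.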
diff --git a/yt/yt/core/bus/tcp/ssl_context.cpp b/yt/yt/core/bus/tcp/ssl_context.cpp
index e2836da542..56494d8ea7 100644
--- a/yt/yt/core/bus/tcp/ssl_context.cpp
+++ b/yt/yt/core/bus/tcp/ssl_context.cpp
@@ -77,9 +77,10 @@ public:
return SslCtx_.get();
}
+ //! This function is for testing purposes.
void LoadCAFile(const TString& filePath)
{
- TGuard<TMutex> guard(CAMutex_);
+ TGuard<TMutex> guard(Mutex_);
LoadCAFileUnlocked(filePath);
@@ -92,7 +93,7 @@ public:
return;
}
- TGuard<TMutex> guard(CAMutex_);
+ TGuard<TMutex> guard(Mutex_);
if (CAIsLoaded_) {
return;
@@ -119,9 +120,10 @@ public:
}
}
+ //! This function is for testing purposes.
void UseCA(const TString& ca)
{
- TGuard<TMutex> guard(CAMutex_);
+ TGuard<TMutex> guard(Mutex_);
UseCAUnlocked(ca);
@@ -171,11 +173,31 @@ public:
}
}
- void SetCipherList(const TString& cipherList)
+ void SetCipherListIfUnset(const TString& cipherList)
{
- if (SSL_CTX_set_cipher_list(SslCtx_.get(), cipherList.data()) != 1) {
- THROW_ERROR_EXCEPTION("Failed to set cipher list: %v", GetLastSslErrorString());
+ if (CipherListIsSet_) {
+ return;
}
+
+ TGuard<TMutex> guard(Mutex_);
+
+ if (CipherListIsSet_) {
+ return;
+ }
+
+ SetCipherListUnlocked(cipherList);
+
+ CipherListIsSet_ = true;
+ }
+
+ //! This function is for testing purposes.
+ void SetCipherList(const TString& cipherList)
+ {
+ TGuard<TMutex> guard(Mutex_);
+
+ SetCipherListUnlocked(cipherList);
+
+ CipherListIsSet_ = true;
}
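Review bot: `SetCipherListIfUnset` silently makes the first caller's list win for the whole process — a later call with a different list (from another config in the same process) is a no-op with no log or error — and neither this definition nor the declaration added in ssl_context.h says so. Add above the function: `//! Applies cipherList to the shared SSL_CTX only on the first call; later calls are ignored even if the list differs.` The early return before the lock re-checks `CipherListIsSet_` under `Mutex_`, which is correct for the atomic flag. `Reset()` is not part of this diff; if it rebuilds `SslCtx_`, it presumably also needs to clear `CipherListIsSet_`, otherwise the fresh context never receives a cipher list through the IfUnset path.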
//! Check the consistency of a private key with the corresponding certificate.
@@ -196,6 +218,13 @@ private:
}
}
+ void SetCipherListUnlocked(const TString& cipherList)
+ {
+ if (SSL_CTX_set_cipher_list(SslCtx_.get(), cipherList.data()) != 1) {
+ THROW_ERROR_EXCEPTION("Failed to set cipher list: %v", GetLastSslErrorString());
+ }
+ }
+
void UseCAUnlocked(const TString& ca)
{
std::unique_ptr<BIO, TDeleter> bio(BIO_new_mem_buf(ca.data(), ca.size()));
@@ -215,8 +244,9 @@ private:
}
private:
- TMutex CAMutex_;
+ TMutex Mutex_;
std::atomic<bool> CAIsLoaded_ = false;
+ std::atomic<bool> CipherListIsSet_ = false;
std::unique_ptr<SSL_CTX, TDeleter> SslCtx_;
};
@@ -279,6 +309,11 @@ void TSslContext::SetCipherList(const TString& cipherList)
return Impl_->SetCipherList(cipherList);
}
+void TSslContext::SetCipherListIfUnset(const TString& cipherList)
+{
+ return Impl_->SetCipherListIfUnset(cipherList);
+}
+
void TSslContext::CheckPrivateKeyWithCertificate()
{
return Impl_->CheckPrivateKeyWithCertificate();
diff --git a/yt/yt/core/bus/tcp/ssl_context.h b/yt/yt/core/bus/tcp/ssl_context.h
index 635422c086..ba8b414b81 100644
--- a/yt/yt/core/bus/tcp/ssl_context.h
+++ b/yt/yt/core/bus/tcp/ssl_context.h
@@ -23,17 +23,19 @@ public:
SSL_CTX* GetSslCtx();
static TSslContext* Get();
- void LoadCAFile(const TString& filePath);
void LoadCAFileIfNotLoaded(const TString& filePath);
void LoadCertificateChain(const TString& filePath);
void LoadPrivateKey(const TString& filePath);
- void UseCA(const TString& ca);
void UseCertificateChain(const TString& certificate);
void UsePrivateKey(const TString& privateKey);
- void SetCipherList(const TString& cipherList);
+ void SetCipherListIfUnset(const TString& cipherList);
void CheckPrivateKeyWithCertificate();
+
// For testing purposes.
+ void LoadCAFile(const TString& filePath);
void Reset();
+ void SetCipherList(const TString& cipherList);
+ void UseCA(const TString& ca);
private:
class TImpl;
diff --git a/yt/yt/core/bus/unittests/ssl_ut.cpp b/yt/yt/core/bus/unittests/ssl_ut.cpp
index 3c96233fb7..a0a5d81157 100644
--- a/yt/yt/core/bus/unittests/ssl_ut.cpp
+++ b/yt/yt/core/bus/unittests/ssl_ut.cpp
@@ -541,6 +541,61 @@ JFWcF3ghP7uPmbONWLiTFwxsSJHT0svVQZgq1aZz
.ThrowOnError();
}
+TEST_F(TSslTest, ServerCipherList)
+{
+ auto serverConfig = TBusServerConfig::CreateTcp(Port);
+ serverConfig->UseKeyPairFromSslContext = true;
+ serverConfig->EncryptionMode = EEncryptionMode::Required;
+ serverConfig->VerificationMode = EVerificationMode::None;
+ serverConfig->CipherList = "AES128-GCM-SHA256:PSK-AES128-GCM-SHA256";
+ auto server = CreateBusServer(serverConfig);
+ server->Start(New<TEmptyBusHandler>());
+
+ auto clientConfig = TBusClientConfig::CreateTcp(Address);
+ clientConfig->EncryptionMode = EEncryptionMode::Required;
+ clientConfig->VerificationMode = EVerificationMode::None;
+ auto client = CreateBusClient(clientConfig);
+
+ auto bus = client->CreateBus(New<TEmptyBusHandler>());
+ EXPECT_TRUE(bus->GetReadyFuture().Get().IsOK());
+ EXPECT_TRUE(bus->IsEncrypted());
+
+ for (int i = 0; i < 2; ++i) {
+ auto message = CreateMessage(1);
+ auto sendFuture = bus->Send(message, NBus::TSendOptions(EDeliveryTrackingLevel::Full));
+ Cerr << sendFuture.Get().GetMessage() << Endl;
+ EXPECT_TRUE(sendFuture.Get().IsOK());
+ }
+
+ server->Stop()
+ .Get()
+ .ThrowOnError();
+}
+
+TEST_F(TSslTest, DifferentCipherLists)
+{
+ auto serverConfig = TBusServerConfig::CreateTcp(Port);
+ serverConfig->UseKeyPairFromSslContext = true;
+ serverConfig->EncryptionMode = EEncryptionMode::Required;
+ serverConfig->VerificationMode = EVerificationMode::None;
+ serverConfig->CipherList = "PSK-AES128-GCM-SHA256";
+ auto server = CreateBusServer(serverConfig);
+ server->Start(New<TEmptyBusHandler>());
+
+ auto clientConfig = TBusClientConfig::CreateTcp(Address);
+ clientConfig->EncryptionMode = EEncryptionMode::Required;
+ clientConfig->VerificationMode = EVerificationMode::None;
+ clientConfig->CipherList = "AES128-GCM-SHA256";
+ auto client = CreateBusClient(clientConfig);
+
+ auto bus = client->CreateBus(New<TEmptyBusHandler>());
+ EXPECT_FALSE(bus->GetReadyFuture().Get().IsOK());
+
+ server->Stop()
+ .Get()
+ .ThrowOnError();
+}
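Review bot: `DifferentCipherLists` only asserts that the bus failed to become ready, so any failure (port in use, connection refused, handshake timeout) makes it pass; it should also check that the returned error carries `NBus::EErrorCode::SslError` so the test actually pins the cipher mismatch. The `Cerr << sendFuture.Get().GetMessage() << Endl;` line in `ServerCipherList` looks like leftover debugging and should be dropped. Both tests use TLS 1.2 cipher names; if the shared context allows TLS 1.3, the mismatch test can pass or fail for reasons unrelated to the cipher lists, so the expected protocol version is worth asserting or pinning in the test.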
+
////////////////////////////////////////////////////////////////////////////////
} // namespace