author | cerevra <cerevra@yandex-team.ru> | 2022-02-10 16:45:59 +0300 |
---|---|---|
committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:45:59 +0300 |
commit | 4f292c7e2fd0a41da93fda51b2d440c979a330b7 (patch) | |
tree | 1a2c5ffcf89eb53ecd79dbc9bc0a195c27404d0c /library/cpp/openssl | |
parent | bf41dd01f6c920583e9faae7cd55ed25e547e052 (diff) | |
download | ydb-4f292c7e2fd0a41da93fda51b2d440c979a330b7.tar.gz |
Restoring authorship annotation for <cerevra@yandex-team.ru>. Commit 2 of 2.
Diffstat (limited to 'library/cpp/openssl')
-rw-r--r-- | library/cpp/openssl/holders/bio.h | 2 | ||||
-rw-r--r-- | library/cpp/openssl/holders/ut/ya.make | 2 | ||||
-rw-r--r-- | library/cpp/openssl/holders/x509_vfy.h | 2 | ||||
-rw-r--r-- | library/cpp/openssl/io/stream.cpp | 182 | ||||
-rw-r--r-- | library/cpp/openssl/io/stream.h | 40 | ||||
-rw-r--r-- | library/cpp/openssl/io/ut/builtin_ut.cpp | 16 | ||||
-rw-r--r-- | library/cpp/openssl/io/ut/ya.make | 16 | ||||
-rw-r--r-- | library/cpp/openssl/io/ya.make | 6 | ||||
-rw-r--r-- | library/cpp/openssl/method/io.h | 2 | ||||
-rw-r--r-- | library/cpp/openssl/method/ut/io_ut.cpp | 2 | ||||
-rw-r--r-- | library/cpp/openssl/method/ut/ya.make | 2 | ||||
-rw-r--r-- | library/cpp/openssl/method/ya.make | 2 | ||||
-rw-r--r-- | library/cpp/openssl/ya.make | 2 |
13 files changed, 138 insertions, 138 deletions
diff --git a/library/cpp/openssl/holders/bio.h b/library/cpp/openssl/holders/bio.h
index f1d8df6ed7..bcd6a7a9d6 100644
--- a/library/cpp/openssl/holders/bio.h
+++ b/library/cpp/openssl/holders/bio.h
@@ -2,7 +2,7 @@
 #include <contrib/libs/openssl/include/openssl/bio.h>
-#include <library/cpp/openssl/holders/holder.h>
+#include <library/cpp/openssl/holders/holder.h>
 namespace NOpenSSL {
diff --git a/library/cpp/openssl/holders/ut/ya.make b/library/cpp/openssl/holders/ut/ya.make
index c303d63c6c..045cdc3566 100644
--- a/library/cpp/openssl/holders/ut/ya.make
+++ b/library/cpp/openssl/holders/ut/ya.make
@@ -1,4 +1,4 @@
-UNITTEST_FOR(library/cpp/openssl/holders)
+UNITTEST_FOR(library/cpp/openssl/holders)
 OWNER(somov deshevoy)
diff --git a/library/cpp/openssl/holders/x509_vfy.h b/library/cpp/openssl/holders/x509_vfy.h
index 6d472ae93d..b735d8a042 100644
--- a/library/cpp/openssl/holders/x509_vfy.h
+++ b/library/cpp/openssl/holders/x509_vfy.h
@@ -2,7 +2,7 @@
 #include <contrib/libs/openssl/include/openssl/x509_vfy.h>
-#include <library/cpp/openssl/holders/holder.h>
+#include <library/cpp/openssl/holders/holder.h>
 namespace NOpenSSL {
diff --git a/library/cpp/openssl/io/stream.cpp b/library/cpp/openssl/io/stream.cpp
index 65a326c27f..0b4be38c0e 100644
--- a/library/cpp/openssl/io/stream.cpp
+++ b/library/cpp/openssl/io/stream.cpp
@@ -1,18 +1,18 @@
 #include "stream.h"
-#include <util/generic/deque.h>
+#include <util/generic/deque.h>
 #include <util/generic/singleton.h>
 #include <util/generic/yexception.h>
-#include <library/cpp/openssl/init/init.h>
-#include <library/cpp/openssl/method/io.h>
-#include <library/cpp/resource/resource.h>
+#include <library/cpp/openssl/init/init.h>
+#include <library/cpp/openssl/method/io.h>
+#include <library/cpp/resource/resource.h>
 #include <openssl/bio.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
-#include <openssl/tls1.h>
-#include <openssl/x509v3.h>
+#include <openssl/tls1.h>
+#include <openssl/x509v3.h>
 using TOptions = TOpenSslClientIO::TOptions;
@@ -55,19 +55,19 @@ namespace {
 static inline void Destroy(bio_st* bio) noexcept {
 BIO_free(bio);
 }
-
- static inline void Destroy(x509_st* x509) noexcept {
- X509_free(x509);
- }
+
+ static inline void Destroy(x509_st* x509) noexcept {
+ X509_free(x509);
+ }
 };
 template <class T>
- using TSslHolderPtr = THolder<T, TSslDestroy>;
+ using TSslHolderPtr = THolder<T, TSslDestroy>;
- using TSslContextPtr = TSslHolderPtr<ssl_ctx_st>;
- using TSslPtr = TSslHolderPtr<ssl_st>;
- using TBioPtr = TSslHolderPtr<bio_st>;
- using TX509Ptr = TSslHolderPtr<x509_st>;
+ using TSslContextPtr = TSslHolderPtr<ssl_ctx_st>;
+ using TSslPtr = TSslHolderPtr<ssl_st>;
+ using TBioPtr = TSslHolderPtr<bio_st>;
+ using TX509Ptr = TSslHolderPtr<x509_st>;
 inline TSslContextPtr CreateSslCtx(const ssl_method_st* method) {
 TSslContextPtr ctx(SSL_CTX_new(method));
@@ -77,7 +77,7 @@ namespace {
 }
 SSL_CTX_set_options(ctx.Get(), SSL_OP_NO_SSLv2);
-SSL_CTX_set_options(ctx.Get(), SSL_OP_NO_SSLv3);
+SSL_CTX_set_options(ctx.Get(), SSL_OP_NO_SSLv3);
 SSL_CTX_set_options(ctx.Get(), SSL_OP_MICROSOFT_SESS_ID_BUG);
 SSL_CTX_set_options(ctx.Get(), SSL_OP_NETSCAPE_CHALLENGE_BUG);
@@ -171,35 +171,35 @@ namespace {
 ythrow TSslError() << "SSL_new";
 }
- if (VerifyCert_) {
- InitVerification(ssl.Get());
- }
-
+ if (VerifyCert_) {
+ InitVerification(ssl.Get());
+ }
+
 BIO_up_ref(Io); // SSL_set_bio consumes only one reference if rbio and wbio are the same
 SSL_set_bio(ssl.Get(), Io, Io);
 return ssl;
 }
- inline void InitVerification(ssl_st* ssl) {
- X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
- X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ inline void InitVerification(ssl_st* ssl) {
+ X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 Y_ENSURE(X509_VERIFY_PARAM_set1_host(param, VerifyCert_->Hostname_.data(), VerifyCert_->Hostname_.size()));
 SSL_set_tlsext_host_name(ssl, VerifyCert_->Hostname_.data()); // TLS extenstion: SNI
-
- SSL_CTX_set_cert_store(Ctx.Get(), GetBuiltinOpenSslX509Store().Release());
-
- Y_ENSURE_EX(1 == SSL_CTX_set_default_verify_paths(Ctx.Get()),
- TSslError());
- // it is OK to ignore result of SSL_CTX_load_verify_locations():
- // Dir "/etc/ssl/certs/" may be missing
- SSL_CTX_load_verify_locations(Ctx.Get(),
- "/etc/ssl/certs/ca-certificates.crt",
- "/etc/ssl/certs/");
-
- SSL_set_verify(ssl, SSL_VERIFY_PEER, nullptr);
- }
-
+
+ SSL_CTX_set_cert_store(Ctx.Get(), GetBuiltinOpenSslX509Store().Release());
+
+ Y_ENSURE_EX(1 == SSL_CTX_set_default_verify_paths(Ctx.Get()),
+ TSslError());
+ // it is OK to ignore result of SSL_CTX_load_verify_locations():
+ // Dir "/etc/ssl/certs/" may be missing
+ SSL_CTX_load_verify_locations(Ctx.Get(),
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/etc/ssl/certs/");
+
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, nullptr);
+ }
+
 inline void Connect() {
 if (SSL_connect(Ssl.Get()) != 1) {
 ythrow TSslError() << "SSL_connect";
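Review bot: `SSL_set_tlsext_host_name(ssl, VerifyCert_->Hostname_.data())` in InitVerification discards its return value, and neither it nor the preceding `X509_VERIFY_PARAM_set1_host` copes with a hostname given as an IP literal: set1_host only matches DNS names, so a connection addressed by IP fails verification (or invites callers to leave VerifyCert_ unset), and an IP literal must not be sent as SNI at all. Branch on the form of `Hostname_`, use `X509_VERIFY_PARAM_set1_ip_asc` for an address, set SNI only for a DNS name, and check the setter as every other OpenSSL call here is checked. Separately, `SSL_CTX_set_cert_store` and the verify-path loaders mutate `Ctx` from a per-SSL routine; if one context ever serves several connections (not visible in this hunk), the store is replaced and the old one freed on every new SSL object, so that setup belongs with context construction. The enclosing TImpl struct starts and ends outside the hunk.
```cpp
    inline void InitVerification(ssl_st* ssl) {
        X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
        X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
        const TString& host = VerifyCert_->Hostname_;
        // An IP literal is matched against iPAddress SANs and is never sent as SNI.
        if (1 != X509_VERIFY_PARAM_set1_ip_asc(param, host.data())) {
            Y_ENSURE(X509_VERIFY_PARAM_set1_host(param, host.data(), host.size()));
            Y_ENSURE_EX(1 == SSL_set_tlsext_host_name(ssl, host.data()),
                        TSslError() << "SSL_set_tlsext_host_name");
        }
        // … unchanged: cert store, default verify paths, SSL_set_verify …
    }
```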
@@ -270,60 +270,60 @@ void TOpenSslClientIO::DoWrite(const void* buf, size_t len) {
 size_t TOpenSslClientIO::DoRead(void* buf, size_t len) {
 return Impl_->Read(buf, len);
 }
-
-namespace NPrivate {
- void TSslDestroy::Destroy(x509_store_st* x509) noexcept {
- X509_STORE_free(x509);
- }
-}
-
-class TBuiltinCerts {
-public:
- TBuiltinCerts() {
- TString c = NResource::Find("/builtin/cacert");
-
+
+namespace NPrivate {
+ void TSslDestroy::Destroy(x509_store_st* x509) noexcept {
+ X509_STORE_free(x509);
+ }
+}
+
+class TBuiltinCerts {
+public:
+ TBuiltinCerts() {
+ TString c = NResource::Find("/builtin/cacert");
+
 TBioPtr cbio(BIO_new_mem_buf(c.data(), c.size()));
- Y_ENSURE_EX(cbio, TSslError() << "BIO_new_mem_buf");
-
- while (true) {
 TX509Ptr cert(PEM_read_bio_X509(cbio.Get(), nullptr, nullptr, nullptr));
- if (!cert) {
- break;
- }
- Certs.push_back(std::move(cert));
- }
-
- int err = GetLastSslError();
- if (!Certs.empty() && ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
- ERR_clear_error();
- } else {
- ythrow TSslError() << "can't load provided bundle: " << ERR_reason_error_string(err);
- }
-
- Y_ENSURE_EX(!Certs.empty(), TSslError());
- }
-
- TOpenSslX509StorePtr GetX509Store() const {
+ if (!cert) {
+ break;
+ }
+ Certs.push_back(std::move(cert));
+ }
+
+ int err = GetLastSslError();
+ if (!Certs.empty() && ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
+ ERR_clear_error();
+ } else {
+ ythrow TSslError() << "can't load provided bundle: " << ERR_reason_error_string(err);
+ }
+
+ Y_ENSURE_EX(!Certs.empty(), TSslError());
+ }
+
+ TOpenSslX509StorePtr GetX509Store() const {
 TOpenSslX509StorePtr store(X509_STORE_new());
-
- for (const TX509Ptr& c : Certs) {
- if (0 == X509_STORE_add_cert(store.Get(), c.Get())) {
- int err = GetLastSslError();
- if (ERR_GET_LIB(err) == ERR_LIB_X509 && ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
- ERR_clear_error();
- } else {
- ythrow TSslError() << "can't load provided bundle: " << ERR_reason_error_string(err);
- }
- }
- }
-
- return store;
- }
-
-private:
- TDeque<TX509Ptr> Certs;
-};
-
-TOpenSslX509StorePtr GetBuiltinOpenSslX509Store() {
- return Singleton<TBuiltinCerts>()->GetX509Store();
-}
+
+ for (const TX509Ptr& c : Certs) {
+ if (0 == X509_STORE_add_cert(store.Get(), c.Get())) {
+ int err = GetLastSslError();
+ if (ERR_GET_LIB(err) == ERR_LIB_X509 && ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+ ERR_clear_error();
+ } else {
+ ythrow TSslError() << "can't load provided bundle: " << ERR_reason_error_string(err);
+ }
+ }
+ }
+
+ return store;
+ }
+
+private:
+ TDeque<TX509Ptr> Certs;
+};
+
+TOpenSslX509StorePtr GetBuiltinOpenSslX509Store() {
+ return Singleton<TBuiltinCerts>()->GetX509Store();
+}
diff --git a/library/cpp/openssl/io/stream.h b/library/cpp/openssl/io/stream.h
index 5984bfbbc0..7bca8f80ef 100644
--- a/library/cpp/openssl/io/stream.h
+++ b/library/cpp/openssl/io/stream.h
@@ -1,6 +1,6 @@
 #pragma once
-#include <util/generic/maybe.h>
+#include <util/generic/maybe.h>
 #include <util/generic/ptr.h>
 #include <util/stream/input.h>
 #include <util/stream/output.h>
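Review bot: `TOpenSslX509StorePtr store(X509_STORE_new());` in GetX509Store is never checked before `X509_STORE_add_cert(store.Get(), c.Get())` is invoked on it, so an allocation failure becomes a null-pointer dereference instead of the TSslError every other failure in TBuiltinCerts raises; add `Y_ENSURE_EX(store, TSslError() << "X509_STORE_new");` directly after the construction, mirroring the `cbio` check in the constructor. The two `ythrow` branches also stream `ERR_reason_error_string(err)` unguarded, and that function returns NULL for a code it does not know; whether TSslError's stream tolerates a null `const char*` is not visible from here, so either guard it or format with `ERR_error_string_n` into a local buffer. Both the class and GetBuiltinOpenSslX509Store lie wholly inside this hunk.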
@@ -8,19 +8,19 @@
 class TOpenSslClientIO: public IInputStream, public IOutputStream {
 public:
 struct TOptions {
- struct TVerifyCert {
- // Uses builtin certs.
- // Also uses default CA path /etc/ssl/certs/ - can be provided with debian package: ca-certificates.deb.
- // It can be expanded with ENV: SSL_CERT_DIR.
- TString Hostname_;
- };
+ struct TVerifyCert {
+ // Uses builtin certs.
+ // Also uses default CA path /etc/ssl/certs/ - can be provided with debian package: ca-certificates.deb.
+ // It can be expanded with ENV: SSL_CERT_DIR.
+ TString Hostname_;
+ };
 struct TClientCert {
 TString CertificateFile_;
 TString PrivateKeyFile_;
 TString PrivateKeyPassword_;
 };
-
- TMaybe<TVerifyCert> VerifyCert_;
+
+ TMaybe<TVerifyCert> VerifyCert_;
 TMaybe<TClientCert> ClientCert_;
 // TODO - keys, cyphers, etc
 };
@@ -37,14 +37,14 @@ private:
 struct TImpl;
 THolder<TImpl> Impl_;
 };
-
-struct x509_store_st;
-
-namespace NPrivate {
- struct TSslDestroy {
- static void Destroy(x509_store_st* x509) noexcept;
- };
-}
-
-using TOpenSslX509StorePtr = THolder<x509_store_st, NPrivate::TSslDestroy>;
-TOpenSslX509StorePtr GetBuiltinOpenSslX509Store();
+
+struct x509_store_st;
+
+namespace NPrivate {
+ struct TSslDestroy {
+ static void Destroy(x509_store_st* x509) noexcept;
+ };
+}
+
+using TOpenSslX509StorePtr = THolder<x509_store_st, NPrivate::TSslDestroy>;
+TOpenSslX509StorePtr GetBuiltinOpenSslX509Store();
diff --git a/library/cpp/openssl/io/ut/builtin_ut.cpp b/library/cpp/openssl/io/ut/builtin_ut.cpp
index 8254f8148a..987cd08492 100644
--- a/library/cpp/openssl/io/ut/builtin_ut.cpp
+++ b/library/cpp/openssl/io/ut/builtin_ut.cpp
@@ -1,9 +1,9 @@
-#include <library/cpp/openssl/io/stream.h>
+#include <library/cpp/openssl/io/stream.h>
 #include <library/cpp/testing/unittest/registar.h>
-
-Y_UNIT_TEST_SUITE(Builtin) {
- Y_UNIT_TEST(Init) {
- UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
- UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
- }
-}
+
+Y_UNIT_TEST_SUITE(Builtin) {
+ Y_UNIT_TEST(Init) {
+ UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
+ UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
+ }
+}
diff --git a/library/cpp/openssl/io/ut/ya.make b/library/cpp/openssl/io/ut/ya.make
index eab282b4e9..b978a6c046 100644
--- a/library/cpp/openssl/io/ut/ya.make
+++ b/library/cpp/openssl/io/ut/ya.make
@@ -1,12 +1,12 @@
-UNITTEST_FOR(library/cpp/openssl/io)
-
+UNITTEST_FOR(library/cpp/openssl/io)
+
 OWNER(
 pg
 cerevra
 )
-
-SRCS(
- builtin_ut.cpp
-)
-
-END()
+
+SRCS(
+ builtin_ut.cpp
+)
+
+END()
diff --git a/library/cpp/openssl/io/ya.make b/library/cpp/openssl/io/ya.make
index 885d490b1c..aaebba4011 100644
--- a/library/cpp/openssl/io/ya.make
+++ b/library/cpp/openssl/io/ya.make
@@ -3,10 +3,10 @@ LIBRARY()
 OWNER(pg)
 PEERDIR(
- certs
+ certs
 contrib/libs/openssl
- library/cpp/openssl/init
- library/cpp/openssl/method
+ library/cpp/openssl/init
+ library/cpp/openssl/method
 )
 SRCS(
diff --git a/library/cpp/openssl/method/io.h b/library/cpp/openssl/method/io.h
index 7d055d8feb..f1d3df978d 100644
--- a/library/cpp/openssl/method/io.h
+++ b/library/cpp/openssl/method/io.h
@@ -1,6 +1,6 @@
 #pragma once
-#include <library/cpp/openssl/holders/bio.h>
+#include <library/cpp/openssl/holders/bio.h>
 namespace NOpenSSL {
diff --git a/library/cpp/openssl/method/ut/io_ut.cpp b/library/cpp/openssl/method/ut/io_ut.cpp
index 04e193273f..bff2b23d31 100644
--- a/library/cpp/openssl/method/ut/io_ut.cpp
+++ b/library/cpp/openssl/method/ut/io_ut.cpp
@@ -1,4 +1,4 @@
-#include <library/cpp/openssl/method/io.h>
+#include <library/cpp/openssl/method/io.h>
 #include <library/cpp/testing/unittest/registar.h>
diff --git a/library/cpp/openssl/method/ut/ya.make b/library/cpp/openssl/method/ut/ya.make
index 347aa9cb05..3645ad17e6 100644
--- a/library/cpp/openssl/method/ut/ya.make
+++ b/library/cpp/openssl/method/ut/ya.make
@@ -1,4 +1,4 @@
-UNITTEST_FOR(library/cpp/openssl/method)
+UNITTEST_FOR(library/cpp/openssl/method)
 OWNER(somov deshevoy)
diff --git a/library/cpp/openssl/method/ya.make b/library/cpp/openssl/method/ya.make
index c8c8946dcd..c8f6f18b6b 100644
--- a/library/cpp/openssl/method/ya.make
+++ b/library/cpp/openssl/method/ya.make
@@ -4,7 +4,7 @@ OWNER(somov deshevoy)
 PEERDIR(
 contrib/libs/openssl
- library/cpp/openssl/holders
+ library/cpp/openssl/holders
 )
 SRCS(
diff --git a/library/cpp/openssl/ya.make b/library/cpp/openssl/ya.make
index 2bdb9a60ce..7c10963e26 100644
--- a/library/cpp/openssl/ya.make
+++ b/library/cpp/openssl/ya.make
@@ -6,7 +6,7 @@ RECURSE(
 holders
 holders/ut
 io
- io/ut
+ io/ut
 method
 method/ut
 init |