authorrobot-piglet <robot-piglet@yandex-team.com>2024-02-29 21:55:33 +0300
committerrobot-piglet <robot-piglet@yandex-team.com>2024-02-29 22:06:43 +0300
commit8684dc884613d721c87968d05c25acb5d88fdd80 (patch)
tree64013b2392b6041aa16121bc20bdffae3cacd194 /yt
parent37b83ac8f9363ea59c3e999e73adc41da03548f5 (diff)
downloadydb-8684dc884613d721c87968d05c25acb5d88fdd80.tar.gz
Intermediate changes
Diffstat (limited to 'yt')
-rw-r--r--yt/yt/client/chunk_client/data_statistics.cpp5
-rw-r--r--yt/yt/core/bus/tcp/connection.cpp38
-rw-r--r--yt/yt/core/bus/unittests/ssl_ut.cpp236
-rw-r--r--yt/yt/core/compression/dictionary_codec.h6
-rw-r--r--yt/yt/core/compression/zstd.cpp8
-rw-r--r--yt/yt/core/crypto/tls.cpp55
6 files changed, 265 insertions, 83 deletions
diff --git a/yt/yt/client/chunk_client/data_statistics.cpp b/yt/yt/client/chunk_client/data_statistics.cpp
index ce4ca1cd84..34327adbf7 100644
--- a/yt/yt/client/chunk_client/data_statistics.cpp
+++ b/yt/yt/client/chunk_client/data_statistics.cpp
@@ -212,9 +212,8 @@ TDuration TCodecStatistics::GetTotalDuration() const
void FormatValue(TStringBuilderBase* builder, const TCodecStatistics& statistics, TStringBuf /* spec */)
{
FormatKeyValueRange(builder, statistics.CodecToDuration(), TDefaultFormatter());
- if (statistics.ValueDictionaryCompressionDuration()) {
- builder->AppendString(", ");
- builder->AppendFormat("ValueDictionaryCompressionDuration: %v",
+ if (statistics.ValueDictionaryCompressionDuration() != TDuration::Zero()) {
+ builder->AppendFormat(", ValueDictionaryCompressionDuration: %v",
statistics.ValueDictionaryCompressionDuration());
}
}
diff --git a/yt/yt/core/bus/tcp/connection.cpp b/yt/yt/core/bus/tcp/connection.cpp
index a235ec6290..cf5eb2fed8 100644
--- a/yt/yt/core/bus/tcp/connection.cpp
+++ b/yt/yt/core/bus/tcp/connection.cpp
@@ -2011,17 +2011,35 @@ void TTcpConnection::TryEstablishSslSession()
switch (VerificationMode_) {
case EVerificationMode::Full:
- // Set the hostname for the peer certificate verification.
- if (SSL_set1_host(Ssl_.get(), EndpointHostName_.data()) != 1) {
- Abort(TError(NBus::EErrorCode::SslError, "Failed to set hostname %v for the peer certificate verification", EndpointHostName_));
- return;
- }
- if (Config_->PeerAlternativeHostName &&
- SSL_add1_host(Ssl_.get(), Config_->PeerAlternativeHostName->data()) != 1)
- {
- Abort(TError(NBus::EErrorCode::SslError, "Failed to set alternative hostname %v for the peer certificate verification", *Config_->PeerAlternativeHostName));
- return;
+ // Because of the implementation of check_id() from libs/openssl/crypto/x509/x509_vfy.c,
+ // we can not set both ip and host checks. So we separate them as follows.
+ if (Config_->PeerAlternativeHostName) {
+ // Set hostname for peer certificate verification.
+ if (SSL_set1_host(Ssl_.get(), EndpointHostName_.c_str()) != 1) {
+ Abort(TError(NBus::EErrorCode::SslError, "Failed to set hostname %v for peer certificate verification", EndpointHostName_));
+ return;
+ }
+
+ // Add alternative hostname for peer certificate verification.
+ if (SSL_add1_host(Ssl_.get(), Config_->PeerAlternativeHostName->c_str()) != 1) {
+ Abort(TError(NBus::EErrorCode::SslError, "Failed to add alternative hostname %v for peer certificate verification", *Config_->PeerAlternativeHostName));
+ return;
+ }
+ } else if (auto networkAddress = TNetworkAddress::TryParse(EndpointHostName_); networkAddress.IsOK() && networkAddress.Value().IsIP()) {
+ // Set ip address for peer certificate verification.
+ auto address = ToString(networkAddress.Value(), {.IncludePort = false, .IncludeTcpProtocol = false});
+ if (X509_VERIFY_PARAM_set1_ip_asc(SSL_get0_param(Ssl_.get()), address.c_str()) != 1) {
+ Abort(TError(NBus::EErrorCode::SslError, "Failed to set ip address %v for peer certificate verification", address));
+ return;
+ }
+ } else {
+ // Set hostname for peer certificate verification.
+ if (SSL_set1_host(Ssl_.get(), EndpointHostName_.c_str()) != 1) {
+ Abort(TError(NBus::EErrorCode::SslError, "Failed to set hostname %v for peer certificate verification", EndpointHostName_));
+ return;
+ }
}
+
[[fallthrough]];
case EVerificationMode::Ca: {
if (!Config_->CA) {
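Review bot: `SSL_set1_host` reports success while clearing the hostname list when it is handed an empty string, so if `EndpointHostName_` can ever be empty at this point (where it is assigned lies outside the hunk) both `SSL_set1_host` branches return 1 and the handshake proceeds with no name check at all; an explicit fail-closed guard before the `switch`, `if (EndpointHostName_.empty()) { Abort(TError(NBus::EErrorCode::SslError, "Empty endpoint hostname for peer certificate verification")); return; }`, would close that gap. The first branch also deserves a comment making the trade-off visible: with `PeerAlternativeHostName` set, an IP-literal endpoint is registered as a DNS name and can never match an iPAddress SAN, so the alternative name alone decides whether the peer is accepted, e.g. `// NB: with an alternative hostname an IP endpoint is not checked against iPAddress SANs; the alternative name alone verifies the peer.` The identical `SSL_set1_host` blocks in the first and third branches could be folded into one by routing to the IP branch only when `!Config_->PeerAlternativeHostName` and the address parses as an IP, then adding the alternative name afterwards. `TryEstablishSslSession` begins before this hunk and the `EVerificationMode::Ca` case continues after it.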
diff --git a/yt/yt/core/bus/unittests/ssl_ut.cpp b/yt/yt/core/bus/unittests/ssl_ut.cpp
index 79d235e1a7..d43f42cdc5 100644
--- a/yt/yt/core/bus/unittests/ssl_ut.cpp
+++ b/yt/yt/core/bus/unittests/ssl_ut.cpp
@@ -51,7 +51,8 @@ class TSslTest
public:
NTesting::TPortHolder Port;
TString Address;
- TString AddressWithIp;
+ TString AddressWithIpV4;
+ TString AddressWithIpV6;
const char* CA = R"foo(-----BEGIN CERTIFICATE-----
MIIFWjCCA0KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJSVTEP
@@ -170,11 +171,128 @@ qrpW/AReSwhvwVugcMFUgMXaDx/3SAY75B808wX1tizv76omWZAQ774FeGQGyP4C
rPl77gAcribJm3TzBVHm2m6jBGtb
-----END PRIVATE KEY-----)foo";
+ const char* CAWithSAN = R"foo(-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----)foo";
+
+ const char* CertChainWithSAN = R"foo(-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----)foo";
+
+ const char* PrivateKeyWithSAN = R"foo(-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----)foo";
+
TSslTest()
{
Port = NTesting::GetFreePort();
Address = Format("localhost:%v", Port);
- AddressWithIp = Format("127.0.0.1:%v", Port);
+ AddressWithIpV4 = Format("127.0.0.1:%v", Port);
+ AddressWithIpV6 = Format("[::1]:%v", Port);
}
};
@@ -508,54 +626,94 @@ TEST_F(TSslTest, FullVerificationMode)
.ThrowOnError();
}
-TEST_F(TSslTest, FullVerificationAlternativeHostName)
+TEST_F(TSslTest, FullVerificationModeWithSANCerts)
{
// Reset ctx in order to unload possibly loaded CA.
TSslContext::Get()->Reset();
- auto serverConfig = TBusServerConfig::CreateTcp(Port);
- serverConfig->EncryptionMode = EEncryptionMode::Required;
- serverConfig->VerificationMode = EVerificationMode::None;
- serverConfig->CertificateChain = New<NCrypto::TPemBlobConfig>();
- serverConfig->CertificateChain->Value = CertChain;
- serverConfig->PrivateKey = New<NCrypto::TPemBlobConfig>();
- serverConfig->PrivateKey->Value = PrivateKey;
- auto server = CreateBusServer(serverConfig);
- server->Start(New<TEmptyBusHandler>());
-
- // Connect via IP.
- auto clientConfig = TBusClientConfig::CreateTcp(AddressWithIp);
- clientConfig->EncryptionMode = EEncryptionMode::Required;
- clientConfig->VerificationMode = EVerificationMode::Full;
- clientConfig->CA = New<NCrypto::TPemBlobConfig>();
- clientConfig->CA->Value = CA;
-
- {
+ for (const auto& address : {AddressWithIpV4, AddressWithIpV6}) {
+ auto serverConfig = TBusServerConfig::CreateTcp(Port);
+ serverConfig->EncryptionMode = EEncryptionMode::Required;
+ serverConfig->VerificationMode = EVerificationMode::None;
+ serverConfig->CertificateChain = New<NCrypto::TPemBlobConfig>();
+ serverConfig->CertificateChain->Value = CertChainWithSAN;
+ serverConfig->PrivateKey = New<NCrypto::TPemBlobConfig>();
+ serverConfig->PrivateKey->Value = PrivateKeyWithSAN;
+ auto server = CreateBusServer(serverConfig);
+ server->Start(New<TEmptyBusHandler>());
+
+ auto clientConfig = TBusClientConfig::CreateTcp(address);
+ clientConfig->EncryptionMode = EEncryptionMode::Required;
+ clientConfig->VerificationMode = EVerificationMode::Full;
+ clientConfig->CA = New<NCrypto::TPemBlobConfig>();
+ clientConfig->CA->Value = CAWithSAN;
auto client = CreateBusClient(clientConfig);
+
auto bus = client->CreateBus(New<TEmptyBusHandler>());
- // This test should fail since 127.0.0.1 != localhost.
- EXPECT_THROW_MESSAGE_HAS_SUBSTR(
- bus->GetReadyFuture().Get().ThrowOnError(),
- NYT::TErrorException,
- "Failed to establish TLS/SSL session");
+ // This test should pass since (127.0.0.1 | [::1]) is in SAN.
+ EXPECT_TRUE(bus->GetReadyFuture().Get().IsOK());
+ EXPECT_TRUE(bus->IsEncrypted());
+
+ auto message = CreateMessage(1);
+ auto sendFuture = bus->Send(message, {.TrackingLevel = EDeliveryTrackingLevel::Full});
+ EXPECT_TRUE(sendFuture.Get().IsOK());
+
+ server->Stop()
+ .Get()
+ .ThrowOnError();
}
+}
- // Connect via IP with Alt Hostname.
- clientConfig->PeerAlternativeHostName = "localhost";
- auto client = CreateBusClient(clientConfig);
+TEST_F(TSslTest, FullVerificationAlternativeHostName)
+{
+ // Reset ctx in order to unload possibly loaded CA.
+ TSslContext::Get()->Reset();
- auto bus = client->CreateBus(New<TEmptyBusHandler>());
- // This test should pass since key pair is issued for CN=localhost.
- EXPECT_NO_THROW(bus->GetReadyFuture().Get().ThrowOnError());
- EXPECT_TRUE(bus->IsEncrypted());
+ for (const auto& address : {AddressWithIpV4, AddressWithIpV6}) {
+ auto serverConfig = TBusServerConfig::CreateTcp(Port);
+ serverConfig->EncryptionMode = EEncryptionMode::Required;
+ serverConfig->VerificationMode = EVerificationMode::None;
+ serverConfig->CertificateChain = New<NCrypto::TPemBlobConfig>();
+ serverConfig->CertificateChain->Value = CertChain;
+ serverConfig->PrivateKey = New<NCrypto::TPemBlobConfig>();
+ serverConfig->PrivateKey->Value = PrivateKey;
+ auto server = CreateBusServer(serverConfig);
+ server->Start(New<TEmptyBusHandler>());
+
+ // Connect via IP.
+ auto clientConfig = TBusClientConfig::CreateTcp(address);
+ clientConfig->EncryptionMode = EEncryptionMode::Required;
+ clientConfig->VerificationMode = EVerificationMode::Full;
+ clientConfig->CA = New<NCrypto::TPemBlobConfig>();
+ clientConfig->CA->Value = CA;
+
+ {
+ auto client = CreateBusClient(clientConfig);
+ auto bus = client->CreateBus(New<TEmptyBusHandler>());
+ // This test should fail since (127.0.0.1 | [::1]) != localhost.
+ EXPECT_THROW_MESSAGE_HAS_SUBSTR(
+ bus->GetReadyFuture().Get().ThrowOnError(),
+ NYT::TErrorException,
+ "Failed to establish TLS/SSL session");
+ }
+
+ // Connect via IP with Alt Hostname.
+ clientConfig->PeerAlternativeHostName = "localhost";
+ auto client = CreateBusClient(clientConfig);
- auto message = CreateMessage(1);
- auto sendFuture = bus->Send(message, {.TrackingLevel = EDeliveryTrackingLevel::Full});
- EXPECT_NO_THROW(sendFuture.Get().ThrowOnError());
+ auto bus = client->CreateBus(New<TEmptyBusHandler>());
+ // This test should pass since key pair is issued for CN=localhost.
+ EXPECT_NO_THROW(bus->GetReadyFuture().Get().ThrowOnError());
+ EXPECT_TRUE(bus->IsEncrypted());
- server->Stop()
- .Get()
- .ThrowOnError();
+ auto message = CreateMessage(1);
+ auto sendFuture = bus->Send(message, {.TrackingLevel = EDeliveryTrackingLevel::Full});
+ EXPECT_NO_THROW(sendFuture.Get().ThrowOnError());
+
+ server->Stop()
+ .Get()
+ .ThrowOnError();
+ }
}
TEST_F(TSslTest, ServerCipherList)
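Review bot: The success assertions in FullVerificationModeWithSANCerts, `EXPECT_TRUE(bus->GetReadyFuture().Get().IsOK());` and `EXPECT_TRUE(sendFuture.Get().IsOK());`, drop the TError when they fail, whereas the sibling test a few lines below uses `EXPECT_NO_THROW(bus->GetReadyFuture().Get().ThrowOnError());`, which prints the error; using the latter form in the SAN test would tell a reader why an IPv4 or IPv6 handshake failed. The negative check in FullVerificationAlternativeHostName matches only the generic substring "Failed to establish TLS/SSL session", so it would also pass if the handshake failed for an unrelated reason such as a CA the client cannot load; if the inner hostname-mismatch error text is stable, asserting on that part would make the test prove the name check rather than merely a failure. Both tests rebind `Port` on each loop iteration, which works because `server->Stop()` runs at the end of every iteration; a comment such as `// Server must be stopped before the next iteration rebinds Port.` would make that dependency explicit.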
diff --git a/yt/yt/core/compression/dictionary_codec.h b/yt/yt/core/compression/dictionary_codec.h
index 8205fa2c50..a394d452e6 100644
--- a/yt/yt/core/compression/dictionary_codec.h
+++ b/yt/yt/core/compression/dictionary_codec.h
@@ -35,7 +35,7 @@ struct IDictionaryDecompressor
: public TRefCounted
{
//! Decompresses #input into #ouput.
- //! Memory for output must be pre-allocated, its size can be infered from frame info.
+ //! Memory for output must be pre-allocated, its size can be inferred from frame info.
virtual void Decompress(
TRef input,
TMutableRef output) = 0;
@@ -73,13 +73,15 @@ DEFINE_REFCOUNTED_TYPE(IDigestedDecompressionDictionary)
struct IDictionaryCompressionCodec
{
+ virtual ~IDictionaryCompressionCodec() = default;
+
virtual int GetMinDictionarySize() const = 0;
virtual int GetMaxCompressionLevel() const = 0;
virtual int GetDefaultCompressionLevel() const = 0;
//! Trains compression dictionary of size not exceeding #dictionarySize.
- //! This dicionary may then be digested for (de)compression.
+ //! This dictionary may then be digested for (de)compression.
//! NB: May return null if training failed, e.g. due to lack of #samples
//! or no sufficient profit from using dictionary on them.
virtual TErrorOr<TSharedRef> TrainCompressionDictionary(
diff --git a/yt/yt/core/compression/zstd.cpp b/yt/yt/core/compression/zstd.cpp
index a22b4b682a..e24a076938 100644
--- a/yt/yt/core/compression/zstd.cpp
+++ b/yt/yt/core/compression/zstd.cpp
@@ -225,7 +225,7 @@ class TDigestedCompressionDictionary
, private TNonCopyable
{
public:
- TDigestedCompressionDictionary(ZSTD_CDict* digestedDictionary)
+ explicit TDigestedCompressionDictionary(ZSTD_CDict* digestedDictionary)
: DigestedDictionary_(digestedDictionary)
{
YT_VERIFY(DigestedDictionary_);
@@ -261,7 +261,7 @@ class TDigestedDecompressionDictionary
, private TNonCopyable
{
public:
- TDigestedDecompressionDictionary(ZSTD_DDict* digestedDictionary)
+ explicit TDigestedDecompressionDictionary(ZSTD_DDict* digestedDictionary)
: DigestedDictionary_(digestedDictionary)
{
YT_VERIFY(DigestedDictionary_);
@@ -459,11 +459,9 @@ TErrorOr<TSharedRef> ZstdTrainCompressionDictionary(i64 dictionarySize, const st
sampleSizes.data(),
sampleSizes.size());
if (ZSTD_isError(resultDictionarySize)) {
- auto error = TError("Compression dictionary training failed")
+ return TError("Compression dictionary training failed")
<< TErrorAttribute("zstd_error_code", static_cast<int>(ZSTD_getErrorCode(resultDictionarySize)))
<< TErrorAttribute("zstd_error_name", ZSTD_getErrorName(resultDictionarySize));
- YT_LOG_DEBUG(error);
- return error;
}
YT_VERIFY(resultDictionarySize <= dictionary.Size());
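Review bot: Dropping the `YT_LOG_DEBUG(error);` means the zstd error code and name for a failed training now reach no log from this function; if callers turn this `TErrorOr` into a null dictionary, as the IDictionaryCompressionCodec header in this commit documents ("May return null if training failed"), the diagnostic is lost entirely. Either keep a debug log here before returning, or confirm that the call site logs the returned error. `ZstdTrainCompressionDictionary` starts before this hunk and continues after it.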
diff --git a/yt/yt/core/crypto/tls.cpp b/yt/yt/core/crypto/tls.cpp
index f2e9ae036a..96a5d24457 100644
--- a/yt/yt/core/crypto/tls.cpp
+++ b/yt/yt/core/crypto/tls.cpp
@@ -34,11 +34,18 @@ static const TLogger Logger{"Tls"};
namespace {
-TErrorAttribute GetLastSslError()
+TErrorAttribute GetOpenSSLErrors()
{
- char errorStr[256];
- ERR_error_string_n(ERR_get_error(), errorStr, sizeof(errorStr));
- return TErrorAttribute("ssl_error", TString(errorStr));
+ TString errorStr;
+ ERR_print_errors_cb([](const char* str, size_t len, void* ctx) {
+ TString& out = *reinterpret_cast<TString*>(ctx);
+ if (!out.empty()) {
+ out += ", ";
+ }
+ out.append(str, len);
+ return 1;
+ }, &errorStr);
+ return TErrorAttribute("ssl_error", errorStr);
}
constexpr auto TlsBufferSize = 1_MB;
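Review bot: Each string passed to the `ERR_print_errors_cb` callback is a complete formatted line ending in `'\n'`, so the `ssl_error` attribute built in GetOpenSSLErrors will carry embedded newlines in front of every `", "` separator; trim them before appending, e.g. `while (len > 0 && str[len - 1] == '\n') { --len; }` just ahead of `out.append(str, len);`. `reinterpret_cast<TString*>(ctx)` converts from `void*` and should be `static_cast<TString*>(ctx)`. Unlike the previous single `ERR_get_error()` call, `ERR_print_errors_cb` drains the whole thread-local error queue, which is the right behaviour for an error attribute but is a semantic change worth a one-line comment on the function, e.g. `// Drains and formats the thread's entire OpenSSL error queue, oldest entry first.`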
@@ -76,21 +83,21 @@ struct TSslContextImpl
Ctx = SSL_CTX_new(TLS_method());
if (!Ctx) {
THROW_ERROR_EXCEPTION("SSL_CTX_new(TLS_method()) failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
if (SSL_CTX_set_min_proto_version(Ctx, TLS1_2_VERSION) == 0) {
THROW_ERROR_EXCEPTION("SSL_CTX_set_min_proto_version failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
if (SSL_CTX_set_max_proto_version(Ctx, TLS1_2_VERSION) == 0) {
THROW_ERROR_EXCEPTION("SSL_CTX_set_max_proto_version failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
#else
Ctx = SSL_CTX_new(TLSv1_2_method());
if (!Ctx) {
THROW_ERROR_EXCEPTION("SSL_CTX_new(TLSv1_2_method()) failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
#endif
}
@@ -150,7 +157,7 @@ public:
Ssl_ = Ctx_->NewSsl();
if (!Ssl_) {
THROW_ERROR_EXCEPTION("SSL_new failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
InputBIO_ = BIO_new(BIO_s_mem());
@@ -466,7 +473,7 @@ private:
MaybeStartUnderlyingIO(true);
} else {
Error_ = TError("SSL_do_handshake failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
YT_LOG_DEBUG(Error_, "TLS handshake failed");
CheckError();
return;
@@ -485,7 +492,7 @@ private:
if (count < 0) {
Error_ = TError("SSL_write failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
YT_LOG_DEBUG(Error_, "TLS write failed");
CheckError();
return;
@@ -517,7 +524,7 @@ private:
MaybeStartUnderlyingIO(true);
} else {
Error_ = TError("SSL_read failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
YT_LOG_DEBUG(Error_, "TLS read failed");
CheckError();
return;
@@ -636,7 +643,7 @@ void TSslContext::SetCipherList(const TString& list)
if (SSL_CTX_set_cipher_list(Impl_->Ctx, list.data()) == 0) {
THROW_ERROR_EXCEPTION("SSL_CTX_set_cipher_list failed")
<< TErrorAttribute("cipher_list", list)
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}
@@ -645,7 +652,7 @@ void TSslContext::AddCertificateFromFile(const TString& path)
if (SSL_CTX_use_certificate_file(Impl_->Ctx, path.c_str(), SSL_FILETYPE_PEM) != 1) {
THROW_ERROR_EXCEPTION("SSL_CTX_use_certificate_file failed")
<< TErrorAttribute("path", path)
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}
@@ -654,7 +661,7 @@ void TSslContext::AddCertificateChainFromFile(const TString& path)
if (SSL_CTX_use_certificate_chain_file(Impl_->Ctx, path.c_str()) != 1) {
THROW_ERROR_EXCEPTION("SSL_CTX_use_certificate_chain_file failed")
<< TErrorAttribute("path", path)
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}
@@ -663,7 +670,7 @@ void TSslContext::AddPrivateKeyFromFile(const TString& path)
if (SSL_CTX_use_PrivateKey_file(Impl_->Ctx, path.c_str(), SSL_FILETYPE_PEM) != 1) {
THROW_ERROR_EXCEPTION("SSL_CTX_use_PrivateKey_file failed")
<< TErrorAttribute("path", path)
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}
@@ -678,7 +685,7 @@ void TSslContext::AddCertificateChain(const TString& certificateChain)
auto certificateObject = PEM_read_bio_X509_AUX(bio, nullptr, nullptr, nullptr);
if (!certificateObject) {
THROW_ERROR_EXCEPTION("PEM_read_bio_X509_AUX failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
auto freeCertificate = Finally([&] {
X509_free(certificateObject);
@@ -686,7 +693,7 @@ void TSslContext::AddCertificateChain(const TString& certificateChain)
if (SSL_CTX_use_certificate(Impl_->Ctx, certificateObject) != 1) {
THROW_ERROR_EXCEPTION("SSL_CTX_use_certificate failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
SSL_CTX_clear_chain_certs(Impl_->Ctx);
@@ -700,14 +707,14 @@ void TSslContext::AddCertificateChain(const TString& certificateChain)
}
THROW_ERROR_EXCEPTION("PEM_read_bio_X509")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
int result = SSL_CTX_add0_chain_cert(Impl_->Ctx, chainCertificateObject);
if (!result) {
X509_free(chainCertificateObject);
THROW_ERROR_EXCEPTION("SSL_CTX_add0_chain_cert")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}
}
@@ -723,7 +730,7 @@ void TSslContext::AddCertificate(const TString& certificate)
auto certificateObject = PEM_read_bio_X509_AUX(bio, nullptr, nullptr, nullptr);
if (!certificateObject) {
THROW_ERROR_EXCEPTION("PEM_read_bio_X509_AUX")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
auto freeCertificate = Finally([&] {
X509_free(certificateObject);
@@ -731,7 +738,7 @@ void TSslContext::AddCertificate(const TString& certificate)
if (SSL_CTX_use_certificate(Impl_->Ctx, certificateObject) != 1) {
THROW_ERROR_EXCEPTION("SSL_CTX_use_certificate failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}
@@ -746,7 +753,7 @@ void TSslContext::AddPrivateKey(const TString& privateKey)
auto privateKeyObject = PEM_read_bio_PrivateKey(bio, nullptr, nullptr, nullptr);
if (!privateKeyObject) {
THROW_ERROR_EXCEPTION("PEM_read_bio_PrivateKey failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
auto freePrivateKey = Finally([&] {
EVP_PKEY_free(privateKeyObject);
@@ -754,7 +761,7 @@ void TSslContext::AddPrivateKey(const TString& privateKey)
if (SSL_CTX_use_PrivateKey(Impl_->Ctx, privateKeyObject) != 1) {
THROW_ERROR_EXCEPTION("SSL_CTX_use_PrivateKey failed")
- << GetLastSslError();
+ << GetOpenSSLErrors();
}
}