The patch adds support for using SSL to encrypt the client-server communications [1]. It uses a wrapper around the OpenSSL library for full compatibility with Tarantool Enterprise (GOST cryptographic algorithms [2] are not supported by Golang's crypto/tls). The feature can be disabled using a build tag [3] 'go_tarantool_ssl_disable'. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. https://github.com/gost-engine/engine 3. https://pkg.go.dev/go/build#hdr-Build_Constraints Closes #155
1 parent
d44ffa0
commit dabffea
Showing
18 changed files
with
939 additions
and
11 deletions.
@@ -1,5 +1,19 @@ | ||
package tarantool | ||
|
||
import ( | ||
"net" | ||
"time" | ||
) | ||
|
||
func (schema *Schema) ResolveSpaceIndex(s interface{}, i interface{}) (spaceNo, indexNo uint32, err error) { | ||
return schema.resolveSpaceIndex(s, i) | ||
} | ||
|
||
func SslDialTimeout(network, address string, timeout time.Duration, | ||
opts SslOpts) (connection net.Conn, err error) { | ||
return sslDialTimeout(network, address, timeout, opts) | ||
} | ||
|
||
func SslCreateContext(opts SslOpts) (ctx interface{}, err error) { | ||
return sslCreateContext(opts) | ||
} |
@@ -0,0 +1,110 @@ | ||
//go:build !go_tarantool_ssl_disable | ||
// +build !go_tarantool_ssl_disable | ||
|
||
package tarantool | ||
|
||
import ( | ||
"errors" | ||
"io/ioutil" | ||
"net" | ||
"time" | ||
|
||
"github.com/tarantool/go-openssl" | ||
) | ||
|
||
func sslDialTimeout(network, address string, timeout time.Duration, | ||
opts SslOpts) (connection net.Conn, err error) { | ||
var ctx interface{} | ||
if ctx, err = sslCreateContext(opts); err != nil { | ||
return | ||
} | ||
|
||
return openssl.DialTimeout(network, address, timeout, ctx.(*openssl.Ctx), 0) | ||
} | ||
|
||
// interface{} is a hack. It helps to avoid dependency of go-openssl in build | ||
// of tests with the tag 'go_tarantool_ssl_disable'. | ||
func sslCreateContext(opts SslOpts) (ctx interface{}, err error) { | ||
var sslCtx *openssl.Ctx | ||
|
||
// Require TLSv1.2, because other protocol versions don't seem to | ||
// support the GOST cipher. | ||
if sslCtx, err = openssl.NewCtxWithVersion(openssl.TLSv1_2); err != nil { | ||
return | ||
} | ||
ctx = sslCtx | ||
sslCtx.SetMaxProtoVersion(openssl.TLS1_2_VERSION) | ||
sslCtx.SetMinProtoVersion(openssl.TLS1_2_VERSION) | ||
|
||
if opts.CertFile != "" { | ||
if err = sslLoadCert(sslCtx, opts.CertFile); err != nil { | ||
return | ||
} | ||
} | ||
|
||
if opts.KeyFile != "" { | ||
if err = sslLoadKey(sslCtx, opts.KeyFile); err != nil { | ||
return | ||
} | ||
} | ||
|
||
if opts.CaFile != "" { | ||
if err = sslCtx.LoadVerifyLocations(opts.CaFile, ""); err != nil { | ||
return | ||
} | ||
verifyFlags := openssl.VerifyPeer | openssl.VerifyFailIfNoPeerCert | ||
sslCtx.SetVerify(verifyFlags, nil) | ||
} | ||
|
||
if opts.Ciphers != "" { | ||
sslCtx.SetCipherList(opts.Ciphers) | ||
} | ||
|
||
return | ||
} | ||
|
||
func sslLoadCert(ctx *openssl.Ctx, certFile string) (err error) { | ||
var certBytes []byte | ||
if certBytes, err = ioutil.ReadFile(certFile); err != nil { | ||
return | ||
} | ||
|
||
certs := openssl.SplitPEM(certBytes) | ||
if len(certs) == 0 { | ||
err = errors.New("No PEM certificate found in " + certFile) | ||
return | ||
} | ||
first, certs := certs[0], certs[1:] | ||
|
||
var cert *openssl.Certificate | ||
if cert, err = openssl.LoadCertificateFromPEM(first); err != nil { | ||
return | ||
} | ||
if err = ctx.UseCertificate(cert); err != nil { | ||
return | ||
} | ||
|
||
for _, pem := range certs { | ||
if cert, err = openssl.LoadCertificateFromPEM(pem); err != nil { | ||
break | ||
} | ||
if err = ctx.AddChainCertificate(cert); err != nil { | ||
break | ||
} | ||
} | ||
return | ||
} | ||
|
||
func sslLoadKey(ctx *openssl.Ctx, keyFile string) (err error) { | ||
var keyBytes []byte | ||
if keyBytes, err = ioutil.ReadFile(keyFile); err != nil { | ||
return | ||
} | ||
|
||
var key openssl.PrivateKey | ||
if key, err = openssl.LoadPrivateKeyFromPEM(keyBytes); err != nil { | ||
return | ||
} | ||
|
||
return ctx.UsePrivateKey(key) | ||
} |
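Review bot: In sslCreateContext the result of `sslCtx.SetCipherList(opts.Ciphers)` is discarded, so a misspelled or unsupported cipher string silently leaves the context on the library's default cipher set instead of failing the connection, which defeats the purpose of letting the caller pin ciphers; `if err = sslCtx.SetCipherList(opts.Ciphers); err != nil { return }` makes the failure visible. The `SetMaxProtoVersion`/`SetMinProtoVersion` calls a few lines above also drop their results; if the wrapper reports failure there, those should be checked the same way, otherwise the TLSv1.2 pin is only best-effort. It would also help to document on sslCreateContext that when `opts.CaFile` is empty no verify mode is set, so the peer certificate is not authenticated in that configuration and the caller must know this is intentional. Minor: `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` if the module's Go version allows it.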