diff options
| author | Henning Baldersheim <balder@yahoo-inc.com> | 2023-01-04 19:59:41 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-04 19:59:41 +0100 |
| commit | 0d15a90264be2ffdf955e2ce8099dc7d43944f55 (patch) | |
| tree | 39c093c40cf7a566159122729f858a1f98554a78 /vespalib | |
| parent | bb6638634f5bec608f62d710c97b0b97f79fc07f (diff) | |
| parent | 0a9e6b37d715b20652853282f6e4f3e4c1ac97c7 (diff) | |
Merge pull request #25400 from vespa-engine/havardpe/remove-xor-crypto-engine
Havardpe/remove xor crypto engine
Diffstat (limited to 'vespalib')
5 files changed, 0 insertions, 194 deletions
diff --git a/vespalib/src/tests/net/crypto_socket/crypto_socket_test.cpp b/vespalib/src/tests/net/crypto_socket/crypto_socket_test.cpp index 37b773426a1..08445ab74c2 100644 --- a/vespalib/src/tests/net/crypto_socket/crypto_socket_test.cpp +++ b/vespalib/src/tests/net/crypto_socket/crypto_socket_test.cpp @@ -224,12 +224,6 @@ TEST_MT_FFF("require that encrypted async socket io works with NullCryptoEngine" TEST_DO(verify_crypto_socket(f1, f2, (thread_id == 0))); } -TEST_MT_FFF("require that encrypted async socket io works with XorCryptoEngine", - 2, SocketPair(), XorCryptoEngine(), TimeBomb(60)) -{ - TEST_DO(verify_crypto_socket(f1, f2, (thread_id == 0))); -} - TEST_MT_FFF("require that encrypted async socket io works with TlsCryptoEngine", 2, SocketPair(), TlsCryptoEngine(make_tls_options_for_testing()), TimeBomb(60)) { diff --git a/vespalib/src/tests/net/sync_crypto_socket/sync_crypto_socket_test.cpp b/vespalib/src/tests/net/sync_crypto_socket/sync_crypto_socket_test.cpp index d689ef2b348..37f61437ae6 100644 --- a/vespalib/src/tests/net/sync_crypto_socket/sync_crypto_socket_test.cpp +++ b/vespalib/src/tests/net/sync_crypto_socket/sync_crypto_socket_test.cpp @@ -115,12 +115,6 @@ TEST_MT_FFF("require that encrypted sync socket io works with NullCryptoEngine", TEST_DO(verify_crypto_socket(f1, f2, (thread_id == 0))); } -TEST_MT_FFF("require that encrypted sync socket io works with XorCryptoEngine", - 2, SocketPair(), XorCryptoEngine(), TimeBomb(60)) -{ - TEST_DO(verify_crypto_socket(f1, f2, (thread_id == 0))); -} - TEST_MT_FFF("require that encrypted sync socket io works with TlsCryptoEngine", 2, SocketPair(), TlsCryptoEngine(make_tls_options_for_testing()), TimeBomb(60)) { diff --git a/vespalib/src/tests/portal/portal_test.cpp b/vespalib/src/tests/portal/portal_test.cpp index fb9b58fc248..52c6d802354 100644 --- a/vespalib/src/tests/portal/portal_test.cpp +++ b/vespalib/src/tests/portal/portal_test.cpp @@ -76,12 +76,10 @@ struct Encryption { Encryption::~Encryption() = default; auto null_crypto() { return std::make_shared<NullCryptoEngine>(); } -auto xor_crypto() { return std::make_shared<XorCryptoEngine>(); } auto tls_crypto() { return std::make_shared<TlsCryptoEngine>(make_tls_options_for_testing()); } auto maybe_tls_crypto(bool client_tls) { return std::make_shared<MaybeTlsCryptoEngine>(tls_crypto(), client_tls); } std::vector<Encryption> crypto_list = {{"no encryption", null_crypto()}, - {"ad-hoc xor", xor_crypto()}, {"always TLS", tls_crypto()}, {"maybe TLS; yes", maybe_tls_crypto(true)}, {"maybe TLS; no", maybe_tls_crypto(false)}}; diff --git a/vespalib/src/vespa/vespalib/net/crypto_engine.cpp b/vespalib/src/vespa/vespalib/net/crypto_engine.cpp index d2b02e7cc7c..f826e74e450 100644 --- a/vespalib/src/vespa/vespalib/net/crypto_engine.cpp +++ b/vespalib/src/vespa/vespalib/net/crypto_engine.cpp @@ -1,7 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. #include "crypto_engine.h" -#include <vespa/vespalib/data/smart_buffer.h> #include <vespa/vespalib/crypto/crypto_exception.h> #include <vespa/vespalib/net/tls/authorization_mode.h> #include <vespa/vespalib/net/tls/auto_reloading_tls_crypto_engine.h> @@ -12,11 +11,6 @@ #include <vespa/vespalib/net/tls/transport_security_options_reading.h> #include <vespa/vespalib/stllike/string.h> #include <vespa/vespalib/util/size_literals.h> -#include <vector> -#include <chrono> -#include <thread> -#include <xxhash.h> -#include <cassert> #include <vespa/log/log.h> LOG_SETUP(".vespalib.net.crypto_engine"); @@ -25,19 +19,6 @@ namespace vespalib { namespace { -struct HashState { - using clock = std::chrono::high_resolution_clock; - const void *self; - clock::time_point now; - HashState() : self(this), now(clock::now()) {} -}; - -char gen_key() { - HashState hash_state; - std::this_thread::sleep_for(std::chrono::microseconds(42)); - return XXH64(&hash_state, sizeof(hash_state), 0); -} - class NullCryptoSocket : public CryptoSocket { private: @@ -56,143 +37,6 @@ public: void drop_empty_buffers() override {} }; -class XorCryptoSocket : public CryptoSocket -{ -private: - static constexpr size_t CHUNK_SIZE = 16_Ki; - enum class OP { READ_KEY, WRITE_KEY }; - std::vector<OP> _op_stack; - char _my_key; - char _peer_key; - SmartBuffer _input; - SmartBuffer _output; - SocketHandle _socket; - - bool is_blocked(ssize_t res, int error) const { - return ((res < 0) && ((error == EWOULDBLOCK) || (error == EAGAIN))); - } - - HandshakeResult try_read_key() { - ssize_t res = _socket.read(&_peer_key, 1); - if (is_blocked(res, errno)) { - return HandshakeResult::NEED_READ; - } - return (res == 1) - ? HandshakeResult::DONE - : HandshakeResult::FAIL; - } - - HandshakeResult try_write_key() { - ssize_t res = _socket.write(&_my_key, 1); - if (is_blocked(res, errno)) { - return HandshakeResult::NEED_WRITE; - } - return (res == 1) - ? HandshakeResult::DONE - : HandshakeResult::FAIL; - } - - HandshakeResult perform_hs_op(OP op) { - if (op == OP::READ_KEY) { - return try_read_key(); - } else { - assert(op == OP::WRITE_KEY); - return try_write_key(); - } - } - -public: - XorCryptoSocket(SocketHandle socket, bool is_server) - : _op_stack(is_server - ? std::vector<OP>({OP::WRITE_KEY, OP::READ_KEY}) - : std::vector<OP>({OP::READ_KEY, OP::WRITE_KEY})), - _my_key(gen_key()), - _peer_key(0), - _input(CHUNK_SIZE * 2), - _output(CHUNK_SIZE * 2), - _socket(std::move(socket)) {} - int get_fd() const override { return _socket.get(); } - HandshakeResult handshake() override { - while (!_op_stack.empty()) { - HandshakeResult partial_result = perform_hs_op(_op_stack.back()); - if (partial_result != HandshakeResult::DONE) { - return partial_result; - } - _op_stack.pop_back(); - } - return HandshakeResult::DONE; - } - void do_handshake_work() override {} - size_t min_read_buffer_size() const override { return 1; } - ssize_t read(char *buf, size_t len) override { - if (_input.obtain().size == 0) { - auto dst = _input.reserve(CHUNK_SIZE); - ssize_t res = _socket.read(dst.data, dst.size); - if (res > 0) { - _input.commit(res); - } else { - return res; // eof/error - } - } - return drain(buf, len); - } - ssize_t drain(char *buf, size_t len) override { - auto src = _input.obtain(); - size_t frame = std::min(len, src.size); - for (size_t i = 0; i < frame; ++i) { - buf[i] = (src.data[i] ^ _my_key); - } - _input.evict(frame); - return frame; - } - ssize_t write(const char *buf, size_t len) override { - if (_output.obtain().size >= CHUNK_SIZE) { - if (flush() < 0) { - return -1; - } - if (_output.obtain().size > 0) { - errno = EWOULDBLOCK; - return -1; - } - } - size_t frame = std::min(len, CHUNK_SIZE); - auto dst = _output.reserve(frame); - for (size_t i = 0; i < frame; ++i) { - dst.data[i] = (buf[i] ^ _peer_key); - } - _output.commit(frame); - return frame; - } - ssize_t flush() override { - auto pending = _output.obtain(); - if (pending.size > 0) { - ssize_t res = _socket.write(pending.data, pending.size); - if (res > 0) { - _output.evict(res); - return 1; // progress - } else { - assert(res < 0); - return -1; // error - } - } - return 0; // done - } - ssize_t half_close() override { - auto flush_res = flush(); - while (flush_res > 0) { - flush_res = flush(); - } - if (flush_res < 0) { - return flush_res; - } - return _socket.half_close(); - } - void drop_empty_buffers() override { - _input.drop_if_empty(); - _output.drop_if_empty(); - } -}; - using net::tls::AuthorizationMode; AuthorizationMode authorization_mode_from_env() { @@ -269,16 +113,4 @@ NullCryptoEngine::create_server_crypto_socket(SocketHandle socket) return std::make_unique<NullCryptoSocket>(std::move(socket)); } -CryptoSocket::UP -XorCryptoEngine::create_client_crypto_socket(SocketHandle socket, const SocketSpec &) -{ - return std::make_unique<XorCryptoSocket>(std::move(socket), false); -} - -CryptoSocket::UP -XorCryptoEngine::create_server_crypto_socket(SocketHandle socket) -{ - return std::make_unique<XorCryptoSocket>(std::move(socket), true); -} - } // namespace vespalib diff --git a/vespalib/src/vespa/vespalib/net/crypto_engine.h b/vespalib/src/vespa/vespalib/net/crypto_engine.h index d6de53bd3e0..7f4b5287415 100644 --- a/vespalib/src/vespa/vespalib/net/crypto_engine.h +++ b/vespalib/src/vespa/vespalib/net/crypto_engine.h @@ -37,16 +37,4 @@ struct NullCryptoEngine : public CryptoEngine { CryptoSocket::UP create_server_crypto_socket(SocketHandle socket) override; }; -/** - * Very simple crypto engine that requires connection handshaking and - * data transformation. Used to test encryption integration separate - * from TLS. - **/ -struct XorCryptoEngine : public CryptoEngine { - bool use_tls_when_client() const override { return false; } - bool always_use_tls_when_server() const override { return false; } - CryptoSocket::UP create_client_crypto_socket(SocketHandle socket, const SocketSpec &spec) override; - CryptoSocket::UP create_server_crypto_socket(SocketHandle socket) override; -}; - } // namespace vespalib |