From 8cdcc431fe5b3cb001523b697d1348abe111d88c Mon Sep 17 00:00:00 2001 From: Antonio Andelic Date: Mon, 16 Sep 2024 09:56:31 +0200 Subject: [PATCH] Fix --- .../poco/Crypto/include/Poco/Crypto/EVPPKey.h | 14 +++++++++++++ src/Coordination/KeeperServer.cpp | 4 ++-- tests/integration/helpers/cluster.py | 2 +- .../test_keeper_internal_secure/ssl_conf.yml | 0 .../test_keeper_internal_secure/test.py | 21 ++++++++++--------- 5 files changed, 28 insertions(+), 13 deletions(-) delete mode 100644 tests/integration/test_keeper_internal_secure/ssl_conf.yml diff --git a/base/poco/Crypto/include/Poco/Crypto/EVPPKey.h b/base/poco/Crypto/include/Poco/Crypto/EVPPKey.h index c33e0ae847f..6e44d9f45b7 100644 --- a/base/poco/Crypto/include/Poco/Crypto/EVPPKey.h +++ b/base/poco/Crypto/include/Poco/Crypto/EVPPKey.h @@ -226,6 +226,13 @@ namespace Crypto error: if (pFile) fclose(pFile); + if (*ppKey) + { + if constexpr (std::is_same_v) + EVP_PKEY_free(*ppKey); + else + EC_KEY_free(*ppKey); + } throw OpenSSLException("EVPKey::loadKey(string)"); } @@ -287,6 +294,13 @@ namespace Crypto error: if (pBIO) BIO_free(pBIO); + if (*ppKey) + { + if constexpr (std::is_same_v) + EVP_PKEY_free(*ppKey); + else + EC_KEY_free(*ppKey); + } throw OpenSSLException("EVPKey::loadKey(stream)"); } diff --git a/src/Coordination/KeeperServer.cpp b/src/Coordination/KeeperServer.cpp index e0a94b1a00c..2eada508e22 100644 --- a/src/Coordination/KeeperServer.cpp +++ b/src/Coordination/KeeperServer.cpp 
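Review bot: The cleanup added to the `error:` path of `loadKey(string)` frees `*ppKey` but leaves the caller's pointer holding the freed address, so any later cleanup by the owner (a destructor or catch handler, not visible in this hunk) would be a double free; add `*ppKey = nullptr;` after the free, inside the `if (*ppKey)` block. The same applies to the identical block added in the second hunk, on the `loadKey(stream)` error path. Because the two blocks are copies of each other, a small private helper that frees the key and nulls the pointer would keep them from drifting apart. Both function bodies start outside their hunks, so it cannot be checked from here whether `*ppKey` can arrive already populated by the caller; if it can, freeing it here changes ownership and deserves a comment.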
@@ -125,9 +125,9 @@ void setSSLParams(nuraft::asio_service::options & asio_opts) disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_2; } - asio_opts.ssl_context_provider_server_ = [ctx_params = params, certificate_data, disabled_protocols] + asio_opts.ssl_context_provider_server_ = [params, certificate_data, disabled_protocols] { - Poco::Net::Context context(Poco::Net::Context::Usage::TLSV1_2_SERVER_USE, ctx_params); + Poco::Net::Context context(Poco::Net::Context::Usage::TLSV1_2_SERVER_USE, params); context.disableProtocols(disabled_protocols); SSL_CTX * ssl_ctx = context.takeSslContext(); SSL_CTX_set_cert_cb(ssl_ctx, callSetCertificate, reinterpret_cast(certificate_data.get())); diff --git a/tests/integration/helpers/cluster.py b/tests/integration/helpers/cluster.py index 821bb887435..4ef2699ea3b 100644 --- a/tests/integration/helpers/cluster.py +++ b/tests/integration/helpers/cluster.py @@ -4093,7 +4093,7 @@ class ClickHouseInstance: exclusion_substring="", ): if from_host: - # We check fist file exists but want to look for all rotated logs as well + # We check first file exists but want to look for all rotated logs as well result = subprocess_check_call( [ "bash", diff --git a/tests/integration/test_keeper_internal_secure/ssl_conf.yml b/tests/integration/test_keeper_internal_secure/ssl_conf.yml deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/tests/integration/test_keeper_internal_secure/test.py b/tests/integration/test_keeper_internal_secure/test.py index af511a60636..8cab03b6e2d 100644 --- a/tests/integration/test_keeper_internal_secure/test.py +++ b/tests/integration/test_keeper_internal_secure/test.py 
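Review bot: Nothing in the `setSSLParams` hunk documents what keeps `certificate_data` alive after the provider lambda passes `certificate_data.get()` to `SSL_CTX_set_cert_cb` as a raw pointer, while the `SSL_CTX` leaves the local `Context` through `takeSslContext()`. It presumably relies on the by-value capture of `certificate_data` living as long as the provider itself; a comment above the capture list such as `// certificate_data is captured by value: the cert callback keeps a raw pointer to it, so it must outlive every SSL_CTX created here` would make that requirement explicit. The commit message does not say why `ctx_params = params` became a plain `params` capture, so a short remark on that in the same comment would help. The lambda body continues past the end of the hunk.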
@@ -161,21 +161,22 @@ def check_valid_configuration(filename, password): run_test() +def check_invalid_configuration(filename, password): + stop_all_clickhouse() + for node in nodes: + setupSsl(node, filename, password) + + nodes[0].start_clickhouse(expected_to_fail=True) + nodes[0].wait_for_log_line( + "OpenSSLException: EVPKey::loadKey.*error:0480006C:PEM routines::no start line", + ) + + def test_secure_raft_works(started_cluster): check_valid_configuration("WithoutPassPhrase", None) def test_secure_raft_works_with_password(started_cluster): - def check_invalid_configuration(filename, password): - stop_all_clickhouse() - for node in nodes: - setupSsl(node, filename, password) - - nodes[0].start_clickhouse(expected_to_fail=True) - nodes[0].contains_in_log( - "OpenSSLException: EVPKey::loadKey(string): error:0480006C:PEM routines::no start line" - ) - check_valid_configuration("WithoutPassPhrase", "unusedpassword") check_invalid_configuration("WithPassPhrase", "wrongpassword") check_invalid_configuration("WithPassPhrase", "")
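Review bot: `check_invalid_configuration` is called twice in a row from `test_secure_raft_works_with_password`, and both calls wait for the same pattern in the log of `nodes[0]`, so the second call (empty password) may be satisfied by the line the first call (wrong password) left behind. That holds unless `wait_for_log_line` only considers lines written after it is invoked, which is not visible here. If it can see older lines, the negative test for the key passphrase passes vacuously, so the log should be cleared or its position recorded before `start_clickhouse(expected_to_fail=True)`. The pattern also pins the OpenSSL error code `0480006C`, which ties the test to one error-string format; `"OpenSSLException: EVPKey::loadKey.*PEM routines::no start line"` would be less brittle. A one-line docstring such as `"""Configure every node with the given key file and password, then check that nodes[0] refuses to start with a key-loading error."""` would record why only `nodes[0]` is started.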