From 2af8c1913e03c46a0a1b493bf3187ac97946d7be Mon Sep 17 00:00:00 2001 From: William Yang Date: Fri, 22 Sep 2023 10:35:34 +0200 Subject: [PATCH] fix: listener should not load cacert with verify_none --- c_src/quicer_config.c | 2 +- c_src/quicer_listener.c | 5 +++-- c_src/quicer_tls.c | 9 ++++++++- c_src/quicer_tls.h | 3 ++- test/quicer_listener_SUITE.erl | 29 +++++++++++++++++++++++++++++ 5 files changed, 43 insertions(+), 5 deletions(-) diff --git a/c_src/quicer_config.c b/c_src/quicer_config.c index 65c24172..31a35c1c 100644 --- a/c_src/quicer_config.c +++ b/c_src/quicer_config.c @@ -306,7 +306,7 @@ ClientLoadConfiguration(ErlNifEnv *env, parse_cert_options(env, *options, &CredConfig); // If Verify Peer... - if (!parse_verify_options(env, *options, &CredConfig, FALSE)) + if (!parse_verify_options(env, *options, &CredConfig, FALSE, NULL)) { return ERROR_TUPLE_2(ATOM_VERIFY); } diff --git a/c_src/quicer_listener.c b/c_src/quicer_listener.c index 0443031f..f8fdfe78 100644 --- a/c_src/quicer_listener.c +++ b/c_src/quicer_listener.c @@ -265,7 +265,8 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[]) return ERROR_TUPLE_2(ATOM_QUIC_TLS); } - if (!parse_verify_options(env, options, &CredConfig, TRUE)) + BOOLEAN is_verify = FALSE; + if (!parse_verify_options(env, options, &CredConfig, TRUE, &is_verify)) { return ERROR_TUPLE_2(ATOM_VERIFY); } @@ -284,7 +285,7 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[]) return ERROR_TUPLE_2(ATOM_ERROR_NOT_ENOUGH_MEMORY); } - if (cacertfile) + if (is_verify && cacertfile) { l_ctx->cacertfile = cacertfile; // We do our own certificate verification against the certificates diff --git a/c_src/quicer_tls.c b/c_src/quicer_tls.c index 2c1f2217..e2cc6170 100644 --- a/c_src/quicer_tls.c +++ b/c_src/quicer_tls.c @@ -88,16 +88,23 @@ parse_cert_options(ErlNifEnv *env, /* * Parse verify option for listener (server) * verify : boolean() | undefined + * output *is_verify if is_verify is not NULL */ BOOLEAN parse_verify_options(ErlNifEnv *env, ERL_NIF_TERM options, QUIC_CREDENTIAL_CONFIG *CredConfig, - BOOLEAN is_server) + BOOLEAN is_server, + _Out_ BOOLEAN *is_verify) { BOOLEAN verify = load_verify(env, &options, FALSE); + if (is_verify) + { + *is_verify = verify; + } + if (!verify) { CredConfig->Flags |= QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION; diff --git a/c_src/quicer_tls.h b/c_src/quicer_tls.h index e82c1c32..3aa5e724 100644 --- a/c_src/quicer_tls.h +++ b/c_src/quicer_tls.h @@ -26,7 +26,8 @@ BOOLEAN parse_verify_options(ErlNifEnv *env, ERL_NIF_TERM options, QUIC_CREDENTIAL_CONFIG *CredConfig, - BOOLEAN is_server); + BOOLEAN is_server, + _Out_ BOOLEAN *is_verify); BOOLEAN parse_cacertfile_option(ErlNifEnv *env, diff --git a/test/quicer_listener_SUITE.erl b/test/quicer_listener_SUITE.erl index ce4f3e5d..0c070356 100644 --- a/test/quicer_listener_SUITE.erl +++ b/test/quicer_listener_SUITE.erl @@ -466,11 +466,40 @@ tc_listener_stopped_when_owner_die(Config) -> %% Then the new listener can be closed ok = quicer:close_listener(L1). +tc_verify_none_butwith_cacert(Config)-> + Port = select_port(), + %% When Listener is copnfigured with CA cert but verify_none + LConfig = default_listener_opts(Config, verify_none), + ConnectionOpts = [ {conn_callback, quicer_server_conn_callback} + , {stream_acceptors, 32} + | default_conn_opts()], + StreamOpts = [ {stream_callback, quicer_echo_server_stream_callback} + | default_stream_opts() ], + Options = {LConfig, ConnectionOpts, StreamOpts}, + {ok, QuicApp} = quicer:spawn_listener(?FUNCTION_NAME, Port, Options), + + %% Then the connection should succeed + {ok, Conn} = + quicer:connect("localhost", Port, + [ {verify, verify_none} + , {peer_unidi_stream_count, 3} + , {alpn, ["sample"]} | Config], 5000), + quicer:close_connection(Conn), + quicer:terminate_listener(?FUNCTION_NAME), + ok. + select_port() -> Port = select_free_port(quic), timer:sleep(100), Port. +default_listener_opts(Config, Verify) -> + DataDir = ?config(data_dir, Config), + [ {cacertfile, filename:join(DataDir, "ca.pem")} + , {conn_acceptors, 4} + , {verify, Verify} | + tl(default_listen_opts(Config)) ]. + %%%_* Emacs ==================================================================== %%% Local Variables: %%% allout-layout: t