fix: listener should not load cacert with verify_none
qzhuyan committed Sep 22, 2023
1 parent 7fe30c7 commit 918608f
Showing 6 changed files with 43 additions and 8 deletions.
2 changes: 1 addition & 1 deletion c_src/quicer_config.c
Expand Up @@ -306,7 +306,7 @@ ClientLoadConfiguration(ErlNifEnv *env,
parse_cert_options(env, *options, &CredConfig);

// If Verify Peer...
if (!parse_verify_options(env, *options, &CredConfig, FALSE))
if (!parse_verify_options(env, *options, &CredConfig, FALSE, NULL))
{
return ERROR_TUPLE_2(ATOM_VERIFY);
}
3 changes: 0 additions & 3 deletions c_src/quicer_connection.c
Expand Up @@ -23,9 +23,6 @@ limitations under the License.
#include <openssl/x509.h>
#include <unistd.h>

extern inline void
EncodeHexBuffer(uint8_t *Buffer, uint8_t BufferLen, char *HexString);

extern inline const char *QuicStatusToString(QUIC_STATUS Status);

static QUIC_STATUS
5 changes: 3 additions & 2 deletions c_src/quicer_listener.c
Expand Up @@ -265,7 +265,8 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
return ERROR_TUPLE_2(ATOM_QUIC_TLS);
}

if (!parse_verify_options(env, options, &CredConfig, TRUE))
BOOLEAN is_verify = FALSE;
if (!parse_verify_options(env, options, &CredConfig, TRUE, &is_verify))
{
return ERROR_TUPLE_2(ATOM_VERIFY);
}
Expand All @@ -284,7 +285,7 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
return ERROR_TUPLE_2(ATOM_ERROR_NOT_ENOUGH_MEMORY);
}

if (cacertfile)
if (is_verify && cacertfile)
{
l_ctx->cacertfile = cacertfile;
// We do our own certificate verification against the certificates
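Review bot: Once `is_verify` is false, the `cacertfile` that reaches `if (is_verify && cacertfile)` is no longer stored in `l_ctx->cacertfile`, and nothing in the hunk releases it; if `parse_cacertfile_option` returns heap memory (the neighbouring `ATOM_ERROR_NOT_ENOUGH_MEMORY` path suggests allocations happen around here), every verify_none listen now leaks that buffer. An `else if (cacertfile) { <free with the allocator parse_cacertfile_option used>; }` after the block would close that, and a one-line comment such as `// verify_none: a configured cacertfile is deliberately ignored; peer certificates are not validated` would record why an explicitly supplied CA file is dropped rather than rejected. The body of listen2 continues outside both hunks.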
9 changes: 8 additions & 1 deletion c_src/quicer_tls.c
Expand Up @@ -88,16 +88,23 @@ parse_cert_options(ErlNifEnv *env,
/*
* Parse verify option for listener (server)
* verify : boolean() | undefined
* output *is_verify if is_verify is not NULL
*/
BOOLEAN
parse_verify_options(ErlNifEnv *env,
ERL_NIF_TERM options,
QUIC_CREDENTIAL_CONFIG *CredConfig,
BOOLEAN is_server)
BOOLEAN is_server,
_Out_ BOOLEAN *is_verify)
{

BOOLEAN verify = load_verify(env, &options, FALSE);

if (is_verify)
{
*is_verify = verify;
}

if (!verify)
{
CredConfig->Flags |= QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION;
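Review bot: The new parameter is annotated `_Out_` but the body only writes through it when it is non-NULL, and the client call site in c_src/quicer_config.c now passes `NULL`; under SAL `_Out_` promises a non-null pointer the callee always fills, so the declaration should read `_Out_opt_ BOOLEAN *is_verify` both here and in the matching prototype in c_src/quicer_tls.h. The header comment `Parse verify option for listener (server)` is also out of step now that the `is_server` flag and a client caller exist; `Parse the verify option for a listener (is_server) or a client connection` would match the code. The function body continues outside the hunk.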
3 changes: 2 additions & 1 deletion c_src/quicer_tls.h
Expand Up @@ -26,7 +26,8 @@ BOOLEAN
parse_verify_options(ErlNifEnv *env,
ERL_NIF_TERM options,
QUIC_CREDENTIAL_CONFIG *CredConfig,
BOOLEAN is_server);
BOOLEAN is_server,
_Out_ BOOLEAN *is_verify);

BOOLEAN
parse_cacertfile_option(ErlNifEnv *env,
29 changes: 29 additions & 0 deletions test/quicer_listener_SUITE.erl
Expand Up @@ -466,11 +466,40 @@ tc_listener_stopped_when_owner_die(Config) ->
%% Then the new listener can be closed
ok = quicer:close_listener(L1).

tc_verify_none_butwith_cacert(Config)->
Port = select_port(),
%% When Listener is copnfigured with CA cert but verify_none
LConfig = default_listener_opts(Config, verify_none),
ConnectionOpts = [ {conn_callback, quicer_server_conn_callback}
, {stream_acceptors, 32}
| default_conn_opts()],
StreamOpts = [ {stream_callback, quicer_echo_server_stream_callback}
| default_stream_opts() ],
Options = {LConfig, ConnectionOpts, StreamOpts},
{ok, QuicApp} = quicer:spawn_listener(?FUNCTION_NAME, Port, Options),

%% Then the connection should succeed
{ok, Conn} =
quicer:connect("localhost", Port,
[ {verify, verify_none}
, {peer_unidi_stream_count, 3}
, {alpn, ["sample"]} | Config], 5000),
quicer:close_connection(Conn),
quicer:terminate_listener(?FUNCTION_NAME),
ok.

select_port() ->
Port = select_free_port(quic),
timer:sleep(100),
Port.

default_listener_opts(Config, Verify) ->
DataDir = ?config(data_dir, Config),
[ {cacertfile, filename:join(DataDir, "ca.pem")}
, {conn_acceptors, 4}
, {verify, Verify} |
tl(default_listen_opts(Config)) ].

%%%_* Emacs ====================================================================
%%% Local Variables:
%%% allout-layout: t
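Review bot: `default_listener_opts/2` assembles the listener options with `tl(default_listen_opts(Config))`, silently discarding whichever option happens to be first in `default_listen_opts/1`; if that helper's head element ever changes, the test either duplicates a key or loses one without any failure pointing here, so deleting the key being replaced by name (`lists:keydelete(cacertfile, 1, default_listen_opts(Config))`, or whichever key the first element actually carries) would state the intent. `select_port/0` pads the port selection with `timer:sleep(100)`, presumably to let a previously used port be released; a comment saying so would stop the next reader from removing it. The comment at the top of the test case has a typo, `%% When Listener is configured with CA cert but verify_none`, and whether `tc_verify_none_butwith_cacert` is registered in `all/0` cannot be seen from this hunk.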

0 comments on commit 918608f

Please sign in to comment.