From c0443a50756398b3676c3418d1b50c2217da24c1 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 8 Nov 2021 11:25:40 +0100
Subject: [PATCH 1/2] ssl: Correct OpenSSL interop tests
Add missing call to wait_for_openssl_server. Also make sure openssl interop tests honor DTLS group configuration.
---
 lib/ssl/test/openssl_client_cert_SUITE.erl | 5 +-
 lib/ssl/test/openssl_ocsp_SUITE.erl | 84 +++++++++++-----------
 lib/ssl/test/ssl_cert_tests.erl | 4 +-
 lib/ssl/test/ssl_test_lib.erl | 58 +++++++++++----
 4 files changed, 89 insertions(+), 62 deletions(-)
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 263628c3c4..6effd69664 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -82,10 +82,10 @@ groups() ->
  [
  {openssl_client, [], protocol_groups()},
  {'tlsv1.3', [], tls_1_3_protocol_groups()},
- {'tlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, rsa_pss_rsae}, {group, rsa_pss_pss}]},
+ {'tlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, ecdsa}, {group, rsa_pss_rsae}, {group, rsa_pss_pss}]},
  {'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
  {'tlsv1', [], pre_tls_1_3_protocol_groups()},
- {'dtlsv1.2', [], pre_tls_1_3_protocol_groups()},
+ {'dtlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, ecdsa}]},
  {'dtlsv1', [], pre_tls_1_3_protocol_groups()},
  {rsa, [], all_version_tests()},
  {ecdsa, [], all_version_tests()},
@@ -119,7 +119,6 @@ protocol_groups() ->
 
 pre_tls_1_3_protocol_groups() ->
  [{group, rsa},
- {group, ecdsa},
  {group, dsa}].
 
 tls_1_3_protocol_groups() ->
diff --git a/lib/ssl/test/openssl_ocsp_SUITE.erl b/lib/ssl/test/openssl_ocsp_SUITE.erl
index f4a68f7543..ec12354b8d 100644
--- a/lib/ssl/test/openssl_ocsp_SUITE.erl
+++ b/lib/ssl/test/openssl_ocsp_SUITE.erl
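Review bot: The groups/0 hunk drops ecdsa coverage for the 'tlsv1.1', 'tlsv1' and 'dtlsv1' groups, because `{group, ecdsa}` is removed from pre_tls_1_3_protocol_groups() and re-added only to 'tlsv1.2' and 'dtlsv1.2', and neither the commit message nor the code says why. If the intent is that ecdsa is only exercised against OpenSSL for the versions where the interop currently works, a comment on pre_tls_1_3_protocol_groups() such as `%% ecdsa is added per version in groups/0; only TLS 1.2 and DTLS 1.2 run it against OpenSSL` would stop the next maintainer from re-adding it. groups/0's head is the hunk's context line and its list continues past the hunk's end, so I cannot see whether the remaining groups compensate.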
@@ -145,12 +145,12 @@ ocsp_stapling_basic(Config)
  [{options, ServerOpts}], Config),
  Port = ssl_test_lib:inet_port(Server),
 
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {cacertfile, CACertsFile},
- {server_name_indication, disable},
- {ocsp_stapling, true},
- {ocsp_nonce, false}] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {cacertfile, CACertsFile},
+ {server_name_indication, disable},
+ {ocsp_stapling, true},
+ {ocsp_nonce, false}], Config),
  Client = ssl_test_lib:start_client(erlang, [{port, Port},
  {options, ClientOpts}], Config),
 
@@ -175,12 +175,12 @@ ocsp_stapling_with_nonce(Config)
  [{options, ServerOpts}], Config),
  Port = ssl_test_lib:inet_port(Server),
 
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {cacertfile, CACertsFile},
- {server_name_indication, disable},
- {ocsp_stapling, true},
- {ocsp_nonce, true}] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {cacertfile, CACertsFile},
+ {server_name_indication, disable},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}], Config),
  Client = ssl_test_lib:start_client(erlang, [{port, Port},
  {options, ClientOpts}], Config),
 
@@ -212,13 +212,13 @@ ocsp_stapling_with_responder_cert(Config)
  [{'Certificate', Der, _IsEncrypted}] = public_key:pem_decode(ResponderCert),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {cacertfile, CACertsFile},
- {server_name_indication, disable},
- {ocsp_stapling, true},
- {ocsp_nonce, true},
- {ocsp_responder_certs, [Der]}] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {cacertfile, CACertsFile},
+ {server_name_indication, disable},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true},
+ {ocsp_responder_certs, [Der]}], Config),
  Client = ssl_test_lib:start_client(erlang, [{port, Port},
  {options, ClientOpts}], Config),
@@ -244,13 +244,13 @@ ocsp_stapling_revoked(Config)
  [{options, ServerOpts}], Config),
  Port = ssl_test_lib:inet_port(Server),
 
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {server_name_indication, disable},
- {cacertfile, CACertsFile},
- {ocsp_stapling, true},
- {ocsp_nonce, true}
- ] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {server_name_indication, disable},
+ {cacertfile, CACertsFile},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}
+ ], Config),
  Client = ssl_test_lib:start_client_error([{node, ClientNode},{port, Port},
  {host, Hostname},
  {from, self()},
@@ -275,13 +275,13 @@ ocsp_stapling_undetermined(Config)
  [{options, ServerOpts}], Config),
  Port = ssl_test_lib:inet_port(Server),
 
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {server_name_indication, disable},
- {cacertfile, CACertsFile},
- {ocsp_stapling, true},
- {ocsp_nonce, true}
- ] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {server_name_indication, disable},
+ {cacertfile, CACertsFile},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}
+ ], Config),
  Client = ssl_test_lib:start_client_error([{node, ClientNode},{port, Port},
  {host, Hostname},
  {from, self()},
@@ -307,13 +307,13 @@ ocsp_stapling_no_staple(Config)
  [{options, ServerOpts}], Config),
  Port = ssl_test_lib:inet_port(Server),
 
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {server_name_indication, disable},
- {cacertfile, CACertsFile},
- {ocsp_stapling, true},
- {ocsp_nonce, true}
- ] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {server_name_indication, disable},
+ {cacertfile, CACertsFile},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}
+ ], Config),
  Client = ssl_test_lib:start_client_error([{node, ClientNode},{port, Port},
  {host, Hostname},
  {from, self()},
@@ -382,7 +382,3 @@ get_free_port() ->
  ok = gen_tcp:close(Listen),
  Port.
 
-dtls_client_opt('dtlsv1.2') ->
- [{protocol, dtls}];
-dtls_client_opt(_Other) ->
- [].
\ No newline at end of file
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index 2b71998b11..a6760663f8 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -434,8 +434,8 @@ test_ciphers(_, 'tlsv1.3' = Version) ->
  end, Ciphers);
 test_ciphers(_, Version) when Version == 'dtlsv1';
  Version == 'dtlsv1.2' ->
- {_, Minor} = dtls_record:proplists(Version),
- Ciphers = dtls_v1:suites(Minor),
+ {_, Minor} = dtls_record:protocol_version(Version),
+ Ciphers = [ssl_cipher_format:suite_bin_to_map(Bin) || Bin <- dtls_v1:suites(Minor)],
  ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
  OpenSSLCiphers = openssl_ciphers(),
  ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 7ef5034f4b..fb992e8c51 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -325,7 +325,7 @@ working_openssl_client() ->
  end.
 
 init_per_group_openssl(GroupName, Config0) ->
- case is_tls_version(GroupName) andalso sufficient_crypto_support(GroupName) of
+ case is_protocol_version(GroupName) andalso sufficient_crypto_support(GroupName) of
  true ->
  Config = clean_protocol_version(Config0),
  case openssl_tls_version_support(GroupName, Config)
@@ -346,7 +346,7 @@ init_per_group_openssl(GroupName, Config0) ->
  end.
 
 end_per_group(GroupName, Config) ->
- case is_tls_version(GroupName) of
+ case is_protocol_version(GroupName) of
  true ->
  clean_protocol_version(Config);
  false ->
@@ -373,6 +373,8 @@ openssl_ciphers() ->
 
 openssl_support_rsa_kex() ->
  case portable_cmd("openssl", ["version"]) of
+ "OpenSSL 3." ++ _Rest ->
+ false;
  "OpenSSL 1.1.1" ++ _Rest ->
  false;
  _ ->
@@ -2027,8 +2029,8 @@ accepters(Acc, N) ->
 basic_test(COpts, SOpts, Config) ->
  SType = proplists:get_value(server_type, Config, erlang),
  CType = proplists:get_value(client_type, Config, erlang),
- {Server, Port} = start_server(SType, COpts, SOpts, Config),
- Client = start_client(CType, Port, COpts, Config),
+ {Server, Port} = start_server(SType, COpts, ssl_options(SOpts, Config), Config),
+ Client = start_client(CType, Port, ssl_options(COpts, Config), Config),
  gen_check_result(Server, SType, Client, CType),
  stop(Server, Client).
 
@@ -2565,31 +2567,48 @@ openssl_tls_version_support(Version, Config0) ->
  CertFile = proplists:get_value(certfile, ServerOpts),
  KeyFile = proplists:get_value(keyfile, ServerOpts),
  Exe = "openssl",
- Args0 = ["s_server", "-accept",
- integer_to_list(Port), "-CAfile", CaCertFile,
- "-cert", CertFile,"-key", KeyFile],
+ {Proto, Opts} = case is_tls_version(Version) of
+ true ->
+ {tls, [{protocol,tls}, {versions, [Version]}]};
+ false ->
+ {dtls, [{protocol,dtls}, {versions, [Version]}]}
+ end,
+ Args0 = case Proto of
+ tls ->
+ ["s_server", "-accept",
+ integer_to_list(Port), "-CAfile", CaCertFile,
+ "-cert", CertFile,"-key", KeyFile];
+ dtls ->
+ ["s_server", "-accept",
+ integer_to_list(Port), "-dtls", "-CAfile", CaCertFile,
+ "-cert", CertFile,"-key", KeyFile]
+ end,
  Args = maybe_force_ipv4(Args0),
  OpensslPort = portable_open_port(Exe, Args),
- try wait_for_openssl_server(Port, tls) of
+ try wait_for_openssl_server(Port, Proto) of
  ok ->
- case ssl:connect("localhost", Port, [{versions, [Version]}]) of
+ case ssl:connect("localhost", Port, Opts, 5000) of
  {ok, Socket} ->
  ssl:close(Socket),
  close_port(OpensslPort),
  true;
  {error, {tls_alert, {protocol_version, _}}} ->
- ct:pal("Openssl does not support ~p", [Version]),
+ ct:pal("OpenSSL does not support ~p", [Version]),
  close_port(OpensslPort),
  false;
  {error, {tls_alert, Alert}} ->
- ct:pal("Openssl returned alert ~p", [Alert]),
+ ct:pal("OpenSSL returned alert ~p", [Alert]),
+ close_port(OpensslPort),
+ false;
+ {error, timeout} ->
+ ct:pal("Timed out conntion to OpenSSL", []),
  close_port(OpensslPort),
  false
  end
  catch
  _:_ ->
- ct:pal("Openssl does not support ~p", [Version]),
+ ct:pal("OpenSSL does not support ~p", [Version]),
  close_port(OpensslPort),
  false
  end.
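Review bot: The new `{error, timeout}` clause in the `case ssl:connect(...)` covers only one of the non-alert failures; any other `{error, Reason}` from ssl:connect (for example `econnrefused` or `closed`) still raises `case_clause` inside the `of` section of the `try`, which the `catch _:_` below does not protect, so close_port(OpensslPort) is never reached and the suite crashes instead of reporting the version as unsupported. Add a final clause after the timeout one, `{error, Reason} -> ct:pal("OpenSSL connect failed: ~p", [Reason]), close_port(OpensslPort), false`, and consider moving the `ssl:connect` result handling into the `try` expression itself so the existing catch-all covers it. The timeout message also misspells "connection" (`"Timed out conntion to OpenSSL"`). openssl_tls_version_support/2 starts before the hunk.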
@@ -3100,7 +3119,9 @@ check_sane_openssl_renegotiate(Config) ->
  end.
 
 openssl_allows_client_renegotiate(Config) ->
- case portable_cmd("openssl", ["version"]) of
+ case portable_cmd("openssl", ["version"]) of
+ "OpenSSL 3" ++ _ ->
+ {skip, "OpenSSL does not allow client renegotiation"};
  "OpenSSL 1.1" ++ _ ->
  {skip, "OpenSSL does not allow client renegotiation"};
  "LibreSSL" ++ _ ->
@@ -3124,8 +3145,11 @@ enough_openssl_crl_support(_) ->
  true.
 wait_for_openssl_server(Port, tls) ->
  do_wait_for_openssl_tls_server(Port, 10);
 wait_for_openssl_server(_Port, dtls) ->
+ ct:sleep(?SLEEP),
  ok. %% No need to wait for DTLS over UDP server
  %% client will retransmitt until it is up.
+ %% But wait a little for openssl debug printing
+
 do_wait_for_openssl_tls_server(_, 0) ->
  exit(failed_to_connect_to_openssl);
@@ -3868,6 +3892,14 @@ default_ciphers(Version) ->
  case portable_cmd("openssl", ["version"]) of
  "OpenSSL 0.9" ++ _ ->
  ssl:cipher_suites(all,Version);
+ "OpenSSL 3." ++ _ ->
+ ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
+ [{mac,
+ fun(sha) ->
+ false;
+ (_) ->
+ true
+ end}]);
  _ ->
  ssl:cipher_suites(default, Version)
  end,
-- 
2.31.1
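Review bot: The new `ct:sleep(?SLEEP)` in the dtls clause of wait_for_openssl_server/2 turns a previously non-blocking clause into a fixed delay whose only stated purpose is to let OpenSSL finish debug printing; a fixed sleep is a timing assumption that wastes time on fast machines and may still be too short on a loaded CI host, and the clause still performs no readiness check, unlike the tls clause that polls via do_wait_for_openssl_tls_server/2. If the delay is deliberate, say so and move the comment above the clause rather than trailing `ok.`, where the added line reads as a dangling remark between clauses: `%% DTLS over UDP: the client retransmits until the server is up, so no readiness poll is needed; sleep briefly only so openssl's startup output is captured in the log.` The existing comment also misspells "retransmitt".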
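Review bot: The new `"OpenSSL 3." ++ _` branch of default_ciphers/1 removes every suite whose `mac` is `sha` from the Erlang default list without saying why, so a reader cannot tell whether this is an OpenSSL 3 negotiation limitation observed in the interop tests, a harness workaround, or a deliberate security decision. Add a comment above the `ssl:filter_cipher_suites` call such as `%% OpenSSL 3 did not negotiate the HMAC-SHA1 suites in our interop runs; drop them so the two default lists agree — TODO confirm the exact cause` (adjusted to the real reason). Note the filter keys only on `mac`, so suites that use SHA-1 elsewhere (e.g. in signatures) are untouched, which is fine if the intent is MAC-only but worth stating. default_ciphers/1 starts before the hunk.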