File 1633-ssl-Add-handling-of-new-policy-options.patch of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 1633-ssl-Add-handling-of-new-policy-options.patch of Package erlang

From d2195fc53d1947f1bf9d1d402e2bb8b5b1eafd6b Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 12 Mar 2024 10:42:59 +0100
Subject: [PATCH 3/3] ssl: Add handling of new policy options

---
 lib/ssl/src/ssl.app.src        |  2 +-
 lib/ssl/src/ssl.erl            | 60 ++++++++++++++++++-----
 lib/ssl/src/ssl_handshake.erl  |  3 +-
 lib/ssl/test/ssl_api_SUITE.erl | 87 +++++++---------------------------
 4 files changed, 69 insertions(+), 83 deletions(-)

diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 1cfa0b1505..271f34bf58 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -92,6 +92,6 @@
     {applications, [crypto, public_key, kernel, stdlib]},
     {env, []},
     {mod, {ssl_app, []}},
-    {runtime_dependencies, ["stdlib-4.1","public_key-1.11.3","kernel-9.0",
+    {runtime_dependencies, ["stdlib-4.1","public_key-1.15","kernel-9.0",
                             "erts-14.0","crypto-5.0", "inets-5.10.7",
                             "runtime_tools-1.15.1"]}]}.
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 399460471f..d83cd13f25 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -473,6 +473,7 @@ only the [signature_algs](`t:signature_algs/0`) extension is sent.
                                 {keep_secrets, keep_secrets()} |
                                 {depth, allowed_cert_chain_length()} |
                                 {verify_fun, custom_verify()} |
+                                {cert_policy_opts, [policy_opt()]} |
                                 {crl_check, crl_check()} |
                                 {crl_cache, crl_cache_opts()} |
                                 {max_handshake_size, handshake_size()} |
@@ -799,6 +800,7 @@ certificate chain validating the CRLs.
 -type allowed_cert_chain_length() :: integer().
 
 -type custom_verify()               ::  {Verifyfun :: fun(), InitialUserState :: any()}.
+-type policy_opt() :: {policy_set, [public_key:oid()]} | {explicit_policy, boolean()} |  {inhibit_policy_mapping, boolean()} | {inhibit_any_policy, boolean()}.
 -type crl_check()                :: boolean() | peer | best_effort.
 -type crl_cache_opts()           :: {Module :: atom(),
                                      {DbHandle :: internal | term(),
@@ -3394,7 +3404,7 @@ ssl_options() ->
      use_ticket,
      use_srtp,
      user_lookup_fun,
-     verify, verify_fun,
+     verify, verify_fun, cert_policy_opts,
      versions
     ].
 
@@ -3561,17 +3571,18 @@ opt_verification(UserOpts, Opts0, #{role := Role} = Env) ->
     option_incompatible(FailNoPeerCert andalso Verify =:= verify_none,
                         [{verify, verify_none}, {fail_if_no_peer_cert, true}]),
 
-    Opts = set_opt_int(depth, 0, 255, ?DEFAULT_DEPTH, UserOpts, Opts2),
+    Opts3 = set_opt_int(depth, 0, 255, ?DEFAULT_DEPTH, UserOpts, Opts2),
 
-    case Role of
-        client ->
-            opt_verify_fun(UserOpts, Opts#{partial_chain => PartialChain},
-                           Env);
-        server ->
-            opt_verify_fun(UserOpts, Opts#{partial_chain => PartialChain,
-                                           fail_if_no_peer_cert => FailNoPeerCert},
-                           Env)
-    end.
+    Opts = case Role of
+               client ->
+                   opt_verify_fun(UserOpts, Opts3#{partial_chain => PartialChain},
+                                  Env);
+               server ->
+                   opt_verify_fun(UserOpts, Opts3#{partial_chain => PartialChain,
+                                                   fail_if_no_peer_cert => FailNoPeerCert},
+                                  Env)
+           end,
+    opt_policies(UserOpts, Opts).
 
 default_verify(client) ->
     %% Server authenication is by default requiered
@@ -3625,6 +3636,33 @@ convert_verify_fun() ->
             {valid, UserState}
     end.
 
+opt_policies(UserOpts, Opts) ->
+    case get_opt(cert_policy_opts, [], UserOpts, Opts) of
+        {default, []} ->
+            Opts#{cert_policy_opts => []};
+        {old, POpts} ->
+            Opts#{cert_policy_opts => POpts};
+        {_, POpts} ->
+            validate_policy_opts(POpts),
+            Opts#{cert_policy_opts => POpts}
+    end.
+
+validate_policy_opts([]) ->
+    true;
+validate_policy_opts([{policy_set, OidList} | Rest]) when is_list(OidList) ->
+    validate_policy_opts(Rest);
+validate_policy_opts([{Opt, Bool} | Rest]) when Opt == explicit_policy;
+                                                Opt == inhibit_policy_mapping;
+                                                Opt == inhibit_any_policy ->
+    case is_boolean(Bool) of
+        true ->
+            validate_policy_opts(Rest);
+        false ->
+            option_error(cert_policy_opts, {Opt, Bool})
+    end;
+validate_policy_opts([Opt| _]) ->
+    option_error(cert_policy_opts, Opt).
+
 opt_certs(UserOpts, #{log_level := LogLevel} = Opts0, Env) ->
     case get_opt_list(certs_keys, [], UserOpts, Opts0) of
         {Where, []} when Where =/= new ->
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 211644365c..131cb3cd6b 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -2099,8 +2099,9 @@ validation_fun_and_state(undefined, VerifyState, CertPath, LogLevel) ->
      end, VerifyState}.
 
 path_validation_options(Opts, ValidationFunAndState) ->
+    PolicyOpts = maps:get(cert_policy_opts, Opts, []),
     [{max_path_length, maps:get(depth, Opts, ?DEFAULT_DEPTH)},
-     {verify_fun, ValidationFunAndState}].
+     {verify_fun, ValidationFunAndState} | PolicyOpts].
 
 apply_user_fun(Fun, OtpCert, VerifyResult0, UserState0, SslState, CertPath, LogLevel) when
       (VerifyResult0 == valid) or (VerifyResult0 == valid_peer) ->
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index 20b017436c..3eedf1305a 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -134,8 +134,6 @@
          invalid_keyfile/1,
          options_not_proplist/0,
          options_not_proplist/1,
-         invalid_options/0,
-         invalid_options/1,
          options_whitebox/0, options_whitebox/1,
          cb_info/0,
          cb_info/1,
@@ -252,8 +250,7 @@ groups() ->
                            handshake_paus_tests()) --
                           [dh_params,
                            new_options_in_handshake,
-                           handshake_continue_tls13_client,
-                           invalid_options])
+                           handshake_continue_tls13_client])
       ++ (since_1_2() -- [conf_signature_algs])},
      {'tlsv1.2', [],  gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3() ++ [honor_client_cipher_order_tls12,
                                                                                                 honor_server_cipher_order_tls12]},
@@ -283,7 +280,6 @@ simple_api_tests() ->
      invalid_certfile,
      invalid_cacertfile,
      invalid_dhfile,
-     invalid_options,
      options_not_proplist,
      options_whitebox,
      format_error
@@ -2159,71 +2155,6 @@ options_not_proplist(Config) when is_list(Config) ->
 	ssl:connect("twitter.com", 443, [binary, {active, false}, 
 					 BadOption]).
 
-%%-------------------------------------------------------------------
-invalid_options() ->
-    [{doc,"Test what happens when we give invalid options"}].
-       
-invalid_options(Config) when is_list(Config) -> 
-    ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
-    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
-    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-    
-    Check = fun(Client, Server, {versions, [sslv2, sslv3]} = Option) ->
-		    ssl_test_lib:check_result(Server, 
-					      {error, {options, {sslv2, Option}}}, 
-					      Client,
-					      {error, {options, {sslv2, Option}}});
-	       (Client, Server, Option) ->
-		    ssl_test_lib:check_result(Server, 
-					      {error, {options, Option}}, 
-					      Client,
-					      {error, {options, Option}})
-	    end,
-
-    TestOpts = 
-         [{versions, [sslv2, sslv3]}, 
-          {verify_fun, function},
-          {fail_if_no_peer_cert, 0}, 
-          {depth, four}, 
-          {certfile, 'cert.pem'}, 
-          {keyfile,'key.pem' }, 
-          {password, foo},
-          {cacertfile, ""}, 
-          {ciphers, [{foo, bar, sha, ignore}]},
-          {reuse_session, foo},
-          {reuse_sessions, 0},
-          {renegotiate_at, "10"},
-          {mode, depech},
-          {packet, 8.0},
-          {packet_size, "2"},
-          {header, a},
-          {active, trice},
-          {key, 'key.pem' }],
-
-    TestOpts2 =
-        [{[{supported_groups, []}, {versions, [tlsv1]}],
-          {options,incompatible,[supported_groups,{versions,['tlsv1']}]}}],
-
-    [begin
-	 Server =
-	     ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
-					{from, self()},
-					{options, ServerOpts ++ [TestOpt]}]),
-	 %% Will never reach a point where port is used.
-	 Client =
-	     ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
-					      {host, Hostname}, {from, self()},
-					      {options, ClientOpts ++ [TestOpt]}]),
-	 Check(Client, Server, TestOpt),
-	 ok
-     end || TestOpt <- TestOpts],
-
-    [begin
-         start_client_negative(Config, TestOpt, ErrorMsg),
-         ok
-     end || {TestOpt, ErrorMsg} <- TestOpts2],
-    ok.
-
 options_whitebox() ->
     [{doc,"Whitebox tests of option handling"}].
 
@@ -2279,6 +2210,7 @@ customize_defaults(Opts, Role, Host) ->
                 try ssl:handle_options(__Opts, Role, Host) of
                     {ok, #config{ssl=EXP = __ALL}} ->
                         ShouldBeMissing = ShouldBeMissing -- maps:keys(__ALL);
+                       %% __ALL = ssl:update_options([], Role, __ALL);
                     Other ->
                         ?CT_PAL("ssl:handle_options(~0p,~0p,~0p).",[__Opts,Role,Host]),
                         error({unexpected, Other})
@@ -2822,6 +2754,12 @@ options_verify(Config) ->  %% fail_if_no_peer_cert, verify, verify_fun, partial_
      ?OK(#{fail_if_no_peer_cert := true, verify := verify_peer, verify_fun := undefined, partial_chain := _},
          [{verify, verify_peer}, {cacerts, [Cert]}], server),
 
+    %% Test ssl option handling. Option values are verified by public_key tests
+    CertPolicyOpts = [{policy_set, [?anyPolicy]}, {explicit_policy, false}],
+
+    ?OK(#{cert_policy_opts := CertPolicyOpts}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, CertPolicyOpts}],
+        client),
+
     NewF3 = fun(_,_,_) -> ok end,
     NewF4 = fun(_,_,_,_) -> ok end,
     ?OK(#{}, [], client, [fail_if_no_peer_cert]),
@@ -2853,6 +2791,15 @@ options_verify(Config) ->  %% fail_if_no_peer_cert, verify, verify_fun, partial_
     ?ERR({options, incompatible, [{verify, _}, {cacerts, undefined}]}, [{verify, verify_peer}], server),
     ?ERR({partial_chain, not_a_fun}, [{partial_chain, not_a_fun}], client),
     ?ERR({verify_fun, not_a_fun}, [{verify_fun, not_a_fun}], client),
+    ?ERR({cert_policy_opts, {foo, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{foo,bar}]}],
+        client),
+    ?ERR({cert_policy_opts, {explicit_policy, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{explicit_policy,bar}]}],
+         client),
+    ?ERR({cert_policy_opts, {inhibit_policy_mapping, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{explicit_policy, true},
+                                                                                                                           {inhibit_policy_mapping,bar}]}],
+         client),
+    ?ERR({cert_policy_opts, {inhibit_any_policy, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{inhibit_any_policy,bar}]}],
+         client),
     ok.
 
 options_fallback(_Config) ->
-- 
2.35.3

Places

File 1633-ssl-Add-handling-of-new-policy-options.patch of Package erlang

Places