File 1633-ssl-Add-handling-of-new-policy-options.patch of Package erlang
From d2195fc53d1947f1bf9d1d402e2bb8b5b1eafd6b Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin <ingela@erlang.org> Date: Tue, 12 Mar 2024 10:42:59 +0100 Subject: [PATCH 3/3] ssl: Add handling of new policy options --- lib/ssl/src/ssl.app.src | 2 +- lib/ssl/src/ssl.erl | 60 ++++++++++++++++++----- lib/ssl/src/ssl_handshake.erl | 3 +- lib/ssl/test/ssl_api_SUITE.erl | 87 +++++++--------------------------- 4 files changed, 69 insertions(+), 83 deletions(-) diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src index 1cfa0b1505..271f34bf58 100644 --- a/lib/ssl/src/ssl.app.src +++ b/lib/ssl/src/ssl.app.src @@ -92,6 +92,6 @@ {applications, [crypto, public_key, kernel, stdlib]}, {env, []}, {mod, {ssl_app, []}}, - {runtime_dependencies, ["stdlib-4.1","public_key-1.11.3","kernel-9.0", + {runtime_dependencies, ["stdlib-4.1","public_key-1.15","kernel-9.0", "erts-14.0","crypto-5.0", "inets-5.10.7", "runtime_tools-1.15.1"]}]}. diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 399460471f..d83cd13f25 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -473,6 +473,7 @@ only the [signature_algs](`t:signature_algs/0`) extension is sent. {keep_secrets, keep_secrets()} | {depth, allowed_cert_chain_length()} | {verify_fun, custom_verify()} | + {cert_policy_opts, [policy_opt()]} | {crl_check, crl_check()} | {crl_cache, crl_cache_opts()} | {max_handshake_size, handshake_size()} | @@ -799,6 +800,7 @@ certificate chain validating the CRLs. -type allowed_cert_chain_length() :: integer(). -type custom_verify() :: {Verifyfun :: fun(), InitialUserState :: any()}. +-type policy_opt() :: {policy_set, [public_key:oid()]} | {explicit_policy, boolean()} | {inhibit_policy_mapping, boolean()} | {inhibit_any_policy, boolean()}. -type crl_check() :: boolean() | peer | best_effort. -type crl_cache_opts() :: {Module :: atom(), {DbHandle :: internal | term(), 
@@ -3394,7 +3404,7 @@ ssl_options() -> use_ticket, use_srtp, user_lookup_fun, - verify, verify_fun, + verify, verify_fun, cert_policy_opts, versions ]. @@ -3561,17 +3571,18 @@ opt_verification(UserOpts, Opts0, #{role := Role} = Env) -> option_incompatible(FailNoPeerCert andalso Verify =:= verify_none, [{verify, verify_none}, {fail_if_no_peer_cert, true}]), - Opts = set_opt_int(depth, 0, 255, ?DEFAULT_DEPTH, UserOpts, Opts2), + Opts3 = set_opt_int(depth, 0, 255, ?DEFAULT_DEPTH, UserOpts, Opts2), - case Role of - client -> - opt_verify_fun(UserOpts, Opts#{partial_chain => PartialChain}, - Env); - server -> - opt_verify_fun(UserOpts, Opts#{partial_chain => PartialChain, - fail_if_no_peer_cert => FailNoPeerCert}, - Env) - end. + Opts = case Role of + client -> + opt_verify_fun(UserOpts, Opts3#{partial_chain => PartialChain}, + Env); + server -> + opt_verify_fun(UserOpts, Opts3#{partial_chain => PartialChain, + fail_if_no_peer_cert => FailNoPeerCert}, + Env) + end, + opt_policies(UserOpts, Opts). default_verify(client) -> %% Server authenication is by default requiered 
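Review bot: At the end of opt_verification, `opt_policies(UserOpts, Opts)` now runs for every value of `Verify`, so a caller can combine `{verify, verify_none}` with `{cert_policy_opts, [{explicit_policy, true}]}` and gets no signal about whether the policy constraint still rejects a chain. The same function already rejects `fail_if_no_peer_cert` together with `verify_none` through `option_incompatible/2`. If policy failures are not fatal under `verify_none` (not visible in this hunk), the same treatment would fit on the map that opt_policies returns: `option_incompatible(Verify =:= verify_none andalso maps:get(cert_policy_opts, Opts4) =/= [], [{verify, verify_none}, cert_policy_opts])`. If the combination is intended, a one-line comment saying so would prevent a false sense of enforcement. opt_verification begins above the hunk.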
@@ -3625,6 +3636,33 @@ convert_verify_fun() -> {valid, UserState} end. +opt_policies(UserOpts, Opts) -> + case get_opt(cert_policy_opts, [], UserOpts, Opts) of + {default, []} -> + Opts#{cert_policy_opts => []}; + {old, POpts} -> + Opts#{cert_policy_opts => POpts}; + {_, POpts} -> + validate_policy_opts(POpts), + Opts#{cert_policy_opts => POpts} + end. + +validate_policy_opts([]) -> + true; +validate_policy_opts([{policy_set, OidList} | Rest]) when is_list(OidList) -> + validate_policy_opts(Rest); +validate_policy_opts([{Opt, Bool} | Rest]) when Opt == explicit_policy; + Opt == inhibit_policy_mapping; + Opt == inhibit_any_policy -> + case is_boolean(Bool) of + true -> + validate_policy_opts(Rest); + false -> + option_error(cert_policy_opts, {Opt, Bool}) + end; +validate_policy_opts([Opt| _]) -> + option_error(cert_policy_opts, Opt). + opt_certs(UserOpts, #{log_level := LogLevel} = Opts0, Env) -> case get_opt_list(certs_keys, [], UserOpts, Opts0) of {Where, []} when Where =/= new -> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 211644365c..131cb3cd6b 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -2099,8 +2099,9 @@ validation_fun_and_state(undefined, VerifyState, CertPath, LogLevel) -> end, VerifyState}. path_validation_options(Opts, ValidationFunAndState) -> + PolicyOpts = maps:get(cert_policy_opts, Opts, []), [{max_path_length, maps:get(depth, Opts, ?DEFAULT_DEPTH)}, - {verify_fun, ValidationFunAndState}]. + {verify_fun, ValidationFunAndState} | PolicyOpts]. apply_user_fun(Fun, OtpCert, VerifyResult0, UserState0, SslState, CertPath, LogLevel) when (VerifyResult0 == valid) or (VerifyResult0 == valid_peer) -> diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index 20b017436c..3eedf1305a 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl 
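Review bot: The `{policy_set, OidList}` clause of validate_policy_opts only checks `is_list(OidList)`, so a value such as `[{policy_set, [foo]}]` passes option handling and is handed unchecked to path validation during the handshake. In addition, opt_policies reads the option with `get_opt` rather than `get_opt_list` (used for `certs_keys` in the opt_certs context just below). A non-list value like `{cert_policy_opts, foo}` therefore matches no clause of validate_policy_opts and would surface as a function_clause error instead of an option error. Checking both at this boundary keeps malformed input out of the certificate-validation path; the sketch below assumes `get_opt_list` returns the same `{Where, Value}` shape as `get_opt`.

```erlang
opt_policies(UserOpts, Opts) ->
    case get_opt_list(cert_policy_opts, [], UserOpts, Opts) of
        %% … unchanged: default / old / new clauses …

validate_policy_opts([{policy_set, OidList} = Opt | Rest]) when is_list(OidList) ->
    case lists:all(fun is_oid/1, OidList) of
        true ->
            validate_policy_opts(Rest);
        false ->
            option_error(cert_policy_opts, Opt)
    end;
%% … unchanged: boolean options and catch-all clause …

is_oid(Oid) when is_tuple(Oid) ->
    lists:all(fun is_integer/1, tuple_to_list(Oid));
is_oid(_) ->
    false.
```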
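Review bot: In path_validation_options the stored `cert_policy_opts` list is appended verbatim to the options handed to path validation, and nothing at this call site says where its contents were checked. A short comment would make that trust assumption explicit for the next reader, for example `%% cert_policy_opts was validated in ssl:opt_policies/2 (policy_set, explicit_policy, inhibit_policy_mapping, inhibit_any_policy only) and is appended after the fixed entries`. It would also help to note that the `[]` default covers option maps built without the new key.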
@@ -134,8 +134,6 @@ invalid_keyfile/1, options_not_proplist/0, options_not_proplist/1, - invalid_options/0, - invalid_options/1, options_whitebox/0, options_whitebox/1, cb_info/0, cb_info/1, @@ -252,8 +250,7 @@ groups() -> handshake_paus_tests()) -- [dh_params, new_options_in_handshake, - handshake_continue_tls13_client, - invalid_options]) + handshake_continue_tls13_client]) ++ (since_1_2() -- [conf_signature_algs])}, {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3() ++ [honor_client_cipher_order_tls12, honor_server_cipher_order_tls12]}, @@ -283,7 +280,6 @@ simple_api_tests() -> invalid_certfile, invalid_cacertfile, invalid_dhfile, - invalid_options, options_not_proplist, options_whitebox, format_error 
@@ -2159,71 +2155,6 @@ options_not_proplist(Config) when is_list(Config) -> ssl:connect("twitter.com", 443, [binary, {active, false}, BadOption]). -%%------------------------------------------------------------------- -invalid_options() -> - [{doc,"Test what happens when we give invalid options"}]. - -invalid_options(Config) when is_list(Config) -> - ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - - Check = fun(Client, Server, {versions, [sslv2, sslv3]} = Option) -> - ssl_test_lib:check_result(Server, - {error, {options, {sslv2, Option}}}, - Client, - {error, {options, {sslv2, Option}}}); - (Client, Server, Option) -> - ssl_test_lib:check_result(Server, - {error, {options, Option}}, - Client, - {error, {options, Option}}) - end, - - TestOpts = - [{versions, [sslv2, sslv3]}, - {verify_fun, function}, - {fail_if_no_peer_cert, 0}, - {depth, four}, - {certfile, 'cert.pem'}, - {keyfile,'key.pem' }, - {password, foo}, - {cacertfile, ""}, - {ciphers, [{foo, bar, sha, ignore}]}, - {reuse_session, foo}, - {reuse_sessions, 0}, - {renegotiate_at, "10"}, - {mode, depech}, - {packet, 8.0}, - {packet_size, "2"}, - {header, a}, - {active, trice}, - {key, 'key.pem' }], - - TestOpts2 = - [{[{supported_groups, []}, {versions, [tlsv1]}], - {options,incompatible,[supported_groups,{versions,['tlsv1']}]}}], - - [begin - Server = - ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, - {from, self()}, - {options, ServerOpts ++ [TestOpt]}]), - %% Will never reach a point where port is used. 
- Client = - ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0}, - {host, Hostname}, {from, self()}, - {options, ClientOpts ++ [TestOpt]}]), - Check(Client, Server, TestOpt), - ok - end || TestOpt <- TestOpts], - - [begin - start_client_negative(Config, TestOpt, ErrorMsg), - ok - end || {TestOpt, ErrorMsg} <- TestOpts2], - ok. - options_whitebox() -> [{doc,"Whitebox tests of option handling"}]. @@ -2279,6 +2210,7 @@ customize_defaults(Opts, Role, Host) -> try ssl:handle_options(__Opts, Role, Host) of {ok, #config{ssl=EXP = __ALL}} -> ShouldBeMissing = ShouldBeMissing -- maps:keys(__ALL); + %% __ALL = ssl:update_options([], Role, __ALL); Other -> ?CT_PAL("ssl:handle_options(~0p,~0p,~0p).",[__Opts,Role,Host]), error({unexpected, Other}) @@ -2822,6 +2754,12 @@ options_verify(Config) -> %% fail_if_no_peer_cert, verify, verify_fun, partial_ ?OK(#{fail_if_no_peer_cert := true, verify := verify_peer, verify_fun := undefined, partial_chain := _}, [{verify, verify_peer}, {cacerts, [Cert]}], server), + %% Test ssl option handling. Option values are verified by public_key tests + CertPolicyOpts = [{policy_set, [?anyPolicy]}, {explicit_policy, false}], + + ?OK(#{cert_policy_opts := CertPolicyOpts}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, CertPolicyOpts}], + client), + NewF3 = fun(_,_,_) -> ok end, NewF4 = fun(_,_,_,_) -> ok end, ?OK(#{}, [], client, [fail_if_no_peer_cert]), 
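Review bot: The hunk at `@@ -2279,6 +2210,7 @@` adds a commented-out statement, `%% __ALL = ssl:update_options([], Role, __ALL);`, with no explanation of why it is disabled. Dead code in a test helper tends to stay, and readers are left guessing whether the update path is meant to be covered. Either drop the line or turn it into an explicit note such as `%% TODO: also assert that ssl:update_options([], Role, __ALL) returns __ALL unchanged`. The surrounding definition starts and ends outside the hunk.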
@@ -2853,6 +2791,15 @@ options_verify(Config) -> %% fail_if_no_peer_cert, verify, verify_fun, partial_ ?ERR({options, incompatible, [{verify, _}, {cacerts, undefined}]}, [{verify, verify_peer}], server), ?ERR({partial_chain, not_a_fun}, [{partial_chain, not_a_fun}], client), ?ERR({verify_fun, not_a_fun}, [{verify_fun, not_a_fun}], client), + ?ERR({cert_policy_opts, {foo, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{foo,bar}]}], + client), + ?ERR({cert_policy_opts, {explicit_policy, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{explicit_policy,bar}]}], + client), + ?ERR({cert_policy_opts, {inhibit_policy_mapping, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{explicit_policy, true}, + {inhibit_policy_mapping,bar}]}], + client), + ?ERR({cert_policy_opts, {inhibit_any_policy, bar}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{inhibit_any_policy,bar}]}], + client), ok. options_fallback(_Config) -> -- 2.35.3
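Review bot: The new negative cases in options_verify cover an unknown key and non-boolean values for the three flags, but none of them exercises `policy_set`, the one option that carries caller-supplied OIDs. A malformed set that the current validator already rejects would pin that behaviour: `?ERR({cert_policy_opts, {policy_set, foo}}, [{verify, verify_peer}, {cacerts, [Cert]}, {cert_policy_opts, [{policy_set, foo}]}], client),`. A list with non-OID elements (`[{policy_set, [foo]}]`) and a non-list `cert_policy_opts` value are also untested. From the validator in ssl.erl the first looks to be accepted and the second to miss the option-error path, so those cases are worth adding together with a fix there. options_verify starts above the hunk.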