Merge pull request #219 from qzhuyan/dev/william/fix-listener-verify-…

…none fix: listener should not load cacert with verify_none
emqx · Sep 25, 2023 · 3e8f713 · 3e8f713
2 parents 7fe30c7 + fbf5dcd
commit 3e8f713
Show file tree

Hide file tree

Showing 10 changed files with 53 additions and 8 deletions.
diff --git a/c_src/quicer_config.c b/c_src/quicer_config.c
@@ -306,7 +306,7 @@ ClientLoadConfiguration(ErlNifEnv *env,
   parse_cert_options(env, *options, &CredConfig);
 
   // If Verify Peer...
-  if (!parse_verify_options(env, *options, &CredConfig, FALSE))
+  if (!parse_verify_options(env, *options, &CredConfig, FALSE, NULL))
     {
       return ERROR_TUPLE_2(ATOM_VERIFY);
     }

diff --git a/c_src/quicer_connection.c b/c_src/quicer_connection.c
@@ -23,8 +23,10 @@ limitations under the License.
 #include <openssl/x509.h>
 #include <unistd.h>
 
+#ifdef DEBUG
 extern inline void
 EncodeHexBuffer(uint8_t *Buffer, uint8_t BufferLen, char *HexString);
+#endif
 
 extern inline const char *QuicStatusToString(QUIC_STATUS Status);
 

diff --git a/c_src/quicer_dgram.c b/c_src/quicer_dgram.c
@@ -82,6 +82,7 @@ send_dgram(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
   //
 
   assert(bin->data != NULL);
+  uint32_t bin_size = (uint32_t)bin->size;
   dgram_send_ctx->Buffer.Buffer = (uint8_t *)bin->data;
   dgram_send_ctx->Buffer.Length = (uint32_t)bin->size;
 
@@ -99,7 +100,7 @@ send_dgram(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
   else
     {
       enif_mutex_unlock(c_ctx->lock);
-      return SUCCESS(ETERM_UINT_64(bin->size));
+      return SUCCESS(ETERM_UINT_64(bin_size));
     }
 }
 

diff --git a/c_src/quicer_listener.c b/c_src/quicer_listener.c
@@ -265,7 +265,8 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
       return ERROR_TUPLE_2(ATOM_QUIC_TLS);
     }
 
-  if (!parse_verify_options(env, options, &CredConfig, TRUE))
+  BOOLEAN is_verify = FALSE;
+  if (!parse_verify_options(env, options, &CredConfig, TRUE, &is_verify))
     {
       return ERROR_TUPLE_2(ATOM_VERIFY);
     }
@@ -284,7 +285,7 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
       return ERROR_TUPLE_2(ATOM_ERROR_NOT_ENOUGH_MEMORY);
     }
 
-  if (cacertfile)
+  if (is_verify && cacertfile)
     {
       l_ctx->cacertfile = cacertfile;
       // We do our own certificate verification against the certificates

diff --git a/c_src/quicer_stream.c b/c_src/quicer_stream.c
@@ -676,6 +676,7 @@ send3(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
   assert(bin->data != NULL);
   send_ctx->Buffer.Buffer = (uint8_t *)bin->data;
   send_ctx->Buffer.Length = (uint32_t)bin->size;
+  uint32_t bin_size = (uint32_t)bin->size;
 
   QUIC_STATUS Status;
   // note, SendBuffer as sendcontext, free the buffer while message is sent
@@ -689,7 +690,7 @@ send3(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
 
   else
     {
-      res = SUCCESS(ETERM_UINT_64(bin->size));
+      res = SUCCESS(ETERM_UINT_64(bin_size));
       goto Exit;
     }
 ErrorExit:

diff --git a/c_src/quicer_tls.c b/c_src/quicer_tls.c
@@ -88,16 +88,23 @@ parse_cert_options(ErlNifEnv *env,
 /*
  * Parse verify option for listener (server)
  *  verify : boolean() | undefined
+ *  output *is_verify if is_verify is not NULL
  */
 BOOLEAN
 parse_verify_options(ErlNifEnv *env,
                      ERL_NIF_TERM options,
                      QUIC_CREDENTIAL_CONFIG *CredConfig,
-                     BOOLEAN is_server)
+                     BOOLEAN is_server,
+                     _Out_ BOOLEAN *is_verify)
 {
 
   BOOLEAN verify = load_verify(env, &options, FALSE);
 
+  if (is_verify)
+    {
+      *is_verify = verify;
+    }
+
   if (!verify)
     {
       CredConfig->Flags |= QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION;

diff --git a/c_src/quicer_tls.h b/c_src/quicer_tls.h
@@ -26,7 +26,8 @@ BOOLEAN
 parse_verify_options(ErlNifEnv *env,
                      ERL_NIF_TERM options,
                      QUIC_CREDENTIAL_CONFIG *CredConfig,
-                     BOOLEAN is_server);
+                     BOOLEAN is_server,
+                     _Out_ BOOLEAN *is_verify);
 
 BOOLEAN
 parse_cacertfile_option(ErlNifEnv *env,

diff --git a/src/quicer_connection.erl b/src/quicer_connection.erl
@@ -92,7 +92,7 @@
                             cb_state()) -> cb_ret().
 %% Handle Stream Available, reflect number of streams flow control at peer.
 
--callback peer_needs_streams(connection_handle(), undefined, cb_state()) -> cb_ret().
+-callback peer_needs_streams(connection_handle(), unidi_streams | bidi_streams, cb_state()) -> cb_ret().
 %% Handle Peer needs streams that peer could not start new stream due to local flow control.
 
 -callback resumed(connection_handle(), SessionData:: binary() | false, cb_state()) -> cb_ret().

diff --git a/test/quicer_connection_SUITE.erl b/test/quicer_connection_SUITE.erl
@@ -471,6 +471,9 @@ run_tc_conn_client_bad_cert(Config)->
         {error, stm_open_error, aborted} ->
           %% Depending on the timing, connection open could fail already.
           ok;
+        {error, stm_start_error, aborted} ->
+          %% Depending on the timing, connection open could fail already.
+          ok;
         {ok, Stm} ->
           case quicer:send(Stm, <<"ping">>) of
             {ok, 4} -> ok;

diff --git a/test/quicer_listener_SUITE.erl b/test/quicer_listener_SUITE.erl
@@ -466,11 +466,40 @@ tc_listener_stopped_when_owner_die(Config) ->
   %% Then the new listener can be closed
   ok = quicer:close_listener(L1).
 
+tc_verify_none_butwith_cacert(Config)->
+  Port = select_port(),
+  %% When Listener is configured with CA certfile but verify_none
+  LConfig = default_listener_opts(Config, verify_none),
+  ConnectionOpts = [ {conn_callback, quicer_server_conn_callback}
+                   , {stream_acceptors, 32}
+                     | default_conn_opts()],
+  StreamOpts = [ {stream_callback, quicer_echo_server_stream_callback}
+               | default_stream_opts() ],
+  Options = {LConfig, ConnectionOpts, StreamOpts},
+  {ok, _QuicApp} = quicer:spawn_listener(?FUNCTION_NAME, Port, Options),
+
+  %% Then the connection should succeed
+  {ok, Conn} =
+    quicer:connect("localhost", Port,
+                   [ {verify, verify_none}
+                   , {peer_unidi_stream_count, 3}
+                   , {alpn, ["sample"]} | Config], 5000),
+  quicer:close_connection(Conn),
+  quicer:terminate_listener(?FUNCTION_NAME),
+  ok.
+
 select_port() ->
   Port = select_free_port(quic),
   timer:sleep(100),
   Port.
 
+default_listener_opts(Config, Verify) ->
+  DataDir = ?config(data_dir, Config),
+  [ {cacertfile, filename:join(DataDir, "ca.pem")}
+  , {conn_acceptors, 4}
+  , {verify, Verify} |
+    tl(default_listen_opts(Config)) ].
+
 %%%_* Emacs ====================================================================
 %%% Local Variables:
 %%% allout-layout: t