Merge pull request #175 from emqx/fix/william/null-cert-chain

Fix null cert chain
emqx · Feb 3, 2023 · 85b1746 · 85b1746
2 parents 5282fef + 8ed3260
commit 85b1746
Show file tree

Hide file tree

Showing 9 changed files with 35 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -67,8 +67,8 @@ make
 ``` erlang
 application:ensure_all_started(quicer),
 Port = 4567,
-LOptions = [ {cert, "cert.pem"}
-           , {key,  "key.pem"}
+LOptions = [ {certfile, "cert.pem"}
+           , {keyfile,  "key.pem"}
            , {alpn, ["sample"]}
            , {peer_bidi_stream_count, 1}
              ],

diff --git a/c_src/quicer_config.c b/c_src/quicer_config.c
@@ -225,8 +225,10 @@ ClientLoadConfiguration(ErlNifEnv *env,
   CredConfig.Type = QUIC_CREDENTIAL_TYPE_NONE;
   CredConfig.Flags = QUIC_CREDENTIAL_FLAG_CLIENT;
 
-  if (get_str_from_map(env, ATOM_CERT, options, cert_path, PATH_MAX + 1)
-      && get_str_from_map(env, ATOM_KEY, options, key_path, PATH_MAX + 1))
+  if ((get_str_from_map(env, ATOM_CERTFILE, options, cert_path, PATH_MAX + 1)
+       || get_str_from_map(env, ATOM_CERT, options, cert_path, PATH_MAX + 1))
+      && (get_str_from_map(env, ATOM_KEYFILE, options, key_path, PATH_MAX + 1)
+          || get_str_from_map(env, ATOM_KEY, options, key_path, PATH_MAX + 1)))
     {
       if (get_str_from_map(env, ATOM_PASSWORD, options, password, 256))
         {
@@ -376,9 +378,9 @@ load_verify(ErlNifEnv *env, const ERL_NIF_TERM *options, bool default_verify)
   if (!enif_get_map_value(env, *options, ATOM_VERIFY, &verify_atom))
     return default_verify;
 
-  if (verify_atom == ATOM_PEER)
+  if (verify_atom == ATOM_PEER || verify_atom == ATOM_VERIFY_PEER)
     return true;
-  else if (verify_atom == ATOM_NONE)
+  else if (verify_atom == ATOM_NONE || verify_atom == ATOM_VERIFY_NONE)
     return false;
   else
     return default_verify;

diff --git a/c_src/quicer_connection.c b/c_src/quicer_connection.c
@@ -1464,9 +1464,8 @@ handle_connection_event_resumption_ticket_received(
 }
 
 static QUIC_STATUS
-handle_connection_event_peer_certificate_received(
-    __unused_parm__ QuicerConnCTX *c_ctx,
-    __unused_parm__ QUIC_CONNECTION_EVENT *Event)
+handle_connection_event_peer_certificate_received(QuicerConnCTX *c_ctx,
+                                                  QUIC_CONNECTION_EVENT *Event)
 {
   // @TODO peer_certificate_received
   // Only with QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED set
@@ -1475,11 +1474,12 @@ handle_connection_event_peer_certificate_received(
   X509 *cert = (X509 *)Event->PEER_CERTIFICATE_RECEIVED.Certificate;
   X509_STORE_CTX *x509_ctx
       = (X509_STORE_CTX *)Event->PEER_CERTIFICATE_RECEIVED.Chain;
-  STACK_OF(X509) *untrusted = X509_STORE_CTX_get0_untrusted(x509_ctx);
 
   if (cert == NULL)
     return QUIC_STATUS_BAD_CERTIFICATE;
 
+  STACK_OF(X509) *untrusted = X509_STORE_CTX_get0_untrusted(x509_ctx);
+
   X509_STORE_CTX *ctx = X509_STORE_CTX_new();
   X509_STORE_CTX_init(ctx, c_ctx->trusted, cert, untrusted);
   int res = X509_verify_cert(ctx);

diff --git a/c_src/quicer_eterms.h b/c_src/quicer_eterms.h
@@ -110,7 +110,9 @@ extern ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_UNOBTAINABLE;
 
 // option keys
 extern ERL_NIF_TERM ATOM_CERT;
+extern ERL_NIF_TERM ATOM_CERTFILE;
 extern ERL_NIF_TERM ATOM_KEY;
+extern ERL_NIF_TERM ATOM_KEYFILE;
 extern ERL_NIF_TERM ATOM_PASSWORD;
 extern ERL_NIF_TERM ATOM_ALPN;
 extern ERL_NIF_TERM ATOM_HANDLE;

diff --git a/c_src/quicer_listener.c b/c_src/quicer_listener.c
@@ -299,12 +299,18 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
   char key_path[PATH_MAX + 1] = { 0 };
   ERL_NIF_TERM tmp_term;
 
-  if (get_str_from_map(env, ATOM_CERT, &options, cert_path, PATH_MAX + 1) <= 0)
+  if (get_str_from_map(env, ATOM_CERTFILE, &options, cert_path, PATH_MAX + 1)
+          <= 0
+      && get_str_from_map(env, ATOM_CERT, &options, cert_path, PATH_MAX + 1)
+             <= 0)
     {
       return ERROR_TUPLE_2(ATOM_BADARG);
     }
 
-  if (get_str_from_map(env, ATOM_KEY, &options, key_path, PATH_MAX + 1) <= 0)
+  if (get_str_from_map(env, ATOM_KEYFILE, &options, key_path, PATH_MAX + 1)
+          <= 0
+      && get_str_from_map(env, ATOM_KEY, &options, key_path, PATH_MAX + 1)
+             <= 0)
     {
       return ERROR_TUPLE_2(ATOM_BADARG);
     }

diff --git a/c_src/quicer_nif.c b/c_src/quicer_nif.c
@@ -129,7 +129,9 @@ ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_UNOBTAINABLE;
 
 // option keys
 ERL_NIF_TERM ATOM_CERT;
+ERL_NIF_TERM ATOM_CERTFILE;
 ERL_NIF_TERM ATOM_KEY;
+ERL_NIF_TERM ATOM_KEYFILE;
 ERL_NIF_TERM ATOM_PASSWORD;
 ERL_NIF_TERM ATOM_ALPN;
 ERL_NIF_TERM ATOM_HANDLE;
@@ -604,7 +606,9 @@ ERL_NIF_TERM ATOM_UNDEFINED;
   ATOM(ATOM_QUIC_STREAM_OPTS_START_FLAG, start_flag)                          \
   /*                  QUIC_STREAM_OPTS end                        */          \
   ATOM(ATOM_CERT, cert);                                                      \
+  ATOM(ATOM_CERTFILE, certfile);                                              \
   ATOM(ATOM_KEY, key);                                                        \
+  ATOM(ATOM_KEYFILE, keyfile);                                                \
   ATOM(ATOM_PASSWORD, password);                                              \
   ATOM(ATOM_ALPN, alpn);                                                      \
   ATOM(ATOM_HANDLE, handle);                                                  \

diff --git a/include/quicer_types.hrl b/include/quicer_types.hrl
@@ -75,8 +75,10 @@
 -type listen_opts() :: listen_security_opts() | quic_settings().
 -type listen_security_opts() :: #{ alpn := [alpn()]
                                  , cert := file:filename()
+                                 , certfile := file:filename()
                                  , key := file:filename()
-                                 , verify => none | peer
+                                 , keyfile := file:filename()
+                                 , verify => none | peer | verify_peer | verify_none
                                  , cacertfile => filelib:filename()
                                  , password => string()
                                  , sslkeylogfile => filelib:filename()
@@ -132,7 +134,9 @@
 -type conn_opts() :: quic_settings() |  #{ alpn := [string()]
                                          , conn_callback => module()
                                          , cert => filelib:filename()
+                                         , certfile => filelib:filename()
                                          , key => filelib:filename()
+                                         , keyfile => filelib:filename()
                                          , password => string()
                                          , verify => none | peer
                                          , handle => connection_handle() %% get NST from last connection, for reconnect.

diff --git a/test/quicer_SUITE.erl b/test/quicer_SUITE.erl
@@ -2916,8 +2916,8 @@ default_conn_opts_bad_client_cert(Config, Ca) ->
 default_listen_opts(Config) ->
   DataDir = ?config(data_dir, Config),
   [ {verify, none}
-  , {cert, filename:join(DataDir, "server.pem")}
-  , {key,  filename:join(DataDir, "server.key")}
+  , {certfile, filename:join(DataDir, "server.pem")}
+  , {keyfile,  filename:join(DataDir, "server.key")}
   , {alpn, ["sample"]}
   , {idle_timeout_ms, 10000}
   , {server_resumption_level, 2} % QUIC_SERVER_RESUME_AND_ZERORTT

diff --git a/test/quicer_snb_SUITE.erl b/test/quicer_snb_SUITE.erl
@@ -2026,8 +2026,8 @@ default_conn_opts() ->
 
 default_listen_opts(Config) ->
   DataDir = ?config(data_dir, Config),
-  [ {cert, filename:join(DataDir, "server.pem")}
-  , {key,  filename:join(DataDir, "server.key")}
+  [ {certfile, filename:join(DataDir, "server.pem")}
+  , {keyfile,  filename:join(DataDir, "server.key")}
   , {alpn, ["sample"]}
   , {verify, none}
   , {idle_timeout_ms, 10000}