From c0443a50756398b3676c3418d1b50c2217da24c1 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 8 Nov 2021 11:25:40 +0100
Subject: [PATCH 1/2] ssl: Correct OpenSSL interop tests
Add missing call to wait_for_openssl_server. Also make
sure openssl interop tests honor DTLS group configuration.
---
lib/ssl/test/openssl_client_cert_SUITE.erl | 5 +-
lib/ssl/test/openssl_ocsp_SUITE.erl | 84 +++++++++++-----------
lib/ssl/test/ssl_cert_tests.erl | 4 +-
lib/ssl/test/ssl_test_lib.erl | 58 +++++++++++----
4 files changed, 89 insertions(+), 62 deletions(-)
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 263628c3c4..6effd69664 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -82,10 +82,10 @@ groups() ->
[
{openssl_client, [], protocol_groups()},
{'tlsv1.3', [], tls_1_3_protocol_groups()},
- {'tlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, rsa_pss_rsae}, {group, rsa_pss_pss}]},
+ {'tlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, ecdsa}, {group, rsa_pss_rsae}, {group, rsa_pss_pss}]},
{'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
{'tlsv1', [], pre_tls_1_3_protocol_groups()},
- {'dtlsv1.2', [], pre_tls_1_3_protocol_groups()},
+ {'dtlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, ecdsa}]},
{'dtlsv1', [], pre_tls_1_3_protocol_groups()},
{rsa, [], all_version_tests()},
{ecdsa, [], all_version_tests()},
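Review bot: ECDSA coverage is silently dropped for the 'tlsv1.1', 'tlsv1' and 'dtlsv1' groups, because `{group, ecdsa}` is removed from pre_tls_1_3_protocol_groups() (next hunk) and only re-added under 'tlsv1.2' and 'dtlsv1.2'; neither the commit message nor the code says why. If that is deliberate (for example because the OpenSSL build used for interop cannot negotiate ECDSA with those versions, which I cannot tell from the hunk), a comment on the 'tlsv1.2' line such as `%% ECDSA interop is exercised on TLS 1.2 / DTLS 1.2 only; the older protocol groups skip it on purpose` would keep a later maintainer from moving it back. groups() itself starts and ends outside the hunk.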
@@ -119,7 +119,6 @@ protocol_groups() ->
pre_tls_1_3_protocol_groups() ->
[{group, rsa},
- {group, ecdsa},
{group, dsa}].
tls_1_3_protocol_groups() ->
diff --git a/lib/ssl/test/openssl_ocsp_SUITE.erl b/lib/ssl/test/openssl_ocsp_SUITE.erl
index f4a68f7543..ec12354b8d 100644
--- a/lib/ssl/test/openssl_ocsp_SUITE.erl
+++ b/lib/ssl/test/openssl_ocsp_SUITE.erl
@@ -145,12 +145,12 @@ ocsp_stapling_basic(Config)
[{options, ServerOpts}], Config),
Port = ssl_test_lib:inet_port(Server),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {cacertfile, CACertsFile},
- {server_name_indication, disable},
- {ocsp_stapling, true},
- {ocsp_nonce, false}] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {cacertfile, CACertsFile},
+ {server_name_indication, disable},
+ {ocsp_stapling, true},
+ {ocsp_nonce, false}], Config),
Client = ssl_test_lib:start_client(erlang,
[{port, Port},
{options, ClientOpts}], Config),
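Review bot: If `GroupName` is still bound earlier in ocsp_stapling_basic (the function starts outside the hunk), it becomes unused once the `dtls_client_opt(GroupName)` call is gone, which produces an unused-variable warning and breaks a build with warnings_as_errors; the binding should be removed or renamed `_GroupName`. The same applies to the hunks for ocsp_stapling_with_nonce, ocsp_stapling_with_responder_cert, ocsp_stapling_revoked, ocsp_stapling_undetermined and ocsp_stapling_no_staple. The hunks also do not show whether ssl_test_lib:ssl_options/2 injects `{protocol, dtls}` for the 'dtlsv1.2' group the way the deleted dtls_client_opt/1 did; if it does not, the DTLS OCSP cases would now quietly run over TLS, so that is worth confirming against ssl_test_lib before merging.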
@@ -175,12 +175,12 @@ ocsp_stapling_with_nonce(Config)
[{options, ServerOpts}], Config),
Port = ssl_test_lib:inet_port(Server),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {cacertfile, CACertsFile},
- {server_name_indication, disable},
- {ocsp_stapling, true},
- {ocsp_nonce, true}] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {cacertfile, CACertsFile},
+ {server_name_indication, disable},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}], Config),
Client = ssl_test_lib:start_client(erlang,
[{port, Port},
{options, ClientOpts}], Config),
@@ -212,13 +212,13 @@ ocsp_stapling_with_responder_cert(Config)
[{'Certificate', Der, _IsEncrypted}] =
public_key:pem_decode(ResponderCert),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {cacertfile, CACertsFile},
- {server_name_indication, disable},
- {ocsp_stapling, true},
- {ocsp_nonce, true},
- {ocsp_responder_certs, [Der]}] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {cacertfile, CACertsFile},
+ {server_name_indication, disable},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true},
+ {ocsp_responder_certs, [Der]}], Config),
Client = ssl_test_lib:start_client(erlang,
[{port, Port},
{options, ClientOpts}], Config),
@@ -244,13 +244,13 @@ ocsp_stapling_revoked(Config)
[{options, ServerOpts}], Config),
Port = ssl_test_lib:inet_port(Server),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {server_name_indication, disable},
- {cacertfile, CACertsFile},
- {ocsp_stapling, true},
- {ocsp_nonce, true}
- ] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {server_name_indication, disable},
+ {cacertfile, CACertsFile},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}
+ ], Config),
Client = ssl_test_lib:start_client_error([{node, ClientNode},{port, Port},
{host, Hostname}, {from, self()},
@@ -275,13 +275,13 @@ ocsp_stapling_undetermined(Config)
[{options, ServerOpts}], Config),
Port = ssl_test_lib:inet_port(Server),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {server_name_indication, disable},
- {cacertfile, CACertsFile},
- {ocsp_stapling, true},
- {ocsp_nonce, true}
- ] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {server_name_indication, disable},
+ {cacertfile, CACertsFile},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}
+ ], Config),
Client = ssl_test_lib:start_client_error([{node, ClientNode},{port, Port},
{host, Hostname}, {from, self()},
@@ -307,13 +307,13 @@ ocsp_stapling_no_staple(Config)
[{options, ServerOpts}], Config),
Port = ssl_test_lib:inet_port(Server),
- ClientOpts = [{log_level, debug},
- {verify, verify_peer},
- {server_name_indication, disable},
- {cacertfile, CACertsFile},
- {ocsp_stapling, true},
- {ocsp_nonce, true}
- ] ++ dtls_client_opt(GroupName),
+ ClientOpts = ssl_test_lib:ssl_options([{log_level, debug},
+ {verify, verify_peer},
+ {server_name_indication, disable},
+ {cacertfile, CACertsFile},
+ {ocsp_stapling, true},
+ {ocsp_nonce, true}
+ ], Config),
Client = ssl_test_lib:start_client_error([{node, ClientNode},{port, Port},
{host, Hostname}, {from, self()},
@@ -382,7 +382,3 @@ get_free_port() ->
ok = gen_tcp:close(Listen),
Port.
-dtls_client_opt('dtlsv1.2') ->
- [{protocol, dtls}];
-dtls_client_opt(_Other) ->
- [].
\ No newline at end of file
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index 2b71998b11..a6760663f8 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -434,8 +434,8 @@ test_ciphers(_, 'tlsv1.3' = Version) ->
end, Ciphers);
test_ciphers(_, Version) when Version == 'dtlsv1';
Version == 'dtlsv1.2' ->
- {_, Minor} = dtls_record:proplists(Version),
- Ciphers = dtls_v1:suites(Minor),
+ {_, Minor} = dtls_record:protocol_version(Version),
+ Ciphers = [ssl_cipher_format:suite_bin_to_map(Bin) || Bin <- dtls_v1:suites(Minor)],
ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
OpenSSLCiphers = openssl_ciphers(),
ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 7ef5034f4b..fb992e8c51 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -325,7 +325,7 @@ working_openssl_client() ->
end.
init_per_group_openssl(GroupName, Config0) ->
- case is_tls_version(GroupName) andalso sufficient_crypto_support(GroupName) of
+ case is_protocol_version(GroupName) andalso sufficient_crypto_support(GroupName) of
true ->
Config = clean_protocol_version(Config0),
case openssl_tls_version_support(GroupName, Config)
@@ -346,7 +346,7 @@ init_per_group_openssl(GroupName, Config0) ->
end.
end_per_group(GroupName, Config) ->
- case is_tls_version(GroupName) of
+ case is_protocol_version(GroupName) of
true ->
clean_protocol_version(Config);
false ->
@@ -373,6 +373,8 @@ openssl_ciphers() ->
openssl_support_rsa_kex() ->
case portable_cmd("openssl", ["version"]) of
+ "OpenSSL 3." ++ _Rest ->
+ false;
"OpenSSL 1.1.1" ++ _Rest ->
false;
_ ->
@@ -2027,8 +2029,8 @@ accepters(Acc, N) ->
basic_test(COpts, SOpts, Config) ->
SType = proplists:get_value(server_type, Config, erlang),
CType = proplists:get_value(client_type, Config, erlang),
- {Server, Port} = start_server(SType, COpts, SOpts, Config),
- Client = start_client(CType, Port, COpts, Config),
+ {Server, Port} = start_server(SType, COpts, ssl_options(SOpts, Config), Config),
+ Client = start_client(CType, Port, ssl_options(COpts, Config), Config),
gen_check_result(Server, SType, Client, CType),
stop(Server, Client).
@@ -2565,31 +2567,48 @@ openssl_tls_version_support(Version, Config0) ->
CertFile = proplists:get_value(certfile, ServerOpts),
KeyFile = proplists:get_value(keyfile, ServerOpts),
Exe = "openssl",
- Args0 = ["s_server", "-accept",
- integer_to_list(Port), "-CAfile", CaCertFile,
- "-cert", CertFile,"-key", KeyFile],
+ {Proto, Opts} = case is_tls_version(Version) of
+ true ->
+ {tls, [{protocol,tls}, {versions, [Version]}]};
+ false ->
+ {dtls, [{protocol,dtls}, {versions, [Version]}]}
+ end,
+ Args0 = case Proto of
+ tls ->
+ ["s_server", "-accept",
+ integer_to_list(Port), "-CAfile", CaCertFile,
+ "-cert", CertFile,"-key", KeyFile];
+ dtls ->
+ ["s_server", "-accept",
+ integer_to_list(Port), "-dtls", "-CAfile", CaCertFile,
+ "-cert", CertFile,"-key", KeyFile]
+ end,
Args = maybe_force_ipv4(Args0),
OpensslPort = portable_open_port(Exe, Args),
- try wait_for_openssl_server(Port, tls) of
+ try wait_for_openssl_server(Port, Proto) of
ok ->
- case ssl:connect("localhost", Port, [{versions, [Version]}]) of
+ case ssl:connect("localhost", Port, Opts, 5000) of
{ok, Socket} ->
ssl:close(Socket),
close_port(OpensslPort),
true;
{error, {tls_alert, {protocol_version, _}}} ->
- ct:pal("Openssl does not support ~p", [Version]),
+ ct:pal("OpenSSL does not support ~p", [Version]),
close_port(OpensslPort),
false;
{error, {tls_alert, Alert}} ->
- ct:pal("Openssl returned alert ~p", [Alert]),
+ ct:pal("OpenSSL returned alert ~p", [Alert]),
+ close_port(OpensslPort),
+ false;
+ {error, timeout} ->
+ ct:pal("Timed out conntion to OpenSSL", []),
close_port(OpensslPort),
false
end
catch
_:_ ->
- ct:pal("Openssl does not support ~p", [Version]),
+ ct:pal("OpenSSL does not support ~p", [Version]),
close_port(OpensslPort),
false
end.
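Review bot: The new timeout branch logs `"Timed out conntion to OpenSSL"`, which should read `"Timed out connection to OpenSSL"`; it is the only signal a tester gets when the 5000 ms `ssl:connect/4` expires. The pre-existing `catch _:_` clause below it still reports every exception as "does not support ~p", which hides e.g. a failure in portable_open_port/2 or a badmatch in the new option handling; binding the reason and logging it, `_:Reason -> ct:pal("OpenSSL does not support ~p: ~p", [Version, Reason]),`, keeps the return value while making such failures diagnosable. openssl_tls_version_support/2 starts outside the hunk.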
@@ -3100,7 +3119,9 @@ check_sane_openssl_renegotiate(Config) ->
end.
openssl_allows_client_renegotiate(Config) ->
- case portable_cmd("openssl", ["version"]) of
+ case portable_cmd("openssl", ["version"]) of
+ "OpenSSL 3" ++ _ ->
+ {skip, "OpenSSL does not allow client renegotiation"};
"OpenSSL 1.1" ++ _ ->
{skip, "OpenSSL does not allow client renegotiation"};
"LibreSSL" ++ _ ->
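Review bot: The new clause matches `"OpenSSL 3" ++ _`, whereas the other OpenSSL 3 checks added in this patch (openssl_support_rsa_kex/0 and default_ciphers/1) match `"OpenSSL 3." ++ _`; the dot-less prefix is looser than the others and the three checks will drift apart as versions are added. Use `"OpenSSL 3." ++ _ ->` here as well so all three version guards read the same. The case expression continues outside the hunk.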
@@ -3124,8 +3145,11 @@ enough_openssl_crl_support(_) -> true.
wait_for_openssl_server(Port, tls) ->
do_wait_for_openssl_tls_server(Port, 10);
wait_for_openssl_server(_Port, dtls) ->
+ ct:sleep(?SLEEP),
ok. %% No need to wait for DTLS over UDP server
%% client will retransmitt until it is up.
+ %% But wait a little for openssl debug printing
+
do_wait_for_openssl_tls_server(_, 0) ->
exit(failed_to_connect_to_openssl);
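Review bot: The comment explaining the added `ct:sleep(?SLEEP)` is placed after the clause's terminating `ok.`, so it dangles between functions and the sleep itself carries no hint of why a DTLS wait is now needed. Put the reason above the sleep, e.g. `%% The UDP client retransmits until the server is up, so no connect probe is needed; sleep only to give openssl time to emit its startup output.`, and drop the trailing comment lines after `ok.`. A fixed sleep is a timing assumption rather than a readiness check; ?SLEEP's value is not visible here, so whether it is long enough on a loaded CI host is worth confirming.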
@@ -3868,6 +3892,14 @@ default_ciphers(Version) ->
case portable_cmd("openssl", ["version"]) of
"OpenSSL 0.9" ++ _ ->
ssl:cipher_suites(all,Version);
+ "OpenSSL 3." ++ _ ->
+ ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
+ [{mac,
+ fun(sha) ->
+ false;
+ (_) ->
+ true
+ end}]);
_ ->
ssl:cipher_suites(default, Version)
end,
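Review bot: The new "OpenSSL 3." branch removes every default suite whose MAC is `sha` without stating why, and the two-clause fun is more than the check needs. A one-line reason above the branch, e.g. `%% OpenSSL 3 presumably no longer negotiates SHA-1 MAC suites by default -- confirm which 3.x versions`, together with `[{mac, fun(Mac) -> Mac =/= sha end}]` would document the intent and shrink the clause. The enclosing `case` belongs to default_ciphers/1, which starts outside the hunk, so I cannot see how its result is bound.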
--
2.31.1