From a819cb1633e0cf5f3916b1d660fb0c7f37d51981 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Thu, 19 Apr 2018 11:48:55 +0200 Subject: Rewrite TLS dist to handle node names in certs --- lib/ssl/test/ssl_dist_bench_SUITE.erl | 45 +++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 12 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 4d27564319..06150218ea 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -1,7 +1,7 @@ %%%------------------------------------------------------------------- %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2017. All Rights Reserved. +%% Copyright Ericsson AB 2017-2018. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. @@ -95,14 +95,14 @@ init_per_suite(Config) -> _ -> PrivDir = proplists:get_value(priv_dir, Config), %% - [_, HostA] = string:split(atom_to_list(Node), "@"), + [_, HostA] = split_node(Node), NodeAName = ?MODULE_STRING ++ "_node_a", NodeAString = NodeAName ++ "@" ++ HostA, NodeAConfFile = filename:join(PrivDir, NodeAString ++ ".conf"), NodeA = list_to_atom(NodeAString), %% ServerNode = ssl_bench_test_lib:setup(dist_server), - [_, HostB] = string:split(atom_to_list(ServerNode), "@"), + [_, HostB] = split_node(ServerNode), NodeBName = ?MODULE_STRING ++ "_node_b", NodeBString = NodeBName ++ "@" ++ HostB, NodeBConfFile = filename:join(PrivDir, NodeBString ++ ".conf"), @@ -116,16 +116,23 @@ init_per_suite(Config) -> ?MODULE_STRING ++ " ROOT CA", CertOptions), SSLConf = [{verify, verify_peer}, + {fail_if_no_peer_cert, true}, {versions, [TLSVersion]}, {ciphers, [TLSCipher]}], + ServerConf = + [{verify_fun, + {fun inet_tls_dist:verify_client/3, undefined}} + | SSLConf], + ClientConf = + [{verify_fun, + {fun inet_tls_dist:verify_server/3, node}} + | SSLConf], %% write_node_conf( - NodeAConfFile, NodeA, - [{fail_if_no_peer_cert, true} | SSLConf], SSLConf, + NodeAConfFile, NodeA, ServerConf, ClientConf, CertOptions, RootCert), write_node_conf( - NodeBConfFile, NodeB, - [{fail_if_no_peer_cert, true} | SSLConf], SSLConf, + NodeBConfFile, NodeB, ServerConf, ClientConf, CertOptions, RootCert), %% [{node_a_name, NodeAName}, @@ -179,8 +186,17 @@ write_node_conf( [{extensions, [#'Extension'{ extnID = ?'id-ce-subjectAltName', - extnValue = [{dNSName, atom_to_list(Node)}], - critical = false}]} | CertOptions]}), + %% extnValue = [{dNSName, atom_to_list(Node)}], + %% extnValue = [{rfc822Name, atom_to_list(Node)}], + extnValue = + [{directoryName, + {rdnSequence, + [[#'AttributeTypeAndValue'{ + type = ?'id-at-commonName', + value = + {utf8String, + atom_to_binary(Node, utf8)}}]]}}], + critical = true}]} | CertOptions]}), NodeConf = [{server, ServerConf ++ Conf}, {client, ClientConf ++ Conf}], {ok, Fd} = file:open(ConfFile, [write]), @@ -188,6 +204,8 @@ write_node_conf( io:format(Fd, "~p.~n", [NodeConf]), ok = file:close(Fd). +split_node(Node) -> + string:split(atom_to_list(Node), "@"). %%%------------------------------------------------------------------- %%% Test cases @@ -221,15 +239,18 @@ setup_loop(_A, _B, T, 0) -> T; setup_loop(A, B, T, N) -> StartTime = start_time(), - [A] = rpc:block_call(B, erlang, nodes, []), + [N,A] = [N|rpc:block_call(B, erlang, nodes, [])], Time = elapsed_time(StartTime), - [B] = erlang:nodes(), + [N,B] = [N|erlang:nodes()], Mref = erlang:monitor(process, {rex,B}), true = net_kernel:disconnect(B), receive {'DOWN',Mref,process,_,_} -> [] = erlang:nodes(), - setup_loop(A, B, Time + T, N - 1) + receive + after 500 -> + setup_loop(A, B, Time + T, N - 1) + end end. -- cgit v1.2.3 From 0edf78512f444b0029b27de1cde60c38ea388845 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Fri, 20 Apr 2018 15:11:53 +0200 Subject: Create plug-in for distro cert nodes --- lib/ssl/test/ssl_dist_bench_SUITE.erl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 06150218ea..8852b6f3c6 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -121,11 +121,13 @@ init_per_suite(Config) -> {ciphers, [TLSCipher]}], ServerConf = [{verify_fun, - {fun inet_tls_dist:verify_client/3, undefined}} + {fun inet_tls_dist:verify_client/3, + fun inet_tls_dist:cert_nodes/1}} | SSLConf], ClientConf = [{verify_fun, - {fun inet_tls_dist:verify_server/3, node}} + {fun inet_tls_dist:verify_server/3, + fun inet_tls_dist:cert_nodes/1}} | SSLConf], %% write_node_conf( -- cgit v1.2.3 From b5ec77bf908877d7471997527959e3d98d45bd96 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Tue, 24 Apr 2018 09:34:51 +0200 Subject: Parse cert primarily for host names --- lib/ssl/test/ssl_dist_bench_SUITE.erl | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 8852b6f3c6..31de0936f9 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -181,6 +181,7 @@ end_per_testcase(_Func, _Conf) -> write_node_conf( ConfFile, Node, ServerConf, ClientConf, CertOptions, RootCert) -> + [_Name,Host] = string:split(atom_to_list(Node), "@"), Conf = public_key:pkix_test_data( #{root => RootCert, @@ -188,17 +189,23 @@ write_node_conf( [{extensions, [#'Extension'{ extnID = ?'id-ce-subjectAltName', - %% extnValue = [{dNSName, atom_to_list(Node)}], - %% extnValue = [{rfc822Name, atom_to_list(Node)}], - extnValue = - [{directoryName, - {rdnSequence, - [[#'AttributeTypeAndValue'{ - type = ?'id-at-commonName', - value = - {utf8String, - atom_to_binary(Node, utf8)}}]]}}], - critical = true}]} | CertOptions]}), + extnValue = [{dNSName, Host}], + critical = true}%, + %% #'Extension'{ + %% extnID = ?'id-ce-subjectAltName', + %% extnValue = + %% [{directoryName, + %% {rdnSequence, + %% [[#'AttributeTypeAndValue'{ + %% type = ?'id-at-commonName', + %% value = + %% {utf8String, + %% unicode:characters_to_binary( + %% Name, utf8) + %% } + %% }]]}}], + %% critical = true} + ]} | CertOptions]}), NodeConf = [{server, ServerConf ++ Conf}, {client, ClientConf ++ Conf}], {ok, Fd} = file:open(ConfFile, [write]), -- cgit v1.2.3 From c9b2af1f2cecb6565a2c79d683d86a1d7ee746e0 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Tue, 24 Apr 2018 15:19:54 +0200 Subject: Check client IP from server --- lib/ssl/test/ssl_dist_bench_SUITE.erl | 52 ++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 16 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 31de0936f9..77c42de3f2 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -77,6 +77,7 @@ init_per_suite(Config) -> try Node =/= nonode@nohost orelse throw({skipped,"Node not distributed"}), + verify_node_src_addr(), {supported, SSLVersions} = lists:keyfind(supported, 1, ssl:versions()), lists:member(TLSVersion, SSLVersions) orelse @@ -179,9 +180,28 @@ end_per_testcase(_Func, _Conf) -> %%%------------------------------------------------------------------- %%% CommonTest API helpers +verify_node_src_addr() -> + Msg = "Hello, world!", + {ok,Host} = inet:gethostname(), + {ok,DstAddr} = inet:getaddr(Host, inet), + {ok,Socket} = gen_udp:open(0, [{active,false}]), + {ok,Port} = inet:port(Socket), + ok = gen_udp:send(Socket, DstAddr, Port, Msg), + case gen_udp:recv(Socket, length(Msg) + 1, 1000) of + {ok,{DstAddr,Port,Msg}} -> + ok; + {ok,{SrcAddr,Port,Msg}} -> + throw({skipped, + "Src and dst address mismatch: " ++ + term_to_string(SrcAddr) ++ " =:= " ++ + term_to_string(DstAddr)}); + Weird -> + error(Weird) + end. + write_node_conf( ConfFile, Node, ServerConf, ClientConf, CertOptions, RootCert) -> - [_Name,Host] = string:split(atom_to_list(Node), "@"), + [Name,Host] = split_node(Node), Conf = public_key:pkix_test_data( #{root => RootCert, @@ -190,21 +210,21 @@ write_node_conf( [#'Extension'{ extnID = ?'id-ce-subjectAltName', extnValue = [{dNSName, Host}], - critical = true}%, - %% #'Extension'{ - %% extnID = ?'id-ce-subjectAltName', - %% extnValue = - %% [{directoryName, - %% {rdnSequence, - %% [[#'AttributeTypeAndValue'{ - %% type = ?'id-at-commonName', - %% value = - %% {utf8String, - %% unicode:characters_to_binary( - %% Name, utf8) - %% } - %% }]]}}], - %% critical = true} + critical = true}, + #'Extension'{ + extnID = ?'id-ce-subjectAltName', + extnValue = + [{directoryName, + {rdnSequence, + [[#'AttributeTypeAndValue'{ + type = ?'id-at-commonName', + value = + {utf8String, + unicode:characters_to_binary( + Name, utf8) + } + }]]}}], + critical = true} ]} | CertOptions]}), NodeConf = [{server, ServerConf ++ Conf}, {client, ClientConf ++ Conf}], -- cgit v1.2.3 From ba25ad268065f48ad7647464c8f4c237d07d18b1 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Wed, 25 Apr 2018 08:51:00 +0200 Subject: Move check ip to before SSL handshake --- lib/ssl/test/ssl_dist_bench_SUITE.erl | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 77c42de3f2..4ffc486fc4 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -246,7 +246,7 @@ setup(Config) -> run_nodepair_test(fun setup/5, Config). setup(A, B, Prefix, HA, HB) -> - Rounds = 10, + Rounds = 50, [] = ssl_apply(HA, erlang, nodes, []), [] = ssl_apply(HB, erlang, nodes, []), {SetupTime, CycleTime} = @@ -276,10 +276,7 @@ setup_loop(A, B, T, N) -> receive {'DOWN',Mref,process,_,_} -> [] = erlang:nodes(), - receive - after 500 -> - setup_loop(A, B, Time + T, N - 1) - end + setup_loop(A, B, Time + T, N - 1) end. -- cgit v1.2.3 From 5586959ed008c09141689f1e8865476150e48519 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Thu, 26 Apr 2018 09:37:24 +0200 Subject: Allow check for node name --- lib/ssl/test/ssl_dist_bench_SUITE.erl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 4ffc486fc4..f827ea12bb 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -207,7 +207,8 @@ write_node_conf( #{root => RootCert, peer => [{extensions, - [#'Extension'{ + [ + #'Extension'{ extnID = ?'id-ce-subjectAltName', extnValue = [{dNSName, Host}], critical = true}, -- cgit v1.2.3 From 5803f0ad5be257b451588e8da83d1295eabea85e Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Fri, 27 Apr 2018 11:13:40 +0200 Subject: Fix distro CRL test cases short vs long names --- lib/ssl/test/make_certs.erl | 30 ++++++++++++++++++++---------- lib/ssl/test/ssl_dist_SUITE.erl | 7 ++++--- 2 files changed, 24 insertions(+), 13 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl index ecbacc1590..8fe7c54549 100644 --- a/lib/ssl/test/make_certs.erl +++ b/lib/ssl/test/make_certs.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2017. All Rights Reserved. +%% Copyright Ericsson AB 2007-2018. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. @@ -19,7 +19,7 @@ %% -module(make_certs). --compile([export_all]). +-compile([export_all, nowarn_export_all]). %-export([all/1, all/2, rootCA/2, intermediateCA/3, endusers/3, enduser/3, revoke/3, gencrl/2, verify/3]). @@ -34,14 +34,15 @@ ecc_certs = false, issuing_distribution_point = false, crl_port = 8000, - openssl_cmd = "openssl"}). + openssl_cmd = "openssl", + hostname = "host.example.com"}). default_config() -> - #config{}. + #config{hostname = net_adm:localhost()}. make_config(Args) -> - make_config(Args, #config{}). + make_config(Args, default_config()). make_config([], C) -> C; @@ -66,7 +67,9 @@ make_config([{ecc_certs, Bool}|T], C) when is_boolean(Bool) -> make_config([{issuing_distribution_point, Bool}|T], C) when is_boolean(Bool) -> make_config(T, C#config{issuing_distribution_point = Bool}); make_config([{openssl_cmd, Cmd}|T], C) when is_list(Cmd) -> - make_config(T, C#config{openssl_cmd = Cmd}). + make_config(T, C#config{openssl_cmd = Cmd}); +make_config([{hostname, Hostname}|T], C) when is_list(Hostname) -> + make_config(T, C#config{hostname = Hostname}). all([DataDir, PrivDir]) -> @@ -384,8 +387,11 @@ req_cnf(Root, C) -> "subjectKeyIdentifier = hash\n" "subjectAltName = email:copy\n"]. -ca_cnf(Root, C = #config{issuing_distribution_point = true}) -> - Hostname = net_adm:localhost(), +ca_cnf( + Root, + #config{ + issuing_distribution_point = true, + hostname = Hostname} = C) -> ["# Purpose: Configuration for CAs.\n" "\n" "ROOTDIR = " ++ Root ++ "\n" @@ -464,8 +470,12 @@ ca_cnf(Root, C = #config{issuing_distribution_point = true}) -> "crlDistributionPoints=@crl_section\n" ]; -ca_cnf(Root, C = #config{issuing_distribution_point = false}) -> - Hostname = net_adm:localhost(), +ca_cnf( + Root, + #config{ + issuing_distribution_point = false, + hostname = Hostname + } = C) -> ["# Purpose: Configuration for CAs.\n" "\n" "ROOTDIR = " ++ Root ++ "\n" diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index c822a52d1f..003e1fc448 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2017. All Rights Reserved. +%% Copyright Ericsson AB 2007-2018. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. @@ -25,7 +25,7 @@ -include("ssl_dist_test_lib.hrl"). %% Note: This directive should only be used in test suites. --compile(export_all). +-compile([export_all, nowarn_export_all]). -define(DEFAULT_TIMETRAP_SECS, 240). @@ -724,7 +724,8 @@ setup_certs(Config) -> ok = file:make_dir(NodeDir), ok = file:make_dir(RGenDir), make_randfile(RGenDir), - {ok, _} = make_certs:all(RGenDir, NodeDir), + [Hostname|_] = string:split(net_adm:localhost(), ".", all), + {ok, _} = make_certs:all(RGenDir, NodeDir, [{hostname,Hostname}]), SDir = filename:join([NodeDir, "server"]), SC = filename:join([SDir, "cert.pem"]), SK = filename:join([SDir, "key.pem"]), -- cgit v1.2.3