Merge pull request #300 from qzhuyan/dev/william/prepare-link-system-…

…crypto prepare link system crypto
emqx · Sep 27, 2024 · 0a3107f · 0a3107f
2 parents 706fe1c + 88f7507
commit 0a3107f
Show file tree

Hide file tree

Showing 13 changed files with 65 additions and 27 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -93,6 +93,7 @@ jobs:
         openssl:
           - openssl3
           - openssl
+          - sys
         rebar3:
           - 3.23.0
         build_type:
@@ -115,15 +116,15 @@ jobs:
       - name: release build with debug log off
         env:
           CMAKE_BUILD_TYPE: ${{ matrix.build_type }}
-          QUIC_TLS: ${{ matrix.openssl }}
+          QUICER_TLS_VER: ${{ matrix.openssl }}
           QUIC_ENABLE_LOGGING: ${{ matrix.logging }}
         run: |
           echo "github ref: ${{ github.event.ref }}"
           echo "github ref: ${{ github.ref }}"
           sudo sysctl -w kernel.core_pattern=core
           ulimit -c unlimited
           export CMAKE_BUILD_TYPE
-          export QUIC_TLS
+          export QUICER_TLS_VER
           export QUIC_ENABLE_LOGGING
           if [ "${QUIC_ENABLE_LOGGING}" == "ON" ] ; then
             export QUIC_LOGGING_TYPE=lttng

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -49,12 +49,12 @@ jobs:
       - name: build release
         if: startsWith(github.ref, 'refs/tags/')
         env:
-          QUIC_TLS: ${{ matrix.openssl }}
+          QUICER_TLS_VER: ${{ matrix.openssl }}
         run: |
           wget https://s3.amazonaws.com/rebar3/rebar3 && chmod +x rebar3
           sudo mv rebar3 /usr/local/bin/ && sudo chmod +x /usr/local/bin/rebar3
           erl -eval 'erlang:display(erlang:system_info(system_version)),halt()'
-          export QUIC_TLS
+          export QUICER_TLS_VER
           BUILD_RELEASE=1 make
 
       - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
@@ -65,7 +65,7 @@ jobs:
             _packages/*.gz
             _packages/*.gz.sha256
 
-  linux:
+  emqx-linux:
     strategy:
       fail-fast: false
       matrix:
@@ -75,6 +75,7 @@ jobs:
         openssl:
           - openssl3
           - openssl
+          - sys
         arch:
           - amd64
           - arm64
@@ -90,6 +91,9 @@ jobs:
           - amzn2
           - el9
           - el8
+        exclude:
+          - os: el9
+            openssl: sys
     runs-on: ubuntu-latest
 
     steps:
@@ -113,7 +117,7 @@ jobs:
         run: |
           IMAGE=ghcr.io/emqx/emqx-builder/5.3-13:1.15.7-${{ matrix.otp }}-${{ matrix.os }}
           docker run -i --rm -v $(pwd):/wd --workdir /wd --platform=linux/${{ matrix.arch }} \
-          -e BUILD_RELEASE=1 -e QUIC_TLS=${{ matrix.openssl }} \
+          -e BUILD_RELEASE=1 -e QUICER_TLS_VER=${{ matrix.openssl }} \
           $IMAGE bash -euc 'git config --global --add safe.directory /wd; make'
 
       - uses: actions/upload-artifact@v4
@@ -128,7 +132,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - mac
-      - linux
+      - emqx-linux
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - uses: actions/download-artifact@v4

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -35,14 +35,20 @@ else()
   set(CMAKE_BUILD_TYPE "RelWithDebInfo")
 endif()
 
-if (DEFINED ENV{QUICER_USE_OPENSSL3})
-  message(STATUS "Use openssl3")
-  set(QUIC_TLS "openssl3")
-endif()
+if (DEFINED ENV{QUICER_TLS_VER})
+  if ($ENV{QUICER_TLS_VER} STREQUAL "sys")
+    ## Link to sys libcrypto, auto openssl vsn
+    find_package(OpenSSL REQUIRED)
+    if ("${OPENSSL_VERSION}" MATCHES "3.*")
+      set(QUIC_TLS "openssl3" CACHE STRING "QUIC_TLS")
+    else()
+      set(QUIC_TLS "openssl" CACHE STRING "QUIC_TLS")
+    endif()
+    set(QUIC_USE_SYSTEM_LIBCRYPTO "ON")
+  else()
+    set(QUIC_TLS $ENV{QUICER_TLS_VER})
+  endif()
 
-if (DEFINED ENV{QUIC_USE_SYSTEM_LIBCRYPTO})
-  message(STATUS "Link to system libcrypto")
-  set(QUIC_USE_SYSTEM_LIBCRYPTO "ON")
 endif()
 
 if (DEFINED ENV{QUIC_ENABLE_LOGGING})

diff --git a/c_src/quicer_eterms.h b/c_src/quicer_eterms.h
@@ -104,6 +104,7 @@ extern ERL_NIF_TERM ATOM_QUIC_STATUS_UNSUPPORTED_CERTIFICATE;
 extern ERL_NIF_TERM ATOM_QUIC_STATUS_REVOKED_CERTIFICATE;
 extern ERL_NIF_TERM ATOM_QUIC_STATUS_EXPIRED_CERTIFICATE;
 extern ERL_NIF_TERM ATOM_QUIC_STATUS_UNKNOWN_CERTIFICATE;
+extern ERL_NIF_TERM ATOM_QUIC_STATUS_REQUIRED_CERTIFICATE;
 extern ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_EXPIRED;
 extern ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_UNTRUSTED_ROOT;
 extern ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_NO_CERT;

diff --git a/c_src/quicer_nif.c b/c_src/quicer_nif.c
@@ -127,6 +127,7 @@ ERL_NIF_TERM ATOM_QUIC_STATUS_UNSUPPORTED_CERTIFICATE;
 ERL_NIF_TERM ATOM_QUIC_STATUS_REVOKED_CERTIFICATE;
 ERL_NIF_TERM ATOM_QUIC_STATUS_EXPIRED_CERTIFICATE;
 ERL_NIF_TERM ATOM_QUIC_STATUS_UNKNOWN_CERTIFICATE;
+ERL_NIF_TERM ATOM_QUIC_STATUS_REQUIRED_CERTIFICATE;
 ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_EXPIRED;
 ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_UNTRUSTED_ROOT;
 ERL_NIF_TERM ATOM_QUIC_STATUS_CERT_NO_CERT;
@@ -502,6 +503,7 @@ ERL_NIF_TERM ATOM_QUIC_DATAGRAM_SEND_CANCELED;
   ATOM(ATOM_QUIC_STATUS_REVOKED_CERTIFICATE, revoked_certificate);            \
   ATOM(ATOM_QUIC_STATUS_EXPIRED_CERTIFICATE, expired_certificate);            \
   ATOM(ATOM_QUIC_STATUS_UNKNOWN_CERTIFICATE, unknown_certificate);            \
+  ATOM(ATOM_QUIC_STATUS_REQUIRED_CERTIFICATE, required_certificate);          \
   ATOM(ATOM_QUIC_STATUS_CERT_EXPIRED, cert_expired);                          \
   ATOM(ATOM_QUIC_STATUS_CERT_UNTRUSTED_ROOT, cert_untrusted_root);            \
   ATOM(ATOM_QUIC_STATUS_CERT_NO_CERT, cert_no_cert);                          \
@@ -1337,6 +1339,21 @@ atom_status(ErlNifEnv *env, QUIC_STATUS status)
     case QUIC_STATUS_STREAM_LIMIT_REACHED:
       eterm = ATOM_QUIC_STATUS_STREAM_LIMIT_REACHED;
       break;
+    case QUIC_STATUS_UNSUPPORTED_CERTIFICATE:
+      eterm = ATOM_QUIC_STATUS_UNSUPPORTED_CERTIFICATE;
+      break;
+    case QUIC_STATUS_REVOKED_CERTIFICATE:
+      eterm = ATOM_QUIC_STATUS_REVOKED_CERTIFICATE;
+      break;
+    case QUIC_STATUS_EXPIRED_CERTIFICATE:
+      eterm = ATOM_QUIC_STATUS_EXPIRED_CERTIFICATE;
+      break;
+    case QUIC_STATUS_UNKNOWN_CERTIFICATE:
+      eterm = ATOM_QUIC_STATUS_UNKNOWN_CERTIFICATE;
+      break;
+    case QUIC_STATUS_REQUIRED_CERTIFICATE:
+      eterm = ATOM_QUIC_STATUS_REQUIRED_CERTIFICATE;
+      break;
     case QUIC_STATUS_CERT_EXPIRED:
       eterm = ATOM_QUIC_STATUS_CERT_EXPIRED;
       break;

diff --git a/pkgname.sh b/pkgname.sh
@@ -29,7 +29,7 @@ esac
 ARCH="$(uname -m)"
 VSN="$(git describe --tags --exact-match | head -1)"
 
-OPENSSL=${QUIC_TLS:-openssl}
+OPENSSL=${QUICER_TLS_VER:-openssl}
 
 if [ -z "$VSN" ]; then
     exit 0

diff --git a/test/prop_stateful_client_conn.erl b/test/prop_stateful_client_conn.erl
@@ -271,7 +271,7 @@ default_listen_opts() ->
 default_conn_opts() ->
     [
         {alpn, ["prop"]},
-        %% , {sslkeylogfile, "/tmp/SSLKEYLOGFILE"}
+        %%{sslkeylogfile, "/tmp/SSLKEYLOGFILE"},
         {verify, none},
         {idle_timeout_ms, 0},
         {cacertfile, "./msquic/submodules/openssl/test/certs/rootCA.pem"},

diff --git a/test/prop_stateful_server_conn.erl b/test/prop_stateful_server_conn.erl
@@ -353,7 +353,7 @@ default_listen_opts() ->
 default_conn_opts() ->
     [
         {alpn, ["prop"]},
-        %% , {sslkeylogfile, "/tmp/SSLKEYLOGFILE"}
+        %% {sslkeylogfile, "/tmp/SSLKEYLOGFILE"},
         {verify, none},
         {idle_timeout_ms, 5000},
         {cacertfile, "./msquic/submodules/openssl/test/certs/rootCA.pem"},

diff --git a/test/prop_stateful_stream.erl b/test/prop_stateful_stream.erl
@@ -323,7 +323,7 @@ default_listen_opts() ->
 default_conn_opts() ->
     [
         {alpn, ["prop"]},
-        %% , {sslkeylogfile, "/tmp/SSLKEYLOGFILE"}
+        %% {sslkeylogfile, "/tmp/SSLKEYLOGFILE"},
         {verify, none},
         {idle_timeout_ms, 0},
         {handshake_idle_timeout_ms, 10000},

diff --git a/test/quicer_SUITE.erl b/test/quicer_SUITE.erl
@@ -2424,7 +2424,7 @@ tc_conn_opt_sslkeylogfile(Config) ->
     ),
     quicer:close_connection(Conn),
     timer:sleep(100),
-    {ok, #file_info{type = regular}} = file:read_file_info("SSLKEYLOGFILE").
+    {ok, #file_info{type = regular}} = file:read_file_info(TargetFName).
 
 tc_insecure_traffic(Config) ->
     Port = select_port(),

diff --git a/test/quicer_connection_SUITE.erl b/test/quicer_connection_SUITE.erl
@@ -230,7 +230,7 @@ tc_conn_basic_verify_peer(Config) ->
         443,
         [
             {verify, verify_peer},
-            %, {sslkeylogfile, "/tmp/SSLKEYLOGFILE"}
+            % {sslkeylogfile, "/tmp/SSLKEYLOGFILE"},
             {peer_unidi_stream_count, 3},
             {alpn, ["h3"]}
             | Config
@@ -473,9 +473,10 @@ run_tc_conn_custom_ca_other(Config) ->
             error := _ErrorCode,
             status := Status
         }} when
-            Status == handshake_failure;
-            Status == bad_certificate;
-            Status == cert_untrusted_root,
+            Status =:= unknown_certificate;
+            Status =:= handshake_failure;
+            Status =:= bad_certificate;
+            Status =:= cert_untrusted_root,
         Res
     ),
     SPid ! done,
@@ -656,9 +657,10 @@ run_tc_conn_client_bad_cert(Config) ->
                         {quic, transport_shutdown, _Ref, #{
                             error := _ErrorCode, status := Status
                         }} when
-                            Status == handshake_failure;
-                            Status == bad_certificate;
-                            Status == cert_untrusted_root
+                            Status =:= unknown_certificate;
+                            Status =:= handshake_failure;
+                            Status =:= bad_certificate;
+                            Status =:= cert_untrusted_root
                         ->
                             _ = flush([])
                     after 2000 ->

diff --git a/test/quicer_listener_SUITE.erl b/test/quicer_listener_SUITE.erl
@@ -338,6 +338,12 @@ tc_get_listener_opt_addr(Config) ->
     {ok, {{0, 0, 0, 0}, Port}} = quicer:getopt(L, local_address),
     quicer:close_listener(L).
 
+tc_get_listener_opt_addr_specified(Config) ->
+    Port = select_port(),
+    {ok, L} = quicer:listen("127.0.0.1:" ++ integer_to_list(Port), default_listen_opts(Config)),
+    ?assertEqual({ok, {{127, 0, 0, 1}, Port}}, quicer:getopt(L, local_address)),
+    quicer:close_listener(L).
+
 tc_get_listener_opt_stats(Config) ->
     Port = select_port(),
     {ok, L} = quicer:listen(Port, default_listen_opts(Config)),
@@ -520,6 +526,7 @@ tc_listener_conf_reload(Config) ->
     %% THEN: start new connection with old cacert must fail
     ?assertMatch(
         {error, transport_down, #{error := _, status := Status}} when
+            Status =:= unknown_certificate;
             Status =:= bad_certificate;
             Status =:= cert_untrusted_root;
             Status =:= handshake_failure,

diff --git a/test/quicer_snb_SUITE.erl b/test/quicer_snb_SUITE.erl
@@ -3312,7 +3312,7 @@ default_stream_opts() ->
 default_conn_opts() ->
     [
         {alpn, ["sample"]},
-        %% , {sslkeylogfile, "/tmp/SSLKEYLOGFILE"}
+        %% {sslkeylogfile, "/tmp/SSLKEYLOGFILE"},
         {verify, none},
         {idle_timeout_ms, 5000}
     ].