

ssl: Use public_key:verify_fun/4
IngelaAndin committed Aug 16, 2024
1 parent 8caa869 commit ca2f6cf
Showing 3 changed files with 27 additions and 28 deletions.
2 changes: 1 addition & 1 deletion lib/ssl/src/ssl.app.src
Expand Up @@ -92,6 +92,6 @@
{applications, [crypto, public_key, kernel, stdlib]},
{env, []},
{mod, {ssl_app, []}},
{runtime_dependencies, ["stdlib-6.0","public_key-1.15","kernel-9.0",
{runtime_dependencies, ["stdlib-6.0","public_key-@OTP-19169@","kernel-9.0",
"erts-15.0","crypto-5.0", "inets-5.10.7",
"runtime_tools-1.15.1"]}]}.
18 changes: 9 additions & 9 deletions lib/ssl/src/ssl.erl
Expand Up @@ -800,29 +800,29 @@ Common certificate related options to both client and server.
Default option `verify_fun` in `verify_peer mode`:
```erlang
{fun(_,{bad_cert, _} = Reason, _) ->
{fun(_, _, {bad_cert, _} = Reason, _) ->
{fail, Reason};
(_,{extension, _}, UserState) ->
(_, _, {extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
(_, _, valid, UserState) ->
{valid, UserState};
(_, valid_peer, UserState) ->
(_, _, valid_peer, UserState) ->
{valid, UserState}
end, []}
```
Default option `verify_fun` in mode `verify_none`:
```erlang
{fun(_,{bad_cert, _}, UserState) ->
{fun(_, _, {bad_cert, _}, UserState) ->
{valid, UserState};
(_,{extension, #'Extension'{critical = true}}, UserState) ->
(_, _, {extension, #'Extension'{critical = true}}, UserState) ->
{valid, UserState};
(_,{extension, _}, UserState) ->
(_, _, {extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
(_, _, valid, UserState) ->
{valid, UserState};
(_, valid_peer, UserState) ->
(_, _, valid_peer, UserState) ->
{valid, UserState}
end, []}
```
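Review bot: The updated examples switch the default `verify_fun` to the four-argument form, but nothing in this hunk tells the reader what the new second argument is; the prose around the option (outside the hunk) should state it, e.g. `%% The second argument is the DER-encoded certificate corresponding to the first (decoded) argument.`, which is what ssl_handshake passes as `DerCert` in this same commit. The option description should also say whether the previous three-argument fun is still accepted, since ssl_handshake's `apply_fun` still dispatches on `is_function(Fun, 3)` and the examples alone now suggest only arity 4 is valid. The surrounding option documentation that these code blocks belong to begins before the hunk and continues after it.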
35 changes: 17 additions & 18 deletions lib/ssl/src/ssl_handshake.erl
Expand Up @@ -2070,40 +2070,40 @@ path_validate(TrustedAndPath, ServerName, Role, CertDbHandle, CertDbRef, CRLDbHa
Version, SslOptions, ExtInfo, InitialInvalidated, InitialPotentialError).

validation_fun_and_state({Fun, UserState0}, VerifyState, CertPath, LogLevel) ->
{fun(OtpCert, {extension, _} = Extension, {SslState, UserState}) ->
{fun(OtpCert, DerCert, {extension, _} = Extension, {SslState, UserState}) ->
case ssl_certificate:validate(OtpCert,
Extension,
SslState,
LogLevel) of
{valid, NewSslState} ->
{valid, {NewSslState, UserState}};
{fail, Reason} ->
apply_user_fun(Fun, OtpCert, Reason, UserState,
apply_user_fun(Fun, OtpCert, DerCert, Reason, UserState,
SslState, CertPath, LogLevel);
{unknown, _} ->
apply_user_fun(Fun, OtpCert,
Extension, UserState, SslState, CertPath,
LogLevel)
apply_user_fun(Fun, OtpCert, DerCert,
Extension, UserState, SslState,
CertPath, LogLevel)
end;
(OtpCert, VerifyResult, {SslState, UserState}) ->
apply_user_fun(Fun, OtpCert, VerifyResult, UserState,
(OtpCert, DerCert, VerifyResult, {SslState, UserState}) ->
apply_user_fun(Fun, OtpCert, DerCert, VerifyResult, UserState,
SslState, CertPath, LogLevel)
end, {VerifyState, UserState0}};
validation_fun_and_state(undefined, VerifyState, CertPath, LogLevel) ->
{fun(OtpCert, {extension, _} = Extension, SslState) ->
{fun(OtpCert, _DerCert, {extension, _} = Extension, SslState) ->
ssl_certificate:validate(OtpCert,
Extension,
SslState,
LogLevel);
(OtpCert, VerifyResult, SslState) when (VerifyResult == valid) or
(VerifyResult == valid_peer) ->
(OtpCert, _DerCert, VerifyResult, SslState) when (VerifyResult == valid) or
(VerifyResult == valid_peer) ->
case cert_status_check(OtpCert, SslState, VerifyResult, CertPath, LogLevel) of
valid ->
ssl_certificate:validate(OtpCert, VerifyResult, SslState, LogLevel);
Reason ->
{fail, Reason}
end;
(OtpCert, VerifyResult, SslState) ->
(OtpCert, _DerCert, VerifyResult, SslState) ->
ssl_certificate:validate(OtpCert,
VerifyResult,
SslState, LogLevel)
Expand All @@ -2114,22 +2114,22 @@ path_validation_options(Opts, ValidationFunAndState) ->
[{max_path_length, maps:get(depth, Opts, ?DEFAULT_DEPTH)},
{verify_fun, ValidationFunAndState} | PolicyOpts].

apply_user_fun(Fun, OtpCert, VerifyResult0, UserState0, SslState, CertPath, LogLevel) when
apply_user_fun(Fun, OtpCert, DerCert, VerifyResult0, UserState0, SslState, CertPath, LogLevel) when
(VerifyResult0 == valid) or (VerifyResult0 == valid_peer) ->
VerifyResult = maybe_check_hostname(OtpCert, VerifyResult0, SslState, LogLevel),
case apply_fun(Fun, OtpCert, VerifyResult, UserState0, CertPath) of
case apply_fun(Fun, OtpCert, DerCert, VerifyResult, UserState0) of
{Valid, UserState} when (Valid == valid) orelse (Valid == valid_peer) ->
case cert_status_check(OtpCert, SslState, VerifyResult, CertPath, LogLevel) of
valid ->
{Valid, {SslState, UserState}};
Result ->
apply_user_fun(Fun, OtpCert, Result, UserState, SslState, CertPath, LogLevel)
apply_user_fun(Fun, OtpCert, DerCert, Result, UserState, SslState, CertPath, LogLevel)
end;
{fail, _} = Fail ->
Fail
end;
apply_user_fun(Fun, OtpCert, ExtensionOrError, UserState0, SslState, CertPath, _LogLevel) ->
case apply_fun(Fun, OtpCert, ExtensionOrError, UserState0, CertPath) of
apply_user_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState0, SslState, _, _) ->
case apply_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState0) of
{Valid, UserState} when (Valid == valid) orelse (Valid == valid_peer)->
{Valid, {SslState, UserState}};
{fail, _} = Fail ->
Expand All @@ -2138,9 +2138,8 @@ apply_user_fun(Fun, OtpCert, ExtensionOrError, UserState0, SslState, CertPath, _
{unknown, {SslState, UserState}}
end.

apply_fun(Fun, OtpCert, ExtensionOrError, UserState, CertPath) ->
apply_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState) ->
if is_function(Fun, 4) ->
#cert{der=DerCert} = lists:keyfind(OtpCert, #cert.otp, CertPath),
Fun(OtpCert, DerCert, ExtensionOrError, UserState);
is_function(Fun, 3) ->
Fun(OtpCert, ExtensionOrError, UserState)
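Review bot: The second `apply_user_fun` clause in the @@ -2114 hunk now ends its head with two bare wildcards, `apply_user_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState0, SslState, _, _) ->`, whereas the first clause names the same positions `CertPath, LogLevel`; writing them as `_CertPath, _LogLevel` keeps the two clauses parallel and preserves the positional documentation the old head had. In `apply_fun`, the `if` still has only the `is_function(Fun, 4)` and `is_function(Fun, 3)` branches, so a user `verify_fun` of any other arity would fail with `if_clause` in the middle of path validation; if ssl option validation already enforces the arity that is fine, otherwise a comment such as `%% arity 3 is the legacy user verify_fun form kept for compatibility; other arities must be rejected at option validation` would make that contract explicit. Removing the `lists:keyfind(OtpCert, #cert.otp, CertPath)` lookup in favour of the `DerCert` handed in by public_key looks like an improvement, since the DER passed to the user fun is now exactly the one under validation rather than one matched by decoded value. Note that the second `apply_user_fun` clause starts in the @@ -2114 hunk and ends in the @@ -2138 hunk, and `validation_fun_and_state` in the first hunk continues past its end.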

