From ca2f6cf5a25df2d80887ea477f53a8359ce90840 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Fri, 16 Aug 2024 11:00:02 +0200
Subject: [PATCH] ssl: Use public_key:verify_fun/4
---
 lib/ssl/src/ssl.app.src | 2 +-
 lib/ssl/src/ssl.erl | 18 +++++++++---------
 lib/ssl/src/ssl_handshake.erl | 35 +++++++++++++++++------------------
 3 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 7515edf756e3..d1a6565fd0dd 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -92,6 +92,6 @@
 {applications, [crypto, public_key, kernel, stdlib]},
 {env, []},
 {mod, {ssl_app, []}},
- {runtime_dependencies, ["stdlib-6.0","public_key-1.15","kernel-9.0",
+ {runtime_dependencies, ["stdlib-6.0","public_key-@OTP-19169@","kernel-9.0",
 "erts-15.0","crypto-5.0", "inets-5.10.7", "runtime_tools-1.15.1"]}]}.
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index b0fd043a444f..da49a69963f5 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -800,13 +800,13 @@ Common certificate related options to both client and server.
 Default option `verify_fun` in `verify_peer mode`:
 ```erlang
- {fun(_,{bad_cert, _} = Reason, _) ->
+ {fun(_, _, {bad_cert, _} = Reason, _) ->
 {fail, Reason};
- (_,{extension, _}, UserState) ->
+ (_, _, {extension, _}, UserState) ->
 {unknown, UserState};
- (_, valid, UserState) ->
+ (_, _, valid, UserState) ->
 {valid, UserState};
- (_, valid_peer, UserState) ->
+ (_, _, valid_peer, UserState) ->
 {valid, UserState}
 end, []}
 ```
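Review bot: The default `verify_fun` examples in this hunk and in hunk @@ -814 now show a four-argument fun, but the new second argument is never named, and the ssl.erl diffstat (9 insertions, 9 deletions) is fully accounted for by these two examples, so whatever prose describes the callback's arguments elsewhere in the `-doc` text is not touched by this commit. A sentence ahead of each example, such as `The second argument is the DER-encoded certificate; a three-argument fun without it is still accepted.`, would keep the examples and the option description consistent; the arity-3 fallback is visible in `apply_fun/5` in hunk @@ -2138, provided option validation (not in this patch) still admits such funs. This is a documentation-only change inside the `-doc` attribute.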
@@ -814,15 +814,15 @@ Common certificate related options to both client and server.
 Default option `verify_fun` in mode `verify_none`:
 ```erlang
- {fun(_,{bad_cert, _}, UserState) ->
+ {fun(_, _, {bad_cert, _}, UserState) ->
 {valid, UserState};
- (_,{extension, #'Extension'{critical = true}}, UserState) ->
+ (_, _, {extension, #'Extension'{critical = true}}, UserState) ->
 {valid, UserState};
- (_,{extension, _}, UserState) ->
+ (_, _, {extension, _}, UserState) ->
 {unknown, UserState};
- (_, valid, UserState) ->
+ (_, _, valid, UserState) ->
 {valid, UserState};
- (_, valid_peer, UserState) ->
+ (_, _, valid_peer, UserState) ->
 {valid, UserState}
 end, []}
 ```
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index eb9ab86ecee0..1cf61001b106 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -2070,7 +2070,7 @@ path_validate(TrustedAndPath, ServerName, Role, CertDbHandle, CertDbRef, CRLDbHa
 Version, SslOptions, ExtInfo, InitialInvalidated, InitialPotentialError).
 validation_fun_and_state({Fun, UserState0}, VerifyState, CertPath, LogLevel) ->
- {fun(OtpCert, {extension, _} = Extension, {SslState, UserState}) ->
+ {fun(OtpCert, DerCert, {extension, _} = Extension, {SslState, UserState}) ->
 case ssl_certificate:validate(OtpCert, Extension, SslState,
@@ -2078,32 +2078,32 @@ validation_fun_and_state({Fun, UserState0}, VerifyState, CertPath, LogLevel) ->
 {valid, NewSslState} ->
 {valid, {NewSslState, UserState}};
 {fail, Reason} ->
- apply_user_fun(Fun, OtpCert, Reason, UserState,
+ apply_user_fun(Fun, OtpCert, DerCert, Reason, UserState,
 SslState, CertPath, LogLevel);
 {unknown, _} ->
- apply_user_fun(Fun, OtpCert,
- Extension, UserState, SslState, CertPath,
- LogLevel)
+ apply_user_fun(Fun, OtpCert, DerCert,
+ Extension, UserState, SslState,
+ CertPath, LogLevel)
 end;
- (OtpCert, VerifyResult, {SslState, UserState}) ->
- apply_user_fun(Fun, OtpCert, VerifyResult, UserState,
+ (OtpCert, DerCert, VerifyResult, {SslState, UserState}) ->
+ apply_user_fun(Fun, OtpCert, DerCert, VerifyResult, UserState,
 SslState, CertPath, LogLevel)
 end, {VerifyState, UserState0}};
 validation_fun_and_state(undefined, VerifyState, CertPath, LogLevel) ->
- {fun(OtpCert, {extension, _} = Extension, SslState) ->
+ {fun(OtpCert, _DerCert, {extension, _} = Extension, SslState) ->
 ssl_certificate:validate(OtpCert, Extension, SslState, LogLevel);
- (OtpCert, VerifyResult, SslState) when (VerifyResult == valid) or
- (VerifyResult == valid_peer) ->
+ (OtpCert, _DerCert, VerifyResult, SslState) when (VerifyResult == valid) or
+ (VerifyResult == valid_peer) ->
 case cert_status_check(OtpCert, SslState, VerifyResult, CertPath, LogLevel) of
 valid ->
 ssl_certificate:validate(OtpCert, VerifyResult, SslState, LogLevel);
 Reason ->
 {fail, Reason}
 end;
- (OtpCert, VerifyResult, SslState) ->
+ (OtpCert, _DerCert, VerifyResult, SslState) ->
 ssl_certificate:validate(OtpCert, VerifyResult, SslState, LogLevel)
@@ -2114,22 +2114,22 @@ path_validation_options(Opts, ValidationFunAndState) ->
 [{max_path_length, maps:get(depth, Opts, ?DEFAULT_DEPTH)},
 {verify_fun, ValidationFunAndState} | PolicyOpts].
-apply_user_fun(Fun, OtpCert, VerifyResult0, UserState0, SslState, CertPath, LogLevel) when
+apply_user_fun(Fun, OtpCert, DerCert, VerifyResult0, UserState0, SslState, CertPath, LogLevel) when
 (VerifyResult0 == valid) or (VerifyResult0 == valid_peer) ->
 VerifyResult = maybe_check_hostname(OtpCert, VerifyResult0, SslState, LogLevel),
- case apply_fun(Fun, OtpCert, VerifyResult, UserState0, CertPath) of
+ case apply_fun(Fun, OtpCert, DerCert, VerifyResult, UserState0) of
 {Valid, UserState} when (Valid == valid) orelse (Valid == valid_peer) ->
 case cert_status_check(OtpCert, SslState, VerifyResult, CertPath, LogLevel) of
 valid ->
 {Valid, {SslState, UserState}};
 Result ->
- apply_user_fun(Fun, OtpCert, Result, UserState, SslState, CertPath, LogLevel)
+ apply_user_fun(Fun, OtpCert, DerCert, Result, UserState, SslState, CertPath, LogLevel)
 end;
 {fail, _} = Fail ->
 Fail
 end;
-apply_user_fun(Fun, OtpCert, ExtensionOrError, UserState0, SslState, CertPath, _LogLevel) ->
- case apply_fun(Fun, OtpCert, ExtensionOrError, UserState0, CertPath) of
+apply_user_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState0, SslState, _, _) ->
+ case apply_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState0) of
 {Valid, UserState} when (Valid == valid) orelse (Valid == valid_peer)->
 {Valid, {SslState, UserState}};
 {fail, _} = Fail ->
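Review bot: The second clause head, `apply_user_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState0, SslState, _, _) ->`, drops the parameter names that the previous version (`CertPath, _LogLevel`) and the first clause still carry, so on an eight-parameter function the reader has to count positions to know what the two trailing `_` are. Keeping them as `_CertPath, _LogLevel` costs nothing and keeps the two clause heads aligned. The two clauses also mix `or` in the guard on the first head with `orelse` inside the case patterns; since the first head is a rewritten line anyway, `when (VerifyResult0 =:= valid) orelse (VerifyResult0 =:= valid_peer) ->` would make the new code consistent with the clauses below it.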
@@ -2138,9 +2138,8 @@ apply_user_fun(Fun, OtpCert, ExtensionOrError, UserState0, SslState, CertPath, _
 {unknown, {SslState, UserState}}
 end.
-apply_fun(Fun, OtpCert, ExtensionOrError, UserState, CertPath) ->
+apply_fun(Fun, OtpCert, DerCert, ExtensionOrError, UserState) ->
 if is_function(Fun, 4) ->
- #cert{der=DerCert} = lists:keyfind(OtpCert, #cert.otp, CertPath),
 Fun(OtpCert, DerCert, ExtensionOrError, UserState);
 is_function(Fun, 3) ->
 Fun(OtpCert, ExtensionOrError, UserState)
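Review bot: `apply_fun/5` keeps the `if` with only the `is_function(Fun, 4)` and `is_function(Fun, 3)` branches, so any other term in `Fun` raises `if_clause` from inside the path-validation callback; if ssl's option parsing is what guarantees a fun of arity 3 or 4 reaches here (not visible in this patch), a comment stating that would explain why no fallback branch is needed. The retained arity-3 branch now reads as a compatibility path, since `DerCert` is supplied by the caller and simply discarded there; a line such as `%% Arity 3 is kept for verify_funs that predate the DerCert argument` above the `if` would make the intent explicit for the next reader. The function's closing `end.` lies outside the hunk.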