diff options
author | Erlang/OTP <otp@erlang.org> | 2020-04-06 10:45:16 (GMT) |
---|---|---|
committer | Erlang/OTP <otp@erlang.org> | 2020-04-06 10:45:16 (GMT) |
commit | 981bab75e400b8383dfe42078915c4659cafea13 (patch) | |
tree | 3486813e61e56e7ce6abf0c69d984efa26e72a16 | |
parent | 2bdaeaddc519b4ca95b363a803e76067e41e790b (diff) | |
parent | d850c185ad9ecbb4be977f6eb417133f0439b220 (diff) | |
download | erlang-otp-981bab75e400b8383dfe42078915c4659cafea13.zip erlang-otp-981bab75e400b8383dfe42078915c4659cafea13.tar.gz erlang-otp-981bab75e400b8383dfe42078915c4659cafea13.tar.bz2 |
Merge branch 'ingela/ssl/partial_chain/ERIERL-481/OTP-16567' into maint-22
* ingela/ssl/partial_chain/ERIERL-481/OTP-16567:
ssl: Correct handling of empty result of partial_chain callback
-rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 45 |
2 files changed, 28 insertions, 19 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 3d8125e..6d718df 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -362,7 +362,7 @@ new_trusteded_chain(DerCert, [DerCert | Chain]) -> new_trusteded_chain(DerCert, [_ | Rest]) -> new_trusteded_chain(DerCert, Rest); new_trusteded_chain(_, []) -> - unknown_ca. + {unknown_ca, []}. verify_hostname({fallback, Hostname}, Customize, Cert, UserState) when is_list(Hostname) -> case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}], Customize) of diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 978902a..7cc4a0a 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -1720,15 +1720,20 @@ handle_incomplete_chain(PeerCert, Chain0, #{partial_chain := PartialChain} = Opts, Options, CertDbHandle, CertsDbRef, Reason) -> case ssl_certificate:certificate_chain(PeerCert, CertDbHandle, CertsDbRef) of {ok, _, [PeerCert | _] = Chain} when Chain =/= Chain0 -> %% Chain candidate found - {Trusted, Path} = ssl_certificate:trusted_cert_and_path(Chain, - CertDbHandle, CertsDbRef, - PartialChain), - case public_key:pkix_path_validation(Trusted, Path, Options) of - {ok, {PublicKeyInfo,_}} -> - {PeerCert, PublicKeyInfo}; - {error, PathError} -> - handle_unordered_chain(PeerCert, Chain0, Opts, Options, CertDbHandle, CertsDbRef, PathError) - end; + case ssl_certificate:trusted_cert_and_path(Chain, + CertDbHandle, CertsDbRef, + PartialChain) of + {unknown_ca, []} -> + path_validation_alert(Reason); + {Trusted, Path} -> + case public_key:pkix_path_validation(Trusted, Path, Options) of + {ok, {PublicKeyInfo,_}} -> + {PeerCert, PublicKeyInfo}; + {error, PathError} -> + handle_unordered_chain(PeerCert, Chain0, Opts, Options, + CertDbHandle, CertsDbRef, PathError) + end + end; _ -> handle_unordered_chain(PeerCert, Chain0, Opts, Options, CertDbHandle, CertsDbRef, Reason) end. @@ -1738,15 +1743,19 @@ handle_unordered_chain(PeerCert, Chain0, {ok, ExtractedCerts} = ssl_pkix_db:extract_trusted_certs({der, Chain0}), case ssl_certificate:certificate_chain(PeerCert, CertDbHandle, ExtractedCerts, Chain0) of {ok, _, Chain} when Chain =/= Chain0 -> %% Chain appaears to be unordered - {Trusted, Path} = ssl_certificate:trusted_cert_and_path(Chain, - CertDbHandle, CertsDbRef, - PartialChain), - case public_key:pkix_path_validation(Trusted, Path, Options) of - {ok, {PublicKeyInfo,_}} -> - {PeerCert, PublicKeyInfo}; - {error, PathError} -> - path_validation_alert(PathError) - end; + case ssl_certificate:trusted_cert_and_path(Chain, + CertDbHandle, CertsDbRef, + PartialChain) of + {unknown_ca, []} -> + path_validation_alert(Reason); + {Trusted, Path} -> + case public_key:pkix_path_validation(Trusted, Path, Options) of + {ok, {PublicKeyInfo,_}} -> + {PeerCert, PublicKeyInfo}; + {error, PathError} -> + path_validation_alert(PathError) + end + end; _ -> path_validation_alert(Reason) end. |