From f821c91cebe0cee22c1c6e0a9dfe45d4e9b5f129 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 5 Jun 2018 18:01:02 +0200
Subject: ssl: Add option customize_hostname_check

---
 lib/ssl/src/ssl.erl             |  7 +++++--
 lib/ssl/src/ssl_certificate.erl | 18 +++++++++---------
 lib/ssl/src/ssl_handshake.erl   |  9 +++++----
 lib/ssl/src/ssl_internal.hrl    |  3 ++-
 4 files changed, 21 insertions(+), 16 deletions(-)

(limited to 'lib/ssl/src')

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index a7b4ec2bf7..565cc9e1bc 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -938,7 +938,8 @@ handle_options(Opts0, Role, Host) ->
 		    crl_check = handle_option(crl_check, Opts, false),
 		    crl_cache = handle_option(crl_cache, Opts, {ssl_crl_cache, {internal, []}}),
                     max_handshake_size = handle_option(max_handshake_size, Opts, ?DEFAULT_MAX_HANDSHAKE_SIZE),
-                    handshake = handle_option(handshake, Opts, full)
+                    handshake = handle_option(handshake, Opts, full),
+                    customize_hostname_check = handle_option(customize_hostname_check, Opts, [])
 		   },
 
     CbInfo  = proplists:get_value(cb_info, Opts, default_cb_info(Protocol)),
@@ -954,7 +955,7 @@ handle_options(Opts0, Role, Host) ->
 		  client_preferred_next_protocols, log_alert,
 		  server_name_indication, honor_cipher_order, padding_check, crl_check, crl_cache,
 		  fallback, signature_algs, eccs, honor_ecc_order, beast_mitigation,
-                  max_handshake_size, handshake],
+                  max_handshake_size, handshake, customize_hostname_check],
     SockOpts = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
 			   end, Opts, SslOptions),
@@ -1197,6 +1198,8 @@ validate_option(handshake, hello = Value) ->
     Value;
 validate_option(handshake, full = Value) ->
     Value;
+validate_option(customize_hostname_check, Value) when is_list(Value) ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index a3333d35e9..dbd2ebf539 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -138,8 +138,8 @@ validate(_, {bad_cert, _} = Reason, _) ->
     {fail, Reason};
 validate(_, valid, UserState) ->
     {valid, UserState};
-validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= disable ->
-    verify_hostname(Hostname, Cert, UserState);  
+validate(Cert, valid_peer, UserState = {client, _,_, {Hostname, Customize}, _, _}) when Hostname =/= disable ->
+    verify_hostname(Hostname, Customize, Cert, UserState);  
 validate(_, valid_peer, UserState) ->    
    {valid, UserState}.
 
@@ -333,12 +333,12 @@ new_trusteded_chain(DerCert, [_ | Rest]) ->
 new_trusteded_chain(_, []) ->
     unknown_ca.
 
-verify_hostname({fallback, Hostname}, Cert, UserState) when is_list(Hostname) ->
-    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
+verify_hostname({fallback, Hostname}, Customize, Cert, UserState) when is_list(Hostname) ->
+    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}], Customize) of
         true ->
             {valid, UserState};
         false ->
-            case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of
+            case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}], Customize) of
                 true ->
                     {valid, UserState};
                 false ->
@@ -346,16 +346,16 @@ verify_hostname({fallback, Hostname}, Cert, UserState) when is_list(Hostname) ->
             end
     end;
 
-verify_hostname({fallback, Hostname}, Cert, UserState) ->
-    case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of
+verify_hostname({fallback, Hostname}, Customize, Cert, UserState) ->
+    case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}], Customize) of
         true ->
             {valid, UserState};
         false ->
             {fail, {bad_cert, hostname_check_failed}}
     end;
 
-verify_hostname(Hostname, Cert, UserState) ->
-    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
+verify_hostname(Hostname, Customize, Cert, UserState) ->
+    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}], Customize) of
         true ->
             {valid, UserState};
         false ->
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index ebbb633b22..71eeb00183 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -345,6 +345,7 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
                                                   Opts#ssl_options.partial_chain),
         ValidationFunAndState = validation_fun_and_state(Opts#ssl_options.verify_fun, Role, 
                                                          CertDbHandle, CertDbRef, ServerName,
+                                                         Opts#ssl_options.customize_hostname_check,
                                                          Opts#ssl_options.crl_check, CRLDbHandle, CertPath),
 	case public_key:pkix_path_validation(TrustedCert,
 					     CertPath,
@@ -1243,7 +1244,7 @@ certificate_authorities_from_db(_CertDbHandle, {extracted, CertDbData}) ->
 
 %%-------------Handle handshake messages --------------------------------
 validation_fun_and_state({Fun, UserState0}, Role,  CertDbHandle, CertDbRef, 
-                         ServerNameIndication, CRLCheck, CRLDbHandle, CertPath) ->
+                         ServerNameIndication, CustomizeHostCheck, CRLCheck, CRLDbHandle, CertPath) ->
     {fun(OtpCert, {extension, _} = Extension, {SslState, UserState}) ->
 	     case ssl_certificate:validate(OtpCert,
 					   Extension,
@@ -1260,9 +1261,9 @@ validation_fun_and_state({Fun, UserState0}, Role,  CertDbHandle, CertDbRef,
 	(OtpCert, VerifyResult, {SslState, UserState}) ->
 	     apply_user_fun(Fun, OtpCert, VerifyResult, UserState,
 			    SslState, CertPath)
-     end, {{Role, CertDbHandle, CertDbRef, ServerNameIndication, CRLCheck, CRLDbHandle}, UserState0}};
+     end, {{Role, CertDbHandle, CertDbRef, {ServerNameIndication, CustomizeHostCheck}, CRLCheck, CRLDbHandle}, UserState0}};
 validation_fun_and_state(undefined, Role, CertDbHandle, CertDbRef, 
-                         ServerNameIndication, CRLCheck, CRLDbHandle, CertPath) ->
+                         ServerNameIndication, CustomizeHostCheck, CRLCheck, CRLDbHandle, CertPath) ->
     {fun(OtpCert, {extension, _} = Extension, SslState) ->
 	     ssl_certificate:validate(OtpCert,
 				      Extension,
@@ -1282,7 +1283,7 @@ validation_fun_and_state(undefined, Role, CertDbHandle, CertDbRef,
 	     ssl_certificate:validate(OtpCert,
 				      VerifyResult,
 				      SslState)
-     end, {Role, CertDbHandle, CertDbRef, ServerNameIndication, CRLCheck, CRLDbHandle}}.
+     end, {Role, CertDbHandle, CertDbRef, {ServerNameIndication, CustomizeHostCheck}, CRLCheck, CRLDbHandle}}.
 
 apply_user_fun(Fun, OtpCert, VerifyResult, UserState0, 
 	       {_, CertDbHandle, CertDbRef, _, CRLCheck, CRLDbHandle} = SslState, CertPath) when
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 977d012fa7..b736047678 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -145,7 +145,8 @@
 	  eccs,
 	  honor_ecc_order            :: boolean(),
           max_handshake_size         :: integer(),
-          handshake
+          handshake,
+          customize_hostname_check
          }).
 
 -record(socket_options,
-- 
cgit v1.2.3