From e501709bec61bf8813cab741b0e39c211c73c89e Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 27 Sep 2010 13:59:29 +0200
Subject: Peer awarness

Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
---
 lib/ssl/doc/src/ssl.xml          | 20 +++++++++++++-------
 lib/ssl/src/ssl.erl              |  4 ++++
 lib/ssl/src/ssl_certificate.erl  |  2 ++
 lib/ssl/test/ssl_basic_SUITE.erl |  6 +++++-
 4 files changed, 24 insertions(+), 8 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index d5b7253ef3..9d31282a44 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -202,10 +202,10 @@
 	<p>The verification fun should be defined as:</p>
 
 	<code>
-fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
 	     {extension, #'Extension'{}}, InitialUserState :: term()) ->
-	{valid, UserState :: term()} | {fail, Reason :: term()} |
-	{unknown, UserState :: term()}.
+	{valid, UserState :: term()} | {valid_peer, UserState :: term()} |
+	{fail, Reason :: term()} | {unknown, UserState :: term()}.
 	</code>
 
 	<p>The verify fun will be called during the X509-path
@@ -213,10 +213,12 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
 	application is encountered. Additionally it will be called
 	when a certificate is considered valid by the path validation
 	to allow access to each certificate in the path to the user
-	application.
+	application. Note that the it will differentiate between
+	the peer certificate and CA certificates by using valid_peer
+	or valid as the second argument to the verify fun.
 	See
 	<seealso marker="public_key:application">public_key(3)</seealso>
-	for definition of #'OtpCertificate'{} and #'Extension'{}.</p>
+	for definition of #'OTPCertificate'{} and #'Extension'{}.</p>
 
 	<p>If the verify callback fun returns {fail, Reason}, the
 	verification process is immediately stopped and an alert is
@@ -237,7 +239,9 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
     (_,{extension, _}, UserState) ->
 	 {unknown, UserState};
     (_, valid, UserState) ->
-	 {valid, UserState}
+	 {valid, UserState};
+    (_, valid_peer, UserState) ->
+         {valid, UserState}
  end, []}
       </code>
 
@@ -251,7 +255,9 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
     (_,{extension, _}, UserState) ->
 	 {unknown, UserState};
     (_, valid, UserState) ->
-	 {valid, UserState}
+	 {valid, UserState};
+    (_, valid_peer, UserState) ->
+         {valid, UserState}
  end, []}
       </code>
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 12dffb413c..7a3b24c783 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -537,6 +537,8 @@ handle_options(Opts0, _Role) ->
 	    (_,{extension, _}, UserState) ->
 		 {unknown, UserState};
 	    (_, valid, UserState) ->
+		 {valid, UserState};
+	    (_, valid_peer, UserState) ->
 		 {valid, UserState}
 	 end, []},
 
@@ -635,6 +637,8 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
 	(_,{extension, _}, UserState) ->
 	     {unknown, UserState};
 	(_, valid, UserState) ->
+	     {valid, UserState};
+	(_, valid_peer, UserState) ->
 	     {valid, UserState}
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 206024315e..714c94270d 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -129,6 +129,8 @@ validate_extension(_, {bad_cert, _} = Reason, _) ->
 validate_extension(_, {extension, _}, Role) ->
     {unknown, Role};
 validate_extension(_, valid, Role) ->
+    {valid, Role};
+validate_extension(_, valid_peer, Role) ->
     {valid, Role}.
 
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 3cb9337775..fade67f3ba 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2857,11 +2857,13 @@ unknown_server_ca_fail(Config) when is_list(Config) ->
 					      {options, ServerOpts}]),
     Port  = ssl_test_lib:inet_port(Server),
 
-    FunAndState =  {fun(_,{bad_cert, _} = Reason, _) ->
+    FunAndState =  {fun(_,{bad_cert, unknown_ca} = Reason, _) ->
 			    {fail, Reason};
 		       (_,{extension, _}, UserState) ->
 			    {unknown, UserState};
 		       (_, valid, UserState) ->
+			    {valid, [test_to_update_user_state | UserState]};
+		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
 		    end, []},
 
@@ -2930,6 +2932,8 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
 		       (_,{extension, _}, UserState) ->
 			    {unknown, UserState};
 		       (_, valid, UserState) ->
+			    {valid, UserState};
+		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
 		    end, []},
 
-- 
cgit v1.2.3