File 3731-ssl-Improve-names.patch of Package erlang
From 605baff232abc7fe00378a332feab973dc57f0ef Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 5 May 2022 15:54:38 +0200
Subject: [PATCH 1/2] ssl: Improve names
---
lib/ssl/src/ssl_certificate.erl | 12 ++++++------
lib/ssl/src/ssl_handshake.erl | 12 ++++++------
lib/ssl/src/tls_handshake_1_3.erl | 32 +++++++++++++++----------------
3 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 05162c34d6..3d360803ac 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -699,18 +699,18 @@ maybe_shorten_path(Path, PartialChainHandler, Default) ->
DerCerts = [Der || #cert{der=Der} <- Path],
try PartialChainHandler(DerCerts) of
{trusted_ca, Root} ->
- new_trusteded_path(Root, Path, Default);
+ new_trusted_path(Root, Path, Default);
unknown_ca ->
Default
catch _:_ ->
Default
end.
-new_trusteded_path(DerCert, [#cert{der=DerCert}=Cert | Chain], _) ->
- {Cert, Chain};
-new_trusteded_path(DerCert, [_ | Rest], Default) ->
- new_trusteded_path(DerCert, Rest, Default);
-new_trusteded_path(_, [], Default) ->
+new_trusted_path(DerCert, [#cert{der=DerCert}=Cert | Path], _) ->
+ {Cert, Path};
+new_trusted_path(DerCert, [_ | Rest], Default) ->
+ new_trusted_path(DerCert, Rest, Default);
+new_trusted_path(_, [], Default) ->
%% User did not pick a cert present
%% in the cert chain so ignore
Default.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 178229f853..2776e0d6a3 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1065,7 +1065,7 @@ select_session(SuggestedSessionId, CipherSuites, HashSigns, Compressions, SessId
new_session_parameters(SessionId, #session{ecc = ECCCurve0} = Session, CipherSuites, SslOpts,
Version, Compressions, HashSigns, CertKeyPairs) ->
Compression = select_compression(Compressions),
- {Certs, Key, {ECCCurve, CipherSuite}} = select_cert_key_pair_and_params(CipherSuites, CertKeyPairs, HashSigns,
+ {Certs, Key, {ECCCurve, CipherSuite}} = server_select_cert_key_pair_and_params(CipherSuites, CertKeyPairs, HashSigns,
ECCCurve0, SslOpts, Version),
Session#session{session_id = SessionId,
ecc = ECCCurve,
@@ -1076,32 +1076,32 @@ new_session_parameters(SessionId, #session{ecc = ECCCurve0} = Session, CipherSui
%% Possibly support part of "trusted_ca_keys" extension that corresponds to TLS-1.3 certificate_authorities?!
-select_cert_key_pair_and_params(CipherSuites, [#{private_key := NoKey, certs := [[]] = NoCerts}], HashSigns, ECCCurve0,
+server_select_cert_key_pair_and_params(CipherSuites, [#{private_key := NoKey, certs := [[]] = NoCerts}], HashSigns, ECCCurve0,
#{ciphers := UserSuites, honor_cipher_order := HonorCipherOrder}, Version) ->
%% This can happen if anonymous cipher suites are enabled
Suites = available_suites(undefined, UserSuites, Version, HashSigns, ECCCurve0),
CipherSuite0 = select_cipher_suite(CipherSuites, Suites, HonorCipherOrder),
CurveAndSuite = cert_curve(undefined, ECCCurve0, CipherSuite0),
{NoCerts, NoKey, CurveAndSuite};
-select_cert_key_pair_and_params(CipherSuites, [#{private_key := Key, certs := [Cert | _] = Certs}], HashSigns, ECCCurve0,
+server_select_cert_key_pair_and_params(CipherSuites, [#{private_key := Key, certs := [Cert | _] = Certs}], HashSigns, ECCCurve0,
#{ciphers := UserSuites, honor_cipher_order := HonorCipherOrder}, Version) ->
Suites = available_suites(Cert, UserSuites, Version, HashSigns, ECCCurve0),
CipherSuite0 = select_cipher_suite(CipherSuites, Suites, HonorCipherOrder),
CurveAndSuite = cert_curve(Cert, ECCCurve0, CipherSuite0),
{Certs, Key, CurveAndSuite};
-select_cert_key_pair_and_params(CipherSuites, [#{private_key := Key, certs := [Cert | _] = Certs} | Rest], HashSigns, ECCCurve0,
+server_select_cert_key_pair_and_params(CipherSuites, [#{private_key := Key, certs := [Cert | _] = Certs} | Rest], HashSigns, ECCCurve0,
#{ciphers := UserSuites, honor_cipher_order := HonorCipherOrder} = Opts, Version) ->
Suites = available_suites(Cert, UserSuites, Version, HashSigns, ECCCurve0),
case select_cipher_suite(CipherSuites, Suites, HonorCipherOrder) of
no_suite ->
- select_cert_key_pair_and_params(CipherSuites, Rest, HashSigns, ECCCurve0, Opts, Version);
+ server_select_cert_key_pair_and_params(CipherSuites, Rest, HashSigns, ECCCurve0, Opts, Version);
CipherSuite0 ->
case is_acceptable_cert(Cert, HashSigns, ssl:tls_version(Version)) of
true ->
CurveAndSuite = cert_curve(Cert, ECCCurve0, CipherSuite0),
{Certs, Key, CurveAndSuite};
false ->
- select_cert_key_pair_and_params(CipherSuites, Rest, HashSigns, ECCCurve0, Opts, Version)
+ server_select_cert_key_pair_and_params(CipherSuites, Rest, HashSigns, ECCCurve0, Opts, Version)
end
end.
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index a68c7de159..e145044533 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -2315,14 +2315,14 @@ check_cert_sign_algo(SignAlgo, SignHash, _, ClientSignAlgsCert) ->
%% DSA keys are not supported by TLS 1.3
-select_sign_algo(dsa, _RSAKeySize, _PeerSignAlgs, _OwnSignAlgs, _Curve) ->
+select_sign_algo(dsa, _RSAKeySize, _CertSignAlg, _OwnSignAlgs, _Curve) ->
{error, ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_public_key)};
select_sign_algo(_, _RSAKeySize, [], _, _) ->
{error, ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_signature_algorithm)};
select_sign_algo(_, _RSAKeySize, undefined, _OwnSignAlgs, _) ->
{error, ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_public_key)};
-select_sign_algo(PublicKeyAlgo, RSAKeySize, [PeerSignAlg|PeerSignAlgs], OwnSignAlgs, Curve) ->
- {_, S, _} = ssl_cipher:scheme_to_components(PeerSignAlg),
+select_sign_algo(PublicKeyAlgo, RSAKeySize, [CertSignAlg|CertSignAlgs], OwnSignAlgs, Curve) ->
+ {_, S, _} = ssl_cipher:scheme_to_components(CertSignAlg),
%% RSASSA-PKCS1-v1_5 and Legacy algorithms are not defined for use in signed
%% TLS handshake messages: filter sha-1 and rsa_pkcs1.
%%
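Review bot: The first clause of select_sign_algo now names its third argument `_CertSignAlg`, singular, although that position carries the list the last clause destructures as `[CertSignAlg|CertSignAlgs]`; it was `_PeerSignAlgs` before, so `_CertSignAlgs` would keep the plural. The rename is also incomplete in the following hunk, where the ecdsa clause of validate_key_compatibility still binds `PeerCurve` from `ssl_cipher:scheme_to_components(CertSignAlg)`; `CertCurve`, or a neutral `SchemeCurve`, would match the new naming. Since this list is what gets tested against `OwnSignAlgs` to pick the accepted scheme, a one-line comment above select_sign_algo saying which list callers pass in this position would help; the callers are not visible in this patch, so the name alone has to carry that. The body of the last clause continues outside this hunk.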
@@ -2336,36 +2336,36 @@ select_sign_algo(PublicKeyAlgo, RSAKeySize, [PeerSignAlg|PeerSignAlgs], OwnSignA
orelse (PublicKeyAlgo =:= eddsa andalso S =:= eddsa)
)
andalso
- lists:member(PeerSignAlg, OwnSignAlgs) of
+ lists:member(CertSignAlg, OwnSignAlgs) of
true ->
validate_key_compatibility(PublicKeyAlgo, RSAKeySize,
- [PeerSignAlg|PeerSignAlgs], OwnSignAlgs, Curve);
+ [CertSignAlg|CertSignAlgs], OwnSignAlgs, Curve);
false ->
- select_sign_algo(PublicKeyAlgo, RSAKeySize, PeerSignAlgs, OwnSignAlgs, Curve)
+ select_sign_algo(PublicKeyAlgo, RSAKeySize, CertSignAlgs, OwnSignAlgs, Curve)
end.
-validate_key_compatibility(PublicKeyAlgo, RSAKeySize, [PeerSignAlg|PeerSignAlgs], OwnSignAlgs, Curve)
+validate_key_compatibility(PublicKeyAlgo, RSAKeySize, [CertSignAlg|CertSignAlgs], OwnSignAlgs, Curve)
when PublicKeyAlgo =:= rsa orelse
PublicKeyAlgo =:= rsa_pss_pss ->
- {Hash, Sign, _} = ssl_cipher:scheme_to_components(PeerSignAlg),
+ {Hash, Sign, _} = ssl_cipher:scheme_to_components(CertSignAlg),
case (Sign =:= rsa_pss_rsae orelse Sign =:= rsa_pss_pss) andalso
is_rsa_key_compatible(RSAKeySize, Hash) of
true ->
- {ok, PeerSignAlg};
+ {ok, CertSignAlg};
false ->
- select_sign_algo(PublicKeyAlgo, RSAKeySize, PeerSignAlgs, OwnSignAlgs, Curve)
+ select_sign_algo(PublicKeyAlgo, RSAKeySize, CertSignAlgs, OwnSignAlgs, Curve)
end;
-validate_key_compatibility(PublicKeyAlgo, RSAKeySize, [PeerSignAlg|PeerSignAlgs], OwnSignAlgs, Curve)
+validate_key_compatibility(PublicKeyAlgo, RSAKeySize, [CertSignAlg|CertSignAlgs], OwnSignAlgs, Curve)
when PublicKeyAlgo =:= ecdsa ->
- {_ , Sign, PeerCurve} = ssl_cipher:scheme_to_components(PeerSignAlg),
+ {_ , Sign, PeerCurve} = ssl_cipher:scheme_to_components(CertSignAlg),
case Sign =:= ecdsa andalso Curve =:= PeerCurve of
true ->
- {ok, PeerSignAlg};
+ {ok, CertSignAlg};
false ->
- select_sign_algo(PublicKeyAlgo, RSAKeySize, PeerSignAlgs, OwnSignAlgs, Curve)
+ select_sign_algo(PublicKeyAlgo, RSAKeySize, CertSignAlgs, OwnSignAlgs, Curve)
end;
-validate_key_compatibility(_, _, [PeerSignAlg|_], _, _) ->
- {ok, PeerSignAlg}.
+validate_key_compatibility(_, _, [CertSignAlg|_], _, _) ->
+ {ok, CertSignAlg}.
is_rsa_key_compatible(KeySize, Hash) ->
HashSize = ssl_cipher:hash_size(Hash),
--
2.35.3