fix(tls): move default_root_fun to ?CONST_MOD_V1

William Yang 2024-06-20 11:38:52 +02:00
parent 8d04545f03
commit 464a0a82f0
2 changed files with 11 additions and 2 deletions


@ -10,7 +10,12 @@
make_tls_verify_fun/2 make_tls_verify_fun/2
]). ]).
-export([default_root_fun/1]).
-include_lib("public_key/include/public_key.hrl"). -include_lib("public_key/include/public_key.hrl").
-define(unknown_ca, unknown_ca).
%% @doc Build a root fun for verify TLS partial_chain. %% @doc Build a root fun for verify TLS partial_chain.
%% The `InputChain' is composed by OTP SSL with local cert store %% The `InputChain' is composed by OTP SSL with local cert store
%% AND the cert (chain if any) from the client. %% AND the cert (chain if any) from the client.
@ -109,3 +114,8 @@ ext_key_opts(Str) ->
end, end,
Usages Usages
). ).
%% @doc default root fun for partial_chain 'false'
-spec default_root_fun(_) -> ?unknown_ca.
default_root_fun(_) ->
?unknown_ca.
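Review bot: The doc on `default_root_fun/1` does not say what its return value means to the caller, and that is the security-relevant part: OTP ssl treats `unknown_ca` from a `partial_chain` fun as "no trusted anchor found in the presented chain", so it falls back to validating the full chain against the configured CA certificates. Proposed comment above the spec: `%% Always returns unknown_ca, so ssl validates the whole chain against cacerts; this is the "partial_chain disabled" behaviour and must never return {trusted_ca, _}.` The `-spec` could also type the argument as what the ssl callback actually passes, `[public_key:der_encoded()]`, instead of `_`, so Dialyzer can check the fun against ssl's `partial_chain` option type. The `-define(unknown_ca, unknown_ca)` macro adds nothing over the bare atom and only makes the spec harder to read; a plain `unknown_ca` in both the spec and the body would do.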


@ -13,13 +13,12 @@
-include_lib("emqx/include/logger.hrl"). -include_lib("emqx/include/logger.hrl").
-define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1). -define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1).
-define(unknown_ca, unknown_ca).
%% @doc enable TLS partial_chain validation %% @doc enable TLS partial_chain validation
-spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map(). -spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map().
opt_partial_chain(#{partial_chain := false} = SslOpts) -> opt_partial_chain(#{partial_chain := false} = SslOpts) ->
%% For config update scenario, we must set it to override %% For config update scenario, we must set it to override
%% the 'existing' partial_chain in the listener %% the 'existing' partial_chain in the listener
SslOpts#{partial_chain := fun(_) -> ?unknown_ca end}; SslOpts#{partial_chain := fun ?CONST_MOD_V1:default_root_fun/1};
opt_partial_chain(#{partial_chain := true} = SslOpts) -> opt_partial_chain(#{partial_chain := true} = SslOpts) ->
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)}; SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) -> opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) ->
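Review bot: Removing `-define(unknown_ca, unknown_ca)` from this module leaves any remaining `?unknown_ca` reference in the file pointing at an undefined macro, which is a compile error; the clauses after the `cacert_from_cacertfile` head and `rootfun_trusted_ca_from_cacertfile/2` are outside this hunk, so it is worth confirming the replaced inline closure was the only use. Switching the `false` clause to `fun ?CONST_MOD_V1:default_root_fun/1` also changes the failure mode: if `emqx_auth_ext_tls_const_v1` cannot be loaded when a handshake runs, the `partial_chain` call raises `undef` inside the ssl connection process and the handshake fails rather than the chain being accepted, which is the fail-closed outcome but will surface as TLS alerts rather than a config error. The reason for preferring a module-qualified fun over the inline closure (presumably a reference that stays valid across code reloads and config persistence) is not stated anywhere; a one-line comment above the `false` clause would help, e.g. `%% Module-qualified fun, not a closure, so the option stays valid across code reloads`. `opt_partial_chain/1` continues past the end of the hunk.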