aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl_handshake.erl
diff options
context:
space:
mode:
authorIngela Anderton Andin <ingela@erlang.org>2012-02-03 14:06:53 +0100
committerIngela Anderton Andin <ingela@erlang.org>2012-02-08 11:46:23 +0100
commit25b2354cc9bcf09c87dc65526936e976fe95d3fd (patch)
treeb7c326771a1748df5f21d1d560e3df86c5d8488a /lib/ssl/src/ssl_handshake.erl
parentab2ba6f1b0713fbe5c78f67aeefb73ffc006e995 (diff)
downloadotp-25b2354cc9bcf09c87dc65526936e976fe95d3fd.tar.gz
otp-25b2354cc9bcf09c87dc65526936e976fe95d3fd.tar.bz2
otp-25b2354cc9bcf09c87dc65526936e976fe95d3fd.zip
User defined verify_fun is now called correctly
Background from erlang-questions: > We use this test suite to verify our PKIX-path-validation code, > granted we do not yet support CRL-handling but that is on its > way. Our verify_fun will let you work around the problem that it > is not yet supported. (Not so fun for you perhaps but a possible > solution for now). this is unfortunately not the case since for versions that contain commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and R15B) the documented behaviour (verify_fun will be called for every certificate) is broken: the verify_fun will only be called, if the certificate contains unknown extensions. it is therefore not useful as a CRL workaround (anymore). best regards Stefan Grundmann
Diffstat (limited to 'lib/ssl/src/ssl_handshake.erl')
-rw-r--r--lib/ssl/src/ssl_handshake.erl17
1 files changed, 10 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 371f475c85..542033e6ce 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -188,14 +188,14 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
ValidationFunAndState =
case VerifyFunAndState of
undefined ->
- {fun(OtpCert, ExtensionOrError, SslState) ->
+ {fun(OtpCert, ExtensionOrVerifyResult, SslState) ->
ssl_certificate:validate_extension(OtpCert,
- ExtensionOrError, SslState)
+ ExtensionOrVerifyResult, SslState)
end, Role};
{Fun, UserState0} ->
- {fun(OtpCert, ExtensionOrError, {SslState, UserState}) ->
+ {fun(OtpCert, {extension, _} = Extension, {SslState, UserState}) ->
case ssl_certificate:validate_extension(OtpCert,
- ExtensionOrError,
+ Extension,
SslState) of
{valid, NewSslState} ->
{valid, {NewSslState, UserState}};
@@ -204,8 +204,11 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
SslState);
{unknown, _} ->
apply_user_fun(Fun, OtpCert,
- ExtensionOrError, UserState, SslState)
- end
+ Extension, UserState, SslState)
+ end;
+ (OtpCert, VerifyResult, {SslState, UserState}) ->
+ apply_user_fun(Fun, OtpCert, VerifyResult, UserState,
+ SslState)
end, {Role, UserState0}}
end,