diff options
| author | Ingela Anderton Andin <[email protected]> | 2012-02-03 14:06:53 +0100 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2012-02-08 11:46:23 +0100 |
| commit | 25b2354cc9bcf09c87dc65526936e976fe95d3fd (patch) | |
| tree | b7c326771a1748df5f21d1d560e3df86c5d8488a /lib/ssl/src/ssl_handshake.erl | |
| parent | ab2ba6f1b0713fbe5c78f67aeefb73ffc006e995 (diff) | |
| download | otp-25b2354cc9bcf09c87dc65526936e976fe95d3fd.tar.gz otp-25b2354cc9bcf09c87dc65526936e976fe95d3fd.tar.bz2 otp-25b2354cc9bcf09c87dc65526936e976fe95d3fd.zip | |
User defined verify_fun is now called correctly
Background from erlang-questions:
> We use this test suite to verify our PKIX-path-validation code,
> granted we do not yet support CRL-handling but that is on its
> way. Our verify_fun will let you work around the problem that it
> is not yet supported. (Not so fun for you perhaps but a possible
> solution for now).
this is unfortunately not the case since for versions that contain
commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and
R15B) the documented behaviour (verify_fun will be called for every
certificate) is broken: the verify_fun will only be called, if the
certificate contains unknown extensions.
it is therefore not useful as a CRL workaround (anymore).
best regards
Stefan Grundmann
Diffstat (limited to 'lib/ssl/src/ssl_handshake.erl')
| -rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 371f475c85..542033e6ce 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2011. All Rights Reserved. +%% Copyright Ericsson AB 2007-2012. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -188,14 +188,14 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef, ValidationFunAndState = case VerifyFunAndState of undefined -> - {fun(OtpCert, ExtensionOrError, SslState) -> + {fun(OtpCert, ExtensionOrVerifyResult, SslState) -> ssl_certificate:validate_extension(OtpCert, - ExtensionOrError, SslState) + ExtensionOrVerifyResult, SslState) end, Role}; {Fun, UserState0} -> - {fun(OtpCert, ExtensionOrError, {SslState, UserState}) -> + {fun(OtpCert, {extension, _} = Extension, {SslState, UserState}) -> case ssl_certificate:validate_extension(OtpCert, - ExtensionOrError, + Extension, SslState) of {valid, NewSslState} -> {valid, {NewSslState, UserState}}; @@ -204,8 +204,11 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef, SslState); {unknown, _} -> apply_user_fun(Fun, OtpCert, - ExtensionOrError, UserState, SslState) - end + Extension, UserState, SslState) + end; + (OtpCert, VerifyResult, {SslState, UserState}) -> + apply_user_fun(Fun, OtpCert, VerifyResult, UserState, + SslState) end, {Role, UserState0}} end, |