authorPéter Dimitrov <[email protected]>2019-01-23 11:17:15 +0100
committerPéter Dimitrov <[email protected]>2019-01-28 09:44:10 +0100
commit8f4b83c8b7d02e5720ba99150562b259550a7bd0 (patch)
tree26bc5a8f6762a404bec63a93213001dc78fd8617 /lib/ssl
parent05d80e2ca5b5703b3928af8ef8ca1160c7a2062f (diff)
ssl: Update certificate_verify
Change-Id: I6adacc846f938d1ca1eb1a798780cc804b501a71
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/tls_handshake_1_3.erl21
1 files changed, 10 insertions, 11 deletions
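--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -41,7 +41,7 @@
 %% Create handshake messages
 -export([certificate/5,
- certificate_verify/5,
+ certificate_verify/4,
 encrypted_extensions/0,
 server_hello/4]).
@@ -112,12 +112,14 @@ certificate(OwnCert, CertDbHandle, CertDbRef, _CRContext, server) ->
 end.
 %% TODO: use maybe monad for error handling!
-certificate_verify(OwnCert, PrivateKey, SignatureScheme, Messages, server) ->
+certificate_verify(PrivateKey, SignatureScheme,
+ #state{handshake_env =
+ #handshake_env{
+ tls_handshake_history = {Messages, _}}}, server) ->
 {HashAlgo, _, _} =
 ssl_cipher:scheme_to_components(SignatureScheme),
- %% Transcript-Hash(Handshake Context, Certificate)
- Context = [Messages, OwnCert],
+ Context = lists:reverse(Messages),
 THash = tls_v1:transcript_hash(Context, HashAlgo),
 Signature = digitally_sign(THash, <<"TLS 1.3, server CertificateVerify">>,
@@ -316,7 +318,8 @@ digitally_sign(THash, Context, HashAlgo, PrivateKey = #'RSAPrivateKey'{}) ->
 public_key:sign(Content, HashAlgo, PrivateKey,
 [{rsa_padding, rsa_pkcs1_pss_padding},
- {rsa_pss_saltlen, PadLen}]).
+ {rsa_pss_saltlen, -1},
+ {rsa_mgf1_md, HashAlgo}]).
 build_content(Context, THash) ->
@@ -452,13 +455,9 @@ do_negotiated(#{client_share := ClientKey,
 State5 = tls_connection:queue_handshake(Certificate, State4),
 %% Create CertificateVerify
- #state{handshake_env =
- #handshake_env{tls_handshake_history = {Messages, _}}} = State5,
-
 %% Use selected signature_alg from here, HKDF only used for key_schedule
- CertificateVerify =
- tls_handshake_1_3:certificate_verify(OwnCert, CertPrivateKey, SignatureScheme,
- Messages, server),
+ CertificateVerify = certificate_verify(CertPrivateKey, SignatureScheme,
+ State5, server),
 %% Encode CertificateVerify
 %% Send Certificate, CertifricateVerify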
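Review bot: In the digitally_sign hunk (-316,7) the new `{rsa_pss_saltlen, -1}` is a bare magic value on a signature-critical line and needs a comment, because the reason for the change is RFC 8446 §4.2.3, which requires RSA-PSS with a salt equal in length to the digest and MGF1 using the same hash; in public_key, -1 selects a digest-length salt, so the added `{rsa_mgf1_md, HashAlgo}` completes that pairing and the suggested comment is `%% RFC 8446 4.2.3: PSS salt length = digest length (-1), MGF1 with the signature hash`. If PadLen is still bound earlier in that clause (outside the hunk), it is now unused and will produce a compiler warning, so that binding should go too. In the certificate_verify hunk (-112,12) the removed `%% Transcript-Hash(Handshake Context, Certificate)` comment should survive in some form: the new clause silently relies on the caller having already queued the Certificate message into State5 (as do_negotiated does in the last hunk) and on tls_handshake_history being kept newest-first, which is what `lists:reverse(Messages)` undoes, and a reader of certificate_verify alone cannot see either precondition. Suggested: `%% Transcript-Hash(Handshake Context, Certificate): history is newest-first and must already contain the queued Certificate`. The bodies of certificate_verify, digitally_sign and do_negotiated all continue outside their hunks.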