diff options
author | Ingela Anderton Andin <[email protected]> | 2010-06-29 09:22:10 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2010-06-29 11:31:38 +0200 |
commit | ba903abd7e863f5a29ff4ab0d7a33547b0361de0 (patch) | |
tree | d4fe1d231466227267d0e9652c804cb7aee15303 /lib/ssl | |
parent | 5ef0b06ddbaa48499394c30d56fc81e7162abf50 (diff) | |
download | otp-ba903abd7e863f5a29ff4ab0d7a33547b0361de0.tar.gz otp-ba903abd7e863f5a29ff4ab0d7a33547b0361de0.tar.bz2 otp-ba903abd7e863f5a29ff4ab0d7a33547b0361de0.zip |
The server now verifies the client certificate verify message correctly, instead of causing a case-clause.
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 12 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 4 | ||||
-rw-r--r-- | lib/ssl/test/ssl_to_openssl_SUITE.erl | 4 |
3 files changed, 15 insertions, 5 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 3811906d77..fcc30f6137 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -304,9 +304,15 @@ certificate_verify(Signature, {_, PublicKey, _}, Version, end; certificate_verify(Signature, {_, PublicKey, PublicKeyParams}, Version, MasterSecret, dhe_dss = Algorithm, {_, Hashes0}) -> - Hashes = calc_certificate_verify(Version, MasterSecret, - Algorithm, Hashes0), - public_key:verify_signature(Hashes, sha, Signature, PublicKey, PublicKeyParams). + Hashes = calc_certificate_verify(Version, MasterSecret, + Algorithm, Hashes0), + case public_key:verify_signature(Hashes, none, Signature, PublicKey, PublicKeyParams) of + true -> + valid; + false -> + ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE) + end. + %%-------------------------------------------------------------------- -spec certificate_request(#connection_states{}, certdb_ref()) -> diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 40715dbf30..dd0818827a 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -325,6 +325,10 @@ make_dsa_cert(Config) -> [{server_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, {cacertfile, ServerCaCertFile}, {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]}, + {server_dsa_verify_opts, [{ssl_imp, new},{reuseaddr, true}, + {cacertfile, ServerCaCertFile}, + {certfile, ServerCertFile}, {keyfile, ServerKeyFile}, + {verify, verify_peer}]}, {client_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, {cacertfile, ClientCaCertFile}, {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]} diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl index d2a4ca8db5..75cfce0052 100644 --- a/lib/ssl/test/ssl_to_openssl_SUITE.erl +++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl @@ -309,7 +309,7 @@ tls1_erlang_server_openssl_client_dsa_cert(suite) -> tls1_erlang_server_openssl_client_dsa_cert(Config) when is_list(Config) -> process_flag(trap_exit, true), ClientOpts = ?config(client_dsa_opts, Config), - ServerOpts = ?config(server_dsa_opts, Config), + ServerOpts = ?config(server_dsa_verify_opts, Config), {_, ServerNode, _} = ssl_test_lib:run_where(Config), @@ -398,7 +398,7 @@ ssl3_erlang_server_openssl_client_dsa_cert(suite) -> ssl3_erlang_server_openssl_client_dsa_cert(Config) when is_list(Config) -> process_flag(trap_exit, true), ClientOpts = ?config(client_dsa_opts, Config), - ServerOpts = ?config(server_dsa_opts, Config), + ServerOpts = ?config(server_dsa_verify_opts, Config), {_, ServerNode, _} = ssl_test_lib:run_where(Config), |