From 536a22a409a496c39abf5eaee408502071e184a9 Mon Sep 17 00:00:00 2001
From: Nicholas Wilson
Date: Wed, 15 Jun 2016 17:55:57 +0100
Subject: [PATCH] Add a "pre-verify" callback to ssl_tls.c
This enables a client to populate the trust chain on-demand, rather than loading all the trusted certificates up-front. This is useful on mobile clients where the OS cert store contains >200 certificates, 199 of which won't be used at any given time.
---
 include/mbedtls/ssl.h | 19 +++++++++++++++++++
 library/ssl_tls.c | 13 +++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index dffc16219..905460d42 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -627,6 +627,10 @@ struct mbedtls_ssl_config
 /** Callback to customize X.509 certificate chain verification */
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
 void *p_vrfy; /*!< context for X.509 verify calllback */
+
+ /** Callback to receive notification before X.509 chain building */
+ void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
+ void *p_pre_vrfy; /*!< context for pre-verify calllback */
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1076,6 +1080,21 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
 void *p_vrfy );
+
+ /**
+ * \brief Set the pre-verification callback (Optional).
+ *
+ * If set, the pre-verification callback is called before the
+ * peer's certificate is verified. This allows a client to
+ * dynamically populate the list of ca_certs, for example.
+ *
+ * \param conf SSL configuration
+ * \param f_pre_vrfy pre-verification function
+ * \param p_pre_vrfy pre-verification parameter
+ */
+void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
+ void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+ void *p_pre_vrfy);
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 /**
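Review bot: `f_pre_vrfy` takes the peer chain as a mutable `mbedtls_x509_crt *`, yet the field comment describes it as a notification; the chain it receives has not been verified yet (the ssl_tls.c hunk invokes it immediately before `mbedtls_x509_crt_verify_with_profile`), so declaring it `void (*f_pre_vrfy)(void *, const mbedtls_x509_crt *);` would stop an application from editing the untrusted chain that is about to be verified. The comment also says "before X.509 chain building", which does not match the call site; `/** Callback invoked with the (unverified) peer chain just before certificate verification */` describes what actually happens. The typo `calllback` from the context line above has been copied into the new `p_pre_vrfy` comment.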
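Review bot: The doxygen block does not state the callback's contract: that the `mbedtls_x509_crt *` it receives is the peer's chain before any verification has happened and must not be used for trust decisions, and whether the callback is permitted to modify the configuration at all. The motivating use (loading CAs on demand) means the callback mutates the `mbedtls_ssl_config` from inside a handshake; if one configuration is shared by several ssl contexts, that mutation needs external serialisation, and the comment should say so. Suggested additions: `\note The chain passed to the callback has not been verified yet.` and `\note If the callback modifies the configuration, the caller must make that safe when the configuration is shared between contexts.` The prototype's `void(*f_pre_vrfy)` also differs from `int (*f_vrfy)` three lines above; a space after `void` keeps them consistent. Because the callback returns void it cannot report that loading the CA list failed; if that matters, consider an `int` return and aborting the handshake on non-zero.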
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 236e52d76..199f3d3d5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4628,6 +4628,11 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 /*
 * Main check: verify certificate
 */
+ if( ssl->conf->f_pre_vrfy != NULL )
+ {
+ ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
+ ssl->session_negotiate->peer_cert );
+ }
 ret = mbedtls_x509_crt_verify_with_profile(
 ssl->session_negotiate->peer_cert,
 ca_chain, ca_crl,
@@ -5877,6 +5882,14 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 conf->f_vrfy = f_vrfy;
 conf->p_vrfy = p_vrfy;
 }
+
+void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
+ void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+ void *p_pre_vrfy)
+{
+ conf->f_pre_vrfy = f_pre_vrfy;
+ conf->p_pre_vrfy = p_pre_vrfy;
+}
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
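Review bot: The callback runs after `ca_chain` and `ca_crl` (the context lines that follow) have already been chosen, and those read like locals derived from the configuration earlier in the function, outside this hunk; if so, a callback that installs a fresh CA list through `mbedtls_ssl_conf_ca_chain()` will not be seen by the `mbedtls_x509_crt_verify_with_profile()` call that follows, and the peer will be checked against the stale, possibly empty, list. Move the new `if( ssl->conf->f_pre_vrfy != NULL ) { ... }` block above the point where `ca_chain`/`ca_crl` are assigned, or re-read them from `ssl->conf` after the callback returns, and add a test that loads the chain from the callback and expects the handshake to succeed. The chain handed to the callback is still unverified here, so the hook must treat it as attacker-controlled input (fine for reading the issuer name, not for trust decisions); a comment such as `/* Let the application load CAs before verification; peer_cert is not trusted yet */` would make that explicit. The callback returns void, so a failure to load certificates surfaces only as a generic verification failure afterwards. mbedtls_ssl_parse_certificate() starts and ends outside this hunk.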
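Review bot: The new setter's spacing departs from the file's convention visible in the hunk header `mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,` — spaces inside the parentheses and a space between `void` and `(*f_pre_vrfy)`. Suggested: `void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,` / `void (*f_pre_vrfy)(void *, mbedtls_x509_crt *),` / `void *p_pre_vrfy )`. Like the sibling setter it stores the pointers unchecked, which is consistent, but a one-line comment `/* Passing NULL for f_pre_vrfy disables the hook */` would document the only reset path, which the NULL test in mbedtls_ssl_parse_certificate relies on.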