diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index be8033296..845a29929 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -600,6 +600,11 @@
 #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
 #endif
+#if defined(MBEDTLS_SSL_PREVERIFY_CB) && \
+ !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_PREVERIFY_CB defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b5905ef9d..dc3ba9dac 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1436,6 +1436,15 @@
 */
 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+/**
+ * \def MBEDTLS_SSL_PREVERIFY_CB
+ *
+ * Enable support for a pre-verification callback for received certificates.
+ *
+ * Uncomment this to enable support for the preverification callback
+ */
+//#define MBEDTLS_SSL_PREVERIFY_CB
+
 /**
 * \def MBEDTLS_THREADING_ALT
 *
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 905460d42..4d0d6a116 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -627,7 +627,9 @@ struct mbedtls_ssl_config
 /** Callback to customize X.509 certificate chain verification */
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
 void *p_vrfy; /*!< context for X.509 verify calllback */
+#endif
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 /** Callback to receive notification before X.509 chain building */
 void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
 void *p_pre_vrfy; /*!< context for pre-verify calllback */
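Review bot: The new MBEDTLS_SSL_PREVERIFY_CB entry in config.h states neither its prerequisite nor what the callback is allowed to do, at the `* Uncomment this to enable support for the preverification callback` line. The check_config.h hunk in this same commit makes MBEDTLS_X509_CRT_PARSE_C mandatory, and the ssl.h/ssl_tls.c hunks show the callback returns void and is invoked immediately before mbedtls_x509_crt_verify_with_profile(), so it observes the peer chain but cannot reject it. I would add ` * Requires: MBEDTLS_X509_CRT_PARSE_C` (the convention the other entries in this file appear to use) and a sentence such as ` * The callback receives the peer certificate chain before it is verified; it is a notification only and cannot reject the chain, which must be treated as untrusted input.`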
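Review bot: The field comment `/** Callback to receive notification before X.509 chain building */` in the ssl.h struct hunk misdescribes when the callback runs: the ssl_tls.c hunk calls `f_pre_vrfy` after the chain has already been parsed into `peer_cert` and immediately before `mbedtls_x509_crt_verify_with_profile()`, i.e. before verification, not before chain building. Because the callback receives a non-const `mbedtls_x509_crt *` to the very chain that is verified next, the comment should also forbid mutating or freeing it, since either would change what gets verified. Suggested: `/** Called with the parsed, not-yet-verified peer chain just before X.509 verification; notification only, must not modify or free the chain */`. The enclosing struct mbedtls_ssl_config starts and ends outside the hunk, as does the `#if defined(MBEDTLS_X509_CRT_PARSE_C)` that the added `#endif` closes.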
@@ -1080,7 +1082,9 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
 void *p_vrfy );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 /**
 * \brief Set the pre-verification callback (Optional).
 *
@@ -1095,7 +1099,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
 void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
 void *p_pre_vrfy);
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_SSL_PREVERIFY_CB */
 /**
 * \brief Set the random number generator callback
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 199f3d3d5..55d145ae6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4628,11 +4628,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 /*
 * Main check: verify certificate
 */
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 if( ssl->conf->f_pre_vrfy != NULL )
 {
 ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy, ssl->session_negotiate->peer_cert );
 }
+#endif
 ret = mbedtls_x509_crt_verify_with_profile(
 ssl->session_negotiate->peer_cert,
 ca_chain, ca_crl,
@@ -5882,7 +5884,9 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 conf->f_vrfy = f_vrfy;
 conf->p_vrfy = p_vrfy;
 }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
 void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
 void *p_pre_vrfy)
@@ -5890,7 +5894,7 @@ void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
 conf->f_pre_vrfy = f_pre_vrfy;
 conf->p_pre_vrfy = p_pre_vrfy;
 }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_SSL_PREVERIFY_CB */
 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
 int (*f_rng)(void *, unsigned char *, size_t),
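Review bot: The public documentation of mbedtls_ssl_conf_pre_verify() visible in the ssl.h hunk (`* \brief Set the pre-verification callback (Optional).`) does not say when the callback fires or that the chain it receives is unverified; the body of that doc comment sits between the two ssl.h hunks, so if it already covers this, disregard. From the ssl_tls.c hunk, the callback runs on the parsed peer chain right before mbedtls_x509_crt_verify_with_profile(), and its void return gives it no way to fail the handshake. I would add `\note The chain passed to f_pre_vrfy has not been verified and must be treated as untrusted input; the callback cannot reject it. Use mbedtls_ssl_conf_verify() to influence the verification result.`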
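Review bot: The f_pre_vrfy call in mbedtls_ssl_parse_certificate() hands the callback `ssl->session_negotiate->peer_cert` before mbedtls_x509_crt_verify_with_profile() runs, and nothing at the call site records that this chain is still unverified, peer-supplied data or that the callback's void return cannot abort the handshake. An application that logs the subject, keys a lookup on it or pins against it in this callback could be misled into trusting fields before verification. I would add above the `#if defined(MBEDTLS_SSL_PREVERIFY_CB)` line: `/* Notification only: peer_cert has not been verified yet and f_pre_vrfy cannot reject it; rejection must come from the verification that follows. */`. Whether peer_cert is guaranteed non-NULL at this point depends on code earlier in the function, which is outside the hunk, and the function continues past the hunk as well.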
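Review bot: Style: the mbedtls_ssl_conf_pre_verify() definition in the `@@ -5882` hunk (`void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,` / `void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),`) does not follow the spacing of its neighbours mbedtls_ssl_conf_verify() and mbedtls_ssl_conf_rng(), which write `name( args )` with spaces inside the parentheses and a space in `int (*f_rng)`. Those lines are context here but are the new code this option ships; matching the surrounding style would be `void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,` and `void (*f_pre_vrfy)(void *, mbedtls_x509_crt *),`, and the same applies to the prototype in the ssl.h hunk. The function's body continues outside the hunk.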