Add compile-time guard MBEDTLS_SSL_PREVERIFY_CB for pre-verify callback

include/mbedtls/check_config.h

@@ -600,6 +600,11 @@
 #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SSL_PREVERIFY_CB) && \
+        !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_PREVERIFY_CB defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"

include/mbedtls/config.h

@@ -1436,6 +1436,15 @@
  */
 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
 
+/**
+ * \def MBEDTLS_SSL_PREVERIFY_CB
+ *
+ * Enable support for a pre-verification callback for received certificates.
+ *
+ * Uncomment this to enable support for the preverification callback
+ */
+//#define MBEDTLS_SSL_PREVERIFY_CB
+
 /**
  * \def MBEDTLS_THREADING_ALT
  *

include/mbedtls/ssl.h

@@ -627,7 +627,9 @@ struct mbedtls_ssl_config
     /** Callback to customize X.509 certificate chain verification          */
     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
     void *p_vrfy;                   /*!< context for X.509 verify calllback */
+#endif
 
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
     /** Callback to receive notification before X.509 chain building        */
     void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
     void *p_pre_vrfy;               /*!< context for pre-verify calllback   */
@@ -1080,7 +1082,9 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 /**
  * \brief          Set the pre-verification callback (Optional).
  *
@@ -1095,7 +1099,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
                                  void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
                                  void *p_pre_vrfy);
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_SSL_PREVERIFY_CB */
 
 /**
  * \brief          Set the random number generator callback

library/ssl_tls.c

@@ -4628,11 +4628,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
         /*
          * Main check: verify certificate
          */
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
         if( ssl->conf->f_pre_vrfy != NULL )
         {
             ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
                                    ssl->session_negotiate->peer_cert );
         }
+#endif
         ret = mbedtls_x509_crt_verify_with_profile(
                                 ssl->session_negotiate->peer_cert,
                                 ca_chain, ca_crl,
@@ -5882,7 +5884,9 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
     conf->f_vrfy      = f_vrfy;
     conf->p_vrfy      = p_vrfy;
 }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
                              void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
                              void *p_pre_vrfy)
@@ -5890,7 +5894,7 @@ void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
   conf->f_pre_vrfy = f_pre_vrfy;
   conf->p_pre_vrfy = p_pre_vrfy;
 }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_SSL_PREVERIFY_CB */
 
 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
                   int (*f_rng)(void *, unsigned char *, size_t),