diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 845a29929..be8033296 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -600,11 +600,6 @@
 #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB) && \
- !defined(MBEDTLS_X509_CRT_PARSE_C)
-#error "MBEDTLS_SSL_PREVERIFY_CB defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index dc3ba9dac..b5905ef9d 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1436,15 +1436,6 @@
 */
 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
 
-/**
- * \def MBEDTLS_SSL_PREVERIFY_CB
- *
- * Enable support for a pre-verification callback for received certificates.
- *
- * Uncomment this to enable support for the preverification callback
- */
-//#define MBEDTLS_SSL_PREVERIFY_CB
-
 /**
 * \def MBEDTLS_THREADING_ALT
 *
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4d0d6a116..fa5ae2f3b 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -535,6 +535,16 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx,
 */
 typedef int mbedtls_ssl_get_timer_t( void * ctx );
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief Callback type: receive notification before X.509 chain
+ * building
+ *
+ * \param ctx Context pointer
+ * \param crt X.509 certificate pointer
+ */
+typedef void mbedtls_ssl_pre_verify_t( void *ctx, mbedtls_x509_crt *crt );
+#endif
 
 /* Defined below */
 typedef struct mbedtls_ssl_session mbedtls_ssl_session;
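Review bot: The doc comment on the new `mbedtls_ssl_pre_verify_t` typedef in the ssl.h hunk says nothing about what the callback may do with `crt`: per the ssl_tls.c part of this change it is invoked with `peer_cert` before `mbedtls_x509_crt_verify_with_profile` runs, so nothing in that chain has been checked yet, and the parameter is not const, so the callback is able to alter the chain that is subsequently verified. Its return type is void, so it also cannot reject the certificate; that remains the job of `f_vrfy`. I would add `\note The chain has not been verified when this is called; it must not be trusted or modified, and rejection must be done in the verify callback.` to the block, and consider declaring the parameter `const mbedtls_x509_crt *crt` since the callback is a notification.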
@@ -624,17 +634,15 @@ struct mbedtls_ssl_config
 #endif
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+ /** Callback to receive notification before X.509 chain building */
+ mbedtls_ssl_pre_verify_t *f_pre_vrfy;
+ void *p_pre_vrfy; /*!< context for pre-verify calllback */
+
 /** Callback to customize X.509 certificate chain verification */
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
 void *p_vrfy; /*!< context for X.509 verify calllback */
 #endif
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
- /** Callback to receive notification before X.509 chain building */
- void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
- void *p_pre_vrfy; /*!< context for pre-verify calllback */
-#endif
-
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 /** Callback to retrieve PSK key from identity */
 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
@@ -1082,9 +1090,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
 void *p_vrfy );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 /**
 * \brief Set the pre-verification callback (Optional).
 *
@@ -1096,10 +1102,10 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 * \param f_pre_vrfy pre-verification function
 * \param p_pre_vrfy pre-verification parameter
 */
-void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
- void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
- void *p_pre_vrfy);
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
+void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,
+ mbedtls_ssl_pre_verify_t *f_pre_vrfy,
+ void *p_pre_vrfy);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 /**
 * \brief Set the random number generator callback
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 55d145ae6..c87b37019 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
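Review bot: The comment on the new `p_pre_vrfy` member in the `struct mbedtls_ssl_config` hunk copies the "calllback" typo from the line it was modelled on, so the struct now carries the misspelling twice: `void *p_pre_vrfy;       /*!< context for pre-verify callback */`. As a point of style, `f_pre_vrfy` is declared through the new `mbedtls_ssl_pre_verify_t` typedef while the neighbouring `f_vrfy` stays a spelled-out function pointer; either is fine, but the brief on `f_pre_vrfy` could say it is invoked before `f_vrfy`, so the relationship between the two members is visible at the declaration. The struct definition starts before this hunk.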
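Review bot: The `mbedtls_ssl_conf_pre_verify` prototype in the third ssl.h hunk now takes `mbedtls_ssl_pre_verify_t *`, but its doc block, which begins in the previous hunk and continues between the two, still only says "(Optional)" without saying how to opt out or what the callback can decide. The ssl_tls.c call site in this same change tests `f_pre_vrfy != NULL`, so NULL disables it, and the callback returns void, so it cannot reject a chain. I would add `\note Pass NULL as f_pre_vrfy to disable the callback. It is a notification only and cannot reject the certificate; use mbedtls_ssl_conf_verify() for that.` to the block.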
@@ -4625,16 +4625,15 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 ca_crl = ssl->conf->ca_crl;
 }
 
- /*
- * Main check: verify certificate
- */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 if( ssl->conf->f_pre_vrfy != NULL )
 {
 ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
 ssl->session_negotiate->peer_cert );
 }
-#endif
+
+ /*
+ * Main check: verify certificate
+ */
 ret = mbedtls_x509_crt_verify_with_profile(
 ssl->session_negotiate->peer_cert,
 ca_chain, ca_crl,
@@ -5884,17 +5883,15 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 conf->f_vrfy = f_vrfy;
 conf->p_vrfy = p_vrfy;
 }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
-void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
- void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
- void *p_pre_vrfy)
+void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,
+ mbedtls_ssl_pre_verify_t *f_pre_vrfy,
+ void *p_pre_vrfy)
 {
 conf->f_pre_vrfy = f_pre_vrfy;
 conf->p_pre_vrfy = p_pre_vrfy;
 }
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
 int (*f_rng)(void *, unsigned char *, size_t),
diff --git a/library/version_features.c b/library/version_features.c
index ae7bc8f45..da47e3d75 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -471,9 +471,6 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
 "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
- "MBEDTLS_SSL_PREVERIFY_CB",
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
 #if defined(MBEDTLS_THREADING_ALT)
 "MBEDTLS_THREADING_ALT",
 #endif /* MBEDTLS_THREADING_ALT */
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index fcfaf454e..c85846769 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
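Review bot: The `f_pre_vrfy` call in the `mbedtls_ssl_parse_certificate` hunk is now compiled unconditionally and hands `ssl->session_negotiate->peer_cert` to application code before the verify call, but nothing in the hunk establishes that `peer_cert` is non-NULL here; if a path above the hunk reaches this point without a peer certificate (optional authentication would be the usual case, not visible here), the callback receives NULL. Either guard the call, `if( ssl->conf->f_pre_vrfy != NULL && ssl->session_negotiate->peer_cert != NULL )`, or state in the typedef's doc that `crt` may be NULL. A short comment above the call, `/* Notification only: the chain is unverified here and the callback cannot reject it; that happens in the verify call below. */`, would also explain to the next reader why it sits before the "Main check" comment. The function's body begins and ends outside the hunk.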
@@ -82,7 +82,7 @@ void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_PREVERIFY_CB:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */
 void ssl_preverifycb( char *crt_file )
 {
 mbedtls_ssl_context ssl;
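Review bot: Dropping `MBEDTLS_SSL_PREVERIFY_CB` from the `depends_on` list also drops the only thing that guaranteed `MBEDTLS_X509_CRT_PARSE_C` for this test case, since the removed check_config.h rule required it, yet `mbedtls_ssl_conf_pre_verify` and `mbedtls_ssl_pre_verify_t` now live under `#if defined(MBEDTLS_X509_CRT_PARSE_C)` in ssl.h; `ssl_preverifycb` (presumably calling that API; its body runs past the hunk) would then fail to build in a configuration without X.509 parsing. Add the dependency explicitly: `/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */`.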