X509: Remove MBEDTLS_SSL_PREVERIFY_CB

Add a callback typedef

include/mbedtls/check_config.h

@@ -600,11 +600,6 @@
 #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB) && \
-        !defined(MBEDTLS_X509_CRT_PARSE_C)
-#error "MBEDTLS_SSL_PREVERIFY_CB defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"

include/mbedtls/config.h

@@ -1436,15 +1436,6 @@
  */
 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
 
-/**
- * \def MBEDTLS_SSL_PREVERIFY_CB
- *
- * Enable support for a pre-verification callback for received certificates.
- *
- * Uncomment this to enable support for the preverification callback
- */
-//#define MBEDTLS_SSL_PREVERIFY_CB
-
 /**
  * \def MBEDTLS_THREADING_ALT
  *

include/mbedtls/ssl.h

@@ -535,6 +535,16 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx,
  */
 typedef int mbedtls_ssl_get_timer_t( void * ctx );
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Callback type: receive notification before X.509 chain
+ *                 building
+ *
+ * \param ctx      Context pointer
+ * \param crt      X.509 certificate pointer
+ */
+typedef void mbedtls_ssl_pre_verify_t( void *ctx, mbedtls_x509_crt *crt );
+#endif
 
 /* Defined below */
 typedef struct mbedtls_ssl_session mbedtls_ssl_session;
@@ -624,17 +634,15 @@ struct mbedtls_ssl_config
 #endif
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to receive notification before X.509 chain building        */
+    mbedtls_ssl_pre_verify_t *f_pre_vrfy;
+    void *p_pre_vrfy;               /*!< context for pre-verify calllback   */
+
     /** Callback to customize X.509 certificate chain verification          */
     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
     void *p_vrfy;                   /*!< context for X.509 verify calllback */
 #endif
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
-    /** Callback to receive notification before X.509 chain building        */
-    void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
-    void *p_pre_vrfy;               /*!< context for pre-verify calllback   */
-#endif
-
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
     /** Callback to retrieve PSK key from identity                          */
     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
@@ -1082,9 +1090,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
 /**
  * \brief          Set the pre-verification callback (Optional).
  *
@@ -1096,10 +1102,10 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
  * \param f_pre_vrfy pre-verification function
  * \param p_pre_vrfy pre-verification parameter
  */
-void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
-                                 void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,
+                         mbedtls_ssl_pre_verify_t *f_pre_vrfy,
                          void *p_pre_vrfy);
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 /**
  * \brief          Set the random number generator callback

library/ssl_tls.c

@@ -4625,16 +4625,15 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
             ca_crl   = ssl->conf->ca_crl;
         }
 
-        /*
-         * Main check: verify certificate
-         */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
         if( ssl->conf->f_pre_vrfy != NULL )
         {
             ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
                                    ssl->session_negotiate->peer_cert );
         }
-#endif
+
+        /*
+         * Main check: verify certificate
+         */
         ret = mbedtls_x509_crt_verify_with_profile(
                                 ssl->session_negotiate->peer_cert,
                                 ca_chain, ca_crl,
@@ -5884,17 +5883,15 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
     conf->f_vrfy      = f_vrfy;
     conf->p_vrfy      = p_vrfy;
 }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
-void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
-                             void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,
+                         mbedtls_ssl_pre_verify_t *f_pre_vrfy,
                          void *p_pre_vrfy)
 {
   conf->f_pre_vrfy = f_pre_vrfy;
   conf->p_pre_vrfy = p_pre_vrfy;
 }
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
                   int (*f_rng)(void *, unsigned char *, size_t),

library/version_features.c

@@ -471,9 +471,6 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
     "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
-#if defined(MBEDTLS_SSL_PREVERIFY_CB)
-    "MBEDTLS_SSL_PREVERIFY_CB",
-#endif /* MBEDTLS_SSL_PREVERIFY_CB */
 #if defined(MBEDTLS_THREADING_ALT)
     "MBEDTLS_THREADING_ALT",
 #endif /* MBEDTLS_THREADING_ALT */

tests/suites/test_suite_ssl.function

@@ -82,7 +82,7 @@ void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_PREVERIFY_CB:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_AES_C:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC */
 void ssl_preverifycb( char *crt_file )
 {
     mbedtls_ssl_context ssl;