Add a "pre-verify" callback to ssl_tls.c

This enables a client to populate the trust chain on-demand, rather than loading all the trusted certificates up-front. This is useful on mobile clients where the OS cert store contains >200 certificates, 199 of which won't be used at any given time.
2024-11-27 07:14:15 +01:00 · 2016-06-15 17:55:57 +01:00 · 2016-06-15 17:55:57 +01:00 · 536a22a409
commit 536a22a409
parent fc458d0b9b
2 changed files with 32 additions and 0 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -627,6 +627,10 @@ struct mbedtls_ssl_config
    /** Callback to customize X.509 certificate chain verification          */
    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
    void *p_vrfy;                   /*!< context for X.509 verify calllback */
+
+    /** Callback to receive notification before X.509 chain building        */
+    void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
+    void *p_pre_vrfy;               /*!< context for pre-verify calllback   */
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@ -1076,6 +1080,21 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                     void *p_vrfy );
+
+/**
+ * \brief          Set the pre-verification callback (Optional).
+ *
+ *                 If set, the pre-verification callback is called before the
+ *                 peer's certificate is verified.  This allows a client to
+ *                 dynamically populate the list of ca_certs, for example.
+ *
+ * \param conf     SSL configuration
+ * \param f_pre_vrfy pre-verification function
+ * \param p_pre_vrfy pre-verification parameter
+ */
+void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
+                                 void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+                                 void *p_pre_vrfy);
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

 /**
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4628,6 +4628,11 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
        /*
         * Main check: verify certificate
         */
+        if( ssl->conf->f_pre_vrfy != NULL )
+        {
+            ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
+                                   ssl->session_negotiate->peer_cert );
+        }
        ret = mbedtls_x509_crt_verify_with_profile(
                                ssl->session_negotiate->peer_cert,
                                ca_chain, ca_crl,
@ -5877,6 +5882,14 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
    conf->f_vrfy      = f_vrfy;
    conf->p_vrfy      = p_vrfy;
 }
+
+void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
+                             void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+                             void *p_pre_vrfy)
+{
+  conf->f_pre_vrfy = f_pre_vrfy;
+  conf->p_pre_vrfy = p_pre_vrfy;
+}
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,