mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-30 12:54:14 +01:00
Add a "pre-verify" callback to ssl_tls.c
This enables a client to populate the trust chain on-demand, rather than loading all the trusted certificates up-front. This is useful on mobile clients where the OS cert store contains >200 certificates, 199 of which won't be used at any given time.
This commit is contained in:
parent
fc458d0b9b
commit
536a22a409
@ -627,6 +627,10 @@ struct mbedtls_ssl_config
|
||||
/** Callback to customize X.509 certificate chain verification */
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
|
||||
void *p_vrfy; /*!< context for X.509 verify calllback */
|
||||
|
||||
/** Callback to receive notification before X.509 chain building */
|
||||
void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
|
||||
void *p_pre_vrfy; /*!< context for pre-verify calllback */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
@ -1076,6 +1080,21 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
|
||||
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy );
|
||||
|
||||
/**
|
||||
* \brief Set the pre-verification callback (Optional).
|
||||
*
|
||||
* If set, the pre-verification callback is called before the
|
||||
* peer's certificate is verified. This allows a client to
|
||||
* dynamically populate the list of ca_certs, for example.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param f_pre_vrfy pre-verification function
|
||||
* \param p_pre_vrfy pre-verification parameter
|
||||
*/
|
||||
void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
|
||||
void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
|
||||
void *p_pre_vrfy);
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
/**
|
||||
|
@ -4628,6 +4628,11 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||
/*
|
||||
* Main check: verify certificate
|
||||
*/
|
||||
if( ssl->conf->f_pre_vrfy != NULL )
|
||||
{
|
||||
ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
|
||||
ssl->session_negotiate->peer_cert );
|
||||
}
|
||||
ret = mbedtls_x509_crt_verify_with_profile(
|
||||
ssl->session_negotiate->peer_cert,
|
||||
ca_chain, ca_crl,
|
||||
@ -5877,6 +5882,14 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
|
||||
conf->f_vrfy = f_vrfy;
|
||||
conf->p_vrfy = p_vrfy;
|
||||
}
|
||||
|
||||
void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
|
||||
void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
|
||||
void *p_pre_vrfy)
|
||||
{
|
||||
conf->f_pre_vrfy = f_pre_vrfy;
|
||||
conf->p_pre_vrfy = p_pre_vrfy;
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
|
||||
|
Loading…
Reference in New Issue
Block a user