Enable restart for certificate verify
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f91e2a8..f3cde7f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4518,6 +4518,7 @@
#else
const int authmode = ssl->conf->authmode;
#endif
+ void *rs_ctx = NULL;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
@@ -4545,11 +4546,20 @@
{
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+
ssl->state++;
return( 0 );
}
#endif
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ssl->handshake->ecrs_enabled &&
+ ssl->handshake->ecrs_state == ssl_ecrs_crt_parsed )
+ {
+ goto crt_verify;
+ }
+#endif
+
if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
{
/* mbedtls_ssl_read_record may have sent an alert already. We
@@ -4572,6 +4582,15 @@
return( ret );
}
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ssl->handshake->ecrs_enabled)
+ ssl->handshake->ecrs_state++;
+
+crt_verify:
+ if( ssl->handshake->ecrs_enabled)
+ rs_ctx = &ssl->handshake->ecrs_ctx;
+#endif
+
if( authmode != MBEDTLS_SSL_VERIFY_NONE )
{
mbedtls_x509_crt *ca_chain;
@@ -4593,19 +4612,24 @@
/*
* Main check: verify certificate
*/
- ret = mbedtls_x509_crt_verify_with_profile(
+ ret = mbedtls_x509_crt_verify_restartable(
ssl->session_negotiate->peer_cert,
ca_chain, ca_crl,
ssl->conf->cert_profile,
ssl->hostname,
&ssl->session_negotiate->verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+ ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
}
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ return( ret );
+#endif
+
/*
* Secondary checks: always done, but change 'ret' only if it was 0
*/
@@ -4702,6 +4726,11 @@
#endif /* MBEDTLS_DEBUG_C */
}
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ssl->handshake->ecrs_enabled)
+ ssl->handshake->ecrs_state++;
+#endif
+
ssl->state++;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );