Add a "pre-verify" callback to ssl_tls.c
This lets a client populate the set of trusted CA certificates on demand,
instead of loading every trusted certificate up front. This is useful on
mobile clients where the OS certificate store holds more than 200
certificates, of which all but one are unused for any given connection.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index dffc162..905460d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -627,6 +627,10 @@
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
+
+ /** Callback to receive notification before X.509 chain building */
+ void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
+ void *p_pre_vrfy; /*!< context for pre-verify calllback */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
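Review bot: The comments on the two new fields repeat the "calllback" typo from the f_vrfy line above and omit the one property a user of this hook must know: the certificate passed to f_pre_vrfy is the peer's certificate before any verification has run, so its contents are untrusted input. I would write `/** Callback invoked with the peer's (not yet verified) certificate before X.509 chain verification */` for f_pre_vrfy and `void *p_pre_vrfy; /*!< context for pre-verify callback */` for the context pointer. The enclosing mbedtls_ssl_config struct starts and ends outside this hunk.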
@@ -1076,6 +1080,21 @@
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
+
+/**
+ * \brief Set the pre-verification callback (Optional).
+ *
+ * If set, the pre-verification callback is called before the
+ * peer's certificate is verified. This allows a client to
+ * dynamically populate the list of ca_certs, for example.
+ *
+ * \param conf SSL configuration
+ * \param f_pre_vrfy pre-verification function
+ * \param p_pre_vrfy pre-verification parameter
+ */
+void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
+ void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+ void *p_pre_vrfy);
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/**
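Review bot: The Doxygen block for mbedtls_ssl_conf_pre_verify says the callback "allows a client to dynamically populate the list of ca_certs" but does not warn that the mbedtls_x509_crt argument is the peer's unverified certificate, so any field the callback reads from it (issuer name, key identifier, and so on) may be attacker-chosen and must only be used to decide which already-trusted anchors to load, never to add the peer's own certificate or anything from its chain to ca_chain. It also does not state that the callback returns void and therefore cannot abort the handshake if loading the trust anchors fails; the handshake will then fail later with a generic verification flag rather than a distinct error. I would add a \warning paragraph covering those two points, plus a \note that, if the same mbedtls_ssl_config is shared between contexts or threads, a callback that mutates its ca_chain must provide its own synchronization, since this code does none. The declaration's spacing (`void(*f_pre_vrfy)`, no space inside the parentheses) also differs from the mbedtls_ssl_conf_verify prototype directly above it.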
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 236e52d..199f3d3 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4628,6 +4628,11 @@
/*
* Main check: verify certificate
*/
+ if( ssl->conf->f_pre_vrfy != NULL )
+ {
+ ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
+ ssl->session_negotiate->peer_cert );
+ }
ret = mbedtls_x509_crt_verify_with_profile(
ssl->session_negotiate->peer_cert,
ca_chain, ca_crl,
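Review bot: The pre-verify callback is invoked immediately before mbedtls_x509_crt_verify_with_profile() is called with the locals `ca_chain` and `ca_crl`, which are assigned earlier in the function (outside this hunk) from the config or SNI state; if that is the case, a callback that replaces `conf->ca_chain` via mbedtls_ssl_conf_ca_chain() rather than appending to the list already pointed to will have no effect on this verification, and the handshake fails with a stale trust set. Either move the `if( ssl->conf->f_pre_vrfy != NULL )` block above the point where `ca_chain`/`ca_crl` are derived, or re-read them after the callback returns, and document which of the two mutation styles (append vs. replace) is supported. The callback also receives `peer_cert` unconditionally, with no hint of the negotiated authmode, so it runs its potentially expensive store lookup even when verification is optional or disabled. The enclosing ssl_parse_certificate() function starts and ends outside this hunk.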
@@ -5877,6 +5882,14 @@
conf->f_vrfy = f_vrfy;
conf->p_vrfy = p_vrfy;
}
+
+void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
+ void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
+ void *p_pre_vrfy)
+{
+ conf->f_pre_vrfy = f_pre_vrfy;
+ conf->p_pre_vrfy = p_pre_vrfy;
+}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
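Review bot: The new definition does not follow the library's formatting visible on the surrounding lines (`mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,` and the existing `int (*f_vrfy)(...)` declarations): it drops the space inside the parentheses and in `void(*f_pre_vrfy)`, and the continuation parameters are not aligned. I would write `void mbedtls_ssl_conf_pre_verify( mbedtls_ssl_config *conf,` / `void (*f_pre_vrfy)(void *, mbedtls_x509_crt *),` / `void *p_pre_vrfy )`, aligning the last two under the first parameter as mbedtls_ssl_conf_verify does. Behaviour is otherwise consistent with mbedtls_ssl_conf_verify, including the absence of a NULL check on conf.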