Implement context-specific verification callbacks
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 660d548..8800cc7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6038,6 +6038,9 @@
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+ void *p_vrfy;
+
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
return( 0 );
@@ -6054,6 +6057,17 @@
ca_crl = ssl->conf->ca_crl;
}
+ if( ssl->f_vrfy != NULL )
+ {
+ f_vrfy = ssl->f_vrfy;
+ p_vrfy = ssl->p_vrfy;
+ }
+ else
+ {
+ f_vrfy = ssl->conf->f_vrfy;
+ p_vrfy = ssl->conf->p_vrfy;
+ }
+
/*
* Main check: verify certificate
*/
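Review bot: The precedence rule introduced here — a callback installed on the context replaces the configuration's callback rather than running in addition to it — is not written down anywhere in the hunk, and it is exactly what a caller of mbedtls_ssl_set_verify() is likely to get wrong (expecting both callbacks to run, or expecting the config's p_vrfy to be kept). A short comment above the selection would pin it: `/* A per-connection callback (mbedtls_ssl_set_verify) takes precedence over the configuration's; f_vrfy == NULL means fall back to the config pair. */`. Only ssl->f_vrfy is tested, so a context whose f_vrfy is NULL but whose p_vrfy is stale silently uses the config's f_vrfy/p_vrfy together, which is the right pairing but deserves a sentence. The fallback also relies on ssl->f_vrfy being NULL on a freshly initialised context; that presumably holds if mbedtls_ssl_init() zeroes the structure, but whether mbedtls_ssl_session_reset() should clear the per-connection callback is a design choice the commit should state. The enclosing function starts and ends outside the hunk.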
@@ -6063,7 +6077,7 @@
ssl->conf->cert_profile,
ssl->hostname,
&ssl->session_negotiate->verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+ f_vrfy, p_vrfy, rs_ctx );
if( ret != 0 )
{
@@ -7902,6 +7916,16 @@
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy )
+{
+ ssl->f_vrfy = f_vrfy;
+ ssl->p_vrfy = p_vrfy;
+}
+#endif
+
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
* Set EC J-PAKE password for current handshake
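Review bot: mbedtls_ssl_set_verify() lands without any comment, and since it changes which code decides whether a peer certificate is accepted, its contract belongs next to it: a Doxygen block stating that the callback overrides the one installed with mbedtls_ssl_conf_verify() for this context only, that passing NULL for f_vrfy restores the configuration-level callback (with p_vrfy ignored in that case), and that the caller keeps ownership of p_vrfy for the lifetime of the context. Whether the setting survives mbedtls_ssl_session_reset() should also be spelled out, because the callback lives on the context rather than on the config. If the neighbouring context setters in this file (e.g. mbedtls_ssl_set_hostname) validate their ssl argument, this one should do the same for consistency.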