- Added a verification callback to the certificate-chain verification path (x509parse_verify / ssl_set_verify) so that an application can reject individual certificates, e.g. to implement external blacklisting
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 715a4e8..3d3c020 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -215,17 +215,19 @@
int max_minor_ver; /*!< max. minor version from client */
/*
- * Callbacks (RNG, debug, I/O)
+ * Callbacks (RNG, debug, I/O, verification)
*/
int (*f_rng)(void *);
void (*f_dbg)(void *, int, const char *);
int (*f_recv)(void *, unsigned char *, int);
int (*f_send)(void *, unsigned char *, int);
+ int (*f_vrfy)(void *, x509_cert *, int, int);
void *p_rng; /*!< context for the RNG function */
void *p_dbg; /*!< context for the debug function */
void *p_recv; /*!< context for reading operations */
void *p_send; /*!< context for writing operations */
+ void *p_vrfy; /*!< context for verification */
/*
* Session layer
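Review bot: The new members `int (*f_vrfy)(void *, x509_cert *, int, int);` and `void *p_vrfy;` must be cleared wherever an `ssl_context` is initialised, otherwise a caller that never invokes ssl_set_verify() leaves the verifier calling through an indeterminate function pointer; the initialiser is not in this diff, so please confirm ssl_init() zeroes the whole struct or add `ssl->f_vrfy = NULL; ssl->p_vrfy = NULL;` there. `f_vrfy` is also the one field in this group whose contract is not obvious from its name, so a trailing comment like `/*!< optional per-certificate verification callback, NULL = none */` alongside the existing `/*!< ... */` style would help. The enclosing `ssl_context` struct begins and ends outside this hunk.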
@@ -354,6 +356,23 @@
void ssl_set_authmode( ssl_context *ssl, int authmode );
/**
+ * \brief Set the verification callback (Optional).
+ *
+ * If set, the verification callback is called once for every
+ * certificate in the chain. The verification function has the
+ * following parameter: (void *parameter, x509_cert certificate,
+ * int certifcate_depth, int preverify_ok). It should
+ * return 0 on SUCCESS.
+ *
+ * \param ssl SSL context
+ * \param f_vrfy verification function
+ * \param p_vrfy verification parameter
+ */
+void ssl_set_verify( ssl_context *ssl,
+ int (*f_vrfy)(void *, x509_cert *, int, int),
+ void *p_vrfy );
+
+/**
* \brief Set the random number generator callback
*
* \param ssl SSL context
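Review bot: The callback contract in the new ssl_set_verify() doc comment is incomplete and partly inconsistent with the prototype: it lists `x509_cert certificate` where the declared type is `x509_cert *`, `certifcate_depth` is misspelled, and nothing says what a non-zero return does to the handshake or whether returning 0 can override a certificate whose `preverify_ok` already reports a failed signature/CRL/expiry check. Because "return 0 on success" is the reverse of the OpenSSL verify_callback convention most integrators know, this deserves an explicit sentence. Suggested wording: `The callback receives (void *p_vrfy, x509_cert *crt, int depth, int preverify_ok) for each certificate in the chain; return 0 to accept the certificate, non-zero to reject it and fail verification.` Whether a 0 return can rescue a certificate the built-in checks rejected depends on the x509parse.c implementation, which this diff does not show, so document the actual behaviour, and state the direction of `depth` (0 = end-entity or 0 = trust anchor) since that is the value a blacklist will key on.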
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 0df8433..c54fc2d 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -501,6 +501,8 @@
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
* \param flags result of the verification
+ * \param f_vrfy verification function
+ * \param p_vrfy verification parameter
*
* \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
* in which case *flags will have one or more of
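Review bot: The new `\param f_vrfy` / `\param p_vrfy` lines say nothing about whether the callback is optional or how a rejection surfaces to the caller, while the neighbouring `\param cn` line does document its NULL case. Suggest `\param f_vrfy verification function, called once for every certificate in the chain (can be set to NULL if no callback is needed)` and `\param p_vrfy opaque context passed unchanged to f_vrfy`. The `\return` text still lists only the pre-existing failure cause, so please also state which error code and which bit in `*flags` a non-zero callback return produces; that is decided by the implementation in x509parse.c, which this diff does not show, so it should be checked against it rather than assumed.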
@@ -515,7 +517,9 @@
int x509parse_verify( x509_cert *crt,
x509_cert *trust_ca,
x509_crl *ca_crl,
- const char *cn, int *flags );
+ const char *cn, int *flags,
+ int (*f_vrfy)(void *, x509_cert *, int, int),
+ void *p_vrfy );
/** @} name Functions to verify a certificate */