Add compile-time guard MBEDTLS_SSL_PREVERIFY_CB for pre-verify callback
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index be80332..845a299 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -600,6 +600,11 @@
#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_SSL_PREVERIFY_CB) && \
+ !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_PREVERIFY_CB defined, but not all prerequisites"
+#endif
+
#if defined(MBEDTLS_THREADING_PTHREAD)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b5905ef..dc3ba9d 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1437,6 +1437,15 @@
//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
/**
+ * \def MBEDTLS_SSL_PREVERIFY_CB
+ *
+ * Enable support for a pre-verification callback for received certificates.
+ *
+ * Uncomment this to enable support for the preverification callback
+ */
+//#define MBEDTLS_SSL_PREVERIFY_CB
+
+/**
* \def MBEDTLS_THREADING_ALT
*
* Provide your own alternate threading implementation.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 905460d..4d0d6a1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -627,7 +627,9 @@
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
+#endif
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
/** Callback to receive notification before X.509 chain building */
void (*f_pre_vrfy)(void *, mbedtls_x509_crt *);
void *p_pre_vrfy; /*!< context for pre-verify calllback */
@@ -1080,7 +1082,9 @@
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
/**
* \brief Set the pre-verification callback (Optional).
*
@@ -1095,7 +1099,7 @@
void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
void *p_pre_vrfy);
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_SSL_PREVERIFY_CB */
/**
* \brief Set the random number generator callback
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 199f3d3..55d145a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4628,11 +4628,13 @@
/*
* Main check: verify certificate
*/
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
if( ssl->conf->f_pre_vrfy != NULL )
{
ssl->conf->f_pre_vrfy( ssl->conf->p_pre_vrfy,
ssl->session_negotiate->peer_cert );
}
+#endif
ret = mbedtls_x509_crt_verify_with_profile(
ssl->session_negotiate->peer_cert,
ca_chain, ca_crl,
@@ -5882,7 +5884,9 @@
conf->f_vrfy = f_vrfy;
conf->p_vrfy = p_vrfy;
}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_PREVERIFY_CB)
void mbedtls_ssl_conf_pre_verify(mbedtls_ssl_config *conf,
void(*f_pre_vrfy)(void *, mbedtls_x509_crt *),
void *p_pre_vrfy)
@@ -5890,7 +5894,7 @@
conf->f_pre_vrfy = f_pre_vrfy;
conf->p_pre_vrfy = p_pre_vrfy;
}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_SSL_PREVERIFY_CB */
void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
int (*f_rng)(void *, unsigned char *, size_t),