commit fe7106755ee915301c2ac318bbff760547ff3214
author Jaeden Amero <jaeden.amero@arm.com> Tue Apr 16 15:03:12 2019 +0100
committer Jaeden Amero <jaeden.amero@arm.com> Tue Apr 16 15:05:18 2019 +0100
tree 2f42c642bdc7afdc018871fb23d33310e000a835
parent ff34d43720022b8f5e47f33a5e3ed0363616530f
parent 4031b314eddd677835d4cbb623a13778d8224620

Merge remote-tracking branch 'origin/pr/2539' into development

Resolve conflicts by performing the following:
  - Ensure calls to mbedtls_x509_crt_verify_* are made with callbacks

* origin/pr/2539:
  Make CRT callback tests more robust
  Rename constant in client2.c
  Fix typo
  Add test for configuration specific CRT callback
  Fix doxygen documentation of mbedtls_ssl_set_verify()
  Add test exercising context-specific CRT callback to ssl-opt.sh
  Add cmd to use context-specific CRT callback in ssl_client2
  Implement context-specific verification callbacks
  Add context-specific CRT verification callbacks
  Improve documentation of mbedtls_ssl_conf_verify()

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 09645cd..dac160d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6037,9 +6037,25 @@
         ssl->transform_negotiate->ciphersuite_info;
     int have_ca_chain = 0;
 
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;
+
     if( authmode == MBEDTLS_SSL_VERIFY_NONE )
         return( 0 );
 
+    if( ssl->f_vrfy != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
+        f_vrfy = ssl->f_vrfy;
+        p_vrfy = ssl->p_vrfy;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
+        f_vrfy = ssl->conf->f_vrfy;
+        p_vrfy = ssl->conf->p_vrfy;
+    }
+
     /*
      * Main check: verify certificate
      */
@@ -6057,7 +6073,7 @@
             ssl->conf->cert_profile,
             ssl->hostname,
             &ssl->session_negotiate->verify_result,
-            ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+            f_vrfy, p_vrfy );
     }
     else
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
@@ -6087,7 +6103,7 @@
             ssl->conf->cert_profile,
             ssl->hostname,
             &ssl->session_negotiate->verify_result,
-            ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+            f_vrfy, p_vrfy, rs_ctx );
     }
 
     if( ret != 0 )
@@ -7949,6 +7965,16 @@
 }
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    ssl->f_vrfy = f_vrfy;
+    ssl->p_vrfy = p_vrfy;
+}
+#endif
+
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 /*
  * Set EC J-PAKE password for current handshake