Adding delayed server cert verification to client state machine
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index cec2f09..eaba905 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -4218,6 +4218,11 @@
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
{
int ret = 0;
+#if defined(MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION)
+ void *rs_ctx = NULL;
+ int authmode;
+ mbedtls_x509_crt *chain = NULL;
+#endif /* MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */
if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -4310,6 +4315,29 @@
break;
case MBEDTLS_SSL_CLIENT_FINISHED:
+
+#if defined(MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION)
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+ ? ssl->handshake->sni_authmode
+ : mbedtls_ssl_conf_get_authmode( ssl->conf );
+#else
+ authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
+#endif
+/* authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+ ? ssl->handshake->sni_authmode
+ : ssl->conf->authmode;
+*/
+ chain = ssl->session_negotiate->peer_cert;
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "execute delayed server certificate verification" ) );
+
+ ret = ssl_parse_delayed_certificate_verify( ssl, authmode,
+ chain, rs_ctx );
+ if( ret != 0 )
+ break;
+#endif /* MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */
+
ret = mbedtls_ssl_write_finished( ssl );
break;