Introduce configuration option to remove CRT verification callbacks
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f32498b..22b6e54 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2019,6 +2019,17 @@
//#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
/**
+ * \def MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
+ *
+ * Remove support for X.509 certificate verification callbacks.
+ *
+ * Uncomment to save some bytes of code by removing support for X.509
+ * certificate verification callbacks in mbedtls_x509_crt_verify() and
+ * related verification API.
+ */
+#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
+
+/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
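Review bot: The new option is defined unconditionally at line 17 (`#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK`), while its own doc comment says "Uncomment to save some bytes" and the sibling option directly above it ships commented out (`//#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION`). As written, the default configuration drops the verification callbacks and changes the signature of mbedtls_x509_crt_verify() for every user, the opposite of an opt-in size reduction. The line should read `//#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK`. The doc comment should also state that enabling the option removes the f_vrfy/p_vrfy parameters from the verification functions and removes mbedtls_ssl_conf_verify(), since that is an API change rather than a purely internal saving.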
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 40ad4b1..db5465a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1033,7 +1033,8 @@
void *p_sni; /*!< context for SNI callback */
#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
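Review bot: The `#endif` that closes the f_vrfy/p_vrfy member block lies below this hunk, and if it still carries the comment `/* MBEDTLS_X509_CRT_PARSE_C */` it no longer matches the condition introduced at lines 31-32. The later hunk in this file updates the equivalent comment for mbedtls_ssl_conf_verify() to `/* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`, and the struct block should be kept in step. The enclosing struct definition starts and ends outside the hunk.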
@@ -1588,7 +1589,8 @@
*/
void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
/**
* \brief Set the verification callback (Optional).
*
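Review bot: The new guard at lines 40-41 has no `|| defined(DOXYGEN_ONLY)` alternative, unlike the hostname-verification guard used in x509_crt.h (`#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)`), so a documentation build with the option set silently drops mbedtls_ssl_conf_verify() from the generated API reference. Suggest `#if defined(MBEDTLS_X509_CRT_PARSE_C) && \` followed by `    ( !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) )`. The same omission appears in the struct guard at lines 31-32 and in the x509_crt.h parameter guards at lines 73, 88 and 101. The doc comment for mbedtls_ssl_conf_verify() continues outside the hunk.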
@@ -1603,7 +1605,7 @@
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if !defined(MBEDTLS_SSL_CONF_RNG)
/**
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 182ab15..f0801df 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -502,14 +502,17 @@
* verification process.
*/
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
- mbedtls_x509_crt *trust_ca,
- mbedtls_x509_crl *ca_crl,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
- const char *cn,
+ const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
- uint32_t *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy );
+ uint32_t *flags
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ );
/**
* \brief Verify the certificate signature according to profile
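Review bot: The `\param f_vrfy` and `\param p_vrfy` entries in the doc comment above this prototype sit outside the hunk and, from what is visible, are not updated to say that the parameters exist only when MBEDTLS_X509_REMOVE_VERIFY_CALLBACK is not defined; each should get a note such as `(only present if MBEDTLS_X509_REMOVE_VERIFY_CALLBACK is not defined)`, as was presumably done for `cn`. Lines 61-67 appear to be whitespace-only re-indentation of unchanged parameters mixed into a functional change, which makes the real change harder to read; the same occurs in the next hunk. The restartable variant in the third hunk places the callback parameters with a trailing comma before `rs_ctx` while this hunk uses a leading comma after `flags`; both are valid, but using the leading-comma form in all three prototypes would keep the file uniform. The doc comment for mbedtls_x509_crt_verify() starts outside the hunk.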
@@ -545,9 +548,12 @@
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
- uint32_t *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy );
+ uint32_t *flags
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ );
/**
* \brief Restartable version of \c mbedtls_crt_verify_with_profile()
@@ -579,8 +585,10 @@
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy,
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy,
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
mbedtls_x509_crt_restart_ctx *rs_ctx );
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)