Introduce configuration option to remove CRT verification callbacks
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e47c456..6aebc08 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7181,7 +7181,10 @@
ssl->hostname,
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&ssl->session_negotiate->verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ ssl->conf->f_vrfy, ssl->conf->p_vrfy,
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ rs_ctx );
if( verify_ret != 0 )
{
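Review bot: The trailing comment on the new `#endif` reads `/* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` although the guard it closes is `#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)`; the sibling guard two lines above closes with `/* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */`, so this one should be `#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` to keep the negation visible. Dropping the two callback arguments leaves `verify_result` and the following `verify_ret != 0` check untouched, so the outcome of chain validation itself is not weakened here; what disappears is only the application's per-certificate hook. The enclosing function starts and ends outside this hunk.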
@@ -8523,7 +8526,8 @@
#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
}
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
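Review bot: Guarding out `mbedtls_ssl_conf_verify` removes only the setter, while the `f_vrfy`/`p_vrfy` members it writes belong to `mbedtls_ssl_config`, whose definition is not part of this diff; if those members stay in the struct under this option they become dead state that an application could still populate directly, and nothing in the library would read it. The same `!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)` condition should wrap the two members and the public prototype in the header, otherwise a build with the option set either carries unused fields or breaks at link time for callers of the now-absent function — I cannot confirm from this diff whether that header change exists. The function body continues in the next hunk.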
@@ -8531,7 +8535,7 @@
conf->f_vrfy = f_vrfy;
conf->p_vrfy = p_vrfy;
}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if !defined(MBEDTLS_SSL_CONF_RNG)
void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
diff --git a/library/version_features.c b/library/version_features.c
index bb655c0..23aaa2a 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -576,6 +576,9 @@
#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
"MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION",
#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK",
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
diff --git a/library/x509.c b/library/x509.c
index 19cc64b..0eca059 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1250,11 +1250,20 @@
if( verbose != 0 )
mbedtls_printf( "passed\n X.509 signature verify: ");
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, NULL, NULL );
+#else
+ ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ NULL,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ &flags );
+#endif
+
if( ret != 0 )
{
if( verbose != 0 )
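Review bot: The two calls in the `#if`/`#else` pair differ only in the trailing `NULL, NULL`, so duplicating the whole call together with the nested hostname guard doubles the maintenance surface of the self-test; the `x509_crt.c` hunks of this same commit guard only the optional arguments, and the self-test should follow that shape. The bare `#endif` that closes the `#else` branch is also the only one in the commit without a trailing condition comment. Note that in both configurations the self-test passes no callback, so it exercises the same verification path either way, which is appropriate for a self-test.
```c
    ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
                                   NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
                                   &flags
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
                                   , NULL, NULL
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
                                   );
    /* … unchanged: ret != 0 handling … */
```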
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 0089ef2..730126b 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3590,9 +3590,12 @@
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
- uint32_t *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy )
+ uint32_t *flags
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)
+ , void *p_vrfy
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ )
{
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
&mbedtls_x509_crt_profile_default,
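Review bot: The `#endif` closing the optional parameter list is commented `/* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` while the guard is `#if !defined(...)`; the matching guard on the argument list in the following hunk is commented `/* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`, so this one should read `#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` as well. The leading-comma layout (`, int (*f_vrfy)(...)` / `, void *p_vrfy`) is what makes the trailing `)` land on its own line; a one-line comment above the guard, `/* callback parameters are compiled out with MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`, would make the unusual shape self-explanatory. The body of `mbedtls_x509_crt_verify` continues in the next hunk.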
@@ -3600,7 +3603,10 @@
cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
flags,
- f_vrfy, p_vrfy, NULL ) );
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ f_vrfy, p_vrfy,
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ NULL ) );
}
/*
@@ -3613,16 +3619,23 @@
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
- uint32_t *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy )
+ uint32_t *flags
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)
+ , void *p_vrfy
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ )
{
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
- flags, f_vrfy, p_vrfy, NULL ) );
+ flags,
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ f_vrfy, p_vrfy,
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ NULL ) );
}
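Review bot: Within this one function the two new `#endif` comments disagree: the parameter-list guard closes with `/* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */` and the argument-list guard with `/* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`, although both open with `#if !defined(...)`; the first should be changed to `#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`. Since `mbedtls_x509_crt_verify_with_profile` and the plain `mbedtls_x509_crt_verify` above now have configuration-dependent arity, the public prototypes in the header — not shown in this diff — must carry the identical guard or callers will silently mismatch.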
/*
@@ -3643,8 +3656,10 @@
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
mbedtls_x509_crt_restart_ctx *rs_ctx )
{
int ret;
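Review bot: The signature now changes shape with the build configuration, but nothing in the hunk records what callers lose when `MBEDTLS_X509_REMOVE_VERIFY_CALLBACK` is set. The callback type takes a `uint32_t *` flags argument, so presumably it is the hook through which an application adjusts verification flags per certificate (tightening or relaxing the library's result); once it is compiled out, `*flags` after return is the only place application policy can be applied, and a comment above the guard should say so, e.g. `/* With MBEDTLS_X509_REMOVE_VERIFY_CALLBACK no per-certificate hook runs; callers must apply any extra policy to *flags after return. */`. The body of `mbedtls_x509_crt_verify_restartable` continues outside this hunk.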
@@ -3702,7 +3717,11 @@
ver_chain.items[0].flags |= ee_flags;
/* Build final flags, calling callback on the way if any */
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
+#else
+ ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, NULL, NULL );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
exit:
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
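Review bot: The comment `/* Build final flags, calling callback on the way if any */` is no longer accurate in the removed configuration, and the `#else` branch keeps the callback machinery alive by calling `x509_crt_merge_flags_with_cb( flags, &ver_chain, NULL, NULL )`; if the option is meant to remove the callback code, the static helper (outside this hunk) should lose its two callback parameters under the same guard rather than be passed NULLs. I am assuming from its name that with a NULL callback the helper simply folds the per-certificate flags into `*flags`; its body is not visible here, so that should be confirmed. At minimum the comment should become `/* Build final flags from the chain; the per-certificate callback runs here unless compiled out */`. The enclosing function starts outside this hunk.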