Introduce configuration option to remove CRT verification callbacks

commit: 9ec3fe0d4371b3d384b53da199775def7ab3abee [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Mon Jul 01 17:36:12 2019 +0100
committer: Hanno Becker <hanno.becker@arm.com> Mon Sep 09 09:55:31 2019 +0100
tree: 1b9623cc2ef68484502afb0a1befe907bb51db39
parent: 0e895727be97b3679e8bfef86a264e3300700db1 [diff]
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index dd50514..0f555b7 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c

@@ -1578,6 +1578,14 @@
     }
 #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
 
+#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+    if( strcmp( "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_VERIFY_CALLBACK );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
     if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
     {

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 788793a..6fa051a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -664,6 +664,8 @@
           !MBEDTLS_SSL_CONF_RECV_TIMEOUT */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
 static unsigned char peer_crt_info[1024];
 
 /*
@@ -704,6 +706,7 @@
 
     return( 0 );
 }
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
@@ -1894,8 +1897,10 @@
 #endif
     }
 
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
     mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
     memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
@@ -2316,10 +2321,11 @@
     else
         mbedtls_printf( " ok\n" );
 
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#if !defined(MBEDTLS_X509_REMOVE_INFO) && \
+    !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
     mbedtls_printf( "  . Peer certificate information    ...\n" );
     mbedtls_printf( "%s\n", peer_crt_info );
-#endif /* !MBEDTLS_X509_REMOVE_INFO */
+#endif /* !MBEDTLS_X509_REMOVE_INFO && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -2648,9 +2654,10 @@
         mbedtls_printf( "  . Restarting connection from same port..." );
         fflush( stdout );
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
         memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 
         if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
         {
@@ -2825,9 +2832,10 @@
 
         mbedtls_printf( "  . Reconnecting with saved session..." );
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
         memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 
         if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
         {

diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 74efea3..b82f83f 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c

@@ -129,6 +129,7 @@
 }
 #endif /* MBEDTLS_DEBUG_C */
 
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
 static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
 {
     char buf[1024];
@@ -148,6 +149,7 @@
 
     return( 0 );
 }
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 
 #if defined(MBEDTLS_SSL_CONF_RNG)
 int rng_wrap( void *ctx, unsigned char *dst, size_t len );
@@ -363,11 +365,21 @@
         {
             mbedtls_printf( "  . Verifying X.509 certificate..." );
 
-            if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+            ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
 #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
                                         NULL,
 #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
-                                        &flags, my_verify, NULL ) ) != 0 )
+                                        &flags,
+                                        my_verify, NULL );
+#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+            ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+                                           NULL,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+                                           &flags );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+            if( ret != 0 )
             {
                 char vrfy_buf[512];
 
@@ -436,7 +448,10 @@
         {
             mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
             mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
+
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
             mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
+#endif
         }
         else
             mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
commit	9ec3fe0d4371b3d384b53da199775def7ab3abee	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Mon Jul 01 17:36:12 2019 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Mon Sep 09 09:55:31 2019 +0100
tree	1b9623cc2ef68484502afb0a1befe907bb51db39
parent	0e895727be97b3679e8bfef86a264e3300700db1 [diff]