From 843a00dec68c5c90fd00ce18dab975115fd9517d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 16 Aug 2024 09:53:41 +0200
Subject: [PATCH] Add support for context f_vrfy callback in 1.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This was only supported in 1.2 for no good reason.

Signed-off-by: Manuel Pégourié-Gonnard
---
 library/ssl_tls.c | 1 +
 library/ssl_tls13_generic.c | 17 +++++++++++++++--
 tests/ssl-opt.sh | 4 ++--
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 148924ab0d..7db0f6dd40 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7953,6 +7953,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 return 0;
 }
 
+ /* Verify callback: precedence order is SSL context, else conf struct. */
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
 void *p_vrfy;
 if (ssl->f_vrfy != NULL) {
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 6ea5e01d47..fb57aa4a75 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -695,6 +695,19 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 return 0;
 }
 
+ /* Verify callback: precedence order is SSL context, else conf struct. */
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+ void *p_vrfy;
+ if (ssl->f_vrfy != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
+ f_vrfy = ssl->f_vrfy;
+ p_vrfy = ssl->p_vrfy;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
+ f_vrfy = ssl->conf->f_vrfy;
+ p_vrfy = ssl->conf->p_vrfy;
+ }
+
 /*
 * Main check: verify certificate
 */
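Review bot: The callback-selection block added at the top of the ssl_tls13_generic.c hunk duplicates, line for line, the block this same commit annotates in ssl_tls.c, so the TLS 1.2 and 1.3 paths can quietly diverge the next time the precedence rule or the debug strings change. I would hoist it into a single `static inline` helper in the internal header both files include (ssl_misc.h, presumably — confirm) and reduce both sites to `ssl_get_verify_callback(ssl, &f_vrfy, &p_vrfy);`. Wherever it ends up, the comment should spell out that a context callback replaces the configuration one rather than chaining after it — that is what `if (ssl->f_vrfy != NULL)` implements, and it means a conf-level policy check (pinning, extra name matching) is silently bypassed once a per-context callback is installed — e.g. `/* A callback set on the ssl context replaces (does not chain with) the conf one. */`. The two level-3 `MBEDTLS_SSL_DEBUG_MSG` strings are what the ssl-opt.sh tests grep for, so they must stay byte-identical to the test expectations. ssl_tls13_validate_certificate() begins before this hunk and continues after it.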
@@ -710,7 +723,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 ssl->conf->cert_profile,
 ssl->hostname,
 &verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+ f_vrfy, p_vrfy);
 } else
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 {
@@ -737,7 +750,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 ssl->conf->cert_profile,
 ssl->hostname,
 &verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+ f_vrfy, p_vrfy);
 }
 
 if (ret != 0) {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5537662486..6b93fda4bf 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2724,7 +2724,7 @@ run_test "Single supported algorithm sending: openssl client" \
 # Tests for certificate verification callback
 run_test "Configuration-specific CRT verification callback" \
 "$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \
+ "$P_CLI context_crt_cb=0 debug_level=3" \
 0 \
 -S "error" \
 -c "Verify requested for " \
@@ -2734,7 +2734,7 @@ run_test "Configuration-specific CRT verification callback" \
 
 run_test "Context-specific CRT verification callback" \
 "$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \
+ "$P_CLI context_crt_cb=1 debug_level=3" \
 0 \
 -S "error" \
 -c "Verify requested for " \
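Review bot: Dropping `force_version=tls12` from both client commands in the ssl-opt.sh hunks means each test now exercises only whichever protocol version the default build negotiates, so one of the two paths this commit unifies (1.2 or 1.3) loses coverage depending on the build configuration. I would keep the tls12 pin on the existing pair and add a second pair pinned to 1.3, e.g. `"$P_CLI force_version=tls13 context_crt_cb=1 debug_level=3" \`, guarded the way this file guards other version-specific tests (presumably a `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3` line — confirm). The `-c "Verify requested for "` check visible on the last line only proves that some callback ran; which one ran is presumably decided by `-c`/`-C` greps on the "Use ...-specific verification callback" strings past the end of the hunk, and those must match the level-3 debug text in ssl_tls13_generic.c exactly. Both run_test invocations continue past the end of the hunk.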