Re-implement verify chain if vrfy cbs are disabled

This commit re-implements the previously introduced internal verification chain API in the case where verification callbacks are disabled. In this situation, it is not necessary to maintain the list of individual certificates and flags comprising the verification chain - instead, it suffices to just keep track of the length and the total (=merged) flags.
2026-05-11 14:38:17 +02:00 · 2019-08-16 17:18:15 +01:00
parent adc282a5e8
commit 8d6d320603
2 changed files with 70 additions and 0 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -214,6 +214,8 @@ typedef struct mbedtls_x509write_cert
 mbedtls_x509write_cert;
 #endif /* MBEDTLS_X509_CRT_WRITE_C */

+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+
 /**
 * Item in a verification chain: cert and flags for it
 */
@@ -236,6 +238,16 @@ typedef struct
    unsigned len;
 } mbedtls_x509_crt_verify_chain;

+#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
+typedef struct
+{
+    unsigned len;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain;
+
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)

 /**