Add async certificate verification callback.
This also serves as a certificate verification callback for
CRYPTO_BUFFER-based consumers. Remove the silly
SSL_CTX_i_promise_to_verify_certs_after_the_handshake placeholder.
Bug: 54, chromium:347402
Change-Id: I4c6b445cb9cd7204218acb2e5d1625e6f37aff6f
Reviewed-on: https://boringssl-review.googlesource.com/17964
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 7f961bf..9153dd7 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -494,6 +494,16 @@
static enum ssl_hs_wait_t do_process_server_certificate_verify(
SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+ switch (ssl_verify_peer_cert(hs)) {
+ case ssl_verify_ok:
+ break;
+ case ssl_verify_invalid:
+ return ssl_hs_error;
+ case ssl_verify_retry:
+ hs->tls13_state = state_process_server_certificate_verify;
+ return ssl_hs_certificate_verify;
+ }
+
if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
!tls13_process_certificate_verify(hs) ||
!ssl_hash_current_message(hs)) {
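Review bot: The new switch at the top of do_process_server_certificate_verify has no comment explaining the retry contract, and since the state is re-entered via `hs->tls13_state = state_process_server_certificate_verify`, a reader needs to know that ssl_verify_peer_cert is the first thing this state does, so re-entry re-polls the verifier without repeating any message processing. I would add above the switch: `// Verify the peer certificate before consuming CertificateVerify. On ssl_verify_retry this state is re-entered, so only the verifier is re-run.` The switch also relies on the enum being exhaustive to stay fail-closed; that matches the compiler-warning style used elsewhere in the file, but it is worth a one-line comment that any new ssl_verify_* value must be handled here rather than falling through to the message checks. The rest of the function body continues outside the hunk.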