Allow users of the |CRYPTO_BUFFER|-based methods to verify certs after the handshake. Previously, the |CRYPTO_BUFFER|-based methods always rejected certificate chains because none of the current callbacks is suitable to use. In the medium-term, we want an async callback for this but, for now, we would like to get Chromium working. Chromium already installs a no-op callback (except for the logic that was moved into BoringSSL in a58baaf9e68f887a9e1daf88cb25d911a376851f) and so this hack will suffice for Chromium. Change-Id: Ie44b7b32b9e42f503c47b072e958507754136d72 Reviewed-on: https://boringssl-review.googlesource.com/14125 Commit-Queue: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 7ead554..856fba2 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -1598,6 +1598,10 @@ ctx->signed_cert_timestamps_enabled = 1; } +void SSL_CTX_i_promise_to_verify_certs_after_the_handshake(SSL_CTX *ctx) { + ctx->i_promise_to_verify_certs_after_the_handshake = 1; +} + void SSL_enable_signed_cert_timestamps(SSL *ssl) { ssl->signed_cert_timestamps_enabled = 1; }