- A copy of the const peercert must be made in order to pass a non-const
public key to mbedtls_pk_write_pubkey_der.
FAIL: Currently this runs but all pinned key verification fails. I have
yet to debug it.
- More correct cleanup pattern for the copy of peer cert *p.
- Add some descriptive error messages where appropriate.
- Change name ret => result to eliminate variable shadowing warning.
- Remove comment about no peer cert on session resume, since that's not
true of mbedTLS (the comment was carried over from PolarSSL code).
- Allocate cert info buffer on heap instead of stack.
Prior to these changes: In draft 2 the code worked fine, however I
marked it as 'FAIL' because all my tests failed due to what I later
realized was just a copy&paste error on my part: I hadn't enabled
curlssl_sha256sum even though I was running the sha256// tests.
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.
2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.