Return per-certificate chain if extra chain is NULL.

If an application calls the macro SSL_CTX_get_extra_chain_certs return either the old "shared" extra certificates or those associated with the current certificate. This means applications which call SSL_CTX_use_certificate_chain_file and retrieve the additional chain using SSL_CTX_get_extra_chain_certs will still work. An application which only wants to check the shared extra certificates can call the new macro SSL_CTX_get_extra_chain_certs_only (Imported from upstream's e0d4272a583c760ce008b661b79baf8b3ff24561 and 3bff195dca617c4ec1630945fef93b792b418cc8)
2014-06-20 12:00:00 -07:00 · 2014-06-20 12:00:00 -07:00 · b6333d600e
commit b6333d600e
parent 6d43d0c4d6
2 changed files with 6 additions and 1 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -3586,7 +3586,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		break;

 	case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
-		*(STACK_OF(X509) **)parg =  ctx->extra_certs;
+		if (ctx->extra_certs == NULL && larg == 0)
+			*(STACK_OF(X509) **)parg =  ctx->cert->key->chain;
+		else
+			*(STACK_OF(X509) **)parg =  ctx->extra_certs;
 		break;

 	case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -2020,6 +2020,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)