From b6333d600e0f54707cba962093ef3eca0312d6bc Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Fri, 20 Jun 2014 12:00:00 -0700 Subject: [PATCH] Return per-certificate chain if extra chain is NULL. If an application calls the macro SSL_CTX_get_extra_chain_certs return either the old "shared" extra certificates or those associated with the current certificate. This means applications which call SSL_CTX_use_certificate_chain_file and retrieve the additional chain using SSL_CTX_get_extra_chain_certs will still work. An application which only wants to check the shared extra certificates can call the new macro SSL_CTX_get_extra_chain_certs_only (Imported from upstream's e0d4272a583c760ce008b661b79baf8b3ff24561 and 3bff195dca617c4ec1630945fef93b792b418cc8) --- ssl/s3_lib.c | 5 ++++- ssl/ssl.h | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 8cc710c5..93107bbf 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3586,7 +3586,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: - *(STACK_OF(X509) **)parg = ctx->extra_certs; + if (ctx->extra_certs == NULL && larg == 0) + *(STACK_OF(X509) **)parg = ctx->cert->key->chain; + else + *(STACK_OF(X509) **)parg = ctx->extra_certs; break; case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: diff --git a/ssl/ssl.h b/ssl/ssl.h index 3066daa7..d4486187 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2020,6 +2020,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) #define SSL_CTX_get_extra_chain_certs(ctx,px509) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509) +#define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509) #define SSL_CTX_clear_extra_chain_certs(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)