Option to disable auto SSL chain building.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 12 Feb 2003 17:05:17 +0000 (17:05 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 12 Feb 2003 17:05:17 +0000 (17:05 +0000)
CHANGES
ssl/s3_both.c
ssl/ssl.h

diff --git a/CHANGES b/CHANGES
index 303d15ec28e4471360e9ce1a21654c89319bced3..5cf2b565bd76ada4f2c6c2511cd76c5345da7f0b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,24 @@
 
  Changes between 0.9.7 and 0.9.7a  [XX xxx 2003]
 
+  *) Allow an application to disable the automatic SSL chain building.
+     Before this a rather primitive chain build was always performed in
+     ssl3_output_cert_chain(): an application had no way to send the 
+     correct chain if the automatic operation produced an incorrect result.
+
+     Now the chain builder is disabled if either:
+
+     1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
+
+     2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
+
+     The reasoning behind this is that an application would not want the
+     auto chain building to take place if extra chain certificates are
+     present and it might also want a means of sending no additional
+     certificates (for example the chain has two certificates and the
+     root is omitted).
+     [Steve Henson]
+
   *) Add the possibility to build without the ENGINE framework.
      [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
 
index 38a7152814ffb71ce2ec4bc7924cb8a1ce1f3762..64d317b7ac351fb7f43479ce9a11e3ec12884264 100644 (file)
@@ -268,6 +268,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
        X509_STORE_CTX xs_ctx;
        X509_OBJECT obj;
 
+       int no_chain;
+
+       if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+               no_chain = 1;
+       else
+               no_chain = 0;
+
        /* TLSv1 sends a chain with nothing in it, instead of an alert */
        buf=s->init_buf;
        if (!BUF_MEM_grow_clean(buf,10))
@@ -277,7 +284,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                }
        if (x != NULL)
                {
-               if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+               if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
                        {
                        SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
                        return(0);
@@ -295,6 +302,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                        l2n3(n,p);
                        i2d_X509(x,&p);
                        l+=n+3;
+
+                       if (no_chain)
+                               break;
+
                        if (X509_NAME_cmp(X509_get_subject_name(x),
                                X509_get_issuer_name(x)) == 0) break;
 
@@ -306,8 +317,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                         * ref count */
                        X509_free(x);
                        }
-
-               X509_STORE_CTX_cleanup(&xs_ctx);
+               if (!no_chain)
+                       X509_STORE_CTX_cleanup(&xs_ctx);
                }
 
        /* Thawte special :-) */
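Review bot: `no_chain` does double duty as the record of whether `xs_ctx` was initialised — the guard `if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))`, the early `if (no_chain) break;` in the loop and the guarded `X509_STORE_CTX_cleanup(&xs_ctx)` all rely on it, yet nothing at the declaration says so, and the issuer lookup that follows the `break` (outside this hunk) would presumably be handed the uninitialised context if that `break` were ever moved below it. I would fold the four-line if/else into the declaration and state the invariant there: `/* When set only the end entity certificate is sent and xs_ctx is never initialised. */` followed by `int no_chain = (s->mode & SSL_MODE_NO_AUTO_CHAIN) || (s->ctx->extra_certs != NULL);`. ssl3_output_cert_chain() begins before the first hunk and its body continues past the last one.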
index fe6ad6593e73ff86a5df9fb8f5a8d2841a12ed9a..4ae84582594990df9173aeef93d8b90c376d14d4 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -521,6 +521,8 @@ typedef struct ssl_session_st
 /* Never bother the application with retries if the transport
  * is blocking: */
 #define SSL_MODE_AUTO_RETRY 0x00000004L
+/* Don't attempt to automatically build certificate chain */
+#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
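Review bot: The comment on `SSL_MODE_NO_AUTO_CHAIN` says what is not done but not what is sent instead, nor that the CHANGES entry describes a second trigger: certificates added with SSL_CTX_add_extra_chain_cert() disable the builder as well. Suggest `/* Don't attempt to automatically build certificate chain: only the end entity certificate is added by the builder. Also implied once extra chain certs have been added via SSL_CTX_add_extra_chain_cert(). */` so callers can tell which effect they will get.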