Add flag to inhibit checking for alternate certificate chains. Setting this behaviour...

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5c67ae6c570f374294af27f79ede11ae4ec7695c..29dd86c783a444470d426d1145fe4fa4d2ac8e6a 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -302,10 +302,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
         /*
          * If we haven't got a least one certificate from our store then check
-         * if there is an alternative chain that could be used.
+         * if there is an alternative chain that could be used.  We only do this
+         * if the user hasn't switched off alternate chain checking
          */
         retry = 0;
-        if (j == ctx->last_untrusted) {
+        if (j == ctx->last_untrusted &&
+            !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
             while (j-- > 1) {
                 xtmp2 = sk_X509_value(ctx->chain, j - 1);
                 ok = ctx->get_issuer(&xtmp, ctx, xtmp2);

diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 1f8c0eccbf3478c38b945640f7f713daca0ecd72..aacdf55aa27981e7411d7aad1063c5d1a9e8470f 100644 (file)
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -405,6 +405,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define X509_V_FLAG_USE_DELTAS                  0x2000
 /* Check selfsigned CA signature */
 # define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
+ * this flag will force the behaviour to match that of previous versions.
+ */
+# define X509_V_FLAG_NO_ALT_CHAINS               0x100000
 
 # define X509_VP_FLAG_DEFAULT                    0x1
 # define X509_VP_FLAG_OVERWRITE                  0x2