Return per-certificate chain if extra chain is NULL.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 5 Feb 2014 16:56:58 +0000 (16:56 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 5 Feb 2014 17:06:56 +0000 (17:06 +0000)
If an application calls the macro SSL_CTX_get_extra_chain_certs, return
either the old "shared" extra certificates or, when none are set, those
associated with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only
(cherry picked from commit a51f767645c117667d337f77fe1dd9c0a66d8410)

ssl/s3_lib.c
ssl/ssl.h

index bb1d50810d541c1b36131e29c879ff040526c34d..e35f18c5d89c05d24b44def96b9e2ef3b521a233 100644 (file)
@@ -3915,6 +3915,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 
        case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
                *(STACK_OF(X509) **)parg =  ctx->extra_certs;
+               if (parg == NULL && larg == 0)
+                       *(STACK_OF(X509) **)parg =  ctx->cert->key->chain;
                break;
 
        case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
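Review bot: The added condition tests the output pointer `parg` rather than the value just stored through it, so the fallback to the per-certificate chain is never taken when `ctx->extra_certs` is NULL, and if `parg` really were NULL the line above has already dereferenced it before the check and the new line would dereference it again. The test that matches the commit description is on the shared stack itself: `if (ctx->extra_certs == NULL && larg == 0)`. It would also be worth a one-line comment above the check, e.g. `/* larg != 0: caller asked for the shared extra certs only (no fallback) */`, since the meaning of larg here is otherwise only recorded in ssl.h. ssl3_ctx_ctrl starts and ends outside the hunk, so the surrounding cases are not visible.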
index e46f8c967b69dc7ba21356c56a7cae2f87f4c0e5..247d4cfb348cdea4c3a68781296d05cdc6810c5f 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1913,6 +1913,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
        SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
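Review bot: The new SSL_CTX_get_extra_chain_certs_only macro differs from SSL_CTX_get_extra_chain_certs only in the larg argument (1 versus 0), and nothing in the header says what that flag selects; a reader has to find the switch case in ssl3_ctx_ctrl to learn it. A short comment above the pair would carry that contract, e.g. `/* larg 0: fall back to the current certificate's chain when no shared extra certs are set; larg 1: return the shared extra certs only (may be NULL) */`. Stating that the returned stack may be NULL matters for callers of the _only variant, which is presumably the case the new macro exists to expose.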