From c13eba970c7d2c1ca1695d1df8b2419368cf82f8 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 12 Feb 2003 17:05:17 +0000 Subject: [PATCH] Option to disable auto SSL chain building. --- CHANGES | 18 ++++++++++++++++++ ssl/s3_both.c | 17 ++++++++++++++--- ssl/ssl.h | 2 ++ 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 303d15ec28..5cf2b565bd 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,24 @@ Changes between 0.9.7 and 0.9.7a [XX xxx 2003] + *) Allow an application to disable the automatic SSL chain building. + Before this a rather primitive chain build was always performed in + ssl3_output_cert_chain(): an application had no way to send the + correct chain if the automatic operation produced an incorrect result. + + Now the chain builder is disabled if either: + + 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). + + 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. + + The reasoning behind this is that an application would not want the + auto chain building to take place if extra chain certificates are + present and it might also want a means of sending no additional + certificates (for example the chain has two certificates and the + root is omitted). + [Steve Henson] + *) Add the possibility to build without the ENGINE framework. [Steven Reddie via Richard Levitte] diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 38a7152814..64d317b7ac 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -268,6 +268,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) X509_STORE_CTX xs_ctx; X509_OBJECT obj; + int no_chain; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) + no_chain = 1; + else + no_chain = 0; + /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; if (!BUF_MEM_grow_clean(buf,10)) @@ -277,7 +284,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) } if (x != NULL) { - if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) + if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); return(0); @@ -295,6 +302,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) l2n3(n,p); i2d_X509(x,&p); l+=n+3; + + if (no_chain) + break; + if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) break; @@ -306,8 +317,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) * ref count */ X509_free(x); } - - X509_STORE_CTX_cleanup(&xs_ctx); + if (!no_chain) + X509_STORE_CTX_cleanup(&xs_ctx); } /* Thawte special :-) */ diff --git a/ssl/ssl.h b/ssl/ssl.h index fe6ad6593e..4ae8458259 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -521,6 +521,8 @@ typedef struct ssl_session_st /* Never bother the application with retries if the transport * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L +/* Don't attempt to automatically build certificate chain */ +#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, -- 2.25.1