From cf1bf3f03250113c04dcfb929a1e83c744a14e9d Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 27 Jan 2015 10:35:27 +0000
Subject: [PATCH] Add flag to inhibit checking for alternate certificate chains.

Setting this behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Dr. Stephen Henson
Reviewed-by: Kurt Roeckx
---
 crypto/x509/x509_vfy.c | 6 ++++--
 crypto/x509/x509_vfy.h | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5c67ae6c57..29dd86c783 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -302,10 +302,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
         /*
          * If we haven't got a least one certificate from our store then check
-         * if there is an alternative chain that could be used.
+         * if there is an alternative chain that could be used. We only do this
+         * if the user hasn't switched off alternate chain checking
          */
         retry = 0;
-        if (j == ctx->last_untrusted) {
+        if (j == ctx->last_untrusted &&
+            !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
             while (j-- > 1) {
                 xtmp2 = sk_X509_value(ctx->chain, j - 1);
                 ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 1f8c0eccbf..aacdf55aa2 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -405,6 +405,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define X509_V_FLAG_USE_DELTAS 0x2000
 /* Check selfsigned CA signature */
 # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
+ * this flag will force the behaviour to match that of previous versions.
+ */
+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
 # define X509_VP_FLAG_DEFAULT 0x1
 # define X509_VP_FLAG_OVERWRITE 0x2
-- 
2.25.1
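Review bot: The new `!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)` test in the `if` is the only place the flag is consulted, and the comment above it does not say what happens to the chain when the search is skipped; a reader has to find the failure path outside the hunk to learn that the partially built chain is kept and verification presumably fails later with the usual untrusted-issuer error. I would extend the new comment with `* When the flag is set the chain is left as built and the normal trust check below decides the outcome.` so that the behavioural difference from the default is stated at the branch itself. The enclosing retry loop and the rest of X509_verify_cert begin and end outside this hunk, so that claim should be confirmed against the lines that follow. The pre-existing typo `a least one` in the context line could be fixed to `at least one` while this comment is being touched.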
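Review bot: The new `# define X509_V_FLAG_NO_ALT_CHAINS 0x100000` jumps from the preceding `0x4000` to `0x100000` with no comment explaining why the intermediate bit values are skipped. The gap is presumably left so the value does not collide with flags defined on other branches (the `X509_V_FLAG_*` values between `0x8000` and `0x80000` are not visible in this hunk), but a maintainer backporting a different flag has no way to know that from this file section. I would add a one-line comment before the define such as `/* 0x8000-0x80000 are reserved for flags defined elsewhere / on other branches; do not reuse */`. The new block comment could also note that the flag is meant to be set through the normal `X509_VERIFY_PARAM` flag interface, since that is how the `.c` hunk reads it via `ctx->param->flags`.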