From e0d4272a583c760ce008b661b79baf8b3ff24561 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 5 Feb 2014 16:56:58 +0000
Subject: [PATCH] Return per-certificate chain if extra chain is NULL.

If an application calls the macro SSL_CTX_get_extra_chain_certs return either the old "shared" extra certificates or those associated with the current certificate. This means applications which call SSL_CTX_use_certificate_chain_file and retrieve the additional chain using SSL_CTX_get_extra_chain_certs will still work. An application which only wants to check the shared extra certificates can call the new macro SSL_CTX_get_extra_chain_certs_only (cherry picked from commit a51f767645c117667d337f77fe1dd9c0a66d8410)
---
 ssl/s3_lib.c | 2 ++
 ssl/ssl.h | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index bb1d50810d..e35f18c5d8 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3915,6 +3915,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 
 	case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
 		*(STACK_OF(X509) **)parg = ctx->extra_certs;
+		if (parg == NULL && larg == 0)
+			*(STACK_OF(X509) **)parg = ctx->cert->key->chain;
 		break;
 
 	case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e46f8c967b..247d4cfb34 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1913,6 +1913,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
 
-- 
2.40.0
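Review bot: The added guard in the SSL_CTRL_GET_EXTRA_CHAIN_CERTS case tests the wrong pointer: `parg == NULL` can never be true at that point, because the context line immediately above already stores through `*(STACK_OF(X509) **)parg`, so a NULL parg would have faulted before the check and the fallback to the per-certificate chain is dead code. The condition the commit message describes ("if extra chain is NULL") is on the shared chain, so the line should read `if (ctx->extra_certs == NULL && larg == 0)`. A short comment above it would also help readers who see larg used as a flag here, e.g. `/* larg == 0: fall back to the current certificate's chain when no shared extra chain is set; larg != 0: shared chain only */`. The body of ssl3_ctx_ctrl starts and ends outside this hunk.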
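Review bot: The new SSL_CTX_get_extra_chain_certs_only macro in ssl.h differs from SSL_CTX_get_extra_chain_certs only by the larg value 1, and nothing in the header explains what that selects. A one-line comment above the new define would make the contract visible to callers, e.g. `/* Like SSL_CTX_get_extra_chain_certs but returns only the shared extra chain, never the per-certificate chain */`.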