diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2003-02-12 17:06:02 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2003-02-12 17:06:02 +0000 |
| commit | cf56663fb71ce279eb8ea603faf0a3c98cc7bc47 (patch) | |
| tree | 1cdf49d65353717e05dfd83005506bae9780c617 | |
| parent | ea513641d05cfaa3f787de4ad19fdf9307869ad3 (diff) | |
Option to disable SSL auto chain build
| -rw-r--r-- | CHANGES | 18 | ||||
| -rw-r--r-- | ssl/s3_both.c | 17 | ||||
| -rw-r--r-- | ssl/ssl.h | 2 |
3 files changed, 34 insertions, 3 deletions
@@ -420,6 +420,24 @@ TODO: bug: pad x with leading zeros if necessary Changes between 0.9.7 and 0.9.7a [XX xxx 2003] + *) Allow an application to disable the automatic SSL chain building. + Before this a rather primitive chain build was always performed in + ssl3_output_cert_chain(): an application had no way to send the + correct chain if the automatic operation produced an incorrect result. + + Now the chain builder is disabled if either: + + 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). + + 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. + + The reasoning behind this is that an application would not want the + auto chain building to take place if extra chain certificates are + present and it might also want a means of sending no additional + certificates (for example the chain has two certificates and the + root is omitted). + [Steve Henson] + *) Add the possibility to build without the ENGINE framework. [Steven Reddie <smr@essemer.com.au> via Richard Levitte] diff --git a/ssl/s3_both.c b/ssl/s3_both.c index a17b87273a..94df0e5c6c 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -273,6 +273,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) X509_STORE_CTX xs_ctx; X509_OBJECT obj; + int no_chain; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) + no_chain = 1; + else + no_chain = 0; + /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; if (!BUF_MEM_grow_clean(buf,10)) @@ -282,7 +289,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) } if (x != NULL) { - if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) + if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); return(0); @@ -300,6 +307,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) l2n3(n,p); i2d_X509(x,&p); l+=n+3; + + if (no_chain) + break; + if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) break; @@ -311,8 +322,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) * ref count */ X509_free(x); } - - X509_STORE_CTX_cleanup(&xs_ctx); + if (!no_chain) + X509_STORE_CTX_cleanup(&xs_ctx); } /* Thawte special :-) */ @@ -529,6 +529,8 @@ typedef struct ssl_session_st /* Never bother the application with retries if the transport * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L +/* Don't attempt to automatically build certificate chain */ +#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, |