Return per-certificate chain if extra chain is NULL.

If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ed50be1819cac2857d4c5b51d898b34ce094269a..82f715bfd0c1fd1d998266bb9a5672d6a331d9a4 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3909,6 +3909,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 
        case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
                *(STACK_OF(X509) **)parg =  ctx->extra_certs;
+               if (parg == NULL && larg == 0)
+                       *(STACK_OF(X509) **)parg =  ctx->cert->key->chain;
                break;
 
        case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:

diff --git a/ssl/ssl.h b/ssl/ssl.h
index ee5e99694a32ab7c6e17fedbf53c2877cf8c3835..296c1660b18a40fcddc02a512a459755c5dcf0d0 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1985,6 +1985,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
        SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)