From cf56663fb71ce279eb8ea603faf0a3c98cc7bc47 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 12 Feb 2003 17:06:02 +0000 Subject: [PATCH 1/1] Option to disable SSL auto chain build --- CHANGES | 18 ++++++++++++++++++ ssl/s3_both.c | 17 ++++++++++++++--- ssl/ssl.h | 2 ++ 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index d3765179a9..cde8cca58b 100644 --- a/CHANGES +++ b/CHANGES @@ -420,6 +420,24 @@ TODO: bug: pad x with leading zeros if necessary Changes between 0.9.7 and 0.9.7a [XX xxx 2003] + *) Allow an application to disable the automatic SSL chain building. + Before this a rather primitive chain build was always performed in + ssl3_output_cert_chain(): an application had no way to send the + correct chain if the automatic operation produced an incorrect result. + + Now the chain builder is disabled if either: + + 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). + + 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. + + The reasoning behind this is that an application would not want the + auto chain building to take place if extra chain certificates are + present and it might also want a means of sending no additional + certificates (for example the chain has two certificates and the + root is omitted). + [Steve Henson] + *) Add the possibility to build without the ENGINE framework. [Steven Reddie via Richard Levitte] diff --git a/ssl/s3_both.c b/ssl/s3_both.c index a17b87273a..94df0e5c6c 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -273,6 +273,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) X509_STORE_CTX xs_ctx; X509_OBJECT obj; + int no_chain; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) + no_chain = 1; + else + no_chain = 0; + /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; if (!BUF_MEM_grow_clean(buf,10)) @@ -282,7 +289,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) } if (x != NULL) { - if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) + if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); return(0); @@ -300,6 +307,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) l2n3(n,p); i2d_X509(x,&p); l+=n+3; + + if (no_chain) + break; + if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) break; @@ -311,8 +322,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) * ref count */ X509_free(x); } - - X509_STORE_CTX_cleanup(&xs_ctx); + if (!no_chain) + X509_STORE_CTX_cleanup(&xs_ctx); } /* Thawte special :-) */ diff --git a/ssl/ssl.h b/ssl/ssl.h index 466b8a7122..97b313fd87 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -529,6 +529,8 @@ typedef struct ssl_session_st /* Never bother the application with retries if the transport * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L +/* Don't attempt to automatically build certificate chain */ +#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, -- 2.34.1