From 017a06c7d1ed92a5dfbe2586ca96bef268c04895 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 27 Jan 2015 10:50:38 +0000
Subject: [PATCH] Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag.

Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.

Conflicts: apps/cms.c apps/ocsp.c apps/s_client.c apps/s_server.c apps/smime.c apps/verify.c

Reviewed-by: Rich Salz
---
apps/apps.c | 2 ++
apps/cms.c | 2 ++
apps/ocsp.c | 2 ++
apps/s_client.c | 2 ++
apps/s_server.c | 2 ++
apps/smime.c | 2 ++
apps/verify.c | 2 +-
7 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/apps/apps.c b/apps/apps.c
index 6d22a0802..7478fc379 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *pargc,
 flags |= X509_V_FLAG_SUITEB_192_LOS;
 else if (!strcmp(arg, "-partial_chain"))
 flags |= X509_V_FLAG_PARTIAL_CHAIN;
+ else if (!strcmp(arg, "-no_alt_chains"))
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
 else
 return 0;
diff --git a/apps/cms.c b/apps/cms.c
index d287a2ba4..60479374c 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -645,6 +645,8 @@ int MAIN(int argc, char **argv)
 BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
 BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
 BIO_printf(bio_err,
diff --git a/apps/ocsp.c b/apps/ocsp.c
index ebb3732cd..b858b8d3e 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
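Review bot: The new `-no_alt_chains` branch in args_verify sets a verification flag whose meaning is given only in the commit message, so a reader of apps.c cannot tell from the code what it changes or why an operator would want it; add `/* Use the first chain built; do not retry with alternative chains when it is untrusted */` above the new `else if`. Because the flag only removes the alternative-chain retry, it can make verification stricter but never accept a chain that would otherwise be rejected, which is worth saying in that comment so it is not mistaken for a relaxation. args_verify looks like the option parser shared by the apps whose usage text is updated in this commit; if any other caller of args_verify exists, its help output now lags the accepted options (inferred, not visible here). args_verify starts and ends outside the hunk.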
@@ -535,6 +535,8 @@ int MAIN(int argc, char **argv)
 "-CApath dir trusted certificates directory\n");
 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
 BIO_printf(bio_err, "-VAfile file validator certificates file\n");
 BIO_printf(bio_err,
diff --git a/apps/s_client.c b/apps/s_client.c
index d53bca14a..e55f2c5ab 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -331,6 +331,8 @@ static void sc_usage(void)
 " -pass arg - private key file pass phrase source\n");
 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
 BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n");
 BIO_printf(bio_err,
diff --git a/apps/s_server.c b/apps/s_server.c
index 2597e8c70..5d58fe0bd 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -553,6 +553,8 @@ static void sv_usage(void)
 BIO_printf(bio_err, " -state - Print the SSL states\n");
 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
 BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n");
 BIO_printf(bio_err,
diff --git a/apps/smime.c b/apps/smime.c
index 764509f23..6044ccf5f 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -441,6 +441,8 @@ int MAIN(int argc, char **argv)
 BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
 BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
 BIO_printf(bio_err,
diff --git a/apps/verify.c b/apps/verify.c
index b3ba53d97..78e729fc8 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
 if (ret == 1) {
 BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err, " [-attime timestamp]");
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
 BIO_printf(bio_err, " [-engine e]");
 #endif