Add support for distinct certificate chains per key type and per SSL

structure. Before this the only way to add a custom chain was in the parent SSL_CTX (which is shared by all key types and SSL structures) or rely on auto chain building (which is performed on each handshake) from the trust store. (backport from HEAD)
2012-04-06 17:22:48 +00:00
parent 0ac89e8f54
commit 37b16c84bb
5 changed files with 145 additions and 7 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3350,6 +3350,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 #endif

 #endif /* !OPENSSL_NO_TLSEXT */
+
+	case SSL_CTRL_CHAIN:
+		if (larg)
+			return ssl_cert_set1_chain(s->cert,
+						(STACK_OF (X509) *)parg);
+		else
+			return ssl_cert_set0_chain(s->cert,
+						(STACK_OF (X509) *)parg);
+
+	case SSL_CTRL_CHAIN_CERT:
+		if (larg)
+			return ssl_cert_add1_chain_cert(s->cert, (X509 *)parg);
+		else
+			return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
+
 	default:
 		break;
 		}
@@ -3637,6 +3652,20 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 			}
 		break;

+	case SSL_CTRL_CHAIN:
+		if (larg)
+			return ssl_cert_set1_chain(ctx->cert,
+						(STACK_OF (X509) *)parg);
+		else
+			return ssl_cert_set0_chain(ctx->cert,
+						(STACK_OF (X509) *)parg);
+
+	case SSL_CTRL_CHAIN_CERT:
+		if (larg)
+			return ssl_cert_add1_chain_cert(ctx->cert, (X509 *)parg);
+		else
+			return ssl_cert_add0_chain_cert(ctx->cert, (X509 *)parg);
+
 	default:
 		return(0);
 		}