Add support for certificate stores in CERT structure. This makes it

possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.

ssl/s3_lib.c

@@ -3449,6 +3449,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			return 0;
 		return ssl3_set_req_cert_type(s->cert, parg, larg);
 
+	case SSL_CTRL_BUILD_CERT_CHAIN:
+		return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);
+
+	case SSL_CTRL_SET_VERIFY_CERT_STORE:
+		return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
+
+	case SSL_CTRL_SET_CHAIN_CERT_STORE:
+		return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
+
 	default:
 		break;
 		}
@@ -3746,6 +3755,15 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	case SSL_CTRL_SET_CLIENT_CERT_TYPES:
 		return ssl3_set_req_cert_type(ctx->cert, parg, larg);
 
+	case SSL_CTRL_BUILD_CERT_CHAIN:
+		return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);
+
+	case SSL_CTRL_SET_VERIFY_CERT_STORE:
+		return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
+
+	case SSL_CTRL_SET_CHAIN_CERT_STORE:
+		return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
+
 	case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:
 		ctx->tlsext_authz_server_audit_proof_cb_arg = parg;
 		break;