generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Option to disable SSL auto chain build

Browse Source
This commit is contained in:
Dr. Stephen Henson 2003-02-12 17:06:02 +00:00
parent ea513641d0
commit cf56663fb7
3 changed files with 34 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
CHANGES
View File

@ -420,6 +420,24 @@ TODO: bug: pad x with leading zeros if necessary
Changes between 0.9.7 and 0.9.7a [XX xxx 2003] Changes between 0.9.7 and 0.9.7a [XX xxx 2003]
*) Allow an application to disable the automatic SSL chain building.
Before this a rather primitive chain build was always performed in
ssl3_output_cert_chain(): an application had no way to send the
correct chain if the automatic operation produced an incorrect result.
Now the chain builder is disabled if either:
1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
The reasoning behind this is that an application would not want the
auto chain building to take place if extra chain certificates are
present and it might also want a means of sending no additional
certificates (for example the chain has two certificates and the
root is omitted).
[Steve Henson]
*) Add the possibility to build without the ENGINE framework. *) Add the possibility to build without the ENGINE framework.
[Steven Reddie <smr@essemer.com.au> via Richard Levitte] [Steven Reddie <smr@essemer.com.au> via Richard Levitte]

15
ssl/s3_both.c
View File

@ -273,6 +273,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
X509_STORE_CTX xs_ctx; X509_STORE_CTX xs_ctx;
X509_OBJECT obj; X509_OBJECT obj;
int no_chain;
if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
no_chain = 1;
else
no_chain = 0;
/* TLSv1 sends a chain with nothing in it, instead of an alert */ /* TLSv1 sends a chain with nothing in it, instead of an alert */
buf=s->init_buf; buf=s->init_buf;
if (!BUF_MEM_grow_clean(buf,10)) if (!BUF_MEM_grow_clean(buf,10))
@ -282,7 +289,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
} }
if (x != NULL) if (x != NULL)
{ {
if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
{ {
SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
return(0); return(0);
@ -300,6 +307,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
l2n3(n,p); l2n3(n,p);
i2d_X509(x,&p); i2d_X509(x,&p);
l+=n+3; l+=n+3;
if (no_chain)
break;
if (X509_NAME_cmp(X509_get_subject_name(x), if (X509_NAME_cmp(X509_get_subject_name(x),
X509_get_issuer_name(x)) == 0) break; X509_get_issuer_name(x)) == 0) break;
@ -311,7 +322,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
* ref count */ * ref count */
X509_free(x); X509_free(x);
} }
if (!no_chain)
X509_STORE_CTX_cleanup(&xs_ctx); X509_STORE_CTX_cleanup(&xs_ctx);
} }

2
ssl/ssl.h
View File

@ -529,6 +529,8 @@ typedef struct ssl_session_st
/* Never bother the application with retries if the transport /* Never bother the application with retries if the transport
* is blocking: */ * is blocking: */
#define SSL_MODE_AUTO_RETRY 0x00000004L #define SSL_MODE_AUTO_RETRY 0x00000004L
/* Don't attempt to automatically build certificate chain */
#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,