Option to disable SSL auto chain build

cf56663f · Dr. Stephen Henson · ea513641 · cf56663f · cf56663f · cf56663f
隐藏空白更改
内联并排

Showing with 34 addition and 3 deletion

CHANGES CHANGES +18 -0

ssl/s3_both.c ssl/s3_both.c +14 -3

ssl/ssl.h ssl/ssl.h +2 -0

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -420,6 +420,24 @@ TODO: bug: pad  x  with leading zeros if necessary

 Changes between 0.9.7 and 0.9.7a  [XX xxx 2003]

+  *) Allow an application to disable the automatic SSL chain building.
+     Before this a rather primitive chain build was always performed in
+     ssl3_output_cert_chain(): an application had no way to send the 
+     correct chain if the automatic operation produced an incorrect result.
+
+     Now the chain builder is disabled if either:
+
+     1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
+
+     2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
+
+     The reasoning behind this is that an application would not want the
+     auto chain building to take place if extra chain certificates are
+     present and it might also want a means of sending no additional
+     certificates (for example the chain has two certificates and the
+     root is omitted).
+     [Steve Henson]
+
  *) Add the possibility to build without the ENGINE framework.
     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]


--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -273,6 +273,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
 	X509_STORE_CTX xs_ctx;
 	X509_OBJECT obj;

+	int no_chain;
+
+	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+		no_chain = 1;
+	else
+		no_chain = 0;
+
 	/* TLSv1 sends a chain with nothing in it, instead of an alert */
 	buf=s->init_buf;
 	if (!BUF_MEM_grow_clean(buf,10))
@@ -282,7 +289,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
 		}
 	if (x != NULL)
 		{
-		if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+		if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
 			{
 			SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
 			return(0);
@@ -300,6 +307,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
 			l2n3(n,p);
 			i2d_X509(x,&p);
 			l+=n+3;
+
+			if (no_chain)
+				break;
+
 			if (X509_NAME_cmp(X509_get_subject_name(x),
 				X509_get_issuer_name(x)) == 0) break;

@@ -311,8 +322,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
 			 * ref count */
 			X509_free(x);
 			}
-
-		X509_STORE_CTX_cleanup(&xs_ctx);
+		if (!no_chain)
+			X509_STORE_CTX_cleanup(&xs_ctx);
 		}

 	/* Thawte special :-) */

--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -529,6 +529,8 @@ typedef struct ssl_session_st
 /* Never bother the application with retries if the transport
 * is blocking: */
 #define SSL_MODE_AUTO_RETRY 0x00000004L
+/* Don't attempt to automatically build certificate chain */
+#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L


 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,