Commit cf1bf3f0 authored by Matt Caswell's avatar Matt Caswell Committed by Kurt Roeckx

Add flag to inhibit checking for alternate certificate chains. Setting this...


Add flag to inhibit checking for alternate certificate chains. Setting this flag forces the behaviour of previous versions of OpenSSL

Reviewed-by: default avatarDr. Stephen Henson <steve@openssl.org>
Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
parent f7bf8e02
+4 −2
@@ -302,10 +302,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)

        /*
         * If we haven't got a least one certificate from our store then check
         * if there is an alternative chain that could be used.
         * if there is an alternative chain that could be used.  We only do this
         * if the user hasn't switched off alternate chain checking
         */
        retry = 0;
        if (j == ctx->last_untrusted) {
        if (j == ctx->last_untrusted &&
            !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
            while (j-- > 1) {
                xtmp2 = sk_X509_value(ctx->chain, j - 1);
                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
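Review bot: The rewritten comment above the guard says the user may have "switched off alternate chain checking" but does not name the flag or where it is read, which is the one thing a maintainer will look for when tracing why the alt-chain loop was skipped; since the comment is already being edited, `* if the user hasn't switched off alternate chain checking` would be clearer as `* unless X509_V_FLAG_NO_ALT_CHAINS is set in ctx->param->flags`, and the pre-existing typo `a least one` on the first comment line can be fixed to `at least one` in the same touch. The guard itself is consistent with how the other X509_V_FLAG_* bits are consulted through ctx->param->flags, so no behavioural concern there. Presumably the new flag should also be exposed through the verify(1)/X509_VERIFY_PARAM_set_flags(3) documentation and a command-line switch; that is not visible in this commit, so confirm it is covered elsewhere. X509_verify_cert both starts and ends outside this hunk.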
+6 −0
@@ -405,6 +405,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_V_FLAG_USE_DELTAS                  0x2000
/* Check selfsigned CA signature */
# define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
/*
 * If the initial chain is not trusted, do not attempt to build an alternative
 * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
 * this flag will force the behaviour to match that of previous versions.
 */
# define X509_V_FLAG_NO_ALT_CHAINS               0x100000

# define X509_VP_FLAG_DEFAULT                    0x1
# define X509_VP_FLAG_OVERWRITE                  0x2
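Review bot: The new constant jumps from the previous highest flag in this table, X509_V_FLAG_CHECK_SS_SIGNATURE at 0x4000, straight to 0x100000 with nothing explaining the unused bits in between, so the next person adding a flag has no way to know whether 0x8000..0x80000 are free. This looks like deliberate alignment with flag values assigned on another branch, but that cannot be confirmed from this header; a one-line note such as `/* 0x8000..0x80000 reserved: values in use on later branches, keep NO_ALT_CHAINS in sync */` placed above the define would make the intent explicit. The explanatory comment on the flag is otherwise good, and noting the introducing releases is helpful for anyone deciding whether to set it.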