Commit dfd3322d authored by Matt Caswell's avatar Matt Caswell
Browse files

Add flag to inhibit checking for alternate certificate chains. Setting this 


behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 6281abc7

crypto/x509/x509_vfy.c

+4 −2
Original line number Diff line number Diff line
@@ -362,11 +362,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) 
        /*

         * If it's not explicitly trusted then check if there is an alternative

         * chain that could be used. We only do this if we haven't already

         * checked via TRUSTED_FIRST

         * checked via TRUSTED_FIRST and the user hasn't switched off alternate

         * chain checking

         */

        retry = 0;

        if (i != X509_TRUST_TRUSTED

            && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) {

            && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)

            && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {

            while (j-- > 1) {

                xtmp2 = sk_X509_value(ctx->chain, j - 1);

                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);

crypto/x509/x509_vfy.h

+6 −0
Original line number Diff line number Diff line
@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); 


/* Allow partial chains if at least one certificate is in trusted store */

# define X509_V_FLAG_PARTIAL_CHAIN               0x80000

/*

 * If the initial chain is not trusted, do not attempt to build an alternative

 * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag

 * will force the behaviour to match that of previous versions.

 */

# define X509_V_FLAG_NO_ALT_CHAINS               0x100000



# define X509_VP_FLAG_DEFAULT                    0x1

# define X509_VP_FLAG_OVERWRITE                  0x2