From d7e8782493bda5a46e15fb13e492e89970fed909 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 2 Jan 2020 06:37:13 +0000
Subject: Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour.

In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra certs, unless there are none, in which case return the chain associated with the certificate. If you really just want the extra certs, including knowing if there are no extra certs, then you need to call SSL_CTX_get_extra_chain_certs_only()! And to make this even more entertaining, these functions are not documented in any OpenSSL release.

Reported by sephiroth-j on github, since the difference in behaviour apparently breaks OCSP stapling with nginx.

ok beck@ inoguchi@ tb@
---
 src/lib/libssl/s3_lib.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/s3_lib.c')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 2943842ce7..9adf257ff3 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.187 2019/10/04 17:21:24 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.188 2020/01/02 06:37:13 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2240,6 +2240,16 @@ _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
 
 static int
 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
+{
+ *certs = ctx->extra_certs;
+ if (*certs == NULL)
+ *certs = ctx->internal->cert->key->chain;
+
+ return 1;
+}
+
+static int
+_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
 {
 *certs = ctx->extra_certs;
 return 1;
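Review bot: The new fallback to `ctx->internal->cert->key->chain` in _SSL_CTX_get_extra_chain_certs is undocumented in the code, and since the commit message itself says OpenSSL never documented this behaviour, a comment is the only place a maintainer will learn that a non-NULL result may now be the active certificate's own chain rather than the extra certs. Suggest above the definition: `/* As in OpenSSL: return the extra certs, or the active certificate's chain when none are set; use _SSL_CTX_get_extra_chain_certs_only() to tell the two apart. */`. The stack handed back is still the context's internal one, not a copy, so a caller that appends to the returned stack now alters the certificate's chain instead of extra_certs; whether any caller does so is not visible here. Whether `ctx->internal->cert->key` can be NULL when this ctrl is reached is also not shown in the hunk; if it can, the fallback needs a guard before the dereference.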
@@ -2325,7 +2335,10 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
 
 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
- return _SSL_CTX_get_extra_chain_certs(ctx, parg);
+ if (larg == 0)
+ return _SSL_CTX_get_extra_chain_certs(ctx, parg);
+ else
+ return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
 
 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
 return _SSL_CTX_clear_extra_chain_certs(ctx);
-- 
cgit v1.2.3-55-g6feb
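Review bot: The `larg == 0` test in the SSL_CTRL_GET_EXTRA_CHAIN_CERTS case carries the whole distinction between the two public entry points, yet nothing in ssl3_ctx_ctrl says that larg is the selector, so a reader has to find the macro definitions to understand why a long argument decides which helper runs. A one-line comment before the test, `/* larg != 0 selects SSL_CTX_get_extra_chain_certs_only(). */`, would record that. The `else` after a `return` is redundant; `return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);` can simply follow the `if` body. ssl3_ctx_ctrl's body starts and ends outside this hunk.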