Update chain building function.

Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
is set return 2 so applications can issue warnings.
This commit is contained in:
Dr. Stephen Henson 2014-03-27 14:20:16 +00:00
parent 662239183d
commit 2dd6976f6d
3 changed files with 18 additions and 3 deletions

View file

@ -60,7 +60,9 @@ existing chain certificates as untrusted CAs, B<SSL_BUILD_CHAIN_FLAG_NO_ROOT>
to omit the root CA from the built chain, B<SSL_BUILD_CHAIN_FLAG_CHECK> to
use all existing chain certificates only to build the chain (effectively
sanity checking and rearranging them if necessary), the flag
B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification.
B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification:
if flag B<SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR> is also set verification errors
are cleared from the error queue.
Each of these functions operates on the I<current> end entity
(i.e. server or client) certificate. This is the last certificate loaded or
@ -113,6 +115,10 @@ For example an application can add any set of certificates using
SSL_CTX_use_certificate_chain_file() then call SSL_CTX_build_cert_chain()
with the option B<SSL_BUILD_CHAIN_FLAG_CHECK> to check and reorder them.
Applications can issue non fatal warnings when checking chains by setting
the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS> and checking the return
value.
Calling SSL_CTX_build_cert_chain() or SSL_build_cert_chain() is more
efficient than the automatic chain building as it is only performed once.
Automatic chain building is performed on each new session.
@ -126,6 +132,10 @@ SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if
no server certificate is used because the ciphersuites is anonymous and 0
for failure.
SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success
and 0 for failure. If the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> and
a verification error occurs then 2 is returned.
All other functions return 1 for success and 0 for failure.
=back

View file

@ -787,6 +787,8 @@ struct ssl_session_st
#define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
/* Ignore verification errors */
#define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
/* Clear verification errors from queue */
#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
/* Flags returned by SSL_check_chain */
/* Certificate can be used with this session */

View file

@ -1538,8 +1538,10 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
i = X509_verify_cert(&xs_ctx);
if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)
{
ERR_clear_error();
if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
ERR_clear_error();
i = 1;
rv = 2;
}
if (i > 0)
chain = X509_STORE_CTX_get1_chain(&xs_ctx);
@ -1574,7 +1576,8 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
}
}
cpk->chain = chain;
rv = 1;
if (rv == 0)
rv = 1;
err:
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
X509_STORE_free(chain_store);