Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs, return
either the old "shared" extra certificates or those associated
with the current certificate.
This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ed50be1..82f715b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3909,6 +3909,8 @@
case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = ctx->extra_certs;
+ if (parg == NULL && larg == 0)
+ *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
break;
case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
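Review bot: The fallback on the two added lines can never take effect, because the condition tests `parg == NULL` immediately after `*(STACK_OF(X509) **)parg` was written through on the preceding line; a NULL parg would already have faulted there, and a non-NULL parg makes the new branch dead, so SSL_CTX_get_extra_chain_certs still yields NULL when no shared extra certificates are set. The commit message says the per-certificate chain is wanted when the extra chain is NULL, so the test belongs on the stored value rather than the out-pointer: `if (ctx->extra_certs == NULL && larg == 0)`, with the assignment to `ctx->extra_certs` moved into an `else` so the two stores do not race each other. Since parg is a caller-supplied out-pointer, either reject NULL before the first write or state in a comment that it must be non-NULL. The enclosing switch statement starts and ends outside this hunk.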
diff --git a/ssl/ssl.h b/ssl/ssl.h
index ee5e996..296c166 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1985,6 +1985,8 @@
SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
#define SSL_CTX_clear_extra_chain_certs(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
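Review bot: The new macro differs from SSL_CTX_get_extra_chain_certs only in passing larg 1 instead of 0, and nothing in the header records what that value selects, so a reader of ssl.h cannot tell which variant falls back to the current certificate's chain. A comment above the pair would make the contract visible at the call site, e.g. `/* larg 0: fall back to the current certificate's chain when the shared extra_certs list is NULL; larg 1: return only the shared extra certificates */`. The surrounding macro list continues outside the hunk.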