Import “altchains” support. This change imports the following changes from upstream: 6281abc79623419eae6a64768c478272d5d3a426 dfd3322d72a2d49f597b86dab6f37a8cf0f26dbf f34b095fab1569d093b639bfcc9a77d6020148ff 21376d8ae310cf0455ca2b73c8e9f77cafeb28dd 25efcb44ac88ab34f60047e16a96c9462fad39c1 56353962e7da7e385c3d577581ccc3015ed6d1dc 39c76ceb2d3e51eaff95e04d6e4448f685718f8d a3d74afcae435c549de8dbaa219fcb30491c1bfb These contain the “altchains” functionality which allows OpenSSL to backtrack when chain building. Change-Id: I8d4bc2ac67b90091f9d46e7355cae878b4ccf37d Reviewed-on: https://boringssl-review.googlesource.com/6905 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index b39ef49..bd7ded7 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -412,6 +412,11 @@ /* Allow partial chains if at least one certificate is in trusted store */ #define X509_V_FLAG_PARTIAL_CHAIN 0x80000 +/* If the initial chain is not trusted, do not attempt to build an alternative + * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag + * will force the behaviour to match that of previous versions. */ +#define X509_V_FLAG_NO_ALT_CHAINS 0x100000 + #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 #define X509_VP_FLAG_RESET_FLAGS 0x4
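Review bot: The comment added above `X509_V_FLAG_NO_ALT_CHAINS` describes the flag only by reference to an upstream release ("introduced in 1.0.2b", "previous versions"), so a caller of this tree cannot tell from the header what the default is. Because the flag is an opt-out, I would state that directly by replacing the last two sentences with `Alternate chain building is enabled by default; set this flag to disable it.` The code that tests the flag is not part of this hunk. The chain-building change presumably alters which certificate chains verify successfully, so it needs its own review, with tests for chains where the first candidate path is not trusted.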