Add |SSL_get_peer_full_cert_chain|.
This function always returns the full chain and will hopefully eliminate
the need for some code in Conscrypt.
Change-Id: Ib662005322c40824edf09d100a784ff00492896a
Reviewed-on: https://boringssl-review.googlesource.com/12780
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cffa827..2a76fe2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1388,6 +1388,20 @@
* If a client, it does. */
OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+/* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if
+ * unavailable or the peer did not use certificates. This is the unverified
+ * list of certificates as sent by the peer, not the final chain built during
+ * verification. For historical reasons, this value may not be available if
+ * resuming a serialized |SSL_SESSION|. The caller does not take ownership of
+ * the result.
+ *
+ * This is the same as |SSL_get_peer_cert_chain| except that this function
+ * always returns the full chain, i.e. the first element of the return value
+ * (if any) will be the leaf certificate. In constrast,
+ * |SSL_get_peer_cert_chain| returns only the intermediate certificates if the
+ * |ssl| is a server. */
+OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl);
+
/* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
* |*out_len| bytes of SCT information from the server. This is only valid if
* |ssl| is a client. The SCT information is a SignedCertificateTimestampList
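Review bot: The new comment on `SSL_get_peer_full_cert_chain` says the caller does not take ownership but never says how long the returned `STACK_OF(X509)` stays valid, and it has a typo: `In constrast` should read `In contrast`. The definition is not in this hunk, so I cannot tell which object owns the stack. A sentence naming the owner and the calls that may invalidate the pointer would keep callers from holding it past its lifetime. NULL also covers three different situations here (unavailable, no certificates used, resumed serialized session), so the comment could add `Callers must not treat NULL as proof that the peer sent no certificate.` Since the list is unverified, it is worth stating that trust decisions belong to the verification result, not to this chain.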