From 564d88a8bd190a21b362d6da535fccf74d33394d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Dec 2019 10:55:33 +0100
Subject: openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains

Closes #4655
---
 lib/setopt.c       |  1 +
 lib/urldata.h      |  1 +
 lib/vtls/openssl.c | 14 ++++++++------
 3 files changed, 10 insertions(+), 6 deletions(-)

(limited to 'lib')

diff --git a/lib/setopt.c b/lib/setopt.c
index 64c29e333..d7b9ca285 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2133,6 +2133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     data->set.ssl.enable_beast =
       (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+    data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
     break;
 
 #ifndef CURL_DISABLE_PROXY
diff --git a/lib/urldata.h b/lib/urldata.h
index a70b2b09a..3effb1626 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -257,6 +257,7 @@ struct ssl_config_data {
   BIT(falsestart);
   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
   BIT(no_revoke);    /* disable SSL certificate revocation checks */
+  BIT(no_partialchain); /* don't accept partial certificate chains */
 };
 
 struct ssl_general_config {
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index fb725716c..726ff6e7c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2786,12 +2786,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
                          X509_V_FLAG_TRUSTED_FIRST);
 #endif
 #ifdef X509_V_FLAG_PARTIAL_CHAIN
-    /* Have intermediate certificates in the trust store be treated as
-       trust-anchors, in the same way as self-signed root CA certificates
-       are. This allows users to verify servers using the intermediate cert
-       only, instead of needing the whole chain. */
-    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
-                         X509_V_FLAG_PARTIAL_CHAIN);
+    if(!SSL_SET_OPTION(no_partialchain)) {
+      /* Have intermediate certificates in the trust store be treated as
+         trust-anchors, in the same way as self-signed root CA certificates
+         are. This allows users to verify servers using the intermediate cert
+         only, instead of needing the whole chain. */
+      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+                           X509_V_FLAG_PARTIAL_CHAIN);
+    }
 #endif
   }
 
-- 
cgit v1.2.3