
[v2] OpenSSL: Allow ca_cert_blob in PEM format

Message ID 20190522064832.19996-1-santtu.lakkala@jolla.com
State Changes Requested

Commit Message

Santtu Lakkala May 22, 2019, 6:48 a.m. UTC
GnuTLS backend already accepts CA cert blobs in both DER and PEM formats.
Implement similar trial-and-error handling in OpenSSL backend.
---
 src/crypto/tls_openssl.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

Comments

Jouni Malinen May 25, 2019, 1:09 p.m. UTC | #1
On Wed, May 22, 2019 at 09:48:32AM +0300, Santtu Lakkala wrote:
> GnuTLS backend already accepts CA cert blobs in both DER and PEM formats.
> Implement similar trial-and-error handling in OpenSSL backend.
> ---

Could you please read the top level CONTRIBUTIONS file (*) and provide a 
Signed-off-by: line for the commit message so that I can apply this?

(*) http://w1.fi/cgit/hostap/plain/CONTRIBUTIONS

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf2407421..bf26f67ba 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2577,9 +2577,22 @@  static int tls_connection_ca_cert(struct tls_data *data,
 				      (const unsigned char **) &ca_cert_blob,
 				      ca_cert_blob_len);
 		if (cert == NULL) {
-			tls_show_errors(MSG_WARNING, __func__,
-					"Failed to parse ca_cert_blob");
-			return -1;
+			BIO *bio = BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len);
+
+			if (bio != NULL) {
+				cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+				BIO_free(bio);
+			}
+
+			if (cert == NULL) {
+				tls_show_errors(MSG_WARNING, __func__,
+						"Failed to parse ca_cert_blob");
+				return -1;
+			}
+
+			while (ERR_get_error()) {
+				/* Ignore errors from DER conversion. */
+			}
 		}
 
 		if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
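Review bot: the PEM fallback only loads the first certificate in the blob, because `PEM_read_bio_X509(bio, NULL, NULL, NULL)` returns a single X509 and the code then passes that one object to `X509_STORE_add_cert`; a PEM ca_cert_blob is commonly a bundle of several CA certificates, so any certificate after the first is silently dropped, which is a behaviour gap compared with the DER path and, per the commit message, with the GnuTLS backend. Consider looping over `PEM_read_bio_X509` until it returns NULL and adding each certificate to the store, treating the end-of-data condition as success rather than as a parse failure. Two smaller points: the `while (ERR_get_error()) { }` loop that discards the stale DER errors can be replaced with the idiomatic `ERR_clear_error()`, and since the DER attempt receives `&ca_cert_blob` and the BIO is then built from `ca_cert_blob`, it is worth confirming that `d2i_X509` leaves the pointer untouched on failure so the PEM parse starts at the beginning of the blob.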