Message ID | 20190522064832.19996-1-santtu.lakkala@jolla.com |
---|---|
State | Changes Requested |
Headers | show |
Series | [v2] OpenSSL: Allow ca_cert_blob in PEM format | expand |
On Wed, May 22, 2019 at 09:48:32AM +0300, Santtu Lakkala wrote: > GnuTLS backend already accepts CA cert blobs in both DER and PEM formats. > Implement similar trial-and-error handling in OpenSSL backend. > --- Could you please read the top level CONTRIBUTIONS file (*) and provide a Signed-off-by: line for the commit message so that I can apply this? (*) http://w1.fi/cgit/hostap/plain/CONTRIBUTIONS
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index bf2407421..bf26f67ba 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2577,9 +2577,22 @@ static int tls_connection_ca_cert(struct tls_data *data, (const unsigned char **) &ca_cert_blob, ca_cert_blob_len); if (cert == NULL) { - tls_show_errors(MSG_WARNING, __func__, - "Failed to parse ca_cert_blob"); - return -1; + BIO *bio = BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len); + + if (bio != NULL) { + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + BIO_free(bio); + } + + if (cert == NULL) { + tls_show_errors(MSG_WARNING, __func__, + "Failed to parse ca_cert_blob"); + return -1; + } + + while (ERR_get_error()) { + /* Ignore errors from DER conversion. */ + } } if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),