OpenSSL/BoringSSL: Read certificate chain from client_cert on Android
authorPaul Stewart <pstew@google.com>
Wed, 25 Jan 2017 21:59:16 +0000 (13:59 -0800)
committerJouni Malinen <j@w1.fi>
Sun, 29 Jan 2017 23:54:30 +0000 (01:54 +0200)
If the keychain holds additional certificates other than the end
certificate, read them into the certificate chain.

Signed-off-by: Paul Stewart <pstew@google.com>
src/crypto/tls_openssl.c

index e2749755f58c128950f7118561c958d366c03e04..7876134232594a8fcb5fb30ede667bdb66d8b46c 100644 (file)
@@ -2371,13 +2371,24 @@ static int tls_connection_client_cert(struct tls_connection *conn,
                int ret = -1;
                if (bio) {
                        x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-                       BIO_free(bio);
                }
                if (x509) {
                        if (SSL_use_certificate(conn->ssl, x509) == 1)
                                ret = 0;
                        X509_free(x509);
                }
+
+               /* Read additional certificates into the chain. */
+               while (bio) {
+                       x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+                       if (x509) {
+                               /* Takes ownership of x509 */
+                               SSL_add0_chain_cert(conn->ssl, x509);
+                       } else {
+                               BIO_free(bio);
+                               bio = NULL;
+                       }
+               }
                return ret;
        }
 #endif /* ANDROID */
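Review bot: The return value of `SSL_add0_chain_cert()` in the new loop is ignored, yet the comment above it states that the call takes ownership of x509; on failure the certificate is neither added nor freed, so it leaks and the handshake proceeds with a silently truncated chain, which tends to surface later as an opaque authentication failure on the peer. A minimal fix is `if (SSL_add0_chain_cert(conn->ssl, x509) != 1) { X509_free(x509); ret = -1; }` — whether a failed intermediate should fail the whole client-cert load (ret = -1) rather than just be logged is a policy choice, but the leak should be closed either way. Separately, the loop treats every NULL from `PEM_read_bio_X509()` as end of input, so a malformed intermediate is indistinguishable from a clean end of stream and leaves an error on the OpenSSL error queue; distinguishing PEM_R_NO_START_LINE from other errors (or at least clearing the queue after the loop) would make that explicit. tls_connection_client_cert() starts before this hunk and continues after it, so this note covers only the visible portion.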