From: Santtu Lakkala
Date: Mon, 27 May 2019 07:06:28 +0000 (+0300)
Subject: OpenSSL: Allow ca_cert_blob in PEM format
X-Git-Tag: hostap_2_9~223
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ba809f67b94c8e1e54edb83fd5fcf5b00957f65;p=thirdparty%2Fhostap.git

OpenSSL: Allow ca_cert_blob in PEM format

GnuTLS backend already accepts CA cert blobs in both DER and PEM formats. Implement similar trial-and-error handling in OpenSSL backend.

Signed-off-by: Santtu Lakkala
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index c71979f8b..f1f979348 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2577,9 +2577,23 @@ static int tls_connection_ca_cert(struct tls_data *data,
 (const unsigned char **) &ca_cert_blob,
 ca_cert_blob_len);
 if (cert == NULL) {
- tls_show_errors(MSG_WARNING, __func__,
- "Failed to parse ca_cert_blob");
- return -1;
+ BIO *bio = BIO_new_mem_buf(ca_cert_blob,
+ ca_cert_blob_len);
+
+ if (bio) {
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ }
+
+ if (!cert) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to parse ca_cert_blob");
+ return -1;
+ }
+
+ while (ERR_get_error()) {
+ /* Ignore errors from DER conversion. */
+ }
 }
 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
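Review bot: `BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len)` silently narrows the blob length to `int` (the parameter type of BIO_new_mem_buf), whereas the d2i_X509 call just above takes it as `long`; if ca_cert_blob_len is a size_t (its declaration is outside the hunk), a length of INT_MAX+1 or more wraps negative, and the value -1 in particular makes OpenSSL treat the buffer as NUL-terminated and measure it with strlen. Routing oversized input into the existing failure branch keeps the change to one statement: `BIO *bio = ca_cert_blob_len <= INT_MAX ? BIO_new_mem_buf(ca_cert_blob, (int) ca_cert_blob_len) : NULL;` (INT_MAX from <limits.h>). Separately, PEM_read_bio_X509 returns only the first certificate in the BIO, so a PEM bundle carrying several CA certificates has all but the first ignored without any warning; unless the call is turned into a loop, a comment such as `/* Only the first PEM certificate in the blob is used */` above it would make that limit visible. The enclosing tls_connection_ca_cert begins before and continues after the hunk.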