From: Christopher Wiley <wiley@chromium.org>
Date: Sat, 4 Aug 2012 21:36:08 +0000 (+0300)
Subject: OpenSSL: Fix ca_cert_verify for TPM
X-Git-Tag: hostap_2_0~496
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8858cadeb6159105c25348e3476ea9d7781a23d;p=thirdparty%2Fhostap.git

OpenSSL: Fix ca_cert_verify for TPM

This bit is set in the code path that handles keys and certs from places
other than OpenSSL authentication engines. Setting this bit causes
authentication to fail when the server provides certificates that don't
match the client certificate authority.
---

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3bbd45706..860adee4b 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1922,6 +1922,8 @@ static int tls_connection_engine_ca_cert(void *_ssl_ctx,
 	wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
 		   "to certificate store", __func__);
 	SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+	conn->ca_cert_verify = 1;
+
 	return 0;
 
 #else /* OPENSSL_NO_ENGINE */