GnuTLS backend already accepts CA cert blobs in both DER and PEM formats.
Implement similar trial-and-error handling in OpenSSL backend.
Signed-off-by: Santtu Lakkala <santtu.lakkala@xxxxxxxxx>
---
src/crypto/tls_openssl.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf2407421..bf26f67ba 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2577,9 +2577,22 @@ static int tls_connection_ca_cert(struct tls_data *data,
(const unsigned char **) &ca_cert_blob,
ca_cert_blob_len);
if (cert == NULL) {
- tls_show_errors(MSG_WARNING, __func__,
- "Failed to parse ca_cert_blob");
- return -1;
+ BIO *bio = BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len);
+
+ if (bio != NULL) {
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+ }
+
+ if (cert == NULL) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to parse ca_cert_blob");
+ return -1;
+ }
+
+ while (ERR_get_error()) {
+ /* Ignore errors from DER conversion. */
+ }
}
if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
--
2.20.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
