From 21cb63fffd1e766c8b989125394ed0bfb05e5a4b Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 7 Jan 2016 17:51:40 +0200
Subject: [PATCH] OpenSSL: Fix client certificate chain building after PKCS#12 use
If wpa_supplicant was first configured with PKCS #12 -based client certificate chain and then used with another network profile that used a different certificate chain from a X.509 certificate PEM file instead of PKCS#12, the extra certificate chain was not reconstructed properly with older versions of OpenSSL that 1.0.2. This could result in the authentication failing due to the client certificate chain not being complete or including incorrect certificates. Fix this by clearing the extra certificate chain when setting up a new TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the chain using the default mechanism in case the new TLS exchange does not use PKCS#12. The following hwsim test case sequence was able to find the issue: ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp
Signed-off-by: Jouni Malinen
---
src/crypto/tls_openssl.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index f4a8ff99f..22d6dc40f 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2234,6 +2234,17 @@ static int tls_connection_client_cert(struct tls_connection *conn,
 if (client_cert == NULL && client_cert_blob == NULL)
 return 0;
 
+#ifdef PKCS12_FUNCS
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+ /*
+ * Clear previously set extra chain certificates, if any, from PKCS#12
+ * processing in tls_parse_pkcs12() to allow OpenSSL to build a new
+ * chain properly.
+ */
+ SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
+#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
+#endif /* PKCS12_FUNCS */
+
 if (client_cert_blob &&
 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
 client_cert_blob_len) == 1) {
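Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x10002000L` around the new `SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx)` call has no lower bound, but as far as I recall that API only appeared in OpenSSL 1.0.1, so a PKCS12_FUNCS build against 1.0.0 or 0.9.8 (if this file still supports them — not visible in the hunk) would fail to compile; since the commit message targets 1.0.1 specifically, the guard should be `#if OPENSSL_VERSION_NUMBER >= 0x10001000L && OPENSSL_VERSION_NUMBER < 0x10002000L` with the matching `#endif` comment updated. Separately, the call clears the chain on `conn->ssl_ctx`, i.e. the context rather than the per-connection SSL object, so if several tls_connection instances share that context a chain another connection still relies on is dropped as well; that is presumably acceptable for wpa_supplicant's one-connection-at-a-time use, but a comment stating the assumption would help, e.g. `/* ssl_ctx is shared between connections; relies on client certs being configured serially */`. tls_connection_client_cert() starts and ends outside the hunk.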