[PATCH] ignore duplicate OpenSSL client cert and private key addition

Dan Williams dcbw at redhat.com
Thu Jan 3 12:32:34 EST 2008


Ignore duplicate certificate addition errors for client certificates and
private keys too, as is done for CA certs.  Applies to both 0.6.x and
0.5.x.


diff -up wpa_supplicant-0.5.7/tls_openssl.c.ignore-dup-ca-cert-addition wpa_supplicant-0.5.7/tls_openssl.c
--- src/crypto/tls_openssl.c.ignore-dup-ca-cert-addition	2006-11-29 23:50:28.000000000 -0500
+++ src/crypto/tls_openssl.c	2007-11-13 11:19:30.000000000 -0500
@@ -1259,15 +1269,28 @@ static int tls_connection_client_cert(st
 	if (client_cert == NULL && client_cert_blob == NULL)
 		return 0;
 
-	if (client_cert_blob &&
-	    SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
+	if (client_cert_blob) {
+		if (SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
 				     client_cert_blob_len) == 1) {
-		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> "
-			   "OK");
-		return 0;
-	} else if (client_cert_blob) {
-		tls_show_errors(MSG_DEBUG, __func__,
-				"SSL_use_certificate_ASN1 failed");
+			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1"
+				   " --> OK");
+			return 0;
+		} else {
+			unsigned long err = ERR_peek_error();
+
+			if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+			    ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+				wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
+					   "cert already in hash table error",
+					   __func__);
+				wpa_printf(MSG_DEBUG, "OpenSSL: "
+					   "SSL_use_certificate_ASN1 --> OK");
+				return 0;
+			}
+
+			tls_show_errors(MSG_DEBUG, __func__,
+					"SSL_use_certificate_ASN1 failed");
+		}
 	}
 
 	if (client_cert == NULL)
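Review bot: The accepted-duplicate branch returns 0 without draining the OpenSSL error queue, so the X509_R_CERT_ALREADY_IN_HASH_TABLE entry stays queued and is what the next ERR_peek_error() caller sees (the private-key loaders in the second hunk peek before they print); add `ERR_clear_error();` before that `return 0;`. ERR_peek_error() also reports the oldest queued entry rather than the one SSL_use_certificate_ASN1 just pushed, so if the intent is to inspect this call's failure, clear the queue before the call or use ERR_peek_last_error(). The continuation line `client_cert_blob_len) == 1) {` kept its old alignment after the condition was re-nested one level deeper. tls_connection_client_cert continues past the end of the hunk.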
@@ -1515,40 +1538,73 @@ static int tls_connection_private_key(vo
 	while (private_key_blob) {
 		if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
 					    (u8 *) private_key_blob,
-					    private_key_blob_len) == 1) {
-			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
-				   "ASN1(EVP_PKEY_RSA) --> OK");
-			ok = 1;
-			break;
-		} else {
+					    private_key_blob_len) != 1) {
+			unsigned long err = ERR_peek_error();
+
 			tls_show_errors(MSG_DEBUG, __func__,
 					"SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA)"
 					" failed");
+			if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+			    ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+				wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
+					   "cert already in hash table error",
+					   __func__);
+				ok = 1;
+			}
+		} else
+			ok = 1;
+
+		if (ok == 1) {
+			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
+				   "ASN1(EVP_PKEY_RSA) --> OK");
+			break;
 		}
 
 		if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
 					    (u8 *) private_key_blob,
-					    private_key_blob_len) == 1) {
-			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
-				   "ASN1(EVP_PKEY_DSA) --> OK");
-			ok = 1;
-			break;
-		} else {
+					    private_key_blob_len) != 1) {
+			unsigned long err = ERR_peek_error();
+
 			tls_show_errors(MSG_DEBUG, __func__,
 					"SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA)"
 					" failed");
+			if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+			    ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+				wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
+					   "cert already in hash table error",
+					   __func__);
+				ok = 1;
+			}
+		} else
+			ok = 1;
+
+		if (ok == 1) {
+			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
+				   "ASN1(EVP_PKEY_DSA) --> OK");
+			break;
 		}
 
 		if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
 					       (u8 *) private_key_blob,
-					       private_key_blob_len) == 1) {
+					       private_key_blob_len) != 1) {
+			unsigned long err = ERR_peek_error();
+
+			tls_show_errors(MSG_DEBUG, __func__,
+					"SSL_use_RSAPrivateKey_ASN1 failed");
+			if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+			    ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+				wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
+					   "cert already in hash table error",
+					   __func__);
+				ok = 1;
+			}
+		} else
+			ok = 1;
+
+		if (ok == 1) {
 			wpa_printf(MSG_DEBUG, "OpenSSL: "
 				   "SSL_use_RSAPrivateKey_ASN1 --> OK");
-			ok = 1;
 			break;
-		} else {
-			tls_show_errors(MSG_DEBUG, __func__,
-					"SSL_use_RSAPrivateKey_ASN1 failed");
 		}
 
 		if (tls_read_pkcs12_blob(ssl_ctx, conn->ssl, private_key_blob,
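Review bot: All three loaders set `ok = 1` and log `--> OK` when the oldest queued error is an X509 duplicate-certificate condition, yet as far as I can tell none of SSL_use_PrivateKey_ASN1 / SSL_use_RSAPrivateKey_ASN1 inserts into an X509 hash table, so that entry most plausibly originates from the certificate path in the first hunk and a genuine key-load failure would then be reported as `--> OK` with no key installed. The check should look at the most recent error and clear the queue once the duplicate is accepted, and since the RSA, DSA and RSAPrivateKey blocks repeat the same dozen lines, the check belongs in one static helper as sketched below. The `ok` initialization before the `while` and the rest of tls_connection_private_key are outside the hunk.
```c
/* True when the most recent queued OpenSSL error is the benign
 * "certificate already in hash table" condition; the queue is cleared
 * so that entry cannot mask a later, unrelated failure. */
static int tls_ignore_dup_cert_error(const char *caller)
{
	unsigned long err = ERR_peek_last_error();

	if (ERR_GET_LIB(err) != ERR_LIB_X509 ||
	    ERR_GET_REASON(err) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
		return 0;
	wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert already in hash "
		   "table error", caller);
	ERR_clear_error();
	return 1;
}

/* … unchanged: start of tls_connection_private_key … */
		if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
					    (u8 *) private_key_blob,
					    private_key_blob_len) == 1 ||
		    tls_ignore_dup_cert_error(__func__)) {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
				   "ASN1(EVP_PKEY_RSA) --> OK");
			ok = 1;
			break;
		}
		tls_show_errors(MSG_DEBUG, __func__,
				"SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA) failed");
		/* … DSA and RSAPrivateKey loaders follow the same shape … */
```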



