From 6d08f23f0a38ded75935202251e8c049308ce08a Mon Sep 17 00:00:00 2001
From: Paul Stewart
Date: Wed, 25 Jan 2017 13:59:16 -0800
Subject: [PATCH] OpenSSL/BoringSSL: Read certificate chain from client_cert on Android

If the keychain holds additional certificates other than the end certificate, read them into the certificate chain.

Signed-off-by: Paul Stewart
---
 src/crypto/tls_openssl.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e2749755f..787613423 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2371,13 +2371,24 @@ static int tls_connection_client_cert(struct tls_connection *conn,
 	int ret = -1;
 	if (bio) {
 		x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-		BIO_free(bio);
 	}
 	if (x509) {
 		if (SSL_use_certificate(conn->ssl, x509) == 1)
 			ret = 0;
 		X509_free(x509);
 	}
+
+	/* Read additional certificates into the chain. */
+	while (bio) {
+		x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+		if (x509) {
+			/* Takes ownership of x509 */
+			SSL_add0_chain_cert(conn->ssl, x509);
+		} else {
+			BIO_free(bio);
+			bio = NULL;
+		}
+	}
 	return ret;
 }
 #endif /* ANDROID */
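Review bot: The return value of `SSL_add0_chain_cert(conn->ssl, x509)` in the new loop is ignored; on failure the SSL object does not take ownership of x509, so the certificate leaks and the chain presented to the server is silently incomplete while `ret` still reports success. I would write `if (SSL_add0_chain_cert(conn->ssl, x509) != 1) { X509_free(x509); ret = -1; }` and let the `else` branch's BIO cleanup run on the next iteration, or break out explicitly. Separately, the loop runs even when the end-entity certificate failed to parse or `SSL_use_certificate` failed (`ret == -1`), so chain certificates can be attached to `conn->ssl` for a connection the caller will treat as failed; guarding the loop with `while (bio && ret == 0)` and freeing the BIO afterwards keeps the state consistent. Note also that the loop ends only when `PEM_read_bio_X509` returns NULL at end of data, which (if I recall OpenSSL's behaviour correctly) leaves a PEM "no start line" error on the thread's error queue for later `ERR_get_error` reporting to pick up; an `ERR_clear_error()` in the `else` branch would avoid that. The start of tls_connection_client_cert is outside the hunk.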