From 662239183da08d687dc939211ac09d0a5c3a5b93 Mon Sep 17 00:00:00 2001
From: Emilia Kasper <ekasper@google.com>
Date: Mon, 24 Mar 2014 12:33:54 +0100
Subject: [PATCH] Allow duplicate certs in ssl_build_cert_chain

---
 ssl/ssl_cert.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 6ccf755f7a..2965a44ff5 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1483,6 +1483,7 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
 	STACK_OF(X509) *chain = NULL, *untrusted = NULL;
 	X509 *x;
 	int i, rv = 0;
+	unsigned long error;
 
 	if (!cpk->x509)
 		{
@@ -1499,11 +1500,23 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
 			{
 			x = sk_X509_value(cpk->chain, i);
 			if (!X509_STORE_add_cert(chain_store, x))
-				goto err;
+				{
+				error = ERR_peek_last_error();
+				if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
+				    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+					goto err;
+				ERR_clear_error();
+				}
 			}
 		/* Add EE cert too: it might be self signed */
 		if (!X509_STORE_add_cert(chain_store, cpk->x509))
-			goto err;
+			{
+			error = ERR_peek_last_error();
+			if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
+			    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+				goto err;
+			ERR_clear_error();
+			}
 		}
 	else
 		{
-- 
2.25.1