From dff7b9e11b9c63558710e333f29ef7b726e1d3bc Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@chromium.org>
Date: Fri, 20 Jun 2014 12:00:00 -0700
Subject: [PATCH] Allow duplicate certs in ssl_build_cert_chain

(Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
---
 ssl/ssl_cert.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index a1b743af..6b19efa1 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1338,6 +1338,7 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
 	STACK_OF(X509) *chain = NULL, *untrusted = NULL;
 	X509 *x;
 	int i, rv = 0;
+	unsigned long error;
 
 	if (!cpk->x509)
 		{
@@ -1354,11 +1355,23 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)
 			{
 			x = sk_X509_value(cpk->chain, i);
 			if (!X509_STORE_add_cert(chain_store, x))
-				goto err;
+				{
+				error = ERR_peek_last_error();
+				if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
+				    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+					goto err;
+				ERR_clear_error();
+				}
 			}
 		/* Add EE cert too: it might be self signed */
 		if (!X509_STORE_add_cert(chain_store, cpk->x509))
-			goto err;
+			{
+			error = ERR_peek_last_error();
+			if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
+			    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+				goto err;
+			ERR_clear_error();
+			}
 		}
 	else
 		{