Notify the framework when TLS certificate
verification fails.
Notification can be sent using the existing
OpenSSL failure callback. See ag/17108489
for more information about the existing
callbacks.
Bug: 296398808
Test: Manual Test
1. Follow the Test Setup Instructions
doc to connect to WPA-Enterprise
using EAP-TTLS.
2. Set all fields correctly, but select
"Use system certificates" for the
CA Certificate field.
3. Check that the expected OpenSSL
failure event is generated.
Change-Id: I6c67240887ad5198c021689fe68f6ad1cd3d114d
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 23bbe68..b378356 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -201,6 +201,7 @@
static struct tls_context *tls_global = NULL;
static tls_get_certificate_cb certificate_callback_global = NULL;
+static tls_openssl_failure_cb openssl_failure_callback_global = NULL;
#ifdef ANDROID
#include <openssl/pem.h>
@@ -2634,9 +2635,19 @@
if (chain)
sk_X509_pop_free(chain, X509_free);
- wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
- " error %d (%s) depth %d for '%s'", err, err_str,
- depth, buf);
+ char *format_str = "TLS: Certificate verification failed,"
+ " error %d (%s) depth %d for '%s'";
+ int msg_len = snprintf(NULL, 0, format_str, err, err_str, depth, buf) + 1;
+ char *msg = os_malloc(msg_len);
+ snprintf(msg, msg_len, format_str, err, err_str, depth, buf);
+
+ wpa_printf(MSG_WARNING, "%s", msg);
+ if (conn != NULL && conn->context != NULL
+ && openssl_failure_callback_global != NULL) {
+ (*openssl_failure_callback_global)(conn->context->cb_ctx, msg);
+ }
+ os_free(msg);
+
openssl_tls_fail_event(conn, err_cert, err, depth, buf,
err_str, TLS_FAIL_UNSPECIFIED);
return preverify_ok;
@@ -6048,3 +6059,8 @@
{
certificate_callback_global = cb;
}
+
+void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)
+{
+ openssl_failure_callback_global = cb;
+}