From 100b2edb2806c35de8f941859e212b86d1658382 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 19 Aug 2019 16:34:22 +0300
Subject: [PATCH] OpenSSL: Write peer certificate chain details in debug log

This makes it more convenient to debug TLS certificate validation issues.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 69 ++++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 35 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e67756af6..5661e42d1 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2296,6 +2296,38 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
 }
 
 
+static void debug_print_cert(X509 *cert, const char *title)
+{
+#ifndef CONFIG_NO_STDOUT_DEBUG
+	BIO *out;
+	size_t rlen;
+	char *txt;
+	int res;
+
+	if (wpa_debug_level > MSG_DEBUG)
+		return;
+
+	out = BIO_new(BIO_s_mem());
+	if (!out)
+		return;
+
+	X509_print(out, cert);
+	rlen = BIO_ctrl_pending(out);
+	txt = os_malloc(rlen + 1);
+	if (txt) {
+		res = BIO_read(out, txt, rlen);
+		if (res > 0) {
+			txt[res] = '\0';
+			wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
+		}
+		os_free(txt);
+	}
+
+	BIO_free(out);
+#endif /* CONFIG_NO_STDOUT_DEBUG */
+}
+
+
 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
 	char buf[256];
@@ -2316,6 +2348,8 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 	depth = X509_STORE_CTX_get_error_depth(x509_ctx);
 	ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
					 SSL_get_ex_data_X509_STORE_CTX_idx());
+	os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth);
+	debug_print_cert(err_cert, buf);
 	X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
 
 	conn = SSL_get_app_data(ssl);
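Review bot: In the new debug_print_cert(), the return value of `X509_print(out, cert)` is ignored, so if it fails (it returns 1 on success, 0 on error) the helper goes on to log whatever partial text is left in the memory BIO, and the `size_t rlen` is then narrowed to `BIO_read()`'s `int` length argument without a check. For a MSG_DEBUG-only helper this is harmless in practice, but since the function is being moved anyway it is cheap to make explicit: `if (X509_print(out, cert) != 1) goto out;` before the `BIO_ctrl_pending()` call, with `out:` placed just before `BIO_free(out);`. The function also lacks a header comment; I would add one saying that it dumps the full X509_print() text of the certificate under the given title, that it is a no-op unless the debug level is MSG_DEBUG or more verbose, and that the output includes the subject/SAN identity and public key of every chain element, which matters because wpa_supplicant debug logs are routinely attached to support requests. The removed copy from the OCSP section is byte-identical except for the inverted `if (!txt)` early return, so no behaviour changes there.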
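Review bot: The title written into `buf` reads `Peer certificate - depth %d` for every invocation, but at depth > 0 `err_cert` is an issuer (intermediate or root CA) certificate from the chain rather than the peer's own certificate, so the label misleads when reading a chain validation failure; `"Certificate chain - depth %d"` or `depth == 0 ? "Peer certificate" : "Issuer certificate"` would match what is actually printed. `buf` is also borrowed for the title and immediately overwritten by the `X509_NAME_oneline()` call on the next line, which works but deserves a one-line comment such as `/* buf is only scratch space for the title; X509_NAME_oneline() reuses it below */`. OpenSSL may invoke this verify callback more than once for the same certificate when several errors are reported, in which case the full dump repeats; I cannot see how tls_verify_cb deals with that, since the function starts and ends outside this hunk.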
@@ -4658,41 +4692,6 @@ static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
 }
 
 
-static void debug_print_cert(X509 *cert, const char *title)
-{
-#ifndef CONFIG_NO_STDOUT_DEBUG
-	BIO *out;
-	size_t rlen;
-	char *txt;
-	int res;
-
-	if (wpa_debug_level > MSG_DEBUG)
-		return;
-
-	out = BIO_new(BIO_s_mem());
-	if (!out)
-		return;
-
-	X509_print(out, cert);
-	rlen = BIO_ctrl_pending(out);
-	txt = os_malloc(rlen + 1);
-	if (!txt) {
-		BIO_free(out);
-		return;
-	}
-
-	res = BIO_read(out, txt, rlen);
-	if (res > 0) {
-		txt[res] = '\0';
-		wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
-	}
-	os_free(txt);
-
-	BIO_free(out);
-#endif /* CONFIG_NO_STDOUT_DEBUG */
-}
-
-
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
 	struct tls_connection *conn = arg;