OpenSSL: Fix OCSP certificate debug print to use wpa_printf

Instead of using X509_print_fp() to print directly to stdout, print the certificate dump to a memory BIO and use wpa_printf() to get this into the debug log. This allows redirection of debug log to work better and avoids undesired stdout prints when debugging is not enabled. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-29 13:51:19 +03:00 · 2014-05-29 13:51:19 +03:00 · 4eb3b76b0f
parent 9e669cb5ff
commit 4eb3b76b0f
1 changed files with 36 additions and 2 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -2968,6 +2968,41 @@ static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
 }


+static void debug_print_cert(X509 *cert, const char *title)
+{
+#ifndef CONFIG_NO_STDOUT_DEBUG
+	BIO *out;
+	size_t rlen;
+	char *txt;
+	int res;
+
+	if (wpa_debug_level > MSG_DEBUG)
+		return;
+
+	out = BIO_new(BIO_s_mem());
+	if (!out)
+		return;
+
+	X509_print(out, cert);
+	rlen = BIO_ctrl_pending(out);
+	txt = os_malloc(rlen + 1);
+	if (!txt) {
+		BIO_free(out);
+		return;
+	}
+
+	res = BIO_read(out, txt, rlen);
+	if (res > 0) {
+		txt[res] = '\0';
+		wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
+	}
+	os_free(txt);
+
+	BIO_free(out);
+#endif /* CONFIG_NO_STDOUT_DEBUG */
+}
+
+
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
 	struct tls_connection *conn = arg;
@ -3011,8 +3046,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)

 	store = SSL_CTX_get_cert_store(s->ctx);
 	if (conn->peer_issuer) {
-		wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
-		X509_print_fp(stdout, conn->peer_issuer);
+		debug_print_cert(conn->peer_issuer, "Add OCSP issuer");

 		if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
 			tls_show_errors(MSG_INFO, __func__,