From 84db90e484463cfafd54c46a9f4a9646e863d3f7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 20 Jun 2019 23:44:51 +0300
Subject: [PATCH] OpenSSL: Send cert event for the peer even on CA cert failure

This adds a CTRL-EVENT-EAP-PEER-CERT even for depth=0 even if a depth > 0 certificate results in peer certificate validation error. Previously, this case resulted in the upper layers not getting any information about the used peer certificate. Now that information is available, e.g., to allow server certificate -based overriding of the trust to be done.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3c142d34d..1073f6450 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2378,6 +2378,27 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 	openssl_tls_cert_event(conn, err_cert, depth, buf);
 
 	if (!preverify_ok) {
+		if (depth > 0) {
+			/* Send cert event for the peer certificate so that
+			 * the upper layers get information about it even if
+			 * validation of a CA certificate fails. */
+			STACK_OF(X509) *chain;
+
+			chain = X509_STORE_CTX_get1_chain(x509_ctx);
+			if (chain && sk_X509_num(chain) > 0) {
+				char buf2[256];
+				X509 *cert;
+
+				cert = sk_X509_value(chain, 0);
+				X509_NAME_oneline(X509_get_subject_name(cert),
+						  buf2, sizeof(buf2));
+
+				openssl_tls_cert_event(conn, cert, 0, buf2);
+			}
+			if (chain)
+				sk_X509_pop_free(chain, X509_free);
+		}
+
 		wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
 			   " error %d (%s) depth %d for '%s'",
 			   err, err_str, depth, buf);
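Review bot: The return value of `X509_NAME_oneline()` is ignored on the new depth-0 path, so if it fails (it returns NULL and makes no guarantee about the buffer) `buf2` reaches `openssl_tls_cert_event()` with unspecified, possibly unterminated contents; the existing `buf` handling above the hunk may follow the same pattern, but the new code is a good place to add `if (!X509_NAME_oneline(X509_get_subject_name(cert), buf2, sizeof(buf2))) buf2[0] = '\0';`. The event is emitted for a certificate whose chain has just failed validation, yet nothing in the event distinguishes it from the depth-0 callback on a good chain, and the commit message says it is intended for trust overrides, so the comment should warn consumers: `/* NOTE: this peer certificate has NOT been validated; upper layers that use it to override trust must apply their own pinning/hash check. */`. If tls_verify_cb ends up returning non-zero after a depth > 0 failure (e.g. under an override option), OpenSSL will still invoke this callback at depth 0 and the peer-cert event would then be sent twice; whether that can happen is not visible here and is worth checking against the return path below. tls_verify_cb begins and ends outside the hunk.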