authorGabriel Biren <gbiren@google.com>2023-11-01 22:04:12 +0000
committerGabriel Biren <gbiren@google.com>2023-11-01 22:13:56 +0000
commit60ae06809e045f797503aacaa5a255099afbddea (patch)
tree131f49dbb3dfc3b1c45755e926b69a63f32f4d7b
parent7dea1e9a66f93a473530d618a2b2688fa44785dc (diff)
downloadwpa_supplicant_8-60ae06809e045f797503aacaa5a255099afbddea.tar.gz
Notify the framework when TLS certificate
verification fails. Notification can be sent using the existing OpenSSL failure callback. See ag/17108489 for more information about the existing callbacks. Bug: 296398808 Test: Manual Test 1. Follow the Test Setup Instructions doc to connect to WPA-Enterprise using EAP-TTLS. 2. Set all fields correctly, but select "Use system certificates" for the CA Certificate field. 3. Check that the expected OpenSSL failure event is generated. Change-Id: I6c67240887ad5198c021689fe68f6ad1cd3d114d
-rw-r--r--src/crypto/tls.h10
-rw-r--r--src/crypto/tls_openssl.c22
-rw-r--r--src/eap_peer/eap.c9
3 files changed, 38 insertions, 3 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index c201dcd6..82276c5f 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -693,4 +693,14 @@ typedef ssize_t (*tls_get_certificate_cb)
void tls_register_cert_callback(tls_get_certificate_cb cb);
+/**
+ * tls_register_openssl_failure_callback - Register a callback to indicate
+ * that an OpenSSL failure has occurred
+ * @cb: Callback object to register
+ */
+typedef void (*tls_openssl_failure_cb)
+(void* ctx, const char* msg);
+
+void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb);
+
#endif /* TLS_H */
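Review bot: The new callback type's contract is not documented: the header comment above the typedef describes the registration function, but says nothing about `ctx` or about how long `msg` stays valid, and tls_openssl.c frees the message immediately after the call returns, so a receiver that stores the pointer would have a use-after-free. The doc block should carry `@ctx: cb_ctx from struct tls_config` and `@msg: Human-readable failure message; valid only for the duration of the callback, copy if needed`. On style, the typedef writes `void* ctx, const char* msg` while this header binds the `*` to the name (`tls_get_certificate_cb cb` above, and the rest of wpa_supplicant); `typedef void (*tls_openssl_failure_cb)(void *ctx, const char *msg);` on one line matches the file.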
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 23bbe687..b378356d 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -201,6 +201,7 @@ struct tls_connection {
static struct tls_context *tls_global = NULL;
static tls_get_certificate_cb certificate_callback_global = NULL;
+static tls_openssl_failure_cb openssl_failure_callback_global = NULL;
#ifdef ANDROID
#include <openssl/pem.h>
@@ -2634,9 +2635,19 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
if (chain)
sk_X509_pop_free(chain, X509_free);
- wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
- " error %d (%s) depth %d for '%s'", err, err_str,
- depth, buf);
+ char *format_str = "TLS: Certificate verification failed,"
+ " error %d (%s) depth %d for '%s'";
+ int msg_len = snprintf(NULL, 0, format_str, err, err_str, depth, buf) + 1;
+ char *msg = os_malloc(msg_len);
+ snprintf(msg, msg_len, format_str, err, err_str, depth, buf);
+
+ wpa_printf(MSG_WARNING, "%s", msg);
+ if (conn != NULL && conn->context != NULL
+ && openssl_failure_callback_global != NULL) {
+ (*openssl_failure_callback_global)(conn->context->cb_ctx, msg);
+ }
+ os_free(msg);
+
openssl_tls_fail_event(conn, err_cert, err, depth, buf,
err_str, TLS_FAIL_UNSPECIFIED);
return preverify_ok;
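Review bot: The `os_malloc(msg_len)` result is never checked, so on allocation failure the following `snprintf(msg, ...)` and `wpa_printf("%s", msg)` dereference NULL inside the OpenSSL verify callback; this path is reached on any certificate the server presents, so a remote peer can trigger it. A negative return from the sizing `snprintf(NULL, 0, ...)` would also make `msg_len` zero or, after conversion to size_t, huge. Build the heap copy only when allocation succeeds and fall back to the pre-existing log line otherwise, keeping the `openssl_tls_fail_event()` call that follows; `format_str` should also be `const char *`, and the mixed declarations after statements depart from the C89-style declarations used elsewhere in this file. tls_verify_cb starts outside the hunk.
```c
	/* … unchanged: chain free above … */
	const char *format_str = "TLS: Certificate verification failed,"
		" error %d (%s) depth %d for '%s'";
	int msg_len = snprintf(NULL, 0, format_str, err, err_str, depth, buf);
	char *msg = msg_len < 0 ? NULL : os_malloc((size_t) msg_len + 1);

	if (msg) {
		snprintf(msg, (size_t) msg_len + 1, format_str, err, err_str,
			 depth, buf);
		wpa_printf(MSG_WARNING, "%s", msg);
		if (conn && conn->context && openssl_failure_callback_global)
			(*openssl_failure_callback_global)(conn->context->cb_ctx,
							   msg);
		os_free(msg);
	} else {
		/* Allocation failed: keep the log line, skip the notification */
		wpa_printf(MSG_WARNING, format_str, err, err_str, depth, buf);
	}

	/* … unchanged: openssl_tls_fail_event() and return … */
```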
@@ -6048,3 +6059,8 @@ void tls_register_cert_callback(tls_get_certificate_cb cb)
{
certificate_callback_global = cb;
}
+
+void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)
+{
+ openssl_failure_callback_global = cb;
+}
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 8338c47b..ff7dc1e2 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -2207,6 +2207,14 @@ ssize_t tls_certificate_callback(void* ctx, const char* alias, uint8_t** value)
return -1;
}
+void tls_openssl_failure_callback(void* ctx, const char* msg) {
+ if (ctx == NULL || msg == NULL) return;
+ struct eap_sm *sm = (struct eap_sm*) ctx;
+ if (sm->eapol_cb && sm->eapol_cb->notify_open_ssl_failure) {
+ sm->eapol_cb->notify_open_ssl_failure(sm->eapol_ctx, msg);
+ }
+}
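Review bot: The new `tls_openssl_failure_callback` has no documentation block and its opening brace sits on the signature line, whereas every other function in this hunk's surroundings (and in eap.c generally) puts the function brace on its own line and carries a `/** ... */` header; the `(struct eap_sm*) ctx` cast likewise departs from the file's `struct eap_sm *` spacing. A header such as `/** tls_openssl_failure_callback - Forward an OpenSSL verification failure message to the EAPOL layer via eapol_cb->notify_open_ssl_failure; @ctx: struct eap_sm * registered as cb_ctx; @msg: failure text owned by the TLS layer, not retained */` would make the ownership explicit. The `notify_open_ssl_failure` member of `eapol_callbacks` is not added by this change, so it presumably comes from the referenced earlier patch; worth confirming it is present on every build configuration that compiles this file.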
+
/**
* eap_peer_sm_init - Allocate and initialize EAP peer state machine
* @eapol_ctx: Context data to be used with eapol_cb calls
@@ -2251,6 +2259,7 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
tlsconf.cb_ctx = sm;
tlsconf.cert_in_cb = conf->cert_in_cb;
tls_register_cert_callback(&tls_certificate_callback);
+ tls_register_openssl_failure_callback(&tls_openssl_failure_callback);
sm->ssl_ctx = tls_init(&tlsconf);
if (sm->ssl_ctx == NULL) {
wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "