author | Gabriel Biren <gbiren@google.com> | 2023-11-01 22:04:12 +0000 |
---|---|---|
committer | Gabriel Biren <gbiren@google.com> | 2023-11-01 22:13:56 +0000 |
commit | 60ae06809e045f797503aacaa5a255099afbddea (patch) | |
tree | 131f49dbb3dfc3b1c45755e926b69a63f32f4d7b | |
parent | 7dea1e9a66f93a473530d618a2b2688fa44785dc (diff) | |
Notify the framework when TLS certificate
verification fails.
Notification can be sent using the existing
OpenSSL failure callback. See ag/17108489
for more information about the existing
callbacks.
Bug: 296398808
Test: Manual Test
1. Follow the Test Setup Instructions
doc to connect to WPA-Enterprise
using EAP-TTLS.
2. Set all fields correctly, but select
"Use system certificates" for the
CA Certificate field.
3. Check that the expected OpenSSL
failure event is generated.
Change-Id: I6c67240887ad5198c021689fe68f6ad1cd3d114d
-rw-r--r-- | src/crypto/tls.h | 10 | ||||
-rw-r--r-- | src/crypto/tls_openssl.c | 22 | ||||
-rw-r--r-- | src/eap_peer/eap.c | 9 |
3 files changed, 38 insertions, 3 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index c201dcd6..82276c5f 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -693,4 +693,14 @@ typedef ssize_t (*tls_get_certificate_cb)
 void tls_register_cert_callback(tls_get_certificate_cb cb);
+/**
+ * tls_register_openssl_failure_callback - Register a callback to indicate
+ * that an OpenSSL failure has occurred
+ * @cb: Callback object to register
+ */
+typedef void (*tls_openssl_failure_cb)
+(void* ctx, const char* msg);
+
+void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb);
+
 #endif /* TLS_H */
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 23bbe687..b378356d 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -201,6 +201,7 @@ struct tls_connection {
 static struct tls_context *tls_global = NULL;
 static tls_get_certificate_cb certificate_callback_global = NULL;
+static tls_openssl_failure_cb openssl_failure_callback_global = NULL;
 #ifdef ANDROID
 #include <openssl/pem.h>
@@ -2634,9 +2635,19 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 if (chain)
 sk_X509_pop_free(chain, X509_free);
- wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
- " error %d (%s) depth %d for '%s'", err, err_str,
- depth, buf);
+ char *format_str = "TLS: Certificate verification failed,"
+ " error %d (%s) depth %d for '%s'";
+ int msg_len = snprintf(NULL, 0, format_str, err, err_str, depth, buf) + 1;
+ char *msg = os_malloc(msg_len);
+ snprintf(msg, msg_len, format_str, err, err_str, depth, buf);
+
+ wpa_printf(MSG_WARNING, "%s", msg);
+ if (conn != NULL && conn->context != NULL
+ && openssl_failure_callback_global != NULL) {
+ (*openssl_failure_callback_global)(conn->context->cb_ctx, msg);
+ }
+ os_free(msg);
+
 openssl_tls_fail_event(conn, err_cert, err, depth, buf, err_str,
 TLS_FAIL_UNSPECIFIED);
 return preverify_ok;
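Review bot: The kerneldoc block in the tls.h hunk sits above the typedef but documents tls_register_openssl_failure_callback, so the callback's own parameters `ctx` and `msg` are left undocumented — in particular that `msg` is only valid for the duration of the call (tls_openssl.c frees it immediately after invoking the callback) and that `ctx` is the `cb_ctx` supplied in the tls_config. Move the existing block down to the function declaration, where the `@cb:` line belongs, and give the typedef its own comment along the lines of `/** tls_openssl_failure_cb - Called when certificate verification fails. @ctx: cb_ctx from the tls_config; @msg: NUL-terminated description, valid only until the callback returns */`. Documenting the lifetime matters because a framework-side implementation that stores the pointer would be reading freed memory.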
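Review bot: In the tls_verify_cb hunk `char *msg = os_malloc(msg_len);` is never checked, so an allocation failure dereferences NULL in the following snprintf, and a negative return from the sizing `snprintf(NULL, 0, ...)` (possible for encoding errors) makes `msg_len` zero, yielding an undersized buffer. The new code also allocates and formats the message unconditionally even when no failure callback is registered, and the warning is now lost on allocation failure because it is printed from the copy. I would keep the log line as before, build the heap copy only when a callback is registered, and guard both the snprintf result and the allocation; tls_verify_cb's body starts and ends outside this hunk. The same unchecked-allocation pattern does not recur elsewhere in the commit.

```c
		/* … unchanged: chain cleanup … */
		static const char format_str[] =
			"TLS: Certificate verification failed,"
			" error %d (%s) depth %d for '%s'";

		wpa_printf(MSG_WARNING, format_str, err, err_str, depth, buf);

		/* Only build a heap copy when someone will consume it; the
		 * callback must not retain msg, it is freed on return. */
		if (conn != NULL && conn->context != NULL &&
		    openssl_failure_callback_global != NULL) {
			int len = snprintf(NULL, 0, format_str, err, err_str,
					   depth, buf);
			char *msg = len < 0 ? NULL :
				os_malloc((size_t) len + 1);

			if (msg) {
				snprintf(msg, (size_t) len + 1, format_str,
					 err, err_str, depth, buf);
				openssl_failure_callback_global(
					conn->context->cb_ctx, msg);
				os_free(msg);
			}
		}
		/* … unchanged: openssl_tls_fail_event call and return … */
```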
@@ -6048,3 +6059,8 @@ void tls_register_cert_callback(tls_get_certificate_cb cb)
 {
 certificate_callback_global = cb;
 }
+
+void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)
+{
+ openssl_failure_callback_global = cb;
+}
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 8338c47b..ff7dc1e2 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -2207,6 +2207,14 @@ ssize_t tls_certificate_callback(void* ctx, const char* alias, uint8_t** value)
 return -1;
 }
+void tls_openssl_failure_callback(void* ctx, const char* msg) {
+ if (ctx == NULL || msg == NULL) return;
+ struct eap_sm *sm = (struct eap_sm*) ctx;
+ if (sm->eapol_cb && sm->eapol_cb->notify_open_ssl_failure) {
+ sm->eapol_cb->notify_open_ssl_failure(sm->eapol_ctx, msg);
+ }
+}
+
 /**
 * eap_peer_sm_init - Allocate and initialize EAP peer state machine
 * @eapol_ctx: Context data to be used with eapol_cb calls
@@ -2251,6 +2259,7 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
 tlsconf.cb_ctx = sm;
 tlsconf.cert_in_cb = conf->cert_in_cb;
 tls_register_cert_callback(&tls_certificate_callback);
+ tls_register_openssl_failure_callback(&tls_openssl_failure_callback);
 sm->ssl_ctx = tls_init(&tlsconf);
 if (sm->ssl_ctx == NULL) {
 wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS " |
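Review bot: The `notify_open_ssl_failure` member used in tls_openssl_failure_callback is not declared anywhere in this diff, so this commit presumably depends on a separate change to the eapol callbacks structure — confirm it builds on its own, since the diffstat lists no header change outside src/crypto. The brace placement `void tls_openssl_failure_callback(void* ctx, const char* msg) {` is inconsistent with `tls_register_openssl_failure_callback` in the same commit, which puts the opening brace on its own line; the latter matches the surrounding code. It is also worth a comment on this function that `msg` embeds text taken from the peer's certificate (the `buf` field formatted in tls_verify_cb, assembled outside this hunk) and is freed by the caller on return, so the framework side should copy it if needed and treat it as opaque, untrusted text rather than parsing it, e.g. `/* msg is owned by the TLS layer and valid only during this call; it contains peer-supplied certificate data */`.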