OpenSSL: Send cert event for the peer even on CA cert failure
authorJouni Malinen <jouni@codeaurora.org>
Thu, 20 Jun 2019 20:44:51 +0000 (23:44 +0300)
committerJouni Malinen <j@w1.fi>
Thu, 20 Jun 2019 20:44:51 +0000 (23:44 +0300)
This adds a CTRL-EVENT-EAP-PEER-CERT event for depth=0 even if a depth >
0 certificate results in a peer certificate validation error. Previously,
this case resulted in the upper layers not getting any information about
the used peer certificate. Now that information is available, e.g., to
allow server certificate-based overriding of the trust to be done.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/crypto/tls_openssl.c

index 3c142d34dd0167d7a037eab8c53fb9a8cf79ed34..1073f64501f52b630ee14ef10381ea13f1f7c2e8 100644 (file)
@@ -2378,6 +2378,27 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
        openssl_tls_cert_event(conn, err_cert, depth, buf);
 
        if (!preverify_ok) {
+               if (depth > 0) {
+                       /* Send cert event for the peer certificate so that
+                        * the upper layers get information about it even if
+                        * validation of a CA certificate fails. */
+                       STACK_OF(X509) *chain;
+
+                       chain = X509_STORE_CTX_get1_chain(x509_ctx);
+                       if (chain && sk_X509_num(chain) > 0) {
+                               char buf2[256];
+                               X509 *cert;
+
+                               cert = sk_X509_value(chain, 0);
+                               X509_NAME_oneline(X509_get_subject_name(cert),
+                                                 buf2, sizeof(buf2));
+
+                               openssl_tls_cert_event(conn, cert, 0, buf2);
+                       }
+                       if (chain)
+                               sk_X509_pop_free(chain, X509_free);
+               }
+
                wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
                           " error %d (%s) depth %d for '%s'", err, err_str,
                           depth, buf);
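Review bot: The return value of `X509_NAME_oneline()` in the new depth > 0 branch is not checked; on failure it returns NULL and `buf2` is left uninitialized (or only partially written), and that stack content is then passed to `openssl_tls_cert_event()` as the subject string of the peer certificate. Initialising the buffer, `char buf2[256] = "";`, or checking the return before emitting the event keeps the event payload well-defined. The same unchecked pattern is presumably used to fill `buf` above the hunk, in which case both sites could share a small static helper. The `if (!preverify_ok)` block and the enclosing `tls_verify_cb()` continue past the hunk, so it is not visible here whether the callback can still return success after a depth > 0 failure; if it can, OpenSSL would call back again at depth 0 and the peer certificate event would be emitted twice.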