From: Jouni Malinen Date: Sat, 1 Mar 2025 18:22:18 +0000 (+0200) Subject: OpenSSL: Print more failure details for EC failures X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1592d3416dcbc82818561709be463762a78b51f1;p=thirdparty%2Fhostap.git OpenSSL: Print more failure details for EC failures These cases can fail when OpenSSL is forced to use FIPS mode or FIPS provider. It is helpful to get more explicit error details about these cases into the debug log. Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 3333f727a..600c1a82e 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -2665,8 +2665,12 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
 goto fail;
 ecdh->pkey = EVP_EC_gen(name);
- if (!ecdh->pkey)
+ if (!ecdh->pkey) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: EVP_EC_gen(group=%d) failed: %s",
+ group, ERR_error_string(ERR_get_error(), NULL));
 goto fail;
+ }
 done:
 return ecdh;
@@ -3431,8 +3435,8 @@ struct crypto_ec_key * crypto_ec_key_gen(int group)
 EVP_PKEY_CTX_set_params(ctx, params) != 1 || EVP_PKEY_generate(ctx, &pkey) != 1) {
 wpa_printf(MSG_INFO,
- "OpenSSL: failed to generate EC keypair: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ "OpenSSL: Failed to generate EC keypair (group=%d): %s",
+ group, ERR_error_string(ERR_get_error(), NULL));
 pkey = NULL;
 }
@@ -3695,6 +3699,8 @@ struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
 ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER", "type-specific", NULL);
 if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
+ wpa_printf(MSG_INFO, "OpenSSL: OSSL_ENCODER failed: %s",
+ ERR_error_string(ERR_get_error(), NULL));
 OSSL_ENCODER_CTX_free(ctx);
 EVP_PKEY_free(copy);
 return NULL;
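Review bot: `ERR_get_error()` in the new `EVP_EC_gen()` failure branch of crypto_ecdh_init() removes and reports only the earliest entry of the OpenSSL error queue, so any further entries pushed by a provider or FIPS failure stay queued and can be reported by a later, unrelated failure path. The same pattern is used in the crypto_ec_key_gen() and crypto_ec_key_get_ecprivate_key() hunks. Consider logging every entry in a `while ((err = ERR_get_error()))` loop, or at least following the wpa_printf() with `ERR_clear_error();`. Passing NULL as the buffer also makes `ERR_error_string()` format into a static buffer; `ERR_error_string_n()` with a local buffer avoids that. The function body starts and ends outside the hunk.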
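Review bot: The message added in crypto_ec_key_get_ecprivate_key() does not say which operation or key selection failed, unlike the other two messages in this commit, which carry the group. Since this is the private-key export path, a format such as `"OpenSSL: OSSL_ENCODER (selection=0x%x) failed: %s"` with `selection` as the extra argument would make the entry attributable without putting any key material in the log (confirm the type of `selection`, which is declared outside the hunk). When `ctx` is NULL the error queue may be empty, so the printed text could be a generic zero-code string; reporting `!ctx` separately from the `OSSL_ENCODER_to_data()` failure would help, though this is inferred rather than visible here. The function starts and ends outside the hunk.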