From 1592d3416dcbc82818561709be463762a78b51f1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 1 Mar 2025 20:22:18 +0200
Subject: [PATCH] OpenSSL: Print more failure details for EC failures
These cases can fail when OpenSSL is forced to use FIPS mode or FIPS provider. It is helpful to get more explicit error details about these cases into the debug log.
Signed-off-by: Jouni Malinen
---
 src/crypto/crypto_openssl.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 3333f727a..600c1a82e 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -2665,8 +2665,12 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
 goto fail;
 ecdh->pkey = EVP_EC_gen(name);
- if (!ecdh->pkey)
+ if (!ecdh->pkey) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: EVP_EC_gen(group=%d) failed: %s",
+ group, ERR_error_string(ERR_get_error(), NULL));
 goto fail;
+ }
 done:
 return ecdh;
@@ -3431,8 +3435,8 @@ struct crypto_ec_key * crypto_ec_key_gen(int group)
 EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
 EVP_PKEY_generate(ctx, &pkey) != 1) {
 wpa_printf(MSG_INFO,
- "OpenSSL: failed to generate EC keypair: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ "OpenSSL: Failed to generate EC keypair (group=%d): %s",
+ group, ERR_error_string(ERR_get_error(), NULL));
 pkey = NULL;
 }
@@ -3695,6 +3699,8 @@ struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
 ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER", "type-specific", NULL);
 if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
+ wpa_printf(MSG_INFO, "OpenSSL: OSSL_ENCODER failed: %s",
+ ERR_error_string(ERR_get_error(), NULL));
 OSSL_ENCODER_CTX_free(ctx);
 EVP_PKEY_free(copy);
 return NULL;
-- 
2.47.2
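Review bot: The new log call in crypto_ecdh_init() prints only `ERR_get_error()`, which pops the oldest entry of the OpenSSL error queue. The same applies to the messages in crypto_ec_key_gen() and crypto_ec_key_get_ecprivate_key(). Provider and FIPS failures commonly queue several entries, so the rest stay queued and can be reported against a later, unrelated failure, and a stale entry left by an earlier call would be printed here instead of the real cause. Consider calling `ERR_clear_error();` before the operation and again after logging, or draining the queue in a loop; whether the file already clears the queue elsewhere is not visible in these hunks. All three function bodies start or end outside the hunks.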
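Review bot: The message added in crypto_ec_key_get_ecprivate_key(), `"OpenSSL: OSSL_ENCODER failed: %s"`, names neither the calling function nor which of the two calls in the condition failed, whereas the other two messages in this commit carry the group. Adding the caller makes the debug log line attributable, for example `wpa_printf(MSG_INFO, "OpenSSL: %s: OSSL_ENCODER failed: %s", __func__, ERR_error_string(ERR_get_error(), NULL));`. Because this is the private-key export path, it is right that the log carries only the error string and nothing from `pdata`; a short comment such as `/* log the error only, never the encoded key */` would keep later edits from changing that. The function starts and ends outside the hunk.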