authorSelva Nair2023-10-01 13:49:20 -0400
committerGert Doering2023-10-02 10:08:56 +0200
commit2671dcb69837ae58b3303f11c1b6ba4cee8eea00 (patch)
tree039e0a09d4041abb4f45bb37a95550e6331ddceb /tests
parent607ae9b821665dadb6bd0a3ceb6288bda10d5e67 (diff)
downloadopenvpn-2671dcb69837ae58b3303f11c1b6ba4cee8eea00.zip
openvpn-2671dcb69837ae58b3303f11c1b6ba4cee8eea00.tar.gz
Log OpenSSL errors on failure to set certificate
Currently we log a bogus error message saying private key password verification failed when SSL_CTX_use_cert_and_key() fails in pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly. Also log OpenSSL errors when SSL_CTX_use_certificate() fails in cryptoapi.c and elsewhere. Such logging could be useful especially when the certificate is rejected by OpenSSL due to stricter security restrictions in recent versions of the library. Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20231001174920.54154-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'tests')
-rw-r--r--tests/unit_tests/openvpn/test_cryptoapi.c11
-rw-r--r--tests/unit_tests/openvpn/test_pkcs11.c11
2 files changed, 22 insertions, 0 deletions
diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c
index 008f41c..d90bfc3 100644
--- a/tests/unit_tests/openvpn/test_cryptoapi.c
+++ b/tests/unit_tests/openvpn/test_cryptoapi.c
@@ -58,6 +58,17 @@ management_query_pk_sig(struct management *man, const char *b64_data,
return NULL;
}
+/* replacement for crypto_print_openssl_errors() */
+void
+crypto_print_openssl_errors(const unsigned int flags)
+{
+ unsigned long e;
+ while ((e = ERR_get_error()))
+ {
+ msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
+ }
+}
+
/* tls_libctx is defined in ssl_openssl.c which we do not want to compile in */
OSSL_LIB_CTX *tls_libctx;
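Review bot: `ERR_error_string(e, NULL)` in the new stub formats into OpenSSL's static buffer, which the library documents as not thread-safe; the bounded form keeps the output identical and avoids that: `char buf[256]; ERR_error_string_n(e, buf, sizeof buf); msg(flags, "OpenSSL error %lu: %s", e, buf);`. If msg() terminates each line itself, which the other logging calls in the tree suggest but this hunk does not show, the trailing `\n` in the format string will produce a blank line after every error in test output. The same stub is duplicated verbatim in test_pkcs11.c (the second hunk), so a shared test helper, or at least matching edits in both copies, would keep the two from drifting. A one-line comment stating why the stub exists, such as `/* the unit tests do not link the production definition; drain the OpenSSL error queue into the test log instead */`, would also help the next reader of either file.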
diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c
index 235cc43..b6c130e 100644
--- a/tests/unit_tests/openvpn/test_pkcs11.c
+++ b/tests/unit_tests/openvpn/test_pkcs11.c
@@ -44,6 +44,17 @@
struct management *management; /* global */
+/* replacement for crypto_print_openssl_errors() */
+void
+crypto_print_openssl_errors(const unsigned int flags)
+{
+ unsigned long e;
+ while ((e = ERR_get_error()))
+ {
+ msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
+ }
+}
+
/* stubs for some unused functions instead of pulling in too many dependencies */
int
parse_line(const char *line, char **p, const int n, const char *file,