AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2025-07-06 07:44:57 +03:00
Code Releases Activity

* Implementing user search by certificate common name.

Browse Source 
* Reworking EAP-TLS flow
* Implementing iterative TLS downgrade supporting PPPD TLS 1.3+Tickets, Windows TLS 1.3 w/o Tickets, VPN Client Pro TLS 1.2.
This commit is contained in:
Evengard
2023-01-22 22:58:14 +03:00
parent 8362637353
commit 149096e13c
6 changed files with 262 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/Mayaqua/Network.c
View File

@ -5713,7 +5713,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{
return NewSslPipeEx2(server_mode, x, k, NULL, dh, verify_peer, clientcert);
}
SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert)
SSL_PIPE* NewSslPipeEx2(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert)
{
return NewSslPipeEx3(server_mode, x, k, chain, dh, verify_peer, clientcert, false, false);
}
SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert, bool disableTls13Tickets, bool disableTls13)
{
SSL_PIPE *s;
SSL *ssl;
@ -5723,10 +5729,6 @@ SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
{
if (server_mode)
{
#ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it
#endif
if (chain == NULL)
{
AddChainSslCertOnDirectory(ssl_ctx);
@ -5784,6 +5786,18 @@ SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
SSL_CTX_set_options(ssl_ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
}
#ifdef SSL_OP_NO_TLSv1_3
if (disableTls13)
{
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
}
if (disableTls13Tickets)
{
SSL_CTX_set_num_tickets(ssl_ctx, 0);
}
#endif
ssl = SSL_new(ssl_ctx);
SSL_set_ex_data(ssl, GetSslClientCertIndex(), clientcert);
@ -15832,6 +15846,14 @@ DH *TmpDhCallback(SSL *ssl, int is_export, int keylength)
return ret;
}
// Log SSL keys
void keylog_cb_func(const SSL* ssl, const char* line)
{
Debug("SSL_KEYLOG_BEGIN\n");
Debug(line);
Debug("\nSSL_KEYLOG_END\n");
}
// Create the SSL_CTX
struct ssl_ctx_st *NewSSLCtx(bool server_mode)
{
@ -15868,6 +15890,8 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
SSL_CTX_set_ecdh_auto(ctx, 1);
#endif // SSL_CTX_set_ecdh_auto
SSL_CTX_set_keylog_callback(ctx, &keylog_cb_func);
return ctx;
}

1
src/Mayaqua/Network.h
View File

@ -1407,6 +1407,7 @@ struct SslClientCertInfo {
SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh);
SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert);
SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert);
SSL_PIPE* NewSslPipeEx3(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert, bool disableTls13Tickets, bool disableTls13);
void FreeSslPipe(SSL_PIPE *s);
bool SyncSslPipe(SSL_PIPE *s);