1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-23 01:49:53 +03:00

* Implementing user search by certificate common name.

* Reworking EAP-TLS flow
* Implementing iterative TLS downgrade supporting PPPD TLS 1.3+Tickets, Windows TLS 1.3 w/o Tickets, VPN Client Pro TLS 1.2.
This commit is contained in:
Evengard 2023-01-22 22:58:14 +03:00
parent 8362637353
commit 149096e13c
6 changed files with 262 additions and 126 deletions

View File

@ -897,6 +897,32 @@ USER *AcGetUser(HUB *h, char *name)
return u; return u;
} }
USER* AcGetUserByCert(HUB *h, char *common_name)
{
int i;
for (i = 0; i < LIST_NUM(h->HubDb->UserList); i++)
{
USER* u = LIST_DATA(h->HubDb->UserList, i);
if (u->AuthType == AUTHTYPE_USERCERT)
{
X* cert = ((AUTHUSERCERT*)u->AuthData)->UserX;
if (cert != NULL)
{
char cname[MAX_SIZE];
UniToStr(cname, sizeof(cname), cert->subject_name->CommonName);
if (StrCmp(common_name, cname) == 0)
{
AddRef(u->ref);
return u;
}
}
}
}
return NULL;
}
// Delete the user // Delete the user
bool AcDeleteUser(HUB *h, char *name) bool AcDeleteUser(HUB *h, char *name)
{ {

View File

@ -177,6 +177,7 @@ void FreeAuthData(UINT authtype, void *authdata);
bool AcAddUser(HUB *h, USER *u); bool AcAddUser(HUB *h, USER *u);
bool AcAddGroup(HUB *h, USERGROUP *g); bool AcAddGroup(HUB *h, USERGROUP *g);
USER *AcGetUser(HUB *h, char *name); USER *AcGetUser(HUB *h, char *name);
USER* AcGetUserByCert(HUB* h, char *common_name);
USERGROUP *AcGetGroup(HUB *h, char *name); USERGROUP *AcGetGroup(HUB *h, char *name);
bool AcIsUser(HUB *h, char *name); bool AcIsUser(HUB *h, char *name);
bool AcIsGroup(HUB *h, char *name); bool AcIsGroup(HUB *h, char *name);

View File

@ -13,7 +13,6 @@
#include "Hub.h" #include "Hub.h"
#include "IPC.h" #include "IPC.h"
#include "Logging.h" #include "Logging.h"
#include "Proto_IPsec.h"
#include "Radius.h" #include "Radius.h"
#include "Server.h" #include "Server.h"
@ -599,6 +598,9 @@ THREAD *NewPPPSession(CEDAR *cedar, IP *client_ip, UINT client_port, IP *server_
p->AuthProtocol = PPP_UNSPECIFIED; p->AuthProtocol = PPP_UNSPECIFIED;
p->MsChapV2_ErrorCode = 691; p->MsChapV2_ErrorCode = 691;
p->EapClient = NULL; p->EapClient = NULL;
Zero(&p->Eap_Identity, sizeof(p->Eap_Identity));
p->Eap_TlsCtx.DisableTls13 = false;
p->Eap_TlsCtx.DisableTls13SessionTickets = false;
p->DataTimeout = PPP_DATA_TIMEOUT; p->DataTimeout = PPP_DATA_TIMEOUT;
p->PacketRecvTimeout = PPP_PACKET_RECV_TIMEOUT; p->PacketRecvTimeout = PPP_PACKET_RECV_TIMEOUT;
@ -1263,12 +1265,12 @@ bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req
UINT64 offer = 0; UINT64 offer = 0;
PPP_LCP *c; PPP_LCP *c;
UCHAR ms_chap_v2_code[3]; UCHAR ms_chap_v2_code[3];
ETHERIP_ID d;
char username[MAX_SIZE]; char username[MAX_SIZE];
char hubname[MAX_SIZE]; char hubname[MAX_SIZE];
HUB *hub; HUB *hub;
bool found = false; bool found = false;
UINT authtype; UINT authtype;
UCHAR eapidentitypkt[MAX_SIZE] = { 0 };
WRITE_USHORT(ms_chap_v2_code, PPP_LCP_AUTH_CHAP); WRITE_USHORT(ms_chap_v2_code, PPP_LCP_AUTH_CHAP);
ms_chap_v2_code[2] = PPP_CHAP_ALG_MS_CHAP_V2; ms_chap_v2_code[2] = PPP_CHAP_ALG_MS_CHAP_V2;
@ -1277,24 +1279,31 @@ bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req
{ {
case PPP_EAP_TYPE_IDENTITY: case PPP_EAP_TYPE_IDENTITY:
// Parse username // Parse username
Copy(p->Eap_Identity, eap_packet->Data, MIN(MAX_SIZE, eap_datasize)); Copy(eapidentitypkt, eap_packet->Data, MIN(MAX_SIZE, eap_datasize));
Zero(&d, sizeof(d)); Zero(&p->Eap_Identity, sizeof(p->Eap_Identity));
PPPParseUsername(p->Cedar, p->Eap_Identity, &d); PPPParseUsername(p->Cedar, eapidentitypkt, &p->Eap_Identity);
StrCpy(username, sizeof(username), d.UserName); Debug("EAP: username=%s, hubname=%s\n", p->Eap_Identity.UserName, p->Eap_Identity.HubName);
StrCpy(hubname, sizeof(hubname), d.HubName);
Debug("EAP: username=%s, hubname=%s\n", username, hubname);
// Locate user // Locate user
LockHubList(p->Cedar); LockHubList(p->Cedar);
{ {
hub = GetHub(p->Cedar, hubname); hub = GetHub(p->Cedar, p->Eap_Identity.HubName);
} }
UnlockHubList(p->Cedar); UnlockHubList(p->Cedar);
if (hub != NULL) if (hub != NULL)
{ {
AcLock(hub); AcLock(hub);
{ {
USER *user = AcGetUser(hub, username); USER *user = AcGetUser(hub, p->Eap_Identity.UserName);
if (user == NULL)
{
user = AcGetUserByCert(hub, p->Eap_Identity.UserName);
if (user != NULL)
{
// We overwrite the identity by the one we found
StrCpy(p->Eap_Identity.UserName, sizeof(p->Eap_Identity.UserName), user->Name);
}
}
if (user == NULL) if (user == NULL)
{ {
user = AcGetUser(hub, "*"); user = AcGetUser(hub, "*");
@ -3422,7 +3431,7 @@ bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip)
} }
// EAP packet utilities // EAP packet utilities
bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSize) bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
{ {
UCHAR *dataBuffer; UCHAR *dataBuffer;
UINT dataSize; UINT dataSize;
@ -3432,8 +3441,8 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
PPP_EAP *eap; PPP_EAP *eap;
UCHAR flags = PPP_EAP_TLS_FLAG_NONE; UCHAR flags = PPP_EAP_TLS_FLAG_NONE;
UINT sizeLeft = 0; UINT sizeLeft = 0;
Debug("Got EAP-TLS size=%i\n", eapTlsSize); Debug("Got EAP-TLS size=%i\n", eapSize);
if (eapTlsSize == 1) if (eapSize == 1 && p->Eap_TlsCtx.ClientCert.X == NULL)
{ {
// This is an EAP-TLS message ACK // This is an EAP-TLS message ACK
if (p->Eap_TlsCtx.CachedBufferSend != NULL) if (p->Eap_TlsCtx.CachedBufferSend != NULL)
@ -3471,116 +3480,25 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
p->Eap_TlsCtx.CachedBufferSendPntr = NULL; p->Eap_TlsCtx.CachedBufferSendPntr = NULL;
} }
} }
else else if (p->Eap_TlsCtx.ClientCert.X == NULL)
{ {
// It probably should be the final ACK on closed SSL pipe // Some clients needs a little help it seems - namely VPN Client Pro on Android
SyncSslPipe(p->Eap_TlsCtx.SslPipe); flags |= PPP_EAP_TLS_FLAG_SSLSTARTED;
if (p->Eap_TlsCtx.ClientCert.X != NULL) p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, 0, flags);
PPPSetStatus(p, PPP_STATUS_AUTHENTICATING);
if (PPPSendAndRetransmitRequest(p, PPP_PROTOCOL_EAP, lcp) == false)
{ {
IPC *ipc; PPPSetStatus(p, PPP_STATUS_FAIL);
ETHERIP_ID d; WHERE;
UINT error_code; return false;
/*if (!p->Eap_TlsCtx.SslPipe->IsDisconnected)
{
dataSize = FifoSize(p->Eap_TlsCtx.SslPipe->RawOut->RecvFifo);
p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, dataSize, 0);
eap = lcp->Data;
ReadFifo(p->Eap_TlsCtx.SslPipe->RawOut->RecvFifo, &(eap->Tls.TlsDataWithoutLength), dataSize);
if (!PPPSendAndRetransmitRequest(p, PPP_PROTOCOL_EAP, lcp))
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags);
return true;
}*/
PPPParseUsername(p->Cedar, p->Eap_Identity, &d);
ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, d.HubName, d.UserName, "", NULL,
&error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
p->ClientHostname, p->CryptName, false, p->AdjustMss, NULL, p->Eap_TlsCtx.ClientCert.X,
IPC_LAYER_3);
if (ipc != NULL)
{
PPP_PACKET *pack;
UINT identificator = p->Eap_PacketId;
p->Ipc = ipc;
PPPSetStatus(p, PPP_STATUS_AUTH_SUCCESS);
// Setting user timeouts
p->PacketRecvTimeout = (UINT64)p->Ipc->Policy->TimeOut * 1000 * 3 / 4; // setting to 3/4 of the user timeout
p->DataTimeout = (UINT64)p->Ipc->Policy->TimeOut * 1000;
if (p->TubeRecv != NULL)
{
p->TubeRecv->DataTimeout = p->DataTimeout;
}
p->UserConnectionTimeout = (UINT64)p->Ipc->Policy->AutoDisconnect * 1000;
p->UserConnectionTick = Tick64();
// Just send an EAP-Success
pack = ZeroMalloc(sizeof(PPP_PACKET));
pack->IsControl = true;
pack->Protocol = PPP_PROTOCOL_EAP;
lcp = NewPPPLCP(PPP_EAP_CODE_SUCCESS, identificator);
pack->Lcp = lcp;
Debug("Sent EAP-TLS size=%i SUCCESS\n", lcp->DataSize);
if (PPPSendPacketAndFree(p, pack) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
return true;
}
else
{
PPP_PACKET *pack;
UINT identificator = p->Eap_PacketId;
PPPSetStatus(p, PPP_STATUS_AUTH_FAIL);
pack = ZeroMalloc(sizeof(PPP_PACKET));
pack->IsControl = true;
pack->Protocol = PPP_PROTOCOL_EAP;
lcp = NewPPPLCP(PPP_EAP_CODE_FAILURE, identificator);
pack->Lcp = lcp;
Debug("Sent EAP-TLS size=%i FAILURE\n", lcp->DataSize);
if (PPPSendPacketAndFree(p, pack) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
return false;
}
}
else
{
// Some clients needs a little help it seems - namely VPN Client Pro on Android
flags |= PPP_EAP_TLS_FLAG_SSLSTARTED;
p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, 0, flags);
PPPSetStatus(p, PPP_STATUS_AUTHENTICATING);
if (PPPSendAndRetransmitRequest(p, PPP_PROTOCOL_EAP, lcp) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
Debug("Sent EAP-TLS size=%i\n", lcp->DataSize);
return true;
} }
Debug("Sent EAP-TLS size=%i\n", lcp->DataSize);
} }
return true; return true;
} }
dataBuffer = eap_packet->Tls.TlsDataWithoutLength; dataBuffer = eap_packet->Tls.TlsDataWithoutLength;
dataSize = eapTlsSize - 1; dataSize = eapSize - 1;
if (eap_packet->Tls.Flags & PPP_EAP_TLS_FLAG_TLS_LENGTH) if (eap_packet->Tls.Flags & PPP_EAP_TLS_FLAG_TLS_LENGTH)
{ {
dataBuffer = eap_packet->Tls.TlsDataWithLength.Data; dataBuffer = eap_packet->Tls.TlsDataWithLength.Data;
@ -3605,7 +3523,7 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
if (p->Eap_TlsCtx.SslPipe == NULL) if (p->Eap_TlsCtx.SslPipe == NULL)
{ {
p->Eap_TlsCtx.Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT); p->Eap_TlsCtx.Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT);
p->Eap_TlsCtx.SslPipe = NewSslPipeEx2(true, p->Cedar->ServerX, p->Cedar->ServerK, p->Cedar->ServerChain, p->Eap_TlsCtx.Dh, true, &(p->Eap_TlsCtx.ClientCert)); p->Eap_TlsCtx.SslPipe = NewSslPipeEx3(true, p->Cedar->ServerX, p->Cedar->ServerK, p->Cedar->ServerChain, p->Eap_TlsCtx.Dh, true, &(p->Eap_TlsCtx.ClientCert), p->Eap_TlsCtx.DisableTls13SessionTickets, p->Eap_TlsCtx.DisableTls13);
} }
// If the current frame is fragmented, or it is a possible last of a fragmented series, bufferize it // If the current frame is fragmented, or it is a possible last of a fragmented series, bufferize it
@ -3652,9 +3570,11 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
return false; return false;
} }
Debug("Sent EAP-TLS size=%i\n", lcp->DataSize); Debug("Sent EAP-TLS size=%i\n", lcp->DataSize);
return true;
} }
else else
{ {
bool syncOk;
/*Debug("=======RECV EAP-TLS FIFO DUMP=======\n"); /*Debug("=======RECV EAP-TLS FIFO DUMP=======\n");
for (i = 0; i < dataSize; i++) for (i = 0; i < dataSize; i++)
{ {
@ -3663,7 +3583,8 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
} }
Debug("\n=======RECV EAP-TLS PACKET FIFO END=======\n");*/ Debug("\n=======RECV EAP-TLS PACKET FIFO END=======\n");*/
WriteFifo(p->Eap_TlsCtx.SslPipe->RawIn->SendFifo, dataBuffer, dataSize); WriteFifo(p->Eap_TlsCtx.SslPipe->RawIn->SendFifo, dataBuffer, dataSize);
SyncSslPipe(p->Eap_TlsCtx.SslPipe); syncOk = SyncSslPipe(p->Eap_TlsCtx.SslPipe);
// Delete the cached buffer after we fed it into the pipe // Delete the cached buffer after we fed it into the pipe
if (p->Eap_TlsCtx.CachedBufferRecv != NULL) if (p->Eap_TlsCtx.CachedBufferRecv != NULL)
{ {
@ -3672,6 +3593,36 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
p->Eap_TlsCtx.CachedBufferRecvPntr = NULL; p->Eap_TlsCtx.CachedBufferRecvPntr = NULL;
} }
// Very special case - we attempt to restart without TLS 1.3
if (!syncOk && (p->Eap_TlsCtx.DisableTls13 == false || p->Eap_TlsCtx.DisableTls13SessionTickets == false))
{
FreeSslPipe(p->Eap_TlsCtx.SslPipe);
DhFree(p->Eap_TlsCtx.Dh);
p->Eap_TlsCtx.SslPipe = NULL;
p->Eap_TlsCtx.Dh = NULL;
if (p->Eap_TlsCtx.DisableTls13SessionTickets == true)
{
p->Eap_TlsCtx.DisableTls13 = true;
}
else
{
p->Eap_TlsCtx.DisableTls13SessionTickets = true;
}
flags |= PPP_EAP_TLS_FLAG_SSLSTARTED;
p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, 0, flags);
if (PPPSendAndRetransmitRequest(p, PPP_PROTOCOL_EAP, lcp) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
Debug("EAP-TLS: Restarting the handshake! DisableTls13SessionTickets = %d, DisableTls13 = %d\n", p->Eap_TlsCtx.DisableTls13SessionTickets, p->Eap_TlsCtx.DisableTls13);
Debug("Sent EAP-TLS size=%i\n", lcp->DataSize);
return false;
}
// We continue the TLS handshake
if (p->Eap_TlsCtx.SslPipe->IsDisconnected == false) if (p->Eap_TlsCtx.SslPipe->IsDisconnected == false)
{ {
dataSize = FifoSize(p->Eap_TlsCtx.SslPipe->RawOut->RecvFifo); dataSize = FifoSize(p->Eap_TlsCtx.SslPipe->RawOut->RecvFifo);
@ -3703,8 +3654,9 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
return false; return false;
} }
Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags); Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags);
return true;
} }
else else if (dataSize > 0 || p->Eap_TlsCtx.ClientCert.X == NULL)
{ {
p->Eap_PacketId = p->NextId++; p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, dataSize, 0); lcp = BuildEAPTlsRequest(p->Eap_PacketId, dataSize, 0);
@ -3717,8 +3669,137 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
return false; return false;
} }
Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags); Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags);
return true;
} }
} }
// Check if we received the client certificate and the handshake is finished
// If yes, we ignore everything else
if (p->Eap_TlsCtx.ClientCert.X != NULL)
{
IPC* ipc;
UINT error_code;
/*PPP_PACKET* pack;
// Send an ACK that we received the last packet
if (!p->Eap_TlsCtx.SslPipe->IsDisconnected)
{
p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, 0, 0);
eap = lcp->Data;
pack = ZeroMalloc(sizeof(PPP_PACKET));
pack->IsControl = true;
pack->Protocol = PPP_PROTOCOL_EAP;
pack->Lcp = lcp;
Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags);
if (PPPSendPacketAndFree(p, pack) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
}*/
/*if (!p->Eap_TlsCtx.SslPipe->IsDisconnected)
{
dataSize = FifoSize(p->Eap_TlsCtx.SslPipe->RawOut->RecvFifo);
p->Eap_PacketId = p->NextId++;
lcp = BuildEAPTlsRequest(p->Eap_PacketId, dataSize, 0);
eap = lcp->Data;
ReadFifo(p->Eap_TlsCtx.SslPipe->RawOut->RecvFifo, &(eap->Tls.TlsDataWithoutLength), dataSize);
if (!PPPSendAndRetransmitRequest(p, PPP_PROTOCOL_EAP, lcp))
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
Debug("Sent EAP-TLS size=%i type=%i flag=%i\n", lcp->DataSize, eap->Type, eap->Tls.Flags);
return true;
}*/
ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, p->Eap_Identity.HubName, p->Eap_Identity.UserName, "", NULL,
&error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
p->ClientHostname, p->CryptName, false, p->AdjustMss, NULL, p->Eap_TlsCtx.ClientCert.X,
IPC_LAYER_3);
if (ipc != NULL)
{
PPP_PACKET* pack;
UINT identificator = p->Eap_PacketId;
p->Ipc = ipc;
PPPSetStatus(p, PPP_STATUS_AUTH_SUCCESS);
// Setting user timeouts
p->PacketRecvTimeout = (UINT64)p->Ipc->Policy->TimeOut * 1000 * 3 / 4; // setting to 3/4 of the user timeout
p->DataTimeout = (UINT64)p->Ipc->Policy->TimeOut * 1000;
if (p->TubeRecv != NULL)
{
p->TubeRecv->DataTimeout = p->DataTimeout;
}
p->UserConnectionTimeout = (UINT64)p->Ipc->Policy->AutoDisconnect * 1000;
p->UserConnectionTick = Tick64();
// Just send an EAP-Success
pack = ZeroMalloc(sizeof(PPP_PACKET));
pack->IsControl = true;
pack->Protocol = PPP_PROTOCOL_EAP;
lcp = NewPPPLCP(PPP_EAP_CODE_SUCCESS, identificator);
pack->Lcp = lcp;
Debug("Sent EAP-TLS size=%i SUCCESS\n", lcp->DataSize);
if (PPPSendPacketAndFree(p, pack) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
return true;
}
else
{
PPP_PACKET* pack;
UINT identificator = p->Eap_PacketId;
PPPSetStatus(p, PPP_STATUS_AUTH_FAIL);
pack = ZeroMalloc(sizeof(PPP_PACKET));
pack->IsControl = true;
pack->Protocol = PPP_PROTOCOL_EAP;
lcp = NewPPPLCP(PPP_EAP_CODE_FAILURE, identificator);
pack->Lcp = lcp;
Debug("Sent EAP-TLS size=%i FAILURE\n", lcp->DataSize);
if (PPPSendPacketAndFree(p, pack) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
return false;
}
}
// If we end up here, we got problems, send an EAP failure
if (p->Eap_TlsCtx.SslPipe->IsDisconnected)
{
PPP_PACKET* pack;
UINT identificator = p->Eap_PacketId;
PPPSetStatus(p, PPP_STATUS_AUTH_FAIL);
pack = ZeroMalloc(sizeof(PPP_PACKET));
pack->IsControl = true;
pack->Protocol = PPP_PROTOCOL_EAP;
lcp = NewPPPLCP(PPP_EAP_CODE_FAILURE, identificator);
pack->Lcp = lcp;
Debug("Sent EAP-TLS size=%i FAILURE\n", lcp->DataSize);
if (PPPSendPacketAndFree(p, pack) == false)
{
PPPSetStatus(p, PPP_STATUS_FAIL);
WHERE;
return false;
}
return false;
}
} }
} }
else else

View File

@ -9,6 +9,7 @@
#define PROTO_PPP_H #define PROTO_PPP_H
#include "CedarType.h" #include "CedarType.h"
#include "Proto_IPsec.h"
#include "Mayaqua/TcpIp.h" #include "Mayaqua/TcpIp.h"
@ -229,6 +230,8 @@ struct PPP_EAP_TLS_CONTEXT
UCHAR *CachedBufferRecvPntr; UCHAR *CachedBufferRecvPntr;
UCHAR *CachedBufferSend; UCHAR *CachedBufferSend;
UCHAR *CachedBufferSendPntr; UCHAR *CachedBufferSendPntr;
bool DisableTls13;
bool DisableTls13SessionTickets;
}; };
// PPP request resend // PPP request resend
@ -302,7 +305,7 @@ struct PPP_SESSION
// EAP contexts // EAP contexts
UINT Eap_Protocol; // Current EAP Protocol used UINT Eap_Protocol; // Current EAP Protocol used
UINT Eap_PacketId; // EAP Packet ID; UINT Eap_PacketId; // EAP Packet ID;
UCHAR Eap_Identity[MAX_SIZE]; // Received from client identity ETHERIP_ID Eap_Identity; // Received from client identity
PPP_EAP_TLS_CONTEXT Eap_TlsCtx; // Context information for EAP TLS. May be possibly reused for EAP TTLS? PPP_EAP_TLS_CONTEXT Eap_TlsCtx; // Context information for EAP TLS. May be possibly reused for EAP TTLS?
LIST *SentReqPacketList; // Sent requests list LIST *SentReqPacketList; // Sent requests list
@ -387,7 +390,7 @@ bool PPPSetIPOptionToLCP(PPP_IPOPTION *o, PPP_LCP *c, bool only_modify);
bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip); bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip);
bool PPPSetIPAddressValueToLCP(PPP_LCP *c, UINT type, IP *ip, bool only_modify); bool PPPSetIPAddressValueToLCP(PPP_LCP *c, UINT type, IP *ip, bool only_modify);
// EAP packet utilities // EAP packet utilities
bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSize); bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize);
PPP_LCP *BuildEAPPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize); PPP_LCP *BuildEAPPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize);
PPP_LCP *BuildEAPTlsPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize, UCHAR flags); PPP_LCP *BuildEAPTlsPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize, UCHAR flags);
PPP_LCP *BuildEAPTlsRequest(UCHAR id, UINT datasize, UCHAR flags); PPP_LCP *BuildEAPTlsRequest(UCHAR id, UINT datasize, UCHAR flags);

View File

@ -5713,7 +5713,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{ {
return NewSslPipeEx2(server_mode, x, k, NULL, dh, verify_peer, clientcert); return NewSslPipeEx2(server_mode, x, k, NULL, dh, verify_peer, clientcert);
} }
SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert)
SSL_PIPE* NewSslPipeEx2(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert)
{
return NewSslPipeEx3(server_mode, x, k, chain, dh, verify_peer, clientcert, false, false);
}
SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert, bool disableTls13Tickets, bool disableTls13)
{ {
SSL_PIPE *s; SSL_PIPE *s;
SSL *ssl; SSL *ssl;
@ -5723,10 +5729,6 @@ SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
{ {
if (server_mode) if (server_mode)
{ {
#ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it
#endif
if (chain == NULL) if (chain == NULL)
{ {
AddChainSslCertOnDirectory(ssl_ctx); AddChainSslCertOnDirectory(ssl_ctx);
@ -5784,6 +5786,18 @@ SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
SSL_CTX_set_options(ssl_ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); SSL_CTX_set_options(ssl_ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
} }
#ifdef SSL_OP_NO_TLSv1_3
if (disableTls13)
{
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
}
if (disableTls13Tickets)
{
SSL_CTX_set_num_tickets(ssl_ctx, 0);
}
#endif
ssl = SSL_new(ssl_ctx); ssl = SSL_new(ssl_ctx);
SSL_set_ex_data(ssl, GetSslClientCertIndex(), clientcert); SSL_set_ex_data(ssl, GetSslClientCertIndex(), clientcert);
@ -15832,6 +15846,14 @@ DH *TmpDhCallback(SSL *ssl, int is_export, int keylength)
return ret; return ret;
} }
// Log SSL keys
void keylog_cb_func(const SSL* ssl, const char* line)
{
Debug("SSL_KEYLOG_BEGIN\n");
Debug(line);
Debug("\nSSL_KEYLOG_END\n");
}
// Create the SSL_CTX // Create the SSL_CTX
struct ssl_ctx_st *NewSSLCtx(bool server_mode) struct ssl_ctx_st *NewSSLCtx(bool server_mode)
{ {
@ -15868,6 +15890,8 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
SSL_CTX_set_ecdh_auto(ctx, 1); SSL_CTX_set_ecdh_auto(ctx, 1);
#endif // SSL_CTX_set_ecdh_auto #endif // SSL_CTX_set_ecdh_auto
SSL_CTX_set_keylog_callback(ctx, &keylog_cb_func);
return ctx; return ctx;
} }

View File

@ -1407,6 +1407,7 @@ struct SslClientCertInfo {
SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh); SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh);
SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert); SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert);
SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert); SSL_PIPE *NewSslPipeEx2(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, bool verify_peer, struct SslClientCertInfo *clientcert);
SSL_PIPE* NewSslPipeEx3(bool server_mode, X* x, K* k, LIST* chain, DH_CTX* dh, bool verify_peer, struct SslClientCertInfo* clientcert, bool disableTls13Tickets, bool disableTls13);
void FreeSslPipe(SSL_PIPE *s); void FreeSslPipe(SSL_PIPE *s);
bool SyncSslPipe(SSL_PIPE *s); bool SyncSslPipe(SSL_PIPE *s);