fixup! Implement OpenVPN certificate authentication, fixes #55

2025-06-28 11:55:08 +03:00 · 2018-03-18 19:02:08 +03:00 · 2018-03-18 19:02:08 +03:00 · 4d2857974b
commit 4d2857974b
parent 56632b241f
5 changed files with 10 additions and 8 deletions
--- a/src/Cedar/Interop_OpenVPN.c
+++ b/src/Cedar/Interop_OpenVPN.c
@ -797,13 +797,13 @@ void OvsSetupSessionParameters(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN_C
 			OvsLog(s, se, c, "LO_CLIENT_CERT", "(unknown CN)");
 		}
 	}
-	else if (!!c->ClientCert.PreverifyErr)
+	else if (!c->ClientCert.PreverifyErr)
 	{
-		OvsLog(s, se, c, "LO_CLIENT_UNVERIFIED_CERT", c->ClientCert.PreverifyErrMessage);
+		OvsLog(s, se, c, "LO_CLIENT_NO_CERT");
 	}
 	else
 	{
-		OvsLog(s, se, c, "LO_CLIENT_NO_CERT");
+		OvsLog(s, se, c, "LO_CLIENT_UNVERIFIED_CERT", c->ClientCert.PreverifyErrMessage);
 	}

 	Zero(opt_str, sizeof(opt_str));
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@ -2073,7 +2073,6 @@ bool ServerAccept(CONNECTION *c)
 					{
 						// Certificate authentication
 						cert_size = PackGetDataSize(p, "cert");
-
 						if (cert_size >= 1 && cert_size <= 100000)
 						{
 							cert_buf = ZeroMalloc(cert_size);
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -5822,7 +5822,6 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)

 	if (clientcert != NULL)
 	{
-		clientcert->PreverifyOk = preverify_ok;
 		clientcert->PreverifyErr = 0;
 		clientcert->PreverifyErrMessage[0] = '\0';
 		if (!preverify_ok)
@ -5845,7 +5844,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 		}
 	}

-	return 1;
+	return 1; /* allow the verification process to continue */
 }

 // Create a new SSL pipe
@ -5880,7 +5879,8 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 		}

-		if (verify_peer) {  
+		if (verify_peer)
+		{
 			SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback);
 		}

--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -1618,7 +1618,6 @@ void UnixWaitForTubes(TUBE **tubes, UINT num, UINT timeout);
 #define PREVERIFY_ERR_MESSAGE_SIZE 100
 // Info on client certificate collected during TLS handshake
 struct SslClientCertInfo {
-	int PreverifyOk;
 	int PreverifyErr;
 	char PreverifyErrMessage[PREVERIFY_ERR_MESSAGE_SIZE];
 	X *X;
--- a/src/bin/hamcore/strtable_tw.stb
+++ b/src/bin/hamcore/strtable_tw.stb
@ -1812,6 +1812,9 @@ LO_PREFIX_CHANNEL		OpenVPN 會話%u (%r:%u -> %r:%u) 通道 %u:
 LO_NEW_CHANNEL			已創建一個新通道。
 LO_CHANNEL_ESTABLISHED_NEWKEY	通道已建立。(觸發器: Re-key完成。)
 LO_OPTION_STR_RECV		接收到的選項字串："%S"
+LO_CLIENT_CERT			Client certificate received (subject: CN="%s"), will use certificate authentication.
+LO_CLIENT_UNVERIFIED_CERT		Client certificate was provided but did not pass verification (error="%S"), will use password authentication.
+LO_CLIENT_NO_CERT		Client certificate is not provided, will use password authentication.
 LO_OPTION_STR_SEND		發送選項字串："%S"
 LO_NEW_SESSION			已創建新的會話。協議：%S
 LO_INITIATE_REKEY			re-keying 進程已開始。
@ -1908,6 +1911,7 @@ LH_AUTH_PASSWORD		密碼驗證
 LH_AUTH_PLAIN_PASSWORD	外部伺服器身份驗證
 LH_AUTH_CERT			證書驗證
 LH_AUTH_TICKET			票證驗證
+LH_AUTH_OPENVPN_CERT			OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT	連接 "%S": 用戶 "%S" 身份驗證方法 RADIUS 或 Active Directory (NT 域)，但 VPN Server 是 "%S"，因為 RADIUS 或 Active Directory (NT 域)不能使用。連接被拒絕。
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	"%S" 的連接方法: 用戶 "%S" 的身份驗證方法被指定為 RADIUS 身份驗證或 Active Directory 身份驗證 (NT 域驗證)。然而，這樣一個外部用戶身份驗證功能尚未在 SoftEther VPN 的開源版本上實施。該連接將被拒絕。
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE	"%S" 的連接方法: 用戶 "%S" 的身份驗證方法被指定為證書認證。然而，證書驗證功能尚未在 SoftEther VPN 的開源版本上實施。該連接將被拒絕。