From 65bcbc8db34da65fbe97ee3d9054d26b6752a6e3 Mon Sep 17 00:00:00 2001
From: domosekai <54519668+domosekai@users.noreply.github.com>
Date: Mon, 21 Jun 2021 09:51:22 +0000
Subject: [PATCH] Mayaqua/Network.c: Fix EAP-TLS chain certificate verification

---
 src/Mayaqua/Network.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 3c20154f..a3059827 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -5670,7 +5670,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
 Debug("SslCertVerifyCallback preverify error: '%s'\n", msg);
 }
-else
+else if (X509_STORE_CTX_get_error_depth(ctx) == 0)
 {
 cert = X509_STORE_CTX_get0_cert(ctx);
 if (cert != NULL)
@@ -5736,6 +5736,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 if (verify_peer)
 {
 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback);
+
+if (server_mode)
+{
+// Allow incomplete client trust chain
+X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
+X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
+}
 }

 if (dh != NULL)
@@ -11610,16 +11617,7 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
 if (x_copy != NULL)
 {
-if (x_copy->root_cert)
-{
-X509_STORE *store = SSL_CTX_get_cert_store(ctx);
-X509_STORE_add_cert(store, x_copy->x509);
-X509_free(x_copy->x509);
-}
-else
-{
-SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
-}
+SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
 x_copy->do_not_free = true;
 ret = true;
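Review bot: The new depth guard on the `else` branch of SslCertVerifyCallback deserves a comment, because the reason it is safe is not visible from the line itself: `X509_STORE_CTX_get0_cert(ctx)` returns the certificate under verification (the end-entity) rather than the element at the current depth, so before this change the same leaf was captured once per chain element, and the guard merely restricts that capture to the single depth-0 invocation. A comment such as `// The verify callback fires once per chain element; copy the end-entity certificate only on the depth-0 call, upper elements just pass through` would make that intent explicit for the next reader. Note that the `preverify_ok == 0` branch above is still taken at every depth, so a failing intermediate is still recorded in PreverifyErrMessage; what the callback returns for a successful non-zero depth is outside this hunk, as is the rest of the function body.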
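Review bot: The comment `// Allow incomplete client trust chain` in the new server_mode block of NewSslPipeEx misdescribes what `X509_V_FLAG_PARTIAL_CHAIN` does: the flag does not tolerate a missing intermediate, it lets verification succeed as soon as the chain reaches any certificate present in the trust store, even a non-self-signed one, so an intermediate CA placed in the store becomes a trust anchor in its own right. I would reword it to `// X509_V_FLAG_PARTIAL_CHAIN: accept a client chain that terminates at any certificate in the trust store, not only a self-signed root, so an intermediate CA can act as the trust anchor` so that whoever populates the store later understands that every certificate added to it is trusted as an anchor. The flag is set on the SSL_CTX-wide parameters and therefore applies to every connection created from this context, which is presumably intended for the EAP-TLS server path but worth stating. The unchecked return of `X509_VERIFY_PARAM_set_flags` is harmless in practice, and the remainder of NewSslPipeEx lies outside the hunk.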