AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-09-19 18:20:40 +03:00
Code Releases Activity

Mayaqua/Network.c: Fix EAP-TLS chain certificate verification

Browse Source
This commit is contained in:
domosekai 2021-06-21 09:51:22 +00:00
parent 43a80702a9
commit 65bcbc8db3
1 changed files with 9 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/Mayaqua/Network.c
View File

@ -5670,7 +5670,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg); StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
Debug("SslCertVerifyCallback preverify error: '%s'\n", msg); Debug("SslCertVerifyCallback preverify error: '%s'\n", msg);
} }
else else if (X509_STORE_CTX_get_error_depth(ctx) == 0)
{ {
cert = X509_STORE_CTX_get0_cert(ctx); cert = X509_STORE_CTX_get0_cert(ctx);
if (cert != NULL) if (cert != NULL)
@ -5736,6 +5736,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
if (verify_peer) if (verify_peer)
{ {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback); SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback);
if (server_mode)
{
// Allow incomplete client trust chain
X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
}
} }
if (dh != NULL) if (dh != NULL)
@ -11610,16 +11617,7 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
if (x_copy != NULL) if (x_copy != NULL)
{ {
if (x_copy->root_cert) SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
{
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(store, x_copy->x509);
X509_free(x_copy->x509);
}
else
{
SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
}
x_copy->do_not_free = true; x_copy->do_not_free = true;
ret = true; ret = true;