From 65bcbc8db34da65fbe97ee3d9054d26b6752a6e3 Mon Sep 17 00:00:00 2001
From: domosekai <54519668+domosekai@users.noreply.github.com>
Date: Mon, 21 Jun 2021 09:51:22 +0000
Subject: [PATCH] Mayaqua/Network.c: Fix EAP-TLS chain certificate verification

---
 src/Mayaqua/Network.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 3c20154f..a3059827 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -5670,7 +5670,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 			StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
 			Debug("SslCertVerifyCallback preverify error: '%s'\n", msg);
 		}
-		else
+		else if (X509_STORE_CTX_get_error_depth(ctx) == 0)
 		{
 			cert = X509_STORE_CTX_get0_cert(ctx);
 			if (cert != NULL)
@@ -5736,6 +5736,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 		if (verify_peer)
 		{
 			SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback);
+
+			if (server_mode)
+			{
+				// Allow incomplete client trust chain
+				X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
+				X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
+			}
 		}
 
 		if (dh != NULL)
@@ -11610,16 +11617,7 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
 
 	if (x_copy != NULL)
 	{
-		if (x_copy->root_cert)
-		{
-			X509_STORE *store = SSL_CTX_get_cert_store(ctx);
-			X509_STORE_add_cert(store, x_copy->x509);
-			X509_free(x_copy->x509);
-		}
-		else
-		{
-			SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
-		}
+		SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
 		x_copy->do_not_free = true;
 
 		ret = true;