mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-22 17:39:53 +03:00
Added possibility to load CA certificates from chain_certs folder to allow verifying the client certificates against it.
This commit is contained in:
parent
24bd2b3198
commit
a2b7cb0148
@ -251,7 +251,7 @@ void PPPThread(THREAD *thread, void *param)
|
|||||||
{
|
{
|
||||||
PPPSetStatus(p, PPP_STATUS_FAIL);
|
PPPSetStatus(p, PPP_STATUS_FAIL);
|
||||||
WHERE;
|
WHERE;
|
||||||
return false;
|
break;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case PPP_EAP_TYPE_IDENTITY:
|
case PPP_EAP_TYPE_IDENTITY:
|
||||||
@ -265,7 +265,7 @@ void PPPThread(THREAD *thread, void *param)
|
|||||||
{
|
{
|
||||||
PPPSetStatus(p, PPP_STATUS_FAIL);
|
PPPSetStatus(p, PPP_STATUS_FAIL);
|
||||||
WHERE;
|
WHERE;
|
||||||
return false;
|
break;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -407,7 +407,7 @@ void PPPThread(THREAD *thread, void *param)
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
WaitForTubes(tubes, 1, 1000); // Increasing timeout to make the ticks a bit slower
|
WaitForTubes(tubes, 1, 300); // Increasing timeout to make the ticks a bit slower
|
||||||
}
|
}
|
||||||
|
|
||||||
if (IsTubeConnected(p->TubeRecv) == false || IsTubeConnected(p->TubeSend) == false)
|
if (IsTubeConnected(p->TubeRecv) == false || IsTubeConnected(p->TubeSend) == false)
|
||||||
@ -3053,7 +3053,7 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION* p, PPP_EAP* eap_packet, UINT eapTlsSi
|
|||||||
|
|
||||||
ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, d.HubName, d.UserName, "",
|
ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, d.HubName, d.UserName, "",
|
||||||
&error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
|
&error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
|
||||||
p->ClientHostname, p->CryptName, false, p->AdjustMss, NULL, NULL,
|
p->ClientHostname, p->CryptName, false, p->AdjustMss, NULL, p->Eap_TlsCtx.clientCert.X,
|
||||||
IPC_LAYER_3);
|
IPC_LAYER_3);
|
||||||
|
|
||||||
if (ipc != NULL)
|
if (ipc != NULL)
|
||||||
@ -3112,7 +3112,6 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION* p, PPP_EAP* eap_packet, UINT eapTlsSi
|
|||||||
// First we initialize the SslPipe if it is not already inited
|
// First we initialize the SslPipe if it is not already inited
|
||||||
if (p->Eap_TlsCtx.SslPipe == NULL)
|
if (p->Eap_TlsCtx.SslPipe == NULL)
|
||||||
{
|
{
|
||||||
p->Eap_TlsCtx.clientCert.IgnorePreverifyErr = true;
|
|
||||||
p->Eap_TlsCtx.Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT);
|
p->Eap_TlsCtx.Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT);
|
||||||
p->Eap_TlsCtx.SslPipe = NewSslPipeEx(true, p->Cedar->ServerX, p->Cedar->ServerK, p->Eap_TlsCtx.Dh, true, &(p->Eap_TlsCtx.clientCert));
|
p->Eap_TlsCtx.SslPipe = NewSslPipeEx(true, p->Cedar->ServerX, p->Cedar->ServerK, p->Eap_TlsCtx.Dh, true, &(p->Eap_TlsCtx.clientCert));
|
||||||
}
|
}
|
||||||
|
@ -5689,7 +5689,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||||||
{
|
{
|
||||||
clientcert->PreverifyErr = X509_STORE_CTX_get_error(ctx);
|
clientcert->PreverifyErr = X509_STORE_CTX_get_error(ctx);
|
||||||
clientcert->PreverifyErrMessage[0] = '\0';
|
clientcert->PreverifyErrMessage[0] = '\0';
|
||||||
if (!preverify_ok && !clientcert->IgnorePreverifyErr)
|
if (!preverify_ok)
|
||||||
{
|
{
|
||||||
const char *msg = X509_verify_cert_error_string(clientcert->PreverifyErr);
|
const char *msg = X509_verify_cert_error_string(clientcert->PreverifyErr);
|
||||||
StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
|
StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
|
||||||
@ -11785,7 +11785,15 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
|
|||||||
|
|
||||||
if (x_copy != NULL)
|
if (x_copy != NULL)
|
||||||
{
|
{
|
||||||
SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
|
if (x_copy->root_cert)
|
||||||
|
{
|
||||||
|
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
|
||||||
|
X509_STORE_add_cert(store, x->x509);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
|
||||||
|
}
|
||||||
x_copy->do_not_free = true;
|
x_copy->do_not_free = true;
|
||||||
|
|
||||||
ret = true;
|
ret = true;
|
||||||
|
@ -1403,7 +1403,6 @@ void UnixWaitForTubes(TUBE **tubes, UINT num, UINT timeout);
|
|||||||
#define PREVERIFY_ERR_MESSAGE_SIZE 100
|
#define PREVERIFY_ERR_MESSAGE_SIZE 100
|
||||||
// Info on client certificate collected during TLS handshake
|
// Info on client certificate collected during TLS handshake
|
||||||
struct SslClientCertInfo {
|
struct SslClientCertInfo {
|
||||||
bool IgnorePreverifyErr;
|
|
||||||
int PreverifyErr;
|
int PreverifyErr;
|
||||||
char PreverifyErrMessage[PREVERIFY_ERR_MESSAGE_SIZE];
|
char PreverifyErrMessage[PREVERIFY_ERR_MESSAGE_SIZE];
|
||||||
X *X;
|
X *X;
|
||||||
|
Loading…
Reference in New Issue
Block a user