Merge pull request #1109 from Evengard/ppp-eap-tls
Implementation of EAP-TLS for PPP
commit
b41c17f45a
@ -500,6 +500,8 @@ typedef struct PPP_IPOPTION PPP_IPOPTION;
|
||||
typedef struct PPP_IPV6OPTION PPP_IPV6OPTION;
|
||||
typedef struct PPP_REQUEST_RESEND PPP_REQUEST_RESEND;
|
||||
typedef struct PPP_DELAYED_PACKET PPP_DELAYED_PACKET;
|
||||
typedef struct PPP_EAP PPP_EAP;
|
||||
typedef struct PPP_EAP_TLS_CONTEXT PPP_EAP_TLS_CONTEXT;
|
||||
|
||||
|
||||
// ==============================================================
|
||||
|
@ -948,7 +948,7 @@ DHCPV4_DATA *IPCSendDhcpRequest(IPC *ipc, IP *dest_ip, UINT tran_id, DHCP_OPTION
|
||||
BUF *IPCBuildDhcpRequest(IPC *ipc, IP *dest_ip, UINT tran_id, DHCP_OPTION_LIST *opt)
|
||||
{
|
||||
IPV4_HEADER ip;
|
||||
UDP_HEADER* udp;
|
||||
UDP_HEADER *udp;
|
||||
DHCPV4_HEADER dhcp;
|
||||
UINT blank_size = 128 + 64;
|
||||
BUF *ret;
|
||||
|
@ -1995,6 +1995,7 @@ UINT CalcL2TPMss(L2TP_SERVER *l2tp, L2TP_TUNNEL *t, L2TP_SESSION *s)
|
||||
// Start the L2TP thread
|
||||
void StartL2TPThread(L2TP_SERVER *l2tp, L2TP_TUNNEL *t, L2TP_SESSION *s)
|
||||
{
|
||||
PPP_SESSION* underlyingSession;
|
||||
// Validate arguments
|
||||
if (l2tp == NULL || t == NULL || s == NULL)
|
||||
{
|
||||
@ -2023,9 +2024,11 @@ void StartL2TPThread(L2TP_SERVER *l2tp, L2TP_TUNNEL *t, L2TP_SESSION *s)
|
||||
}
|
||||
|
||||
// Create a PPP thread
|
||||
s->Thread = NewPPPSession(l2tp->Cedar, &t->ClientIp, t->ClientPort, &t->ServerIp, t->ServerPort,
|
||||
underlyingSession = NewPPPSession(l2tp->Cedar, &t->ClientIp, t->ClientPort, &t->ServerIp, t->ServerPort,
|
||||
s->TubeSend, s->TubeRecv, L2TP_IPC_POSTFIX, tmp, t->HostName, l2tp->CryptName,
|
||||
CalcL2TPMss(l2tp, t, s));
|
||||
s->Thread = underlyingSession->SessionThread;
|
||||
s->PPPSession = underlyingSession;
|
||||
}
|
||||
}
|
||||
|
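Review bot: `underlyingSession` is dereferenced at `s->Thread = underlyingSession->SessionThread;` without a NULL check, whereas the old code stored the return value of NewPPPSession directly; if the new PPP_SESSION-returning NewPPPSession can return NULL (its body is in the suppressed Proto_PPP.c diff, so this is inferred from the argument-validation style used elsewhere in this file), the L2TP thread crashes instead of failing the session. The same pattern appears in SstpProcessDataPacket at `s->PPPSession = underlyingSession;` / `s->PPPThread = underlyingSession->SessionThread;`. Guard it, e.g. `if (underlyingSession != NULL) { s->Thread = underlyingSession->SessionThread; s->PPPSession = underlyingSession; }`, and have the caller treat the NULL case as a failed session. StartL2TPThread begins outside this hunk.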
||||
@ -2122,8 +2125,21 @@ void L2TPProcessInterrupts(L2TP_SERVER *l2tp)
|
||||
{
|
||||
L2TP_TUNNEL *t = LIST_DATA(l2tp->TunnelList, i);
|
||||
LIST *delete_session_list = NULL;
|
||||
UINT64 l2tpTimeout = L2TP_TUNNEL_TIMEOUT;
|
||||
|
||||
if ((l2tp->Now >= (t->LastRecvTick + (UINT64)L2TP_TUNNEL_TIMEOUT)) && t->Timedout == false)
|
||||
// If we got on ANY session a higher timeout than the default L2TP tunnel timeout, increase it
|
||||
for (i = 0; i < LIST_NUM(t->SessionList); i++)
|
||||
{
|
||||
L2TP_SESSION* s = LIST_DATA(t->SessionList, i);
|
||||
|
||||
if (s->PPPSession != NULL && s->PPPSession->DataTimeout > l2tpTimeout)
|
||||
{
|
||||
l2tpTimeout = s->PPPSession->DataTimeout;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ((l2tp->Now >= (t->LastRecvTick + (UINT64)l2tpTimeout)) && t->Timedout == false)
|
||||
{
|
||||
// Disconnect the tunnel forcibly if data can not be received for a certain period of time
|
||||
t->Timedout = true;
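Review bot: The new session loop `for (i = 0; i < LIST_NUM(t->SessionList); i++)` reuses `i`, which is also the index of the enclosing tunnel loop (`LIST_DATA(l2tp->TunnelList, i)` on the line above it), so after the inner loop the outer iteration continues from the session count rather than the current tunnel, skipping or mis-indexing tunnels. Use a separate index: declare `UINT j;` next to `UINT64 l2tpTimeout = L2TP_TUNNEL_TIMEOUT;`, then `for (j = 0; j < LIST_NUM(t->SessionList); j++)` and `L2TP_SESSION *s = LIST_DATA(t->SessionList, j);`. The enclosing tunnel loop starts outside this hunk, so its use of `i` after this block should be checked as well. The `L2TP_SESSION* s` declaration also breaks the file's `TYPE *name` pointer style used on the surrounding lines.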
|
||||
|
@ -169,6 +169,7 @@ struct L2TP_SESSION
|
||||
UINT64 DisconnectTimeout; // Disconnection completion time-out
|
||||
bool HasThread; // Whether have a thread
|
||||
THREAD *Thread; // Thread
|
||||
PPP_SESSION* PPPSession; // Underlying PPP session
|
||||
TUBE *TubeSend; // Tube of PPP to L2TP direction
|
||||
TUBE *TubeRecv; // Tube of L2TP to PPP direction
|
||||
UINT PseudowireType; // Type of L2TPv3 virtual line
|
||||
|
@ -21,22 +21,25 @@
|
||||
#define PPP_CHAP_CODE_IS_REQUEST(c) ((c) == PPP_CHAP_CODE_CHALLENGE || (c) == PPP_CHAP_CODE_SUCCESS || (c) == PPP_CHAP_CODE_FAILURE)
|
||||
#define PPP_CHAP_CODE_IS_RESPONSE(c) ((c) == PPP_CHAP_CODE_RESPONSE)
|
||||
|
||||
#define PPP_CODE_IS_RESPONSE(protocol, c) ((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_RESPONSE(c)))
|
||||
#define PPP_CODE_IS_REQUEST(protocol, c) ((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_REQUEST(c)))
|
||||
#define PPP_EAP_CODE_IS_REQUEST(c) ((c) == PPP_EAP_CODE_REQUEST)
|
||||
#define PPP_EAP_CODE_IS_RESPONSE(c) ((c) == PPP_EAP_CODE_RESPONSE || (c) == PPP_EAP_CODE_SUCCESS || (c) == PPP_EAP_CODE_FAILURE)
|
||||
|
||||
#define PPP_CODE_IS_RESPONSE(protocol, c) ((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_EAP) && PPP_EAP_CODE_IS_RESPONSE(c)))
|
||||
#define PPP_CODE_IS_REQUEST(protocol, c) ((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_EAP) && PPP_EAP_CODE_IS_REQUEST(c)))
|
||||
#define PPP_CODE_IS_WITH_OPTION_LIST(protocol, c) ((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_WITH_OPTION_LIST(c)) || false)
|
||||
|
||||
#define PPP_IS_SUPPORTED_PROTOCOL(p) ((p) == PPP_PROTOCOL_LCP || (p) == PPP_PROTOCOL_PAP || (p) == PPP_PROTOCOL_CHAP || (p) == PPP_PROTOCOL_IPCP || (p) == PPP_PROTOCOL_IPV6CP || (p) == PPP_PROTOCOL_IP || (p) == PPP_PROTOCOL_IPV6)
|
||||
#define PPP_IS_SUPPORTED_PROTOCOL(p) ((p) == PPP_PROTOCOL_LCP || (p) == PPP_PROTOCOL_PAP || (p) == PPP_PROTOCOL_CHAP || (p) == PPP_PROTOCOL_IPCP || (p) == PPP_PROTOCOL_IPV6CP || (p) == PPP_PROTOCOL_IP || (p) == PPP_PROTOCOL_IPV6 || (p) == PPP_PROTOCOL_EAP )
|
||||
|
||||
#define PPP_STATUS_IS_UNAVAILABLE(c) ((c) == PPP_STATUS_FAIL || (c) == PPP_STATUS_AUTH_FAIL || (c) == PPP_STATUS_CLOSING || (c) == PPP_STATUS_CLOSING_WAIT || (c) == PPP_STATUS_CLOSED)
|
||||
|
||||
//// Constants
|
||||
|
||||
// Time-out value
|
||||
#define PPP_PACKET_RECV_TIMEOUT (30 * 1000) // Timeout until the next packet is received
|
||||
#define PPP_PACKET_RESEND_INTERVAL (5 * 1000) // Retransmission interval of the last packet
|
||||
#define PPP_PACKET_RECV_TIMEOUT (15 * 1000) // Timeout until the next packet is received (3/4 of default policy)
|
||||
#define PPP_PACKET_RESEND_INTERVAL (3 * 1000) // Retransmission interval of the last packet
|
||||
#define PPP_TERMINATE_TIMEOUT 2000 // Timeout value to complete disconnection after requesting to disconnect in the PPP
|
||||
#define PPP_ECHO_SEND_INTERVAL 4792 // Transmission interval of PPP Echo Request
|
||||
#define PPP_DATA_TIMEOUT (60 * 1000) // Communication time-out
|
||||
#define PPP_DATA_TIMEOUT (20 * 1000) // Communication time-out (from default policy)
|
||||
|
||||
// MRU
|
||||
#define PPP_MRU_DEFAULT 1500 // Default value
|
||||
@ -48,6 +51,7 @@
|
||||
#define PPP_PROTOCOL_PAP 0xc023
|
||||
#define PPP_PROTOCOL_IPCP 0x8021
|
||||
#define PPP_PROTOCOL_CHAP 0xc223
|
||||
#define PPP_PROTOCOL_EAP 0xc227
|
||||
#define PPP_PROTOCOL_IPV6CP 0x8057
|
||||
|
||||
// PPP protocol (for transfer)
|
||||
@ -93,9 +97,28 @@
|
||||
// IPV6CP option type
|
||||
#define PPP_IPV6CP_OPTION_IID 1
|
||||
|
||||
// EAP codes
|
||||
#define PPP_EAP_CODE_REQUEST 1
|
||||
#define PPP_EAP_CODE_RESPONSE 2
|
||||
#define PPP_EAP_CODE_SUCCESS 3
|
||||
#define PPP_EAP_CODE_FAILURE 4
|
||||
|
||||
// EAP types
|
||||
#define PPP_EAP_TYPE_IDENTITY 1
|
||||
#define PPP_EAP_TYPE_NOTIFICATION 2
|
||||
#define PPP_EAP_TYPE_NAK 3
|
||||
#define PPP_EAP_TYPE_TLS 13
|
||||
|
||||
// EAP-TLS Flags
|
||||
#define PPP_EAP_TLS_FLAG_NONE 0
|
||||
#define PPP_EAP_TLS_FLAG_TLS_LENGTH 1 << 7
|
||||
#define PPP_EAP_TLS_FLAG_FRAGMENTED 1 << 6
|
||||
#define PPP_EAP_TLS_FLAG_SSLSTARTED 1 << 5
|
||||
|
||||
// Authentication protocol
|
||||
#define PPP_LCP_AUTH_PAP PPP_PROTOCOL_PAP
|
||||
#define PPP_LCP_AUTH_CHAP PPP_PROTOCOL_CHAP
|
||||
#define PPP_LCP_AUTH_EAP PPP_PROTOCOL_EAP
|
||||
|
||||
// Algorithm of CHAP
|
||||
#define PPP_CHAP_ALG_MS_CHAP_V2 0x81
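Review bot: The three EAP-TLS flag macros expand to an unparenthesized shift, `#define PPP_EAP_TLS_FLAG_TLS_LENGTH 1 << 7`, so any use in a larger expression with an operator of higher precedence than `<<` (a cast, `*`, `+`) silently changes the value. Wrap them: `#define PPP_EAP_TLS_FLAG_TLS_LENGTH (1 << 7)`, `#define PPP_EAP_TLS_FLAG_FRAGGMENTED (1 << 6)` spelled as `#define PPP_EAP_TLS_FLAG_FRAGMENTED (1 << 6)`, and `#define PPP_EAP_TLS_FLAG_SSLSTARTED (1 << 5)`. A one-line comment noting which bits RFC 5216 defines on the wire (L and M are the top two bits) and that SSLSTARTED is a local extension would help the next reader, since the packet Flags byte is sent to and received from the peer.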
|
||||
@ -164,6 +187,53 @@ struct PPP_OPTION
|
||||
UINT AltDataSize; // Alternate data size
|
||||
};
|
||||
|
||||
#ifdef OS_WIN32
|
||||
#pragma pack(push, 1)
|
||||
#else // OS_WIN32
|
||||
#pragma pack(1)
|
||||
#endif
|
||||
|
||||
|
||||
// PPP EAP packet
|
||||
// EAP is a subset of LCP, sharing Code and Id. The Data field is then mapped to this structure
|
||||
// We got 8 bytes of size before this structure
|
||||
struct PPP_EAP
|
||||
{
|
||||
UCHAR Type;
|
||||
union {
|
||||
UCHAR Data[0];
|
||||
struct PPP_EAP_TLS
|
||||
{
|
||||
UCHAR Flags;
|
||||
union {
|
||||
UCHAR TlsDataWithoutLength[0];
|
||||
struct
|
||||
{
|
||||
UINT32 TlsLength;
|
||||
UCHAR Data[0];
|
||||
} TlsDataWithLength;
|
||||
};
|
||||
} Tls;
|
||||
};
|
||||
} GCC_PACKED;
|
||||
|
||||
#ifdef OS_WIN32
|
||||
#pragma pack(pop)
|
||||
#else // OS_WIN32
|
||||
#pragma pack()
|
||||
#endif
|
||||
|
||||
struct PPP_EAP_TLS_CONTEXT
|
||||
{
|
||||
SSL_PIPE *SslPipe;
|
||||
DH_CTX *Dh;
|
||||
struct SslClientCertInfo ClientCert;
|
||||
UCHAR *CachedBufferRecv;
|
||||
UCHAR *CachedBufferRecvPntr;
|
||||
UCHAR *CachedBufferSend;
|
||||
UCHAR *CachedBufferSendPntr;
|
||||
};
|
||||
|
||||
// PPP request resend
|
||||
struct PPP_REQUEST_RESEND
|
||||
{
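Review bot: `UINT32 TlsLength` in `PPP_EAP_TLS` is undocumented although it is a peer-supplied value read straight from the packet; at minimum it needs `// Total TLS message length, network byte order (RFC 5216 §3.1); peer-supplied, validate against the EAP payload length before use`. `PPP_EAP_TLS_CONTEXT` carries `CachedBufferRecv`/`CachedBufferRecvPntr` and the send pair without any capacity or fill-level field, so the reassembly code (in the suppressed Proto_PPP.c diff, not visible here) has nowhere in the context to bound writes against the announced length; either add explicit size fields next to the pointers or document in the struct which invariant the Pntr fields maintain. The `Data[0]` / `TlsDataWithoutLength[0]` members are a GNU zero-length-array extension rather than C99 flexible array members; that is workable under GCC_PACKED but deserves a comment, since sizeof this struct does not include the payload. The same length-without-bound pattern applies to `UCHAR Eap_Identity[MAX_SIZE]` in the PPP_SESSION hunk below, which stores a client-chosen identity with no recorded length.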
|
||||
@ -234,10 +304,23 @@ struct PPP_SESSION
|
||||
UINT IPv4_State;
|
||||
UINT IPv6_State;
|
||||
|
||||
// EAP contexts
|
||||
UINT Eap_Protocol; // Current EAP Protocol used
|
||||
UINT Eap_PacketId; // EAP Packet ID;
|
||||
UCHAR Eap_Identity[MAX_SIZE]; // Received from client identity
|
||||
PPP_EAP_TLS_CONTEXT Eap_TlsCtx; // Context information for EAP TLS. May be possibly reused for EAP TTLS?
|
||||
|
||||
LIST *SentReqPacketList; // Sent requests list
|
||||
|
||||
PPP_PACKET *CurrentPacket;
|
||||
LIST *DelayedPackets;
|
||||
|
||||
UINT64 PacketRecvTimeout;
|
||||
UINT64 DataTimeout;
|
||||
UINT64 UserConnectionTimeout;
|
||||
UINT64 UserConnectionTick;
|
||||
|
||||
THREAD *SessionThread; // Thread of the PPP session
|
||||
};
|
||||
|
||||
|
||||
@ -248,7 +331,7 @@ struct PPP_SESSION
|
||||
void PPPThread(THREAD *thread, void *param);
|
||||
|
||||
// Entry point
|
||||
THREAD *NewPPPSession(CEDAR *cedar, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, TUBE *send_tube, TUBE *recv_tube, char *postfix, char *client_software_name, char *client_hostname, char *crypt_name, UINT adjust_mss);
|
||||
PPP_SESSION *NewPPPSession(CEDAR *cedar, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, TUBE *send_tube, TUBE *recv_tube, char *postfix, char *client_software_name, char *client_hostname, char *crypt_name, UINT adjust_mss);
|
||||
|
||||
// PPP processing functions
|
||||
bool PPPRejectUnsupportedPacket(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
@ -260,21 +343,22 @@ bool PPPProcessResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
|
||||
bool PPPProcessLCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
|
||||
bool PPPProcessCHAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
|
||||
bool PPPProcessIPCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
|
||||
bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
|
||||
// Request packets
|
||||
bool PPPProcessRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPProcessLCPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPProcessPAPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPProcessIPCPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPProcessEAPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
|
||||
// LCP option based packets utility
|
||||
bool PPPRejectLCPOptions(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPRejectLCPOptionsEx(PPP_SESSION *p, PPP_PACKET *pp, bool simulate);
|
||||
bool PPPNackLCPOptions(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPNackLCPOptionsEx(PPP_SESSION *p, PPP_PACKET* pp, bool simulate);
|
||||
bool PPPNackLCPOptionsEx(PPP_SESSION *p, PPP_PACKET *pp, bool simulate);
|
||||
bool PPPAckLCPOptions(PPP_SESSION *p, PPP_PACKET *pp);
|
||||
bool PPPAckLCPOptionsEx(PPP_SESSION *p, PPP_PACKET *pp, bool simulate);
|
||||
|
||||
|
||||
// PPP networking functions
|
||||
// Send packets
|
||||
bool PPPSendAndRetransmitRequest(PPP_SESSION *p, USHORT protocol, PPP_LCP *c);
|
||||
@ -305,6 +389,11 @@ bool PPPGetIPOptionFromLCP(PPP_IPOPTION *o, PPP_LCP *c);
|
||||
bool PPPSetIPOptionToLCP(PPP_IPOPTION *o, PPP_LCP *c, bool only_modify);
|
||||
bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip);
|
||||
bool PPPSetIPAddressValueToLCP(PPP_LCP *c, UINT type, IP *ip, bool only_modify);
|
||||
// EAP packet utilities
|
||||
bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSize);
|
||||
PPP_LCP *BuildEAPPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize);
|
||||
PPP_LCP *BuildEAPTlsPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize, UCHAR flags);
|
||||
PPP_LCP *BuildEAPTlsRequest(UCHAR id, UINT datasize, UCHAR flags);
|
||||
// Other packet utilities
|
||||
PPP_OPTION *PPPGetOptionValue(PPP_LCP *c, UCHAR type);
|
||||
bool IsHubExistsWithLock(CEDAR *cedar, char *hubname);
|
||||
|
@ -97,6 +97,8 @@ void SstpProcessControlPacket(SSTP_SERVER *s, SSTP_PACKET *p)
|
||||
// Process the SSTP received data packet
|
||||
void SstpProcessDataPacket(SSTP_SERVER *s, SSTP_PACKET *p)
|
||||
{
|
||||
PPP_SESSION *underlyingSession;
|
||||
|
||||
// Validate arguments
|
||||
if (s == NULL || p == NULL || p->IsControl)
|
||||
{
|
||||
@ -108,9 +110,11 @@ void SstpProcessDataPacket(SSTP_SERVER *s, SSTP_PACKET *p)
|
||||
if (s->PPPThread == NULL)
|
||||
{
|
||||
// Create a thread to initialize the new PPP module
|
||||
s->PPPThread = NewPPPSession(s->Cedar, &s->ClientIp, s->ClientPort, &s->ServerIp, s->ServerPort,
|
||||
underlyingSession = NewPPPSession(s->Cedar, &s->ClientIp, s->ClientPort, &s->ServerIp, s->ServerPort,
|
||||
s->TubeSend, s->TubeRecv, SSTP_IPC_POSTFIX, SSTP_IPC_CLIENT_NAME,
|
||||
s->ClientHostName, s->ClientCipherName, 0);
|
||||
s->PPPSession = underlyingSession;
|
||||
s->PPPThread = underlyingSession->SessionThread;
|
||||
}
|
||||
|
||||
// Pass the received data to the PPP module
|
||||
@ -177,6 +181,7 @@ void SstpSendPacket(SSTP_SERVER *s, SSTP_PACKET *p)
|
||||
// Process the timer interrupt
|
||||
void SstpProcessInterrupt(SSTP_SERVER *s)
|
||||
{
|
||||
UINT64 sstpTimeout = SSTP_TIMEOUT;
|
||||
// Validate arguments
|
||||
if (s == NULL)
|
||||
{
|
||||
@ -261,7 +266,12 @@ void SstpProcessInterrupt(SSTP_SERVER *s)
|
||||
}
|
||||
}
|
||||
|
||||
if ((s->LastRecvTick + (UINT64)SSTP_TIMEOUT) <= s->Now)
|
||||
if (s->PPPSession != NULL && s->PPPSession->DataTimeout > sstpTimeout)
|
||||
{
|
||||
sstpTimeout = s->PPPSession->DataTimeout;
|
||||
}
|
||||
|
||||
if ((s->LastRecvTick + sstpTimeout) <= s->Now)
|
||||
{
|
||||
// Disconnect the SSTP because a timeout occurred
|
||||
SstpAbort(s);
|
||||
|
@ -16,7 +16,7 @@
|
||||
#define SSTP_IPC_POSTFIX "SSTP"
|
||||
#define SSTP_ECHO_SEND_INTERVAL_MIN 2500 // Transmission interval of Echo Request (minimum)
|
||||
#define SSTP_ECHO_SEND_INTERVAL_MAX 4792 // Transmission interval of Echo Request (maximum)
|
||||
#define SSTP_TIMEOUT 10000 // Communication time-out of SSTP
|
||||
#define SSTP_TIMEOUT 20 * 1000 // Communication time-out of SSTP (from default policy)
|
||||
|
||||
// SSTP Message Type
|
||||
#define SSTP_MSG_CALL_CONNECT_REQUEST 0x0001
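Review bot: `#define SSTP_TIMEOUT 20 * 1000` is not parenthesized, unlike the matching `PPP_DATA_TIMEOUT (20 * 1000)` in Proto_PPP.h; the new `UINT64 sstpTimeout = SSTP_TIMEOUT;` in SstpProcessInterrupt is safe, but any other expansion such as `x / SSTP_TIMEOUT` becomes `x / 20 * 1000`. Change it to `#define SSTP_TIMEOUT (20 * 1000) // Communication time-out of SSTP (from default policy)`.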
|
||||
@ -116,6 +116,7 @@ struct SSTP_SERVER
|
||||
UINT64 LastRecvTick; // Tick when some data has received at the end
|
||||
bool FlushRecvTube; // Flag whether to flush the reception tube
|
||||
UINT EstablishedCount; // Number of session establishment
|
||||
PPP_SESSION *PPPSession; // Underlying PPP Session
|
||||
};
|
||||
|
||||
|
||||
|
@ -5701,10 +5701,17 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||
if (cert != NULL)
|
||||
{
|
||||
X *tmpX = X509ToX(cert); // this only wraps cert, but we need to make a copy
|
||||
X *copyX = CloneX(tmpX);
|
||||
if (!CompareX(tmpX, clientcert->X))
|
||||
{
|
||||
X* copyX = CloneX(tmpX);
|
||||
if (clientcert->X != NULL)
|
||||
{
|
||||
FreeX(clientcert->X);
|
||||
}
|
||||
clientcert->X = copyX;
|
||||
}
|
||||
tmpX->do_not_free = true; // do not release inner X509 object
|
||||
FreeX(tmpX);
|
||||
clientcert->X = copyX;
|
||||
}
|
||||
}
|
||||
}
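Review bot: The result of `X* copyX = CloneX(tmpX);` is not checked before `FreeX(clientcert->X);` and `clientcert->X = copyX;`, so a failed clone frees the previously stored certificate and leaves `clientcert->X` NULL; wrap the replacement in `if (copyX != NULL)`. The declaration also uses `X* copyX` while the line above uses `X *tmpX`, so it should match the file's pointer style. The callback's handling of `preverify_ok` and the retrieval of `clientcert` are outside this hunk; SslCertVerifyCallback both starts and ends beyond it.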
|
||||
@ -5729,9 +5736,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
|
||||
{
|
||||
if (server_mode)
|
||||
{
|
||||
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
|
||||
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
|
||||
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it
|
||||
#endif
|
||||
|
||||
AddChainSslCertOnDirectory(ssl_ctx);
|
||||
|
||||
if (dh != NULL)
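Review bot: `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);` is applied to every server-mode context built by NewSslPipeEx, not only to the EAP-TLS pipe that motivated it; if other protocols obtain their server-side SSL_PIPE through this constructor (the name suggests it is the shared one, but callers are not visible here) they silently lose TLS 1.3 as well. Gate the option on the EAP-TLS caller, for instance on `verify_peer`/`clientcert` or a dedicated parameter, and replace the vague comment with the actual reason and scope: `// EAP-TLS only: pppd on Linux fails the handshake with TLS 1.3 (PR #1109)`. NewSslPipeEx starts and ends outside this hunk.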
|
||||
@ -11784,8 +11795,17 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
|
||||
x_copy = CloneX(x);
|
||||
|
||||
if (x_copy != NULL)
|
||||
{
|
||||
if (x_copy->root_cert)
|
||||
{
|
||||
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
|
||||
X509_STORE_add_cert(store, x_copy->x509);
|
||||
X509_free(x_copy->x509);
|
||||
}
|
||||
else
|
||||
{
|
||||
SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
|
||||
}
|
||||
x_copy->do_not_free = true;
|
||||
|
||||
ret = true;
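Review bot: The return value of `X509_STORE_add_cert(store, x_copy->x509);` is ignored, so a failure (it returns 0, and older OpenSSL versions report a duplicate certificate as an error) still reaches `ret = true;` while nothing was added to the trust store. Check it, e.g. `if (X509_STORE_add_cert(store, x_copy->x509) != 1) { /* log and keep ret false */ }`. A why-comment would also help, because the two branches differ in ownership: `// X509_STORE_add_cert takes its own reference, so release ours` above `X509_free(x_copy->x509);`, and `// SSL_CTX_add_extra_chain_cert takes ownership of x509, hence do_not_free` near `x_copy->do_not_free = true;`. Note that the root_cert branch turns every certificate in the chain directory flagged as root into a trust anchor for peer verification on this context; how `root_cert` is determined and the rest of AddChainSslCert are outside this hunk.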
|
||||
|