tls-server: Add flag that makes client authentication optional

This allows clients to send an empty certificate payload if the server
sent a certificate request.  If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.
Tobias Brunner 2021-02-18 15:10:42 +01:00
parent 11a4687930
commit 760f3b730f
2 changed files with 14 additions and 3 deletions


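--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -207,6 +207,8 @@ enum tls_name_type_t {
 enum tls_flag_t {
 /** set if cipher suites with null encryption are acceptable */
 TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+/** set if client authentication is optional even if cert req sent */
+TLS_FLAG_CLIENT_AUTH_OPTIONAL = 2,
 };
 /**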
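Review bot: The doc comment on TLS_FLAG_CLIENT_AUTH_OPTIONAL at L19 does not tell API users what the flag does to the peer identity, which is the part a caller relying on client authentication has to know. The commit message states that a previously set identity is reset so get_peer_id() can be used to tell an authenticated client from an unauthenticated one; that contract belongs in the header where integrators will look for it. Suggest `/** set if client authentication is optional even if cert req sent; a client that sends an empty certificate list has its peer identity cleared, so callers must check get_peer_id() before treating the client as authenticated */`. Without this, a caller that sets the flag and keeps trusting the identity from an earlier handshake could silently accept an unauthenticated peer.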


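--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -705,9 +705,18 @@ static status_t process_certificate(private_tls_server_t *this,
 certs = bio_reader_create(data);
 if (!certs->remaining(certs))
 {
-DBG1(DBG_TLS, "no certificate sent by peer");
-this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
-return NEED_MORE;
+if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
+{
+/* client authentication is not required so we clear the identity */
+DESTROY_IF(this->peer);
+this->peer = NULL;
+}
+else
+{
+DBG1(DBG_TLS, "no certificate sent by peer");
+this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+return NEED_MORE;
+}
 }
 while (certs->remaining(certs))
 {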
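Review bot: The new else branch at L41-L43 returns NEED_MORE while `certs`, created by bio_reader_create() at L27, is still live; if the reader is heap-allocated, as the `certs->remaining(certs)` method-style call suggests, the fatal-alert path leaks it and the branch should run `certs->destroy(certs);` before the return (the removed lines had the same omission, but the commit re-emits them, so it is the place to fix it). The optional-auth branch at L33-L38 is silent, so a client that completes the handshake without authenticating leaves no trace in the log; a `DBG1(DBG_TLS, "no certificate sent by peer, client authentication optional");` next to the DESTROY_IF would let operators see and count such sessions. The rest of process_certificate, including the state the server expects next, is outside the hunk; it is worth confirming that with an empty certificate list the server does not wait for a CertificateVerify that a client without a certificate never sends, and that no other per-peer authentication state besides this->peer remains set from an earlier round.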