tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server sent a certificate request. If an identity was set previously, it will be reset so get_peer_id() may be used to check if the client was authenticated.
parent
11a4687930
commit
760f3b730f
@ -207,6 +207,8 @@ enum tls_name_type_t {
enum tls_flag_t {
/** set if cipher suites with null encryption are acceptable */
TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
/** set if client authentication is optional even if cert req sent */
TLS_FLAG_CLIENT_AUTH_OPTIONAL = 2,
};
/**
@ -705,9 +705,18 @@ static status_t process_certificate(private_tls_server_t *this,
certs = bio_reader_create(data);
if (!certs->remaining(certs))
{
DBG1(DBG_TLS, "no certificate sent by peer");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
return NEED_MORE;
if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
{
/* client authentication is not required so we clear the identity */
DESTROY_IF(this->peer);
this->peer = NULL;
}
else
{
DBG1(DBG_TLS, "no certificate sent by peer");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
return NEED_MORE;
}
}
while (certs->remaining(certs))
{
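Review bot: The optional-auth branch under `if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)` admits a client that sent an empty certificate list without leaving any trace in the log, while the rejecting else branch keeps its DBG1 line; a `DBG1(DBG_TLS, "no certificate sent by peer, client authentication optional");` ahead of `DESTROY_IF(this->peer);` lets an operator distinguish an anonymous session from an authenticated one at handshake time instead of only via get_peer_id() later. Clearing this->peer here is presumably also what keeps the handshake from expecting a CertificateVerify from a client that sent no certificate; that dependency lives outside the hunk, so a short comment on the `this->peer = NULL;` line naming it would help the next reader. The rejecting branch returns NEED_MORE with `certs` (created by bio_reader_create on the first line of the hunk) still alive; the alert is fatal so the session ends anyway, but if the reader owns an allocation a `certs->destroy(certs);` belongs before that `return NEED_MORE;`. process_certificate begins and ends outside the hunk.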