tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server sent a certificate request. If an identity was set previously, it will be reset so get_peer_id() may be used to check if the client was authenticated.
This commit is contained in:
parent
11a4687930
commit
760f3b730f
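--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -207,6 +207,8 @@ enum tls_name_type_t {
 enum tls_flag_t {
 /** set if cipher suites with null encryption are acceptable */
 TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+/** set if client authentication is optional even if cert req sent */
+TLS_FLAG_CLIENT_AUTH_OPTIONAL = 2,
 };
 
 /**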
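--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -705,9 +705,18 @@ static status_t process_certificate(private_tls_server_t *this,
 certs = bio_reader_create(data);
 if (!certs->remaining(certs))
 {
-DBG1(DBG_TLS, "no certificate sent by peer");
-this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
-return NEED_MORE;
+if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
+{
+/* client authentication is not required so we clear the identity */
+DESTROY_IF(this->peer);
+this->peer = NULL;
+}
+else
+{
+DBG1(DBG_TLS, "no certificate sent by peer");
+this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+return NEED_MORE;
+}
 }
 while (certs->remaining(certs))
 {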
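Review bot: The optional-auth branch (the new lines under `if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)`) accepts the empty Certificate payload without any log output, whereas the fatal branch still reports "no certificate sent by peer"; a server configured with optional client authentication should record that the handshake continues unauthenticated, e.g. `DBG1(DBG_TLS, "no certificate sent by peer, client authentication optional");` before `DESTROY_IF(this->peer);`. The commit message states that get_peer_id() is how callers detect an unauthenticated client, and that contract belongs in the code comment too: `/* client authentication is not required, clear the identity so get_peer_id() returns NULL */`. What the hunk does not show is whether the handshake state machine stops expecting a CertificateVerify once this->peer is NULL; if it already keys on this->peer being set the branch is covered, otherwise a matching change is needed elsewhere. process_certificate starts and ends outside the hunk.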