Set client identity with TLS certificate authentication
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 12 Aug 2013 09:53:46 +0000 (11:53 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 15 Aug 2013 21:34:23 +0000 (23:34 +0200)
src/libpttls/pt_tls_server.c

index 78937b1..32b5073 100644 (file)
@@ -321,34 +321,45 @@ static status_t read_sasl_mech_selection(private_pt_tls_server_t *this,
 static bool do_sasl(private_pt_tls_server_t *this)
 {
        sasl_mechanism_t *sasl;
+       identification_t *client_id;
+       tnccs_t *tnccs;
        status_t status;
 
+       client_id = this->tls->get_peer_id(this->tls);
+       tnccs = (tnccs_t*)this->tnccs;
+
        switch (this->auth)
        {
                case PT_TLS_AUTH_NONE:
                        return TRUE;
                case PT_TLS_AUTH_TLS:
-                       if (this->tls->get_peer_id(this->tls))
+                       if (client_id)
                        {
+                               this->tnccs->set_peer_id(this->tnccs, client_id);
+                               tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT);
                                return TRUE;
                        }
-                       DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+                       DBG1(DBG_TNC, "requiring TLS certificate-based "
+                                                 "client authentication");
                        return FALSE;
                case PT_TLS_AUTH_SASL:
                        break;
                case PT_TLS_AUTH_TLS_OR_SASL:
-                       if (this->tls->get_peer_id(this->tls))
+                       if (client_id)
                        {
-                               DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
-                                        "certificate");
+                               this->tnccs->set_peer_id(this->tnccs, client_id);
+                               tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT);
+                               DBG1(DBG_TNC, "skipping SASL, client already authenticated by "
+                                                         "TLS certificate");
                                return TRUE;
                        }
                        break;
                case PT_TLS_AUTH_TLS_AND_SASL:
                default:
-                       if (!this->tls->get_peer_id(this->tls))
+                       if (!client_id)
                        {
-                               DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+                               DBG1(DBG_TNC, "requiring TLS certificate-based "
+                                                         "client authentication");
                                return FALSE;
                        }
                        break;
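Review bot: The cast `tnccs = (tnccs_t*)this->tnccs;` on the new side of the hunk is an undocumented downcast; it only holds if `this->tnccs` is the `tls_t` placed first in a `tnccs_t`, which the hunk does not show and which a later change to either struct or to what gets stored in `this->tnccs` would silently break. A one-line comment should pin the assumption, e.g. `/* this->tnccs is the tls_t embedded at the start of a tnccs_t, so the cast is layout-dependent */`. The `set_peer_id`/`set_auth_type` pair is duplicated verbatim in the PT_TLS_AUTH_TLS and PT_TLS_AUTH_TLS_OR_SASL cases; a small `static void set_client_id(private_pt_tls_server_t *this, identification_t *client_id)` helper would keep the two call sites from drifting apart. The body of do_sasl continues past the end of the hunk.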