tls-server: Use subject DN as peer identity if it was ID_ANY
author Tobias Brunner <tobias@strongswan.org>
Thu, 18 Feb 2021 11:31:17 +0000 (12:31 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 18 Feb 2021 11:34:05 +0000 (12:34 +0100)
To request client authentication if we don't know the client's identity,
it's possible to use ID_ANY.  However, if we don't change the identity,
get_peer_id() would still report ID_ANY after the authentication.

src/libtls/tls_server.c

index 687fd0c..247b9f6 100644
@@ -729,6 +729,12 @@ static status_t process_certificate(private_tls_server_t *this,
                                DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
                                         cert->get_subject(cert));
                                first = FALSE;
+                               if (this->peer && this->peer->get_type(this->peer) == ID_ANY)
+                               {
+                                       this->peer->destroy(this->peer);
+                                       this->peer = cert->get_subject(cert);
+                                       this->peer = this->peer->clone(this->peer);
+                               }
                        }
                        else
                        {
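Review bot: the swap happens in the branch that handles the first certificate of the chain at the moment it is received (right after the "received TLS peer certificate" debug line), so between this point and the completion of client authentication get_peer_id() reports the subject of a certificate that has only been received, not yet verified; callers must only rely on the value once the handshake has authenticated the peer, which deserves a comment next to the assignment, or the ID_ANY replacement should be deferred to the point where the certificate is verified. As a style point, reusing this->peer as a temporary across the two lines
this->peer = cert->get_subject(cert);
this->peer = this->peer->clone(this->peer);
reads oddly; a local such as `identification_t *subject = cert->get_subject(cert);` followed by `this->peer = subject->clone(subject);` makes it clear that the subject reference owned by the certificate is being copied rather than taken over.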