tls-server: Add flag that makes client authentication optional
authorTobias Brunner <tobias@strongswan.org>
Thu, 18 Feb 2021 14:10:42 +0000 (15:10 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 18 Feb 2021 14:35:46 +0000 (15:35 +0100)
This allows clients to send an empty certificate payload if the server
sent a certificate request.  If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.

src/libtls/tls.h
src/libtls/tls_server.c

index 0d9e1ff..f2b7936 100644 (file)
@@ -207,6 +207,8 @@ enum tls_name_type_t {
 enum tls_flag_t {
        /** set if cipher suites with null encryption are acceptable */
        TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+       /** set if client authentication is optional even if cert req sent */
+       TLS_FLAG_CLIENT_AUTH_OPTIONAL = 2,
 };
 
 /**
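Review bot: The new enum comment on TLS_FLAG_CLIENT_AUTH_OPTIONAL does not tell an API user what "optional" means for them, which is the part that matters for authorization decisions. Per the commit description the server then accepts an empty certificate payload after a certificate request and resets the peer identity, so a caller that sets this flag must check the peer identity before treating the connection as authenticated; I would say so at the declaration: `/** set if client authentication is optional even if a cert request was sent; a client may then send an empty certificate payload and the peer identity is reset (get_peer_id() presumably returns NULL), so callers must check it before authorizing */`.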
index 247b9f6..f067549 100644 (file)
@@ -705,9 +705,18 @@ static status_t process_certificate(private_tls_server_t *this,
        certs = bio_reader_create(data);
        if (!certs->remaining(certs))
        {
-               DBG1(DBG_TLS, "no certificate sent by peer");
-               this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
-               return NEED_MORE;
+               if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
+               {
+                       /* client authentication is not required so we clear the identity */
+                       DESTROY_IF(this->peer);
+                       this->peer = NULL;
+               }
+               else
+               {
+                       DBG1(DBG_TLS, "no certificate sent by peer");
+                       this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+                       return NEED_MORE;
+               }
        }
        while (certs->remaining(certs))
        {
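Review bot: The new optional-auth branch accepts an unauthenticated client without any log line, while the rejecting branch right below it still emits DBG1; an operator reviewing a connection that skipped client authentication would find nothing in the TLS log. I would add `DBG1(DBG_TLS, "no certificate sent by peer, client authentication optional");` next to the DESTROY_IF so the two outcomes are equally visible. After this branch the function continues past the hunk with an empty reader, so whether the remaining handshake logic (in particular what message the server expects next after an empty Certificate) accounts for this case cannot be judged here and should be confirmed. The fatal path also still returns NEED_MORE without destroying `certs`, which, if bio_reader_t objects must be released by the caller, is a pre-existing leak worth fixing while this code is touched.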