enum tls_flag_t {
/** set if cipher suites with null encryption are acceptable */
TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+ /** set if client authentication is optional even if cert req sent */
+ TLS_FLAG_CLIENT_AUTH_OPTIONAL = 2,
};
/**
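Review bot: The doc comment on TLS_FLAG_CLIENT_AUTH_OPTIONAL at L4 says when the flag applies but not what the peer ends up looking like, which is the part an application setting the flag needs to know: in the corresponding handshake change the empty certificate list is accepted and this->peer is destroyed and set to NULL, so the handshake completes with no authenticated peer identity. Since the flag is part of the public interface, I would state that here, e.g. `/** set if client authentication is optional even if cert req sent; when the peer sends no certificate the handshake continues with a NULL peer identity, which callers must check before granting access */`. If the project keeps these comments to one line, a second sentence after the existing one is enough.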
certs = bio_reader_create(data);
if (!certs->remaining(certs))
{
- DBG1(DBG_TLS, "no certificate sent by peer");
- this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
- return NEED_MORE;
+ if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
+ {
+ /* client authentication is not required so we clear the identity */
+ DESTROY_IF(this->peer);
+ this->peer = NULL;
+ }
+ else
+ {
+ DBG1(DBG_TLS, "no certificate sent by peer");
+ this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+ return NEED_MORE;
+ }
}
while (certs->remaining(certs))
{
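Review bot: The optional-auth branch at L14–L19 clears this->peer and then falls through to the certificate loop with nothing to read, so from this hunk alone the function appears to continue on the same path as a peer that did send a certificate; unless the state transition after the loop (outside this hunk) is also conditioned on this->peer being NULL, the server may still expect a CertificateVerify that the client will never send, or accept one with no key to check it against. I would make the intent visible at the branch with `/* no certificate and none required: continue without a peer identity; the CertificateVerify step must be skipped for this connection */` and confirm the later state handling matches. The silent branch is also hard to audit compared with the DBG1 on L22; a line such as `DBG1(DBG_TLS, "no certificate sent by peer, client authentication optional");` inside the if-block would record that the connection proceeded unauthenticated. The enclosing function starts before and ends after this hunk.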