.is_server = is_server,
);
/* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
- this->tls = tls_create(is_server, server, peer, "client EAP encryption",
- NULL);
+ this->tls = tls_create(is_server, server, peer, TRUE,
+ "client EAP encryption", NULL);
return &this->public;
}
.is_server = is_server,
);
/* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
- this->tls = tls_create(is_server, server, peer, "ttls keying material",
- application);
+ this->tls = tls_create(is_server, server, peer, FALSE,
+ "ttls keying material", application);
return &this->public;
}
* See header
*/
tls_t *tls_create(bool is_server, identification_t *server,
- identification_t *peer, char *msk_label,
- tls_application_t *application)
+ identification_t *peer, bool request_peer_auth,
+ char *msk_label, tls_application_t *application)
{
private_tls_t *this;
if (is_server)
{
this->handshake = &tls_server_create(&this->public, this->crypto,
- this->server, this->peer)->handshake;
+ this->server, this->peer,
+ request_peer_auth)->handshake;
}
else
{
/**
* Create a tls instance.
*
- * @param is_server TRUE to act as server, FALSE for client
- * @param server server identity
- * @param peer peer identity
- * @param msk_label ASCII string constant used as seed for MSK PRF
- * @param application higher layer application or NULL if none
- * @return TLS stack
+ * @param is_server TRUE to act as server, FALSE for client
+ * @param server server identity
+ * @param peer peer identity
+ * @param request_peer_auth TRUE to request certificate-based peer authentication
+ * @param msk_label ASCII string constant used as seed for MSK PRF
+ * @param application higher layer application or NULL if none
+ * @return TLS stack
*/
tls_t *tls_create(bool is_server, identification_t *server,
- identification_t *peer, char *msk_label,
- tls_application_t *application);
+ identification_t *peer, bool request_peer_auth,
+ char *msk_label, tls_application_t *application);
#endif /** TLS_H_ @}*/
*/
char server_random[32];
+ /**
+ * Does the server request a peer authentication?
+ */
+ bool request_peer_auth;
+
/**
* Auth helper for peer authentication
*/
{
return process_certificate(this, reader);
}
- expected = TLS_CERTIFICATE;
- break;
+ if (this->request_peer_auth)
+ {
+ expected = TLS_CERTIFICATE;
+ break;
+ }
+ /* otherwise fall through to next state */
case STATE_CERT_RECEIVED:
if (type == TLS_CLIENT_KEY_EXCHANGE)
{
{
return process_cert_verify(this, reader);
}
- expected = TLS_CERTIFICATE_VERIFY;
- break;
+ if (this->request_peer_auth)
+ {
+ expected = TLS_CERTIFICATE_VERIFY;
+ break;
+ }
+ else
+ {
+ return INVALID_STATE;
+ }
case STATE_CIPHERSPEC_CHANGED_IN:
if (type == TLS_FINISHED)
{
case STATE_HELLO_SENT:
return send_certificate(this, type, writer);
case STATE_CERT_SENT:
- return send_certificate_request(this, type, writer);
+ if (this->request_peer_auth)
+ {
+ return send_certificate_request(this, type, writer);
+ }
+ /* otherwise fall through to next state */
case STATE_CERTREQ_SENT:
return send_hello_done(this, type, writer);
case STATE_CIPHERSPEC_CHANGED_OUT:
METHOD(tls_handshake_t, change_cipherspec, bool,
private_tls_server_t *this)
{
- if (this->state == STATE_CERT_VERIFY_RECEIVED)
+ if ((this->request_peer_auth && this->state == STATE_CERT_VERIFY_RECEIVED) ||
+ (!this->request_peer_auth && this->state == STATE_KEY_EXCHANGE_RECEIVED))
{
this->crypto->change_cipher(this->crypto, TRUE);
this->state = STATE_CIPHERSPEC_CHANGED_IN;
* See header
*/
tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
- identification_t *server, identification_t *peer)
+ identification_t *server, identification_t *peer,
+ bool request_peer_auth)
{
private_tls_server_t *this;
.server = server,
.peer = peer,
.state = STATE_INIT,
+ .request_peer_auth = request_peer_auth,
.peer_auth = auth_cfg_create(),
.server_auth = auth_cfg_create(),
);
* Create a tls_server instance.
*/
tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
- identification_t *server, identification_t *peer);
+ identification_t *server, identification_t *peer,
+ bool request_peer_auth);
#endif /** TLS_SERVER_H_ @}*/
projects / thirdparty / strongswan.git / commitdiff
