From: Tobias Brunner
Date: Thu, 18 Feb 2021 11:31:17 +0000 (+0100)
Subject: tls-server: Use subject DN as peer identity if it was ID_ANY
X-Git-Tag: 5.9.2rc1^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b7cfb252e583c9ef46ebf5a569faa53cb747a8d;p=thirdparty%2Fstrongswan.git

tls-server: Use subject DN as peer identity if it was ID_ANY

To request client authentication if we don't know the client's identity, it's possible to use ID_ANY. However, if we don't change the identity get_peer_id() would still report ID_ANY after the authentication.
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 687fd0ce23..247b9f636b 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -729,6 +729,12 @@ static status_t process_certificate(private_tls_server_t *this,
 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
 cert->get_subject(cert));
 first = FALSE;
+ if (this->peer && this->peer->get_type(this->peer) == ID_ANY)
+ {
+ this->peer->destroy(this->peer);
+ this->peer = cert->get_subject(cert);
+ this->peer = this->peer->clone(this->peer);
+ }
 }
 else
 {
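Review bot: The added block in process_certificate() replaces an ID_ANY `this->peer` with the certificate's subject DN as soon as the first certificate has been parsed, and nothing visible in the hunk shows that the certificate has been validated by then. If the trust-chain and CertificateVerify checks run later (they are outside the hunk), get_peer_id() can report a DN the client has not yet proven. I would state that on the assignment, e.g. `/* subject of a not yet verified certificate; get_peer_id() is only meaningful after successful authentication */`, and confirm that a failed handshake never hands this value to callers. As a smaller point, the owned field briefly holds a borrowed pointer; with a local `identification_t *id`, writing `id = cert->get_subject(cert); this->peer = id->clone(id);` avoids that. The function body starts and ends outside the hunk, so the surrounding state handling cannot be checked from here.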