typedef enum pt_tls_message_type_t pt_tls_message_type_t;
typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
+typedef enum pt_tls_auth_t pt_tls_auth_t;
/**
* Message types, as defined by NEA PT-TLS
PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
};
+/**
+ * Client authentication to require as PT-TLS server.
+ */
+enum pt_tls_auth_t {
+ /** don't require TLS client certificate or request SASL authentication */
+ PT_TLS_AUTH_NONE,
+ /** require TLS certificate authentication, no SASL */
+ PT_TLS_AUTH_TLS,
+ /** do SASL regardless of TLS certificate authentication */
+ PT_TLS_AUTH_SASL,
+ /* if client does not authenticate with a TLS certificate, request SASL */
+ PT_TLS_AUTH_TLS_OR_SASL,
+ /* require both, TLS certificate authentication and SASL */
+ PT_TLS_AUTH_TLS_AND_SASL,
+};
+
/**
* Read a PT-TLS message, create reader over Message Value.
*
*/
int fd;
+ /**
+ * Client authentication requirements
+ */
+ pt_tls_auth_t auth;
+
/**
* Server identity
*/
close(fd);
continue;
}
- connection = pt_tls_server_create(this->server, fd, tnccs);
+ connection = pt_tls_server_create(this->server, fd, this->auth, tnccs);
if (!connection)
{
close(fd);
* See header
*/
pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
- identification_t *id)
+ identification_t *id, pt_tls_auth_t auth)
{
private_pt_tls_dispatcher_t *this;
/* we currently don't authenticate the peer, use %any identity */
.peer = identification_create_from_encoding(ID_ANY, chunk_empty),
.fd = -1,
+ .auth = auth,
);
if (!open_socket(this, address))
#include <tnc/tnccs/tnccs.h>
+#include "pt_tls.h"
+
typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t;
/**
*
* @param address server address with port to listen on, gets owned
* @param id TLS server identity, gets owned
+ * @param auth client authentication to perform
* @return dispatcher service
*/
pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
- identification_t *id);
+ identification_t *id, pt_tls_auth_t auth);
#endif /** PT_TLS_DISPATCHER_H_ @}*/
*/
#include "pt_tls_server.h"
-#include "pt_tls.h"
#include <sasl/sasl_mechanism.h>
*/
tls_socket_t *tls;
+ /**
+ * Client authentication requirements
+ */
+ pt_tls_auth_t auth;
+
enum {
/* expecting version negotiation */
PT_TLS_SERVER_VERSION,
sasl_mechanism_t *sasl;
status_t status;
+ switch (this->auth)
+ {
+ case PT_TLS_AUTH_NONE:
+ return TRUE;
+ case PT_TLS_AUTH_TLS:
+ if (this->tls->get_peer_id(this->tls))
+ {
+ return TRUE;
+ }
+ DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+ return FALSE;
+ case PT_TLS_AUTH_SASL:
+ break;
+ case PT_TLS_AUTH_TLS_OR_SASL:
+ if (this->tls->get_peer_id(this->tls))
+ {
+ DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
+ "certificate");
+ return TRUE;
+ }
+ break;
+ case PT_TLS_AUTH_TLS_AND_SASL:
+ default:
+ if (!this->tls->get_peer_id(this->tls))
+ {
+ DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+ return FALSE;
+ }
+ break;
+ }
+
if (!send_sasl_mechs(this))
{
return FALSE;
* See header
*/
pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
- tnccs_t *tnccs)
+ pt_tls_auth_t auth, tnccs_t *tnccs)
{
private_pt_tls_server_t *this;
.state = PT_TLS_SERVER_VERSION,
.tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
.tnccs = (tls_t*)tnccs,
+ .auth = auth,
);
if (!this->tls)
#include <tnc/tnccs/tnccs.h>
+#include "pt_tls.h"
+
typedef struct pt_tls_server_t pt_tls_server_t;
/**
*
* @param server TLS server identity
* @param fd client connection socket
+ * @param auth client authentication requirements
* @param tnccs inner TNCCS protocol handler to use for this connection
* @return PT-TLS server
*/
pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
- tnccs_t *tnccs);
+ pt_tls_auth_t auth, tnccs_t *tnccs);
#endif /** PT_TLS_SERVER_H_ @}*/
projects / thirdparty / strongswan.git / commitdiff
