From: Martin Willi
Date: Wed, 6 Mar 2013 13:39:51 +0000 (+0100)
Subject: If TLS peer authentication not required, the client does nonetheless, allow it to...
X-Git-Tag: 5.0.3dr3~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1db6bf2f3f8fe0240a63dbd7c79323140daa622e;p=thirdparty%2Fstrongswan.git
If TLS peer authentication not required, the client does nonetheless, allow it to fail
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 6615a37eda..aeb5a714f9 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -79,6 +79,11 @@ struct private_tls_server_t {
 */
 identification_t *peer;
+ /**
+ * Is it acceptable if we couldn't verify the peer certificate?
+ */
+ bool peer_auth_optional;
+ /** + * State we are in */
@@ -371,6 +376,7 @@ static status_t process_certificate(private_tls_server_t *this,
 { /* apply identity to authenticate */
 this->peer = cert->get_subject(cert);
 this->peer = this->peer->clone(this->peer);
+ this->peer_auth_optional = TRUE;
 }
 }
 else
@@ -555,13 +561,22 @@ static status_t process_cert_verify(private_tls_server_t *this,
 {
 DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
 this->peer);
- this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
- return NEED_MORE;
+ if (!this->peer_auth_optional)
+ { /* client authentication is required */
+ this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+ return NEED_MORE;
+ }
+ /* reset peer identity, we couldn't authenticate it */
+ this->peer->destroy(this->peer);
+ this->peer = NULL;
+ this->state = STATE_KEY_EXCHANGE_RECEIVED;
+ }
+ else
+ {
+ this->state = STATE_CERT_VERIFY_RECEIVED;
 }
-
 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_VERIFY,
 reader->peek(reader));
- this->state = STATE_CERT_VERIFY_RECEIVED;
 return NEED_MORE;
 }
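Review bot: The reset path in the process_cert_verify hunk leaves `peer_auth_optional` TRUE while rolling `this->state` back to STATE_KEY_EXCHANGE_RECEIVED, so a client can send a second CertificateVerify and re-enter this function with `this->peer == NULL`; if that signature also fails to verify, `this->peer->destroy(this->peer)` dereferences the NULL pointer — assuming the message dispatcher (outside this hunk) admits CertificateVerify in that state, which the rollback here implies. Making the concession one-shot avoids it: next to `this->peer = NULL;` add `this->peer_auth_optional = FALSE;`, so a repeated CertificateVerify takes the fatal TLS_CERTIFICATE_UNKNOWN branch instead. A comment above the reset, e.g. `/* tolerated once; a repeated CertificateVerify is then rejected as required auth */`, would record that intent. The enumerator setup that passes `this->peer` to the credential manager at the start of process_cert_verify lies outside the hunk, so how it copes with a NULL identity cannot be checked here.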