From: Tobias Brunner
Date: Thu, 18 Feb 2021 14:41:52 +0000 (+0100)
Subject: pt-tls-server: Make TLS client authentication optional as appropriate
X-Git-Tag: 5.9.2rc1^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48f4f9f66715ef9ed3e674a777b81cef32b6f44c;p=thirdparty%2Fstrongswan.git

pt-tls-server: Make TLS client authentication optional as appropriate
---

diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index d592403343..76180c8a47 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -525,11 +525,14 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 {
 private_pt_tls_server_t *this;
 identification_t *client = NULL;
+ tls_flag_t flags = 0;
 
 switch (auth)
 {
- case PT_TLS_AUTH_TLS:
 case PT_TLS_AUTH_TLS_OR_SASL:
+ flags |= TLS_FLAG_CLIENT_AUTH_OPTIONAL;
+ /* fall-through */
+ case PT_TLS_AUTH_TLS:
 case PT_TLS_AUTH_TLS_AND_SASL:
 client = identification_create_from_encoding(ID_ANY, chunk_empty);
 break;
@@ -545,7 +548,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 },
 .state = PT_TLS_SERVER_VERSION,
 .tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
- TLS_UNSPEC, 0),
+ TLS_UNSPEC, flags),
 .tnccs = (tls_t*)tnccs,
 .auth = auth,
 );
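Review bot: In the `PT_TLS_AUTH_TLS_OR_SASL` case, `TLS_FLAG_CLIENT_AUTH_OPTIONAL` lets the handshake finish without a client certificate, so for that mode whatever runs after the handshake becomes the only authentication gate, and neither hunk shows that check. Presumably the state machine later in this file falls back to SASL only when TLS produced no authenticated peer identity and refuses the session if SASL then fails; that path should be confirmed, ideally with a test using a certificate-less client, as part of this change. I would also record the coupling where the flag is set, e.g. `/* no certificate required here: a client that sends none must authenticate via SASL */`, so a later reordering of the cases cannot silently make the certificate optional for `PT_TLS_AUTH_TLS` or `PT_TLS_AUTH_TLS_AND_SASL`. The switch and the enclosing function continue outside the hunk; the flag is consumed by `tls_socket_create()` in the second hunk.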