From: Tobias Brunner
Date: Thu, 18 Feb 2021 11:34:29 +0000 (+0100)
Subject: pt-tls-server: Explicitly request client authentication if necessary
X-Git-Tag: 5.9.2rc1^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=602947d48acdb1cfb4835a654721fb040ccc8101;p=thirdparty%2Fstrongswan.git

pt-tls-server: Explicitly request client authentication if necessary

The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly as TLS authentication will be enforced if a client identity is configured on the TLS server socket.
---
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 1ad6165f6c..ba217aa9b8 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -524,6 +524,18 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 pt_tls_auth_t auth, tnccs_t *tnccs)
 {
 private_pt_tls_server_t *this;
+ identification_t *client = NULL;
+
+ switch (auth)
+ {
+ case PT_TLS_AUTH_TLS:
+ case PT_TLS_AUTH_TLS_OR_SASL:
+ case PT_TLS_AUTH_TLS_AND_SASL:
+ client = identification_create_from_encoding(ID_ANY, chunk_empty);
+ break;
+ default:
+ break;
+ }
 
 INIT(this,
 .public = {
@@ -532,12 +544,14 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 .destroy = _destroy,
 },
 .state = PT_TLS_SERVER_VERSION,
- .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_UNSPEC,
+ .tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
 TLS_UNSPEC, FALSE),
 .tnccs = (tls_t*)tnccs,
 .auth = auth,
 );
 
+ DESTROY_IF(client);
+
 if (!this->tls)
 {
 this->tnccs->destroy(this->tnccs);
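Review bot: The new `switch (auth)` in the first hunk gives no hint why an `ID_ANY` identity is passed rather than a concrete one, and the caveat that this also forces TLS client authentication for `PT_TLS_AUTH_TLS_OR_SASL` lives only in the commit message, where the next reader of the code will not see it. A short comment above the switch would keep it visible, e.g. `/* an ID_ANY client identity makes the TLS server socket request client authentication; this currently also enforces TLS auth for TLS_OR_SASL */`. Presumably tls_socket_create() keeps its own reference to the identity, since the second hunk destroys `client` right after INIT(); a note such as `/* tls_socket_create() does not take ownership */` on the `DESTROY_IF(client);` line would make that explicit. pt_tls_server_create() continues beyond both hunks.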