From: Tobias Brunner
Date: Thu, 18 Feb 2021 14:10:42 +0000 (+0100)
Subject: tls-server: Add flag that makes client authentication optional
X-Git-Tag: 5.9.2rc1^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=760f3b730fa69a1f8fc5075fcbb34f037d313b16;p=thirdparty%2Fstrongswan.git
tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server sent a certificate request. If an identity was set previously, it will be reset so get_peer_id() may be used to check if the client was authenticated.
---
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index 0d9e1ff0c8..f2b79361db 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -207,6 +207,8 @@ enum tls_name_type_t {
 enum tls_flag_t {
 	/** set if cipher suites with null encryption are acceptable */
 	TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+	/** set if client authentication is optional even if cert req sent */
+	TLS_FLAG_CLIENT_AUTH_OPTIONAL = 2,
 };
 
 /**
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 247b9f636b..f067549e39 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -705,9 +705,18 @@ static status_t process_certificate(private_tls_server_t *this,
 	certs = bio_reader_create(data);
 	if (!certs->remaining(certs))
 	{
-		DBG1(DBG_TLS, "no certificate sent by peer");
-		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
-		return NEED_MORE;
+		if (this->tls->get_flags(this->tls) & TLS_FLAG_CLIENT_AUTH_OPTIONAL)
+		{
+			/* client authentication is not required so we clear the identity */
+			DESTROY_IF(this->peer);
+			this->peer = NULL;
+		}
+		else
+		{
+			DBG1(DBG_TLS, "no certificate sent by peer");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
 	}
 	while (certs->remaining(certs))
 	{
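Review bot: The optional-auth branch accepts the empty certificate list silently, while the fatal branch right below it logs, so an operator reading the log cannot distinguish an authenticated client from one that was merely let through; add `DBG1(DBG_TLS, "no certificate sent by peer, client authentication optional");` before `DESTROY_IF(this->peer);`. Clearing `this->peer` to NULL also means everything that later reads that field, including the CertificateVerify handling and callers of get_peer_id(), has to tolerate NULL; the rest of process_certificate lies outside the hunk, so I cannot confirm that here. Separately, the fatal branch still returns with the `certs` reader created on the hunk's first context line unreleased, which appears to be a pre-existing leak that this rewrite preserves; a `certs->destroy(certs);` before `return NEED_MORE;` would close it.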