.is_server = is_server,
);
+ if (is_server && !lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-ttls.request_peer_auth", FALSE))
+ { /* don't request peer authentication */
+ peer = NULL;
+ }
this->tls = tls_create(is_server, server, peer,
TLS_PURPOSE_EAP_TTLS, application);
if (!this->tls)
}
/* parse AVP header */
- header = tls_reader_create(this->input);
+ header = tls_reader_create(this->input);
success = header->read_uint32(header, &avp_code) &&
header->read_uint8(header, &avp_flags) &&
header->read_uint24(header, &avp_len);
this->inpos = 0;
this->process_header = TRUE;
- return SUCCESS;
+ return SUCCESS;
}
METHOD(eap_ttls_avp_t, destroy, void,
this->fragmentation->destroy(this->fragmentation);
this->crypto->destroy(this->crypto);
this->handshake->destroy(this->handshake);
- this->peer->destroy(this->peer);
+ DESTROY_IF(this->peer);
this->server->destroy(this->server);
DESTROY_IF(this->application);
this->alert->destroy(this->alert);
.is_server = is_server,
.version = TLS_1_2,
.server = server->clone(server),
- .peer = peer->clone(peer),
+ .peer = peer ? peer->clone(peer) : NULL,
.application = application,
.purpose = purpose,
);
TLS_PURPOSE_EAP_TLS,
/** outer authentication and protection in EAP-TTLS */
TLS_PURPOSE_EAP_TTLS,
- /** EAP-TTLS with client authentication */
- TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH,
- /** non-EAP TLS without client authentication */
+ /** non-EAP TLS */
TLS_PURPOSE_GENERIC,
- /** non-EAP TLS with client authentication */
- TLS_PURPOSE_GENERIC_CLIENT_AUTH,
};
/**
*
* @param is_server TRUE to act as server, FALSE for client
* @param server server identity
- * @param peer peer identity
+ * @param peer peer identity, NULL for no client authentication
* @param purpse purpose this TLS stack instance is used for
* @param application higher layer application or NULL if none
* @return TLS stack
build_cipher_suite_list(this, FALSE);
break;
case TLS_PURPOSE_EAP_TTLS:
- case TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH:
/* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
this->msk_label = "ttls keying material";
build_cipher_suite_list(this, TRUE);
break;
case TLS_PURPOSE_GENERIC:
- case TLS_PURPOSE_GENERIC_CLIENT_AUTH:
build_cipher_suite_list(this, TRUE);
break;
}
tls_alert_t *alert;
/**
- * Peer identity
+ * Peer identity, NULL for no client authentication
*/
identification_t *peer;
*/
char server_random[32];
- /**
- * Does the server request a peer authentication?
- */
- bool peer_auth_requested;
-
/**
* Auth helper for peer authentication
*/
}
/**
- * Process a Certificate message
+ * Process a Certificate Request message
*/
static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
{
identification_t *id;
certificate_t *cert;
+ if (!this->peer)
+ {
+ DBG1(DBG_TLS, "server requested a certificate, but client "
+ "authentication disabled");
+ this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+ return NEED_MORE;
+ }
this->crypto->append_handshake(this->crypto,
TLS_CERTIFICATE_REQUEST, reader->peek(reader));
case STATE_CERT_RECEIVED:
if (type == TLS_CERTIFICATE_REQUEST)
{
- this->peer_auth_requested = TRUE;
return process_certreq(this, reader);
}
+ this->peer = NULL;
/* fall through since TLS_CERTIFICATE_REQUEST is optional */
case STATE_CERTREQ_RECEIVED:
if (type == TLS_SERVER_HELLO_DONE)
tls_writer_t *certs;
chunk_t data;
- this->private = lib->credmgr->get_private(lib->credmgr,
+ if (this->peer)
+ {
+ this->private = lib->credmgr->get_private(lib->credmgr,
KEY_ANY, this->peer, this->peer_auth);
+ }
if (!this->private)
{
DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
- this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
- return NEED_MORE;
+ return FAILED;
}
/* generate certificate payload */
case STATE_INIT:
return send_client_hello(this, type, writer);
case STATE_HELLO_DONE:
- if (this->peer_auth_requested)
+ if (this->peer)
{
return send_certificate(this, type, writer);
}
case STATE_CERT_SENT:
return send_key_exchange(this, type, writer);
case STATE_KEY_EXCHANGE_SENT:
- if (this->peer_auth_requested)
+ if (this->peer)
{
return send_certificate_verify(this, type, writer);
}
METHOD(tls_handshake_t, cipherspec_changed, bool,
private_tls_peer_t *this)
{
- if ((this->peer_auth_requested && this->state == STATE_VERIFY_SENT) ||
- (!this->peer_auth_requested && this->state == STATE_KEY_EXCHANGE_SENT))
+ if ((this->peer && this->state == STATE_VERIFY_SENT) ||
+ (!this->peer && this->state == STATE_KEY_EXCHANGE_SENT))
{
this->crypto->change_cipher(this->crypto, FALSE);
this->state = STATE_CIPHERSPEC_CHANGED_OUT;
identification_t *server;
/**
- * Peer identity
+ * Peer identity, NULL for no client authentication
*/
identification_t *peer;
*/
char server_random[32];
- /**
- * Does the server request a peer authentication?
- */
- bool request_peer_auth;
-
/**
* Auth helper for peer authentication
*/
{
return process_certificate(this, reader);
}
- if (this->request_peer_auth)
+ if (this->peer)
{
expected = TLS_CERTIFICATE;
break;
{
return process_cert_verify(this, reader);
}
- if (this->request_peer_auth)
+ if (this->peer)
{
expected = TLS_CERTIFICATE_VERIFY;
break;
case STATE_HELLO_SENT:
return send_certificate(this, type, writer);
case STATE_CERT_SENT:
- if (this->request_peer_auth)
+ if (this->peer)
{
return send_certificate_request(this, type, writer);
}
METHOD(tls_handshake_t, change_cipherspec, bool,
private_tls_server_t *this)
{
- if ((this->request_peer_auth && this->state == STATE_CERT_VERIFY_RECEIVED) ||
- (!this->request_peer_auth && this->state == STATE_KEY_EXCHANGE_RECEIVED))
+ if ((this->peer && this->state == STATE_CERT_VERIFY_RECEIVED) ||
+ (!this->peer && this->state == STATE_KEY_EXCHANGE_RECEIVED))
{
this->crypto->change_cipher(this->crypto, TRUE);
this->state = STATE_CIPHERSPEC_CHANGED_IN;
.server_auth = auth_cfg_create(),
);
- switch (tls->get_purpose(tls))
- {
- case TLS_PURPOSE_EAP_TLS:
- case TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH:
- case TLS_PURPOSE_GENERIC_CLIENT_AUTH:
- this->request_peer_auth = TRUE;
- break;
- case TLS_PURPOSE_EAP_TTLS:
- case TLS_PURPOSE_GENERIC:
- break;
- }
return &this->public;
}
projects / people / ms / strongswan.git / commitdiff
