From: Martin Willi Date: Mon, 16 Aug 2010 07:19:29 +0000 (+0200) Subject: Only include certificates with CA flag in TLS cert request X-Git-Tag: 4.5.0~486 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=714d0bfd378b6a9f0544dda011855846d0ba8379;p=thirdparty%2Fstrongswan.git Only include certificates with CA flag in TLS cert request
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 2b2845ea13..faaecb5a07 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -18,6 +18,7 @@
 #include
 #include
+#include
 typedef struct private_tls_server_t private_tls_server_t;
@@ -489,6 +490,7 @@ static status_t send_certificate_request(private_tls_server_t *this,
 	tls_writer_t *authorities;
 	enumerator_t *enumerator;
 	certificate_t *cert;
+	x509_t *x509;
 	identification_t *id;
 	/* currently only RSA signatures are supported */
@@ -504,8 +506,12 @@ static status_t send_certificate_request(private_tls_server_t *this,
 											CERT_X509, KEY_RSA, NULL, TRUE);
 	while (enumerator->enumerate(enumerator, &cert))
 	{
-		id = cert->get_subject(cert);
-		authorities->write_data16(authorities, id->get_encoding(id));
+		x509 = (x509_t*)cert;
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			id = cert->get_subject(cert);
+			authorities->write_data16(authorities, id->get_encoding(id));
+		}
 	}
 	enumerator->destroy(enumerator);
 	writer->write_data16(writer, authorities->get_buf(authorities));
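Review bot: The unchecked cast `x509 = (x509_t*)cert;` in the third hunk is only sound because the enumerator created a few lines above is restricted to CERT_X509; nothing at the cast site records that dependency, so a later change to the filter arguments would turn this into a type confusion without any compiler diagnostic. A one-line comment on the cast, `/* enumerator is limited to CERT_X509, so the downcast to x509_t is safe */`, would make the invariant visible where it is relied on. It is also worth noting in the commit message that trusted end-entity certificates (self-signed leaf certs without the CA flag) are no longer advertised in certificate_authorities, which changes which clients are prompted for a certificate. send_certificate_request begins and ends outside the hunks, so the enumerator's creation arguments are only partly visible here.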