Diffstat (limited to 'src/irmd/oap/cli.c')
-rw-r--r--src/irmd/oap/cli.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 7a202da7..d38f38dd 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -93,6 +93,11 @@ int load_cli_kex_config(const struct name_info * info,
assert(info != NULL);
assert(cfg != NULL);
+ memset(cfg, 0, sizeof(*cfg));
+
+ /* A client authenticates the server by default, like an https client */
+ cfg->req_auth = OAP_CLIENT_AUTH_DEFAULT;
+
return load_kex_config(info->name, info->c.enc, cfg);
}
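Review bot: The default assigned in `cfg->req_auth = OAP_CLIENT_AUTH_DEFAULT;` is set before `load_kex_config()` runs, so it is only a starting value, and the comment does not say whether the loaded per-name configuration may switch server authentication off. If that override is intended, state it where the default is set, e.g. `/* Default only; load_kex_config() may override req_auth from the name's config */`, and consider logging when a configuration disables it so that an unauthenticated client setup is visible to operators. The new `memset` also discards anything the caller had placed in `cfg`, which deserves a line in the function's header comment. The opening of load_cli_kex_config lies outside this hunk and `load_kex_config()` is not shown, so the override behaviour is inferred rather than confirmed.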
@@ -534,6 +539,12 @@ int oap_cli_complete(void * ctx,
goto fail_oap;
}
+ /* Required peer auth makes sig and name binding mandatory */
+ if (s->kcfg.req_auth && peer_hdr.crt.len == 0) {
+ log_err_id(id, "Server did not provide a certificate.");
+ goto fail_oap;
+ }
+
/* Verify request hash in authenticated response */
if (peer_hdr.req_hash.len == 0) {
log_err_id(id, "Response missing req_hash.");
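Review bot: The guard `if (s->kcfg.req_auth && peer_hdr.crt.len == 0)` only rejects a response that carries no certificate, while the comment above it says required peer auth makes the signature and name binding mandatory. Nothing in this hunk shows that a response with a certificate but no signature, or with a certificate for a different name, is also refused when `req_auth` is set. If later code already enforces that, the comment should say so, e.g. `/* req_auth: a certificate must be present; signature and name are verified below */`; otherwise the missing-signature case needs the same hard failure here. `req_auth` is tested for truthiness, so it is also worth confirming that every non-zero value it can hold means "required". The body of oap_cli_complete starts and ends outside the hunk.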