author | Martin Willi <martin@revosec.ch> | 2014-03-25 10:19:41 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2014-04-01 14:28:55 +0200 |
commit | 5313880261fe271ac5b334ccacf92d6253efaf3d (patch) | |
tree | 89c5c3130a29b9a5d2b6d7c4b062ea97a62c3530 /src | |
parent | ddf5222096321580dd307adcb2d61cbfbb96f463 (diff) | |
tls: Support a null encryption flag on TLS socket abstraction
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c | 4 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.c | 3 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.c | 2 | ||||
-rw-r--r-- | src/libtls/tls_socket.c | 15 | ||||
-rw-r--r-- | src/libtls/tls_socket.h | 4 |
5 files changed, 21 insertions, 7 deletions
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c index 5206ba4e7..af1b28adf 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c @@ -876,7 +876,8 @@ static bool soap_init(private_tnc_ifmap_soap_t *this) } /* open TLS socket */ - this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL); + this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, + NULL, FALSE); if (!this->tls) { DBG1(DBG_TNC, "creating TLS socket failed"); @@ -923,4 +924,3 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create() return &this->public; } - diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c index 01a84cd14..98a2f4b47 100644 --- a/src/libpttls/pt_tls_client.c +++ b/src/libpttls/pt_tls_client.c @@ -84,7 +84,8 @@ static bool make_connection(private_pt_tls_client_t *this) return FALSE; } - this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL); + this->tls = tls_socket_create(FALSE, this->server, this->client, fd, + NULL, FALSE); if (!this->tls) { close(fd); diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c index 9af00e7c2..3c07475d9 100644 --- a/src/libpttls/pt_tls_server.c +++ b/src/libpttls/pt_tls_server.c @@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd, .destroy = _destroy, }, .state = PT_TLS_SERVER_VERSION, - .tls = tls_socket_create(TRUE, server, NULL, fd, NULL), + .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, FALSE), .tnccs = (tls_t*)tnccs, .auth = auth, ); diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c index 19232750b..4b18fa60e 100644 --- a/src/libtls/tls_socket.c +++ b/src/libtls/tls_socket.c 
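Review bot: The new trailing `FALSE` in the `tls_socket_create()` call in soap_init is a second bare boolean next to the leading `is_server` flag, and nothing at the call site says it decides whether NULL encryption ciphers are accepted. Because that flag governs whether the session keeps confidentiality, I would label it where it is passed, e.g. `NULL, /* nullok */ FALSE);`, so a later edit that flips or transposes it stands out in review. The same applies to the calls in make_connection (pt_tls_client.c) and pt_tls_server_create (pt_tls_server.c). All three enclosing functions start and end outside their hunks.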
@@ -406,9 +406,11 @@ METHOD(tls_socket_t, destroy, void, * See header */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, - identification_t *peer, int fd, tls_cache_t *cache) + identification_t *peer, int fd, tls_cache_t *cache, + bool nullok) { private_tls_socket_t *this; + tls_purpose_t purpose; INIT(this, .public = { @@ -430,7 +432,16 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, .fd = fd, ); - this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC, + if (nullok) + { + purpose = TLS_PURPOSE_GENERIC_NULLOK; + } + else + { + purpose = TLS_PURPOSE_GENERIC; + } + + this->tls = tls_create(is_server, server, peer, purpose, &this->app.application, cache); if (!this->tls) { diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h index 75130a4d3..54278dd01 100644 --- a/src/libtls/tls_socket.h +++ b/src/libtls/tls_socket.h @@ -104,9 +104,11 @@ struct tls_socket_t { * @param peer client identity, NULL for no client authentication * @param fd socket to read/write from * @param cache session cache to use, or NULL + * @param nullok accept NULL encryption ciphers * @return TLS socket wrapper */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, - identification_t *peer, int fd, tls_cache_t *cache); + identification_t *peer, int fd, tls_cache_t *cache, + bool nullok); #endif /** TLS_SOCKET_H_ @}*/ |
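Review bot: When `nullok` is set, the new `if (nullok)` branch in tls_socket_create switches the purpose to `TLS_PURPOSE_GENERIC_NULLOK` silently, so nothing in this function records that the socket may end up on a cipher suite without encryption. Unless the negotiated suite is already logged further down the stack (not visible in this diff), a line such as `DBG2(DBG_TLS, "TLS socket accepts NULL encryption cipher suites");` inside that branch would let an operator spot sessions that can run without confidentiality. The body of tls_socket_create continues outside this hunk.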
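Review bot: The added `@param nullok` line in tls_socket.h says what the flag does but not what it costs: with it set, a handshake may settle on a suite that does not encrypt, and data written to the socket can then be read on the wire. I would spell that out in the doc comment so callers do not enable it casually, e.g. `@param nullok accept NULL encryption ciphers; data may then be sent unencrypted, use only if confidentiality is not required`. The comment block starts above this hunk, so the wording of its earlier lines is not visible here.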