$OpenBSD: patch-src_crypto_tls_openssl_c,v 1.1 2014/03/18 05:57:22 dcoppa Exp $

commit b62d5b5450101676a0c05691b4bcd94e11426397
Author: Jouni Malinen <j@w1.fi>
Date:   Wed Feb 19 11:56:02 2014 +0200

Revert "OpenSSL: Do not accept SSL Client certificate for server"

This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
too many deployed AAA servers that include both id-kp-clientAuth and
id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
for AAA authentication server validation. OpenSSL enforces the policy of
not connecting if only id-kp-clientAuth is included. If a valid EKU is
listed with it, the connection needs to be accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>

--- src/crypto/tls_openssl.c.orig	Tue Feb  4 12:23:35 2014
+++ src/crypto/tls_openssl.c	Fri Mar 14 14:33:33 2014
@@ -105,7 +105,6 @@ struct tls_connection {
 	unsigned int ca_cert_verify:1;
 	unsigned int cert_probe:1;
 	unsigned int server_cert_only:1;
-	unsigned int server:1;
 
 	u8 srv_cert_hash[32];
 
@@ -1477,16 +1476,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_
 				       TLS_FAIL_SERVER_CHAIN_PROBE);
 	}
 
-	if (!conn->server && err_cert && preverify_ok && depth == 0 &&
-	    (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
-	    (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
-		wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
-		openssl_tls_fail_event(conn, err_cert, err, depth, buf,
-				       "Server used client certificate",
-				       TLS_FAIL_SERVER_USED_CLIENT_CERT);
-		preverify_ok = 0;
-	}
-
 	if (preverify_ok && context->event_cb != NULL)
 		context->event_cb(context->cb_ctx,
 				  TLS_CERT_CHAIN_SUCCESS, NULL);
@@ -2537,8 +2526,6 @@ openssl_handshake(struct tls_connection *conn, const s
 {
 	int res;
 	struct wpabuf *out_data;
-
-	conn->server = !!server;
 
 	/*
 	 * Give TLS handshake data from the server (if available) to OpenSSL
