From 7aa9ab0be913a433a42f4815d2ec49111abc9e4d Mon Sep 17 00:00:00 2001
From: Michal Orzel
Date: Fri, 18 Aug 2023 16:59:11 +0200
Subject: mTLS: Fix handshake failures
Change introduced in [1] has exposed significant problem in mTLS verification process, during which an attempt to an uninitialized object was made. This change removes that attempt and replaces it with resource that is available at this specific moment of connection lifetime.
Tested:
1. Created and uploaded a set of certificates by following instructions from TLS Configuration guide [2].
2. Attempted to access /redfish/v1/SessionService/Sessions endpoint using mTLS authentication method. With this fix connection has been successful.
[1] https://github.com/openbmc/bmcweb/commit/e01d0c36af115ed46d54b5dbbacfe3ad92226bd3
[2] https://github.com/openbmc/docs/blob/master/security/TLS-configuration.md
Change-Id: I434dbf27169d7ea0207dfd139868d5bf398d24b0
Signed-off-by: Michal Orzel
---
 http/http_connection.hpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index ba4af3f747..2a6afeb635 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -94,11 +94,13 @@ class Connection :
 // don't require auth
 if (preverified)
 {
- if (!req)
+ boost::asio::ip::address ipAddress;
+ if (getClientIp(ipAddress))
 {
- return false;
+ return true;
 }
- mtlsSession = verifyMtlsUser(req->ipAddress, ctx);
+
+ mtlsSession = verifyMtlsUser(ipAddress, ctx);
 if (mtlsSession)
 {
 BMCWEB_LOG_DEBUG("{} Generating TLS session: {}", logPtr(this),
-- cgit v1.2.3
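Review bot: When `getClientIp(ipAddress)` returns a truthy value (presumably an error; its return type is not visible in this hunk), the new branch returns `true` without calling `verifyMtlsUser` and without logging, so a handshake the old code rejected with `return false` now completes with `mtlsSession` left unset and nothing in the log to explain why. If that fall-through to the other authentication methods is intended, record it at the branch, e.g. `BMCWEB_LOG_WARNING("{} mTLS: client IP unavailable, no TLS session created", logPtr(this));` above `return true;`, and confirm that nothing later in the connection treats a verified certificate alone as an authenticated user. The condition also reads as if truthy meant success, so a short comment such as `// non-zero result: remote endpoint lookup failed` (if that is the convention) would help the next reader. The enclosing callback starts and ends outside the hunk.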