lib: tstream_tls_verify_peer_trusted()

We can only trust a tls connection if at connection setup we checked
the certificates

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index 3a0035723f24682fed57a3699b4abeb09fa2e876..2fc74f75c292f612a87806de52cee0a53fa85776 100644 (file)
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -92,6 +92,7 @@ bool tstream_tls_params_enabled(struct tstream_tls_params *params);
 bool tstream_tls_params_quic_enabled(struct tstream_tls_params *params);
 enum tls_verify_peer_state tstream_tls_params_verify_peer(
        struct tstream_tls_params *tls_params);
+bool tstream_tls_verify_peer_trusted(enum tls_verify_peer_state verify_peer);
 const char *tstream_tls_params_peer_name(
        const struct tstream_tls_params *params);
 

diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 39ecade18988dc7d37e40ad9608ba4e354a01ae1..1206bbdd58ecb2b25ff70d80fe476c9fbe67e0a6 100644 (file)
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -936,6 +936,11 @@ enum tls_verify_peer_state tstream_tls_params_verify_peer(
 #endif /* HAVE_LIBQUIC */
 }
 
+bool tstream_tls_verify_peer_trusted(enum tls_verify_peer_state verify_peer)
+{
+       return (verify_peer >= TLS_VERIFY_PEER_CA_AND_NAME);
+}
+
 const char *tstream_tls_params_peer_name(
        const struct tstream_tls_params *params)
 {