lib-ssl-iostream: Replace ssl_iostream_has_broken_client_cert() with ssl_iostream_has...
authorAki Tuomi <aki.tuomi@open-xchange.com>
Fri, 14 Feb 2025 12:54:31 +0000 (14:54 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Mon, 26 May 2025 05:39:13 +0000 (05:39 +0000)
A broken cert does not behave any differently from a valid cert, but we need
to know whether there was a cert in the first place.

src/lib-ssl-iostream/iostream-openssl.c
src/lib-ssl-iostream/iostream-ssl-private.h
src/lib-ssl-iostream/iostream-ssl.c
src/lib-ssl-iostream/iostream-ssl.h
src/login-common/client-common.c

index dc04eb5c81151d4be148e1668dd27db133724615..593b3d83365a749aa40ceddbf4a4c2d4c54e2881 100644 (file)
@@ -701,9 +701,9 @@ openssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
 }
 
 static bool
-openssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
+openssl_iostream_has_client_cert(struct ssl_iostream *ssl_io)
 {
-       return ssl_io->cert_received && ssl_io->cert_broken;
+       return ssl_io->cert_received;
 }
 
 static bool
@@ -1087,7 +1087,7 @@ static const struct iostream_ssl_vfuncs ssl_vfuncs = {
        .is_handshaked = openssl_iostream_is_handshaked,
        .has_handshake_failed = openssl_iostream_has_handshake_failed,
        .has_valid_client_cert = openssl_iostream_has_valid_client_cert,
-       .has_broken_client_cert = openssl_iostream_has_broken_client_cert,
+       .has_client_cert = openssl_iostream_has_client_cert,
        .cert_match_name = openssl_iostream_cert_match_name,
        .get_allow_invalid_cert = openssl_iostream_get_allow_invalid_cert,
        .get_peer_username = openssl_iostream_get_peer_username,
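Review bot: openssl_iostream_has_client_cert in the first hunk now only reads ssl_io->cert_received, yet it still takes a non-const `struct ssl_iostream *`, while openssl_iostream_has_valid_client_cert (visible in the hunk header) takes `const struct ssl_iostream *`. Since the rename already touches every declaration, this is the moment to const-qualify it: `openssl_iostream_has_client_cert(const struct ssl_iostream *ssl_io)`, with the matching change to the `has_client_cert` vfunc pointer in iostream-ssl-private.h, the wrapper in iostream-ssl.c and the prototype in iostream-ssl.h. The cert_broken field is no longer read by this function; whether anything else still reads it is not visible in this diff, so it may be dead state worth checking.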
index 29375f4dff5711c13ede869724289a1f807f37ef..d62e7168df1221e25e4202f8670d5aad179d3395 100644 (file)
@@ -39,7 +39,7 @@ struct iostream_ssl_vfuncs {
        bool (*is_handshaked)(const struct ssl_iostream *ssl_io);
        bool (*has_handshake_failed)(const struct ssl_iostream *ssl_io);
        bool (*has_valid_client_cert)(const struct ssl_iostream *ssl_io);
-       bool (*has_broken_client_cert)(struct ssl_iostream *ssl_io);
+       bool (*has_client_cert)(struct ssl_iostream *ssl_io);
        bool (*cert_match_name)(struct ssl_iostream *ssl_io, const char *name,
                                const char **reason_r);
        bool (*get_allow_invalid_cert)(struct ssl_iostream *ssl_io);
index e42765bdd9236a9678457cd07e5f023a615f2624..e3651e809c66052f2fdbf29a2b16edaa3b84ba90 100644 (file)
@@ -273,9 +273,9 @@ bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
        return ssl_vfuncs->has_valid_client_cert(ssl_io);
 }
 
-bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
+bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io)
 {
-       return ssl_vfuncs->has_broken_client_cert(ssl_io);
+       return ssl_vfuncs->has_client_cert(ssl_io);
 }
 
 bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name,
@@ -290,7 +290,7 @@ int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
        const char *reason;
 
        if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
-               if (!ssl_iostream_has_broken_client_cert(ssl_io))
+               if (!ssl_iostream_has_client_cert(ssl_io))
                        *error_r = "SSL certificate not received";
                else {
                        *error_r = t_strdup(ssl_iostream_get_last_error(ssl_io));
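Review bot: In ssl_iostream_check_cert_validity the else branch now covers every received certificate that is not valid and reports whatever ssl_iostream_get_last_error() returns; whether that value is guaranteed non-NULL at this point is not visible in the hunk, and t_strdup() of a NULL would leave *error_r NULL for the caller's log line. A fallback such as `if (*error_r == NULL) *error_r = "SSL certificate not trusted";` after the t_strdup() would make the reported reason robust regardless, if no such guarantee exists. The function body continues past the end of this hunk.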
index 98379ed1d588fbd8040b661e82f9217f24072951..5c964d6f6a13d0e3387939254fdb04207fd667d0 100644 (file)
@@ -178,7 +178,7 @@ bool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io);
    failure. */
 bool ssl_iostream_has_handshake_failed(const struct ssl_iostream *ssl_io);
 bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io);
-bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io);
+bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io);
 /* Checks certificate validity based, also performs name checking. Called by
    default in handshake, unless handshake callback is set with
    ssl_iostream_check_cert_validity().
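Review bot: The new public prototype ssl_iostream_has_client_cert() has no comment, while the neighbouring declarations in this header carry one, and its name alone no longer says whether verification is involved. A comment above it would settle that for callers: `/* Returns TRUE if the client sent a certificate, regardless of whether it passed verification. Use ssl_iostream_has_valid_client_cert() for the verification result. */`. The parameter could also be const-qualified like ssl_iostream_has_valid_client_cert() directly above it, since the OpenSSL implementation only reads a flag.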
index c4265f4d36891e4b61724af96b5d47a811ca7395..fd11cb27b58183972172f94e028fd6075f86c337 100644 (file)
@@ -1323,14 +1323,14 @@ bool client_get_extra_disconnect_reason(struct client *client,
                        *human_reason_r = "cert required, client didn't start TLS";
                        return TRUE;
                }
-               if (ssl_iostream_has_broken_client_cert(client->ssl_iostream)) {
-                       *event_reason_r = "client_ssl_cert_untrusted";
-                       *human_reason_r = "client sent an untrusted cert";
+               if (!ssl_iostream_has_client_cert(client->ssl_iostream)) {
+                       *event_reason_r = "client_ssl_cert_missing";
+                       *human_reason_r = "client didn't send a cert";
                        return TRUE;
                }
                if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
-                       *event_reason_r = "client_ssl_cert_missing";
-                       *human_reason_r = "client didn't send a cert";
+                       *event_reason_r = "client_ssl_cert_untrusted";
+                       *human_reason_r = "client sent an untrusted cert";
                        return TRUE;
                }
        }
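Review bot: The two checks in client_get_extra_disconnect_reason are now order-dependent: a certificate that was never sent is also not valid, so the `!ssl_iostream_has_client_cert()` test must stay ahead of the `!ssl_iostream_has_valid_client_cert()` test or every missing cert would be logged as untrusted. A one-line comment above the first check would guard against a later reshuffle: `/* A missing cert is also "not valid": test for absence first so the reason is reported correctly. */`. The `client_ssl_cert_untrusted` branch does not say why the cert failed; if the OpenSSL reason from ssl_iostream_get_last_error() is suitable for operator logs, appending it to *human_reason_r would make the disconnect reason actionable, as ssl_iostream_check_cert_validity() already does. The enclosing function starts and ends outside this hunk.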