From: Aki Tuomi
Date: Fri, 14 Feb 2025 12:54:31 +0000 (+0200)
Subject: lib-ssl-iostream: Replace ssl_iostream_has_broken_client_cert() with ssl_iostream_has...
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b816801c6201ce1864c93c889a409c332ec0958;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Replace ssl_iostream_has_broken_client_cert() with ssl_iostream_has_client_cert()

Broken cert does not do anything different from valid cert, but we need to know if there was cert in the first place.
---
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index dc04eb5c81..593b3d8336 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -701,9 +701,9 @@ openssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
 }
 
 static bool
-openssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
+openssl_iostream_has_client_cert(struct ssl_iostream *ssl_io)
 {
-	return ssl_io->cert_received && ssl_io->cert_broken;
+	return ssl_io->cert_received;
 }
 
 static bool
@@ -1087,7 +1087,7 @@ static const struct iostream_ssl_vfuncs ssl_vfuncs = {
 	.is_handshaked = openssl_iostream_is_handshaked,
 	.has_handshake_failed = openssl_iostream_has_handshake_failed,
 	.has_valid_client_cert = openssl_iostream_has_valid_client_cert,
-	.has_broken_client_cert = openssl_iostream_has_broken_client_cert,
+	.has_client_cert = openssl_iostream_has_client_cert,
 	.cert_match_name = openssl_iostream_cert_match_name,
 	.get_allow_invalid_cert = openssl_iostream_get_allow_invalid_cert,
 	.get_peer_username = openssl_iostream_get_peer_username,
diff --git a/src/lib-ssl-iostream/iostream-ssl-private.h b/src/lib-ssl-iostream/iostream-ssl-private.h
index 29375f4dff..d62e7168df 100644
--- a/src/lib-ssl-iostream/iostream-ssl-private.h
+++ b/src/lib-ssl-iostream/iostream-ssl-private.h
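Review bot: openssl_iostream_has_client_cert() only reads ssl_io->cert_received, yet it keeps the non-const `struct ssl_iostream *` parameter of the function it replaces, while the neighbouring openssl_iostream_has_valid_client_cert() in the same hunk takes `const struct ssl_iostream *`. Since the rename already touches every declaration, this is the moment to make the new accessor const too, `openssl_iostream_has_client_cert(const struct ssl_iostream *ssl_io)`, with the matching vfunc pointer in the iostream-ssl-private.h hunk and the wrapper and prototype in the iostream-ssl.c and iostream-ssl.h hunks. A one-line comment would also help callers, because "received" is broader than "valid": `/* TRUE if the peer presented any certificate, whether or not it verified. */` — that assumes cert_received is set independently of the verification result, which is not visible in this hunk and should be confirmed. If nothing else reads cert_broken after this change, the field looks dead and could go in a follow-up.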
@@ -39,7 +39,7 @@ struct iostream_ssl_vfuncs {
 	bool (*is_handshaked)(const struct ssl_iostream *ssl_io);
 	bool (*has_handshake_failed)(const struct ssl_iostream *ssl_io);
 	bool (*has_valid_client_cert)(const struct ssl_iostream *ssl_io);
-	bool (*has_broken_client_cert)(struct ssl_iostream *ssl_io);
+	bool (*has_client_cert)(struct ssl_iostream *ssl_io);
 	bool (*cert_match_name)(struct ssl_iostream *ssl_io, const char *name,
 				const char **reason_r);
 	bool (*get_allow_invalid_cert)(struct ssl_iostream *ssl_io);
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index e42765bdd9..e3651e809c 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -273,9 +273,9 @@ bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
 	return ssl_vfuncs->has_valid_client_cert(ssl_io);
 }
 
-bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
+bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io)
 {
-	return ssl_vfuncs->has_broken_client_cert(ssl_io);
+	return ssl_vfuncs->has_client_cert(ssl_io);
 }
 
 bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name,
@@ -290,7 +290,7 @@ int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
 	const char *reason;
 
 	if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
-		if (!ssl_iostream_has_broken_client_cert(ssl_io))
+		if (!ssl_iostream_has_client_cert(ssl_io))
 			*error_r = "SSL certificate not received";
 		else {
 			*error_r = t_strdup(ssl_iostream_get_last_error(ssl_io));
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 98379ed1d5..5c964d6f6a 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
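Review bot: In the `else` branch of the ssl_iostream_check_cert_validity() hunk, *error_r is now taken from ssl_iostream_get_last_error() for every certificate that was received but is not valid, whereas before the branch was only reached when cert_broken was also set; if that getter can return NULL when no verification error was recorded, t_strdup() would hand the caller a NULL reason for a rejected connection. A defensive fallback keeps the error path well-defined: `const char *err = ssl_iostream_get_last_error(ssl_io);` followed by `*error_r = err != NULL ? t_strdup(err) : "SSL certificate verification failed";`. Whether get_last_error() can be NULL in that state is not visible in this hunk, so confirm against the OpenSSL backend before changing it. ssl_iostream_check_cert_validity() starts before the hunk and continues after it.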
@@ -178,7 +178,7 @@ bool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io); failure. */ bool ssl_iostream_has_handshake_failed(const struct ssl_iostream *ssl_io); bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io); -bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io); +bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io); /* Checks certificate validity based, also performs name checking. Called by default in handshake, unless handshake callback is set with ssl_iostream_check_cert_validity(). diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c index c4265f4d36..fd11cb27b5 100644 --- a/src/login-common/client-common.c +++ b/src/login-common/client-common.c @@ -1323,14 +1323,14 @@ bool client_get_extra_disconnect_reason(struct client *client, *human_reason_r = "cert required, client didn't start TLS"; return TRUE; } - if (ssl_iostream_has_broken_client_cert(client->ssl_iostream)) { - *event_reason_r = "client_ssl_cert_untrusted"; - *human_reason_r = "client sent an untrusted cert"; + if (!ssl_iostream_has_client_cert(client->ssl_iostream)) { + *event_reason_r = "client_ssl_cert_missing"; + *human_reason_r = "client didn't send a cert"; return TRUE; } if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) { - *event_reason_r = "client_ssl_cert_missing"; - *human_reason_r = "client didn't send a cert"; + *event_reason_r = "client_ssl_cert_untrusted"; + *human_reason_r = "client sent an untrusted cert"; return TRUE; } }
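Review bot: The two checks in the client-common.c hunk are now order-dependent: ssl_iostream_has_valid_client_cert() is also FALSE when no certificate was sent at all (the iostream-ssl.c hunk maps exactly that case to "SSL certificate not received"), so the `!ssl_iostream_has_client_cert()` test must stay ahead of it or every missing cert would be logged as `client_ssl_cert_untrusted`. That ordering deserves a comment so it survives the next edit, e.g. `/* Check presence first: a missing cert also fails has_valid_client_cert(). */` above the first `if`. The swap also means the untrusted reason no longer depends on cert_broken, only on has_valid_client_cert() being FALSE for a received cert; if that covers more failure modes than before (the hunk does not show what has_valid_client_cert() checks), the human reason "client sent an untrusted cert" may be broader than it reads. client_get_extra_disconnect_reason() starts before the hunk and, judging by the closing braces, continues after it.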