From: Timo Sirainen
Date: Fri, 8 Aug 2025 12:30:58 +0000 (+0300)
Subject: lib-ssl-iostream, global: Rename ssl_iostream_has_[valid_]client_cert() to ssl_iostre...
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2952f107313361432cea7e9a540641e06358eb2;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream, global: Rename ssl_iostream_has_[valid_]client_cert() to ssl_iostream_has_[valid_]cert()

These functions can be used (and are used) for both client and server connections, so it's confusing having the "client" in the function name.
---
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 6122731072..c0da08388e 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -577,7 +577,7 @@ static bool
 openssl_iostream_cert_match_name(struct ssl_iostream *ssl_io,
 const char *verify_name, const char **reason_r)
 {
- if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
+ if (!ssl_iostream_has_valid_cert(ssl_io)) {
 *reason_r = "Invalid certificate";
 return FALSE;
 }
@@ -730,7 +730,7 @@ openssl_iostream_get_peer_username(struct ssl_iostream *ssl_io)
 char *name;
 int len;
 
- if (!ssl_iostream_has_valid_client_cert(ssl_io))
+ if (!ssl_iostream_has_valid_cert(ssl_io))
 return NULL;
 
 #ifdef HAVE_SSL_get1_peer_certificate
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index df5d218f23..bac0fa09ac 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -269,12 +269,12 @@ bool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io)
 return ssl_iostream_get_state(ssl_io) == SSL_IOSTREAM_STATE_OK;
 }
-bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
+bool ssl_iostream_has_valid_cert(const struct ssl_iostream *ssl_io)
 {
 return ssl_vfuncs->get_cert_validity(ssl_io) == SSL_IOSTREAM_CERT_VALIDITY_OK;
 }
-bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io)
+bool ssl_iostream_has_cert(struct ssl_iostream *ssl_io)
 {
 return ssl_vfuncs->get_cert_validity(ssl_io) != SSL_IOSTREAM_CERT_VALIDITY_NO_CERT;
 }
@@ -291,8 +291,8 @@ ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
 {
 const char *reason;
 
- if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
- if (!ssl_iostream_has_client_cert(ssl_io)) {
+ if (!ssl_iostream_has_valid_cert(ssl_io)) {
+ if (!ssl_iostream_has_cert(ssl_io)) {
 *error_r = "SSL certificate not received";
 return SSL_IOSTREAM_CERT_VALIDITY_NO_CERT;
 } else {
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 3c5f2d616a..6fd06a9ef4 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -205,8 +205,13 @@ ssl_iostream_get_state(const struct ssl_iostream *ssl_io);
 /* Returns TRUE if SSL iostream handshake is finished and certificate is valid. This is the same as state being SSL_IOSTREAM_STATE_OK. */
 bool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io);
-bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io);
-bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io);
+/* Returns TRUE if SSL (client or server) certificate was received,
+ valid or not. */
+bool ssl_iostream_has_cert(struct ssl_iostream *ssl_io);
+/* Returns TRUE if a valid SSL (client or server) certificate was received.
+ Certificate name validity isn't checked, ssl_iostream_cert_match_name() must
+ be used for that. */
+bool ssl_iostream_has_valid_cert(const struct ssl_iostream *ssl_io);
 /* Checks certificate validity based, also performs name checking. Called by default in handshake, unless handshake callback is set with ssl_iostream_check_cert_validity().
@@ -214,7 +219,7 @@ bool ssl_iostream_has_client_cert(struct ssl_iostream *ssl_io);
 Host should be set as the name you want to validate the certificate name(s) against. Usually this is the host name you connected to.
- This function is same as calling ssl_iostream_has_valid_client_cert()
+ This function is same as calling ssl_iostream_has_valid_cert()
 and ssl_iostream_cert_match_name(). */
 enum ssl_iostream_cert_validity
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 508b799d00..821314b0a6 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
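Review bot: The two renamed prototypes still disagree on const-qualification: `bool ssl_iostream_has_cert(struct ssl_iostream *ssl_io);` takes a mutable pointer while `bool ssl_iostream_has_valid_cert(const struct ssl_iostream *ssl_io);` takes a const one, although the iostream-ssl.c hunk shows both bodies are the same single call to `ssl_vfuncs->get_cert_validity(ssl_io)`. Since this commit already rewrites both declarations and both definitions, it is the natural point to align them; if `get_cert_validity` accepts a const pointer (its signature is not in this diff), declaring `bool ssl_iostream_has_cert(const struct ssl_iostream *ssl_io);` would let code holding a const handle use either predicate. The new comments are a real improvement, but the neighbouring context comment that this hunk sits inside still reads "Checks certificate validity based, also performs name checking." with a dangling "based"; touching it here would be cheap, e.g. `/* Checks certificate validity, and also performs name checking. Called by`.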
@@ -1392,13 +1392,13 @@ bool client_get_extra_disconnect_reason(struct client *client,
 *human_reason_r = "cert required, client didn't start TLS";
 return TRUE;
 }
- if (!ssl_iostream_has_client_cert(client->ssl_iostream)) {
+ if (!ssl_iostream_has_cert(client->ssl_iostream)) {
 *event_reason_r = "client_ssl_cert_missing";
 *human_reason_r = "client didn't send a cert";
 return TRUE;
 }
 if (client->ssl_server_set->parsed_opts.verify_client_cert &&
- !ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
+ !ssl_iostream_has_valid_cert(client->ssl_iostream)) {
 *event_reason_r = "client_ssl_cert_untrusted";
 *human_reason_r = "client sent an untrusted cert";
 return TRUE;
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 9d4bb024e3..c1cfebf70c 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -124,7 +124,7 @@ client_get_auth_flags(struct client *client)
 enum auth_request_flags auth_flags = 0;
 
 if (client->ssl_iostream != NULL &&
- ssl_iostream_has_valid_client_cert(client->ssl_iostream))
+ ssl_iostream_has_valid_cert(client->ssl_iostream))
 auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT;
 if (client->connection_tls_secured)
 auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED_TLS;
@@ -477,7 +477,7 @@ get_cert_username(struct client *client, const char **username_r,
 }
 
 /* no client certificate */
- if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
+ if (!ssl_iostream_has_valid_cert(client->ssl_iostream)) {
 *username_r = NULL;
 return TRUE;
 }