Added %k variable to display valid-client-cert status. It expands to "valid" or empty.
authorTimo Sirainen <tss@iki.fi>
Thu, 23 Oct 2008 17:31:41 +0000 (20:31 +0300)
committerTimo Sirainen <tss@iki.fi>
Thu, 23 Oct 2008 17:31:41 +0000 (20:31 +0300)
--HG--
branch : HEAD

src/auth/auth-request-handler.c
src/auth/auth-request.c
src/auth/auth-request.h

index 6568b46393b94a8b386aca64377fccd5dd9cee83..a06e0475541e3e18cef32d19e5d0329b184adebb 100644 (file)
@@ -276,7 +276,6 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
        size_t initial_resp_len;
        unsigned int id;
        buffer_t *buf;
-       bool valid_client_cert;
 
        /* <id> <mechanism> [...] */
        list = t_strsplit(args, "\t");
@@ -304,7 +303,6 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
 
        /* parse optional parameters */
        initial_resp = NULL;
-       valid_client_cert = FALSE;
        for (list += 2; *list != NULL; list++) {
                arg = strchr(*list, '=');
                if (arg == NULL) {
@@ -317,8 +315,6 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
 
                if (auth_request_import(request, name, arg))
                        ;
-               else if (strcmp(name, "valid-client-cert") == 0)
-                       valid_client_cert = TRUE;
                else if (strcmp(name, "resp") == 0) {
                        initial_resp = arg;
                        /* this must be the last parameter */
@@ -343,7 +339,8 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
 
        hash_insert(handler->requests, POINTER_CAST(id), request);
 
-       if (request->auth->ssl_require_client_cert && !valid_client_cert) {
+       if (request->auth->ssl_require_client_cert &&
+           !request->valid_client_cert) {
                /* we fail without valid certificate */
                 auth_request_handler_auth_fail(handler, request,
                        "Client didn't present valid SSL certificate");
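Review bot: The `ssl_require_client_cert` check now reads `request->valid_client_cert`, which any caller of `auth_request_import()` can set, whereas the removed local could only be set by this function's own parameter loop. If `auth_request_import()` is also fed from inputs other than this request line (not visible in the diff), those paths can now satisfy the certificate requirement, so the callers are worth confirming. The comment could record the assumption, e.g. `/* we fail without valid certificate; the flag is asserted by the peer, auth does not verify the cert itself */`. The function starts and ends outside this hunk.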
index e3d3ccee53211f7eb842a11dcaa9afa359b5eea9..5caffc5c98f5cbddb8f21309890ac5f3724c6f74 100644 (file)
@@ -147,6 +147,8 @@ void auth_request_export(struct auth_request *request,
                auth_stream_reply_add(reply, "secured", "1");
        if (request->skip_password_check)
                auth_stream_reply_add(reply, "skip_password_check", "1");
+       if (request->valid_client_cert)
+               auth_stream_reply_add(reply, "valid-client-cert", "1");
        if (request->mech_name != NULL)
                auth_stream_reply_add(reply, "mech", request->mech_name);
 }
@@ -179,6 +181,8 @@ bool auth_request_import(struct auth_request *request,
                request->secured = TRUE;
        else if (strcmp(key, "nologin") == 0)
                request->no_login = TRUE;
+       else if (strcmp(key, "valid-client-cert") == 0)
+               request->valid_client_cert = TRUE;
        else if (strcmp(key, "skip_password_check") == 0) {
                i_assert(request->master_user !=  NULL);
                request->skip_password_check = TRUE;
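Review bot: The new `valid-client-cert` branch sets the flag on key presence alone, so a parameter such as `valid-client-cert=0` also marks the certificate as valid, even though `auth_request_export()` only ever writes `1`. This matches the neighbouring `secured` and `nologin` branches, but this flag decides the `ssl_require_client_cert` check in auth-request-handler.c, and unlike `skip_password_check` it has no precondition guarding it. A one-line comment such as `/* value is ignored: presence of the key means the sender already verified the client cert */` would make the contract explicit. The function's body continues outside the hunk.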
@@ -1347,6 +1351,7 @@ auth_request_get_var_expand_table(const struct auth_request *auth_request,
                { 'c', NULL },
                { 'a', NULL },
                { 'b', NULL },
+               { 'k', NULL },
                { '\0', NULL }
        };
        struct var_expand_table *tab;
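Review bot: The `{ 'k', NULL }` entry added here is tied to `tab[14].value` in the next hunk only by position, so inserting or reordering an entry later would silently attach "valid" to a different variable. A comment next to the assignment, e.g. `/* index 14 == 'k' in the table above; keep in sync */`, would make the coupling visible. Since `%k` may end up in passdb/userdb queries as an authorization input, it is also worth documenting that it reflects the `valid-client-cert` parameter supplied with the request rather than a check done by auth; no documentation file is touched in this commit. The function starts before and continues after this hunk.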
@@ -1386,6 +1391,7 @@ auth_request_get_var_expand_table(const struct auth_request *auth_request,
        tab[11].value = auth_request->secured ? "secured" : "";
        tab[12].value = dec2str(auth_request->local_port);
        tab[13].value = dec2str(auth_request->remote_port);
+       tab[14].value = auth_request->valid_client_cert ? "valid" : "";
        return tab;
 }
 
index edf1170226ea005d56df6da42d79a6f267bd6272..659db8153770f26a7f5b4627384342ed157ae300 100644 (file)
@@ -91,6 +91,7 @@ struct auth_request {
        unsigned int skip_password_check:1;
        unsigned int proxy:1;
        unsigned int proxy_maybe:1;
+       unsigned int valid_client_cert:1;
        unsigned int cert_username:1;
        unsigned int userdb_lookup:1;
        unsigned int userdb_lookup_failed:1;