Rename tls_checkpeer to tls_reqcert in ServerHello message
This commit is contained in:
committed by
Todd C. Miller
parent
c9b68ccb34
commit
9935a7e2ff
@@ -412,7 +412,7 @@ struct _ServerHello
|
|||||||
/*
|
/*
|
||||||
* true if client auth is required with signed cert
|
* true if client auth is required with signed cert
|
||||||
*/
|
*/
|
||||||
protobuf_c_boolean tls_checkpeer;
|
protobuf_c_boolean tls_reqcert;
|
||||||
};
|
};
|
||||||
#define SERVER_HELLO__INIT \
|
#define SERVER_HELLO__INIT \
|
||||||
{ PROTOBUF_C_MESSAGE_INIT (&server_hello__descriptor) \
|
{ PROTOBUF_C_MESSAGE_INIT (&server_hello__descriptor) \
|
||||||
|
@@ -1629,12 +1629,12 @@ static const ProtobufCFieldDescriptor server_hello__field_descriptors[5] =
|
|||||||
0,NULL,NULL /* reserved1,reserved2, etc */
|
0,NULL,NULL /* reserved1,reserved2, etc */
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"tls_checkpeer",
|
"tls_reqcert",
|
||||||
5,
|
5,
|
||||||
PROTOBUF_C_LABEL_NONE,
|
PROTOBUF_C_LABEL_NONE,
|
||||||
PROTOBUF_C_TYPE_BOOL,
|
PROTOBUF_C_TYPE_BOOL,
|
||||||
0, /* quantifier_offset */
|
0, /* quantifier_offset */
|
||||||
offsetof(ServerHello, tls_checkpeer),
|
offsetof(ServerHello, tls_reqcert),
|
||||||
NULL,
|
NULL,
|
||||||
NULL,
|
NULL,
|
||||||
0, /* flags */
|
0, /* flags */
|
||||||
@@ -1646,7 +1646,7 @@ static const unsigned server_hello__field_indices_by_name[] = {
|
|||||||
0, /* field[0] = server_id */
|
0, /* field[0] = server_id */
|
||||||
2, /* field[2] = servers */
|
2, /* field[2] = servers */
|
||||||
3, /* field[3] = tls */
|
3, /* field[3] = tls */
|
||||||
4, /* field[4] = tls_checkpeer */
|
4, /* field[4] = tls_reqcert */
|
||||||
};
|
};
|
||||||
static const ProtobufCIntRange server_hello__number_ranges[1 + 1] =
|
static const ProtobufCIntRange server_hello__number_ranges[1 + 1] =
|
||||||
{
|
{
|
||||||
|
@@ -126,5 +126,5 @@ message ServerHello {
|
|||||||
string redirect = 2; /* optional redirect if busy */
|
string redirect = 2; /* optional redirect if busy */
|
||||||
repeated string servers = 3; /* optional list of known servers */
|
repeated string servers = 3; /* optional list of known servers */
|
||||||
bool tls = 4; /* true if server uses tls protocol */
|
bool tls = 4; /* true if server uses tls protocol */
|
||||||
bool tls_checkpeer = 5; /* true if client auth is required with signed cert */
|
bool tls_reqcert = 5; /* true if client auth is required with signed cert */
|
||||||
}
|
}
|
||||||
|
@@ -178,10 +178,10 @@ fmt_hello_message(struct connection_buffer *buf)
|
|||||||
hello.server_id = (char *)server_id;
|
hello.server_id = (char *)server_id;
|
||||||
#if defined(HAVE_OPENSSL)
|
#if defined(HAVE_OPENSSL)
|
||||||
hello.tls = logsrvd_conf_get_tls_opt();
|
hello.tls = logsrvd_conf_get_tls_opt();
|
||||||
hello.tls_checkpeer = logsrvd_get_tls_config()->check_peer;
|
hello.tls_reqcert = logsrvd_get_tls_config()->check_peer;
|
||||||
#else
|
#else
|
||||||
hello.tls = false;
|
hello.tls = false;
|
||||||
hello.tls_checkpeer = false;
|
hello.tls_reqcert = false;
|
||||||
#endif
|
#endif
|
||||||
msg.hello = &hello;
|
msg.hello = &hello;
|
||||||
msg.type_case = SERVER_MESSAGE__TYPE_HELLO;
|
msg.type_case = SERVER_MESSAGE__TYPE_HELLO;
|
||||||
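Review bot: On the new side of this hunk `hello.tls_reqcert = logsrvd_get_tls_config()->check_peer;` fills the renamed wire field from a config member that still carries the old check_peer name, so the rename is only half visible at the one place where the server decides what to advertise. A short comment would stop the next reader from searching for a matching config rename, e.g. `/* tls_reqcert on the wire mirrors the check_peer TLS config setting */`. If the config member is meant to follow the rename as well, that would belong in a separate change rather than being implied here. fmt_hello_message starts and ends outside the hunk.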
|
@@ -76,7 +76,7 @@ static char *iolog_dir;
|
|||||||
|
|
||||||
#if defined(HAVE_OPENSSL)
|
#if defined(HAVE_OPENSSL)
|
||||||
static bool tls = false;
|
static bool tls = false;
|
||||||
static bool tls_checkpeer = false;
|
static bool tls_reqcert = false;
|
||||||
static SSL_CTX *ssl_ctx = NULL;
|
static SSL_CTX *ssl_ctx = NULL;
|
||||||
static SSL *ssl = NULL;
|
static SSL *ssl = NULL;
|
||||||
const char *ca_bundle = NULL;
|
const char *ca_bundle = NULL;
|
||||||
@@ -301,7 +301,7 @@ do_tls_handshake(struct client_closure *closure)
|
|||||||
sudo_warnx("%s", U_("CA bundle file was not specified"));
|
sudo_warnx("%s", U_("CA bundle file was not specified"));
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
if (tls_checkpeer && (cert == NULL)) {
|
if (tls_reqcert && (cert == NULL)) {
|
||||||
sudo_warnx("%s", U_("Client certificate was not specified"));
|
sudo_warnx("%s", U_("Client certificate was not specified"));
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
@@ -982,10 +982,10 @@ handle_server_hello(ServerHello *msg, struct client_closure *closure)
|
|||||||
|
|
||||||
#if defined(HAVE_OPENSSL)
|
#if defined(HAVE_OPENSSL)
|
||||||
tls = msg->tls;
|
tls = msg->tls;
|
||||||
tls_checkpeer = msg->tls_checkpeer;
|
tls_reqcert = msg->tls_reqcert;
|
||||||
if (tls) {
|
if (tls) {
|
||||||
printf("Requested protocol: TLS\n");
|
printf("Requested protocol: TLS\n");
|
||||||
if (tls_checkpeer)
|
if (tls_reqcert)
|
||||||
printf("Client auth is required with signed certificate\n");
|
printf("Client auth is required with signed certificate\n");
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@@ -281,7 +281,7 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
tls_init(struct client_closure *closure, bool peer_auth)
|
tls_init(struct client_closure *closure, bool cert_required)
|
||||||
{
|
{
|
||||||
debug_decl(tls_init, SUDOERS_DEBUG_PLUGIN);
|
debug_decl(tls_init, SUDOERS_DEBUG_PLUGIN);
|
||||||
|
|
||||||
@@ -326,7 +326,7 @@ tls_init(struct client_closure *closure, bool peer_auth)
|
|||||||
SSL_CTX_set_verify(closure->ssl_ctx, SSL_VERIFY_PEER, verify_peer_identity);
|
SSL_CTX_set_verify(closure->ssl_ctx, SSL_VERIFY_PEER, verify_peer_identity);
|
||||||
|
|
||||||
/* if the server requests client authentication with signed certificate */
|
/* if the server requests client authentication with signed certificate */
|
||||||
if (peer_auth) {
|
if (cert_required) {
|
||||||
/* if no certificate file is set in sudoers */
|
/* if no certificate file is set in sudoers */
|
||||||
if (closure->log_details->cert_file == NULL) {
|
if (closure->log_details->cert_file == NULL) {
|
||||||
sudo_warnx(U_("Signed certificate file is not set in sudoers"));
|
sudo_warnx(U_("Signed certificate file is not set in sudoers"));
|
||||||
@@ -1057,7 +1057,7 @@ handle_server_hello(ServerHello *msg, struct client_closure *closure)
|
|||||||
#if defined(HAVE_OPENSSL)
|
#if defined(HAVE_OPENSSL)
|
||||||
/* if server requested TLS */
|
/* if server requested TLS */
|
||||||
if (msg->tls) {
|
if (msg->tls) {
|
||||||
if (!tls_init(closure, msg->tls_checkpeer)) {
|
if (!tls_init(closure, msg->tls_reqcert)) {
|
||||||
sudo_warnx(U_("TLS initialization was unsuccessful"));
|
sudo_warnx(U_("TLS initialization was unsuccessful"));
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
|