Rename tls_checkpeer to tls_reqcert in ServerHello message

2025-09-03 15:55:40 +00:00 · 2020-01-22 15:40:56 +01:00
parent c9b68ccb34
commit 9935a7e2ff
6 changed files with 14 additions and 14 deletions
--- a/include/log_server.pb-c.h
+++ b/include/log_server.pb-c.h
@@ -412,7 +412,7 @@ struct  _ServerHello
  /*
   * true if client auth is required with signed cert 
   */
-  protobuf_c_boolean tls_checkpeer;
+  protobuf_c_boolean tls_reqcert;
 };
 #define SERVER_HELLO__INIT \
 { PROTOBUF_C_MESSAGE_INIT (&server_hello__descriptor) \
--- a/lib/logsrv/log_server.pb-c.c
+++ b/lib/logsrv/log_server.pb-c.c
@@ -1629,12 +1629,12 @@ static const ProtobufCFieldDescriptor server_hello__field_descriptors[5] =
    0,NULL,NULL    /* reserved1,reserved2, etc */
  },
  {
-    "tls_checkpeer",
+    "tls_reqcert",
    5,
    PROTOBUF_C_LABEL_NONE,
    PROTOBUF_C_TYPE_BOOL,
    0,   /* quantifier_offset */
-    offsetof(ServerHello, tls_checkpeer),
+    offsetof(ServerHello, tls_reqcert),
    NULL,
    NULL,
    0,             /* flags */
@@ -1646,7 +1646,7 @@ static const unsigned server_hello__field_indices_by_name[] = {
  0,   /* field[0] = server_id */
  2,   /* field[2] = servers */
  3,   /* field[3] = tls */
-  4,   /* field[4] = tls_checkpeer */
+  4,   /* field[4] = tls_reqcert */
 };
 static const ProtobufCIntRange server_hello__number_ranges[1 + 1] =
 {
--- a/lib/logsrv/log_server.proto
+++ b/lib/logsrv/log_server.proto
@@ -126,5 +126,5 @@ message ServerHello {
  string redirect = 2;		/* optional redirect if busy */
  repeated string servers = 3;	/* optional list of known servers */
  bool tls = 4;             /* true if server uses tls protocol */
-  bool tls_checkpeer = 5;   /* true if client auth is required with signed cert */
+  bool tls_reqcert = 5;   /* true if client auth is required with signed cert */
 }
--- a/logsrvd/logsrvd.c
+++ b/logsrvd/logsrvd.c
@@ -178,10 +178,10 @@ fmt_hello_message(struct connection_buffer *buf)
    hello.server_id = (char *)server_id;
 #if defined(HAVE_OPENSSL)
    hello.tls = logsrvd_conf_get_tls_opt();
-    hello.tls_checkpeer = logsrvd_get_tls_config()->check_peer;
+    hello.tls_reqcert = logsrvd_get_tls_config()->check_peer;
 #else
    hello.tls = false;
-    hello.tls_checkpeer = false;
+    hello.tls_reqcert = false;
 #endif
    msg.hello = &hello;
    msg.type_case = SERVER_MESSAGE__TYPE_HELLO;
--- a/logsrvd/sendlog.c
+++ b/logsrvd/sendlog.c
@@ -76,7 +76,7 @@ static char *iolog_dir;

 #if defined(HAVE_OPENSSL)
 static bool tls = false;
-static bool tls_checkpeer = false;
+static bool tls_reqcert = false;
 static SSL_CTX *ssl_ctx = NULL;
 static SSL *ssl = NULL;
 const char *ca_bundle = NULL;
@@ -301,7 +301,7 @@ do_tls_handshake(struct client_closure *closure)
        sudo_warnx("%s", U_("CA bundle file was not specified"));
        goto bad;
    }
-    if (tls_checkpeer && (cert == NULL)) {
+    if (tls_reqcert && (cert == NULL)) {
        sudo_warnx("%s", U_("Client certificate was not specified"));
        goto bad;
    }
@@ -982,10 +982,10 @@ handle_server_hello(ServerHello *msg, struct client_closure *closure)

 #if defined(HAVE_OPENSSL)
    tls = msg->tls;
-    tls_checkpeer = msg->tls_checkpeer;
+    tls_reqcert = msg->tls_reqcert;
    if (tls) {
        printf("Requested protocol: TLS\n");
-        if (tls_checkpeer)
+        if (tls_reqcert)
            printf("Client auth is required with signed certificate\n");
    }
 #endif
--- a/plugins/sudoers/iolog_client.c
+++ b/plugins/sudoers/iolog_client.c
@@ -281,7 +281,7 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
 }

 static bool
-tls_init(struct client_closure *closure, bool peer_auth)
+tls_init(struct client_closure *closure, bool cert_required)
 {
    debug_decl(tls_init, SUDOERS_DEBUG_PLUGIN);

@@ -326,7 +326,7 @@ tls_init(struct client_closure *closure, bool peer_auth)
    SSL_CTX_set_verify(closure->ssl_ctx, SSL_VERIFY_PEER, verify_peer_identity);

    /* if the server requests client authentication with signed certificate */
-    if (peer_auth) {
+    if (cert_required) {
        /* if no certificate file is set in sudoers */
        if (closure->log_details->cert_file == NULL) {
            sudo_warnx(U_("Signed certificate file is not set in sudoers"));
@@ -1057,7 +1057,7 @@ handle_server_hello(ServerHello *msg, struct client_closure *closure)
 #if defined(HAVE_OPENSSL)
    /* if server requested TLS */
    if (msg->tls) {
-        if (!tls_init(closure, msg->tls_checkpeer)) {
+        if (!tls_init(closure, msg->tls_reqcert)) {
            sudo_warnx(U_("TLS initialization was unsuccessful"));
            debug_return_bool(false);
        }