From 4f7969b562dee953c311f0d28b49ad2cf4ade2cf Mon Sep 17 00:00:00 2001
From: Koichiro IWAO <meta@vmeta.jp>
Date: Wed, 8 Mar 2017 22:42:41 +0900
Subject: [PATCH] Check certificate/privkey readability not existence

to fail RDP security negotiation if certificate/privkey is not readable
---
 libxrdp/xrdp_iso.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/libxrdp/xrdp_iso.c b/libxrdp/xrdp_iso.c
index 7cff94a3..469025cc 100644
--- a/libxrdp/xrdp_iso.c
+++ b/libxrdp/xrdp_iso.c
@@ -78,12 +78,12 @@ xrdp_iso_negotiate_security(struct xrdp_iso *self)
         case PROTOCOL_SSL:
             if (self->requestedProtocol & PROTOCOL_SSL)
             {
-
-                if(!g_file_exist(client_info->certificate) ||
-                   !g_file_exist(client_info->key_file))
+                if (!g_file_readable(client_info->certificate) ||
+                    !g_file_readable(client_info->key_file))
                 {
-                    /* certificate file doesn't exist */
-                    LLOGLN(0, ("xrdp_iso_negotiate_security: TLS certificate not found on server"));
+                    /* certificate or privkey is not readable */
+                    log_message(LOG_LEVEL_DEBUG, "No readable certificates or "
+                                "private keys, cannot accept TLS connections");
                     self->failureCode = SSL_CERT_NOT_ON_SERVER;
                     rv = 1; /* error */
                 }
@@ -102,8 +102,8 @@ xrdp_iso_negotiate_security(struct xrdp_iso *self)
         case PROTOCOL_HYBRID_EX:
         default:
             if ((self->requestedProtocol & PROTOCOL_SSL) &&
-                g_file_exist(client_info->certificate) &&
-                g_file_exist(client_info->key_file))
+                g_file_readable(client_info->certificate) &&
+                g_file_readable(client_info->key_file))
             {
                 /* that's a patch since we don't support CredSSP for now */
                 self->selectedProtocol = PROTOCOL_SSL;