dovecot-2.2: login: Don't allow STARTTLS if ssl=no in client's s...

dovecot at dovecot.org dovecot at dovecot.org
Fri Aug 10 05:24:40 EEST 2012


details:   http://hg.dovecot.org/dovecot-2.2/rev/258c2e231357
changeset: 14800:258c2e231357
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Jul 17 15:28:24 2012 +0300
description:
login: Don't allow STARTTLS if ssl=no in client's settings, even if ssl=yes globally.

diffstat:

 src/imap-login/client.c              |  2 +-
 src/login-common/client-common.c     |  7 ++++++-
 src/login-common/client-common.h     |  1 +
 src/pop3-login/client-authenticate.c |  2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)

diffs (59 lines):

diff -r 77b52599e883 -r 258c2e231357 src/imap-login/client.c
--- a/src/imap-login/client.c	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/imap-login/client.c	Tue Jul 17 15:28:24 2012 +0300
@@ -62,7 +62,7 @@
 		str_append(cap_str, imap_client->set->imap_capability + 1);
 	}
 
-	if (ssl_initialized && !client->tls)
+	if (client_is_tls_enabled(client) && !client->tls)
 		str_append(cap_str, " STARTTLS");
 	if (client->set->disable_plaintext_auth && !client->secured)
 		str_append(cap_str, " LOGINDISABLED");
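Review bot: In the IMAP capability code, a client whose settings have ssl=no is now never offered STARTTLS, yet the check that follows can still append LOGINDISABLED when disable_plaintext_auth is set and the connection is not secured. That combination leaves the client with no way to upgrade the connection and, presumably, only non-plaintext mechanisms to authenticate with, so it deserves a comment above the STARTTLS check, e.g. `/* ssl=no for this client: STARTTLS is withheld, so LOGINDISABLED below leaves no upgrade path */`. The same interaction applies to the STLS hunk in src/pop3-login/client-authenticate.c, where the check after STLS depends on the same two settings. The enclosing function starts and ends outside this hunk.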
diff -r 77b52599e883 -r 258c2e231357 src/login-common/client-common.c
--- a/src/login-common/client-common.c	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/login-common/client-common.c	Tue Jul 17 15:28:24 2012 +0300
@@ -346,7 +346,7 @@
 		return;
 	}
 
-	if (!ssl_initialized) {
+	if (!client_is_tls_enabled(client)) {
 		client_send_line(client, CLIENT_CMD_REPLY_BAD,
 				 "TLS support isn't enabled.");
 		return;
@@ -591,6 +591,11 @@
 	return FALSE;
 }
 
+bool client_is_tls_enabled(struct client *client)
+{
+	return ssl_initialized && strcmp(client->set->ssl, "no") != 0;
+}
+
 const char *client_get_extra_disconnect_reason(struct client *client)
 {
 	unsigned int auth_secs = client->auth_first_started == 0 ? 0 :
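Review bot: client_is_tls_enabled() has no comment saying that it combines the process-wide `ssl_initialized` flag with the per-client `ssl` setting, or that the same predicate gates both the capability advertisement and the STARTTLS command itself. I would add `/* TRUE if SSL was initialized and this client's settings don't have ssl=no. */` above the definition. The `strcmp()` is an exact match on "no", so it relies on the settings code having restricted `ssl` to a fixed set of values, which is not visible in this diff. Any remaining `ssl_initialized` test on a client-facing path outside these four files should probably call the helper as well, otherwise a per-client ssl=no could still be bypassed there.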
diff -r 77b52599e883 -r 258c2e231357 src/login-common/client-common.h
--- a/src/login-common/client-common.h	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/login-common/client-common.h	Tue Jul 17 15:28:24 2012 +0300
@@ -168,6 +168,7 @@
 const char *client_get_extra_disconnect_reason(struct client *client);
 bool client_is_trusted(struct client *client);
 void client_auth_failed(struct client *client);
+bool client_is_tls_enabled(struct client *client);
 const char *client_get_session_id(struct client *client);
 
 bool client_read(struct client *client);
diff -r 77b52599e883 -r 258c2e231357 src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/pop3-login/client-authenticate.c	Tue Jul 17 15:28:24 2012 +0300
@@ -33,7 +33,7 @@
 	str_append(str, "+OK\r\n");
 	str_append(str, capability_string);
 
-	if (ssl_initialized && !client->common.tls)
+	if (client_is_tls_enabled(&client->common) && !client->common.tls)
 		str_append(str, "STLS\r\n");
 	if (!client->common.set->disable_plaintext_auth ||
 	    client->common.secured)

