From: Aki Tuomi Date: Mon, 3 Feb 2025 12:15:58 +0000 (+0200) Subject: global: Set application protocol on new context only X-Git-Tag: 2.4.1~221 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec4e85fdf3216da430518bcf56d9443713d0e2c3;p=thirdparty%2Fdovecot%2Fcore.git global: Set application protocol on new context only
---
diff --git a/src/lib-http/http-client.c b/src/lib-http/http-client.c
index 70df64b098..b626d50e2d 100644
--- a/src/lib-http/http-client.c
+++ b/src/lib-http/http-client.c
@@ -363,11 +363,13 @@ int http_client_init_ssl_ctx(struct http_client *client, const char **error_r)
 return 0;
 if (client->ssl_set != NULL) {
- if (ssl_iostream_client_context_cache_get(client->ssl_set,
- &client->ssl_ctx,
- error_r) < 0)
+ int ret;
+ if ((ret = ssl_iostream_client_context_cache_get(client->ssl_set,
+ &client->ssl_ctx,
+ error_r)) < 0)
 return -1;
- ssl_iostream_context_set_application_protocols(client->ssl_ctx, names);
+ else if (ret > 0)
+ ssl_iostream_context_set_application_protocols(client->ssl_ctx, names);
 return 0;
 }
 /* no ssl settings given via http_client_settings -
@@ -378,14 +380,14 @@ int http_client_init_ssl_ctx(struct http_client *client, const char **error_r)
 int ret = ssl_iostream_client_context_cache_get(set, &client->ssl_ctx, error_r);
- if (ret == 0) {
+ if (ret > 0) {
 ssl_iostream_context_set_application_protocols(client->ssl_ctx, names);
 }
 settings_free(set);
 settings_free(ssl_set);
- return ret;
+ return ret < 0 ? -1 : 0;
 }
 /*
diff --git a/src/lib-http/http-server-connection.c b/src/lib-http/http-server-connection.c
index 2aa19c4300..d397ea0a41 100644
--- a/src/lib-http/http-server-connection.c
+++ b/src/lib-http/http-server-connection.c
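Review bot: In src/lib-http/http-client.c both call sites in http_client_init_ssl_ctx() (`else if (ret > 0)` and `if (ret > 0) {`) now leave a cached context's ALPN list as it is, which is only safe if the context cache never hands one context to callers that want different protocol names. The lookups shown here pass only the SSL settings and the names are applied afterwards, so on a hit the context presumably still carries whatever list its first creator set; the cache implementation is not part of this diff, so this needs confirming there. The same pattern appears in io_stream_autocreate_ssl_client()/io_stream_autocreate_ssl_server() (`ret > 0 && parameters->application_protocols != NULL`) and in smtp_client_connection_init_ssl_ctx(), where the name comes from `conn->protocol`. Because ALPN is the check that keeps a TLS endpoint from being used with the wrong application protocol, it is worth either making the protocol list part of the cache key or documenting why it cannot differ. A short comment at the first call, e.g. `/* ret > 0: newly created context; ret == 0: shared cached context, do not modify */`, would also record the return convention these hunks depend on.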
@@ -383,11 +383,12 @@ http_server_connection_ssl_init(struct http_server_connection *conn)
 &conn->conn.output, &conn->ssl_iostream, &error);
- } else if (ssl_iostream_server_context_cache_get(server->ssl_set,
- &ssl_ctx, &error) < 0)
- ret = -1;
- else {
- ssl_iostream_context_set_application_protocols(ssl_ctx, names);
+ } else if ((ret = ssl_iostream_server_context_cache_get(server->ssl_set,
+ &ssl_ctx, &error)) < 0) {
+ /* pass */
+ } else {
+ if (ret > 0)
+ ssl_iostream_context_set_application_protocols(ssl_ctx, names);
 ret = io_stream_create_ssl_server(ssl_ctx, server->event, &conn->conn.input,
diff --git a/src/lib-smtp/smtp-client-connection.c b/src/lib-smtp/smtp-client-connection.c
index 7685c3107f..81a945bdd9 100644
--- a/src/lib-smtp/smtp-client-connection.c
+++ b/src/lib-smtp/smtp-client-connection.c
@@ -1573,6 +1573,7 @@ smtp_client_connection_init_ssl_ctx(struct smtp_client_connection *conn,
 const char **error_r)
 {
 struct smtp_client *client = conn->client;
+ int ret;
 if (conn->ssl_ctx != NULL) return 0;
@@ -1590,9 +1591,9 @@ smtp_client_connection_init_ssl_ctx(struct smtp_client_connection *conn,
 "Requested SSL connection, but no SSL settings given";
 return -1;
 }
- if (ssl_iostream_client_context_cache_get(conn->set.ssl, &conn->ssl_ctx,
- error_r) < 0)
- return -1;
+ if ((ret = ssl_iostream_client_context_cache_get(conn->set.ssl, &conn->ssl_ctx,
+ error_r)) <= 0)
+ return ret;
 const char *application_protocol = smtp_protocol_name(conn->protocol);
 const char *const names[] = {
 application_protocol,
diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
index c0d77cca6c..8b879c92cb 100644
--- a/src/lib-smtp/smtp-server-connection.c
+++ b/src/lib-smtp/smtp-server-connection.c
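Review bot: In http_server_connection_ssl_init() the error branch is now an empty block marked only `/* pass */`, and the function's result depends on `ret` keeping the negative value assigned inside the `else if` condition. That is easy to break in a later edit, so a comment that states the intent, e.g. `/* ret < 0: error is already set, handled after this if/else chain */`, or keeping the explicit `ret = -1;` would make the error path visible. The code that consumes `ret` and `error` lies outside the hunk, so this assumes it only tests `ret < 0`.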
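Review bot: In smtp_client_connection_init_ssl_ctx() the new `return ret;` on `<= 0` leaves the function on a cache hit before anything below the call runs, not only before the ALPN setup. The hunk ends inside the `names[]` initializer, so the rest of the body is not visible; if it does anything besides setting application protocols, that work is now skipped for cached contexts. Splitting the condition would keep the two cases readable: `if (ret < 0) return -1;` followed by `if (ret == 0) return 0; /* cached context already has its protocols */`.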
@@ -375,20 +375,23 @@ smtp_server_connection_sni_callback(const char *name, const char **error_r,
 ssl_server_settings_to_iostream_set(ssl_set, ssl_server_set, &conn->set.ssl);
- if (ssl_iostream_server_context_cache_get(conn->set.ssl, &ssl_ctx,
- error_r) < 0) {
+ int ret;
+ if ((ret = ssl_iostream_server_context_cache_get(conn->set.ssl, &ssl_ctx,
+ error_r)) < 0) {
 settings_free(ssl_set);
 settings_free(ssl_server_set);
 return -1;
 }
 settings_free(ssl_set);
 settings_free(ssl_server_set);
- const char *application_protocol = smtp_protocol_name(conn->set.protocol);
- const char *const names[] = {
- application_protocol,
- NULL
- };
- ssl_iostream_context_set_application_protocols(ssl_ctx, names);
+ if (ret == 1) {
+ const char *application_protocol = smtp_protocol_name(conn->set.protocol);
+ const char *const names[] = {
+ application_protocol,
+ NULL
+ };
+ ssl_iostream_context_set_application_protocols(ssl_ctx, names);
+ }
 ssl_iostream_change_context(conn->ssl_iostream, ssl_ctx);
 ssl_iostream_context_unref(&ssl_ctx);
 return 0;
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 59acac4f26..52e2996558 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -161,7 +161,7 @@ int io_stream_autocreate_ssl_client(
 settings_free(set);
 if (ret < 0) return -1;
- if (parameters->application_protocols != NULL) {
+ if (ret > 0 && parameters->application_protocols != NULL) {
 ssl_iostream_context_set_application_protocols(ctx, parameters->application_protocols);
 }
@@ -197,7 +197,7 @@ int io_stream_autocreate_ssl_server(
 settings_free(set);
 if (ret < 0) return -1;
- if (parameters->application_protocols != NULL) {
+ if (ret > 0 && parameters->application_protocols != NULL) {
 ssl_iostream_context_set_application_protocols(ctx, parameters->application_protocols);
 }
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 715d110237..c4265f4d36 100644
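Review bot: smtp_server_connection_sni_callback() tests `if (ret == 1)` while every other call site in this commit tests `ret > 0` for a newly created context. If the cache getter ever returns another positive value, this callback alone would skip the ALPN setup and then hand the context to ssl_iostream_change_context() without protocol names; `if (ret > 0) {` keeps the call sites consistent.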
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -683,6 +683,7 @@ int client_sni_callback(const char *name, const char **error_r,
 struct client *client = context;
 struct ssl_iostream_context *ssl_ctx;
 const struct ssl_iostream_settings *ssl_set;
+ int ret;
 if (client->ssl_servername_settings_read) return 0;
@@ -718,12 +719,12 @@ int client_sni_callback(const char *name, const char **error_r,
 ssl_server_settings_to_iostream_set(client->ssl_set, client->ssl_server_set, &ssl_set);
- if (ssl_iostream_server_context_cache_get(ssl_set, &ssl_ctx, error_r) < 0) {
+ if ((ret = ssl_iostream_server_context_cache_get(ssl_set, &ssl_ctx, error_r)) < 0) {
 settings_free(ssl_set);
 return -1;
 }
 settings_free(ssl_set);
- if (login_binary->application_protocols != NULL) {
+ if (ret > 0 && login_binary->application_protocols != NULL) {
 ssl_iostream_context_set_application_protocols(ssl_ctx, login_binary->application_protocols);
 }