login-common: Rename client.tls to connection_tls_secured
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Thu, 3 Nov 2022 17:08:10 +0000 (19:08 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Wed, 16 Nov 2022 08:09:54 +0000 (08:09 +0000)
src/imap-login/imap-login-client.c
src/login-common/client-common.c
src/login-common/client-common.h
src/login-common/sasl-server.c
src/pop3-login/client-authenticate.c
src/submission-login/client-authenticate.c

index bb736ceec406c81589b9ffcc40f5943fb2568678..a6aba6b43183e8191ba61c1349b6db498659dbfe 100644 (file)
@@ -112,7 +112,7 @@ static const char *get_capability(struct client *client)
                        str_append(cap_str, " LITERAL+");
        }
 
-       if (client_is_tls_enabled(client) && !client->tls)
+       if (client_is_tls_enabled(client) && !client->connection_tls_secured)
                str_append(cap_str, " STARTTLS");
        if (is_login_cmd_disabled(client))
                str_append(cap_str, " LOGINDISABLED");
index f795561fa710383549f78e6ff648216a0444c910..eaa46bdb8a3185319402f1da0ab833db7b48e25b 100644 (file)
@@ -589,7 +589,7 @@ int client_init_ssl(struct client *client)
        ssl_iostream_set_sni_callback(client->ssl_iostream,
                                      client_sni_callback, client);
 
-       client->tls = TRUE;
+       client->connection_tls_secured = TRUE;
        client->connection_secured = TRUE;
        client->end_client_tls_secured = TRUE;
 
@@ -636,7 +636,7 @@ static int client_output_starttls(struct client *client)
 
 void client_cmd_starttls(struct client *client)
 {
-       if (client->tls) {
+       if (client->connection_tls_secured) {
                client->v.notify_starttls(client, FALSE, "TLS is already active.");
                return;
        }
@@ -681,7 +681,7 @@ int client_get_plaintext_fd(struct client *client, int *fd_r, bool *close_fd_r)
 {
        int fds[2];
 
-       if (!client->tls) {
+       if (!client->connection_tls_secured) {
                /* Plaintext connection - We can send the fd directly to
                   the post-login process without any proxying. */
                *fd_r = client->fd;
@@ -887,7 +887,7 @@ get_var_expand_table(struct client *client)
                dec2str(client->local_port);
        tab[VAR_EXPAND_ALIAS_INDEX_START + 3].value = tab[10].value =
                dec2str(client->remote_port);
-       if (!client->tls) {
+       if (!client->connection_tls_secured) {
                tab[11].value = client->connection_secured ? "secured" : NULL;
                tab[12].value = "";
        } else if (client->proxied_ssl) {
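Review bot: In get_var_expand_table the `else if (client->proxied_ssl)` test is only reached when `connection_tls_secured` is true, yet the comment this commit adds in client-common.h defines that flag as TLS terminated by Dovecot "(not haproxy)", and client_get_auth_flags in sasl-server.c treats the two flags as alternatives (`connection_tls_secured || proxied_ssl`). Read together, a haproxy-terminated TLS session would take the first branch and report only `secured` with an empty second value, so the proxied branch would run only if both bits are set; whether any path sets both is not visible in these hunks. Either document the intended combination at this spot, e.g. `/* proxied_ssl is only meaningful here when connection_tls_secured is also set */`, or test `client->proxied_ssl` before `!client->connection_tls_secured` so the reported transport state matches what the auth flags say. The function body starts and ends outside the hunk.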
index 57fa89d7fdeeedaea511ffbcfaa5c0ff698ea8ab..d70901110b512b04c934435454c86c91b9306617 100644 (file)
@@ -229,7 +229,9 @@ struct client {
        bool login_success:1;
        bool no_extra_disconnect_reason:1;
        bool starttls:1;
-       bool tls:1;
+       /* Client/proxy connection is using TLS. Dovecot has terminated the
+          TLS connection (not haproxy). */
+       bool connection_tls_secured:1;
        bool proxied_ssl:1;
        /* Connection from the previous hop (client, proxy, haproxy) is
           considered secured. Either because TLS is used, or because the
index cc8c152800359ef0a3087a66b0996a7c06e757fa..86e844eca8c75a81694aede1857302ef87433362 100644 (file)
@@ -106,7 +106,7 @@ client_get_auth_flags(struct client *client)
        if (client->ssl_iostream != NULL &&
            ssl_iostream_has_valid_client_cert(client->ssl_iostream))
                auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT;
-       if (client->tls || client->proxied_ssl)
+       if (client->connection_tls_secured || client->proxied_ssl)
                auth_flags |= AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS;
        if (client->connection_secured)
                auth_flags |= AUTH_REQUEST_FLAG_SECURED;
index 5e577f2cedc14252c340ebbef6ebe2c08eb29b5f..0ba12b36849125083121cf0049aa0f6e46b926d8 100644 (file)
@@ -31,7 +31,8 @@ bool cmd_capa(struct pop3_client *client, const char *args ATTR_UNUSED)
        str_append(str, "+OK\r\n");
        str_append(str, capability_string);
 
-       if (client_is_tls_enabled(&client->common) && !client->common.tls)
+       if (client_is_tls_enabled(&client->common) &&
+           !client->common.connection_tls_secured)
                str_append(str, "STLS\r\n");
        if (client->common.set->auth_allow_cleartext ||
            client->common.connection_secured)
index a5d678828e6133a646ffb0d3bd400cf46a7acbc3..a2f6b9e7fe12fa4335c39f38f290c735ba714f22 100644 (file)
@@ -80,7 +80,8 @@ static void cmd_helo_reply(struct submission_client *subm_client,
                        smtp_server_reply_ehlo_add(reply, "SIZE");
                }
 
-               if (client_is_tls_enabled(client) && !client->tls)
+               if (client_is_tls_enabled(client) &&
+                   !client->connection_tls_secured)
                        smtp_server_reply_ehlo_add(reply, "STARTTLS");
                if (!exotic_backend ||
                    (backend_caps & SMTP_CAPABILITY_PIPELINING) != 0)