login-common: Check that ssl=required is not used with auth_allow_cleartext=yes

author Aki Tuomi <aki.tuomi@open-xchange.com>

Thu, 20 Oct 2022 11:02:09 +0000 (14:02 +0300)

committer aki.tuomi <aki.tuomi@open-xchange.com>

Wed, 16 Nov 2022 08:09:54 +0000 (08:09 +0000)
author Aki Tuomi <aki.tuomi@open-xchange.com>
Thu, 20 Oct 2022 11:02:09 +0000 (14:02 +0300)
committer aki.tuomi <aki.tuomi@open-xchange.com>
Wed, 16 Nov 2022 08:09:54 +0000 (08:09 +0000)
diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c

index 285cf3f195157e030de2d8451801e4d6d037384f..6e003b74b1eb2ff4b44fd4da493b321e6c0cdac3 100644 (file)
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -1060,8 +1060,10 @@ bool client_check_plaintext_auth(struct client *client, bool pass_sent)
  {
         bool ssl_required = (strcmp(client->ssl_set->ssl, "required") == 0);
  
-       if (client->connection_secured ||
-           (client->set->auth_allow_cleartext && !ssl_required))
+       i_assert(!ssl_required || !client->set->auth_allow_cleartext);
+
+       if (client->set->auth_allow_cleartext ||
+           client->connection_secured)
                 return TRUE;
  
         e_info(client->event_auth, "Login failed: "
diff --git a/src/login-common/login-settings.c b/src/login-common/login-settings.c

index cd5bea4dd1258ec25ff94e5a30349ac72f78e9d8..b24f32c3f2458615decfd91075d3a52e58d41ba6 100644 (file)
--- a/src/login-common/login-settings.c
+++ b/src/login-common/login-settings.c
@@ -42,6 +42,8 @@ static const struct setting_define login_setting_defines[] = {
         DEF(BOOL, auth_debug),
         DEF(BOOL, verbose_proctitle),
  
+       DEF(ENUM, ssl),
+
         DEF(UINT, mail_max_userip_connections),
  
         SETTING_DEFINE_LIST_END
@@ -70,6 +72,8 @@ static const struct login_settings login_default_settings = {
         .auth_debug = FALSE,
         .verbose_proctitle = FALSE,
  
+       .ssl = "yes:no:required",
+
         .mail_max_userip_connections = 10
  };
  
@@ -97,13 +101,18 @@ static struct master_service_settings_cache *set_cache;
  
  /* <settings checks> */
  static bool login_settings_check(void *_set, pool_t pool,
-                                const char **error_r ATTR_UNUSED)
+                                const char **error_r)
  {
         struct login_settings *set = _set;
  
         set->log_format_elements_split =
                 p_strsplit(pool, set->login_log_format_elements, " ");
  
+       if (strcmp(set->ssl, "required") == 0 && set->auth_allow_cleartext) {
+               *error_r = "auth_allow_cleartext=yes has no effect with ssl=required";
+               return FALSE;
+       }
+
         return TRUE;
  }
  /* </settings checks> */
diff --git a/src/login-common/login-settings.h b/src/login-common/login-settings.h

index 027065ead978fcc41ba036c3c69d0c2779dc4d7c..66711411b255ff82a1ae09049fff0aa4cc946635 100644 (file)
--- a/src/login-common/login-settings.h
+++ b/src/login-common/login-settings.h
@@ -18,6 +18,7 @@ struct login_settings {
         unsigned int login_proxy_max_disconnect_delay;
         const char *login_proxy_rawlog_dir;
         const char *login_auth_socket_path;
+       const char *ssl; /* for settings check */
  
         bool auth_ssl_require_client_cert;
         bool auth_ssl_username_from_cert;
author	Aki Tuomi <aki.tuomi@open-xchange.com>
	Thu, 20 Oct 2022 11:02:09 +0000 (14:02 +0300)
committer	aki.tuomi <aki.tuomi@open-xchange.com>
	Wed, 16 Nov 2022 08:09:54 +0000 (08:09 +0000)
src/login-common/client-common-auth.c		patch \| blob \| blame \| history
src/login-common/login-settings.c		patch \| blob \| blame \| history
src/login-common/login-settings.h		patch \| blob \| blame \| history