From: Timo Sirainen
Date: Thu, 3 Nov 2022 16:57:22 +0000 (+0200)
Subject: login-common: Rename client.ssl_secured to end_client_tls_secured
X-Git-Tag: 2.4.0~3429
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ec1183741a8ac0bd0451cb52dc009dc70a6fad2;p=thirdparty%2Fdovecot%2Fcore.git

login-common: Rename client.ssl_secured to end_client_tls_secured

Also note in the comment that this behavior is currently broken on a proxying setup.
---
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 59078b50fc..f795561fa7 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -219,7 +219,7 @@ client_alloc(int fd, pool_t pool,
 if (conn->haproxied) {
 client->proxied_ssl = conn->haproxy.ssl;
 client->connection_secured = conn->haproxy.ssl || client->trusted;
- client->ssl_secured = conn->haproxy.ssl;
+ client->end_client_tls_secured = conn->haproxy.ssl;
 client->local_name = conn->haproxy.hostname;
 client->client_cert_common_name = conn->haproxy.cert_common_name;
 } else {
@@ -591,7 +591,7 @@ int client_init_ssl(struct client *client)
 client->tls = TRUE;
 client->connection_secured = TRUE;
- client->ssl_secured = TRUE;
+ client->end_client_tls_secured = TRUE;
 if (client->starttls) {
 io_remove(&client->io);
diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h
index 62006bf75f..57fa89d7fd 100644
--- a/src/login-common/client-common.h
+++ b/src/login-common/client-common.h
@@ -237,7 +237,12 @@ struct client {
 doesn't necessarily mean that the client connection behind the previous hop is secured. */
 bool connection_secured:1;
- bool ssl_secured:1;
+ /* End client is using TLS connection. The TLS termination may be either
+ on Dovecot side or HAProxy side. FIXME: This is broken on a proxying
+ setup, because it indicates whether the previous hop connection is
+ TLS secured, not whether the original client connection is TLS
+ secured. */
+ bool end_client_tls_secured:1;
 bool trusted:1;
 bool ssl_servername_settings_read:1;
 bool banner_sent:1;
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 1d7eb2feca..cc8c152800 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -183,7 +183,7 @@ static int master_send_request(struct anvil_request *anvil_request)
 req.flags |= LOGIN_REQUEST_FLAG_TLS_COMPRESSION;
 if (client->connection_secured)
 req.flags |= LOGIN_REQUEST_FLAG_CONN_SECURED;
- if (client->ssl_secured)
+ if (client->end_client_tls_secured)
 req.flags |= LOGIN_REQUEST_FLAG_CONN_SSL_SECURED;
 if (HAS_ALL_BITS(client->auth_flags, SASL_SERVER_AUTH_FLAG_IMPLICIT))
 req.flags |= LOGIN_REQUEST_FLAG_IMPLICIT;
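Review bot: The new comment on `end_client_tls_secured` in struct client says the bit is wrong on a proxying setup but not where it ends up, and the sasl-server.c hunk shows master_send_request copying it straight into the login request as `LOGIN_REQUEST_FLAG_CONN_SSL_SECURED`. Both writers visible in this commit set it from per-hop facts (`conn->haproxy.ssl` in client_alloc, `TRUE` after the local handshake in client_init_ssl), so whatever consumes that flag, which is not visible here, receives previous-hop TLS state under a name that now promises end-client TLS. I would add one sentence to the field comment, e.g. `Sent in the login request as LOGIN_REQUEST_FLAG_CONN_SSL_SECURED; until the FIXME is resolved this must not be treated as proof of end-client TLS behind a proxy.`, and a short `/* FIXME: previous hop only on proxying setups, see struct client */` above the `if (client->end_client_tls_secured)` test. The struct body and master_send_request both continue outside their hunks, so an existing note elsewhere cannot be ruled out.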