From: Timo Sirainen Date: Thu, 3 Nov 2022 16:49:18 +0000 (+0200) Subject: login-common: Rename client.secured to connection_secured X-Git-Tag: 2.4.0~3431 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=465a78e67041a28533b5912a605df840db0ab0af;p=thirdparty%2Fdovecot%2Fcore.git login-common: Rename client.secured to connection_secured --- diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c index 615e0f275e..bb736ceec4 100644 --- a/src/imap-login/imap-login-client.c +++ b/src/imap-login/imap-login-client.c @@ -74,7 +74,7 @@ bool client_handle_parser_error(struct imap_client *client, static bool is_login_cmd_disabled(struct client *client) { - if (client->secured) { + if (client->connection_secured) { if (sasl_server_find_available_mech(client, "PLAIN") == NULL) { /* no PLAIN authentication, can't use LOGIN command */ return TRUE; diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c index d8c1ae15a4..761ba17dbd 100644 --- a/src/login-common/client-common-auth.c +++ b/src/login-common/client-common-auth.c @@ -1009,7 +1009,8 @@ client_auth_begin_common(struct client *client, const char *mech_name, enum sasl_server_auth_flags auth_flags, const char *init_resp) { - if (!client->secured && strcmp(client->ssl_set->ssl, "required") == 0) { + if (!client->connection_secured && + strcmp(client->ssl_set->ssl, "required") == 0) { e_info(client->event_auth, "Login failed: " "SSL required for authentication"); client->auth_attempts++; @@ -1059,8 +1060,8 @@ bool client_check_plaintext_auth(struct client *client, bool pass_sent) { bool ssl_required = (strcmp(client->ssl_set->ssl, "required") == 0); - if (client->secured || (client->set->auth_allow_cleartext && - !ssl_required)) + if (client->connection_secured || + (client->set->auth_allow_cleartext && !ssl_required)) return TRUE; e_info(client->event_auth, "Login failed: " diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c index 50c90046c2..e4da3a2153 100644 --- a/src/login-common/client-common.c +++ b/src/login-common/client-common.c @@ -218,12 +218,12 @@ client_alloc(int fd, pool_t pool, if (conn->proxied) { client->proxied_ssl = conn->proxy.ssl; - client->secured = conn->proxy.ssl || client->trusted; + client->connection_secured = conn->proxy.ssl || client->trusted; client->ssl_secured = conn->proxy.ssl; client->local_name = conn->proxy.hostname; client->client_cert_common_name = conn->proxy.cert_common_name; } else { - client->secured = client->trusted || + client->connection_secured = client->trusted || net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip); } client->proxy_ttl = LOGIN_PROXY_TTL; @@ -590,7 +590,7 @@ int client_init_ssl(struct client *client) client_sni_callback, client); client->tls = TRUE; - client->secured = TRUE; + client->connection_secured = TRUE; client->ssl_secured = TRUE; if (client->starttls) { @@ -888,7 +888,7 @@ get_var_expand_table(struct client *client) tab[VAR_EXPAND_ALIAS_INDEX_START + 3].value = tab[10].value = dec2str(client->remote_port); if (!client->tls) { - tab[11].value = client->secured ? "secured" : NULL; + tab[11].value = client->connection_secured ? "secured" : NULL; tab[12].value = ""; } else if (client->proxied_ssl) { tab[11].value = "TLS"; diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h index 689593ca02..62006bf75f 100644 --- a/src/login-common/client-common.h +++ b/src/login-common/client-common.h @@ -231,7 +231,12 @@ struct client { bool starttls:1; bool tls:1; bool proxied_ssl:1; - bool secured:1; + /* Connection from the previous hop (client, proxy, haproxy) is + considered secured. Either because TLS is used, or because the + connection is otherwise considered not to need TLS. Note that this + doesn't necessarily mean that the client connection behind the + previous hop is secured. */ + bool connection_secured:1; bool ssl_secured:1; bool trusted:1; bool ssl_servername_settings_read:1; diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c index a1d30d1172..1d7eb2feca 100644 --- a/src/login-common/sasl-server.c +++ b/src/login-common/sasl-server.c @@ -50,7 +50,7 @@ sasl_server_get_advertised_mechs(struct client *client, unsigned int *count_r) unsigned int i, j, count; mech = auth_client_get_available_mechs(auth_client, &count); - if (count == 0 || (!client->secured && + if (count == 0 || (!client->connection_secured && strcmp(client->ssl_set->ssl, "required") == 0)) { *count_r = 0; return NULL; @@ -68,7 +68,7 @@ sasl_server_get_advertised_mechs(struct client *client, unsigned int *count_r) c) we allow insecure authentication */ if ((fmech.flags & MECH_SEC_PRIVATE) == 0 && - (client->secured || client->set->auth_allow_cleartext || + (client->connection_secured || client->set->auth_allow_cleartext || (fmech.flags & MECH_SEC_PLAINTEXT) == 0)) ret_mech[j++] = fmech; } @@ -108,7 +108,7 @@ client_get_auth_flags(struct client *client) auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT; if (client->tls || client->proxied_ssl) auth_flags |= AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS; - if (client->secured) + if (client->connection_secured) auth_flags |= AUTH_REQUEST_FLAG_SECURED; if (login_binary->sasl_support_final_reply) auth_flags |= AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP; @@ -181,7 +181,7 @@ static int master_send_request(struct anvil_request *anvil_request) if (client->ssl_iostream != NULL && ssl_iostream_get_compression(client->ssl_iostream) != NULL) req.flags |= LOGIN_REQUEST_FLAG_TLS_COMPRESSION; - if (client->secured) + if (client->connection_secured) req.flags |= LOGIN_REQUEST_FLAG_CONN_SECURED; if (client->ssl_secured) req.flags |= LOGIN_REQUEST_FLAG_CONN_SSL_SECURED; @@ -519,7 +519,7 @@ void sasl_server_auth_begin(struct client *client, const char *mech_name, i_assert(!private || (mech->flags & MECH_SEC_PRIVATE) != 0); - if (!client->secured && !client->set->auth_allow_cleartext && + if (!client->connection_secured && !client->set->auth_allow_cleartext && (mech->flags & MECH_SEC_PLAINTEXT) != 0) { client_notify_status(client, TRUE, "cleartext authentication not allowed " diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c index d70c912523..5e577f2ced 100644 --- a/src/pop3-login/client-authenticate.c +++ b/src/pop3-login/client-authenticate.c @@ -34,7 +34,7 @@ bool cmd_capa(struct pop3_client *client, const char *args ATTR_UNUSED) if (client_is_tls_enabled(&client->common) && !client->common.tls) str_append(str, "STLS\r\n"); if (client->common.set->auth_allow_cleartext || - client->common.secured) + client->common.connection_secured) str_append(str, "USER\r\n"); str_append(str, "SASL"); diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c index d8a27bd47f..a5d678828e 100644 --- a/src/submission-login/client-authenticate.c +++ b/src/submission-login/client-authenticate.c @@ -34,7 +34,7 @@ static void cmd_helo_reply(struct submission_client *subm_client, if ((backend_caps & SMTP_CAPABILITY_8BITMIME) != 0) smtp_server_reply_ehlo_add(reply, "8BITMIME"); - if (client->secured || + if (client->connection_secured || strcmp(client->ssl_set->ssl, "required") != 0) { const struct auth_mech_desc *mechs; unsigned int count, i; diff --git a/src/submission-login/client.c b/src/submission-login/client.c index 3bbec15f39..c5843e7608 100644 --- a/src/submission-login/client.c +++ b/src/submission-login/client.c @@ -110,7 +110,7 @@ static void submission_client_create(struct client *client, smtp_set.capabilities |= SMTP_CAPABILITY_STARTTLS; smtp_set.hostname = subm_client->set->hostname; smtp_set.login_greeting = client->set->login_greeting; - smtp_set.tls_required = !client->secured && + smtp_set.tls_required = !client->connection_secured && (strcmp(client->ssl_set->ssl, "required") == 0); smtp_set.xclient_extensions = xclient_extensions; smtp_set.command_limits.max_parameters_size = LOGIN_MAX_INBUF_SIZE;