From: Timo Sirainen
Date: Thu, 22 Dec 2022 10:12:11 +0000 (+0200)
Subject: login-common: Disconnect reason - Check for missing SSL certs before auth attempts
X-Git-Tag: 2.4.0~2908
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d79cb13fd59c9cc01d5e26b006dccb7a0a9668d0;p=thirdparty%2Fdovecot%2Fcore.git

login-common: Disconnect reason - Check for missing SSL certs before auth attempts
---

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 33e42d4370..e962537b96 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -1110,19 +1110,23 @@ const char *client_get_extra_disconnect_reason(struct client *client)
 unsigned int auth_secs = client->auth_first_started == 0 ? 0 :
 ioloop_time - client->auth_first_started;
 
- if (client->set->auth_ssl_require_client_cert &&
- client->ssl_iostream != NULL) {
+ if (!client->notified_auth_ready)
+ return t_strdup_printf(
+ "disconnected before auth was ready, waited %u secs",
+ (unsigned int)(ioloop_time - client->created.tv_sec));
+
+ /* Check for missing client SSL certificates before auth attempts.
+ We may have advertised LOGINDISABLED, which would have prevented
+ client from even attempting to authenticate. */
+ if (client->set->auth_ssl_require_client_cert) {
+ if (client->ssl_iostream == NULL)
+ return "cert required, client didn't start TLS";
 if (ssl_iostream_has_broken_client_cert(client->ssl_iostream))
 return "client sent an invalid cert";
 if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream))
 return "client didn't send a cert";
 }
 
- if (!client->notified_auth_ready)
- return t_strdup_printf(
- "disconnected before auth was ready, waited %u secs",
- (unsigned int)(ioloop_time - client->created.tv_sec));
-
 if (client->auth_attempts == 0) {
 if (!client->banner_sent) {
 /* disconnected by a plugin */
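Review bot: The early return on `notified_auth_ready` now has to stay ahead of the `auth_ssl_require_client_cert` block below it, and the new comment does not record that ordering, so a later reshuffle would silently change which reason gets logged. Presumably `ssl_iostream` can be non-NULL while the TLS handshake is still in progress, in which case `ssl_iostream_has_valid_client_cert()` would yield "client didn't send a cert" for a client that merely disconnected mid-handshake; the auth-ready return is what keeps that case out of the cert branch, assuming auth-ready is only signalled once the handshake has completed (confirm against where `notified_auth_ready` is set). Suggest prefixing the added comment with `/* Must stay after the notified_auth_ready check: until auth is ready the TLS handshake may be incomplete and the cert checks below would be misleading. */`. client_get_extra_disconnect_reason begins before this hunk and continues past it; the second hunk at -1132 belongs to the same function.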
@@ -1132,11 +1136,6 @@ const char *client_get_extra_disconnect_reason(struct client *client)
 (unsigned int)(ioloop_time - client->created.tv_sec));
 }
 
- /* some auth attempts without SSL/TLS */
- if (client->set->auth_ssl_require_client_cert &&
- client->ssl_iostream == NULL)
- return "cert required, client didn't start TLS";
-
 if (client->auth_client_continue_pending && client->auth_attempts == 1) {
 return t_strdup_printf("client didn't finish SASL auth, "
 "waited %u secs", auth_secs);