From 78e53793b98a2f3c807226cf43aef013b56e36a6 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Thu, 3 Nov 2022 19:08:10 +0200
Subject: [PATCH] login-common: Rename client.tls to connection_tls_secured
---
 src/imap-login/imap-login-client.c | 2 +-
 src/login-common/client-common.c | 8 ++++----
 src/login-common/client-common.h | 4 +++-
 src/login-common/sasl-server.c | 2 +-
 src/pop3-login/client-authenticate.c | 3 ++-
 src/submission-login/client-authenticate.c | 3 ++-
 6 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index bb736ceec4..a6aba6b431 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -112,7 +112,7 @@ static const char *get_capability(struct client *client)
 str_append(cap_str, " LITERAL+");
 }
- if (client_is_tls_enabled(client) && !client->tls)
+ if (client_is_tls_enabled(client) && !client->connection_tls_secured)
 str_append(cap_str, " STARTTLS");
 if (is_login_cmd_disabled(client))
 str_append(cap_str, " LOGINDISABLED");
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index f795561fa7..eaa46bdb8a 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -589,7 +589,7 @@ int client_init_ssl(struct client *client)
 ssl_iostream_set_sni_callback(client->ssl_iostream,
 client_sni_callback, client);
- client->tls = TRUE;
+ client->connection_tls_secured = TRUE;
 client->connection_secured = TRUE;
 client->end_client_tls_secured = TRUE;
@@ -636,7 +636,7 @@ static int client_output_starttls(struct client *client)
 void client_cmd_starttls(struct client *client)
 {
- if (client->tls) {
+ if (client->connection_tls_secured) {
 client->v.notify_starttls(client, FALSE,
 "TLS is already active.");
 return;
 }
@@ -681,7 +681,7 @@ int client_get_plaintext_fd(struct client *client, int *fd_r, bool *close_fd_r)
 {
 int fds[2];
- if (!client->tls) {
+ if (!client->connection_tls_secured) {
 /* Plaintext connection - We can send the fd directly to the
 post-login process without any proxying. */
 *fd_r = client->fd;
@@ -887,7 +887,7 @@ get_var_expand_table(struct client *client)
 dec2str(client->local_port);
 tab[VAR_EXPAND_ALIAS_INDEX_START + 3].value = tab[10].value =
 dec2str(client->remote_port);
- if (!client->tls) {
+ if (!client->connection_tls_secured) {
 tab[11].value = client->connection_secured ? "secured" : NULL;
 tab[12].value = "";
 } else if (client->proxied_ssl) {
diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h
index 57fa89d7fd..d70901110b 100644
--- a/src/login-common/client-common.h
+++ b/src/login-common/client-common.h
@@ -229,7 +229,9 @@ struct client {
 bool login_success:1;
 bool no_extra_disconnect_reason:1;
 bool starttls:1;
- bool tls:1;
+ /* Client/proxy connection is using TLS. Dovecot has terminated the
+ TLS connection (not haproxy). */
+ bool connection_tls_secured:1;
 bool proxied_ssl:1;
 /* Connection from the previous hop (client, proxy, haproxy) is
 considered secured. Either because TLS is used, or because the
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index cc8c152800..86e844eca8 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -106,7 +106,7 @@ client_get_auth_flags(struct client *client)
 if (client->ssl_iostream != NULL &&
 ssl_iostream_has_valid_client_cert(client->ssl_iostream))
 auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT;
- if (client->tls || client->proxied_ssl)
+ if (client->connection_tls_secured || client->proxied_ssl)
 auth_flags |= AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS;
 if (client->connection_secured)
 auth_flags |= AUTH_REQUEST_FLAG_SECURED;
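Review bot: The new comment on `connection_tls_secured` in the struct client hunk of client-common.h does not say how the flag relates to the neighbouring flags, which is what a reader checking an authorization decision would want to know. In this same patch client_init_ssl sets it together with `connection_secured` and `end_client_tls_secured`, and client_get_auth_flags in sasl-server.c treats `proxied_ssl` as the separate case that also grants AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS. A one-line addition to the comment such as `Set together with connection_secured; TLS terminated by an earlier proxy hop is tracked by proxied_ssl instead.` would make that distinction explicit at the declaration. The struct client definition begins and ends outside the hunk.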
diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index 5e577f2ced..0ba12b3684 100644
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
@@ -31,7 +31,8 @@ bool cmd_capa(struct pop3_client *client, const char *args ATTR_UNUSED)
 str_append(str, "+OK\r\n");
 str_append(str, capability_string);
- if (client_is_tls_enabled(&client->common) && !client->common.tls)
+ if (client_is_tls_enabled(&client->common) &&
+ !client->common.connection_tls_secured)
 str_append(str, "STLS\r\n");
 if (client->common.set->auth_allow_cleartext ||
 client->common.connection_secured)
diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c
index a5d678828e..a2f6b9e7fe 100644
--- a/src/submission-login/client-authenticate.c
+++ b/src/submission-login/client-authenticate.c
@@ -80,7 +80,8 @@ static void cmd_helo_reply(struct submission_client *subm_client,
 smtp_server_reply_ehlo_add(reply, "SIZE");
 }
- if (client_is_tls_enabled(client) && !client->tls)
+ if (client_is_tls_enabled(client) &&
+ !client->connection_tls_secured)
 smtp_server_reply_ehlo_add(reply, "STARTTLS");
 if (!exotic_backend ||
 (backend_caps & SMTP_CAPABILITY_PIPELINING) != 0)
-- 
2.47.3