From 4579f9e8556f4837002ef10b9409bc7857688c25 Mon Sep 17 00:00:00 2001
From: Jacek Masiulaniec
Date: Tue, 19 May 2009 11:42:53 +0000
Subject: - Don't advertise nor accept STARTTLS command when session is secure.
- Make the condition when STARTTLS and AUTH are advertised & accepted more readable.
ok gilles@
---
 usr.sbin/smtpd/smtp_session.c | 28 +++++++++++++++-------------
 usr.sbin/smtpd/smtpd.h | 7 ++++++-
 2 files changed, 21 insertions(+), 14 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 8affe5ebeea..47fc8960164 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.89 2009/05/18 20:23:35 jacekm Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.90 2009/05/19 11:42:52 jacekm Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -111,6 +111,9 @@ struct session_cmd rfc4954_cmdtab[] = {
 int
 session_rfc3207_stls_handler(struct session *s, char *args)
 {
+ if (! ADVERTISE_TLS(s))
+ return 0;
+
 if (s->s_state == S_GREETED) {
 session_respond(s, "503 Polite people say HELO first");
 return 1;
@@ -134,6 +137,9 @@ session_rfc4954_auth_handler(struct session *s, char *args)
 char *method;
 char *eom;
+ if (! ADVERTISE_AUTH(s))
+ return 0;
+
 if (s->s_state == S_GREETED) {
 session_respond(s, "503 Polite people say HELO first");
 return 1;
@@ -323,12 +329,10 @@ session_rfc5321_ehlo_handler(struct session *s, char *args)
 s->s_env->sc_hostname, args, ss_to_text(&s->s_ss));
 session_respond(s, "250-8BITMIME");
- /* only advertise starttls if listener can support it */
- if (s->s_l->flags & F_STARTTLS)
+ if (ADVERTISE_TLS(s))
 session_respond(s, "250-STARTTLS");
- /* only advertise auth if session is secure */
- if ((s->s_l->flags & F_AUTH) && (s->s_flags & F_SECURE))
+ if (ADVERTISE_AUTH(s))
 session_respond(s, "250-AUTH PLAIN LOGIN");
 session_respond(s, "250 HELP");
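Review bot: The new `if (! ADVERTISE_TLS(s)) return 0;` guard at the top of session_rfc3207_stls_handler hands the command back to session_command by returning 0, and nothing at the guard says that a 0 from a table handler means "not offered, let the generic command path reject it"; the same applies to the `if (! ADVERTISE_AUTH(s)) return 0;` guard in session_rfc4954_auth_handler in the next hunk. A comment on both guards, `/* not offered in EHLO (see ADVERTISE_TLS): return 0 so session_command treats it as an unknown command */`, would make the intent and the reply the client ends up seeing visible at the point where the decision is taken. Both handler bodies continue past the end of their hunks, and what session_command does with the 0 return is only inferred from its own hunk further down rather than shown here.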
@@ -532,14 +536,12 @@ session_command(struct session *s, char *cmd, size_t nr)
 }
 /* RFC 4954 - AUTH */
- if ((s->s_l->flags & F_AUTH) && (s->s_flags & F_SECURE)) {
- for (i = 0; i < nitems(rfc4954_cmdtab); ++i)
- if (strcasecmp(rfc4954_cmdtab[i].name, cmd) == 0)
- break;
- if (i < nitems(rfc4954_cmdtab)) {
- if (rfc4954_cmdtab[i].func(s, args))
- return;
- }
+ for (i = 0; i < nitems(rfc4954_cmdtab); ++i)
+ if (strcasecmp(rfc4954_cmdtab[i].name, cmd) == 0)
+ break;
+ if (i < nitems(rfc4954_cmdtab)) {
+ if (rfc4954_cmdtab[i].func(s, args))
+ return;
 }
 rfc5321:
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 6d5d7540009..c2e785db5d5 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.110 2009/05/19 11:37:44 jacekm Exp $ */
+/* $OpenBSD: smtpd.h,v 1.111 2009/05/19 11:42:52 jacekm Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -79,6 +79,11 @@
 #define F_AUTH 0x04
 #define F_SSL (F_SMTPS|F_STARTTLS)
+#define ADVERTISE_TLS(s) \
+ ((s)->s_l->flags & F_STARTTLS && !((s)->s_flags & F_SECURE))
+
+#define ADVERTISE_AUTH(s) \
+ ((s)->s_l->flags & F_AUTH && ((s)->s_flags & F_SECURE))
 struct netaddr {
 struct sockaddr_storage ss;
--
cgit v1.2.3
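Review bot: Dropping the `(s->s_l->flags & F_AUTH) && (s->s_flags & F_SECURE)` gate around the rfc4954_cmdtab lookup moves the only check that keeps AUTH off plaintext sessions out of session_command and into the individual handler, so any entry later added to rfc4954_cmdtab is reachable on an unencrypted session unless its handler also opens with `if (! ADVERTISE_AUTH(s)) return 0;`. A comment on the table definition, `/* every handler here must check ADVERTISE_AUTH(s) first; session_command no longer gates this table on F_SECURE */`, would record that invariant, or the gate could be kept here as `if (ADVERTISE_AUTH(s))` in addition to the per-handler check so it is enforced in one place. The loop variable `i` and `args` are declared outside the hunk.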
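Review bot: In ADVERTISE_TLS and ADVERTISE_AUTH the first operand, `(s)->s_l->flags & F_STARTTLS`, is left unparenthesised against `&&` while the second operand is parenthesised, so the expression relies on `&` binding tighter than `&&` and reads asymmetrically; `(((s)->s_l->flags & F_STARTTLS) && !((s)->s_flags & F_SECURE))` and the matching form for F_AUTH make both halves explicit. The names say "advertise", but the session_command and handler hunks use them to decide whether the command is accepted at all, so a comment above the two macros such as `/* STARTTLS and AUTH are both offered in EHLO and accepted only when these hold: STARTTLS before the session is secure, AUTH only once it is */` would stop a reader from assuming they affect only the EHLO banner. The AUTH condition also means a listener with F_AUTH that never reaches F_SECURE never offers AUTH, which is presumably intended since PLAIN/LOGIN would otherwise carry credentials in the clear.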