X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/25967c79a7c6f91ccdaa982a6c3e0d9c12f90412..ef0725fd97369e801a56febfdb7a6ec2eaff73c8:/uip/popsbr.c
diff --git a/uip/popsbr.c b/uip/popsbr.c
index 9ccf6dcc..d61ce767 100644
--- a/uip/popsbr.c
+++ b/uip/popsbr.c
@@ -80,6 +80,58 @@ check_mech(char *server_mechs, size_t server_mechs_size)
 return OK;
 }
+/*
+ * If capable, issue the STLS command and start the TLS negotiation
+ */
+
+static int
+pop_start_tls(void)
+{
+ int status;
+ bool stls = false;
+ char *errstr;
+
+ /*
+ * Issue the CAPA command and see if we have the STLS capability
+ */
+
+ if (command("CAPA") == NOTOK) {
+ snprintf(response, sizeof(response),
+ "The POP CAPA command failed; POP server does not "
+ "support STLS");
+ return NOTOK;
+ }
+
+ while ((status = multiline()) != DONE) {
+ if (status == NOTOK)
+ return NOTOK;
+
+ if (strcasecmp(response, "STLS") == 0)
+ stls = true;
+ }
+
+ if (!stls) {
+ snprintf(response, sizeof(response), "POP server does not support "
+ "STLS");
+ return NOTOK;
+ }
+
+ /*
+ * Issue STLS and then start the actual TLS negotiation
+ */
+
+ if (command("STLS") == NOTOK)
+ return NOTOK;
+
+ if (netsec_negotiate_tls(nsc, &errstr) != OK) {
+ snprintf(response, sizeof(response), "%s", errstr);
+ free(errstr);
+ return NOTOK;
+ }
+
+ return OK;
+}
+
 /*
 * Split string containing proxy command into an array of arguments
 * suitable for passing to exec. Returned array must be freed. Shouldn't
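Review bot: Nothing in pop_start_tls() shows that cleartext bytes already read past the server's reply to STLS are discarded before `netsec_negotiate_tls(nsc, &errstr)` runs; if the netsec layer keeps them in its input buffer, data received on the unencrypted connection could later be read as if it had arrived inside the TLS session. Whether netsec_negotiate_tls() already clears or rejects pending input cannot be seen from this hunk, so it should be confirmed and recorded above the call, for example `/* the netsec input buffer must be empty here: anything still buffered was received in cleartext */`. The CAPA listing is unauthenticated as well, but the function returns NOTOK when STLS is absent, so a stripped capability fails closed; the header comment should say that this is deliberate. A smaller point is that the `command("CAPA") == NOTOK` branch overwrites `response` and so hides the server's own error text.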
@@ -211,17 +263,19 @@ pop_init (char *host, char *port, char *user, char *proxy, int snoop,
 netsec_set_fd(nsc, fd1, fd2);
 netsec_set_snoop(nsc, snoop);
- if (tls & P_INITTLS) {
+ if (tls & P_TLSENABLEMASK) {
 if (netsec_set_tls(nsc, 1, tls & P_NOVERIFY, &errstr) != OK) {
 snprintf(response, sizeof(response), "%s", errstr);
 free(errstr);
 return NOTOK;
 }
- if (netsec_negotiate_tls(nsc, &errstr) != OK) {
- snprintf(response, sizeof(response), "%s", errstr);
- free(errstr);
- return NOTOK;
+ if (tls & P_INITTLS) {
+ if (netsec_negotiate_tls(nsc, &errstr) != OK) {
+ snprintf(response, sizeof(response), "%s", errstr);
+ free(errstr);
+ return NOTOK;
+ }
 }
 }
@@ -241,6 +295,10 @@ pop_init (char *host, char *port, char *user, char *proxy, int snoop,
 if (*response == '+') {
 nmh_creds_t creds;
+ if (tls & P_STARTTLS)
+ if (pop_start_tls() != OK)
+ return NOTOK;
+
 if (sasl) {
 char server_mechs[256];
 if (check_mech(server_mechs, sizeof(server_mechs)) != OK)
@@ -396,7 +454,7 @@ pop_sasl_callback(enum sasl_message_type mtype, unsigned const char *indata,
 *outdata = NULL;
 *outdatalen = 0;
 } else {
- rc = decodeBase64(line + 2, outdata, &len, 0, NULL);
+ rc = decodeBase64(line + 2, outdata, &len, 0);
 *outdatalen = len;
 if (rc != OK) {
 netsec_err(errstr, "Unable to decode base64 response");
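Review bot: With the outer test widened to `P_TLSENABLEMASK`, nothing visible in this hunk rejects a `tls` value that has both `P_INITTLS` and `P_STARTTLS` set; in that case the handshake would run here and the later `if (tls & P_STARTTLS)` block (next hunk) would send STLS and negotiate a second time on the same connection. The flag definitions and the callers are outside this diff, so this may already be prevented elsewhere; if it is not, an early guard such as `if ((tls & P_INITTLS) && (tls & P_STARTTLS)) return NOTOK;`, with `response` set to an explanatory message, would make the contract explicit. A one-line comment on the outer `if` saying that `netsec_set_tls()` only configures TLS, including the `P_NOVERIFY` choice, and that the handshake happens either here or after STLS would also help the next reader. pop_init's body starts and ends outside the hunk.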
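Review bot: The two stacked `if` statements without braces at `if (tls & P_STARTTLS)` are easy to misread and invite a dangling-else mistake if an `else` is added later; `if ((tls & P_STARTTLS) && pop_start_tls() != OK) return NOTOK;` expresses the same thing in one condition. A short comment that the upgrade has to happen before the `check_mech()` call and any credential exchange, so that everything after the greeting travels inside TLS, would record why the block sits at this point. pop_init's body continues outside the hunk.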