authorMatthias Andree <matthias.andree@gmx.de>2011-05-26 01:47:41 +0200
committerMatthias Andree <matthias.andree@gmx.de>2011-05-26 02:00:30 +0200
commit1e13bb35731999c4668883acd404ede047793e1e (patch)
treea881c8f44417ca86c36424a15fbdd6faaa734da9 /pop3.c
parentf285f5ee95765133b41d6ecae0f397b3b72fa6d4 (diff)
Run S(TART)TLS negotiation under timeout alarm.
Reported missing by Thomas Jarosch.
Diffstat (limited to 'pop3.c')
-rw-r--r--pop3.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/pop3.c b/pop3.c
index 3def391b..9cf84944 100644
--- a/pop3.c
+++ b/pop3.c
@@ -448,9 +448,9 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
* whether TLS is mandatory or opportunistic unless SSLOpen() fails
* (see below). */
if (gen_transact(sock, "STLS") == PS_SUCCESS
- && SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
- ctl->server.pollname, &ctl->remotename) != -1)
+ ctl->server.pollname, &ctl->remotename)) != -1)
{
/*
* RFC 2595 says this:
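Review bot: The alarm is armed inside a comma expression in the `if` condition and then disarmed by a separate `set_timeout(0)` in each of the three branches (the hunks at -465, -477 and -485), so a branch added later that forgets the call would leave the timer running into unrelated I/O. Arming and disarming around the SSLOpen() call in one place, with the result kept in a new local (`tls_up` below, to be declared with the function's other locals), keeps the pairing visible and makes the three later `set_timeout(0)` lines unnecessary. What happens to a half-negotiated session when the alarm does fire depends on the timeout handler, which is not visible in this diff and should be checked. pop3_getauth starts and ends outside the hunk.

```c
/* … unchanged: comment on mandatory vs. opportunistic TLS … */
tls_up = FALSE;
if (gen_transact(sock, "STLS") == PS_SUCCESS) {
    /* Bound the handshake so a stalled peer cannot hang the poll. */
    set_timeout(mytimeout);
    tls_up = SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
	    ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
	    ctl->server.pollname, &ctl->remotename) != -1;
    set_timeout(0);	/* single disarm point for every outcome */
}
if (tls_up)
{
    /* … unchanged: RFC 2595 comment, capability re-probe … */
```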
@@ -465,6 +465,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
* Now that we're confident in our TLS connection we can
* guarantee a secure capability re-probe.
*/
+ set_timeout(0);
done_capa = FALSE;
ok = capa_probe(sock);
if (ok != PS_SUCCESS) {
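Review bot: The new `set_timeout(0);` lands between the "secure capability re-probe" comment and the `done_capa = FALSE;` / `capa_probe(sock)` lines that the comment describes, so the comment now reads as if it explained the disarm. Moving the call above the comment, or giving it its own remark such as `set_timeout(0); /* handshake finished: cancel the STLS alarm */`, keeps both intentions readable. The enclosing block starts and ends outside the hunk.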
@@ -477,6 +478,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
} else if (must_tls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
+ set_timeout(0);
report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
return PS_SOCKET;
} else {
@@ -485,6 +487,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
* allowed til post-authentication), so leave it in an unknown
* state, mark it as such, and check more carefully if things
* go wrong when we try to authenticate. */
+ set_timeout(0);
connection_may_have_tls_errors = TRUE;
if (outlevel >= O_VERBOSE)
{