From 250f0ed84ac892ea85654790cb83331dcbd8d44f Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Sun, 26 Nov 2006 10:11:39 +0000
Subject: First step towards really fixing TLS vuln, CVE-2006-5867, still
 incomplete.

svn path=/branches/BRANCH_6-3/; revision=4962
---
 tls.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 tls.c

(limited to 'tls.c')

diff --git a/tls.c b/tls.c
new file mode 100644
index 00000000..2a1fee3e
--- /dev/null
+++ b/tls.c
@@ -0,0 +1,33 @@
+/** \file tls.c - collect common TLS functionality 
+ * \author Matthias Andree
+ * \year 2006
+ */
+
+#include "fetchmail.h"
+
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+
+/** return true if user allowed TLS */
+int maybe_tls(struct query *ctl) {
+#ifdef SSL_ENABLE
+         /* opportunistic  or forced TLS */
+    return (!ctl->sslproto || !strcasecmp(ctl->sslproto,"tls1"))
+	&& !ctl->use_ssl;
+#else
+    return 0;
+#endif
+}
+
+/** return true if user requires TLS, note though that this code must
+ * always use a logical AND with maybe_tls(). */
+int must_tls(struct query *ctl) {
+#ifdef SSL_ENABLE
+    return maybe_tls(ctl)
+	&& (ctl->sslfingerprint || ctl->sslcertck
+		|| (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
+#else
+    return 0;
+#endif
+}
-- 
cgit v1.2.3