authorJeremy Harris <jgh146exb@wizmail.org>2014-04-20 16:44:52 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-04-20 17:04:08 +0100
commit35aba663e3f1eab672a8b2082a83194bf3b7a058 (patch)
tree67e3f8907bc058f721b7ec5956fce57714776b58
parent5a66c31b0ec1f4128df4398e18dfe497c2a34de7 (diff)
Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455
The split of these variables into _in and _out sets, introduced by d9b231 in 4.82, was incomplete: it left the deprecated legacy variables nonfunctional during a transport and its associated client authenticator. Fix by repointing the legacy set at the outbound connection set when the transport starts up (and no longer clearing the inbound set at that point, either).
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/functions.h3
-rw-r--r--src/src/tls.c12
-rw-r--r--src/src/transports/smtp.c13
-rw-r--r--src/src/verify.c17
-rw-r--r--test/confs/34654
6 files changed, 29 insertions, 23 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e41dc3e02..56ff713cb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
is a combined value of both the record presence and the result of the
analysis.
+JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
+
+
Exim version 4.82
-----------------
diff --git a/src/src/functions.h b/src/src/functions.h
index 0bd3d7267..be71345a1 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,7 +45,7 @@ extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
extern BOOL tls_openssl_options_parse(uschar *, long *);
#endif
-#endif
+#endif /*SUPPORT_TLS*/
/* Everything else... */
@@ -374,6 +374,7 @@ extern int strncmpic(const uschar *, const uschar *, int);
extern uschar *strstric(uschar *, uschar *, BOOL);
extern uschar *tod_stamp(int);
+extern void tls_modify_variables(tls_support *);
extern BOOL transport_check_waiting(uschar *, uschar *, int, uschar *,
BOOL *);
extern void transport_init(void);
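Review bot: The new `extern void tls_modify_variables(tls_support *);` line breaks the alphabetical order of this declaration list: `tls_` sorts before `tod_`, so it belongs above `extern uschar *tod_stamp(int);` rather than between tod_stamp and transport_check_waiting. Placing it in the "Everything else" section instead of the `#ifdef SUPPORT_TLS` block at the top of this header is consistent with the definition in tls.c sitting after that file's `#endif /* SUPPORT_TLS */`, which is what lets smtp.c and verify.c call it in non-TLS builds; a short comment saying so, `/* Defined outside SUPPORT_TLS: callers use it in all builds */`, would stop someone "tidying" it into the TLS-only block later.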
diff --git a/src/src/tls.c b/src/src/tls.c
index 0625c48b8..972785284 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
#endif /* SUPPORT_TLS */
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits", &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher", &dest_tsp->cipher);
+modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &dest_tsp->sni);
+#endif
+}
+
/* End of tls.c */
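Review bot: The new `tls_modify_variables()` carries no header comment, unlike the rest of this file. Add one stating that it repoints the legacy `$tls_bits`, `$tls_certificate_verified`, `$tls_cipher`, `$tls_peerdn` (and `$tls_sni` where that member exists) expansion variables at the fields of `dest_tsp`, that `dest_tsp` must therefore outlive the repointing (the callers pass only `&tls_in` or `&tls_out`), and that switching back is the caller's responsibility — verify.c restores `&tls_in` on exit, smtp.c deliberately does not. The `#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)` guard around the sni line mirrors the code removed from verify.c; I cannot see the `tls_support` definition here, so the comment should say whether that guard is because the `sni` member is absent in other configurations or merely unused, so the next reader does not have to guess.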
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 16e5c022f..0aa95a448 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE;
/* Reset the parameters of a TLS session. */
-tls_in.bits = 0;
-tls_in.cipher = NULL; /* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
tls_out.bits = 0;
tls_out.cipher = NULL; /* the one we may use for this transport */
tls_out.peerdn = NULL;
@@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL;
tls_out.sni = NULL;
#endif
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport. Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
+
#ifndef SUPPORT_TLS
if (smtps)
{
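Review bot: The comment added above `tls_modify_variables(&tls_out);` justifies never restoring the legacy variables with "we're in a subprocess", but nothing in this hunk establishes that, and verify.c, which performs the same repointing, does restore `&tls_in` at its `out:` label. If the function this sits in (its start is outside the hunk) can ever run in a process that later evaluates inbound-side ACL or expansion conditions, `$tls_cipher` et al. would silently report the outbound connection's values, so a condition meant to check the incoming session's TLS state would be judged against the wrong session. Either make the invariant explicit, e.g. `/* Safe only because this transport runs in a per-delivery subprocess that never handles inbound SMTP afterwards. */`, or restore with `tls_modify_variables(&tls_in);` on the function's exit paths as verify.c does. Dropping the `tls_in` reset that previously preceded this is what the commit intends and is not re-raised here.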
diff --git a/src/src/verify.c b/src/src/verify.c
index 8cc67f1b1..690bb8f01 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK;
they're used in the context of a transport used by verification. Reset them
at exit from this routine. */
-modify_variable(US"tls_bits", &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher", &tls_out.cipher);
-modify_variable(US"tls_peerdn", &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);
/* Save a copy of the sender address for re-instating if we change it to <>
while verifying a sender address (a nice bit of self-reference there). */
@@ -2041,14 +2035,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
the -bv or -bt case). */
out:
-
-modify_variable(US"tls_bits", &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher", &tls_in.cipher);
-modify_variable(US"tls_peerdn", &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);
return yield;
}
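Review bot: The restore `tls_modify_variables(&tls_in);` at `out:` in the second hunk only runs for paths that reach the label, while the repointing in the first hunk happens immediately after `if (address[0] == 0) return OK;`; the body between the two hunks is outside this view, so any plain `return` in it would leave the legacy variables bound to `tls_out` for the remainder of whatever process runs the verification. The refactor to the shared helper preserves the previous behaviour exactly, so this is a pre-existing hazard rather than one the commit introduces, but since the helper now makes the two sites easy to spot it is worth a grep for early returns between them. A one-line comment at the first site, `/* From here on every exit must go via the out: label so the legacy variables are restored. */`, would document the contract.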
diff --git a/test/confs/3465 b/test/confs/3465
index 161fff526..83592a678 100644
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -70,5 +70,9 @@ t1:
hosts_require_auth = *
allow_localhost
+ # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
+ headers_add = X-tls-cipher: <$tls_cipher>
+ headers_add = X-tls-out-cipher: <$tls_out_cipher>
+
# End