Add $tls_in_* variables; note the old names as deprecated.

author: Jeremy Harris <jgh146exb@wizmail.org> 2012-06-04 17:48:52 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2012-06-04 17:48:52 +0100
commit: d9b2312be1c63d0bf94dfaea9c82c6def6b45884 (patch)
tree: 33bb9b03150f838f0415d06645eedd5ec94af590 /src
parent: 9940096804c9f3985ca3bc9d862cefa0daa29c96 (diff)
6 files changed, 88 insertions, 13 deletions
diff --git a/src/src/configure.default b/src/src/configure.default
index 963ec1696..0ccbbe855 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -771,7 +771,7 @@ begin authenticators
 #  server_set_id              = $auth2
 #  server_prompts             = :
 #  server_condition           = Authentication is not yet configured
-#  server_advertise_condition = ${if def:tls_cipher }
+#  server_advertise_condition = ${if def:tls_in_cipher }
 
 # LOGIN authentication has traditional prompts and responses. There is no
 # authorization ID in this mechanism, so unlike PLAIN the username and
@@ -783,7 +783,7 @@ begin authenticators
 #  server_set_id              = $auth1
 #  server_prompts             = <| Username: | Password:
 #  server_condition           = Authentication is not yet configured
-#  server_advertise_condition = ${if def:tls_cipher }
+#  server_advertise_condition = ${if def:tls_in_cipher }
 
 
 ######################################################################
diff --git a/src/src/expand.c b/src/src/expand.c
index 1642c67b7..62e8e5747 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -613,9 +613,18 @@ static var_entry var_table[] = {
 #endif
   { "thisaddress",         vtype_stringptr,   &filter_thisaddress },
 
+  /* The non-(in,out) variables are now deprecated */
   { "tls_bits",            vtype_int,         &tls_in.bits },
   { "tls_certificate_verified", vtype_int,    &tls_in.certificate_verified },
   { "tls_cipher",          vtype_stringptr,   &tls_in.cipher },
+
+  { "tls_in_bits",         vtype_int,         &tls_in.bits },
+  { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
+  { "tls_in_cipher",       vtype_stringptr,   &tls_in.cipher },
+  { "tls_in_peerdn",       vtype_stringptr,   &tls_in.peerdn },
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+  { "tls_in_sni",          vtype_stringptr,   &tls_in.sni },
+#endif
   { "tls_out_bits",        vtype_int,         &tls_out.bits },
   { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
   { "tls_out_cipher",      vtype_stringptr,   &tls_out.cipher },
@@ -623,6 +632,7 @@ static var_entry var_table[] = {
 #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
   { "tls_out_sni",         vtype_stringptr,   &tls_out.sni },
 #endif
+
   { "tls_peerdn",          vtype_stringptr,   &tls_in.peerdn },	/* mind the alphabetical order! */
 #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
   { "tls_sni",             vtype_stringptr,   &tls_in.sni },	/* mind the alphabetical order! */
@@ -1688,6 +1698,31 @@ return NULL;          /* Unknown variable name */
 
 
 
+void
+modify_variable(uschar *name, void * value)
+{
+int first = 0;
+int last = var_table_size;
+
+while (last > first)
+  {
+  int middle = (first + last)/2;
+  int c = Ustrcmp(name, var_table[middle].name);
+
+  if (c > 0) { first = middle + 1; continue; }
+  if (c < 0) { last = middle; continue; }
+
+  /* Found an existing variable; change the item it refers to */
+  var_table[middle].value = value;
+  return;
+  }
+return;          /* Unknown variable name, fail silently */
+}
+
+
+
+
+
 /*************************************************
 *           Read and expand substrings           *
 *************************************************/
diff --git a/src/src/functions.h b/src/src/functions.h
index 02d152ad6..09f7ab95c 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -131,6 +131,7 @@ extern BOOL    expand_check_condition(uschar *, uschar *, uschar *);
 extern uschar *expand_string(uschar *);
 extern uschar *expand_string_copy(uschar *);
 extern int_eximarith_t expand_string_integer(uschar *, BOOL);
+extern void    modify_variable(uschar *, void *);
 
 extern int     filter_interpret(uschar *, int, address_item **, uschar **);
 extern BOOL    filter_personal(string_item *, BOOL);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index f8172e76b..c582af79f 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -649,7 +649,11 @@ if (!state->host)
   {
   if (!state->received_sni)
     {
-    if (state->tls_certificate && Ustrstr(state->tls_certificate, US"tls_sni"))
+    if (state->tls_certificate &&
+        (Ustrstr(state->tls_certificate, US"tls_sni") ||
+         Ustrstr(state->tls_certificate, US"tls_in_sni") ||
+         Ustrstr(state->tls_certificate, US"tls_out_sni")
+       ))
       {
       DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
       state->trigger_sni_changes = TRUE;
@@ -966,7 +970,7 @@ if (rc != OK) return rc;
 /* set SNI in client, only */
 if (host)
   {
-  if (!expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni))
+  if (!expand_check(state->tlsp->sni, "tls_out_sni", &state->exp_tls_sni))
     return DEFER;
   if (state->exp_tls_sni && *state->exp_tls_sni)
     {
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index d5b31e72c..a8a62fe8c 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -543,7 +543,10 @@ uschar *expanded;
 if (cbinfo->certificate == NULL)
   return OK;
 
-if (Ustrstr(cbinfo->certificate, US"tls_sni"))
+if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
+    Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
+    Ustrstr(cbinfo->certificate, US"tls_out_sni")
+   )
   reexpand_tls_files_for_sni = TRUE;
 
 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
diff --git a/src/src/verify.c b/src/src/verify.c
index eaab14dc9..a1b8142a9 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1521,6 +1521,18 @@ addresses, such rewriting fails. */
 
 if (address[0] == 0) return OK;
 
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of a transport used by verification. Reset them
+at exit from this routine. */
+
+modify_variable(US"tls_bits",                 &tls_out.bits);
+modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
+modify_variable(US"tls_cipher",               &tls_out.cipher);
+modify_variable(US"tls_peerdn",               &tls_out.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni",                  &tls_out.sni);
+#endif
+
 /* Save a copy of the sender address for re-instating if we change it to <>
 while verifying a sender address (a nice bit of self-reference there). */
 
@@ -1769,8 +1781,12 @@ while (addr_new != NULL)
       }
     cancel_cutthrough_connection("routing hard fail");
 
-    if (!full_info) return copy_error(vaddr, addr, FAIL);
-      else yield = FAIL;
+    if (!full_info)
+    {
+      yield = copy_error(vaddr, addr, FAIL);
+      goto out;
+    }
+    else yield = FAIL;
     }
 
   /* Soft failure */
@@ -1804,8 +1820,12 @@ while (addr_new != NULL)
       }
     cancel_cutthrough_connection("routing soft fail");
 
-    if (!full_info) return copy_error(vaddr, addr, DEFER);
-      else if (yield == OK) yield = DEFER;
+    if (!full_info)
+      {
+      yield = copy_error(vaddr, addr, DEFER);
+      goto out;
+      }
+    else if (yield == OK) yield = DEFER;
     }
 
   /* If we are handling EXPN, we do not want to continue to route beyond
@@ -1828,7 +1848,8 @@ while (addr_new != NULL)
       if (addr_new == NULL) ok_prefix = US"250 ";
       respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
       }
-    return OK;
+    yield = OK;
+    goto out;
     }
 
   /* Successful routing other than EXPN. */
@@ -1863,7 +1884,8 @@ while (addr_new != NULL)
       of $address_data to be that of the child */
 
       vaddr->p.address_data = addr->p.address_data;
-      return OK;
+      yield = OK;
+      goto out;
       }
     }
   }     /* Loop for generated addresses */
@@ -1880,7 +1902,7 @@ discarded, usually because of the use of :blackhole: in an alias file. */
 if (allok && addr_local == NULL && addr_remote == NULL)
   {
   fprintf(f, "mail to %s is discarded\n", address);
-  return yield;
+  goto out;
   }
 
 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
@@ -1964,9 +1986,19 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
     }
   }
 
-/* Will be DEFER or FAIL if any one address has, only for full_info (which is
+/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
 the -bv or -bt case). */
 
+out:
+
+modify_variable(US"tls_bits",                 &tls_in.bits);
+modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
+modify_variable(US"tls_cipher",               &tls_in.cipher);
+modify_variable(US"tls_peerdn",               &tls_in.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni",                  &tls_in.sni);
+#endif
+
 return yield;
 }
author	Jeremy Harris <jgh146exb@wizmail.org>	2012-06-04 17:48:52 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2012-06-04 17:48:52 +0100
commit	d9b2312be1c63d0bf94dfaea9c82c6def6b45884 (patch)
tree	33bb9b03150f838f0415d06645eedd5ec94af590 /src
parent	9940096804c9f3985ca3bc9d862cefa0daa29c96 (diff)