From d9b2312be1c63d0bf94dfaea9c82c6def6b45884 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 4 Jun 2012 17:48:52 +0100
Subject: Add $tls_in_* variables; note the old names as deprecated.

---
 src/src/configure.default | 4 ++--
 src/src/expand.c | 35 ++++++++++++++++++++++++++++++++++
 src/src/functions.h | 1 +
 src/src/tls-gnu.c | 8 ++++++--
 src/src/tls-openssl.c | 5 ++++-
 src/src/verify.c | 48 +++++++++++++++++++++++++++++++++++++++--------
 6 files changed, 88 insertions(+), 13 deletions(-)
(limited to 'src')

diff --git a/src/src/configure.default b/src/src/configure.default
index 963ec1696..0ccbbe855 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -771,7 +771,7 @@ begin authenticators
 # server_set_id = $auth2
 # server_prompts = :
 # server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
 
 # LOGIN authentication has traditional prompts and responses. There is no
 # authorization ID in this mechanism, so unlike PLAIN the username and
@@ -783,7 +783,7 @@ begin authenticators
 # server_set_id = $auth1
 # server_prompts = <| Username: | Password:
 # server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
 
 
 ######################################################################
diff --git a/src/src/expand.c b/src/src/expand.c
index 1642c67b7..62e8e5747 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -613,9 +613,18 @@ static var_entry var_table[] = {
 #endif
 { "thisaddress", vtype_stringptr, &filter_thisaddress },
+ /* The non-(in,out) variables are now deprecated */
 { "tls_bits", vtype_int, &tls_in.bits },
 { "tls_certificate_verified", vtype_int, &tls_in.certificate_verified },
 { "tls_cipher", vtype_stringptr, &tls_in.cipher },
+
+ { "tls_in_bits", vtype_int, &tls_in.bits },
+ { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
+ { "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
+ { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+ { "tls_in_sni", vtype_stringptr, &tls_in.sni },
+#endif
 { "tls_out_bits", vtype_int, &tls_out.bits },
 { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
 { "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
@@ -623,6 +632,7 @@ static var_entry var_table[] = {
 #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
 { "tls_out_sni", vtype_stringptr, &tls_out.sni },
 #endif
+ { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
 #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
 { "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
@@ -1688,6 +1698,31 @@ return NULL; /* Unknown variable name */
 
 
 
+void
+modify_variable(uschar *name, void * value)
+{
+int first = 0;
+int last = var_table_size;
+
+while (last > first)
+ {
+ int middle = (first + last)/2;
+ int c = Ustrcmp(name, var_table[middle].name);
+
+ if (c > 0) { first = middle + 1; continue; }
+ if (c < 0) { last = middle; continue; }
+
+ /* Found an existing variable; change the item it refers to */
+ var_table[middle].value = value;
+ return;
+ }
+return; /* Unknown variable name, fail silently */
+}
+
+
+
+
+
 /*************************************************
 * Read and expand substrings *
 *************************************************/
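Review bot: modify_variable() in the third hunk re-points a var_table entry with no check that the new object has the type recorded in the entry's vtype, and an unknown name is dropped silently, so a misspelt or #if-excluded name in a caller leaves the legacy variable pointing at the inbound object with nothing to show for it. A trace such as `DEBUG(D_expand) debug_printf("modify_variable: unknown variable \"%s\"\n", name);` before the final return, or a BOOL result the caller can check, would make that visible. The function also has no header comment; one stating that it binary-searches var_table (so the table must stay sorted, as the "mind the alphabetical order!" notes in the earlier hunks already warn) and that value must point at an object matching the entry's vtype would document the contract the verify.c callers rely on. The new tls_in_* and tls_peerdn entries in the first two hunks do keep the sort order.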
diff --git a/src/src/functions.h b/src/src/functions.h
index 02d152ad6..09f7ab95c 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -131,6 +131,7 @@ extern BOOL expand_check_condition(uschar *, uschar *, uschar *);
 extern uschar *expand_string(uschar *);
 extern uschar *expand_string_copy(uschar *);
 extern int_eximarith_t expand_string_integer(uschar *, BOOL);
+extern void modify_variable(uschar *, void *);
 
 extern int filter_interpret(uschar *, int, address_item **, uschar **);
 extern BOOL filter_personal(string_item *, BOOL);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index f8172e76b..c582af79f 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -649,7 +649,11 @@ if (!state->host)
 {
 if (!state->received_sni)
 {
- if (state->tls_certificate && Ustrstr(state->tls_certificate, US"tls_sni"))
+ if (state->tls_certificate &&
+ (Ustrstr(state->tls_certificate, US"tls_sni") ||
+ Ustrstr(state->tls_certificate, US"tls_in_sni") ||
+ Ustrstr(state->tls_certificate, US"tls_out_sni")
+ ))
 {
 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
 state->trigger_sni_changes = TRUE;
@@ -966,7 +970,7 @@ if (rc != OK) return rc;
 /* set SNI in client, only */
 if (host)
 {
- if (!expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni))
+ if (!expand_check(state->tlsp->sni, "tls_out_sni", &state->exp_tls_sni))
 return DEFER;
 if (state->exp_tls_sni && *state->exp_tls_sni)
 {
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index d5b31e72c..a8a62fe8c 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -543,7 +543,10 @@ uschar *expanded;
 if (cbinfo->certificate == NULL) return OK;
-if (Ustrstr(cbinfo->certificate, US"tls_sni"))
+if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
+ Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
+ Ustrstr(cbinfo->certificate, US"tls_out_sni")
+ )
 reexpand_tls_files_for_sni = TRUE;
 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
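Review bot: In the first tls-gnu.c hunk the new tests look for `tls_in_sni` and `tls_out_sni` in the certificate string, but the expand.c hunk above registers those names in var_table only under `!defined(USE_GNUTLS)`, so in the GnuTLS build this file belongs to the names are detected here yet would not expand; presumably the var_table guard is meant to go, but the two places should agree. The same three Ustrstr() tests are repeated verbatim in the tls-openssl.c hunk below; they remain plain substring matches (a comment or a longer name containing the text also triggers re-expansion, as before), and a single helper shared by the two backends would keep the lists from drifting. In the server branch here (`if (!state->host)`) a reference to tls_out_sni cannot change when SNI arrives, so matching it only forces a needless re-expansion — harmless, but worth a comment if intended. The enclosing function starts and ends outside the hunk.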
diff --git a/src/src/verify.c b/src/src/verify.c
index eaab14dc9..a1b8142a9 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1521,6 +1521,18 @@ addresses, such rewriting fails. */
 if (address[0] == 0) return OK;
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of a transport used by verification. Reset them
+at exit from this routine. */
+
+modify_variable(US"tls_bits", &tls_out.bits);
+modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
+modify_variable(US"tls_cipher", &tls_out.cipher);
+modify_variable(US"tls_peerdn", &tls_out.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &tls_out.sni);
+#endif
+
 /* Save a copy of the sender address for re-instating if we change it to <>
 while verifying a sender address (a nice bit of self-reference there). */
@@ -1769,8 +1781,12 @@ while (addr_new != NULL)
 }
 cancel_cutthrough_connection("routing hard fail");
- if (!full_info) return copy_error(vaddr, addr, FAIL);
- else yield = FAIL;
+ if (!full_info)
+ {
+ yield = copy_error(vaddr, addr, FAIL);
+ goto out;
+ }
+ else yield = FAIL;
 }
 /* Soft failure */
@@ -1804,8 +1820,12 @@ while (addr_new != NULL)
 }
 cancel_cutthrough_connection("routing soft fail");
- if (!full_info) return copy_error(vaddr, addr, DEFER);
- else if (yield == OK) yield = DEFER;
+ if (!full_info)
+ {
+ yield = copy_error(vaddr, addr, DEFER);
+ goto out;
+ }
+ else if (yield == OK) yield = DEFER;
 }
 /* If we are handling EXPN, we do not want to continue to route beyond
@@ -1828,7 +1848,8 @@ while (addr_new != NULL)
 if (addr_new == NULL) ok_prefix = US"250 ";
 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
 }
- return OK;
+ yield = OK;
+ goto out;
 }
 
 /* Successful routing other than EXPN. */
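Review bot: After the flip at the top of the first hunk, correctness depends on every exit from the routine between it and the `out:` label being a `goto out`; the later hunks convert the returns they touch, but the several hundred lines in between are not in the diff, and any `return` left there keeps $tls_cipher, $tls_peerdn and the rest pointing at tls_out for the remainder of the process — including later ACL evaluation on the inbound connection that expects the inbound values. Worth a grep for bare `return` in the routine and a comment at the flip: `/* NB: every exit below must be a goto out so the table is restored. */`. It is also not obvious that the routine is safe against re-entry: if one verification can trigger another (a callout whose transport or ACL verifies again), the inner call's restore to tls_in happens while the outer is still in progress — I cannot tell from the hunk whether that can occur. The names flipped here must mirror var_table's #if guards exactly, since modify_variable ignores unknown names silently. The routine starts before the hunk and ends after it.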
@@ -1863,7 +1884,8 @@ while (addr_new != NULL)
 of $address_data to be that of the child */
 vaddr->p.address_data = addr->p.address_data;
- return OK;
+ yield = OK;
+ goto out;
 }
 }
 } /* Loop for generated addresses */
@@ -1880,7 +1902,7 @@ discarded, usually because of the use of :blackhole: in an alias file. */
 if (allok && addr_local == NULL && addr_remote == NULL)
 {
 fprintf(f, "mail to %s is discarded\n", address);
- return yield;
+ goto out;
 }
 
 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
@@ -1964,9 +1986,19 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
 }
 }
-/* Will be DEFER or FAIL if any one address has, only for full_info (which is
+/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
 the -bv or -bt case). */
+out:
+
+modify_variable(US"tls_bits", &tls_in.bits);
+modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
+modify_variable(US"tls_cipher", &tls_in.cipher);
+modify_variable(US"tls_peerdn", &tls_in.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &tls_in.sni);
+#endif
+
 return yield;
 }
--
cgit v1.2.3
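Review bot: The restore block after `out:` in the last hunk repeats the five modify_variable() calls from the entry of the routine name for name, and because modify_variable ignores unknown names, a name added to one list and not the other fails silently; a small static helper taking a pointer to the tls_in/tls_out structure and issuing the five calls, used once at entry and once here, would keep them in step. The label now also sits between the "Yield will be DEFER or FAIL ..." comment and the `return yield;` it describes, so moving that comment below the restore block, next to the return, would keep it attached to what it explains. A one-line comment on the label would help the next editor: `out:  /* every early exit above comes here so the legacy tls_* names point back at tls_in */`. The routine starts before this hunk.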