[exim-cvs] Fix handling of $tls_cipher et.al. in (non-verify…

Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455
Gitweb: http://git.exim.org/exim.git/commitdiff/35aba663e3f1eab672a8b2082a83194bf3b7a058
Commit:     35aba663e3f1eab672a8b2082a83194bf3b7a058
Parent:     5a66c31b0ec1f4128df4398e18dfe497c2a34de7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Apr 20 16:44:52 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Apr 20 17:04:08 2014 +0100


    Fix handling of $tls_cipher et.al. in (non-verify) transport.  Bug 1455


    The split of these variables into _in and _out sets introduced by d9b231
    in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional
    during a transport and associated client authenticator.


    Fix by repointing the legacy set to the outbound connection set at
    transport startup (and do not clear out the inbound set at this
    time, either).
---
 doc/doc-txt/ChangeLog     |    3 +++
 src/src/functions.h       |    3 ++-
 src/src/tls.c             |   12 ++++++++++++
 src/src/transports/smtp.c |   13 ++++++-------
 src/src/verify.c          |   17 ++---------------
 test/confs/3465           |    4 ++++
 6 files changed, 29 insertions(+), 23 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e41dc3e..56ff713 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
       is a combined value of both the record presence and the result of the
       analysis.


+JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
+
+
Exim version 4.82
-----------------

diff --git a/src/src/functions.h b/src/src/functions.h
index 0bd3d72..be71345 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,7 +45,7 @@ extern void    tls_version_report(FILE *);
 #ifndef USE_GNUTLS
 extern BOOL    tls_openssl_options_parse(uschar *, long *);
 #endif
-#endif
+#endif    /*SUPPORT_TLS*/



 /* Everything else... */
@@ -374,6 +374,7 @@ extern int     strncmpic(const uschar *, const uschar *, int);
 extern uschar *strstric(uschar *, uschar *, BOOL);


 extern uschar *tod_stamp(int);
+extern void    tls_modify_variables(tls_support *);
 extern BOOL    transport_check_waiting(uschar *, uschar *, int, uschar *,
                  BOOL *);
 extern void    transport_init(void);
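Review bot: The new `tls_modify_variables` prototype is slotted after `tod_stamp`, which breaks the alphabetical order of the "Everything else" list (`tls_` sorts before `tod_`), and nothing records why it sits outside the `SUPPORT_TLS` block a few lines above. The placement is deliberate and correct, since tls.c defines the function after `#endif /* SUPPORT_TLS */` and smtp.c calls it unconditionally, so a later reader could otherwise "tidy" it into the guarded block and break non-TLS builds. Suggest moving it above `tod_stamp` and annotating it: `extern void    tls_modify_variables(tls_support *);  /* built with and without SUPPORT_TLS */`.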
diff --git a/src/src/tls.c b/src/src/tls.c
index 0625c48..9727852 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;


#endif /* SUPPORT_TLS */

+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits",                 &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher",               &dest_tsp->cipher);
+modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni",                  &dest_tsp->sni);
+#endif
+}
+
 /* End of tls.c */
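Review bot: `tls_modify_variables` has no header comment, unlike the rest of the file, and its contract is not self-evident: it rebinds the legacy `$tls_*` expansion variables to whichever `tls_support` set is passed and offers no inverse, so the caller owns the restore (verify.c does one, smtp.c does not). Because `tls_certificate_verified` is among the rebound names, any policy expansion evaluated while the alias is in effect reports the peer status of that set rather than the inbound connection's, which is the intended fix here but worth stating where the function is defined. Suggest above the definition: `/* Point the legacy $tls_bits, $tls_certificate_verified, $tls_cipher, $tls_peerdn (and $tls_sni where built) at the given set, tls_in or tls_out. There is no automatic restore; call again with &tls_in if the inbound view is needed afterwards. */`. The definition follows `#endif /* SUPPORT_TLS */` and so compiles in non-TLS builds, which presumably relies on `tls_support` and the fields used being declared unconditionally — worth confirming.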
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 16e5c02..0aa95a4 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE;


/* Reset the parameters of a TLS session. */

-tls_in.bits = 0;
-tls_in.cipher = NULL;    /* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
 tls_out.bits = 0;
 tls_out.cipher = NULL;    /* the one we may use for this transport */
 tls_out.peerdn = NULL;
@@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL;
 tls_out.sni = NULL;
 #endif


+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport. Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
+
#ifndef SUPPORT_TLS
if (smtps)
{
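Review bot: The new comment's "Don't bother resetting afterward as we're in a subprocess" states an assumption the code does not enforce: verify.c pairs the same `tls_modify_variables(&tls_out)` with `tls_modify_variables(&tls_in)` at its `out:` label, while this site leaves the legacy variables, `$tls_certificate_verified` included, aliased to `tls_out` for the remainder of the process. If the enclosing transport function, which starts and ends outside the hunk, were ever reached other than in a forked per-delivery process, later inbound-side expansions would read outbound TLS state. Either restore on exit as verify.c does, or make the dependency explicit in the comment, e.g. `/* ... Relies on this routine running only in a per-delivery subprocess; if that ever changes, restore with tls_modify_variables(&tls_in). */`.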
diff --git a/src/src/verify.c b/src/src/verify.c
index 8cc67f1..690bb8f 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK;
they're used in the context of a transport used by verification. Reset them
at exit from this routine. */

-modify_variable(US"tls_bits",                 &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher",               &tls_out.cipher);
-modify_variable(US"tls_peerdn",               &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni",                  &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);


/* Save a copy of the sender address for re-instating if we change it to <>
while verifying a sender address (a nice bit of self-reference there). */
@@ -2041,14 +2035,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
the -bv or -bt case). */

 out:
-
-modify_variable(US"tls_bits",                 &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher",               &tls_in.cipher);
-modify_variable(US"tls_peerdn",               &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni",                  &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);


return yield;
}
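Review bot: The `tls_modify_variables(&tls_in)` at `out:` is the only thing that returns the legacy `$tls_*` variables to the inbound set after the `tls_modify_variables(&tls_out)` call near the top of the routine, so every exit between the two must pass through the label; that body lies outside both hunks and cannot be checked here. Now that the two sites are single, near-identical calls, a one-line comment at the label would protect the pairing against a future early `return`: `/* Undo the tls_modify_variables(&tls_out) done at routine entry */`.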
diff --git a/test/confs/3465 b/test/confs/3465
index 161fff5..83592a6 100644
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -70,5 +70,9 @@ t1:
hosts_require_auth = *
allow_localhost

+ # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
+ headers_add = X-tls-cipher: <$tls_cipher>
+ headers_add = X-tls-out-cipher: <$tls_out_cipher>
+

# End