Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455

The split of these variables into _in and _out sets introduced by d9b231
in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional
during a transport and associated client authenticator.

Fix by repointing the legacy set to the outbound connection set at
transport startup (and do not clear out the inbound set at this
time, either).

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e41dc3e02d7a3fdc4306f23b4e6ee5d698c169e8..56ff713cb9ed5480be0698cf3dd23f3f87a73593 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
       is a combined value of both the record presence and the result of the
       analysis.
 
+JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport.  Bug 1455.
+
+
 Exim version 4.82
 -----------------
 

diff --git a/src/src/functions.h b/src/src/functions.h
index 0bd3d72670bba656a5f42ab6fdf64e7c239351cf..be71345a10357bbcbffb75a8b6a5c89e3c5857e6 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,7 +45,7 @@ extern void    tls_version_report(FILE *);
 #ifndef USE_GNUTLS
 extern BOOL    tls_openssl_options_parse(uschar *, long *);
 #endif
-#endif
+#endif /*SUPPORT_TLS*/
 
 
 /* Everything else... */
@@ -374,6 +374,7 @@ extern int     strncmpic(const uschar *, const uschar *, int);
 extern uschar *strstric(uschar *, uschar *, BOOL);
 
 extern uschar *tod_stamp(int);
+extern void    tls_modify_variables(tls_support *);
 extern BOOL    transport_check_waiting(uschar *, uschar *, int, uschar *,
                  BOOL *);
 extern void    transport_init(void);

diff --git a/src/src/tls.c b/src/src/tls.c
index 0625c48b84d93dda9c3f08aa852b9a4b876f3385..972785284b05c923c6b9d3ea6191a8cefd9f4b0c 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
 
 #endif  /* SUPPORT_TLS */
 
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits",                 &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher",               &dest_tsp->cipher);
+modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni",                  &dest_tsp->sni);
+#endif
+}
+
 /* End of tls.c */

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 16e5c022fe51c24617aab27dc22b2bc74934e9a1..0aa95a44871a7c80e8f4ac48793eb4d345ea8a17 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE;
 
 /* Reset the parameters of a TLS session. */
 
-tls_in.bits = 0;
-tls_in.cipher = NULL;  /* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
 tls_out.bits = 0;
 tls_out.cipher = NULL; /* the one we may use for this transport */
 tls_out.peerdn = NULL;
@@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL;
 tls_out.sni = NULL;
 #endif
 
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport.  Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
+
 #ifndef SUPPORT_TLS
 if (smtps)
   {

diff --git a/src/src/verify.c b/src/src/verify.c
index 8cc67f1b15974130168f19b687d737d3b18d2ed2..690bb8f011e7071e00a9f7d65dae0993534af0ad 100644 (file)
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK;
 they're used in the context of a transport used by verification. Reset them
 at exit from this routine. */
 
-modify_variable(US"tls_bits",                 &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher",               &tls_out.cipher);
-modify_variable(US"tls_peerdn",               &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni",                  &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);
 
 /* Save a copy of the sender address for re-instating if we change it to <>
 while verifying a sender address (a nice bit of self-reference there). */
@@ -2041,14 +2035,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
 the -bv or -bt case). */
 
 out:
-
-modify_variable(US"tls_bits",                 &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher",               &tls_in.cipher);
-modify_variable(US"tls_peerdn",               &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni",                  &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);
 
 return yield;
 }

diff --git a/test/confs/3465 b/test/confs/3465
index 161fff526ddd1b09aaa526dc89978fbe396e1e92..83592a678c3a6ebd663fe581fa3c69ea98dbba68 100644 (file)
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -70,5 +70,9 @@ t1:
   hosts_require_auth = *
   allow_localhost
 
+  # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
+  headers_add = X-tls-cipher: <$tls_cipher>
+  headers_add = X-tls-out-cipher: <$tls_out_cipher>
+
 
 # End