From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 20 Apr 2014 15:44:52 +0000 (+0100)
Subject: Fix handling of $tls_cipher et.al. in (non-verify) transport.  Bug 1455
X-Git-Tag: exim-4_83_RC1~51^2~8
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/35aba663e3f1eab672a8b2082a83194bf3b7a058

Fix handling of $tls_cipher et.al. in (non-verify) transport.  Bug 1455

The split of these variables into _in and _out sets introduced by d9b231
in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional
during a transport and associated client authenticator.

Fix by repointing the legacy set to the outbound connection set at
transport startup (and do not clear out the inbound set at this
time, either).
---

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e41dc3e02..56ff713cb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
       is a combined value of both the record presence and the result of the
       analysis.
 
+JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport.  Bug 1455.
+
+
 Exim version 4.82
 -----------------
 
diff --git a/src/src/functions.h b/src/src/functions.h
index 0bd3d7267..be71345a1 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,7 +45,7 @@ extern void    tls_version_report(FILE *);
 #ifndef USE_GNUTLS
 extern BOOL    tls_openssl_options_parse(uschar *, long *);
 #endif
-#endif
+#endif	/*SUPPORT_TLS*/
 
 
 /* Everything else... */
@@ -374,6 +374,7 @@ extern int     strncmpic(const uschar *, const uschar *, int);
 extern uschar *strstric(uschar *, uschar *, BOOL);
 
 extern uschar *tod_stamp(int);
+extern void    tls_modify_variables(tls_support *);
 extern BOOL    transport_check_waiting(uschar *, uschar *, int, uschar *,
                  BOOL *);
 extern void    transport_init(void);
diff --git a/src/src/tls.c b/src/src/tls.c
index 0625c48b8..972785284 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
 
 #endif  /* SUPPORT_TLS */
 
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits",                 &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher",               &dest_tsp->cipher);
+modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni",                  &dest_tsp->sni);
+#endif
+}
+
 /* End of tls.c */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 16e5c022f..0aa95a448 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE;
 
 /* Reset the parameters of a TLS session. */
 
-tls_in.bits = 0;
-tls_in.cipher = NULL;	/* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
 tls_out.bits = 0;
 tls_out.cipher = NULL;	/* the one we may use for this transport */
 tls_out.peerdn = NULL;
@@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL;
 tls_out.sni = NULL;
 #endif
 
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport.  Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
+
 #ifndef SUPPORT_TLS
 if (smtps)
   {
diff --git a/src/src/verify.c b/src/src/verify.c
index 8cc67f1b1..690bb8f01 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK;
 they're used in the context of a transport used by verification. Reset them
 at exit from this routine. */
 
-modify_variable(US"tls_bits",                 &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher",               &tls_out.cipher);
-modify_variable(US"tls_peerdn",               &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni",                  &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);
 
 /* Save a copy of the sender address for re-instating if we change it to <>
 while verifying a sender address (a nice bit of self-reference there). */
@@ -2041,14 +2035,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
 the -bv or -bt case). */
 
 out:
-
-modify_variable(US"tls_bits",                 &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher",               &tls_in.cipher);
-modify_variable(US"tls_peerdn",               &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni",                  &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);
 
 return yield;
 }
diff --git a/test/confs/3465 b/test/confs/3465
index 161fff526..83592a678 100644
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -70,5 +70,9 @@ t1:
   hosts_require_auth = *
   allow_localhost
 
+  # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
+  headers_add = X-tls-cipher: <$tls_cipher>
+  headers_add = X-tls-out-cipher: <$tls_out_cipher>
+
 
 # End