From: Jeremy Harris
Date: Thu, 30 Oct 2014 12:12:31 +0000 (+0000)
Subject: For connects and certificate-verifies denied by event actions, log
X-Git-Tag: exim-4_85_RC1~18
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/b30275b8a70b539c195a3a12580f29ebdcc12d99
For connects and certificate-verifies denied by event actions, log the string resulting from the event expansion
---
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 4cc05b4ae..27a4344c5 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -719,7 +719,7 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
 #ifdef EXPERIMENTAL_EVENT
-int
+uschar *
 event_raise(uschar * action, uschar * event, uschar * ev_data)
 {
 uschar * s;
@@ -747,10 +747,10 @@ if (action)
 {
 DEBUG(D_deliver)
 debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
- return DEFER;
+ return s;
 }
 }
-return OK;
+return NULL;
 }
 static void
diff --git a/src/src/functions.h b/src/src/functions.h
index ba4760f7a..07d0eb413 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -158,7 +158,7 @@ extern BOOL dscp_lookup(const uschar *, int, int *, int *, int *);
 extern void enq_end(uschar *);
 extern BOOL enq_start(uschar *);
 #ifdef EXPERIMENTAL_EVENT
-extern int event_raise(uschar *, uschar *, uschar *);
+extern uschar *event_raise(uschar *, uschar *, uschar *);
 #endif
 extern void exim_exit(int);
 extern void exim_nullstd(void);
diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index e3f2588d7..530fcfec7 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -204,10 +204,10 @@ HDEBUG(D_transport|D_acl|D_v)
 }
 #ifdef EXPERIMENTAL_EVENT
- /*XXX Called from both delivery and verify. Is that status observable? */
 deliver_host_address = host->address;
 deliver_host_port = port;
- if (event_raise(event, US"tcp:connect", NULL) == DEFER) return -1;
+ if (event_raise(event, US"tcp:connect", NULL)) return -1;
+ /* Logging? Debug? */
 #endif
 /* Create the socket */
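Review bot: The return contract of event_raise changes from an int status to a string-or-NULL in this hunk, but nothing in the patch updates the function's header documentation; if the comment above the definition (outside this hunk) still documents an OK/DEFER result, it should now say something like `Returns: NULL if the event action permits the operation, otherwise the expansion-result string explaining the denial, which callers are expected to log`. The `return s` path relies on whatever check sits above line 747 to keep an empty expansion from reaching it; if an empty string can get here, every caller's `if (yield)` test would treat it as a denial with a blank reason, so it is worth confirming that guard tests `*s` and not just `s`. event_raise's body starts outside the hunk.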
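Review bot: The denial reason this commit exists to surface is thrown away in the tcp:connect path: `if (event_raise(event, US"tcp:connect", NULL)) return -1;` discards the returned string, the new `/* Logging? Debug? */` comment leaves it as an open question, and the removed XXX comment's concern (the same code serving both delivery and verify) is dropped without being answered. The caller presumably treats -1 like a failed socket call, so an operator sees a connection failure with no indication that an event action caused it; capturing the string and emitting it at least under debug keeps this site in step with the tls:cert and smtp:connect ones. The verify.c hunk at the end of this patch (cut off in this view) keeps the same placeholder comment and also drops the string. The enclosing function starts and ends outside the hunk.
```c
  deliver_host_address = host->address;
  deliver_host_port = port;
  {
  uschar * s = event_raise(event, US"tcp:connect", NULL);
  if (s)
    {
    HDEBUG(D_transport|D_acl|D_v)
      debug_printf("tcp:connect denied by event-action: %s\n", s);
    return -1;
    }
  }
```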
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 1966c557d..04de02d74 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1559,6 +1559,7 @@ const gnutls_datum * cert_list;
 unsigned int cert_list_size = 0;
 gnutls_x509_crt_t crt;
 int rc;
+uschar * yield;
 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
@@ -1574,11 +1575,12 @@ if (cert_list)
 }
 state->tlsp->peercert = crt;
- if (event_raise(state->event_action,
- US"tls:cert", string_sprintf("%d", cert_list_size)) == DEFER)
+ if ((yield = event_raise(state->event_action,
+ US"tls:cert", string_sprintf("%d", cert_list_size))))
 {
 log_write(0, LOG_MAIN,
- "SSL verify denied by event-action: depth=%d", cert_list_size);
+ "SSL verify denied by event-action: depth=%d: %s",
+ cert_list_size, yield);
 return 1; /* reject */
 }
 state->tlsp->peercert = NULL;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 25d523274..c489ea51d 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -294,8 +294,11 @@ verify_callback(int state, X509_STORE_CTX *x509ctx,
 {
 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
-uschar * ev;
 static uschar txt[256];
+#ifdef EXPERIMENTAL_EVENT
+uschar * ev;
+uschar * yield;
+#endif
 X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
@@ -335,10 +338,10 @@ else if (depth != 0)
 if (ev)
 {
 tlsp->peercert = X509_dup(cert);
- if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
+ "depth=%d cert=%s: %s", depth, txt, yield);
 tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
 return 0; /* reject */
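Review bot: The event-action result `yield` goes into the main log verbatim through `%s` at the log_write in this hunk, and the same pattern is repeated in the three tls-openssl.c log_write hunks and in the smtp.c set_errno message; the string is the output of an administrator-configured expansion, but an expansion can interpolate peer-derived values, so unless log_write already neutralises newlines and control characters in its arguments a denial reason could split or spoof a log line. Passing the text through the existing escaping helper, e.g. `cert_list_size, string_printing(yield));`, or documenting at event_raise that callers must treat the result as untrusted text, would close that gap. Separately, the `uschar * yield;` added in the first hunk of this file sits outside any `#ifdef EXPERIMENTAL_EVENT`, unlike the equivalent declarations in tls-openssl.c; if the call site here is guarded (the guard is not visible in this hunk) the variable is unused in non-event builds, so wrapping the declaration in the same guard keeps the two backends consistent. The enclosing function starts and ends outside the hunk.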
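Review bot: In the new format `"depth=%d cert=%s: %s"` the denial reason is appended after the certificate subject, and `txt` is the peer-supplied subject produced by X509_NAME_oneline, which can itself contain `": "`, so a log consumer cannot reliably tell where the subject ends and the event-action text begins; the @@ -402 and @@ -457 hunks use the same layout. Putting the reason in its own delimited key, e.g. `"depth=%d cert=%s event-action=\"%s\"", depth, txt, yield);`, keeps the line parseable without changing what is recorded. verify_callback starts and ends outside this hunk.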
@@ -402,10 +405,10 @@ else
 #ifdef EXPERIMENTAL_EVENT
 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
 if (ev)
- if (event_raise(ev, US"tls:cert", US"0") == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", US"0")))
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=0 cert=%s", txt);
+ "depth=0 cert=%s: %s", txt, yield);
 tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
 return 0; /* reject */
@@ -446,6 +449,7 @@ X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
 static uschar txt[256];
 #ifdef EXPERIMENTAL_EVENT
 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+uschar * yield;
 #endif
 X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
@@ -457,11 +461,11 @@ tls_out.peercert = X509_dup(cert);
 #ifdef EXPERIMENTAL_EVENT
 if (client_static_cbinfo->event_action)
 {
- if (event_raise(client_static_cbinfo->event_action,
- US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(client_static_cbinfo->event_action,
+ US"tls:cert", string_sprintf("%d", depth))))
 {
 log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
+ "depth=%d cert=%s: %s", depth, txt, yield);
 tls_out.certificate_verified = FALSE;
 return 0; /* reject */
 }
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6886fd518..c57230697 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1414,14 +1414,17 @@ if (continue_hostname == NULL)
 ob->command_timeout)) goto RESPONSE_FAILED;
 #ifdef EXPERIMENTAL_EVENT
- if (event_raise(tblock->event_action, US"smtp:connect", buffer)
- == DEFER)
+ {
+ uschar * s = event_raise(tblock->event_action, US"smtp:connect", buffer);
+ if (s)
 {
- uschar *message = US"deferred by smtp:connect event expansion";
- set_errno(addrlist, 0, message, DEFER, FALSE, NULL);
+ set_errno(addrlist, 0,
+ string_sprintf("deferred by smtp:connect event expansion: %s", s),
+ DEFER, FALSE, NULL);
 yield = DEFER;
 goto SEND_QUIT;
 }
+ }
 #endif
 /* Now check if the helo_data expansion went well, and sign off cleanly if
diff --git a/src/src/verify.c b/src/src/verify.c
index f8e176b27..82dc5cc72 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -585,7 +585,7 @@ else
 #ifdef EXPERIMENTAL_EVENT
 if (event_raise(addr->transport->event_action,
- US"smtp:connect", responsebuffer) == DEFER)
+ US"smtp:connect", responsebuffer))
 {
 /* Logging? Debug? */
 goto RESPONSE_FAILED;
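Review bot: The new block feeds the event-action text into the address error through set_errno without any comment saying why the deferral message now varies per connection, which is the only place in this patch where the string leaves the main log and travels with the address; a short comment above the block such as `/* A non-NULL yield from the smtp:connect event means the action denied the connection; carry its text in the address message so the deferral is explained wherever addr->message is reported */` would make the intent clear. Because that message is built with string_sprintf into addr->message, the event action's output presumably surfaces in the defer log line and in any later warning or bounce text derived from it, and the comment should say so, since the administrator writing the event action needs to know where the text ends up. The function containing this hunk starts and ends outside the view, and the verify.c hunk that follows is cut off at the end of the page.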