summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2016-06-02 21:56:29 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2016-06-02 23:04:29 +0100
commitcfab9d68aba4f5cc5218b1619b4469880c4d6cc5 (patch)
tree91e4571271a925fe46c0a1e1ea658bc3ea133278
parent1ed59855863174523aabfba933434950e051e00a (diff)
Add support for ${sha256:<string>}
-rw-r--r--doc/doc-docbook/spec.xfpt11
-rw-r--r--doc/doc-txt/ChangeLog9
-rw-r--r--src/src/expand.c29
-rw-r--r--test/scripts/2000-GnuTLS/20006
-rw-r--r--test/scripts/2100-OpenSSL/21006
-rw-r--r--test/stdout/20003
-rw-r--r--test/stdout/21003
7 files changed, 52 insertions, 15 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 42e116182..1e5b72e87 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -10490,16 +10490,19 @@ If the string is a single variable of type certificate,
returns the SHA-1 hash fingerprint of the certificate.
-.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.vitem &*${sha256:*&<&'string'&>&*}*&
.cindex "SHA-256 hash"
.cindex certificate fingerprint
.cindex "expansion" "SHA-256 hashing"
.cindex "&%sha256%& expansion item"
-The &%sha256%& operator computes the SHA-256 hash fingerprint of the
-certificate,
+.new
+The &%sha256%& operator computes the SHA-256 hash value of the string
and returns
it as a 64-digit hexadecimal number, in which any letters are in upper case.
-Only arguments which are a single variable of certificate type are supported.
+.wen
+
+If the string is a single variable of type certificate,
+returns the SHA-256 hash fingerprint of the certificate.
.vitem &*${stat:*&<&'string'&>&*}*&
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 254070e26..7a5aab755 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,9 @@ JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
+JH/10 Support ${sha256:} applied to a string (as well as the previous
+ certificate).
+
Exim version 4.87
-----------------
@@ -303,7 +306,7 @@ JH/18 Bug 1581: Router and transport options headers_add/remove can
now have the list separator specified.
JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
- option values.
+ option values.
JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
under OpenSSL.
@@ -318,7 +321,7 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
JH/24 Verification callouts now attempt to use TLS by default.
-HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
+HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
are generic router options now. The defaults didn't change.
JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
@@ -938,7 +941,7 @@ PP/12 MAIL args handles TAB as well as SP, for better interop with
Analysis and variant patch by Todd Lyons.
NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
- Bug report from Lars Müller <lars@samba.org> (via SUSE),
+ Bug report from Lars Müller <lars@samba.org> (via SUSE),
Patch from Dirk Mueller <dmueller@suse.com>
PP/13 tls_peerdn now print-escaped for spool files.
diff --git a/src/src/expand.c b/src/src/expand.c
index 40b697a5d..d23e15fa7 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -2506,7 +2506,6 @@ switch(cond_type)
checking for them individually. */
if (!isalpha(name[0]) && yield != NULL)
- {
if (sub[i][0] == 0)
{
num[i] = 0;
@@ -2518,7 +2517,6 @@ switch(cond_type)
num[i] = expanded_string_integer(sub[i], FALSE);
if (expand_string_message != NULL) return NULL;
}
- }
}
/* Result not required */
@@ -2686,7 +2684,7 @@ switch(cond_type)
uschar digest[16];
md5_start(&base);
- md5_end(&base, (uschar *)sub[0], Ustrlen(sub[0]), digest);
+ md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
/* If the length that we are comparing against is 24, the MD5 digest
is expressed as a base64 string. This is the way LDAP does it. However,
@@ -2695,7 +2693,7 @@ switch(cond_type)
if (sublen == 24)
{
- uschar *coded = b64encode((uschar *)digest, 16);
+ uschar *coded = b64encode(digest, 16);
DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
" subject=%s\n crypted=%s\n", coded, sub[1]+5);
tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
@@ -2725,7 +2723,7 @@ switch(cond_type)
uschar digest[20];
sha1_start(&h);
- sha1_end(&h, (uschar *)sub[0], Ustrlen(sub[0]), digest);
+ sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
/* If the length that we are comparing against is 28, assume the SHA1
digest is expressed as a base64 string. If the length is 40, assume a
@@ -2733,7 +2731,7 @@ switch(cond_type)
if (sublen == 28)
{
- uschar *coded = b64encode((uschar *)digest, 20);
+ uschar *coded = b64encode(digest, 20);
DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
" subject=%s\n crypted=%s\n", coded, sub[1]+6);
tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
@@ -6364,7 +6362,7 @@ while (*s != 0)
sha1_start(&h);
sha1_end(&h, sub, Ustrlen(sub), digest);
for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]);
- yield = string_cat(yield, &size, &ptr, US st);
+ yield = string_catn(yield, &size, &ptr, US st, 40);
}
continue;
@@ -6376,8 +6374,23 @@ while (*s != 0)
yield = string_cat(yield, &size, &ptr, cp);
}
else
+ {
+ hctx h;
+ blob b;
+ char st[3];
+
+ exim_sha_init(&h, HASH_SHA256);
+ exim_sha_update(&h, sub, Ustrlen(sub));
+ exim_sha_finish(&h, &b);
+ while (b.len-- > 0)
+ {
+ sprintf(st, "%02X", *b.data++);
+ yield = string_catn(yield, &size, &ptr, US st, 2);
+ }
+ }
+#else
+ expand_string_message = US"sha256 only supported with TLS";
#endif
- expand_string_message = US"sha256 only supported for certificates";
continue;
/* Convert hex encoding to base64 encoding */
diff --git a/test/scripts/2000-GnuTLS/2000 b/test/scripts/2000-GnuTLS/2000
index a1299e574..5e26e4332 100644
--- a/test/scripts/2000-GnuTLS/2000
+++ b/test/scripts/2000-GnuTLS/2000
@@ -13,3 +13,9 @@ exim -qf
****
killdaemon
no_msglog_check
+#
+#
+exim -be
+sha256: ${sha256:}
+sha256: ${sha256:abc}
+****
diff --git a/test/scripts/2100-OpenSSL/2100 b/test/scripts/2100-OpenSSL/2100
index c2b0f8981..27c6c84d6 100644
--- a/test/scripts/2100-OpenSSL/2100
+++ b/test/scripts/2100-OpenSSL/2100
@@ -8,3 +8,9 @@ exim -qf
****
killdaemon
no_msglog_check
+#
+#
+exim -be
+sha256: ${sha256:}
+sha256: ${sha256:abc}
+****
diff --git a/test/stdout/2000 b/test/stdout/2000
new file mode 100644
index 000000000..effaada83
--- /dev/null
+++ b/test/stdout/2000
@@ -0,0 +1,3 @@
+> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
+>
diff --git a/test/stdout/2100 b/test/stdout/2100
new file mode 100644
index 000000000..effaada83
--- /dev/null
+++ b/test/stdout/2100
@@ -0,0 +1,3 @@
+> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
+>