Expansions: add ${sha3:<string>} item

4 files changed, 51 insertions, 26 deletions

diff --git a/src/src/expand.c b/src/src/expand.c
index d23e15fa7..1484a3027 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -231,6 +231,7 @@ static uschar *op_table_main[] = {
   US"s",
   US"sha1",
   US"sha256",
+  US"sha3",
   US"stat",
   US"str2b64",
   US"strlen",
@@ -273,6 +274,7 @@ enum {
   EOP_S,
   EOP_SHA1,
   EOP_SHA256,
+  EOP_SHA3,
   EOP_STAT,
   EOP_STR2B64,
   EOP_STRLEN,
@@ -6367,7 +6369,7 @@ while (*s != 0)
         continue;
 
       case EOP_SHA256:
-#ifdef SUPPORT_TLS
+#ifdef EXIM_HAVE_SHA2
 	if (vp && *(void **)vp->value)
 	  {
 	  uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value);
@@ -6393,6 +6395,40 @@ while (*s != 0)
 #endif
         continue;
 
+      case EOP_SHA3:
+#ifdef EXIM_HAVE_SHA3
+	{
+	hctx h;
+	blob b;
+	char st[3];
+	hashmethod m = !arg ? HASH_SHA3_256
+	  : Ustrcmp(arg, "224") == 0 ? HASH_SHA3_224
+	  : Ustrcmp(arg, "256") == 0 ? HASH_SHA3_256
+	  : Ustrcmp(arg, "384") == 0 ? HASH_SHA3_384
+	  : Ustrcmp(arg, "512") == 0 ? HASH_SHA3_512
+	  : HASH_BADTYPE;
+
+	if (m == HASH_BADTYPE)
+	  {
+	  expand_string_message = US"unrecognised sha3 variant";
+	  goto EXPAND_FAILED;
+	  }
+
+	exim_sha_init(&h, m);
+	exim_sha_update(&h, sub, Ustrlen(sub));
+	exim_sha_finish(&h, &b);
+	while (b.len-- > 0)
+	  {
+	  sprintf(st, "%02X", *b.data++);
+	  yield = string_catn(yield, &size, &ptr, US st, 2);
+	  }
+	}
+        continue;
+#else
+	expand_string_message = US"sha3 only supported with GnuTLS 3.5.0 +";
+	goto EXPAND_FAILED;
+#endif
+
       /* Convert hex encoding to base64 encoding */
 
       case EOP_HEX2B64:
diff --git a/src/src/hash.c b/src/src/hash.c
index a0d69c2f0..c2be85d17 100644
--- a/src/src/hash.c
+++ b/src/src/hash.c
@@ -27,27 +27,6 @@ sha1;
 
 
 
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
-#endif
-
-
-
-#ifdef notdef
-#ifdef RSA_OPENSSL
-# include <openssl/rsa.h>
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-#elif defined(RSA_GNUTLS)
-# include <gnutls/gnutls.h>
-# include <gnutls/x509.h>
-# ifdef RSA_VERIFY_GNUTLS
-#  include <gnutls/abstract.h>
-# endif
-#endif
-#endif
-
-
 /******************************************************************************/
 #ifdef SHA_OPENSSL
 
@@ -95,9 +74,12 @@ exim_sha_init(hctx * h, hashmethod m)
 {
 switch (h->method = m)
   {
-  case HASH_SHA1:   h->hashlen = 20; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA1); break;
-  case HASH_SHA256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA256); break;
-  default:	    h->hashlen = 0; break;
+  case HASH_SHA1:     h->hashlen = 20; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA1); break;
+  case HASH_SHA256:   h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA256); break;
+#ifdef EXIM_HAVE_SHA3
+  case HASH_SHA3_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_256); break;
+#endif
+  default: h->hashlen = 0; break;
   }
 }
 
diff --git a/src/src/hash.h b/src/src/hash.h
index f1ebac467..9e91f1aad 100644
--- a/src/src/hash.h
+++ b/src/src/hash.h
@@ -30,9 +30,13 @@
 /* Hash context for the exim_sha_* routines */
 
 typedef enum hashmethod {
+  HASH_BADTYPE,
   HASH_SHA1,
   HASH_SHA256,
-  HASH_SHA3
+  HASH_SHA3_224,
+  HASH_SHA3_256,
+  HASH_SHA3_384,
+  HASH_SHA3_512,
 } hashmethod;
 
 typedef struct {
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index 630c78d41..fd1a4d083 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -18,6 +18,9 @@
 
 #  if GNUTLS_VERSION_NUMBER >= 0x020a00
 #   define SHA_GNUTLS
+#   if GNUTLS_VERSION_NUMBER >= 0x030500
+#    define EXIM_HAVE_SHA3
+#   endif
 #  else
 #   define SHA_GCRYPT
 #  endif