69 files changed, 1291 insertions, 608 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 174873d07..9a10d8d21 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -9213,8 +9213,8 @@ The environment is adjusted by the &%keep_environment%& and .cindex "&%extract%&" "substrings by key" The key and <&'string1'&> are first expanded separately. Leading and trailing white space is removed from the key (but not from any of the strings). The key -must not consist entirely of digits. The expanded <&'string1'&> must be of the -form: +must not be empty and must not consist entirely of digits. +The expanded <&'string1'&> must be of the form: .display <&'key1'&> = <&'value1'&> <&'key2'&> = <&'value2'&> ... .endd @@ -10514,7 +10514,7 @@ variables or headers inside regular expressions. .cindex "SHA-1 hash" .cindex "expansion" "SHA-1 hashing" .cindex certificate fingerprint -.cindex "&%sha2%& expansion item" +.cindex "&%sha1%& expansion item" The &%sha1%& operator computes the SHA-1 hash value of the string, and returns it as a 40-digit hexadecimal number, in which any letters are in upper case. 
@@ -10522,16 +10522,38 @@ If the string is a single variable of type certificate, returns the SHA-1 hash fingerprint of the certificate. -.vitem &*${sha256:*&<&'certificate'&>&*}*& +.vitem &*${sha256:*&<&'string'&>&*}*& .cindex "SHA-256 hash" .cindex certificate fingerprint .cindex "expansion" "SHA-256 hashing" .cindex "&%sha256%& expansion item" -The &%sha256%& operator computes the SHA-256 hash fingerprint of the -certificate, +.new +The &%sha256%& operator computes the SHA-256 hash value of the string and returns it as a 64-digit hexadecimal number, in which any letters are in upper case. -Only arguments which are a single variable of certificate type are supported. +.wen + +If the string is a single variable of type certificate, +returns the SHA-256 hash fingerprint of the certificate. + + +.new +.vitem &*${sha3:*&<&'string'&>&*}*& &&& + &*${sha3_<n>:*&<&'string'&>&*}*& +.cindex "SHA3 hash" +.cindex "expansion" "SHA3 hashing" +.cindex "&%sha3%& expansion item" +The &%sha3%& operator computes the SHA3-256 hash value of the string +and returns +it as a 64-digit hexadecimal number, in which any letters are in upper case. + +If a number is appended, separated by an underbar, it specifies +the output length. Values of 224, 256, 384 and 512 are accepted; +with 256 being the default. + +The &%sha3%& expansion item is only supported if Exim has been +compiled with GnuTLS 3.5.0 or later. +.wen .vitem &*${stat:*&<&'string'&>&*}*& 
@@ -12816,7 +12838,7 @@ When a message is received from a remote host over an encrypted SMTP connection, this variable is set to the cipher suite that was negotiated, for example DES-CBC3-SHA. In other circumstances, in particular, for message received over unencrypted connections, the variable is empty. Testing -&$tls_cipher$& for emptiness is one way of distinguishing between encrypted and +&$tls_in_cipher$& for emptiness is one way of distinguishing between encrypted and non-encrypted connections during ACL processing. The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during message reception, @@ -28772,13 +28794,18 @@ with &`-d`&, with the output going to a new logfile, by default called &'debuglog'&. The filename can be adjusted with the &'tag'& option, which may access any variables already defined. The logging may be adjusted with the &'opts'& option, which takes the same values as the &`-d`& command-line -option. Some examples (which depend on variables that don't exist in all +option. +.new +Logging may be stopped, and the file removed, with the &'kill'& option. +.wen +Some examples (which depend on variables that don't exist in all contexts): .code control = debug control = debug/tag=.$sender_host_address control = debug/opts=+expand+acl control = debug/tag=.$message_exim_id/opts=+expand + control = debug/kill .endd @@ -35588,6 +35615,7 @@ the following table: &`CV `& certificate verification status &`D `& duration of &"no mail in SMTP session"& &`DN `& distinguished name from peer certificate +&`DS `& DNSSEC secured lookups &`DT `& on &`=>`& lines: time taken for a delivery &`F `& sender address (on delivery lines) &`H `& host name and IP address 
@@ -35679,6 +35707,7 @@ selection marked by asterisks: &` deliver_time `& time taken to perform delivery &` delivery_size `& add &`S=`&&'nnn'& to => lines &`*dnslist_defer `& defers of DNS list (aka RBL) lookups +&` dnssec `& DNSSEC secured lookups &`*etrn `& ETRN commands &`*host_lookup_failed `& as it says &` ident_timeout `& timeout for ident connection @@ -35786,6 +35815,14 @@ the &"=>"& line, tagged with S=. &%dnslist_defer%&: A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error. .next +.cindex log dnssec +.cindex dnssec logging +&%dnssec%&: For message acceptance and (attempted) delivery log lines, when +dns lookups gave secure results a tag of DS is added. +For acceptance this covers the reverse and forward lookups for host name verification. +It does not cover helo-name verification. +For delivery this covers the SRV, MX, A and/or AAAA lookups. +.next .cindex "log" "ETRN commands" .cindex "ETRN" "logging" &%etrn%&: Every valid ETRN command that is received is logged, before the ACL @@ -38440,7 +38477,7 @@ form of the name. Log lines and Received-by: header lines will acquire a "utf8" prefix on the protocol element, eg. utf8esmtp. -The following expansion operator can be used: +The following expansion operators can be used: .code ${utf8_domain_to_alabel:str} ${utf8_domain_from_alabel:str} diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3bf6fc908..7a5aab755 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -29,6 +29,17 @@ JH/05 If main configuration option tls_certificate is unset, generate a JH/06 Bug 165: hide more cases of password exposure - this time in expansions in rewrites and routers. +JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 + and logged a warning sing 4.83; now they are a configuration file error. + +JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name + (lacking @domain). Apply the same qualification processing as RCPT. + +JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. + +JH/10 Support ${sha256:} applied to a string (as well as the previous + certificate). + Exim version 4.87 ----------------- @@ -295,7 +306,7 @@ JH/18 Bug 1581: Router and transport options headers_add/remove can now have the list separator specified. JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry - option values. + option values. JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails under OpenSSL. @@ -310,7 +321,7 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size JH/24 Verification callouts now attempt to use TLS by default. -HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) are generic router options now. The defaults didn't change. JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. @@ -930,7 +941,7 @@ PP/12 MAIL args handles TAB as well as SP, for better interop with Analysis and variant patch by Todd Lyons. NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated - Bug report from Lars Müller <lars@samba.org> (via SUSE), + Bug report from Lars Müller <lars@samba.org> (via SUSE), Patch from Dirk Mueller <dmueller@suse.com> PP/13 tls_peerdn now print-escaped for spool files. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 7cc6ace39..2a776b730 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -9,10 +9,19 @@ the documentation is updated, this file is reduced to a short list. Version 4.88 ------------ - 1. The new perl_tainmode option allows to run the embedded perl + 1. The new perl_taintmode option allows to run the embedded perl interpreter in taint mode. - 2. Facility for named queues: A commandline argument can specify + 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines. + + 3. Speculative debugging, via a "kill" option to the "control=debug" ACL + modifier. + + 4. New expansion item ${sha3:<string>} / ${sha3_<N>:<string>}. + N can be 224, 256 (default), 384, 512. + With GnuTLS 3.5.0 or later, only. + + 5. Facility for named queues: A commandline argument can specify the queue name for a queue operation, and an ACL modifier can set the queue to be used for a message. A $queue_name variable gives visibility. diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index 2e77adbd5..b9eaabaa6 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -279,6 +279,7 @@ exipick: Makefile ../src/exipick.src @rm -f exipick @sed -e "s?PERL_COMMAND?$(PERL_COMMAND)?" \ -e "s?SPOOL_DIRECTORY?$(SPOOL_DIRECTORY)?" \ + -e "s?BIN_DIRECTORY?$(BIN_DIRECTORY)?" \ ../src/exipick.src > exipick-t @mv exipick-t exipick @chmod a+x exipick @@ -330,7 +331,7 @@ OBJ_LOOKUPS = lookups/lf_quote.o lookups/lf_check_file.o lookups/lf_sqlperform.o OBJ_EXIM = acl.o base64.o child.o crypt16.o daemon.o dbfn.o debug.o deliver.o \ directory.o dns.o drtables.o enq.o exim.o expand.o filter.o \ - filtertest.o globals.o dkim.o \ + filtertest.o globals.o dkim.o hash.o \ header.o host.o ip.o log.o lss.o match.o moan.o \ os.o parse.o queue.o \ rda.o readconf.o receive.o retry.o rewrite.o rfc2047.o \ 
@@ -409,7 +410,7 @@ exim_tidydb: $(OBJ_TIDYDB) exim_dbmbuild: exim_dbmbuild.o @echo "$(LNCC) -o exim_dbmbuild" - $(FE)$(LNCC) -o exim_dbmbuild $(LFLAGS) exim_dbmbuild.o \ + $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dbmbuild $(LFLAGS) exim_dbmbuild.o \ $(LIBS) $(EXTRALIBS) $(DBMLIB) @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ echo $(STRIP_COMMAND) exim_dbmbuild; \ @@ -478,15 +479,18 @@ eximon.bin: $(EXIMON_EDITME) eximon $(OBJ_MONBIN) \ # in one. This list is overkill, but it doesn't really take much time to # rebuild Exim on a modern computer. -HDRS = config.h \ +HDRS = blob.h \ + config.h \ dbfunctions.h \ dbstuff.h \ exim.h \ functions.h \ globals.h \ + hash.h \ local_scan.h \ macros.h \ mytypes.h \ + sha_ver.h \ structs.h \ os.h PHDRS = ../config.h \ @@ -608,6 +612,7 @@ environment.o: $(HDRS) environment.c filter.o: $(HDRS) filter.c filtertest.o: $(HDRS) filtertest.c globals.o: $(HDRS) globals.c +hash.o: $(HDRS) hash.c header.o: $(HDRS) header.c host.o: $(HDRS) host.c ip.o: $(HDRS) ip.c diff --git a/src/exim_monitor/em_hdr.h b/src/exim_monitor/em_hdr.h index ed95716a3..a7e874a87 100644 --- a/src/exim_monitor/em_hdr.h +++ b/src/exim_monitor/em_hdr.h @@ -92,6 +92,7 @@ the benefit of structs.h. One of these days I should tidy up this interface so that this kind of kludge isn't needed. */ #define MAXPACKET 1024 +typedef void hctx; #include "config.h" #include "mytypes.h" diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index 68cecf0a9..7a5649ef8 100755 --- a/src/scripts/MakeLinks +++ b/src/scripts/MakeLinks 
@@ -95,13 +95,14 @@ cd .. # but local_scan.c does not, because its location is taken from the build-time # configuration. Likewise for the os.c file, which gets build dynamically. -for f in dbfunctions.h dbstuff.h exim.h functions.h globals.h local_scan.h \ - macros.h mytypes.h osfunctions.h store.h structs.h lookupapi.h \ +for f in blob.h dbfunctions.h dbstuff.h exim.h functions.h globals.h \ + hash.h local_scan.h \ + macros.h mytypes.h osfunctions.h store.h structs.h lookupapi.h sha_ver.h \ \ acl.c buildconfig.c base64.c child.c crypt16.c daemon.c dbfn.c debug.c deliver.c \ directory.c dns.c drtables.c dummies.c enq.c exim.c exim_dbmbuild.c \ exim_dbutil.c exim_lock.c expand.c filter.c filtertest.c globals.c \ - header.c host.c ip.c log.c lss.c match.c moan.c parse.c perl.c queue.c \ + hash.c header.c host.c ip.c log.c lss.c match.c moan.c parse.c perl.c queue.c \ rda.c readconf.c receive.c retry.c rewrite.c rfc2047.c route.c search.c \ setenv.c environment.c \ sieve.c smtp_in.c smtp_out.c spool_in.c spool_out.c std-crypto.c store.c \ @@ -118,12 +119,6 @@ do ln -s ../src/$f $f done -# WITH_OLD_DEMIME -for f in demime.c demime.h -do - ln -s ../src/$f $f -done - # EXPERIMENTAL_* for f in bmi_spam.c bmi_spam.h dcc.c dcc.h dane.c dane-gnu.c dane-openssl.c \ danessl.h imap_utf7.c spf.c spf.h srs.c srs.h utf8.c diff --git a/src/src/acl.c b/src/src/acl.c index 0972a23fc..381fdccf4 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -2988,8 +2988,6 @@ acl_check_condition(int verb, acl_condition_block *cb, int where, { uschar *user_message = NULL; uschar *log_message = NULL; -uschar *debug_tag = NULL; -uschar *debug_opts = NULL; int rc = OK; #ifdef WITH_CONTENT_SCAN int sep = -'/'; 
@@ -3341,24 +3339,39 @@ for (; cb != NULL; cb = cb->next) break; case CONTROL_DEBUG: - while (*p == '/') { - if (Ustrncmp(p, "/tag=", 5) == 0) - { - const uschar *pp = p + 5; - while (*pp != '\0' && *pp != '/') pp++; - debug_tag = string_copyn(p+5, pp-p-5); - p = pp; - } - else if (Ustrncmp(p, "/opts=", 6) == 0) + uschar * debug_tag = NULL; + uschar * debug_opts = NULL; + BOOL kill = FALSE; + + while (*p == '/') { - const uschar *pp = p + 6; - while (*pp != '\0' && *pp != '/') pp++; - debug_opts = string_copyn(p+6, pp-p-6); + const uschar * pp = p+1; + if (Ustrncmp(pp, "tag=", 4) == 0) + { + for (pp += 4; *pp && *pp != '/';) pp++; + debug_tag = string_copyn(p+5, pp-p-5); + } + else if (Ustrncmp(pp, "opts=", 5) == 0) + { + for (pp += 5; *pp && *pp != '/';) pp++; + debug_opts = string_copyn(p+6, pp-p-6); + } + else if (Ustrncmp(pp, "kill", 4) == 0) + { + for (pp += 4; *pp && *pp != '/';) pp++; + kill = TRUE; + } + else + while (*pp && *pp != '/') pp++; p = pp; } + + if (kill) + debug_logging_stop(); + else + debug_logging_activate(debug_tag, debug_opts); } - debug_logging_activate(debug_tag, debug_opts); break; case CONTROL_SUPPRESS_LOCAL_FIXUPS: diff --git a/src/src/auths/Makefile b/src/src/auths/Makefile index 358d018e3..62ce9d0a9 100644 --- a/src/src/auths/Makefile +++ b/src/src/auths/Makefile @@ -8,7 +8,7 @@ OBJ = auth-spa.o call_pam.o call_pwcheck.o \ call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \ get_data.o get_no64_data.o gsasl_exim.o heimdal_gssapi.o \ - md5.o plaintext.o pwcheck.o sha1.o \ + md5.o plaintext.o pwcheck.o \ spa.o tls.o xtextdecode.o xtextencode.o auths.a: $(OBJ) @@ -30,7 +30,6 @@ get_data.o: $(HDRS) get_data.c get_no64_data.o: $(HDRS) get_no64_data.c md5.o: $(HDRS) md5.c pwcheck.o: $(HDRS) pwcheck.c pwcheck.h -sha1.o: $(HDRS) sha1.c xtextdecode.o: $(HDRS) xtextdecode.c xtextencode.o: $(HDRS) xtextencode.c diff --git a/src/src/pdkim/blob.h b/src/src/blob.h index e1481c9f4..a3f1e24d4 100644 --- a/src/src/pdkim/blob.h 
+++ b/src/src/blob.h @@ -1,9 +1,7 @@ /* - * PDKIM - a RFC4871 (DKIM) implementation + * Blob - a general pointer/size item for a memory chunk * * Copyright (C) 2016 Exim maintainers - * - * RSA signing/verification interface */ #ifndef BLOB_H /* entire file */ diff --git a/src/src/deliver.c b/src/src/deliver.c index 0a8d70002..b389c3731 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -708,25 +708,31 @@ return s; static uschar * -d_hostlog(uschar *s, int *sizep, int *ptrp, address_item *addr) +d_hostlog(uschar * s, int * sp, int * pp, address_item * addr) { -s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name, - US" [", addr->host_used->address, US"]"); +host_item * h = addr->host_used; + +s = string_append(s, sp, pp, 2, US" H=", h->name); + +if (LOGGING(dnssec) && h->dnssec == DS_YES) + s = string_cat(s, sp, pp, US" DS"); + +s = string_append(s, sp, pp, 3, US" [", h->address, US"]"); + if (LOGGING(outgoing_port)) - s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d", - addr->host_used->port)); + s = string_append(s, sp, pp, 2, US":", string_sprintf("%d", h->port)); #ifdef SUPPORT_SOCKS if (LOGGING(proxy) && proxy_local_address) { - s = string_append(s, sizep, ptrp, 3, US" PRX=[", proxy_local_address, US"]"); + s = string_append(s, sp, pp, 3, US" PRX=[", proxy_local_address, US"]"); if (LOGGING(outgoing_port)) - s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d", + s = string_append(s, sp, pp, 2, US":", string_sprintf("%d", proxy_local_port)); } #endif -return d_log_interface(s, sizep, ptrp); +return d_log_interface(s, sp, pp); } diff --git a/src/src/exim.c b/src/src/exim.c index 1fb543f1b..08ceab7e1 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -12,6 +12,10 @@ Also a few functions that don't naturally fit elsewhere. */ #include "exim.h" +#ifdef __GLIBC__ +# include <gnu/libc-version.h> +#endif + #ifdef USE_GNUTLS # include <gnutls/gnutls.h> # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP) 
@@ -1025,6 +1029,14 @@ DEBUG(D_any) do { fprintf(f, "Compiler: <unknown>\n"); #endif +#ifdef __GLIBC__ + fprintf(f, "Library version: Glibc: Compile: %d.%d\n", + __GLIBC__, __GLIBC_MINOR__); + if (__GLIBC_PREREQ(2, 1)) + fprintf(f, " Runtime: %s\n", + gnu_get_libc_version()); +#endif + #ifdef SUPPORT_TLS tls_version_report(f); #endif @@ -1040,7 +1052,7 @@ DEBUG(D_any) do { characters; unless it's an ancient version of PCRE in which case it is not defined. */ #ifndef PCRE_PRERELEASE -#define PCRE_PRERELEASE +# define PCRE_PRERELEASE #endif #define QUOTE(X) #X #define EXPAND_AND_QUOTE(X) QUOTE(X) @@ -2047,6 +2059,7 @@ for (i = 1; i < argc; i++) sender_host_address = argv[i]; host_checking = checking = log_testing_mode = TRUE; host_checking_callout = argrest[1] == 'c'; + message_logs = FALSE; } /* -bi: This option is used by sendmail to initialize *the* alias file, diff --git a/src/src/exim.h b/src/src/exim.h index 41d377110..9ae96b2a0 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -493,6 +493,7 @@ config.h, mytypes.h, and store.h, so we don't need to mention them explicitly. #include "dbstuff.h" #include "structs.h" #include "globals.h" +#include "hash.h" #include "functions.h" #include "dbfunctions.h" #include "osfunctions.h" diff --git a/src/src/exipick.src b/src/src/exipick.src index 4708ebb4a..bdeba95fc 100644 --- a/src/src/exipick.src +++ b/src/src/exipick.src @@ -1,7 +1,9 @@ #!PERL_COMMAND -# This variable should be set by the building process to Exim's spool directory. -my $spool = 'SPOOL_DIRECTORY'; +# This variables should be set by the building process +my $spool = 'SPOOL_DIRECTORY'; # may be overridden later +my $exim = 'BIN_DIRECTORY/exim'; + # Need to set this dynamically during build, but it's not used right now anyway. my $charset = 'ISO-8859-1'; 
@@ -111,7 +113,9 @@ $G::and = $G::and; # shut up -w $G::msg_ids = {}; # short circuit when crit is only MID $G::caseless = $G::caseful ? 0 : 1; # nocase by default, case if both @G::recipients_crit = (); # holds per-recip criteria -$spool = $G::spool if ($G::spool); +$spool = defined $G::spool ? $G::spool + : do { chomp($_ = `$exim -n -bP spool_directory`); + $_ // $spool }; my $input_dir = $G::input_dir || ($G::finput ? "Finput" : "input"); my $count_only = 1 if ($G::mailq_bpc || $G::qgrep_c); my $unsorted = 1 if ($G::mailq_bpr || $G::mailq_bpra || @@ -1427,7 +1431,8 @@ Same as '$shown_message_size eq <string>' (exiqgrep) =item --spool <path> -Set the path to the exim spool to use. This value will have the argument to --input or 'input' appended, or be ignored if --input is a full path. +Set the path to the exim spool to use. This value will have the argument to --input or 'input' appended, or be ignored if --input is a full path. If not specified, exipick uses the value from C<exim -bP spool_directory>, and if this fails, the F<SPOOL_DIRECTORY> +from build time (F<Local/Makefile>) is used. =item --show-rules diff --git a/src/src/expand.c b/src/src/expand.c index 249254923..a0b36f7e2 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -231,6 +231,7 @@ static uschar *op_table_main[] = { US"s", US"sha1", US"sha256", + US"sha3", US"stat", US"str2b64", US"strlen", @@ -273,6 +274,7 @@ enum { EOP_S, EOP_SHA1, EOP_SHA256, + EOP_SHA3, EOP_STAT, EOP_STR2B64, EOP_STRLEN, @@ -2507,7 +2509,6 @@ switch(cond_type) checking for them individually. */ if (!isalpha(name[0]) && yield != NULL) - { if (sub[i][0] == 0) { num[i] = 0; @@ -2519,7 +2520,6 @@ switch(cond_type) num[i] = expanded_string_integer(sub[i], FALSE); if (expand_string_message != NULL) return NULL; } - } } /* Result not required */ 
@@ -2687,7 +2687,7 @@ switch(cond_type) uschar digest[16]; md5_start(&base); - md5_end(&base, (uschar *)sub[0], Ustrlen(sub[0]), digest); + md5_end(&base, sub[0], Ustrlen(sub[0]), digest); /* If the length that we are comparing against is 24, the MD5 digest is expressed as a base64 string. This is the way LDAP does it. However, @@ -2696,7 +2696,7 @@ switch(cond_type) if (sublen == 24) { - uschar *coded = b64encode((uschar *)digest, 16); + uschar *coded = b64encode(digest, 16); DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n" " subject=%s\n crypted=%s\n", coded, sub[1]+5); tempcond = (Ustrcmp(coded, sub[1]+5) == 0); @@ -2722,11 +2722,11 @@ switch(cond_type) else if (strncmpic(sub[1], US"{sha1}", 6) == 0) { int sublen = Ustrlen(sub[1]+6); - sha1 base; + hctx h; uschar digest[20]; - sha1_start(&base); - sha1_end(&base, (uschar *)sub[0], Ustrlen(sub[0]), digest); + sha1_start(&h); + sha1_end(&h, sub[0], Ustrlen(sub[0]), digest); /* If the length that we are comparing against is 28, assume the SHA1 digest is expressed as a base64 string. If the length is 40, assume a @@ -2734,7 +2734,7 @@ switch(cond_type) if (sublen == 28) { - uschar *coded = b64encode((uschar *)digest, 20); + uschar *coded = b64encode(digest, 20); DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n" " subject=%s\n crypted=%s\n", coded, sub[1]+6); tempcond = (Ustrcmp(coded, sub[1]+6) == 0); @@ -3339,7 +3339,7 @@ chash_start(int type, void *base) if (type == HMAC_MD5) md5_start((md5 *)base); else - sha1_start((sha1 *)base); + sha1_start((hctx *)base); } static void @@ -3348,7 +3348,7 @@ chash_mid(int type, void *base, uschar *string) if (type == HMAC_MD5) md5_mid((md5 *)base, string); else - sha1_mid((sha1 *)base, string); + sha1_mid((hctx *)base, string); } static void 
@@ -3357,7 +3357,7 @@ chash_end(int type, void *base, uschar *string, int length, uschar *digest) if (type == HMAC_MD5) md5_end((md5 *)base, string, length, digest); else - sha1_end((sha1 *)base, string, length, digest); + sha1_end((hctx *)base, string, length, digest); } @@ -3416,8 +3416,7 @@ prvs_hmac_sha1(uschar *address, uschar *key, uschar *key_num, uschar *daystamp) { uschar *hash_source, *p; int size = 0,offset = 0,i; -sha1 sha1_base; -void *use_base = &sha1_base; +hctx h; uschar innerhash[20]; uschar finalhash[20]; uschar innerkey[64]; @@ -3446,13 +3445,13 @@ for (i = 0; i < Ustrlen(key); i++) outerkey[i] ^= key[i]; } -chash_start(HMAC_SHA1, use_base); -chash_mid(HMAC_SHA1, use_base, innerkey); -chash_end(HMAC_SHA1, use_base, hash_source, offset, innerhash); +chash_start(HMAC_SHA1, &h); +chash_mid(HMAC_SHA1, &h, innerkey); +chash_end(HMAC_SHA1, &h, hash_source, offset, innerhash); -chash_start(HMAC_SHA1, use_base); -chash_mid(HMAC_SHA1, use_base, outerkey); -chash_end(HMAC_SHA1, use_base, innerhash, 20, finalhash); +chash_start(HMAC_SHA1, &h); +chash_mid(HMAC_SHA1, &h, outerkey); +chash_end(HMAC_SHA1, &h, innerhash, 20, finalhash); p = finalhash_hex; for (i = 0; i < 3; i++) @@ -5145,7 +5144,7 @@ while (*s != 0) { uschar *sub[3]; md5 md5_base; - sha1 sha1_base; + hctx sha1_ctx; void *use_base; int type, i; int hashlen; /* Number of octets for the hash algorithm's output */ @@ -5177,7 +5176,7 @@ while (*s != 0) else if (Ustrcmp(sub[0], "sha1") == 0) { type = HMAC_SHA1; - use_base = &sha1_base; + use_base = &sha1_ctx; hashlen = 20; hashblocklen = 64; } 
@@ -6359,29 +6358,78 @@ while (*s != 0) else #endif { - sha1 base; + hctx h; uschar digest[20]; int j; char st[41]; - sha1_start(&base); - sha1_end(&base, sub, Ustrlen(sub), digest); + sha1_start(&h); + sha1_end(&h, sub, Ustrlen(sub), digest); for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]); - yield = string_cat(yield, &size, &ptr, US st); + yield = string_catn(yield, &size, &ptr, US st, 40); } continue; case EOP_SHA256: -#ifdef SUPPORT_TLS +#ifdef EXIM_HAVE_SHA2 if (vp && *(void **)vp->value) { uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value); yield = string_cat(yield, &size, &ptr, cp); } else + { + hctx h; + blob b; + char st[3]; + + exim_sha_init(&h, HASH_SHA256); + exim_sha_update(&h, sub, Ustrlen(sub)); + exim_sha_finish(&h, &b); + while (b.len-- > 0) + { + sprintf(st, "%02X", *b.data++); + yield = string_catn(yield, &size, &ptr, US st, 2); + } + } +#else + expand_string_message = US"sha256 only supported with TLS"; #endif - expand_string_message = US"sha256 only supported for certificates"; continue; + case EOP_SHA3: +#ifdef EXIM_HAVE_SHA3 + { + hctx h; + blob b; + char st[3]; + hashmethod m = !arg ? HASH_SHA3_256 + : Ustrcmp(arg, "224") == 0 ? HASH_SHA3_224 + : Ustrcmp(arg, "256") == 0 ? HASH_SHA3_256 + : Ustrcmp(arg, "384") == 0 ? HASH_SHA3_384 + : Ustrcmp(arg, "512") == 0 ? HASH_SHA3_512 + : HASH_BADTYPE; + + if (m == HASH_BADTYPE) + { + expand_string_message = US"unrecognised sha3 variant"; + goto EXPAND_FAILED; + } + + exim_sha_init(&h, m); + exim_sha_update(&h, sub, Ustrlen(sub)); + exim_sha_finish(&h, &b); + while (b.len-- > 0) + { + sprintf(st, "%02X", *b.data++); + yield = string_catn(yield, &size, &ptr, US st, 2); + } + } + continue; +#else + expand_string_message = US"sha3 only supported with GnuTLS 3.5.0 +"; + goto EXPAND_FAILED; +#endif + /* Convert hex encoding to base64 encoding */ case EOP_HEX2B64: diff --git a/src/src/functions.h b/src/src/functions.h index 0956c4069..ebbdc55e2 100644 --- a/src/src/functions.h 
+++ b/src/src/functions.h @@ -123,6 +123,7 @@ extern int dcc_process(uschar **); #endif extern void debug_logging_activate(uschar *, uschar *); +extern void debug_logging_stop(void); extern void debug_print_argv(const uschar **); extern void debug_print_ids(uschar *); extern void debug_print_string(uschar *); @@ -370,9 +371,9 @@ extern int search_findtype_partial(const uschar *, int *, const uschar **, i extern void *search_open(uschar *, int, int, uid_t *, gid_t *); extern void search_tidyup(void); extern void set_process_info(const char *, ...) PRINTF_FUNCTION(1,2); -extern void sha1_end(sha1 *, const uschar *, int, uschar *); -extern void sha1_mid(sha1 *, const uschar *); -extern void sha1_start(sha1 *); +extern void sha1_end(hctx *, const uschar *, int, uschar *); +extern void sha1_mid(hctx *, const uschar *); +extern void sha1_start(hctx *); extern int sieve_interpret(uschar *, int, uschar *, uschar *, uschar *, uschar *, address_item **, uschar **); extern void sigalrm_handler(int); diff --git a/src/src/globals.c b/src/src/globals.c index 3ba82e0a7..4f5a922b4 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -144,9 +144,6 @@ uschar *dsn_advertise_hosts = NULL; #ifdef SUPPORT_TLS BOOL gnutls_compat_mode = FALSE; BOOL gnutls_allow_auto_pkcs11 = FALSE; -uschar *gnutls_require_mac = NULL; -uschar *gnutls_require_kx = NULL; -uschar *gnutls_require_proto = NULL; uschar *openssl_options = NULL; const pcre *regex_STARTTLS = NULL; uschar *tls_advertise_hosts = US"*"; @@ -864,6 +861,7 @@ bit_table log_options[] = { /* must be in alphabetical order */ BIT_TABLE(L, deliver_time), BIT_TABLE(L, delivery_size), BIT_TABLE(L, dnslist_defer), + BIT_TABLE(L, dnssec), BIT_TABLE(L, etrn), BIT_TABLE(L, host_lookup_failed), BIT_TABLE(L, ident_timeout), diff --git a/src/src/globals.h b/src/src/globals.h index 362c2bfb9..6e42bc3d7 100644 --- a/src/src/globals.h +++ b/src/src/globals.h 
@@ -108,9 +108,6 @@ extern tls_support tls_out; #ifdef SUPPORT_TLS extern BOOL gnutls_compat_mode; /* Less security, more compatibility */ extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */ -extern uschar *gnutls_require_mac; /* So some can be avoided */ -extern uschar *gnutls_require_kx; /* So some can be avoided */ -extern uschar *gnutls_require_proto; /* So some can be avoided */ extern uschar *openssl_options; /* OpenSSL compatibility options */ extern const pcre *regex_STARTTLS; /* For recognizing STARTTLS settings */ extern uschar *tls_certificate; /* Certificate file */ diff --git a/src/src/auths/sha1.c b/src/src/hash.c index 753bea3db..c2be85d17 100644 --- a/src/src/auths/sha1.c +++ b/src/src/hash.c 
@@ -1,28 +1,180 @@ -/************************************************* -* Exim - an Internet mail transport agent * -*************************************************/ - -/* Copyright (c) University of Cambridge 1995 - 2016 */ -/* See the file NOTICE for conditions of use and distribution. */ +/* + * Exim - an Internet mail transport agent + * + * Copyright (C) 2016 Exim maintainers + * Copyright (c) University of Cambridge 1995 - 2016 + * + * Hash interface functions + */ #ifndef STAND_ALONE -#include "../exim.h" +# include "exim.h" + +#else /* For stand-alone testing, we need to have the structure defined, and to be able to do I/O */ -#else -#include <stdio.h> -#include <stdlib.h> +# include <stdio.h> +# include <stdlib.h> typedef unsigned char uschar; typedef struct sha1 { unsigned int H[5]; unsigned int length; } sha1; +#endif /*STAND_ALONE*/ + + + +/******************************************************************************/ +#ifdef SHA_OPENSSL + +void +exim_sha_init(hctx * h, hashmethod m) +{ +switch (h->method = m) + { + case HASH_SHA1: h->hashlen = 20; SHA1_Init (&h->u.sha1); break; + case HASH_SHA256: h->hashlen = 32; SHA256_Init(&h->u.sha2); break; + default: h->hashlen = 0; break; + } +} + + +void +exim_sha_update(hctx * h, const uschar * data, int len) +{ +switch (h->method) + { + case HASH_SHA1: SHA1_Update (&h->u.sha1, data, len); break; + case HASH_SHA256: SHA256_Update(&h->u.sha2, data, len); break; + } +} + + +void +exim_sha_finish(hctx * h, blob * b) +{ +b->data = store_get(b->len = h->hashlen); +switch (h->method) + { + case HASH_SHA1: SHA1_Final (b->data, &h->u.sha1); break; + case HASH_SHA256: SHA256_Final(b->data, &h->u.sha2); break; + } +} + + + +#elif defined(SHA_GNUTLS) +/******************************************************************************/ + +void +exim_sha_init(hctx * h, hashmethod m) +{ +switch (h->method = m) + { + case HASH_SHA1: h->hashlen = 20; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA1); break; + case HASH_SHA256: 
h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA256); break; +#ifdef EXIM_HAVE_SHA3 + case HASH_SHA3_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_256); break; #endif + default: h->hashlen = 0; break; + } +} + + +void +exim_sha_update(hctx * h, const uschar * data, int len) +{ +gnutls_hash(h->sha, data, len); +} + + +void +exim_sha_finish(hctx * h, blob * b) +{ +b->data = store_get(b->len = h->hashlen); +gnutls_hash_output(h->sha, b->data); +} + + + +#elif defined(SHA_GCRYPT) +/******************************************************************************/ + +void +exim_sha_init(hctx * h, hashmethod m) +{ +switch (h->method = m) + { + case HASH_SHA1: h->hashlen = 20; gcry_md_open(&h->sha, GCRY_MD_SHA1, 0); break; + case HASH_SHA256: h->hashlen = 32; gcry_md_open(&h->sha, GCRY_MD_SHA256, 0); break; + default: h->hashlen = 0; break; + } +} + + +void +exim_sha_update(hctx * h, const uschar * data, int len) +{ +gcry_md_write(h->sha, data, len); +} + + +void +exim_sha_finish(hctx * h, blob * b) +{ +b->data = store_get(b->len = h->hashlen); +memcpy(b->data, gcry_md_read(h->sha, 0), h->hashlen); +} + + + + +#elif defined(SHA_POLARSSL) +/******************************************************************************/ + +void +exim_sha_init(hctx * h, hashmethod m) +{ +switch (h->method = m) + { + case HASH_SHA1: h->hashlen = 20; sha1_starts(&h->u.sha1); break; + case HASH_SHA256: h->hashlen = 32; sha2_starts(&h->u.sha2, 0); break; + default: h->hashlen = 0; break; + } +} + + +void +exim_sha_update(hctx * h, const uschar * data, int len) +{ +switch (h->method) + { + case HASH_SHA1: sha1_update(h->u.sha1, US data, len); break; + case HASH_SHA256: sha2_update(h->u.sha2, US data, len); break; + } +} + + +void +exim_sha_finish(hctx * h, blob * b) +{ +b->data = store_get(b->len = h->hashlen); +switch (h->method) + { + case HASH_SHA1: sha1_finish(h->u.sha1, b->data); break; + case HASH_SHA256: sha2_finish(h->u.sha2, b->data); break; + } +} + + +#elif 
defined(SHA_NATIVE) +/******************************************************************************/ +/* Only sha-1 supported */ /************************************************* * Start off a new SHA-1 computation. * @@ -33,8 +185,8 @@ Argument: pointer to sha1 storage structure Returns: nothing */ -void -sha1_start(sha1 *base) +static void +native_sha1_start(sha1 *base) { base->H[0] = 0x67452301; base->H[1] = 0xefcdab89; @@ -59,8 +211,8 @@ Arguments: Returns: nothing */ -void -sha1_mid(sha1 *base, const uschar *text) +static void +native_sha1_mid(sha1 *base, const uschar *text) { int i; uint A, B, C, D, E; @@ -158,8 +310,8 @@ Arguments: Returns: nothing */ -void -sha1_end(sha1 *base, const uschar *text, int length, uschar *digest) +static void +native_sha1_end(sha1 *base, const uschar *text, int length, uschar *digest) { int i; uschar work[64]; @@ -168,7 +320,7 @@ uschar work[64]; while (length >= 64) { - sha1_mid(base, text); + native_sha1_mid(base, text); text += 64; length -= 64; } @@ -184,7 +336,7 @@ work[length] = 0x80; if (length > 55) { memset(work+length+1, 0, 63-length); - sha1_mid(base, work); + native_sha1_mid(base, work); base->length -= 64; memset(work, 0, 56); } @@ -210,7 +362,7 @@ memset(work+56, 0, 4); /* Process the final 64-byte chunk */ -sha1_mid(base, work); +native_sha1_mid(base, work); /* Pass back the result, high-order byte first in each word. */ 
@@ -226,13 +378,112 @@ for (i = 0; i < 5; i++) + + + +# ifdef notdef +void +exim_sha_init(hctx * h, hashmethod m) +{ +h->hashlen = 20; +native_sha1_start(&h->sha1); +} + + +void +exim_sha_update(hctx * h, const uschar * data, int len) +{ +native_sha1_mid(&h->sha1, US data); /* implicit size always 64 */ +} + + +void +exim_sha_finish(hctx * h, blob * b) +{ +b->data = store_get(b->len = h->hashlen); + +native_sha1_end(&h->sha1, NULL, 0, b->data); +} +# endif + + +#endif +/******************************************************************************/ + +/* Common to all library versions */ +int +exim_sha_hashlen(hctx * h) +{ +return h->method == HASH_SHA1 ? 20 + : h->method == HASH_SHA256 ? 32 + : 0; +} + + +/******************************************************************************/ +/******************************************************************************/ +/******************************************************************************/ +/******************************************************************************/ +/* Original sha-1 interface used by crypteq{shal1}, +${sha1:} ${hmac:} and ${prvs:} */ + +#ifdef SHA_NATIVE + +void +sha1_start(hctx * h) +{ +native_sha1_start(&h->sha1); +} + +void +sha1_mid(hctx * h, const uschar * data) +{ +native_sha1_mid(&h->sha1, data); +} + +void +sha1_end(hctx * h, const uschar * data, int len, uschar *digest) +{ +native_sha1_end(&h->sha1, data, len, digest); +} + +#else + +void +sha1_start(hctx * h) +{ +exim_sha_init(h, HASH_SHA1); +} + +void +sha1_mid(hctx * h, const uschar * data) +{ +exim_sha_update(h, data, 64); +} + +void +sha1_end(hctx * h, const uschar * data, int len, uschar *digest) +{ +blob b; +exim_sha_update(h, data, len); +exim_sha_finish(h, &b); +memcpy(digest, b.data, 20); +} + +#endif + + + + + + /************************************************* ************************************************** * Stand-alone test program * ************************************************** 
*************************************************/ -#ifdef STAND_ALONE +# ifdef STAND_ALONE /* Test values. The first 128 may contain binary zeros and have increasing length. */ @@ -525,8 +776,8 @@ printf("Checking sha1: %s-endian\n\n", (ctest[0] == 0x04)? "little" : "big"); for (i = 0; i < sizeof(tests)/sizeof(uschar *); i ++) { printf("%d.\nShould be: %s\n", i, hashes[i]); - sha1_start(&base); - sha1_end(&base, tests[i], (i <= 128)? i : strlen(tests[i]), digest); + native_sha1_start(&base); + native_sha1_end(&base, tests[i], (i <= 128)? i : strlen(tests[i]), digest); for (j = 0; j < 20; j++) sprintf(s+2*j, "%02X", digest[j]); printf("Computed: %s\n", s); if (strcmp(s, hashes[i]) != 0) printf("*** No match ***\n"); @@ -540,13 +791,13 @@ memset(ctest, 'a', 1000000); printf("1 000 000 repetitions of 'a'\n"); printf("Should be: %s\n", atest); -sha1_start(&base); -sha1_end(&base, ctest, 1000000, digest); +native_sha1_start(&base); +native_sha1_end(&base, ctest, 1000000, digest); for (j = 0; j < 20; j++) sprintf(s+2*j, "%02X", digest[j]); printf("Computed: %s\n", s); if (strcmp(s, atest) != 0) printf("*** No match ***\n"); } -#endif +# endif /*STAND_ALONE*/ -/* End of sha1.c */ +/* End of File */ diff --git a/src/src/pdkim/hash.h b/src/src/hash.h index 52a5507c3..9e91f1aad 100644 --- a/src/src/pdkim/hash.h +++ b/src/src/hash.h 
@@ -1,46 +1,47 @@ /* - * PDKIM - a RFC4871 (DKIM) implementation + * Exim - an Internet mail transport agent * * Copyright (C) 2016 Exim maintainers * * Hash interface functions */ -#include "../exim.h" +#include "exim.h" -#if !defined(DISABLE_DKIM) && !defined(PDKIM_HASH_H) /* entire file */ -#define PDKIM_HASH_H +#if !defined(HASH_H) /* entire file */ +#define HASH_H -#ifndef SUPPORT_TLS -# error Need SUPPORT_TLS for DKIM -#endif - -#include "crypt_ver.h" +#include "sha_ver.h" #include "blob.h" -#ifdef RSA_OPENSSL -# include <openssl/rsa.h> -# include <openssl/ssl.h> -# include <openssl/err.h> -#elif defined(RSA_GNUTLS) -# include <gnutls/gnutls.h> -# include <gnutls/x509.h> -#endif - -#ifdef SHA_GNUTLS +#ifdef SHA_OPENSSL +# include <openssl/sha.h> +#elif defined SHA_GNUTLS # include <gnutls/crypto.h> #elif defined(SHA_GCRYPT) # include <gcrypt.h> #elif defined(SHA_POLARSSL) -# include "pdkim.h" -# include "polarssl/sha1.h" -# include "polarssl/sha2.h" +# include "pdkim/pdkim.h" /*XXX ugly */ +# include "pdkim/polarssl/sha1.h" +# include "pdkim/polarssl/sha2.h" #endif -/* Hash context */ + +/* Hash context for the exim_sha_* routines */ + +typedef enum hashmethod { + HASH_BADTYPE, + HASH_SHA1, + HASH_SHA256, + HASH_SHA3_224, + HASH_SHA3_256, + HASH_SHA3_384, + HASH_SHA3_512, +} hashmethod; + typedef struct { - int sha1; - int hashlen; + hashmethod method; + int hashlen; #ifdef SHA_OPENSSL union { @@ -59,21 +60,17 @@ typedef struct { sha1_context sha1; /* SHA1 block */ sha2_context sha2; /* SHA256 block */ } u; -#endif - -} hctx; -#if defined(SHA_OPENSSL) -# include "pdkim.h" -#elif defined(SHA_GCRYPT) -# include "pdkim.h" +#elif defined(SHA_NATIVE) + sha1 sha1; #endif +} hctx; -extern void exim_sha_init(hctx *, BOOL); +extern void exim_sha_init(hctx *, hashmethod); extern void exim_sha_update(hctx *, const uschar *a, int); extern void exim_sha_finish(hctx *, blob *); extern int exim_sha_hashlen(hctx *); -#endif /*DISABLE_DKIM*/ +#endif /* End of File */ 
diff --git a/src/src/log.c b/src/src/log.c index 9e6809720..b01a179c0 100644 --- a/src/src/log.c +++ b/src/src/log.c @@ -503,6 +503,13 @@ log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: " } +static void +unlink_log(int type) +{ +if (type == lt_debug) unlink(CS debuglog_name); +} + + /************************************************* * Add configuration file info to log line * @@ -1395,7 +1402,7 @@ int fd = -1; if (debug_file) { debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n" - "DEBUG: Tag=\"%s\" Opts=\"%s\"\n", tag_name, opts ? opts : US""); + "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US""); return; } @@ -1426,4 +1433,16 @@ else } +void +debug_logging_stop(void) +{ +if (!debug_file || !debuglog_name[0]) return; + +debug_selector = 0; +fclose(debug_file); +debug_file = NULL; +unlink_log(lt_debug); +} + + /* End of log.c */ diff --git a/src/src/macros.h b/src/src/macros.h index 275458b8f..53abeb5c2 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -446,15 +446,19 @@ enum { LOG_BIT(smtp_protocol_error), LOG_BIT(smtp_syntax_error), - Li_acl_warn_skipped = BITWORDSIZE, + Li_8bitmime = BITWORDSIZE, + Li_acl_warn_skipped, Li_arguments, Li_deliver_time, Li_delivery_size, + Li_dnssec, Li_ident_timeout, Li_incoming_interface, Li_incoming_port, + Li_outgoing_interface, Li_outgoing_port, Li_pid, + Li_proxy, Li_queue_time, Li_queue_time_overall, Li_received_sender, @@ -464,6 +468,7 @@ enum { Li_sender_on_delivery, Li_sender_verify_fail, Li_smtp_confirmation, + Li_smtp_mailauth, Li_smtp_no_mail, Li_subject, Li_tls_certificate_verified, @@ -471,12 +476,8 @@ enum { Li_tls_peerdn, Li_tls_sni, Li_unknown_in_list, - Li_8bitmime, - Li_smtp_mailauth, - Li_proxy, - Li_outgoing_interface, - log_selector_size = BITWORD(Li_outgoing_interface) + 1 + log_selector_size = BITWORD(Li_unknown_in_list) + 1 }; #define LOGGING(opt) BIT_TEST(log_selector, log_selector_size, Li_##opt) 
diff --git a/src/src/pdkim/Makefile b/src/src/pdkim/Makefile index c72a9426b..c298568ea 100644 --- a/src/src/pdkim/Makefile +++ b/src/src/pdkim/Makefile @@ -1,6 +1,6 @@ # Make file for building the pdkim library. -OBJ = pdkim.o hash.o rsa.o +OBJ = pdkim.o rsa.o pdkim.a: $(OBJ) @$(RM_COMMAND) -f pdkim.a @@ -12,8 +12,7 @@ pdkim.a: $(OBJ) .c.o:; @echo "$(CC) $*.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) -I. $*.c -pdkim.o: $(HDRS) crypt_ver.h hash.h blob.h pdkim.h pdkim.c -hash.o: $(HDRS) crypt_ver.h hash.h blob.h pdkim.h hash.c -rsa.o: $(HDRS) crypt_ver.h rsa.h blob.h rsa.c +pdkim.o: $(HDRS) crypt_ver.h pdkim.h pdkim.c +rsa.o: $(HDRS) crypt_ver.h rsa.h rsa.c # End diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h index 0e1db894f..cd2171c82 100644 --- a/src/src/pdkim/crypt_ver.h +++ b/src/src/pdkim/crypt_ver.h @@ -8,6 +8,7 @@ /* RSA and SHA routine selection for PDKIM */ #include "../exim.h" +#include "../sha_ver.h" #ifdef USE_GNUTLS @@ -19,14 +20,7 @@ # define RSA_GCRYPT # endif -# if GNUTLS_VERSION_NUMBER >= 0x020a00 -# define SHA_GNUTLS -# else -# define SHA_GCRYPT -# endif - #else # define RSA_OPENSSL -# define SHA_OPENSSL #endif diff --git a/src/src/pdkim/hash.c b/src/src/pdkim/hash.c deleted file mode 100644 index 0f7d0f6d4..000000000 --- a/src/src/pdkim/hash.c +++ /dev/null 
@@ -1,181 +0,0 @@ -/* - * PDKIM - a RFC4871 (DKIM) implementation - * - * Copyright (C) 2016 Exim maintainers - * - * Hash interface functions - */ - -#include "../exim.h" - -#ifndef DISABLE_DKIM /* entire file */ - -#ifndef SUPPORT_TLS -# error Need SUPPORT_TLS for DKIM -#endif - -#include "crypt_ver.h" - -#ifdef RSA_OPENSSL -# include <openssl/rsa.h> -# include <openssl/ssl.h> -# include <openssl/err.h> -#elif defined(RSA_GNUTLS) -# include <gnutls/gnutls.h> -# include <gnutls/x509.h> -# ifdef RSA_VERIFY_GNUTLS -# include <gnutls/abstract.h> -# endif -#endif - -#ifdef SHA_GNUTLS -# include <gnutls/crypto.h> -#endif - -#include "hash.h" - - -/******************************************************************************/ -#ifdef SHA_OPENSSL - -void -exim_sha_init(hctx * h, BOOL sha1) -{ -h->sha1 = sha1; -h->hashlen = sha1 ? 20 : 32; -if (h->sha1) - SHA1_Init (&h->u.sha1); -else - SHA256_Init(&h->u.sha2); -} - - -void -exim_sha_update(hctx * h, const uschar * data, int len) -{ -if (h->sha1) - SHA1_Update (&h->u.sha1, data, len); -else - SHA256_Update(&h->u.sha2, data, len); -} - - -void -exim_sha_finish(hctx * h, blob * b) -{ -b->data = store_get(b->len = h->hashlen); - -if (h->sha1) - SHA1_Final (b->data, &h->u.sha1); -else - SHA256_Final(b->data, &h->u.sha2); -} - - - -#elif defined(SHA_GNUTLS) -/******************************************************************************/ - -void -exim_sha_init(hctx * h, BOOL sha1) -{ -h->sha1 = sha1; -h->hashlen = sha1 ? 20 : 32; -gnutls_hash_init(&h->sha, sha1 ? 
GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256); -} - - -void -exim_sha_update(hctx * h, const uschar * data, int len) -{ -gnutls_hash(h->sha, data, len); -} - - -void -exim_sha_finish(hctx * h, blob * b) -{ -b->data = store_get(b->len = h->hashlen); -gnutls_hash_output(h->sha, b->data); -} - - - -#elif defined(SHA_GCRYPT) -/******************************************************************************/ - -void -exim_sha_init(hctx * h, BOOL sha1) -{ -h->sha1 = sha1; -h->hashlen = sha1 ? 20 : 32; -gcry_md_open(&h->sha, sha1 ? GCRY_MD_SHA1 : GCRY_MD_SHA256, 0); -} - - -void -exim_sha_update(hctx * h, const uschar * data, int len) -{ -gcry_md_write(h->sha, data, len); -} - - -void -exim_sha_finish(hctx * h, blob * b) -{ -b->data = store_get(b->len = h->hashlen); -memcpy(b->data, gcry_md_read(h->sha, 0), h->hashlen); -} - - - - -#elif defined(SHA_POLARSSL) -/******************************************************************************/ - -void -exim_sha_init(hctx * h, BOOL sha1) -{ -h->sha1 = sha1; -h->hashlen = sha1 ? 20 : 32; -if (h->sha1) - sha1_starts(&h->u.sha1); -else - sha2_starts(&h->u.sha2, 0); -} - - -void -exim_sha_update(hctx * h, const uschar * data, int len) -{ -if (h->sha1) - sha1_update(h->u.sha1, US data, len); -else - sha2_update(h->u.sha2, US data, len); -} - - -void -exim_sha_finish(hctx * h, blob * b) -{ -b->data = store_get(b->len = h->hashlen); - -if (h->sha1) - sha1_finish(h->u.sha1, b->data); -else - sha2_finish(h->u.sha2, b->data); -} - -#endif -/******************************************************************************/ - -/* Common to all library versions */ -int -exim_sha_hashlen(hctx * h) -{ -return h->sha1 ? 20 : 32; -} - - -#endif /*DISABLE_DKIM*/ -/* End of File */ diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index ab4973a78..29277baeb 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c 
@@ -562,7 +562,7 @@ DEBUG(D_acl) "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); } -exim_sha_init(&sig->body_hash, sig->algo == PDKIM_ALGO_RSA_SHA1); +exim_sha_init(&sig->body_hash, sig->algo == PDKIM_ALGO_RSA_SHA1 ? HASH_SHA1 : HASH_SHA256); return sig; } @@ -1296,7 +1296,7 @@ while (sig) hdata.data = NULL; hdata.len = 0; - exim_sha_init(&hhash_ctx, is_sha1); + exim_sha_init(&hhash_ctx, is_sha1 ? HASH_SHA1 : HASH_SHA256); DEBUG(D_acl) debug_printf( "PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>\n"); @@ -1608,7 +1608,7 @@ sig->selector = string_copy(US selector); sig->rsa_privkey = string_copy(US rsa_privkey); sig->algo = algo; -exim_sha_init(&sig->body_hash, algo == PDKIM_ALGO_RSA_SHA1); +exim_sha_init(&sig->body_hash, algo == PDKIM_ALGO_RSA_SHA1 ? HASH_SHA1 : HASH_SHA256); return ctx; } diff --git a/src/src/pdkim/pdkim.h b/src/src/pdkim/pdkim.h index 58f9c1353..ba984c1d9 100644 --- a/src/src/pdkim/pdkim.h +++ b/src/src/pdkim/pdkim.h @@ -23,8 +23,8 @@ #ifndef PDKIM_H #define PDKIM_H -#include "blob.h" -#include "hash.h" +#include "../blob.h" +#include "../hash.h" /* -------------------------------------------------------------------------- */ /* Length of the preallocated buffer for the "answer" from the dns/txt diff --git a/src/src/pdkim/pdkim_hash.h b/src/src/pdkim/pdkim_hash.h new file mode 100644 index 000000000..143cd19df --- /dev/null +++ b/src/src/pdkim/pdkim_hash.h 
@@ -0,0 +1,38 @@ +/* + * PDKIM - a RFC4871 (DKIM) implementation + * + * Copyright (C) 2016 Exim maintainers + * + * Hash interface functions + */ + +#include "../exim.h" + +#if !defined(HASH_H) /* entire file */ +#define HASH_H + +#ifndef SUPPORT_TLS +# error Need SUPPORT_TLS for DKIM +#endif + +#include "crypt_ver.h" +#include "../blob.h" +#include "../hash.h" + +#ifdef RSA_OPENSSL +# include <openssl/rsa.h> +# include <openssl/ssl.h> +# include <openssl/err.h> +#elif defined(RSA_GNUTLS) +# include <gnutls/gnutls.h> +# include <gnutls/x509.h> +#endif + +#if defined(SHA_OPENSSL) +# include "pdkim.h" +#elif defined(SHA_GCRYPT) +# include "pdkim.h" +#endif + +#endif +/* End of File */ diff --git a/src/src/pdkim/rsa.h b/src/src/pdkim/rsa.h index 32631fdac..6018eba64 100644 --- a/src/src/pdkim/rsa.h +++ b/src/src/pdkim/rsa.h @@ -25,7 +25,7 @@ # include <libtasn1.h> #endif -#include "blob.h" +#include "../blob.h" #ifdef RSA_OPENSSL diff --git a/src/src/readconf.c b/src/src/readconf.c index 63a164122..25ff58eb9 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -271,11 +271,6 @@ static optionlist optionlist_config[] = { #ifdef SUPPORT_TLS { "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 }, { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode }, - /* These three gnutls_require_* options stopped working in Exim 4.80 */ - /* From 4.83 we log a warning; a future relase will remove them */ - { "gnutls_require_kx", opt_stringptr, &gnutls_require_kx }, - { "gnutls_require_mac", opt_stringptr, &gnutls_require_mac }, - { "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto }, #endif { "header_line_maxsize", opt_int, &header_line_maxsize }, { "header_maxsize", opt_int, &header_maxsize }, 
@@ -3497,11 +3492,6 @@ if (openssl_options != NULL) "openssl_options parse error: %s", openssl_options); # endif } - -if (!nowarn && (gnutls_require_kx || gnutls_require_mac || gnutls_require_proto)) - log_write(0, LOG_MAIN, "WARNING: main options" - " gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols" - " are obsolete\n"); #endif /*SUPPORT_TLS*/ if (!nowarn && !keep_environment && environ && *environ) diff --git a/src/src/receive.c b/src/src/receive.c index 8e4384ae1..52e041c90 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -1123,16 +1123,17 @@ Returns: the extended string */ static uschar * -add_host_info_for_log(uschar *s, int *sizeptr, int *ptrptr) +add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr) { -if (sender_fullhost != NULL) +if (sender_fullhost) { + if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */ + s = string_cat(s, sizeptr, ptrptr, US" DS"); s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost); if (LOGGING(incoming_interface) && interface_address != NULL) { - uschar *ss = string_sprintf(" I=[%s]:%d", interface_address, - interface_port); - s = string_cat(s, sizeptr, ptrptr, ss); + s = string_cat(s, sizeptr, ptrptr, + string_sprintf(" I=[%s]:%d", interface_address, interface_port)); } } if (sender_ident != NULL) diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h new file mode 100644 index 000000000..fd1a4d083 --- /dev/null +++ b/src/src/sha_ver.h 
@@ -0,0 +1,35 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) Jeremy Harris 2016 */ +/* See the file NOTICE for conditions of use and distribution. */ + +/* SHA routine selection */ + +#include "exim.h" + +#ifdef SUPPORT_TLS + +# define EXIM_HAVE_SHA2 + +# ifdef USE_GNUTLS +# include <gnutls/gnutls.h> + +# if GNUTLS_VERSION_NUMBER >= 0x020a00 +# define SHA_GNUTLS +# if GNUTLS_VERSION_NUMBER >= 0x030500 +# define EXIM_HAVE_SHA3 +# endif +# else +# define SHA_GCRYPT +# endif + +# else +# define SHA_OPENSSL +# endif + +#else +# define SHA_NATIVE +#endif + diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 565f4b32e..53387011c 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1729,16 +1729,15 @@ while (done <= 0) /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a recipient address */ - recipient = ((rewrite_existflags & rewrite_smtp) != 0)? - rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"", - global_rewrite_rules) : smtp_cmd_data; + recipient = rewrite_existflags & rewrite_smtp + ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"", + global_rewrite_rules) + : smtp_cmd_data; - /* rfc821_domains = TRUE; << no longer needed */ recipient = parse_extract_address(recipient, &errmess, &start, &end, &recipient_domain, FALSE); - /* rfc821_domains = FALSE; << no longer needed */ - if (recipient == NULL) + if (!recipient) /* The function moan_smtp_batch() does not return. */ moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess); 
@@ -2837,14 +2836,18 @@ is closing if required and return 2. */ if (log_reject_target != 0) { #ifdef SUPPORT_TLS - uschar * s = s_tlslog(NULL, NULL, NULL); - if (!s) s = US""; + uschar * tls = s_tlslog(NULL, NULL, NULL); + if (!tls) tls = US""; #else - uschar * s = US""; + uschar * tls = US""; #endif - log_write(0, log_reject_target, "%s%s %s%srejected %s%s", - host_and_ident(TRUE), s, - sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg); + log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s", + LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"", + host_and_ident(TRUE), + tls, + sender_info, + rc == FAIL ? US"" : US"temporarily ", + what, log_msg); } if (!drop) return 0; @@ -3211,6 +3214,31 @@ return rc; + + +static int +qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag) +{ +int rd; +if (allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0) + { + DEBUG(D_receive) debug_printf("unqualified address %s accepted\n", + *recipient); + rd = Ustrlen(recipient) + 1; + *recipient = rewrite_address_qualify(*recipient, TRUE); + return rd; + } +smtp_printf("501 %s: recipient address must contain a domain\r\n", + smtp_cmd_data); +log_write(L_smtp_syntax_error, + LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s", + tag, *recipient, host_and_ident(TRUE), host_lookup_msg); +return 0; +} + + + + /************************************************* * Initialize for SMTP incoming message * *************************************************/ @@ -4097,13 +4125,11 @@ while (done <= 0) global_rewrite_rules) : smtp_cmd_data; - /* rfc821_domains = TRUE; << no longer needed */ raw_sender = parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain, TRUE); - /* rfc821_domains = FALSE; << no longer needed */ - if (raw_sender == NULL) + if (!raw_sender) { done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess); break; 
@@ -4348,16 +4374,13 @@ while (done <= 0) /* Apply SMTP rewriting then extract the working address. Don't allow "<>" as a recipient address */ - recipient = ((rewrite_existflags & rewrite_smtp) != 0)? - rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"", - global_rewrite_rules) : smtp_cmd_data; - - /* rfc821_domains = TRUE; << no longer needed */ - recipient = parse_extract_address(recipient, &errmess, &start, &end, - &recipient_domain, FALSE); - /* rfc821_domains = FALSE; << no longer needed */ + recipient = rewrite_existflags & rewrite_smtp + ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"", + global_rewrite_rules) + : smtp_cmd_data; - if (recipient == NULL) + if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end, + &recipient_domain, FALSE))) { done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess); rcpt_fail_count++; @@ -4376,27 +4399,12 @@ while (done <= 0) we must always qualify this address, regardless. */ if (recipient_domain == 0) - { - if (allow_unqualified_recipient || - strcmpic(recipient, US"postmaster") == 0) - { - DEBUG(D_receive) debug_printf("unqualified address %s accepted\n", - recipient); - recipient_domain = Ustrlen(recipient) + 1; - recipient = rewrite_address_qualify(recipient, TRUE); - } - else + if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data, + US"recipient"))) { rcpt_fail_count++; - smtp_printf("501 %s: recipient address must contain a domain\r\n", - smtp_cmd_data); - log_write(L_smtp_syntax_error, - LOG_MAIN|LOG_REJECT, "unqualified recipient rejected: " - "<%s> %s%s", recipient, host_and_ident(TRUE), - host_lookup_msg); break; } - } /* Check maximum allowed */ 
@@ -4582,18 +4590,26 @@ while (done <= 0) HAD(SCH_VRFY); - if(!(address = parse_extract_address(smtp_cmd_data, &errmess, &start, &end, - &recipient_domain, FALSE))) + if (!(address = parse_extract_address(smtp_cmd_data, &errmess, + &start, &end, &recipient_domain, FALSE))) + { smtp_printf("501 %s\r\n", errmess); + break; + } + + if (recipient_domain == 0) + if (!(recipient_domain = qualify_recipient(&address, smtp_cmd_data, + US"verify"))) + break; - else if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy, + if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy, &user_msg, &log_msg)) != OK) done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg); else { - uschar *s = NULL; + uschar * s = NULL; + address_item * addr = deliver_make_addr(address, FALSE); - address_item *addr = deliver_make_addr(address, FALSE); switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1, -1, -1, NULL, NULL, NULL)) { diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 45ee1017a..c7c6b2674 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1826,10 +1826,8 @@ state->fd_out = fileno(smtp_out); sigalrm_seen = FALSE; if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); do - { rc = gnutls_handshake(state->session); - } while ((rc == GNUTLS_E_AGAIN) || - (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)); +while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen); alarm(0); if (rc != GNUTLS_E_SUCCESS) diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 848a4ce21..3d12988e8 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c 
@@ -72,17 +72,6 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, final_timeout) }, { "gethostbyname", opt_bool, (void *)offsetof(smtp_transport_options_block, gethostbyname) }, -#ifdef SUPPORT_TLS - /* These are no longer honoured, as of Exim 4.80; for now, we silently - ignore; 4.83 will warn, and a later-still release will remove - these options, so that using them becomes an error. */ - { "gnutls_require_kx", opt_stringptr, - (void *)offsetof(smtp_transport_options_block, gnutls_require_kx) }, - { "gnutls_require_mac", opt_stringptr, - (void *)offsetof(smtp_transport_options_block, gnutls_require_mac) }, - { "gnutls_require_protocols", opt_stringptr, - (void *)offsetof(smtp_transport_options_block, gnutls_require_proto) }, -#endif { "helo_data", opt_stringptr, (void *)offsetof(smtp_transport_options_block, helo_data) }, { "hosts", opt_stringptr, @@ -257,9 +246,6 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* tls_crl */ NULL, /* tls_privatekey */ NULL, /* tls_require_ciphers */ - NULL, /* gnutls_require_kx */ - NULL, /* gnutls_require_mac */ - NULL, /* gnutls_require_proto */ NULL, /* tls_sni */ US"system", /* tls_verify_certificates */ EXIM_CLIENT_DH_DEFAULT_MIN_BITS, @@ -411,15 +397,6 @@ if (ob->hosts_override && ob->hosts != NULL) tblock->overrides_hosts = TRUE; for them, but do not do any lookups at this time. */ host_build_hostlist(&(ob->fallback_hostlist), ob->fallback_hosts, FALSE); - -#ifdef SUPPORT_TLS -if ( ob->gnutls_require_kx - || ob->gnutls_require_mac - || ob->gnutls_require_proto) - log_write(0, LOG_MAIN, "WARNING: smtp transport options" - " gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols" - " are obsolete\n"); -#endif } 
@@ -1215,6 +1192,13 @@ return FALSE; #ifdef EXPERIMENTAL_DANE +/* Lookup TLSA record for host/port. +Return: OK success with dnssec; DANE mode + DEFER Do not use this host now, may retry later + FAIL_FORCED No TLSA record; DANE not usable + FAIL Do not use this connection +*/ + int tlsa_lookup(const host_item * host, dns_answer * dnsa, BOOL dane_required) { @@ -1227,13 +1211,6 @@ const uschar * fullname = buffer; switch (dns_lookup(dnsa, buffer, T_TLSA, &fullname)) { - case DNS_AGAIN: - return DEFER; /* just defer this TLS'd conn */ - - default: - case DNS_FAIL: - return dane_required ? FAIL : DEFER; - case DNS_SUCCEED: if (!dns_is_secure(dnsa)) { @@ -1241,6 +1218,16 @@ switch (dns_lookup(dnsa, buffer, T_TLSA, &fullname)) return DEFER; } return OK; + + case DNS_AGAIN: + return DEFER; /* just defer this TLS'd conn */ + + case DNS_NOMATCH: + return dane_required ? FAIL : FAIL_FORCED; + + default: + case DNS_FAIL: + return dane_required ? FAIL : DEFER; } } #endif @@ -1542,17 +1529,16 @@ if (continue_hostname == NULL) if( dane_required || verify_check_given_host(&ob->hosts_try_dane, host) == OK ) - { - if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required)) != OK) + switch (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required)) { - set_errno_nohost(addrlist, ERRNO_DNSDEFER, - string_sprintf("DANE error: tlsa lookup %s", - rc == DEFER ? "DEFER" : "FAIL"), - rc, FALSE); - return rc; + case OK: dane = TRUE; break; + case FAIL_FORCED: break; + default: set_errno_nohost(addrlist, ERRNO_DNSDEFER, + string_sprintf("DANE error: tlsa lookup %s", + rc == DEFER ? "DEFER" : "FAIL"), + rc, FALSE); + return rc; } - dane = TRUE; - } } else if (dane_required) { 
@@ -1903,17 +1889,17 @@ if (tls_out.active >= 0) /* If the host is required to use a secure channel, ensure that we have one. */ -else if ( +else if ( smtps # ifdef EXPERIMENTAL_DANE - dane || + || dane # endif - verify_check_given_host(&ob->hosts_require_tls, host) == OK + || verify_check_given_host(&ob->hosts_require_tls, host) == OK ) { save_errno = ERRNO_TLSREQUIRED; message = string_sprintf("a TLS session is required, but %s", - tls_offered? "an attempt to start TLS failed" : - "the server did not offer TLS support"); + tls_offered ? "an attempt to start TLS failed" + : "the server did not offer TLS support"); goto TLS_FAILED; } #endif /*SUPPORT_TLS*/ @@ -3912,7 +3898,7 @@ If queue_smtp is set, or this transport was called to send a subsequent message down an existing TCP/IP connection, and something caused the host not to be found, we end up here, but can detect these cases and handle them specially. */ -for (addr = addrlist; addr != NULL; addr = addr->next) +for (addr = addrlist; addr; addr = addr->next) { /* If host is not NULL, it means that we stopped processing the host list because of hosts_max_try or hosts_max_try_hardlimit. In the former case, this @@ -3921,8 +3907,7 @@ for (addr = addrlist; addr != NULL; addr = addr->next) However, if we have hit hosts_max_try_hardlimit, we want to behave as if all hosts were tried. */ - if (host != NULL) - { + if (host) if (total_hosts_tried >= ob->hosts_max_try_hardlimit) { DEBUG(D_transport) @@ -3935,7 +3920,6 @@ for (addr = addrlist; addr != NULL; addr = addr->next) debug_printf("hosts_max_try limit caused some hosts to be skipped\n"); setflag(addr, af_retry_skipped); } - } if (queue_smtp) /* no deliveries attempted */ { 
@@ -3944,28 +3928,28 @@ for (addr = addrlist; addr != NULL; addr = addr->next) addr->message = US"SMTP delivery explicitly queued"; } - else if (addr->transport_return == DEFER && - (addr->basic_errno == ERRNO_UNKNOWNERROR || addr->basic_errno == 0) && - addr->message == NULL) + else if ( addr->transport_return == DEFER + && (addr->basic_errno == ERRNO_UNKNOWNERROR || addr->basic_errno == 0) + && !addr->message + ) { addr->basic_errno = ERRNO_HRETRY; - if (continue_hostname != NULL) - { + if (continue_hostname) addr->message = US"no host found for existing SMTP connection"; - } else if (expired) { setflag(addr, af_pass_message); /* This is not a security risk */ - addr->message = ob->delay_after_cutoff - ? US"retry time not reached for any host after a long failure period" - : US"all hosts have been failing for a long time and were last tried " - "after this message arrived"; + addr->message = string_sprintf( + "all hosts%s have been failing for a long time %s", + addr->domain ? string_sprintf(" for '%s'", addr->domain) : US"", + ob->delay_after_cutoff + ? US"(and retry time not reached)" + : US"and were last tried after this message arrived"); /* If we are already using fallback hosts, or there are no fallback hosts defined, convert the result to FAIL to cause a bounce. */ - if (addr->host_list == addr->fallback_hosts || - addr->fallback_hosts == NULL) + if (addr->host_list == addr->fallback_hosts || !addr->fallback_hosts) addr->transport_return = FAIL; } else diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 07b601a96..8583ab468 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -67,9 +67,6 @@ typedef struct { uschar *tls_crl; uschar *tls_privatekey; uschar *tls_require_ciphers; - uschar *gnutls_require_kx; - uschar *gnutls_require_mac; - uschar *gnutls_require_proto; uschar *tls_sni; uschar *tls_verify_certificates; int tls_dh_min_bits; diff --git a/test/confs/0420 b/test/confs/0420 index 242b00855..204e86e3c 100644 
--- a/test/confs/0420 +++ b/test/confs/0420 @@ -14,7 +14,9 @@ tls_advertise_hosts = primary_hostname = mail.test.ex qualify_domain = test.ex +queue_only acl_smtp_rcpt = accept +acl_smtp_data = accept logwrite = h: <$h_Received:> received_header_text = ${if eq{$sender_address}{x@y}{}{Received: some text}} diff --git a/test/confs/0574 b/test/confs/0574 new file mode 100644 index 000000000..6b869514a --- /dev/null +++ b/test/confs/0574 @@ -0,0 +1,34 @@ +# Exim test configuration 0574 + +exim_path = EXIM_PATH +keep_environment = +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +tls_advertise_hosts = + +# ----- Main settings ----- + +acl_smtp_mail = chk_mail +acl_smtp_rcpt = chk_rcpt +acl_smtp_data = chk_data + +queue_only + +# ----- ACL ----- + +begin acl + +chk_mail: + accept control = debug/tag=_1 + +chk_rcpt: + accept control = debug/kill + +chk_data: + accept control = debug/tag=_2/opts=+all + +# End diff --git a/test/confs/0575 b/test/confs/0575 new file mode 100644 index 000000000..d629e818d --- /dev/null +++ b/test/confs/0575 @@ -0,0 +1,19 @@ +# Exim test configuration 0575 + +exim_path = EXIM_PATH +keep_environment = +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +tls_advertise_hosts = + +# ----- Main settings ----- + +primary_hostname = mail.test.ex +qualify_domain = test.ex + +acl_smtp_rcpt = accept + +# End diff --git a/test/confs/2034 b/test/confs/2034 new file mode 120000 index 000000000..6d0f5c2f1 --- /dev/null +++ b/test/confs/2034 @@ -0,0 +1 @@ +2006
\ No newline at end of file diff --git a/test/confs/4804 b/test/confs/4804 new file mode 100644 index 000000000..a1ba90dd1 --- /dev/null +++ b/test/confs/4804 @@ -0,0 +1,50 @@ +# Exim test configuration 4804 + +SERVER= +OPT= + +exim_path = EXIM_PATH +keep_environment = +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +timezone = UTC + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = OPT +tls_advertise_hosts = : + +# ------ ACL ------ + +begin acl + +# ----- Routers ----- + +begin routers + +server: + condition = ${if eq {SERVER}{server} {yes}{no}} + driver = redirect + data = :blackhole: + +client: + driver = dnslookup + dnssec_request_domains = * + self = send + transport = send_to_server + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + port = PORT_D + +# End diff --git a/test/log/0420 b/test/log/0420 new file mode 100644 index 000000000..fc68727c1 --- /dev/null +++ b/test/log/0420 @@ -0,0 +1,5 @@ +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaX-0005vi-00 h: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 <= x@y H=(client.test.ex) [127.0.0.1] P=smtp S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 h: <some text; Tue, 2 Mar 1999 09:44:33 +0000> +1999-03-02 09:44:33 10HmaY-0005vi-00 <= a@b H=(client.test.ex) [127.0.0.1] P=smtp S=sss diff --git a/test/log/0461 b/test/log/0461 index 49370d558..840265f82 100644 --- a/test/log/0461 +++ b/test/log/0461 
@@ -11,7 +11,7 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 ** userx@test.ex R=r1 T=t1: retry time not reached for any host after a long failure period +1999-03-02 09:44:33 10HmbA-0005vi-00 ** userx@test.ex R=r1 T=t1: all hosts for 'test.ex' have been failing for a long time (and retry time not reached) 1999-03-02 09:44:33 10HmbB-0005vi-00 <= <> R=10HmbA-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER <CALLER@test.ex> R=r0 T=t2 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed @@ -29,7 +29,7 @@ 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbE-0005vi-00 ** userx@test.ex R=r1 T=t1: retry time not reached for any host after a long failure period +1999-03-02 09:44:33 10HmbE-0005vi-00 ** userx@test.ex R=r1 T=t1: all hosts for 'test.ex' have been failing for a long time (and retry time not reached) 1999-03-02 09:44:33 10HmbF-0005vi-00 <= <> R=10HmbE-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER <CALLER@test.ex> R=r0 T=t2 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed diff --git a/test/log/0574 b/test/log/0574 new file mode 100644 index 000000000..f26f757fc --- /dev/null +++ b/test/log/0574 @@ -0,0 +1,4 @@ + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaX-0005vi-00 <= tester@test.ex H=(test.ex) [127.0.0.1] P=esmtp S=sss diff --git a/test/log/2034 b/test/log/2034 new file mode 100644 index 000000000..f59667e7a --- /dev/null +++ b/test/log/2034 
@@ -0,0 +1,4 @@ +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [127.0.0.1] (gnutls_handshake): timed out +1999-03-02 09:44:33 SMTP command timeout on connection from (rhu.barb) [127.0.0.1] +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [127.0.0.1] (gnutls_handshake): An unexpected TLS packet was received. diff --git a/test/log/4804 b/test/log/4804 new file mode 100644 index 000000000..c7ae7058e --- /dev/null +++ b/test/log/4804 
@@ -0,0 +1,19 @@ +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nologging@l-sec.test.ex> R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaX-0005vi-00 => nologging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <withlogging@l-sec.test.ex> R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => withlogging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex DS [127.0.0.1] C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <withlogging@thishost.test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 => withlogging@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed diff --git a/test/log/5840 b/test/log/5840 index 4e45703ca..65666a14a 100644 --- a/test/log/5840 +++ b/test/log/5840 
@@ -33,8 +33,10 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL 1999-03-02 09:44:33 10HmbI-0005vi-00 CALLER@dane.no.1.test.ex: error ignored 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed -1999-03-02 09:44:33 10HmbJ-0005vi-00 H=dane.no.2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER -1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" +1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbK-0005vi-00" +1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** @@ -58,3 +60,6 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbK-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex +1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: <CALLER@dane.no.2.test.ex> R=server +1999-03-02 09:44:33 10HmbK-0005vi-00 Completed diff --git a/test/mail/0461.CALLER b/test/mail/0461.CALLER index 35a3ff77a..7321dd6db 100644 --- a/test/mail/0461.CALLER +++ b/test/mail/0461.CALLER 
@@ -21,7 +21,7 @@ A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: userx@test.ex - retry time not reached for any host after a long failure period + all hosts for 'test.ex' have been failing for a long time (and retry time not reached) --NNNNNNNNNN-eximdsn-MMMMMMMMMM Content-type: message/delivery-status @@ -121,7 +121,7 @@ A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: userx@test.ex - retry time not reached for any host after a long failure period + all hosts for 'test.ex' have been failing for a long time (and retry time not reached) --NNNNNNNNNN-eximdsn-MMMMMMMMMM Content-type: message/delivery-status diff --git a/test/msglog/0420.10HmaX-0005vi-00 b/test/msglog/0420.10HmaX-0005vi-00 index b14f9b1e9..518070603 100644 --- a/test/msglog/0420.10HmaX-0005vi-00 +++ b/test/msglog/0420.10HmaX-0005vi-00 @@ -1 +1 @@ -1999-03-02 09:44:33 Received from x@y H=[V4NET.0.0.0] P=smtp S=sss +1999-03-02 09:44:33 Received from x@y H=(client.test.ex) [127.0.0.1] P=smtp S=sss diff --git a/test/msglog/0420.10HmaY-0005vi-00 b/test/msglog/0420.10HmaY-0005vi-00 index 6c25e0e5d..532c7a67a 100644 --- a/test/msglog/0420.10HmaY-0005vi-00 +++ b/test/msglog/0420.10HmaY-0005vi-00 @@ -1 +1 @@ -1999-03-02 09:44:33 Received from a@b H=[V4NET.0.0.0] P=smtp S=sss +1999-03-02 09:44:33 Received from a@b H=(client.test.ex) [127.0.0.1] P=smtp S=sss diff --git a/test/runtest b/test/runtest index fb93d8de3..6cb90fb7d 100755 --- a/test/runtest +++ b/test/runtest 
@@ -653,6 +653,9 @@ RESET_AFTER_EXTRA_LINE_READ: s/waiting for children of \d+/waiting for children of pppp/; s/waiting for (\S+) \(\d+\)/waiting for $1 (pppp)/; + # The spool header file name varies with PID + s%^(Writing spool header file: .*/hdr).[0-9]{1,5}%$1.pppp%; + # ======== Port numbers ======== # Incoming port numbers may vary, but not in daemon startup line. @@ -1021,9 +1024,6 @@ RESET_AFTER_EXTRA_LINE_READ: # Environment cleaning next if /\w+ in keep_environment\? (yes|no)/; - # The spool header file name varies with PID - s%^(Writing spool header file: .*/hdr).[0-9]{1,5}%$1.pppp%; - # When Exim is checking the size of directories for maildir, it uses # the check_dir_size() function to scan directories. Of course, the order # of the files that are obtained using readdir() varies from system to @@ -1417,6 +1417,10 @@ $munges = { 'mainlog' => 's/^(.* SMTP protocol synchronization error .* next input=.{8}).*$/$1<suppressed>/', 'rejectlog' => 's/^(.* SMTP protocol synchronization error .* next input=.{8}).*$/$1<suppressed>/'}, + 'debuglog_stdout' => + { 'stdout' => 's/^\d\d:\d\d:\d\d\s+\d+ //; + s/Process \d+ is ready for new message/Process pppp is ready for new message/' + }, }; diff --git a/test/scripts/0000-Basic/0041 b/test/scripts/0000-Basic/0041 index 3495375cb..0f8cdb3b5 100644 --- a/test/scripts/0000-Basic/0041 +++ b/test/scripts/0000-Basic/0041 @@ -2,6 +2,8 @@ exim -bh 1.1.1.1 vrfy userx@test.ex vrfy hardfail@test.ex +vrfy unqual +vrfy expn postmaster quit **** diff --git a/test/scripts/0000-Basic/0420 b/test/scripts/0000-Basic/0420 index c61a23d1e..2f7fe4998 100644 --- a/test/scripts/0000-Basic/0420 +++ b/test/scripts/0000-Basic/0420 
@@ -1,14 +1,31 @@ # received_header_text -exim -d -bh V4NET.0.0.0 +exim -bd -DSERVER=server -oX PORT_D +**** +# +client 127.0.0.1 PORT_D +??? 220 +helo client.test.ex +??? 250 mail from:<x@y> +??? 250 rcpt to:<x@y> +??? 250 data +??? 354 Message. . +??? 250 mail from:<a@b> +??? 250 rcpt to:<x@y> +??? 250 data +??? 354 Message. . +??? 250 quit +??? 221 **** +# +killdaemon diff --git a/test/scripts/0000-Basic/0574 b/test/scripts/0000-Basic/0574 new file mode 100644 index 000000000..6784bde56 --- /dev/null +++ b/test/scripts/0000-Basic/0574 @@ -0,0 +1,37 @@ +# debug logging ACL modifier +munge debuglog_stdout +# +exim -DSERVER=server -bd -oX PORT_D +**** +# +client 127.0.0.1 PORT_D +??? 220 +EHLO test.ex +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +MAIL FROM:<tester@test.ex> +??? 250 +RCPT TO:<dest@test.ex> +??? 250 +DATA +??? 354 +Subject: test + +body +. +??? 250 +QUIT +??? 221 +**** +# +killdaemon +# +1 +cat DIR/spool/log/serverdebuglog_1 +# +cat DIR/spool/log/serverdebuglog_2 +# +no_msglog_check diff --git a/test/scripts/0000-Basic/0575 b/test/scripts/0000-Basic/0575 new file mode 100644 index 000000000..e4534af9b --- /dev/null +++ b/test/scripts/0000-Basic/0575 @@ -0,0 +1,10 @@ +# -bh and msglog +# no logfiles, says the docs +exim -d -bh V4NET.0.0.0 +mail from:<x@y> +rcpt to:<x@y> +data +Message. +. +quit +**** diff --git a/test/scripts/2000-GnuTLS/2000 b/test/scripts/2000-GnuTLS/2000 index a1299e574..8717892f2 100644 --- a/test/scripts/2000-GnuTLS/2000 +++ b/test/scripts/2000-GnuTLS/2000 @@ -13,3 +13,16 @@ exim -qf **** killdaemon no_msglog_check +# +# +exim -be +sha256: ${sha256:} +sha256: ${sha256:abc} + +sha3: ${sha3:} +sha3: ${sha3:abc} +sha3_256: ${sha3_256:} +sha3_256: ${sha3_256:abc} +sha3_512: ${sha3_512:} +sha3_512: ${sha3_512:abc} +**** diff --git a/test/scripts/2000-GnuTLS/2034 b/test/scripts/2000-GnuTLS/2034 new file mode 100644 index 000000000..b03c60d93 --- /dev/null +++ b/test/scripts/2000-GnuTLS/2034 
@@ -0,0 +1,34 @@ +# TLS server: error in TLS session startup +gnutls +exim -DSERVER=server -bd -oX PORT_D +**** +# timeout case +client 127.0.0.1 PORT_D +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 ++++ 3 +**** +# +# bad TLS negotiation case +client 127.0.0.1 PORT_D +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +bogus +**** +killdaemon diff --git a/test/scripts/2100-OpenSSL/2100 b/test/scripts/2100-OpenSSL/2100 index c2b0f8981..27c6c84d6 100644 --- a/test/scripts/2100-OpenSSL/2100 +++ b/test/scripts/2100-OpenSSL/2100 @@ -8,3 +8,9 @@ exim -qf **** killdaemon no_msglog_check +# +# +exim -be +sha256: ${sha256:} +sha256: ${sha256:abc} +**** diff --git a/test/scripts/4800-dnssec-dnslookup/4804 b/test/scripts/4800-dnssec-dnslookup/4804 new file mode 100644 index 000000000..ea4f2dec0 --- /dev/null +++ b/test/scripts/4800-dnssec-dnslookup/4804 @@ -0,0 +1,11 @@ +# dnssec log_selector (client) +exim -DSERVER=server -bd -oX PORT_D +**** +exim -DOPT= -odf nologging@l-sec.test.ex +**** +exim -DOPT=+dnssec -odf withlogging@l-sec.test.ex +**** +exim -DOPT=+dnssec -odf withlogging@thishost.test.ex +**** +killdaemon +no_msglog_check diff --git a/test/src/cf.c b/test/src/cf.c index 1fce2e351..2b982f10f 100644 --- a/test/src/cf.c +++ b/test/src/cf.c @@ -41,6 +41,7 @@ Translated back into C, March 1990! */ #define version 8 #define defaultstore 100000 /* default recovery buffer size */ #define minstore 500 /* minimum recovery buffer size */ +#define SHOWMAX 20 /* maximum number of diff lines to display */ /* ----- misc defines ----- */ 
@@ -258,11 +259,11 @@ else if (t1 < 0 && t2 < 0) if (echo) { rule('-', 10); - if (-t1-s1 < 21) write_lines(rootline_one, tline_one); - else fprintf(f_out, "... <more than 20 lines> ...\n"); + if (-t1-s1 < SHOWMAX+1) write_lines(rootline_one, tline_one); + else fprintf(f_out, "... <more than %d lines> ...\n", SHOWMAX); rule('-', 10); - if (-t2-s2 < 21) write_lines(rootline_two, tline_two); - else fprintf(f_out, "... <more than 20 lines> ...\n"); + if (-t2-s2 < SHOWMAX+1) write_lines(rootline_two, tline_two); + else fprintf(f_out, "... <more than %d lines> ...\n", SHOWMAX); } } diff --git a/test/stderr/0420 b/test/stderr/0420 index 42f303134..045fadc9b 100644 --- a/test/stderr/0420 +++ b/test/stderr/0420 
@@ -1,84 +1,2 @@ -Exim version x.yz .... -changed uid/gid: forcing real = effective - uid=uuuu gid=CALLER_GID pid=pppp -configuration file is TESTSUITE/test-config -admin user -changed uid/gid: privilege not needed - uid=EXIM_UID gid=EXIM_GID pid=pppp -originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME -sender address = CALLER@test.ex -sender_fullhost = [V4NET.0.0.0] -sender_rcvhost = [V4NET.0.0.0] -host in hosts_connection_nolog? no (option unset) -LOG: smtp_connection MAIN - SMTP connection from [V4NET.0.0.0] -host in host_lookup? no (option unset) -set_process_info: pppp handling incoming connection from [V4NET.0.0.0] -host in host_reject_connection? no (option unset) -host in sender_unqualified_hosts? no (option unset) -host in recipient_unqualified_hosts? no (option unset) -host in helo_verify_hosts? no (option unset) -host in helo_try_verify_hosts? no (option unset) -host in helo_accept_junk_hosts? no (option unset) -SMTP>> 220 mail.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 -smtp_setup_msg entered -SMTP<< mail from:<x@y> -SMTP>> 250 OK -SMTP<< rcpt to:<x@y> -processing "accept" -accept: condition test succeeded in inline ACL -end of inline ACL: ACCEPT -SMTP>> 250 Accepted -DSN: orcpt: NULL flags: 0 -SMTP<< data -SMTP>> 354 Enter message, ending with "." on a line by itself -search_tidyup called -host in ignore_fromline_hosts? 
no (option unset) ->>Headers received: -search_tidyup called ->>Headers after rewriting and local additions: - -Data file name: TESTSUITE/spool//input//10HmaX-0005vi-00-D -Data file written for message 10HmaX-0005vi-00 ->>Generated Received: header line -* Received: ; Tue, 2 Mar 1999 09:44:33 +0000 -calling local_scan(); timeout=300 -local_scan() returned 0 NULL -LOG: MAIN - <= x@y H=[V4NET.0.0.0] P=smtp S=sss -SMTP>> 250 OK id=10HmaX-0005vi-00 -smtp_setup_msg entered -SMTP<< mail from:<a@b> -SMTP>> 250 OK -SMTP<< rcpt to:<x@y> -processing "accept" -accept: condition test succeeded in inline ACL -end of inline ACL: ACCEPT -SMTP>> 250 Accepted -DSN: orcpt: NULL flags: 0 -SMTP<< data -SMTP>> 354 Enter message, ending with "." on a line by itself -search_tidyup called -host in ignore_fromline_hosts? no (option unset) ->>Headers received: - -search_tidyup called ->>Headers after rewriting and local additions: - -Data file name: TESTSUITE/spool//input//10HmaY-0005vi-00-D -Data file written for message 10HmaY-0005vi-00 ->>Generated Received: header line -P Received: some text; Tue, 2 Mar 1999 09:44:33 +0000 -calling local_scan(); timeout=300 -local_scan() returned 0 NULL -LOG: MAIN - <= a@b H=[V4NET.0.0.0] P=smtp S=sss -SMTP>> 250 OK id=10HmaY-0005vi-00 -smtp_setup_msg entered -SMTP<< quit -SMTP>> 221 mail.test.ex closing connection -LOG: smtp_connection MAIN - SMTP connection from [V4NET.0.0.0] closed by QUIT -search_tidyup called ->>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> +******** SERVER ******** diff --git a/test/stderr/0574 b/test/stderr/0574 new file mode 100644 index 000000000..0d94be4e8 --- /dev/null +++ b/test/stderr/0574 @@ -0,0 +1,3 @@ +cat: TESTSUITE/spool/log/serverdebuglog_1: No such file or directory + +******** SERVER ******** diff --git a/test/stderr/0575 b/test/stderr/0575 new file mode 100644 index 000000000..fb8282a6a --- /dev/null +++ b/test/stderr/0575 
@@ -0,0 +1,61 @@ +Exim version x.yz .... +changed uid/gid: forcing real = effective + uid=uuuu gid=CALLER_GID pid=pppp +configuration file is TESTSUITE/test-config +admin user +changed uid/gid: privilege not needed + uid=EXIM_UID gid=EXIM_GID pid=pppp +originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME +sender address = CALLER@test.ex +sender_fullhost = [V4NET.0.0.0] +sender_rcvhost = [V4NET.0.0.0] +host in hosts_connection_nolog? no (option unset) +LOG: smtp_connection MAIN + SMTP connection from [V4NET.0.0.0] +host in host_lookup? no (option unset) +set_process_info: pppp handling incoming connection from [V4NET.0.0.0] +host in host_reject_connection? no (option unset) +host in sender_unqualified_hosts? no (option unset) +host in recipient_unqualified_hosts? no (option unset) +host in helo_verify_hosts? no (option unset) +host in helo_try_verify_hosts? no (option unset) +host in helo_accept_junk_hosts? no (option unset) +SMTP>> 220 mail.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +smtp_setup_msg entered +SMTP<< mail from:<x@y> +SMTP>> 250 OK +SMTP<< rcpt to:<x@y> +processing "accept" +accept: condition test succeeded in inline ACL +end of inline ACL: ACCEPT +SMTP>> 250 Accepted +DSN: orcpt: NULL flags: 0 +SMTP<< data +SMTP>> 354 Enter message, ending with "." on a line by itself +search_tidyup called +host in ignore_fromline_hosts? 
no (option unset) +>>Headers received: + +search_tidyup called +>>Headers after rewriting and local additions: + +Data file name: TESTSUITE/spool//input//10HmaX-0005vi-00-D +Data file written for message 10HmaX-0005vi-00 +>>Generated Received: header line +P Received: from [V4NET.0.0.0] + by mail.test.ex with smtp (Exim x.yz) + (envelope-from <x@y>) + id 10HmaX-0005vi-00 + for x@y; Tue, 2 Mar 1999 09:44:33 +0000 +calling local_scan(); timeout=300 +local_scan() returned 0 NULL +LOG: MAIN + <= x@y H=[V4NET.0.0.0] P=smtp S=sss +SMTP>> 250 OK id=10HmaX-0005vi-00 +smtp_setup_msg entered +SMTP<< quit +SMTP>> 221 mail.test.ex closing connection +LOG: smtp_connection MAIN + SMTP connection from [V4NET.0.0.0] closed by QUIT +search_tidyup called +>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> diff --git a/test/stdout/0041 b/test/stdout/0041 index b88c93ac7..6b22865b0 100644 --- a/test/stdout/0041 +++ b/test/stdout/0041 @@ -6,6 +6,8 @@ 220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
252 Administrative prohibition
599 custom reject
+501 unqual: recipient address must contain a domain
+501 empty address
550 Administrative prohibition
221 the.local.host.name closing connection
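Review bot: `vrfy expn postmaster` in test/scripts/0000-Basic/0041 reads like two SMTP commands run onto one line. The expected reply added here, `501 empty address`, shows the server parsing `expn postmaster` as a malformed VRFY argument rather than exercising EXPN at all. If the intent is to cover EXPN, put `expn postmaster` on its own line and add the matching expected reply; if the intent really is the 501 path, a comment in the script saying so would stop the next person from "fixing" it.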
diff --git a/test/stdout/0420 b/test/stdout/0420 index 56c57b692..1d78c1d2d 100644 --- a/test/stdout/0420 +++ b/test/stdout/0420 @@ -1,21 +1,36 @@ - -**** SMTP testing session as if from host V4NET.0.0.0 -**** but without any ident (RFC 1413) callback. -**** This is not for real! - -220 mail.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
-250 OK
-250 Accepted
-354 Enter message, ending with "." on a line by itself
-250 OK id=10HmaX-0005vi-00
- -**** SMTP testing: that is not a real message id! - -250 OK
-250 Accepted
-354 Enter message, ending with "." on a line by itself
-250 OK id=10HmaY-0005vi-00
- -**** SMTP testing: that is not a real message id! - -221 mail.test.ex closing connection
+Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 mail.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> helo client.test.ex +??? 250 +<<< 250 mail.test.ex Hello client.test.ex [127.0.0.1] +>>> mail from:<x@y> +??? 250 +<<< 250 OK +>>> rcpt to:<x@y> +??? 250 +<<< 250 Accepted +>>> data +??? 354 +<<< 354 Enter message, ending with "." on a line by itself +>>> Message. +>>> . +??? 250 +<<< 250 OK id=10HmaX-0005vi-00 +>>> mail from:<a@b> +??? 250 +<<< 250 OK +>>> rcpt to:<x@y> +??? 250 +<<< 250 Accepted +>>> data +??? 354 +<<< 354 Enter message, ending with "." on a line by itself +>>> Message. +>>> . +??? 250 +<<< 250 OK id=10HmaY-0005vi-00 +>>> quit +??? 221 +<<< 221 mail.test.ex closing connection +End of script diff --git a/test/stdout/0574 b/test/stdout/0574 new file mode 100644 index 000000000..aea0754b7 --- /dev/null +++ b/test/stdout/0574 
@@ -0,0 +1,61 @@ +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> EHLO test.ex +??? 250- +<<< 250-myhost.test.ex Hello test.ex [127.0.0.1] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250 +<<< 250 HELP +>>> MAIL FROM:<tester@test.ex> +??? 250 +<<< 250 OK +>>> RCPT TO:<dest@test.ex> +??? 250 +<<< 250 Accepted +>>> DATA +??? 354 +<<< 354 Enter message, ending with "." on a line by itself +>>> Subject: test +>>> +>>> body +>>> . +??? 250 +<<< 250 OK id=10HmaX-0005vi-00 +>>> QUIT +??? 221 +<<< 221 myhost.test.ex closing connection +End of script +accept: condition test succeeded in ACL "chk_data" +end of ACL "chk_data": ACCEPT +calling local_scan(); timeout=300 +local_scan() returned 0 NULL +considering: ${tod_full} + expanding: ${tod_full} + result: Tue, 2 Mar 1999 09:44:33 +0000 +Writing spool header file: TESTSUITE/spool//input//hdr.pppp +DSN: Write SPOOL :-dsn_envid NULL +DSN: Write SPOOL :-dsn_ret 0 +DSN: Flags :0 +DSN: **** SPOOL_OUT - address: |dest@test.ex| errorsto: |NULL| orcpt: |NULL| dsn_flags: 0 +Renaming spool header file: TESTSUITE/spool//input//10HmaX-0005vi-00-H +Size of headers = sss +LOG: MAIN + <= tester@test.ex H=(test.ex) [127.0.0.1] P=esmtp S=sss +SMTP>> 250 OK id=10HmaX-0005vi-00 +search_tidyup called +Sender: tester@test.ex +Recipients: + dest@test.ex +Process pppp is ready for new message +smtp_setup_msg entered +SMTP<< QUIT +SMTP>> 221 myhost.test.ex closing connection +LOG: smtp_connection MAIN + SMTP connection from (test.ex) [127.0.0.1] closed by QUIT +search_tidyup called diff --git a/test/stdout/0575 b/test/stdout/0575 new file mode 100644 index 000000000..d7ad1f324 --- /dev/null +++ b/test/stdout/0575 
@@ -0,0 +1,14 @@ + +**** SMTP testing session as if from host V4NET.0.0.0 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 mail.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaX-0005vi-00
+ +**** SMTP testing: that is not a real message id! + +221 mail.test.ex closing connection
diff --git a/test/stdout/2000 b/test/stdout/2000 new file mode 100644 index 000000000..2279f2e7d --- /dev/null +++ b/test/stdout/2000 @@ -0,0 +1,10 @@ +> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 +> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD +> +> Failed: sha3 only supported with GnuTLS 3.5.0 + +> Failed: sha3 only supported with GnuTLS 3.5.0 + +> Failed: sha3 only supported with GnuTLS 3.5.0 + +> Failed: sha3 only supported with GnuTLS 3.5.0 + +> Failed: sha3 only supported with GnuTLS 3.5.0 + +> Failed: sha3 only supported with GnuTLS 3.5.0 + +> diff --git a/test/stdout/2034 b/test/stdout/2034 new file mode 100644 index 000000000..94531616d --- /dev/null +++ b/test/stdout/2034 @@ -0,0 +1,42 @@ +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 220 +<<< 220 TLS go ahead ++++ 3 +End of script +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 220 +<<< 220 TLS go ahead +>>> bogus +End of script diff --git a/test/stdout/2100 b/test/stdout/2100 new file mode 100644 index 000000000..effaada83 --- /dev/null +++ b/test/stdout/2100 @@ -0,0 +1,3 @@ +> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 +> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD +> |
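Review bot: the `/* This is not a security risk */` comment next to `setflag(addr, af_pass_message)` in the src/src/transports/smtp.c hunk now covers a message that embeds caller data, since `addr->message` is built with a nested `string_sprintf(" for '%s'", addr->domain)`. af_pass_message lets that text reach the bounce sent to the originator (see the changed test/mail/0461.CALLER), so the comment should say why that is still fine (the domain is the one the sender supplied in the recipient address, nothing learned from the remote host). Note also that the new test logs in test/log/0461 only exercise the `ob->delay_after_cutoff` branch, `(and retry time not reached)`; the `and were last tried after this message arrived` wording has no expected-output coverage in this commit.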
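Review bot: the src/src/transports/smtp.h hunk drops `gnutls_require_kx`, `gnutls_require_mac` and `gnutls_require_proto` from the smtp transport options struct, but the option-table entries and spec.xfpt text that refer to those members are not among the hunks shown here. Confirm they go in the same commit: a leftover entry in the transport's option list would no longer compile against this struct, and a leftover doc entry would advertise options that are silently gone.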
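Review bot: the test/log/5840 hunk changes the expected outcome for message 10HmbJ from a defer on `DANE error: tlsa lookup DEFER` to a completed delivery to dane.no.2.test.ex with `CV=no`, preceded by two `SSL verify error` lines (self-signed certificate, name mismatch). In other words, a TLSA lookup that defers now falls back to an unverified, non-DANE TLS session instead of holding the message for retry. If that is the intended try-DANE semantics, the commit message and the spec need to state it explicitly, because it turns a transient DNS failure during the TLSA lookup into a downgrade to opportunistic TLS; if it is not intended, this expected log is masking a regression rather than testing a feature.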
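Review bot: in the test/runtest hunks the relocated munge `s%^(Writing spool header file: .*/hdr).[0-9]{1,5}%$1.pppp%;` leaves the `.` between `hdr)` and the PID unescaped, so it matches any character; it should be `\.` so that only `hdr.NNNNN` is rewritten. The new `'debuglog_stdout'` entry, which strips `^\d\d:\d\d:\d\d\s+\d+ ` and normalises `Process \d+ is ready for new message`, is what test/stdout/0574 depends on; a one-line comment above it saying it is for ACL `control = debug` output captured on stdout would help, since the other entries in `$munges` are self-describing.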
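Review bot: test/stdout/2000 hard-codes `Failed: sha3 only supported with GnuTLS 3.5.0` for all six `${sha3...}` lines, so this test fails on any build linked against GnuTLS 3.5.0 or later, where the documented sha3 support is active and each line would print a hash of the requested length instead. The sha3 part needs either a feature-conditional in the script or its own test number with a matching expected output. Two smaller points: the error text should read `3.5.0 or later` to match the spec.xfpt wording in this same commit, and the two sha256 lines are correct (E3B0C442...B855 and BA7816BF...15AD are the standard SHA-256 digests of the empty string and of `abc`), which also gives test/stdout/2100 its expected values.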
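Review bot: test/scripts/0000-Basic/0574 and test/confs/0574 exercise `control = debug/tag=_1`, then `control = debug/kill`, then `control = debug/tag=_2/opts=+all`, and the expected stderr confirms the kill by showing `cat: TESTSUITE/spool/log/serverdebuglog_1: No such file or directory`. The bare `1` line before the first `cat` in the script appears to be the runtest convention for an expected non-zero exit status; a short comment in the script (`# _1 was removed by debug/kill`) would make the intent obvious, since a reader otherwise sees a missing file being reported as success.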
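Review bot: in the test/src/cf.c hunk, `if (-t1-s1 < SHOWMAX+1)` and `if (-t2-s2 < SHOWMAX+1)` would read more naturally as `<= SHOWMAX`, which also matches the `<more than %d lines>` message printed in the else branch. Introducing `SHOWMAX` in place of the literal 21/20 pair is otherwise the right fix.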