returns the SHA-1 hash fingerprint of the certificate.
-.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.vitem &*${sha256:*&<&'string'&>&*}*&
.cindex "SHA-256 hash"
.cindex certificate fingerprint
.cindex "expansion" "SHA-256 hashing"
.cindex "&%sha256%& expansion item"
-The &%sha256%& operator computes the SHA-256 hash fingerprint of the
-certificate,
+.new
+The &%sha256%& operator computes the SHA-256 hash value of the string
and returns
it as a 64-digit hexadecimal number, in which any letters are in upper case.
-Only arguments which are a single variable of certificate type are supported.
+.wen
+
+If the string is a single variable of type certificate,
+returns the SHA-256 hash fingerprint of the certificate.
.vitem &*${stat:*&<&'string'&>&*}*&
JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
+JH/10 Support ${sha256:} applied to a string (as well as the previous
+ certificate).
+
Exim version 4.87
-----------------
now have the list separator specified.
JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
- option values.
+ option values.
JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
under OpenSSL.
JH/24 Verification callouts now attempt to use TLS by default.
-HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
+HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
are generic router options now. The defaults didn't change.
JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
Analysis and variant patch by Todd Lyons.
NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
- Bug report from Lars Müller <lars@samba.org> (via SUSE),
+ Bug report from Lars Müller <lars@samba.org> (via SUSE),
Patch from Dirk Mueller <dmueller@suse.com>
PP/13 tls_peerdn now print-escaped for spool files.
checking for them individually. */
if (!isalpha(name[0]) && yield != NULL)
- {
if (sub[i][0] == 0)
{
num[i] = 0;
num[i] = expanded_string_integer(sub[i], FALSE);
if (expand_string_message != NULL) return NULL;
}
- }
}
/* Result not required */
uschar digest[16];
md5_start(&base);
- md5_end(&base, (uschar *)sub[0], Ustrlen(sub[0]), digest);
+ md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
/* If the length that we are comparing against is 24, the MD5 digest
is expressed as a base64 string. This is the way LDAP does it. However,
if (sublen == 24)
{
- uschar *coded = b64encode((uschar *)digest, 16);
+ uschar *coded = b64encode(digest, 16);
DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
" subject=%s\n crypted=%s\n", coded, sub[1]+5);
tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
uschar digest[20];
sha1_start(&h);
- sha1_end(&h, (uschar *)sub[0], Ustrlen(sub[0]), digest);
+ sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
/* If the length that we are comparing against is 28, assume the SHA1
digest is expressed as a base64 string. If the length is 40, assume a
if (sublen == 28)
{
- uschar *coded = b64encode((uschar *)digest, 20);
+ uschar *coded = b64encode(digest, 20);
DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
" subject=%s\n crypted=%s\n", coded, sub[1]+6);
tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
sha1_start(&h);
sha1_end(&h, sub, Ustrlen(sub), digest);
for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]);
- yield = string_cat(yield, &size, &ptr, US st);
+ yield = string_catn(yield, &size, &ptr, US st, 40);
}
continue;
yield = string_cat(yield, &size, &ptr, cp);
}
else
+ {
+ hctx h;
+ blob b;
+ char st[3];
+
+ exim_sha_init(&h, HASH_SHA256);
+ exim_sha_update(&h, sub, Ustrlen(sub));
+ exim_sha_finish(&h, &b);
+ while (b.len-- > 0)
+ {
+ sprintf(st, "%02X", *b.data++);
+ yield = string_catn(yield, &size, &ptr, US st, 2);
+ }
+ }
+#else
+ expand_string_message = US"sha256 only supported with TLS";
#endif
- expand_string_message = US"sha256 only supported for certificates";
continue;
/* Convert hex encoding to base64 encoding */
projects / exim.git / commitdiff