From: Jeremy Harris Date: Sun, 8 Dec 2019 23:36:01 +0000 (+0000) Subject: Merge branch '4.next' X-Git-Tag: exim-4_94_RC0~240 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=1d717e1c110562fd6bf28478c79f180cafeba776;p=exim.git Merge branch '4.next' --- 1d717e1c110562fd6bf28478c79f180cafeba776 diff --cc doc/doc-docbook/spec.xfpt index abd15d452,0e7d7655c..2946d7013 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@@ -15111,9 -15136,10 +15122,11 @@@ etc. are ignored. If IP literals are en to handle IPv6 literal addresses. - .option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" + .new + .option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, ++.wen and an order of processing. Signatures with algorithms not in the list will be ignored. diff --cc doc/doc-txt/ChangeLog index 1e8a2d216,9f18a2073..9f8775f0f --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@@ -3,6 -5,28 +3,28 @@@ affect Exim's operation, with an unchan options, and new features, see the NewStuff file next to this ChangeLog. -Exim version 4.next -------------------- ++Exim version 4.94 ++----------------- + + JH/01 Avoid costly startup code when not strictly needed. This reduces time + for some exim process initialisations. It does mean that the logging + of TLS configuration problems is only done for the daemon startup. + + JH/02 Early-pipelining support code is now included unless disabled in Makefile. + + JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to + RFC 8301. They can still be enabled, using the dkim_verify_hashes main + option. + + JH/04 Support CHUNKING from an smtp transport using a transport_filter, when + DKIM signing is being done. Previously a transport_filter would always + disable CHUNKING, falling back to traditional DATA. + + JH/05 Regard command-line receipients as tainted. 
+ + JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM. + + Exim version 4.93 ----------------- diff --cc doc/doc-txt/NewStuff index fc307a3ba,18c3d3024..763a806a5 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@@ -6,6 -6,18 +6,16 @@@ Before a formal release, there may be q test from the snapshots or the Git before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. -Version 4.next --------------- ++Version 4.94 ++------------ + + 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec + file. + - 2. Variables $tls_in_ver, $tls_out_ver. - - 3. Channel-binding for authenticators is now supported under OpenSSL. ++ 2. Channel-binding for authenticators is now supported under OpenSSL. + Previously it was GnuTLS-only. + + Version 4.93 ------------ diff --cc src/src/functions.h index f4fcd1e19,da21b8779..ea3cf257c --- a/src/src/functions.h +++ b/src/src/functions.h @@@ -539,7 -541,7 +542,8 @@@ extern int strcmpic(const uschar * extern int strncmpic(const uschar *, const uschar *, int); extern uschar *strstric(uschar *, uschar *, BOOL); +extern int test_harness_fudged_queue_time(int); + extern void tcp_init(void); #ifdef EXIM_TFO_PROBE extern void tfo_probe(void); #endif diff --cc src/src/tls.c index a541a3c7a,d47156cdc..f95091218 --- a/src/src/tls.c +++ b/src/src/tls.c @@@ -371,38 -369,79 +369,111 @@@ return FALSE } +/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment +and writes a file by that name. Our OpenSSL code does the same, using keying +info from the library API. +The GnuTLS support only works if exim is run by root, not taking advantage of +the setuid bit. +You can use either the external environment (modulo the keep_environment config) +or the add_environment config option for SSLKEYLOGFILE; the latter takes +precedence. + +If the path is absolute, require it starts with the spooldir; otherwise delete +the env variable. 
If relative, prefix the spooldir. +*/ +void +tls_clean_env(void) +{ +uschar * path = US getenv("SSLKEYLOGFILE"); +if (path) + if (!*path) + unsetenv("SSLKEYLOGFILE"); + else if (*path != '/') + { + DEBUG(D_tls) + debug_printf("prepending spooldir to env SSLKEYLOGFILE\n"); + setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1); + } + else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0) + { + DEBUG(D_tls) + debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path); + unsetenv("SSLKEYLOGFILE"); + } +} + + /************************************************* + * Drop privs for checking TLS config * + *************************************************/ + + /* We want to validate TLS options during readconf, but do not want to be + root when we call into the TLS library, in case of library linkage errors + which cause segfaults; before this check, those were always done as the Exim + runtime user and it makes sense to continue with that. + + Assumes: tls_require_ciphers has been set, if it will be + exim_user has been set, if it will be + exim_group has been set, if it will be + + Returns: bool for "okay"; false will cause caller to immediately exit. 
+ */ + + BOOL + tls_dropprivs_validate_require_cipher(BOOL nowarn) + { + const uschar *errmsg; + pid_t pid; + int rc, status; + void (*oldsignal)(int); + + /* If TLS will never be used, no point checking ciphers */ + + if ( !tls_advertise_hosts + || !*tls_advertise_hosts + || Ustrcmp(tls_advertise_hosts, ":") == 0 + ) + return TRUE; + else if (!nowarn && !tls_certificate) + log_write(0, LOG_MAIN, + "Warning: No server certificate defined; will use a selfsigned one.\n" + " Suggested action: either install a certificate or change tls_advertise_hosts option"); + + oldsignal = signal(SIGCHLD, SIG_DFL); + + fflush(NULL); + if ((pid = fork()) < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check"); + + if (pid == 0) + { + /* in some modes, will have dropped privilege already */ + if (!geteuid()) + exim_setugid(exim_uid, exim_gid, FALSE, + US"calling tls_validate_require_cipher"); + + if ((errmsg = tls_validate_require_cipher())) + log_write(0, LOG_PANIC_DIE|LOG_CONFIG, + "tls_require_ciphers invalid: %s", errmsg); + fflush(NULL); + exim_underbar_exit(0); + } + + do { + rc = waitpid(pid, &status, 0); + } while (rc < 0 && errno == EINTR); + + DEBUG(D_tls) + debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n", + (int)pid, status); + + signal(SIGCHLD, oldsignal); + + return status == 0; + } + + + + #endif /*!DISABLE_TLS*/ #endif /*!MACRO_PREDEF*/ diff --cc test/log/2102 index dfcfc1b67,bddb8e973..91761cd68 --- a/test/log/2102 +++ b/test/log/2102 @@@ -41,7 -41,7 +41,11 @@@ 1999-03-02 09:44:33 der_b64 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 1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac ++<<<<<<< HEAD +1999-03-02 09:44:33 ver: TLS1.x ++======= + 1999-03-02 09:44:33 ver: TLSv1.x ++>>>>>>> 4.next 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss 
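Review bot: In `tls_clean_env()` the absolute-path branch accepts any SSLKEYLOGFILE value whose string merely begins with `spool_directory`. A sibling directory that shares the prefix, or a path containing `..` components, therefore passes the check although it resolves outside the spool, and the relative branch prefixes the spooldir without rejecting `..` either. Because this file receives TLS session keying material, the test should sit on a path boundary and refuse traversal, e.g. `else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0 || path[Ustrlen(spool_directory)] != '/' || Ustrstr(path, US"/../"))`, with the same `..` rejection applied to the string built for `setenv()` in the relative case. Separately, in `tls_dropprivs_validate_require_cipher()` the final `return status == 0` reads `status` even if `waitpid()` failed with an errno other than EINTR and never wrote it; declaring `int rc, status = -1;` would make that path fail closed.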
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 Our cert SN: diff --cc test/runtest index 87c78070e,30315044f..f53b9d72b --- a/test/runtest +++ b/test/runtest @@@ -3450,17 -3435,16 +3465,17 @@@ while (not ($parm_ipv4 and $parm_ipv6) { if (/^(?:[0-9]+: )?([a-z0-9]+): /) { $ifname = $1; } - if (not $parm_ipv4 and /^\s*inet(?:\saddr)?:?\s?(\d+\.\d+\.\d+\.\d+)(?:\/\d+)?\s/i) + if (not $parm_ipv4 and /^\s*inet(?:\saddr(?:ess))?:?\s*(\d+\.\d+\.\d+\.\d+)(?:\/\d+)?\s/i) { - # It would ne nice to be able to vary the /16 used for manyhome; we could take + # It would be nice to be able to vary the /16 used for manyhome; we could take # an option to runtest used here - but we'd also have to pass it on to fakens. # Possibly an environment variable? next if $1 eq '0.0.0.0' or $1 =~ /^(?:127|10\.250)\./; $parm_ipv4 = $1; } - if (not $parm_ipv6 and /^\s*inet6(?:\saddr(?:ess))?:?\s*([abcdef\d:]+)(?:%[^ \/]+)?(?:\/\d+)?/i) + if ( (not $parm_ipv6 or $parm_ipv6 =~ /%/) - and /^\s*inet6(?:\saddr)?:?\s?([abcdef\d:]+)(?:%[^ \/]+)?(?:\/\d+)?/i) ++ and /^\s*inet6(?:\saddr(?:ess))?:?\s*([abcdef\d:]+)(?:%[^ \/]+)?(?:\/\d+)?/i) { next if $1 eq '::' or $1 eq '::1' or $1 =~ /^ff00/i or $1 =~ /^fe80::1/i; $parm_ipv6 = $1;
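Review bot: Unresolved merge-conflict markers are committed into test/log/2102: the result side adds `++<<<<<<< HEAD`, `++=======` and `++>>>>>>> 4.next` together with both candidate `ver:` lines (`ver: TLS1.x` and `ver: TLSv1.x`). As written, the expected log can presumably never match real output, so this TLS test either fails or stops checking the version line, depending on how runtest compares it. Keep only the `ver:` line that matches what the merged code and runtest's munging actually produce, and drop the three marker lines.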