1cd08df899eecdf4b31754be6488dd25da9be8f1
[exim.git] / src / src / expand.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* Functions for handling string expansion. */
10
11
12 #include "exim.h"
13
14 /* Recursively called function */
15
16 static uschar *expand_string_internal(const uschar *, BOOL, const uschar **, BOOL, BOOL, BOOL *);
17 static int_eximarith_t expanded_string_integer(const uschar *, BOOL);
18
19 #ifdef STAND_ALONE
20 # ifndef SUPPORT_CRYPTEQ
21 # define SUPPORT_CRYPTEQ
22 # endif
23 #endif
24
25 #ifdef LOOKUP_LDAP
26 # include "lookups/ldap.h"
27 #endif
28
29 #ifdef SUPPORT_CRYPTEQ
30 # ifdef CRYPT_H
31 # include <crypt.h>
32 # endif
33 # ifndef HAVE_CRYPT16
34 extern char* crypt16(char*, char*);
35 # endif
36 #endif
37
38 /* The handling of crypt16() is a mess. I will record below the analysis of the
39 mess that was sent to me. We decided, however, to make changing this very low
40 priority, because in practice people are moving away from the crypt()
41 algorithms nowadays, so it doesn't seem worth it.
42
43 <quote>
44 There is an algorithm named "crypt16" in Ultrix and Tru64. It crypts
45 the first 8 characters of the password using a 20-round version of crypt
46 (standard crypt does 25 rounds). It then crypts the next 8 characters,
47 or an empty block if the password is less than 9 characters, using a
48 20-round version of crypt and the same salt as was used for the first
49 block. Characters after the first 16 are ignored. It always generates
50 a 16-byte hash, which is expressed together with the salt as a string
51 of 24 base 64 digits. Here are some links to peruse:
52
53 http://cvs.pld.org.pl/pam/pamcrypt/crypt16.c?rev=1.2
54 http://seclists.org/bugtraq/1999/Mar/0076.html
55
56 There's a different algorithm named "bigcrypt" in HP-UX, Digital Unix,
57 and OSF/1. This is the same as the standard crypt if given a password
58 of 8 characters or less. If given more, it first does the same as crypt
59 using the first 8 characters, then crypts the next 8 (the 9th to 16th)
60 using as salt the first two base 64 digits from the first hash block.
61 If the password is more than 16 characters then it crypts the 17th to 24th
62 characters using as salt the first two base 64 digits from the second hash
63 block. And so on: I've seen references to it cutting off the password at
64 40 characters (5 blocks), 80 (10 blocks), or 128 (16 blocks). Some links:
65
66 http://cvs.pld.org.pl/pam/pamcrypt/bigcrypt.c?rev=1.2
67 http://seclists.org/bugtraq/1999/Mar/0109.html
68 http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/HTML/AA-Q0R2D-
69 TET1_html/sec.c222.html#no_id_208
70
71 Exim has something it calls "crypt16". It will either use a native
72 crypt16 or its own implementation. A native crypt16 will presumably
73 be the one that I called "crypt16" above. The internal "crypt16"
74 function, however, is a two-block-maximum implementation of what I called
75 "bigcrypt". The documentation matches the internal code.
76
77 I suspect that whoever did the "crypt16" stuff for Exim didn't realise
78 that crypt16 and bigcrypt were different things.
79
80 Exim uses the LDAP-style scheme identifier "{crypt16}" to refer
81 to whatever it is using under that name. This unfortunately sets a
82 precedent for using "{crypt16}" to identify two incompatible algorithms
83 whose output can't be distinguished. With "{crypt16}" thus rendered
84 ambiguous, I suggest you deprecate it and invent two new identifiers
85 for the two algorithms.
86
87 Both crypt16 and bigcrypt are very poor algorithms, btw. Hashing parts
88 of the password separately means they can be cracked separately, so
89 the double-length hash only doubles the cracking effort instead of
90 squaring it. I recommend salted SHA-1 ({SSHA}), or the Blowfish-based
91 bcrypt ({CRYPT}$2a$).
92 </quote>
93 */
94
95
96
97 /*************************************************
98 * Local statics and tables *
99 *************************************************/
100
101 /* Table of item names, and corresponding switch numbers. The names must be in
102 alphabetical order. */
103
104 static uschar *item_table[] = {
105 US"acl",
106 US"authresults",
107 US"certextract",
108 US"dlfunc",
109 US"env",
110 US"extract",
111 US"filter",
112 US"hash",
113 US"hmac",
114 US"if",
115 #ifdef SUPPORT_I18N
116 US"imapfolder",
117 #endif
118 US"length",
119 US"listextract",
120 US"lookup",
121 US"map",
122 US"nhash",
123 US"perl",
124 US"prvs",
125 US"prvscheck",
126 US"readfile",
127 US"readsocket",
128 US"reduce",
129 US"run",
130 US"sg",
131 US"sort",
132 #ifdef EXPERIMENTAL_SRS_NATIVE
133 US"srs_encode",
134 #endif
135 US"substr",
136 US"tr" };
137
138 enum {
139 EITEM_ACL,
140 EITEM_AUTHRESULTS,
141 EITEM_CERTEXTRACT,
142 EITEM_DLFUNC,
143 EITEM_ENV,
144 EITEM_EXTRACT,
145 EITEM_FILTER,
146 EITEM_HASH,
147 EITEM_HMAC,
148 EITEM_IF,
149 #ifdef SUPPORT_I18N
150 EITEM_IMAPFOLDER,
151 #endif
152 EITEM_LENGTH,
153 EITEM_LISTEXTRACT,
154 EITEM_LOOKUP,
155 EITEM_MAP,
156 EITEM_NHASH,
157 EITEM_PERL,
158 EITEM_PRVS,
159 EITEM_PRVSCHECK,
160 EITEM_READFILE,
161 EITEM_READSOCK,
162 EITEM_REDUCE,
163 EITEM_RUN,
164 EITEM_SG,
165 EITEM_SORT,
166 #ifdef EXPERIMENTAL_SRS_NATIVE
167 EITEM_SRS_ENCODE,
168 #endif
169 EITEM_SUBSTR,
170 EITEM_TR };
171
172 /* Tables of operator names, and corresponding switch numbers. The names must be
173 in alphabetical order. There are two tables, because underscore is used in some
174 cases to introduce arguments, whereas for other it is part of the name. This is
175 an historical mis-design. */
176
177 static uschar *op_table_underscore[] = {
178 US"from_utf8",
179 US"local_part",
180 US"quote_local_part",
181 US"reverse_ip",
182 US"time_eval",
183 US"time_interval"
184 #ifdef SUPPORT_I18N
185 ,US"utf8_domain_from_alabel",
186 US"utf8_domain_to_alabel",
187 US"utf8_localpart_from_alabel",
188 US"utf8_localpart_to_alabel"
189 #endif
190 };
191
192 enum {
193 EOP_FROM_UTF8,
194 EOP_LOCAL_PART,
195 EOP_QUOTE_LOCAL_PART,
196 EOP_REVERSE_IP,
197 EOP_TIME_EVAL,
198 EOP_TIME_INTERVAL
199 #ifdef SUPPORT_I18N
200 ,EOP_UTF8_DOMAIN_FROM_ALABEL,
201 EOP_UTF8_DOMAIN_TO_ALABEL,
202 EOP_UTF8_LOCALPART_FROM_ALABEL,
203 EOP_UTF8_LOCALPART_TO_ALABEL
204 #endif
205 };
206
207 static uschar *op_table_main[] = {
208 US"address",
209 US"addresses",
210 US"base32",
211 US"base32d",
212 US"base62",
213 US"base62d",
214 US"base64",
215 US"base64d",
216 US"domain",
217 US"escape",
218 US"escape8bit",
219 US"eval",
220 US"eval10",
221 US"expand",
222 US"h",
223 US"hash",
224 US"hex2b64",
225 US"hexquote",
226 US"ipv6denorm",
227 US"ipv6norm",
228 US"l",
229 US"lc",
230 US"length",
231 US"listcount",
232 US"listnamed",
233 US"mask",
234 US"md5",
235 US"nh",
236 US"nhash",
237 US"quote",
238 US"randint",
239 US"rfc2047",
240 US"rfc2047d",
241 US"rxquote",
242 US"s",
243 US"sha1",
244 US"sha2",
245 US"sha256",
246 US"sha3",
247 US"stat",
248 US"str2b64",
249 US"strlen",
250 US"substr",
251 US"uc",
252 US"utf8clean" };
253
254 enum {
255 EOP_ADDRESS = nelem(op_table_underscore),
256 EOP_ADDRESSES,
257 EOP_BASE32,
258 EOP_BASE32D,
259 EOP_BASE62,
260 EOP_BASE62D,
261 EOP_BASE64,
262 EOP_BASE64D,
263 EOP_DOMAIN,
264 EOP_ESCAPE,
265 EOP_ESCAPE8BIT,
266 EOP_EVAL,
267 EOP_EVAL10,
268 EOP_EXPAND,
269 EOP_H,
270 EOP_HASH,
271 EOP_HEX2B64,
272 EOP_HEXQUOTE,
273 EOP_IPV6DENORM,
274 EOP_IPV6NORM,
275 EOP_L,
276 EOP_LC,
277 EOP_LENGTH,
278 EOP_LISTCOUNT,
279 EOP_LISTNAMED,
280 EOP_MASK,
281 EOP_MD5,
282 EOP_NH,
283 EOP_NHASH,
284 EOP_QUOTE,
285 EOP_RANDINT,
286 EOP_RFC2047,
287 EOP_RFC2047D,
288 EOP_RXQUOTE,
289 EOP_S,
290 EOP_SHA1,
291 EOP_SHA2,
292 EOP_SHA256,
293 EOP_SHA3,
294 EOP_STAT,
295 EOP_STR2B64,
296 EOP_STRLEN,
297 EOP_SUBSTR,
298 EOP_UC,
299 EOP_UTF8CLEAN };
300
301
302 /* Table of condition names, and corresponding switch numbers. The names must
303 be in alphabetical order. */
304
305 static uschar *cond_table[] = {
306 US"<",
307 US"<=",
308 US"=",
309 US"==", /* Backward compatibility */
310 US">",
311 US">=",
312 US"acl",
313 US"and",
314 US"bool",
315 US"bool_lax",
316 US"crypteq",
317 US"def",
318 US"eq",
319 US"eqi",
320 US"exists",
321 US"first_delivery",
322 US"forall",
323 US"forall_json",
324 US"forall_jsons",
325 US"forany",
326 US"forany_json",
327 US"forany_jsons",
328 US"ge",
329 US"gei",
330 US"gt",
331 US"gti",
332 #ifdef EXPERIMENTAL_SRS_NATIVE
333 US"inbound_srs",
334 #endif
335 US"inlist",
336 US"inlisti",
337 US"isip",
338 US"isip4",
339 US"isip6",
340 US"ldapauth",
341 US"le",
342 US"lei",
343 US"lt",
344 US"lti",
345 US"match",
346 US"match_address",
347 US"match_domain",
348 US"match_ip",
349 US"match_local_part",
350 US"or",
351 US"pam",
352 US"pwcheck",
353 US"queue_running",
354 US"radius",
355 US"saslauthd"
356 };
357
358 enum {
359 ECOND_NUM_L,
360 ECOND_NUM_LE,
361 ECOND_NUM_E,
362 ECOND_NUM_EE,
363 ECOND_NUM_G,
364 ECOND_NUM_GE,
365 ECOND_ACL,
366 ECOND_AND,
367 ECOND_BOOL,
368 ECOND_BOOL_LAX,
369 ECOND_CRYPTEQ,
370 ECOND_DEF,
371 ECOND_STR_EQ,
372 ECOND_STR_EQI,
373 ECOND_EXISTS,
374 ECOND_FIRST_DELIVERY,
375 ECOND_FORALL,
376 ECOND_FORALL_JSON,
377 ECOND_FORALL_JSONS,
378 ECOND_FORANY,
379 ECOND_FORANY_JSON,
380 ECOND_FORANY_JSONS,
381 ECOND_STR_GE,
382 ECOND_STR_GEI,
383 ECOND_STR_GT,
384 ECOND_STR_GTI,
385 #ifdef EXPERIMENTAL_SRS_NATIVE
386 ECOND_INBOUND_SRS,
387 #endif
388 ECOND_INLIST,
389 ECOND_INLISTI,
390 ECOND_ISIP,
391 ECOND_ISIP4,
392 ECOND_ISIP6,
393 ECOND_LDAPAUTH,
394 ECOND_STR_LE,
395 ECOND_STR_LEI,
396 ECOND_STR_LT,
397 ECOND_STR_LTI,
398 ECOND_MATCH,
399 ECOND_MATCH_ADDRESS,
400 ECOND_MATCH_DOMAIN,
401 ECOND_MATCH_IP,
402 ECOND_MATCH_LOCAL_PART,
403 ECOND_OR,
404 ECOND_PAM,
405 ECOND_PWCHECK,
406 ECOND_QUEUE_RUNNING,
407 ECOND_RADIUS,
408 ECOND_SASLAUTHD
409 };
410
411
412 /* Types of table entry */
413
414 enum vtypes {
415 vtype_int, /* value is address of int */
416 vtype_filter_int, /* ditto, but recognized only when filtering */
417 vtype_ino, /* value is address of ino_t (not always an int) */
418 vtype_uid, /* value is address of uid_t (not always an int) */
419 vtype_gid, /* value is address of gid_t (not always an int) */
420 vtype_bool, /* value is address of bool */
421 vtype_stringptr, /* value is address of pointer to string */
422 vtype_msgbody, /* as stringptr, but read when first required */
423 vtype_msgbody_end, /* ditto, the end of the message */
424 vtype_msgheaders, /* the message's headers, processed */
425 vtype_msgheaders_raw, /* the message's headers, unprocessed */
426 vtype_localpart, /* extract local part from string */
427 vtype_domain, /* extract domain from string */
428 vtype_string_func, /* value is string returned by given function */
429 vtype_todbsdin, /* value not used; generate BSD inbox tod */
430 vtype_tode, /* value not used; generate tod in epoch format */
431 vtype_todel, /* value not used; generate tod in epoch/usec format */
432 vtype_todf, /* value not used; generate full tod */
433 vtype_todl, /* value not used; generate log tod */
434 vtype_todlf, /* value not used; generate log file datestamp tod */
435 vtype_todzone, /* value not used; generate time zone only */
436 vtype_todzulu, /* value not used; generate zulu tod */
437 vtype_reply, /* value not used; get reply from headers */
438 vtype_pid, /* value not used; result is pid */
439 vtype_host_lookup, /* value not used; get host name */
440 vtype_load_avg, /* value not used; result is int from os_getloadavg */
441 vtype_pspace, /* partition space; value is T/F for spool/log */
442 vtype_pinodes, /* partition inodes; value is T/F for spool/log */
443 vtype_cert /* SSL certificate */
444 #ifndef DISABLE_DKIM
445 ,vtype_dkim /* Lookup of value in DKIM signature */
446 #endif
447 };
448
449 /* Type for main variable table */
450
451 typedef struct {
452 const char *name;
453 enum vtypes type;
454 void *value;
455 } var_entry;
456
457 /* Type for entries pointing to address/length pairs. Not currently
458 in use. */
459
460 typedef struct {
461 uschar **address;
462 int *length;
463 } alblock;
464
465 static uschar * fn_recipients(void);
466 typedef uschar * stringptr_fn_t(void);
467
468 /* This table must be kept in alphabetical order. */
469
470 static var_entry var_table[] = {
471 /* WARNING: Do not invent variables whose names start acl_c or acl_m because
472 they will be confused with user-creatable ACL variables. */
473 { "acl_arg1", vtype_stringptr, &acl_arg[0] },
474 { "acl_arg2", vtype_stringptr, &acl_arg[1] },
475 { "acl_arg3", vtype_stringptr, &acl_arg[2] },
476 { "acl_arg4", vtype_stringptr, &acl_arg[3] },
477 { "acl_arg5", vtype_stringptr, &acl_arg[4] },
478 { "acl_arg6", vtype_stringptr, &acl_arg[5] },
479 { "acl_arg7", vtype_stringptr, &acl_arg[6] },
480 { "acl_arg8", vtype_stringptr, &acl_arg[7] },
481 { "acl_arg9", vtype_stringptr, &acl_arg[8] },
482 { "acl_narg", vtype_int, &acl_narg },
483 { "acl_verify_message", vtype_stringptr, &acl_verify_message },
484 { "address_data", vtype_stringptr, &deliver_address_data },
485 { "address_file", vtype_stringptr, &address_file },
486 { "address_pipe", vtype_stringptr, &address_pipe },
487 #ifdef EXPERIMENTAL_ARC
488 { "arc_domains", vtype_string_func, (void *) &fn_arc_domains },
489 { "arc_oldest_pass", vtype_int, &arc_oldest_pass },
490 { "arc_state", vtype_stringptr, &arc_state },
491 { "arc_state_reason", vtype_stringptr, &arc_state_reason },
492 #endif
493 { "authenticated_fail_id",vtype_stringptr, &authenticated_fail_id },
494 { "authenticated_id", vtype_stringptr, &authenticated_id },
495 { "authenticated_sender",vtype_stringptr, &authenticated_sender },
496 { "authentication_failed",vtype_int, &authentication_failed },
497 #ifdef WITH_CONTENT_SCAN
498 { "av_failed", vtype_int, &av_failed },
499 #endif
500 #ifdef EXPERIMENTAL_BRIGHTMAIL
501 { "bmi_alt_location", vtype_stringptr, &bmi_alt_location },
502 { "bmi_base64_tracker_verdict", vtype_stringptr, &bmi_base64_tracker_verdict },
503 { "bmi_base64_verdict", vtype_stringptr, &bmi_base64_verdict },
504 { "bmi_deliver", vtype_int, &bmi_deliver },
505 #endif
506 { "body_linecount", vtype_int, &body_linecount },
507 { "body_zerocount", vtype_int, &body_zerocount },
508 { "bounce_recipient", vtype_stringptr, &bounce_recipient },
509 { "bounce_return_size_limit", vtype_int, &bounce_return_size_limit },
510 { "caller_gid", vtype_gid, &real_gid },
511 { "caller_uid", vtype_uid, &real_uid },
512 { "callout_address", vtype_stringptr, &callout_address },
513 { "compile_date", vtype_stringptr, &version_date },
514 { "compile_number", vtype_stringptr, &version_cnumber },
515 { "config_dir", vtype_stringptr, &config_main_directory },
516 { "config_file", vtype_stringptr, &config_main_filename },
517 { "csa_status", vtype_stringptr, &csa_status },
518 #ifdef EXPERIMENTAL_DCC
519 { "dcc_header", vtype_stringptr, &dcc_header },
520 { "dcc_result", vtype_stringptr, &dcc_result },
521 #endif
522 #ifndef DISABLE_DKIM
523 { "dkim_algo", vtype_dkim, (void *)DKIM_ALGO },
524 { "dkim_bodylength", vtype_dkim, (void *)DKIM_BODYLENGTH },
525 { "dkim_canon_body", vtype_dkim, (void *)DKIM_CANON_BODY },
526 { "dkim_canon_headers", vtype_dkim, (void *)DKIM_CANON_HEADERS },
527 { "dkim_copiedheaders", vtype_dkim, (void *)DKIM_COPIEDHEADERS },
528 { "dkim_created", vtype_dkim, (void *)DKIM_CREATED },
529 { "dkim_cur_signer", vtype_stringptr, &dkim_cur_signer },
530 { "dkim_domain", vtype_stringptr, &dkim_signing_domain },
531 { "dkim_expires", vtype_dkim, (void *)DKIM_EXPIRES },
532 { "dkim_headernames", vtype_dkim, (void *)DKIM_HEADERNAMES },
533 { "dkim_identity", vtype_dkim, (void *)DKIM_IDENTITY },
534 { "dkim_key_granularity",vtype_dkim, (void *)DKIM_KEY_GRANULARITY },
535 { "dkim_key_length", vtype_int, &dkim_key_length },
536 { "dkim_key_nosubdomains",vtype_dkim, (void *)DKIM_NOSUBDOMAINS },
537 { "dkim_key_notes", vtype_dkim, (void *)DKIM_KEY_NOTES },
538 { "dkim_key_srvtype", vtype_dkim, (void *)DKIM_KEY_SRVTYPE },
539 { "dkim_key_testing", vtype_dkim, (void *)DKIM_KEY_TESTING },
540 { "dkim_selector", vtype_stringptr, &dkim_signing_selector },
541 { "dkim_signers", vtype_stringptr, &dkim_signers },
542 { "dkim_verify_reason", vtype_stringptr, &dkim_verify_reason },
543 { "dkim_verify_status", vtype_stringptr, &dkim_verify_status },
544 #endif
545 #ifdef SUPPORT_DMARC
546 { "dmarc_domain_policy", vtype_stringptr, &dmarc_domain_policy },
547 { "dmarc_status", vtype_stringptr, &dmarc_status },
548 { "dmarc_status_text", vtype_stringptr, &dmarc_status_text },
549 { "dmarc_used_domain", vtype_stringptr, &dmarc_used_domain },
550 #endif
551 { "dnslist_domain", vtype_stringptr, &dnslist_domain },
552 { "dnslist_matched", vtype_stringptr, &dnslist_matched },
553 { "dnslist_text", vtype_stringptr, &dnslist_text },
554 { "dnslist_value", vtype_stringptr, &dnslist_value },
555 { "domain", vtype_stringptr, &deliver_domain },
556 { "domain_data", vtype_stringptr, &deliver_domain_data },
557 #ifndef DISABLE_EVENT
558 { "event_data", vtype_stringptr, &event_data },
559
560 /*XXX want to use generic vars for as many of these as possible*/
561 { "event_defer_errno", vtype_int, &event_defer_errno },
562
563 { "event_name", vtype_stringptr, &event_name },
564 #endif
565 { "exim_gid", vtype_gid, &exim_gid },
566 { "exim_path", vtype_stringptr, &exim_path },
567 { "exim_uid", vtype_uid, &exim_uid },
568 { "exim_version", vtype_stringptr, &version_string },
569 { "headers_added", vtype_string_func, (void *) &fn_hdrs_added },
570 { "home", vtype_stringptr, &deliver_home },
571 { "host", vtype_stringptr, &deliver_host },
572 { "host_address", vtype_stringptr, &deliver_host_address },
573 { "host_data", vtype_stringptr, &host_data },
574 { "host_lookup_deferred",vtype_int, &host_lookup_deferred },
575 { "host_lookup_failed", vtype_int, &host_lookup_failed },
576 { "host_port", vtype_int, &deliver_host_port },
577 { "initial_cwd", vtype_stringptr, &initial_cwd },
578 { "inode", vtype_ino, &deliver_inode },
579 { "interface_address", vtype_stringptr, &interface_address },
580 { "interface_port", vtype_int, &interface_port },
581 { "item", vtype_stringptr, &iterate_item },
582 #ifdef LOOKUP_LDAP
583 { "ldap_dn", vtype_stringptr, &eldap_dn },
584 #endif
585 { "load_average", vtype_load_avg, NULL },
586 { "local_part", vtype_stringptr, &deliver_localpart },
587 { "local_part_data", vtype_stringptr, &deliver_localpart_data },
588 { "local_part_prefix", vtype_stringptr, &deliver_localpart_prefix },
589 { "local_part_suffix", vtype_stringptr, &deliver_localpart_suffix },
590 #ifdef HAVE_LOCAL_SCAN
591 { "local_scan_data", vtype_stringptr, &local_scan_data },
592 #endif
593 { "local_user_gid", vtype_gid, &local_user_gid },
594 { "local_user_uid", vtype_uid, &local_user_uid },
595 { "localhost_number", vtype_int, &host_number },
596 { "log_inodes", vtype_pinodes, (void *)FALSE },
597 { "log_space", vtype_pspace, (void *)FALSE },
598 { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
599 { "mailstore_basename", vtype_stringptr, &mailstore_basename },
600 #ifdef WITH_CONTENT_SCAN
601 { "malware_name", vtype_stringptr, &malware_name },
602 #endif
603 { "max_received_linelength", vtype_int, &max_received_linelength },
604 { "message_age", vtype_int, &message_age },
605 { "message_body", vtype_msgbody, &message_body },
606 { "message_body_end", vtype_msgbody_end, &message_body_end },
607 { "message_body_size", vtype_int, &message_body_size },
608 { "message_exim_id", vtype_stringptr, &message_id },
609 { "message_headers", vtype_msgheaders, NULL },
610 { "message_headers_raw", vtype_msgheaders_raw, NULL },
611 { "message_id", vtype_stringptr, &message_id },
612 { "message_linecount", vtype_int, &message_linecount },
613 { "message_size", vtype_int, &message_size },
614 #ifdef SUPPORT_I18N
615 { "message_smtputf8", vtype_bool, &message_smtputf8 },
616 #endif
617 #ifdef WITH_CONTENT_SCAN
618 { "mime_anomaly_level", vtype_int, &mime_anomaly_level },
619 { "mime_anomaly_text", vtype_stringptr, &mime_anomaly_text },
620 { "mime_boundary", vtype_stringptr, &mime_boundary },
621 { "mime_charset", vtype_stringptr, &mime_charset },
622 { "mime_content_description", vtype_stringptr, &mime_content_description },
623 { "mime_content_disposition", vtype_stringptr, &mime_content_disposition },
624 { "mime_content_id", vtype_stringptr, &mime_content_id },
625 { "mime_content_size", vtype_int, &mime_content_size },
626 { "mime_content_transfer_encoding",vtype_stringptr, &mime_content_transfer_encoding },
627 { "mime_content_type", vtype_stringptr, &mime_content_type },
628 { "mime_decoded_filename", vtype_stringptr, &mime_decoded_filename },
629 { "mime_filename", vtype_stringptr, &mime_filename },
630 { "mime_is_coverletter", vtype_int, &mime_is_coverletter },
631 { "mime_is_multipart", vtype_int, &mime_is_multipart },
632 { "mime_is_rfc822", vtype_int, &mime_is_rfc822 },
633 { "mime_part_count", vtype_int, &mime_part_count },
634 #endif
635 { "n0", vtype_filter_int, &filter_n[0] },
636 { "n1", vtype_filter_int, &filter_n[1] },
637 { "n2", vtype_filter_int, &filter_n[2] },
638 { "n3", vtype_filter_int, &filter_n[3] },
639 { "n4", vtype_filter_int, &filter_n[4] },
640 { "n5", vtype_filter_int, &filter_n[5] },
641 { "n6", vtype_filter_int, &filter_n[6] },
642 { "n7", vtype_filter_int, &filter_n[7] },
643 { "n8", vtype_filter_int, &filter_n[8] },
644 { "n9", vtype_filter_int, &filter_n[9] },
645 { "original_domain", vtype_stringptr, &deliver_domain_orig },
646 { "original_local_part", vtype_stringptr, &deliver_localpart_orig },
647 { "originator_gid", vtype_gid, &originator_gid },
648 { "originator_uid", vtype_uid, &originator_uid },
649 { "parent_domain", vtype_stringptr, &deliver_domain_parent },
650 { "parent_local_part", vtype_stringptr, &deliver_localpart_parent },
651 { "pid", vtype_pid, NULL },
652 #ifndef DISABLE_PRDR
653 { "prdr_requested", vtype_bool, &prdr_requested },
654 #endif
655 { "primary_hostname", vtype_stringptr, &primary_hostname },
656 #if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
657 { "proxy_external_address",vtype_stringptr, &proxy_external_address },
658 { "proxy_external_port", vtype_int, &proxy_external_port },
659 { "proxy_local_address", vtype_stringptr, &proxy_local_address },
660 { "proxy_local_port", vtype_int, &proxy_local_port },
661 { "proxy_session", vtype_bool, &proxy_session },
662 #endif
663 { "prvscheck_address", vtype_stringptr, &prvscheck_address },
664 { "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum },
665 { "prvscheck_result", vtype_stringptr, &prvscheck_result },
666 { "qualify_domain", vtype_stringptr, &qualify_domain_sender },
667 { "qualify_recipient", vtype_stringptr, &qualify_domain_recipient },
668 { "queue_name", vtype_stringptr, &queue_name },
669 { "rcpt_count", vtype_int, &rcpt_count },
670 { "rcpt_defer_count", vtype_int, &rcpt_defer_count },
671 { "rcpt_fail_count", vtype_int, &rcpt_fail_count },
672 { "received_count", vtype_int, &received_count },
673 { "received_for", vtype_stringptr, &received_for },
674 { "received_ip_address", vtype_stringptr, &interface_address },
675 { "received_port", vtype_int, &interface_port },
676 { "received_protocol", vtype_stringptr, &received_protocol },
677 { "received_time", vtype_int, &received_time.tv_sec },
678 { "recipient_data", vtype_stringptr, &recipient_data },
679 { "recipient_verify_failure",vtype_stringptr,&recipient_verify_failure },
680 { "recipients", vtype_string_func, (void *) &fn_recipients },
681 { "recipients_count", vtype_int, &recipients_count },
682 #ifdef WITH_CONTENT_SCAN
683 { "regex_match_string", vtype_stringptr, &regex_match_string },
684 #endif
685 { "reply_address", vtype_reply, NULL },
686 { "return_path", vtype_stringptr, &return_path },
687 { "return_size_limit", vtype_int, &bounce_return_size_limit },
688 { "router_name", vtype_stringptr, &router_name },
689 { "runrc", vtype_int, &runrc },
690 { "self_hostname", vtype_stringptr, &self_hostname },
691 { "sender_address", vtype_stringptr, &sender_address },
692 { "sender_address_data", vtype_stringptr, &sender_address_data },
693 { "sender_address_domain", vtype_domain, &sender_address },
694 { "sender_address_local_part", vtype_localpart, &sender_address },
695 { "sender_data", vtype_stringptr, &sender_data },
696 { "sender_fullhost", vtype_stringptr, &sender_fullhost },
697 { "sender_helo_dnssec", vtype_bool, &sender_helo_dnssec },
698 { "sender_helo_name", vtype_stringptr, &sender_helo_name },
699 { "sender_host_address", vtype_stringptr, &sender_host_address },
700 { "sender_host_authenticated",vtype_stringptr, &sender_host_authenticated },
701 { "sender_host_dnssec", vtype_bool, &sender_host_dnssec },
702 { "sender_host_name", vtype_host_lookup, NULL },
703 { "sender_host_port", vtype_int, &sender_host_port },
704 { "sender_ident", vtype_stringptr, &sender_ident },
705 { "sender_rate", vtype_stringptr, &sender_rate },
706 { "sender_rate_limit", vtype_stringptr, &sender_rate_limit },
707 { "sender_rate_period", vtype_stringptr, &sender_rate_period },
708 { "sender_rcvhost", vtype_stringptr, &sender_rcvhost },
709 { "sender_verify_failure",vtype_stringptr, &sender_verify_failure },
710 { "sending_ip_address", vtype_stringptr, &sending_ip_address },
711 { "sending_port", vtype_int, &sending_port },
712 { "smtp_active_hostname", vtype_stringptr, &smtp_active_hostname },
713 { "smtp_command", vtype_stringptr, &smtp_cmd_buffer },
714 { "smtp_command_argument", vtype_stringptr, &smtp_cmd_argument },
715 { "smtp_command_history", vtype_string_func, (void *) &smtp_cmd_hist },
716 { "smtp_count_at_connection_start", vtype_int, &smtp_accept_count },
717 { "smtp_notquit_reason", vtype_stringptr, &smtp_notquit_reason },
718 { "sn0", vtype_filter_int, &filter_sn[0] },
719 { "sn1", vtype_filter_int, &filter_sn[1] },
720 { "sn2", vtype_filter_int, &filter_sn[2] },
721 { "sn3", vtype_filter_int, &filter_sn[3] },
722 { "sn4", vtype_filter_int, &filter_sn[4] },
723 { "sn5", vtype_filter_int, &filter_sn[5] },
724 { "sn6", vtype_filter_int, &filter_sn[6] },
725 { "sn7", vtype_filter_int, &filter_sn[7] },
726 { "sn8", vtype_filter_int, &filter_sn[8] },
727 { "sn9", vtype_filter_int, &filter_sn[9] },
728 #ifdef WITH_CONTENT_SCAN
729 { "spam_action", vtype_stringptr, &spam_action },
730 { "spam_bar", vtype_stringptr, &spam_bar },
731 { "spam_report", vtype_stringptr, &spam_report },
732 { "spam_score", vtype_stringptr, &spam_score },
733 { "spam_score_int", vtype_stringptr, &spam_score_int },
734 #endif
735 #ifdef SUPPORT_SPF
736 { "spf_guess", vtype_stringptr, &spf_guess },
737 { "spf_header_comment", vtype_stringptr, &spf_header_comment },
738 { "spf_received", vtype_stringptr, &spf_received },
739 { "spf_result", vtype_stringptr, &spf_result },
740 { "spf_result_guessed", vtype_bool, &spf_result_guessed },
741 { "spf_smtp_comment", vtype_stringptr, &spf_smtp_comment },
742 #endif
743 { "spool_directory", vtype_stringptr, &spool_directory },
744 { "spool_inodes", vtype_pinodes, (void *)TRUE },
745 { "spool_space", vtype_pspace, (void *)TRUE },
746 #ifdef EXPERIMENTAL_SRS
747 { "srs_db_address", vtype_stringptr, &srs_db_address },
748 { "srs_db_key", vtype_stringptr, &srs_db_key },
749 { "srs_orig_recipient", vtype_stringptr, &srs_orig_recipient },
750 { "srs_orig_sender", vtype_stringptr, &srs_orig_sender },
751 #endif
752 #if defined(EXPERIMENTAL_SRS) || defined(EXPERIMENTAL_SRS_NATIVE)
753 { "srs_recipient", vtype_stringptr, &srs_recipient },
754 #endif
755 #ifdef EXPERIMENTAL_SRS
756 { "srs_status", vtype_stringptr, &srs_status },
757 #endif
758 { "thisaddress", vtype_stringptr, &filter_thisaddress },
759
760 /* The non-(in,out) variables are now deprecated */
761 { "tls_bits", vtype_int, &tls_in.bits },
762 { "tls_certificate_verified", vtype_int, &tls_in.certificate_verified },
763 { "tls_cipher", vtype_stringptr, &tls_in.cipher },
764
765 { "tls_in_bits", vtype_int, &tls_in.bits },
766 { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
767 { "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
768 { "tls_in_cipher_std", vtype_stringptr, &tls_in.cipher_stdname },
769 { "tls_in_ocsp", vtype_int, &tls_in.ocsp },
770 { "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
771 { "tls_in_peercert", vtype_cert, &tls_in.peercert },
772 { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
773 #ifdef EXPERIMENTAL_TLS_RESUME
774 { "tls_in_resumption", vtype_int, &tls_in.resumption },
775 #endif
776 #ifndef DISABLE_TLS
777 { "tls_in_sni", vtype_stringptr, &tls_in.sni },
778 #endif
779 { "tls_out_bits", vtype_int, &tls_out.bits },
780 { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
781 { "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
782 { "tls_out_cipher_std", vtype_stringptr, &tls_out.cipher_stdname },
783 #ifdef SUPPORT_DANE
784 { "tls_out_dane", vtype_bool, &tls_out.dane_verified },
785 #endif
786 { "tls_out_ocsp", vtype_int, &tls_out.ocsp },
787 { "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
788 { "tls_out_peercert", vtype_cert, &tls_out.peercert },
789 { "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
790 #ifdef EXPERIMENTAL_TLS_RESUME
791 { "tls_out_resumption", vtype_int, &tls_out.resumption },
792 #endif
793 #ifndef DISABLE_TLS
794 { "tls_out_sni", vtype_stringptr, &tls_out.sni },
795 #endif
796 #ifdef SUPPORT_DANE
797 { "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage },
798 #endif
799
800 { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
801 #ifndef DISABLE_TLS
802 { "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
803 #endif
804
805 { "tod_bsdinbox", vtype_todbsdin, NULL },
806 { "tod_epoch", vtype_tode, NULL },
807 { "tod_epoch_l", vtype_todel, NULL },
808 { "tod_full", vtype_todf, NULL },
809 { "tod_log", vtype_todl, NULL },
810 { "tod_logfile", vtype_todlf, NULL },
811 { "tod_zone", vtype_todzone, NULL },
812 { "tod_zulu", vtype_todzulu, NULL },
813 { "transport_name", vtype_stringptr, &transport_name },
814 { "value", vtype_stringptr, &lookup_value },
815 { "verify_mode", vtype_stringptr, &verify_mode },
816 { "version_number", vtype_stringptr, &version_string },
817 { "warn_message_delay", vtype_stringptr, &warnmsg_delay },
818 { "warn_message_recipient",vtype_stringptr, &warnmsg_recipients },
819 { "warn_message_recipients",vtype_stringptr,&warnmsg_recipients },
820 { "warnmsg_delay", vtype_stringptr, &warnmsg_delay },
821 { "warnmsg_recipient", vtype_stringptr, &warnmsg_recipients },
822 { "warnmsg_recipients", vtype_stringptr, &warnmsg_recipients }
823 };
824
825 static int var_table_size = nelem(var_table);
826 static uschar var_buffer[256];
827 static BOOL malformed_header;
828
829 /* For textual hashes */
830
831 static const char *hashcodes = "abcdefghijklmnopqrtsuvwxyz"
832 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
833 "0123456789";
834
835 enum { HMAC_MD5, HMAC_SHA1 };
836
837 /* For numeric hashes */
838
839 static unsigned int prime[] = {
840 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
841 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
842 73, 79, 83, 89, 97, 101, 103, 107, 109, 113};
843
844 /* For printing modes in symbolic form */
845
846 static uschar *mtable_normal[] =
847 { US"---", US"--x", US"-w-", US"-wx", US"r--", US"r-x", US"rw-", US"rwx" };
848
849 static uschar *mtable_setid[] =
850 { US"--S", US"--s", US"-wS", US"-ws", US"r-S", US"r-s", US"rwS", US"rws" };
851
852 static uschar *mtable_sticky[] =
853 { US"--T", US"--t", US"-wT", US"-wt", US"r-T", US"r-t", US"rwT", US"rwt" };
854
855 /* flags for find_header() */
856 #define FH_EXISTS_ONLY BIT(0)
857 #define FH_WANT_RAW BIT(1)
858 #define FH_WANT_LIST BIT(2)
859
860
861 /*************************************************
862 * Tables for UTF-8 support *
863 *************************************************/
864
865 /* Table of the number of extra characters, indexed by the first character
866 masked with 0x3f. The highest number for a valid UTF-8 character is in fact
867 0x3d. */
868
869 static uschar utf8_table1[] = {
870 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
871 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
872 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
873 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5 };
874
875 /* These are the masks for the data bits in the first byte of a character,
876 indexed by the number of additional bytes. */
877
878 static int utf8_table2[] = { 0xff, 0x1f, 0x0f, 0x07, 0x03, 0x01};
879
880 /* Get the next UTF-8 character, advancing the pointer. */
881
882 #define GETUTF8INC(c, ptr) \
883 c = *ptr++; \
884 if ((c & 0xc0) == 0xc0) \
885 { \
886 int a = utf8_table1[c & 0x3f]; /* Number of additional bytes */ \
887 int s = 6*a; \
888 c = (c & utf8_table2[a]) << s; \
889 while (a-- > 0) \
890 { \
891 s -= 6; \
892 c |= (*ptr++ & 0x3f) << s; \
893 } \
894 }
895
896
897
898 static uschar * base32_chars = US"abcdefghijklmnopqrstuvwxyz234567";
899
900 /*************************************************
901 * Binary chop search on a table *
902 *************************************************/
903
904 /* This is used for matching expansion items and operators.
905
906 Arguments:
907 name the name that is being sought
908 table the table to search
909 table_size the number of items in the table
910
911 Returns: the offset in the table, or -1
912 */
913
914 static int
915 chop_match(uschar *name, uschar **table, int table_size)
916 {
917 uschar **bot = table;
918 uschar **top = table + table_size;
919
920 while (top > bot)
921 {
922 uschar **mid = bot + (top - bot)/2;
923 int c = Ustrcmp(name, *mid);
924 if (c == 0) return mid - table;
925 if (c > 0) bot = mid + 1; else top = mid;
926 }
927
928 return -1;
929 }
930
931
932
933 /*************************************************
934 * Check a condition string *
935 *************************************************/
936
937 /* This function is called to expand a string, and test the result for a "true"
938 or "false" value. Failure of the expansion yields FALSE; logged unless it was a
939 forced fail or lookup defer.
940
941 We used to release all store used, but this is not not safe due
942 to ${dlfunc } and ${acl }. In any case expand_string_internal()
943 is reasonably careful to release what it can.
944
945 The actual false-value tests should be replicated for ECOND_BOOL_LAX.
946
947 Arguments:
948 condition the condition string
949 m1 text to be incorporated in panic error
950 m2 ditto
951
952 Returns: TRUE if condition is met, FALSE if not
953 */
954
955 BOOL
956 expand_check_condition(uschar *condition, uschar *m1, uschar *m2)
957 {
958 uschar * ss = expand_string(condition);
959 if (!ss)
960 {
961 if (!f.expand_string_forcedfail && !f.search_find_defer)
962 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand condition \"%s\" "
963 "for %s %s: %s", condition, m1, m2, expand_string_message);
964 return FALSE;
965 }
966 return *ss && Ustrcmp(ss, "0") != 0 && strcmpic(ss, US"no") != 0 &&
967 strcmpic(ss, US"false") != 0;
968 }
969
970
971
972
973 /*************************************************
974 * Pseudo-random number generation *
975 *************************************************/
976
977 /* Pseudo-random number generation. The result is not "expected" to be
978 cryptographically strong but not so weak that someone will shoot themselves
979 in the foot using it as a nonce in some email header scheme or whatever
980 weirdness they'll twist this into. The result should ideally handle fork().
981
982 However, if we're stuck unable to provide this, then we'll fall back to
983 appallingly bad randomness.
984
985 If DISABLE_TLS is not defined then this will not be used except as an emergency
986 fallback.
987
988 Arguments:
989 max range maximum
990 Returns a random number in range [0, max-1]
991 */
992
993 #ifndef DISABLE_TLS
994 # define vaguely_random_number vaguely_random_number_fallback
995 #endif
996 int
997 vaguely_random_number(int max)
998 {
999 #ifndef DISABLE_TLS
1000 # undef vaguely_random_number
1001 #endif
1002 static pid_t pid = 0;
1003 pid_t p2;
1004
1005 if ((p2 = getpid()) != pid)
1006 {
1007 if (pid != 0)
1008 {
1009
1010 #ifdef HAVE_ARC4RANDOM
1011 /* cryptographically strong randomness, common on *BSD platforms, not
1012 so much elsewhere. Alas. */
1013 # ifndef NOT_HAVE_ARC4RANDOM_STIR
1014 arc4random_stir();
1015 # endif
1016 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
1017 # ifdef HAVE_SRANDOMDEV
1018 /* uses random(4) for seeding */
1019 srandomdev();
1020 # else
1021 {
1022 struct timeval tv;
1023 gettimeofday(&tv, NULL);
1024 srandom(tv.tv_sec | tv.tv_usec | getpid());
1025 }
1026 # endif
1027 #else
1028 /* Poor randomness and no seeding here */
1029 #endif
1030
1031 }
1032 pid = p2;
1033 }
1034
1035 #ifdef HAVE_ARC4RANDOM
1036 return arc4random() % max;
1037 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
1038 return random() % max;
1039 #else
1040 /* This one returns a 16-bit number, definitely not crypto-strong */
1041 return random_number(max);
1042 #endif
1043 }
1044
1045
1046
1047
1048 /*************************************************
1049 * Pick out a name from a string *
1050 *************************************************/
1051
1052 /* If the name is too long, it is silently truncated.
1053
1054 Arguments:
1055 name points to a buffer into which to put the name
1056 max is the length of the buffer
1057 s points to the first alphabetic character of the name
1058 extras chars other than alphanumerics to permit
1059
1060 Returns: pointer to the first character after the name
1061
1062 Note: The test for *s != 0 in the while loop is necessary because
1063 Ustrchr() yields non-NULL if the character is zero (which is not something
1064 I expected). */
1065
1066 static const uschar *
1067 read_name(uschar *name, int max, const uschar *s, uschar *extras)
1068 {
1069 int ptr = 0;
1070 while (*s && (isalnum(*s) || Ustrchr(extras, *s) != NULL))
1071 {
1072 if (ptr < max-1) name[ptr++] = *s;
1073 s++;
1074 }
1075 name[ptr] = 0;
1076 return s;
1077 }
1078
1079
1080
1081 /*************************************************
1082 * Pick out the rest of a header name *
1083 *************************************************/
1084
1085 /* A variable name starting $header_ (or just $h_ for those who like
1086 abbreviations) might not be the complete header name because headers can
1087 contain any printing characters in their names, except ':'. This function is
1088 called to read the rest of the name, chop h[eader]_ off the front, and put ':'
1089 on the end, if the name was terminated by white space.
1090
1091 Arguments:
1092 name points to a buffer in which the name read so far exists
1093 max is the length of the buffer
1094 s points to the first character after the name so far, i.e. the
1095 first non-alphameric character after $header_xxxxx
1096
1097 Returns: a pointer to the first character after the header name
1098 */
1099
1100 static const uschar *
1101 read_header_name(uschar *name, int max, const uschar *s)
1102 {
1103 int prelen = Ustrchr(name, '_') - name + 1;
1104 int ptr = Ustrlen(name) - prelen;
1105 if (ptr > 0) memmove(name, name+prelen, ptr);
1106 while (mac_isgraph(*s) && *s != ':')
1107 {
1108 if (ptr < max-1) name[ptr++] = *s;
1109 s++;
1110 }
1111 if (*s == ':') s++;
1112 name[ptr++] = ':';
1113 name[ptr] = 0;
1114 return s;
1115 }
1116
1117
1118
1119 /*************************************************
1120 * Pick out a number from a string *
1121 *************************************************/
1122
1123 /* Arguments:
1124 n points to an integer into which to put the number
1125 s points to the first digit of the number
1126
1127 Returns: a pointer to the character after the last digit
1128 */
1129 /*XXX consider expanding to int_eximarith_t. But the test for
1130 "overbig numbers" in 0002 still needs to overflow it. */
1131
1132 static uschar *
1133 read_number(int *n, uschar *s)
1134 {
1135 *n = 0;
1136 while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
1137 return s;
1138 }
1139
1140 static const uschar *
1141 read_cnumber(int *n, const uschar *s)
1142 {
1143 *n = 0;
1144 while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
1145 return s;
1146 }
1147
1148
1149
1150 /*************************************************
1151 * Extract keyed subfield from a string *
1152 *************************************************/
1153
1154 /* The yield is in dynamic store; NULL means that the key was not found.
1155
1156 Arguments:
1157 key points to the name of the key
1158 s points to the string from which to extract the subfield
1159
1160 Returns: NULL if the subfield was not found, or
1161 a pointer to the subfield's data
1162 */
1163
1164 static uschar *
1165 expand_getkeyed(uschar * key, const uschar * s)
1166 {
1167 int length = Ustrlen(key);
1168 while (isspace(*s)) s++;
1169
1170 /* Loop to search for the key */
1171
1172 while (*s)
1173 {
1174 int dkeylength;
1175 uschar * data;
1176 const uschar * dkey = s;
1177
1178 while (*s && *s != '=' && !isspace(*s)) s++;
1179 dkeylength = s - dkey;
1180 while (isspace(*s)) s++;
1181 if (*s == '=') while (isspace((*(++s))));
1182
1183 data = string_dequote(&s);
1184 if (length == dkeylength && strncmpic(key, dkey, length) == 0)
1185 return data;
1186
1187 while (isspace(*s)) s++;
1188 }
1189
1190 return NULL;
1191 }
1192
1193
1194
1195 static var_entry *
1196 find_var_ent(uschar * name)
1197 {
1198 int first = 0;
1199 int last = var_table_size;
1200
1201 while (last > first)
1202 {
1203 int middle = (first + last)/2;
1204 int c = Ustrcmp(name, var_table[middle].name);
1205
1206 if (c > 0) { first = middle + 1; continue; }
1207 if (c < 0) { last = middle; continue; }
1208 return &var_table[middle];
1209 }
1210 return NULL;
1211 }
1212
1213 /*************************************************
1214 * Extract numbered subfield from string *
1215 *************************************************/
1216
1217 /* Extracts a numbered field from a string that is divided by tokens - for
1218 example a line from /etc/passwd is divided by colon characters. First field is
1219 numbered one. Negative arguments count from the right. Zero returns the whole
1220 string. Returns NULL if there are insufficient tokens in the string
1221
1222 ***WARNING***
1223 Modifies final argument - this is a dynamically generated string, so that's OK.
1224
1225 Arguments:
1226 field number of field to be extracted,
1227 first field = 1, whole string = 0, last field = -1
1228 separators characters that are used to break string into tokens
1229 s points to the string from which to extract the subfield
1230
1231 Returns: NULL if the field was not found,
1232 a pointer to the field's data inside s (modified to add 0)
1233 */
1234
1235 static uschar *
1236 expand_gettokened (int field, uschar *separators, uschar *s)
1237 {
1238 int sep = 1;
1239 int count;
1240 uschar *ss = s;
1241 uschar *fieldtext = NULL;
1242
1243 if (field == 0) return s;
1244
1245 /* Break the line up into fields in place; for field > 0 we stop when we have
1246 done the number of fields we want. For field < 0 we continue till the end of
1247 the string, counting the number of fields. */
1248
1249 count = (field > 0)? field : INT_MAX;
1250
1251 while (count-- > 0)
1252 {
1253 size_t len;
1254
1255 /* Previous field was the last one in the string. For a positive field
1256 number, this means there are not enough fields. For a negative field number,
1257 check that there are enough, and scan back to find the one that is wanted. */
1258
1259 if (sep == 0)
1260 {
1261 if (field > 0 || (-field) > (INT_MAX - count - 1)) return NULL;
1262 if ((-field) == (INT_MAX - count - 1)) return s;
1263 while (field++ < 0)
1264 {
1265 ss--;
1266 while (ss[-1] != 0) ss--;
1267 }
1268 fieldtext = ss;
1269 break;
1270 }
1271
1272 /* Previous field was not last in the string; save its start and put a
1273 zero at its end. */
1274
1275 fieldtext = ss;
1276 len = Ustrcspn(ss, separators);
1277 sep = ss[len];
1278 ss[len] = 0;
1279 ss += len + 1;
1280 }
1281
1282 return fieldtext;
1283 }
1284
1285
1286 static uschar *
1287 expand_getlistele(int field, const uschar * list)
1288 {
1289 const uschar * tlist = list;
1290 int sep = 0;
1291 uschar dummy;
1292
1293 if (field < 0)
1294 {
1295 for (field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
1296 sep = 0;
1297 }
1298 if (field == 0) return NULL;
1299 while (--field > 0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
1300 return string_nextinlist(&list, &sep, NULL, 0);
1301 }
1302
1303
1304 /* Certificate fields, by name. Worry about by-OID later */
1305 /* Names are chosen to not have common prefixes */
1306
1307 #ifndef DISABLE_TLS
1308 typedef struct
1309 {
1310 uschar * name;
1311 int namelen;
1312 uschar * (*getfn)(void * cert, uschar * mod);
1313 } certfield;
1314 static certfield certfields[] =
1315 { /* linear search; no special order */
1316 { US"version", 7, &tls_cert_version },
1317 { US"serial_number", 13, &tls_cert_serial_number },
1318 { US"subject", 7, &tls_cert_subject },
1319 { US"notbefore", 9, &tls_cert_not_before },
1320 { US"notafter", 8, &tls_cert_not_after },
1321 { US"issuer", 6, &tls_cert_issuer },
1322 { US"signature", 9, &tls_cert_signature },
1323 { US"sig_algorithm", 13, &tls_cert_signature_algorithm },
1324 { US"subj_altname", 12, &tls_cert_subject_altname },
1325 { US"ocsp_uri", 8, &tls_cert_ocsp_uri },
1326 { US"crl_uri", 7, &tls_cert_crl_uri },
1327 };
1328
1329 static uschar *
1330 expand_getcertele(uschar * field, uschar * certvar)
1331 {
1332 var_entry * vp;
1333
1334 if (!(vp = find_var_ent(certvar)))
1335 {
1336 expand_string_message =
1337 string_sprintf("no variable named \"%s\"", certvar);
1338 return NULL; /* Unknown variable name */
1339 }
1340 /* NB this stops us passing certs around in variable. Might
1341 want to do that in future */
1342 if (vp->type != vtype_cert)
1343 {
1344 expand_string_message =
1345 string_sprintf("\"%s\" is not a certificate", certvar);
1346 return NULL; /* Unknown variable name */
1347 }
1348 if (!*(void **)vp->value)
1349 return NULL;
1350
1351 if (*field >= '0' && *field <= '9')
1352 return tls_cert_ext_by_oid(*(void **)vp->value, field, 0);
1353
1354 for (certfield * cp = certfields;
1355 cp < certfields + nelem(certfields);
1356 cp++)
1357 if (Ustrncmp(cp->name, field, cp->namelen) == 0)
1358 {
1359 uschar * modifier = *(field += cp->namelen) == ','
1360 ? ++field : NULL;
1361 return (*cp->getfn)( *(void **)vp->value, modifier );
1362 }
1363
1364 expand_string_message =
1365 string_sprintf("bad field selector \"%s\" for certextract", field);
1366 return NULL;
1367 }
1368 #endif /*DISABLE_TLS*/
1369
1370 /*************************************************
1371 * Extract a substring from a string *
1372 *************************************************/
1373
1374 /* Perform the ${substr or ${length expansion operations.
1375
1376 Arguments:
1377 subject the input string
1378 value1 the offset from the start of the input string to the start of
1379 the output string; if negative, count from the right.
1380 value2 the length of the output string, or negative (-1) for unset
1381 if value1 is positive, unset means "all after"
1382 if value1 is negative, unset means "all before"
1383 len set to the length of the returned string
1384
1385 Returns: pointer to the output string, or NULL if there is an error
1386 */
1387
1388 static uschar *
1389 extract_substr(uschar *subject, int value1, int value2, int *len)
1390 {
1391 int sublen = Ustrlen(subject);
1392
1393 if (value1 < 0) /* count from right */
1394 {
1395 value1 += sublen;
1396
1397 /* If the position is before the start, skip to the start, and adjust the
1398 length. If the length ends up negative, the substring is null because nothing
1399 can precede. This falls out naturally when the length is unset, meaning "all
1400 to the left". */
1401
1402 if (value1 < 0)
1403 {
1404 value2 += value1;
1405 if (value2 < 0) value2 = 0;
1406 value1 = 0;
1407 }
1408
1409 /* Otherwise an unset length => characters before value1 */
1410
1411 else if (value2 < 0)
1412 {
1413 value2 = value1;
1414 value1 = 0;
1415 }
1416 }
1417
1418 /* For a non-negative offset, if the starting position is past the end of the
1419 string, the result will be the null string. Otherwise, an unset length means
1420 "rest"; just set it to the maximum - it will be cut down below if necessary. */
1421
1422 else
1423 {
1424 if (value1 > sublen)
1425 {
1426 value1 = sublen;
1427 value2 = 0;
1428 }
1429 else if (value2 < 0) value2 = sublen;
1430 }
1431
1432 /* Cut the length down to the maximum possible for the offset value, and get
1433 the required characters. */
1434
1435 if (value1 + value2 > sublen) value2 = sublen - value1;
1436 *len = value2;
1437 return subject + value1;
1438 }
1439
1440
1441
1442
1443 /*************************************************
1444 * Old-style hash of a string *
1445 *************************************************/
1446
1447 /* Perform the ${hash expansion operation.
1448
1449 Arguments:
1450 subject the input string (an expanded substring)
1451 value1 the length of the output string; if greater or equal to the
1452 length of the input string, the input string is returned
1453 value2 the number of hash characters to use, or 26 if negative
1454 len set to the length of the returned string
1455
1456 Returns: pointer to the output string, or NULL if there is an error
1457 */
1458
1459 static uschar *
1460 compute_hash(uschar *subject, int value1, int value2, int *len)
1461 {
1462 int sublen = Ustrlen(subject);
1463
1464 if (value2 < 0) value2 = 26;
1465 else if (value2 > Ustrlen(hashcodes))
1466 {
1467 expand_string_message =
1468 string_sprintf("hash count \"%d\" too big", value2);
1469 return NULL;
1470 }
1471
1472 /* Calculate the hash text. We know it is shorter than the original string, so
1473 can safely place it in subject[] (we know that subject is always itself an
1474 expanded substring). */
1475
1476 if (value1 < sublen)
1477 {
1478 int c;
1479 int i = 0;
1480 int j = value1;
1481 while ((c = (subject[j])) != 0)
1482 {
1483 int shift = (c + j++) & 7;
1484 subject[i] ^= (c << shift) | (c >> (8-shift));
1485 if (++i >= value1) i = 0;
1486 }
1487 for (i = 0; i < value1; i++)
1488 subject[i] = hashcodes[(subject[i]) % value2];
1489 }
1490 else value1 = sublen;
1491
1492 *len = value1;
1493 return subject;
1494 }
1495
1496
1497
1498
1499 /*************************************************
1500 * Numeric hash of a string *
1501 *************************************************/
1502
1503 /* Perform the ${nhash expansion operation. The first characters of the
1504 string are treated as most important, and get the highest prime numbers.
1505
1506 Arguments:
1507 subject the input string
1508 value1 the maximum value of the first part of the result
1509 value2 the maximum value of the second part of the result,
1510 or negative to produce only a one-part result
1511 len set to the length of the returned string
1512
1513 Returns: pointer to the output string, or NULL if there is an error.
1514 */
1515
1516 static uschar *
1517 compute_nhash (uschar *subject, int value1, int value2, int *len)
1518 {
1519 uschar *s = subject;
1520 int i = 0;
1521 unsigned long int total = 0; /* no overflow */
1522
1523 while (*s != 0)
1524 {
1525 if (i == 0) i = nelem(prime) - 1;
1526 total += prime[i--] * (unsigned int)(*s++);
1527 }
1528
1529 /* If value2 is unset, just compute one number */
1530
1531 if (value2 < 0)
1532 s = string_sprintf("%lu", total % value1);
1533
1534 /* Otherwise do a div/mod hash */
1535
1536 else
1537 {
1538 total = total % (value1 * value2);
1539 s = string_sprintf("%lu/%lu", total/value2, total % value2);
1540 }
1541
1542 *len = Ustrlen(s);
1543 return s;
1544 }
1545
1546
1547
1548
1549
1550 /*************************************************
1551 * Find the value of a header or headers *
1552 *************************************************/
1553
1554 /* Multiple instances of the same header get concatenated, and this function
1555 can also return a concatenation of all the header lines. When concatenating
1556 specific headers that contain lists of addresses, a comma is inserted between
1557 them. Otherwise we use a straight concatenation. Because some messages can have
1558 pathologically large number of lines, there is a limit on the length that is
1559 returned.
1560
1561 Arguments:
1562 name the name of the header, without the leading $header_ or $h_,
1563 or NULL if a concatenation of all headers is required
1564 newsize return the size of memory block that was obtained; may be NULL
1565 if exists_only is TRUE
1566 flags FH_EXISTS_ONLY
1567 set if called from a def: test; don't need to build a string;
1568 just return a string that is not "" and not "0" if the header
1569 exists
1570 FH_WANT_RAW
1571 set if called for $rh_ or $rheader_ items; no processing,
1572 other than concatenating, will be done on the header. Also used
1573 for $message_headers_raw.
1574 FH_WANT_LIST
1575 Double colon chars in the content, and replace newline with
1576 colon between each element when concatenating; returning a
1577 colon-sep list (elements might contain newlines)
1578 charset name of charset to translate MIME words to; used only if
1579 want_raw is false; if NULL, no translation is done (this is
1580 used for $bh_ and $bheader_)
1581
1582 Returns: NULL if the header does not exist, else a pointer to a new
1583 store block
1584 */
1585
1586 static uschar *
1587 find_header(uschar *name, int *newsize, unsigned flags, uschar *charset)
1588 {
1589 BOOL found = !name;
1590 int len = name ? Ustrlen(name) : 0;
1591 BOOL comma = FALSE;
1592 gstring * g = NULL;
1593
1594 for (header_line * h = header_list; h; h = h->next)
1595 if (h->type != htype_old && h->text) /* NULL => Received: placeholder */
1596 if (!name || (len <= h->slen && strncmpic(name, h->text, len) == 0))
1597 {
1598 uschar * s, * t;
1599 size_t inc;
1600
1601 if (flags & FH_EXISTS_ONLY)
1602 return US"1"; /* don't need actual string */
1603
1604 found = TRUE;
1605 s = h->text + len; /* text to insert */
1606 if (!(flags & FH_WANT_RAW)) /* unless wanted raw, */
1607 while (isspace(*s)) s++; /* remove leading white space */
1608 t = h->text + h->slen; /* end-point */
1609
1610 /* Unless wanted raw, remove trailing whitespace, including the
1611 newline. */
1612
1613 if (flags & FH_WANT_LIST)
1614 while (t > s && t[-1] == '\n') t--;
1615 else if (!(flags & FH_WANT_RAW))
1616 {
1617 while (t > s && isspace(t[-1])) t--;
1618
1619 /* Set comma if handling a single header and it's one of those
1620 that contains an address list, except when asked for raw headers. Only
1621 need to do this once. */
1622
1623 if (name && !comma && Ustrchr("BCFRST", h->type)) comma = TRUE;
1624 }
1625
1626 /* Trim the header roughly if we're approaching limits */
1627 inc = t - s;
1628 if ((g ? g->ptr : 0) + inc > header_insert_maxlen)
1629 inc = header_insert_maxlen - (g ? g->ptr : 0);
1630
1631 /* For raw just copy the data; for a list, add the data as a colon-sep
1632 list-element; for comma-list add as an unchecked comma,newline sep
1633 list-elemment; for other nonraw add as an unchecked newline-sep list (we
1634 stripped trailing WS above including the newline). We ignore the potential
1635 expansion due to colon-doubling, just leaving the loop if the limit is met
1636 or exceeded. */
1637
1638 if (flags & FH_WANT_LIST)
1639 g = string_append_listele_n(g, ':', s, (unsigned)inc);
1640 else if (flags & FH_WANT_RAW)
1641 {
1642 g = string_catn(g, s, (unsigned)inc);
1643 (void) string_from_gstring(g);
1644 }
1645 else if (inc > 0)
1646 if (comma)
1647 g = string_append2_listele_n(g, US",\n", s, (unsigned)inc);
1648 else
1649 g = string_append2_listele_n(g, US"\n", s, (unsigned)inc);
1650
1651 if (g && g->ptr >= header_insert_maxlen) break;
1652 }
1653
1654 if (!found) return NULL; /* No header found */
1655 if (!g) return US"";
1656
1657 /* That's all we do for raw header expansion. */
1658
1659 *newsize = g->size;
1660 if (flags & FH_WANT_RAW)
1661 return g->s;
1662
1663 /* Otherwise do RFC 2047 decoding, translating the charset if requested.
1664 The rfc2047_decode2() function can return an error with decoded data if the
1665 charset translation fails. If decoding fails, it returns NULL. */
1666
1667 else
1668 {
1669 uschar *decoded, *error;
1670
1671 decoded = rfc2047_decode2(g->s, check_rfc2047_length, charset, '?', NULL,
1672 newsize, &error);
1673 if (error)
1674 {
1675 DEBUG(D_any) debug_printf("*** error in RFC 2047 decoding: %s\n"
1676 " input was: %s\n", error, g->s);
1677 }
1678 return decoded ? decoded : g->s;
1679 }
1680 }
1681
1682
1683
1684
1685 /* Append a "local" element to an Authentication-Results: header
1686 if this was a non-smtp message.
1687 */
1688
1689 static gstring *
1690 authres_local(gstring * g, const uschar * sysname)
1691 {
1692 if (!f.authentication_local)
1693 return g;
1694 g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")");
1695 if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id);
1696 return g;
1697 }
1698
1699
1700 /* Append an "iprev" element to an Authentication-Results: header
1701 if we have attempted to get the calling host's name.
1702 */
1703
1704 static gstring *
1705 authres_iprev(gstring * g)
1706 {
1707 if (sender_host_name)
1708 g = string_append(g, 3, US";\n\tiprev=pass (", sender_host_name, US")");
1709 else if (host_lookup_deferred)
1710 g = string_catn(g, US";\n\tiprev=temperror", 19);
1711 else if (host_lookup_failed)
1712 g = string_catn(g, US";\n\tiprev=fail", 13);
1713 else
1714 return g;
1715
1716 if (sender_host_address)
1717 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1718 return g;
1719 }
1720
1721
1722
1723 /*************************************************
1724 * Return list of recipients *
1725 *************************************************/
1726 /* A recipients list is available only during system message filtering,
1727 during ACL processing after DATA, and while expanding pipe commands
1728 generated from a system filter, but not elsewhere. */
1729
1730 static uschar *
1731 fn_recipients(void)
1732 {
1733 uschar * s;
1734 gstring * g = NULL;
1735
1736 if (!f.enable_dollar_recipients) return NULL;
1737
1738 for (int i = 0; i < recipients_count; i++)
1739 {
1740 s = recipients_list[i].address;
1741 g = string_append2_listele_n(g, US", ", s, Ustrlen(s));
1742 }
1743 return g ? g->s : NULL;
1744 }
1745
1746
1747 /*************************************************
1748 * Find value of a variable *
1749 *************************************************/
1750
1751 /* The table of variables is kept in alphabetic order, so we can search it
1752 using a binary chop. The "choplen" variable is nothing to do with the binary
1753 chop.
1754
1755 Arguments:
1756 name the name of the variable being sought
1757 exists_only TRUE if this is a def: test; passed on to find_header()
1758 skipping TRUE => skip any processing evaluation; this is not the same as
1759 exists_only because def: may test for values that are first
1760 evaluated here
1761 newsize pointer to an int which is initially zero; if the answer is in
1762 a new memory buffer, *newsize is set to its size
1763
1764 Returns: NULL if the variable does not exist, or
1765 a pointer to the variable's contents, or
1766 something non-NULL if exists_only is TRUE
1767 */
1768
1769 static uschar *
1770 find_variable(uschar *name, BOOL exists_only, BOOL skipping, int *newsize)
1771 {
1772 var_entry * vp;
1773 uschar *s, *domain;
1774 uschar **ss;
1775 void * val;
1776
1777 /* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx.
1778 Originally, xxx had to be a number in the range 0-9 (later 0-19), but from
1779 release 4.64 onwards arbitrary names are permitted, as long as the first 5
1780 characters are acl_c or acl_m and the sixth is either a digit or an underscore
1781 (this gave backwards compatibility at the changeover). There may be built-in
1782 variables whose names start acl_ but they should never start in this way. This
1783 slightly messy specification is a consequence of the history, needless to say.
1784
1785 If an ACL variable does not exist, treat it as empty, unless strict_acl_vars is
1786 set, in which case give an error. */
1787
1788 if ((Ustrncmp(name, "acl_c", 5) == 0 || Ustrncmp(name, "acl_m", 5) == 0) &&
1789 !isalpha(name[5]))
1790 {
1791 tree_node * node =
1792 tree_search(name[4] == 'c' ? acl_var_c : acl_var_m, name + 4);
1793 return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
1794 }
1795 else if (Ustrncmp(name, "r_", 2) == 0)
1796 {
1797 tree_node * node = tree_search(router_var, name + 2);
1798 return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
1799 }
1800
1801 /* Handle $auth<n> variables. */
1802
1803 if (Ustrncmp(name, "auth", 4) == 0)
1804 {
1805 uschar *endptr;
1806 int n = Ustrtoul(name + 4, &endptr, 10);
1807 if (*endptr == 0 && n != 0 && n <= AUTH_VARS)
1808 return !auth_vars[n-1] ? US"" : auth_vars[n-1];
1809 }
1810 else if (Ustrncmp(name, "regex", 5) == 0)
1811 {
1812 uschar *endptr;
1813 int n = Ustrtoul(name + 5, &endptr, 10);
1814 if (*endptr == 0 && n != 0 && n <= REGEX_VARS)
1815 return !regex_vars[n-1] ? US"" : regex_vars[n-1];
1816 }
1817
1818 /* For all other variables, search the table */
1819
1820 if (!(vp = find_var_ent(name)))
1821 return NULL; /* Unknown variable name */
1822
1823 /* Found an existing variable. If in skipping state, the value isn't needed,
1824 and we want to avoid processing (such as looking up the host name). */
1825
1826 if (skipping)
1827 return US"";
1828
1829 val = vp->value;
1830 switch (vp->type)
1831 {
1832 case vtype_filter_int:
1833 if (!f.filter_running) return NULL;
1834 /* Fall through */
1835 /* VVVVVVVVVVVV */
1836 case vtype_int:
1837 sprintf(CS var_buffer, "%d", *(int *)(val)); /* Integer */
1838 return var_buffer;
1839
1840 case vtype_ino:
1841 sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(val))); /* Inode */
1842 return var_buffer;
1843
1844 case vtype_gid:
1845 sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(val))); /* gid */
1846 return var_buffer;
1847
1848 case vtype_uid:
1849 sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(val))); /* uid */
1850 return var_buffer;
1851
1852 case vtype_bool:
1853 sprintf(CS var_buffer, "%s", *(BOOL *)(val) ? "yes" : "no"); /* bool */
1854 return var_buffer;
1855
1856 case vtype_stringptr: /* Pointer to string */
1857 return (s = *((uschar **)(val))) ? s : US"";
1858
1859 case vtype_pid:
1860 sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */
1861 return var_buffer;
1862
1863 case vtype_load_avg:
1864 sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */
1865 return var_buffer;
1866
1867 case vtype_host_lookup: /* Lookup if not done so */
1868 if ( !sender_host_name && sender_host_address
1869 && !host_lookup_failed && host_name_lookup() == OK)
1870 host_build_sender_fullhost();
1871 return sender_host_name ? sender_host_name : US"";
1872
1873 case vtype_localpart: /* Get local part from address */
1874 if (!(s = *((uschar **)(val)))) return US"";
1875 if (!(domain = Ustrrchr(s, '@'))) return s;
1876 if (domain - s > sizeof(var_buffer) - 1)
1877 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT
1878 " in string expansion", sizeof(var_buffer));
1879 return string_copyn(s, domain - s);
1880
1881 case vtype_domain: /* Get domain from address */
1882 if (!(s = *((uschar **)(val)))) return US"";
1883 domain = Ustrrchr(s, '@');
1884 return domain ? domain + 1 : US"";
1885
1886 case vtype_msgheaders:
1887 return find_header(NULL, newsize, exists_only ? FH_EXISTS_ONLY : 0, NULL);
1888
1889 case vtype_msgheaders_raw:
1890 return find_header(NULL, newsize,
1891 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW, NULL);
1892
1893 case vtype_msgbody: /* Pointer to msgbody string */
1894 case vtype_msgbody_end: /* Ditto, the end of the msg */
1895 ss = (uschar **)(val);
1896 if (!*ss && deliver_datafile >= 0) /* Read body when needed */
1897 {
1898 uschar *body;
1899 off_t start_offset = SPOOL_DATA_START_OFFSET;
1900 int len = message_body_visible;
1901 if (len > message_size) len = message_size;
1902 *ss = body = store_malloc(len+1);
1903 body[0] = 0;
1904 if (vp->type == vtype_msgbody_end)
1905 {
1906 struct stat statbuf;
1907 if (fstat(deliver_datafile, &statbuf) == 0)
1908 {
1909 start_offset = statbuf.st_size - len;
1910 if (start_offset < SPOOL_DATA_START_OFFSET)
1911 start_offset = SPOOL_DATA_START_OFFSET;
1912 }
1913 }
1914 if (lseek(deliver_datafile, start_offset, SEEK_SET) < 0)
1915 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "deliver_datafile lseek: %s",
1916 strerror(errno));
1917 len = read(deliver_datafile, body, len);
1918 if (len > 0)
1919 {
1920 body[len] = 0;
1921 if (message_body_newlines) /* Separate loops for efficiency */
1922 while (len > 0)
1923 { if (body[--len] == 0) body[len] = ' '; }
1924 else
1925 while (len > 0)
1926 { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; }
1927 }
1928 }
1929 return *ss ? *ss : US"";
1930
1931 case vtype_todbsdin: /* BSD inbox time of day */
1932 return tod_stamp(tod_bsdin);
1933
1934 case vtype_tode: /* Unix epoch time of day */
1935 return tod_stamp(tod_epoch);
1936
1937 case vtype_todel: /* Unix epoch/usec time of day */
1938 return tod_stamp(tod_epoch_l);
1939
1940 case vtype_todf: /* Full time of day */
1941 return tod_stamp(tod_full);
1942
1943 case vtype_todl: /* Log format time of day */
1944 return tod_stamp(tod_log_bare); /* (without timezone) */
1945
1946 case vtype_todzone: /* Time zone offset only */
1947 return tod_stamp(tod_zone);
1948
1949 case vtype_todzulu: /* Zulu time */
1950 return tod_stamp(tod_zulu);
1951
1952 case vtype_todlf: /* Log file datestamp tod */
1953 return tod_stamp(tod_log_datestamp_daily);
1954
1955 case vtype_reply: /* Get reply address */
1956 s = find_header(US"reply-to:", newsize,
1957 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
1958 headers_charset);
1959 if (s) while (isspace(*s)) s++;
1960 if (!s || !*s)
1961 {
1962 *newsize = 0; /* For the *s==0 case */
1963 s = find_header(US"from:", newsize,
1964 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
1965 headers_charset);
1966 }
1967 if (s)
1968 {
1969 uschar *t;
1970 while (isspace(*s)) s++;
1971 for (t = s; *t != 0; t++) if (*t == '\n') *t = ' ';
1972 while (t > s && isspace(t[-1])) t--;
1973 *t = 0;
1974 }
1975 return s ? s : US"";
1976
1977 case vtype_string_func:
1978 {
1979 stringptr_fn_t * fn = (stringptr_fn_t *) val;
1980 return fn();
1981 }
1982
1983 case vtype_pspace:
1984 {
1985 int inodes;
1986 sprintf(CS var_buffer, PR_EXIM_ARITH,
1987 receive_statvfs(val == (void *)TRUE, &inodes));
1988 }
1989 return var_buffer;
1990
1991 case vtype_pinodes:
1992 {
1993 int inodes;
1994 (void) receive_statvfs(val == (void *)TRUE, &inodes);
1995 sprintf(CS var_buffer, "%d", inodes);
1996 }
1997 return var_buffer;
1998
1999 case vtype_cert:
2000 return *(void **)val ? US"<cert>" : US"";
2001
2002 #ifndef DISABLE_DKIM
2003 case vtype_dkim:
2004 return dkim_exim_expand_query((int)(long)val);
2005 #endif
2006
2007 }
2008
2009 return NULL; /* Unknown variable. Silences static checkers. */
2010 }
2011
2012
2013
2014
2015 void
2016 modify_variable(uschar *name, void * value)
2017 {
2018 var_entry * vp;
2019 if ((vp = find_var_ent(name))) vp->value = value;
2020 return; /* Unknown variable name, fail silently */
2021 }
2022
2023
2024
2025
2026
2027
2028 /*************************************************
2029 * Read and expand substrings *
2030 *************************************************/
2031
2032 /* This function is called to read and expand argument substrings for various
2033 expansion items. Some have a minimum requirement that is less than the maximum;
2034 in these cases, the first non-present one is set to NULL.
2035
2036 Arguments:
2037 sub points to vector of pointers to set
2038 n maximum number of substrings
2039 m minimum required
2040 sptr points to current string pointer
2041 skipping the skipping flag
2042 check_end if TRUE, check for final '}'
2043 name name of item, for error message
2044 resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
2045 the store.
2046
2047 Returns: 0 OK; string pointer updated
2048 1 curly bracketing error (too few arguments)
2049 2 too many arguments (only if check_end is set); message set
2050 3 other error (expansion failure)
2051 */
2052
2053 static int
2054 read_subs(uschar **sub, int n, int m, const uschar **sptr, BOOL skipping,
2055 BOOL check_end, uschar *name, BOOL *resetok)
2056 {
2057 const uschar *s = *sptr;
2058
2059 while (isspace(*s)) s++;
2060 for (int i = 0; i < n; i++)
2061 {
2062 if (*s != '{')
2063 {
2064 if (i < m)
2065 {
2066 expand_string_message = string_sprintf("Not enough arguments for '%s' "
2067 "(min is %d)", name, m);
2068 return 1;
2069 }
2070 sub[i] = NULL;
2071 break;
2072 }
2073 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, resetok)))
2074 return 3;
2075 if (*s++ != '}') return 1;
2076 while (isspace(*s)) s++;
2077 }
2078 if (check_end && *s++ != '}')
2079 {
2080 if (s[-1] == '{')
2081 {
2082 expand_string_message = string_sprintf("Too many arguments for '%s' "
2083 "(max is %d)", name, n);
2084 return 2;
2085 }
2086 expand_string_message = string_sprintf("missing '}' after '%s'", name);
2087 return 1;
2088 }
2089
2090 *sptr = s;
2091 return 0;
2092 }
2093
2094
2095
2096
2097 /*************************************************
2098 * Elaborate message for bad variable *
2099 *************************************************/
2100
2101 /* For the "unknown variable" message, take a look at the variable's name, and
2102 give additional information about possible ACL variables. The extra information
2103 is added on to expand_string_message.
2104
2105 Argument: the name of the variable
2106 Returns: nothing
2107 */
2108
2109 static void
2110 check_variable_error_message(uschar *name)
2111 {
2112 if (Ustrncmp(name, "acl_", 4) == 0)
2113 expand_string_message = string_sprintf("%s (%s)", expand_string_message,
2114 (name[4] == 'c' || name[4] == 'm')?
2115 (isalpha(name[5])?
2116 US"6th character of a user-defined ACL variable must be a digit or underscore" :
2117 US"strict_acl_vars is set" /* Syntax is OK, it has to be this */
2118 ) :
2119 US"user-defined ACL variables must start acl_c or acl_m");
2120 }
2121
2122
2123
2124 /*
2125 Load args from sub array to globals, and call acl_check().
2126 Sub array will be corrupted on return.
2127
2128 Returns: OK access is granted by an ACCEPT verb
2129 DISCARD access is (apparently) granted by a DISCARD verb
2130 FAIL access is denied
2131 FAIL_DROP access is denied; drop the connection
2132 DEFER can't tell at the moment
2133 ERROR disaster
2134 */
2135 static int
2136 eval_acl(uschar ** sub, int nsub, uschar ** user_msgp)
2137 {
2138 int i;
2139 int sav_narg = acl_narg;
2140 int ret;
2141 uschar * dummy_logmsg;
2142 extern int acl_where;
2143
2144 if(--nsub > nelem(acl_arg)) nsub = nelem(acl_arg);
2145 for (i = 0; i < nsub && sub[i+1]; i++)
2146 {
2147 uschar * tmp = acl_arg[i];
2148 acl_arg[i] = sub[i+1]; /* place callers args in the globals */
2149 sub[i+1] = tmp; /* stash the old args using our caller's storage */
2150 }
2151 acl_narg = i;
2152 while (i < nsub)
2153 {
2154 sub[i+1] = acl_arg[i];
2155 acl_arg[i++] = NULL;
2156 }
2157
2158 DEBUG(D_expand)
2159 debug_printf_indent("expanding: acl: %s arg: %s%s\n",
2160 sub[0],
2161 acl_narg>0 ? acl_arg[0] : US"<none>",
2162 acl_narg>1 ? " +more" : "");
2163
2164 ret = acl_eval(acl_where, sub[0], user_msgp, &dummy_logmsg);
2165
2166 for (i = 0; i < nsub; i++)
2167 acl_arg[i] = sub[i+1]; /* restore old args */
2168 acl_narg = sav_narg;
2169
2170 return ret;
2171 }
2172
2173
2174
2175
2176 /* Return pointer to dewrapped string, with enclosing specified chars removed.
2177 The given string is modified on return. Leading whitespace is skipped while
2178 looking for the opening wrap character, then the rest is scanned for the trailing
2179 (non-escaped) wrap character. A backslash in the string will act as an escape.
2180
2181 A nul is written over the trailing wrap, and a pointer to the char after the
2182 leading wrap is returned.
2183
2184 Arguments:
2185 s String for de-wrapping
2186 wrap Two-char string, the first being the opener, second the closer wrapping
2187 character
2188 Return:
2189 Pointer to de-wrapped string, or NULL on error (with expand_string_message set).
2190 */
2191
2192 static uschar *
2193 dewrap(uschar * s, const uschar * wrap)
2194 {
2195 uschar * p = s;
2196 unsigned depth = 0;
2197 BOOL quotesmode = wrap[0] == wrap[1];
2198
2199 while (isspace(*p)) p++;
2200
2201 if (*p == *wrap)
2202 {
2203 s = ++p;
2204 wrap++;
2205 while (*p)
2206 {
2207 if (*p == '\\') p++;
2208 else if (!quotesmode && *p == wrap[-1]) depth++;
2209 else if (*p == *wrap)
2210 if (depth == 0)
2211 {
2212 *p = '\0';
2213 return s;
2214 }
2215 else
2216 depth--;
2217 p++;
2218 }
2219 }
2220 expand_string_message = string_sprintf("missing '%c'", *wrap);
2221 return NULL;
2222 }
2223
2224
2225 /* Pull off the leading array or object element, returning
2226 a copy in an allocated string. Update the list pointer.
2227
2228 The element may itself be an abject or array.
2229 Return NULL when the list is empty.
2230 */
2231
2232 static uschar *
2233 json_nextinlist(const uschar ** list)
2234 {
2235 unsigned array_depth = 0, object_depth = 0;
2236 const uschar * s = *list, * item;
2237
2238 while (isspace(*s)) s++;
2239
2240 for (item = s;
2241 *s && (*s != ',' || array_depth != 0 || object_depth != 0);
2242 s++)
2243 switch (*s)
2244 {
2245 case '[': array_depth++; break;
2246 case ']': array_depth--; break;
2247 case '{': object_depth++; break;
2248 case '}': object_depth--; break;
2249 }
2250 *list = *s ? s+1 : s;
2251 if (item == s) return NULL;
2252 item = string_copyn(item, s - item);
2253 DEBUG(D_expand) debug_printf_indent(" json ele: '%s'\n", item);
2254 return US item;
2255 }
2256
2257
2258
2259 /************************************************/
2260 /* Return offset in ops table, or -1 if not found.
2261 Repoint to just after the operator in the string.
2262
2263 Argument:
2264 ss string representation of operator
2265 opname split-out operator name
2266 */
2267
2268 static int
2269 identify_operator(const uschar ** ss, uschar ** opname)
2270 {
2271 const uschar * s = *ss;
2272 uschar name[256];
2273
2274 /* Numeric comparisons are symbolic */
2275
2276 if (*s == '=' || *s == '>' || *s == '<')
2277 {
2278 int p = 0;
2279 name[p++] = *s++;
2280 if (*s == '=')
2281 {
2282 name[p++] = '=';
2283 s++;
2284 }
2285 name[p] = 0;
2286 }
2287
2288 /* All other conditions are named */
2289
2290 else
2291 s = read_name(name, sizeof(name), s, US"_");
2292 *ss = s;
2293
2294 /* If we haven't read a name, it means some non-alpha character is first. */
2295
2296 if (!name[0])
2297 {
2298 expand_string_message = string_sprintf("condition name expected, "
2299 "but found \"%.16s\"", s);
2300 return -1;
2301 }
2302 if (opname)
2303 *opname = string_copy(name);
2304
2305 return chop_match(name, cond_table, nelem(cond_table));
2306 }
2307
2308
2309 /*************************************************
2310 * Handle MD5 or SHA-1 computation for HMAC *
2311 *************************************************/
2312
2313 /* These are some wrapping functions that enable the HMAC code to be a bit
2314 cleaner. A good compiler will spot the tail recursion.
2315
2316 Arguments:
2317 type HMAC_MD5 or HMAC_SHA1
2318 remaining are as for the cryptographic hash functions
2319
2320 Returns: nothing
2321 */
2322
2323 static void
2324 chash_start(int type, void * base)
2325 {
2326 if (type == HMAC_MD5)
2327 md5_start((md5 *)base);
2328 else
2329 sha1_start((hctx *)base);
2330 }
2331
2332 static void
2333 chash_mid(int type, void * base, const uschar * string)
2334 {
2335 if (type == HMAC_MD5)
2336 md5_mid((md5 *)base, string);
2337 else
2338 sha1_mid((hctx *)base, string);
2339 }
2340
2341 static void
2342 chash_end(int type, void * base, const uschar * string, int length,
2343 uschar * digest)
2344 {
2345 if (type == HMAC_MD5)
2346 md5_end((md5 *)base, string, length, digest);
2347 else
2348 sha1_end((hctx *)base, string, length, digest);
2349 }
2350
2351
2352
2353
2354 /* Do an hmac_md5. The result is _not_ nul-terminated, and is sized as
2355 the smaller of a full hmac_md5 result (16 bytes) or the supplied output buffer.
2356
2357 Arguments:
2358 key encoding key, nul-terminated
2359 src data to be hashed, nul-terminated
2360 buf output buffer
2361 len size of output buffer
2362 */
2363
2364 static void
2365 hmac_md5(const uschar * key, const uschar * src, uschar * buf, unsigned len)
2366 {
2367 md5 md5_base;
2368 const uschar * keyptr;
2369 uschar * p;
2370 unsigned int keylen;
2371
2372 #define MD5_HASHLEN 16
2373 #define MD5_HASHBLOCKLEN 64
2374
2375 uschar keyhash[MD5_HASHLEN];
2376 uschar innerhash[MD5_HASHLEN];
2377 uschar finalhash[MD5_HASHLEN];
2378 uschar innerkey[MD5_HASHBLOCKLEN];
2379 uschar outerkey[MD5_HASHBLOCKLEN];
2380
2381 keyptr = key;
2382 keylen = Ustrlen(keyptr);
2383
2384 /* If the key is longer than the hash block length, then hash the key
2385 first */
2386
2387 if (keylen > MD5_HASHBLOCKLEN)
2388 {
2389 chash_start(HMAC_MD5, &md5_base);
2390 chash_end(HMAC_MD5, &md5_base, keyptr, keylen, keyhash);
2391 keyptr = keyhash;
2392 keylen = MD5_HASHLEN;
2393 }
2394
2395 /* Now make the inner and outer key values */
2396
2397 memset(innerkey, 0x36, MD5_HASHBLOCKLEN);
2398 memset(outerkey, 0x5c, MD5_HASHBLOCKLEN);
2399
2400 for (int i = 0; i < keylen; i++)
2401 {
2402 innerkey[i] ^= keyptr[i];
2403 outerkey[i] ^= keyptr[i];
2404 }
2405
2406 /* Now do the hashes */
2407
2408 chash_start(HMAC_MD5, &md5_base);
2409 chash_mid(HMAC_MD5, &md5_base, innerkey);
2410 chash_end(HMAC_MD5, &md5_base, src, Ustrlen(src), innerhash);
2411
2412 chash_start(HMAC_MD5, &md5_base);
2413 chash_mid(HMAC_MD5, &md5_base, outerkey);
2414 chash_end(HMAC_MD5, &md5_base, innerhash, MD5_HASHLEN, finalhash);
2415
2416 /* Encode the final hash as a hex string, limited by output buffer size */
2417
2418 p = buf;
2419 for (int i = 0, j = len; i < MD5_HASHLEN; i++)
2420 {
2421 if (j-- <= 0) break;
2422 *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
2423 if (j-- <= 0) break;
2424 *p++ = hex_digits[finalhash[i] & 0x0f];
2425 }
2426 return;
2427 }
2428
2429
2430 /*************************************************
2431 * Read and evaluate a condition *
2432 *************************************************/
2433
2434 /*
2435 Arguments:
2436 s points to the start of the condition text
2437 resetok points to a BOOL which is written false if it is unsafe to
2438 free memory. Certain condition types (acl) may have side-effect
2439 allocation which must be preserved.
2440 yield points to a BOOL to hold the result of the condition test;
2441 if NULL, we are just reading through a condition that is
2442 part of an "or" combination to check syntax, or in a state
2443 where the answer isn't required
2444
2445 Returns: a pointer to the first character after the condition, or
2446 NULL after an error
2447 */
2448
2449 static const uschar *
2450 eval_condition(const uschar *s, BOOL *resetok, BOOL *yield)
2451 {
2452 BOOL testfor = TRUE;
2453 BOOL tempcond, combined_cond;
2454 BOOL *subcondptr;
2455 BOOL sub2_honour_dollar = TRUE;
2456 BOOL is_forany, is_json, is_jsons;
2457 int rc, cond_type, roffset;
2458 int_eximarith_t num[2];
2459 struct stat statbuf;
2460 uschar * opname;
2461 uschar name[256];
2462 const uschar *sub[10];
2463
2464 const pcre *re;
2465 const uschar *rerror;
2466
2467 for (;;)
2468 {
2469 while (isspace(*s)) s++;
2470 if (*s == '!') { testfor = !testfor; s++; } else break;
2471 }
2472
2473 switch(cond_type = identify_operator(&s, &opname))
2474 {
2475 /* def: tests for a non-empty variable, or for the existence of a header. If
2476 yield == NULL we are in a skipping state, and don't care about the answer. */
2477
2478 case ECOND_DEF:
2479 {
2480 uschar * t;
2481
2482 if (*s != ':')
2483 {
2484 expand_string_message = US"\":\" expected after \"def\"";
2485 return NULL;
2486 }
2487
2488 s = read_name(name, sizeof(name), s+1, US"_");
2489
2490 /* Test for a header's existence. If the name contains a closing brace
2491 character, this may be a user error where the terminating colon has been
2492 omitted. Set a flag to adjust a subsequent error message in this case. */
2493
2494 if ( ( *(t = name) == 'h'
2495 || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
2496 )
2497 && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
2498 )
2499 {
2500 s = read_header_name(name, sizeof(name), s);
2501 /* {-for-text-editors */
2502 if (Ustrchr(name, '}') != NULL) malformed_header = TRUE;
2503 if (yield) *yield =
2504 (find_header(name, NULL, FH_EXISTS_ONLY, NULL) != NULL) == testfor;
2505 }
2506
2507 /* Test for a variable's having a non-empty value. A non-existent variable
2508 causes an expansion failure. */
2509
2510 else
2511 {
2512 if (!(t = find_variable(name, TRUE, yield == NULL, NULL)))
2513 {
2514 expand_string_message = name[0]
2515 ? string_sprintf("unknown variable \"%s\" after \"def:\"", name)
2516 : US"variable name omitted after \"def:\"";
2517 check_variable_error_message(name);
2518 return NULL;
2519 }
2520 if (yield) *yield = (t[0] != 0) == testfor;
2521 }
2522
2523 return s;
2524 }
2525
2526
2527 /* first_delivery tests for first delivery attempt */
2528
2529 case ECOND_FIRST_DELIVERY:
2530 if (yield) *yield = f.deliver_firsttime == testfor;
2531 return s;
2532
2533
2534 /* queue_running tests for any process started by a queue runner */
2535
2536 case ECOND_QUEUE_RUNNING:
2537 if (yield) *yield = (queue_run_pid != (pid_t)0) == testfor;
2538 return s;
2539
2540
2541 /* exists: tests for file existence
2542 isip: tests for any IP address
2543 isip4: tests for an IPv4 address
2544 isip6: tests for an IPv6 address
2545 pam: does PAM authentication
2546 radius: does RADIUS authentication
2547 ldapauth: does LDAP authentication
2548 pwcheck: does Cyrus SASL pwcheck authentication
2549 */
2550
2551 case ECOND_EXISTS:
2552 case ECOND_ISIP:
2553 case ECOND_ISIP4:
2554 case ECOND_ISIP6:
2555 case ECOND_PAM:
2556 case ECOND_RADIUS:
2557 case ECOND_LDAPAUTH:
2558 case ECOND_PWCHECK:
2559
2560 while (isspace(*s)) s++;
2561 if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
2562
2563 sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE, resetok);
2564 if (!sub[0]) return NULL;
2565 /* {-for-text-editors */
2566 if (*s++ != '}') goto COND_FAILED_CURLY_END;
2567
2568 if (!yield) return s; /* No need to run the test if skipping */
2569
2570 switch(cond_type)
2571 {
2572 case ECOND_EXISTS:
2573 if ((expand_forbid & RDO_EXISTS) != 0)
2574 {
2575 expand_string_message = US"File existence tests are not permitted";
2576 return NULL;
2577 }
2578 *yield = (Ustat(sub[0], &statbuf) == 0) == testfor;
2579 break;
2580
2581 case ECOND_ISIP:
2582 case ECOND_ISIP4:
2583 case ECOND_ISIP6:
2584 rc = string_is_ip_address(sub[0], NULL);
2585 *yield = ((cond_type == ECOND_ISIP)? (rc != 0) :
2586 (cond_type == ECOND_ISIP4)? (rc == 4) : (rc == 6)) == testfor;
2587 break;
2588
2589 /* Various authentication tests - all optionally compiled */
2590
2591 case ECOND_PAM:
2592 #ifdef SUPPORT_PAM
2593 rc = auth_call_pam(sub[0], &expand_string_message);
2594 goto END_AUTH;
2595 #else
2596 goto COND_FAILED_NOT_COMPILED;
2597 #endif /* SUPPORT_PAM */
2598
2599 case ECOND_RADIUS:
2600 #ifdef RADIUS_CONFIG_FILE
2601 rc = auth_call_radius(sub[0], &expand_string_message);
2602 goto END_AUTH;
2603 #else
2604 goto COND_FAILED_NOT_COMPILED;
2605 #endif /* RADIUS_CONFIG_FILE */
2606
2607 case ECOND_LDAPAUTH:
2608 #ifdef LOOKUP_LDAP
2609 {
2610 /* Just to keep the interface the same */
2611 BOOL do_cache;
2612 int old_pool = store_pool;
2613 store_pool = POOL_SEARCH;
2614 rc = eldapauth_find((void *)(-1), NULL, sub[0], Ustrlen(sub[0]), NULL,
2615 &expand_string_message, &do_cache);
2616 store_pool = old_pool;
2617 }
2618 goto END_AUTH;
2619 #else
2620 goto COND_FAILED_NOT_COMPILED;
2621 #endif /* LOOKUP_LDAP */
2622
2623 case ECOND_PWCHECK:
2624 #ifdef CYRUS_PWCHECK_SOCKET
2625 rc = auth_call_pwcheck(sub[0], &expand_string_message);
2626 goto END_AUTH;
2627 #else
2628 goto COND_FAILED_NOT_COMPILED;
2629 #endif /* CYRUS_PWCHECK_SOCKET */
2630
2631 #if defined(SUPPORT_PAM) || defined(RADIUS_CONFIG_FILE) || \
2632 defined(LOOKUP_LDAP) || defined(CYRUS_PWCHECK_SOCKET)
2633 END_AUTH:
2634 if (rc == ERROR || rc == DEFER) return NULL;
2635 *yield = (rc == OK) == testfor;
2636 #endif
2637 }
2638 return s;
2639
2640
2641 /* call ACL (in a conditional context). Accept true, deny false.
2642 Defer is a forced-fail. Anything set by message= goes to $value.
2643 Up to ten parameters are used; we use the braces round the name+args
2644 like the saslauthd condition does, to permit a variable number of args.
2645 See also the expansion-item version EITEM_ACL and the traditional
2646 acl modifier ACLC_ACL.
2647 Since the ACL may allocate new global variables, tell our caller to not
2648 reclaim memory.
2649 */
2650
2651 case ECOND_ACL:
2652 /* ${if acl {{name}{arg1}{arg2}...} {yes}{no}} */
2653 {
2654 uschar *sub[10];
2655 uschar *user_msg;
2656 BOOL cond = FALSE;
2657
2658 while (isspace(*s)) s++;
2659 if (*s++ != '{') goto COND_FAILED_CURLY_START; /*}*/
2660
2661 switch(read_subs(sub, nelem(sub), 1,
2662 &s, yield == NULL, TRUE, US"acl", resetok))
2663 {
2664 case 1: expand_string_message = US"too few arguments or bracketing "
2665 "error for acl";
2666 case 2:
2667 case 3: return NULL;
2668 }
2669
2670 if (yield)
2671 {
2672 int rc;
2673 *resetok = FALSE; /* eval_acl() might allocate; do not reclaim */
2674 switch(rc = eval_acl(sub, nelem(sub), &user_msg))
2675 {
2676 case OK:
2677 cond = TRUE;
2678 case FAIL:
2679 lookup_value = NULL;
2680 if (user_msg)
2681 lookup_value = string_copy(user_msg);
2682 *yield = cond == testfor;
2683 break;
2684
2685 case DEFER:
2686 f.expand_string_forcedfail = TRUE;
2687 /*FALLTHROUGH*/
2688 default:
2689 expand_string_message = string_sprintf("%s from acl \"%s\"",
2690 rc_names[rc], sub[0]);
2691 return NULL;
2692 }
2693 }
2694 return s;
2695 }
2696
2697
2698 /* saslauthd: does Cyrus saslauthd authentication. Four parameters are used:
2699
2700 ${if saslauthd {{username}{password}{service}{realm}} {yes}{no}}
2701
2702 However, the last two are optional. That is why the whole set is enclosed
2703 in their own set of braces. */
2704
2705 case ECOND_SASLAUTHD:
2706 #ifndef CYRUS_SASLAUTHD_SOCKET
2707 goto COND_FAILED_NOT_COMPILED;
2708 #else
2709 {
2710 uschar *sub[4];
2711 while (isspace(*s)) s++;
2712 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
2713 switch(read_subs(sub, nelem(sub), 2, &s, yield == NULL, TRUE, US"saslauthd",
2714 resetok))
2715 {
2716 case 1: expand_string_message = US"too few arguments or bracketing "
2717 "error for saslauthd";
2718 case 2:
2719 case 3: return NULL;
2720 }
2721 if (!sub[2]) sub[3] = NULL; /* realm if no service */
2722 if (yield)
2723 {
2724 int rc = auth_call_saslauthd(sub[0], sub[1], sub[2], sub[3],
2725 &expand_string_message);
2726 if (rc == ERROR || rc == DEFER) return NULL;
2727 *yield = (rc == OK) == testfor;
2728 }
2729 return s;
2730 }
2731 #endif /* CYRUS_SASLAUTHD_SOCKET */
2732
2733
2734 /* symbolic operators for numeric and string comparison, and a number of
2735 other operators, all requiring two arguments.
2736
2737 crypteq: encrypts plaintext and compares against an encrypted text,
2738 using crypt(), crypt16(), MD5 or SHA-1
2739 inlist/inlisti: checks if first argument is in the list of the second
2740 match: does a regular expression match and sets up the numerical
2741 variables if it succeeds
2742 match_address: matches in an address list
2743 match_domain: matches in a domain list
2744 match_ip: matches a host list that is restricted to IP addresses
2745 match_local_part: matches in a local part list
2746 */
2747
2748 case ECOND_MATCH_ADDRESS:
2749 case ECOND_MATCH_DOMAIN:
2750 case ECOND_MATCH_IP:
2751 case ECOND_MATCH_LOCAL_PART:
2752 #ifndef EXPAND_LISTMATCH_RHS
2753 sub2_honour_dollar = FALSE;
2754 #endif
2755 /* FALLTHROUGH */
2756
2757 case ECOND_CRYPTEQ:
2758 case ECOND_INLIST:
2759 case ECOND_INLISTI:
2760 case ECOND_MATCH:
2761
2762 case ECOND_NUM_L: /* Numerical comparisons */
2763 case ECOND_NUM_LE:
2764 case ECOND_NUM_E:
2765 case ECOND_NUM_EE:
2766 case ECOND_NUM_G:
2767 case ECOND_NUM_GE:
2768
2769 case ECOND_STR_LT: /* String comparisons */
2770 case ECOND_STR_LTI:
2771 case ECOND_STR_LE:
2772 case ECOND_STR_LEI:
2773 case ECOND_STR_EQ:
2774 case ECOND_STR_EQI:
2775 case ECOND_STR_GT:
2776 case ECOND_STR_GTI:
2777 case ECOND_STR_GE:
2778 case ECOND_STR_GEI:
2779
2780 for (int i = 0; i < 2; i++)
2781 {
2782 /* Sometimes, we don't expand substrings; too many insecure configurations
2783 created using match_address{}{} and friends, where the second param
2784 includes information from untrustworthy sources. */
2785 BOOL honour_dollar = TRUE;
2786 if ((i > 0) && !sub2_honour_dollar)
2787 honour_dollar = FALSE;
2788
2789 while (isspace(*s)) s++;
2790 if (*s != '{')
2791 {
2792 if (i == 0) goto COND_FAILED_CURLY_START;
2793 expand_string_message = string_sprintf("missing 2nd string in {} "
2794 "after \"%s\"", opname);
2795 return NULL;
2796 }
2797 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
2798 honour_dollar, resetok)))
2799 return NULL;
2800 DEBUG(D_expand) if (i == 1 && !sub2_honour_dollar && Ustrchr(sub[1], '$'))
2801 debug_printf_indent("WARNING: the second arg is NOT expanded,"
2802 " for security reasons\n");
2803 if (*s++ != '}') goto COND_FAILED_CURLY_END;
2804
2805 /* Convert to numerical if required; we know that the names of all the
2806 conditions that compare numbers do not start with a letter. This just saves
2807 checking for them individually. */
2808
2809 if (!isalpha(opname[0]) && yield)
2810 if (sub[i][0] == 0)
2811 {
2812 num[i] = 0;
2813 DEBUG(D_expand)
2814 debug_printf_indent("empty string cast to zero for numerical comparison\n");
2815 }
2816 else
2817 {
2818 num[i] = expanded_string_integer(sub[i], FALSE);
2819 if (expand_string_message) return NULL;
2820 }
2821 }
2822
2823 /* Result not required */
2824
2825 if (!yield) return s;
2826
2827 /* Do an appropriate comparison */
2828
2829 switch(cond_type)
2830 {
2831 case ECOND_NUM_E:
2832 case ECOND_NUM_EE:
2833 tempcond = (num[0] == num[1]);
2834 break;
2835
2836 case ECOND_NUM_G:
2837 tempcond = (num[0] > num[1]);
2838 break;
2839
2840 case ECOND_NUM_GE:
2841 tempcond = (num[0] >= num[1]);
2842 break;
2843
2844 case ECOND_NUM_L:
2845 tempcond = (num[0] < num[1]);
2846 break;
2847
2848 case ECOND_NUM_LE:
2849 tempcond = (num[0] <= num[1]);
2850 break;
2851
2852 case ECOND_STR_LT:
2853 tempcond = (Ustrcmp(sub[0], sub[1]) < 0);
2854 break;
2855
2856 case ECOND_STR_LTI:
2857 tempcond = (strcmpic(sub[0], sub[1]) < 0);
2858 break;
2859
2860 case ECOND_STR_LE:
2861 tempcond = (Ustrcmp(sub[0], sub[1]) <= 0);
2862 break;
2863
2864 case ECOND_STR_LEI:
2865 tempcond = (strcmpic(sub[0], sub[1]) <= 0);
2866 break;
2867
2868 case ECOND_STR_EQ:
2869 tempcond = (Ustrcmp(sub[0], sub[1]) == 0);
2870 break;
2871
2872 case ECOND_STR_EQI:
2873 tempcond = (strcmpic(sub[0], sub[1]) == 0);
2874 break;
2875
2876 case ECOND_STR_GT:
2877 tempcond = (Ustrcmp(sub[0], sub[1]) > 0);
2878 break;
2879
2880 case ECOND_STR_GTI:
2881 tempcond = (strcmpic(sub[0], sub[1]) > 0);
2882 break;
2883
2884 case ECOND_STR_GE:
2885 tempcond = (Ustrcmp(sub[0], sub[1]) >= 0);
2886 break;
2887
2888 case ECOND_STR_GEI:
2889 tempcond = (strcmpic(sub[0], sub[1]) >= 0);
2890 break;
2891
2892 case ECOND_MATCH: /* Regular expression match */
2893 if (!(re = pcre_compile(CS sub[1], PCRE_COPT, (const char **)&rerror,
2894 &roffset, NULL)))
2895 {
2896 expand_string_message = string_sprintf("regular expression error in "
2897 "\"%s\": %s at offset %d", sub[1], rerror, roffset);
2898 return NULL;
2899 }
2900 tempcond = regex_match_and_setup(re, sub[0], 0, -1);
2901 break;
2902
2903 case ECOND_MATCH_ADDRESS: /* Match in an address list */
2904 rc = match_address_list(sub[0], TRUE, FALSE, &(sub[1]), NULL, -1, 0, NULL);
2905 goto MATCHED_SOMETHING;
2906
2907 case ECOND_MATCH_DOMAIN: /* Match in a domain list */
2908 rc = match_isinlist(sub[0], &(sub[1]), 0, &domainlist_anchor, NULL,
2909 MCL_DOMAIN + MCL_NOEXPAND, TRUE, NULL);
2910 goto MATCHED_SOMETHING;
2911
2912 case ECOND_MATCH_IP: /* Match IP address in a host list */
2913 if (sub[0][0] != 0 && string_is_ip_address(sub[0], NULL) == 0)
2914 {
2915 expand_string_message = string_sprintf("\"%s\" is not an IP address",
2916 sub[0]);
2917 return NULL;
2918 }
2919 else
2920 {
2921 unsigned int *nullcache = NULL;
2922 check_host_block cb;
2923
2924 cb.host_name = US"";
2925 cb.host_address = sub[0];
2926
2927 /* If the host address starts off ::ffff: it is an IPv6 address in
2928 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
2929 addresses. */
2930
2931 cb.host_ipv4 = (Ustrncmp(cb.host_address, "::ffff:", 7) == 0)?
2932 cb.host_address + 7 : cb.host_address;
2933
2934 rc = match_check_list(
2935 &sub[1], /* the list */
2936 0, /* separator character */
2937 &hostlist_anchor, /* anchor pointer */
2938 &nullcache, /* cache pointer */
2939 check_host, /* function for testing */
2940 &cb, /* argument for function */
2941 MCL_HOST, /* type of check */
2942 sub[0], /* text for debugging */
2943 NULL); /* where to pass back data */
2944 }
2945 goto MATCHED_SOMETHING;
2946
2947 case ECOND_MATCH_LOCAL_PART:
2948 rc = match_isinlist(sub[0], &(sub[1]), 0, &localpartlist_anchor, NULL,
2949 MCL_LOCALPART + MCL_NOEXPAND, TRUE, NULL);
2950 /* Fall through */
2951 /* VVVVVVVVVVVV */
2952 MATCHED_SOMETHING:
2953 switch(rc)
2954 {
2955 case OK:
2956 tempcond = TRUE;
2957 break;
2958
2959 case FAIL:
2960 tempcond = FALSE;
2961 break;
2962
2963 case DEFER:
2964 expand_string_message = string_sprintf("unable to complete match "
2965 "against \"%s\": %s", sub[1], search_error_message);
2966 return NULL;
2967 }
2968
2969 break;
2970
2971 /* Various "encrypted" comparisons. If the second string starts with
2972 "{" then an encryption type is given. Default to crypt() or crypt16()
2973 (build-time choice). */
2974 /* }-for-text-editors */
2975
2976 case ECOND_CRYPTEQ:
2977 #ifndef SUPPORT_CRYPTEQ
2978 goto COND_FAILED_NOT_COMPILED;
2979 #else
2980 if (strncmpic(sub[1], US"{md5}", 5) == 0)
2981 {
2982 int sublen = Ustrlen(sub[1]+5);
2983 md5 base;
2984 uschar digest[16];
2985
2986 md5_start(&base);
2987 md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
2988
2989 /* If the length that we are comparing against is 24, the MD5 digest
2990 is expressed as a base64 string. This is the way LDAP does it. However,
2991 some other software uses a straightforward hex representation. We assume
2992 this if the length is 32. Other lengths fail. */
2993
2994 if (sublen == 24)
2995 {
2996 uschar *coded = b64encode(CUS digest, 16);
2997 DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
2998 " subject=%s\n crypted=%s\n", coded, sub[1]+5);
2999 tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
3000 }
3001 else if (sublen == 32)
3002 {
3003 uschar coded[36];
3004 for (int i = 0; i < 16; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
3005 coded[32] = 0;
3006 DEBUG(D_auth) debug_printf("crypteq: using MD5+hex hashing\n"
3007 " subject=%s\n crypted=%s\n", coded, sub[1]+5);
3008 tempcond = (strcmpic(coded, sub[1]+5) == 0);
3009 }
3010 else
3011 {
3012 DEBUG(D_auth) debug_printf("crypteq: length for MD5 not 24 or 32: "
3013 "fail\n crypted=%s\n", sub[1]+5);
3014 tempcond = FALSE;
3015 }
3016 }
3017
3018 else if (strncmpic(sub[1], US"{sha1}", 6) == 0)
3019 {
3020 int sublen = Ustrlen(sub[1]+6);
3021 hctx h;
3022 uschar digest[20];
3023
3024 sha1_start(&h);
3025 sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
3026
3027 /* If the length that we are comparing against is 28, assume the SHA1
3028 digest is expressed as a base64 string. If the length is 40, assume a
3029 straightforward hex representation. Other lengths fail. */
3030
3031 if (sublen == 28)
3032 {
3033 uschar *coded = b64encode(CUS digest, 20);
3034 DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
3035 " subject=%s\n crypted=%s\n", coded, sub[1]+6);
3036 tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
3037 }
3038 else if (sublen == 40)
3039 {
3040 uschar coded[44];
3041 for (int i = 0; i < 20; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
3042 coded[40] = 0;
3043 DEBUG(D_auth) debug_printf("crypteq: using SHA1+hex hashing\n"
3044 " subject=%s\n crypted=%s\n", coded, sub[1]+6);
3045 tempcond = (strcmpic(coded, sub[1]+6) == 0);
3046 }
3047 else
3048 {
3049 DEBUG(D_auth) debug_printf("crypteq: length for SHA-1 not 28 or 40: "
3050 "fail\n crypted=%s\n", sub[1]+6);
3051 tempcond = FALSE;
3052 }
3053 }
3054
3055 else /* {crypt} or {crypt16} and non-{ at start */
3056 /* }-for-text-editors */
3057 {
3058 int which = 0;
3059 uschar *coded;
3060
3061 if (strncmpic(sub[1], US"{crypt}", 7) == 0)
3062 {
3063 sub[1] += 7;
3064 which = 1;
3065 }
3066 else if (strncmpic(sub[1], US"{crypt16}", 9) == 0)
3067 {
3068 sub[1] += 9;
3069 which = 2;
3070 }
3071 else if (sub[1][0] == '{') /* }-for-text-editors */
3072 {
3073 expand_string_message = string_sprintf("unknown encryption mechanism "
3074 "in \"%s\"", sub[1]);
3075 return NULL;
3076 }
3077
3078 switch(which)
3079 {
3080 case 0: coded = US DEFAULT_CRYPT(CS sub[0], CS sub[1]); break;
3081 case 1: coded = US crypt(CS sub[0], CS sub[1]); break;
3082 default: coded = US crypt16(CS sub[0], CS sub[1]); break;
3083 }
3084
3085 #define STR(s) # s
3086 #define XSTR(s) STR(s)
3087 DEBUG(D_auth) debug_printf("crypteq: using %s()\n"
3088 " subject=%s\n crypted=%s\n",
3089 which == 0 ? XSTR(DEFAULT_CRYPT) : which == 1 ? "crypt" : "crypt16",
3090 coded, sub[1]);
3091 #undef STR
3092 #undef XSTR
3093
3094 /* If the encrypted string contains fewer than two characters (for the
3095 salt), force failure. Otherwise we get false positives: with an empty
3096 string the yield of crypt() is an empty string! */
3097
3098 if (coded)
3099 tempcond = Ustrlen(sub[1]) < 2 ? FALSE : Ustrcmp(coded, sub[1]) == 0;
3100 else if (errno == EINVAL)
3101 tempcond = FALSE;
3102 else
3103 {
3104 expand_string_message = string_sprintf("crypt error: %s\n",
3105 US strerror(errno));
3106 return NULL;
3107 }
3108 }
3109 break;
3110 #endif /* SUPPORT_CRYPTEQ */
3111
3112 case ECOND_INLIST:
3113 case ECOND_INLISTI:
3114 {
3115 const uschar * list = sub[1];
3116 int sep = 0;
3117 uschar *save_iterate_item = iterate_item;
3118 int (*compare)(const uschar *, const uschar *);
3119
3120 DEBUG(D_expand) debug_printf_indent("condition: %s item: %s\n", opname, sub[0]);
3121
3122 tempcond = FALSE;
3123 compare = cond_type == ECOND_INLISTI
3124 ? strcmpic : (int (*)(const uschar *, const uschar *)) strcmp;
3125
3126 while ((iterate_item = string_nextinlist(&list, &sep, NULL, 0)))
3127 {
3128 DEBUG(D_expand) debug_printf_indent(" compare %s\n", iterate_item);
3129 if (compare(sub[0], iterate_item) == 0)
3130 {
3131 tempcond = TRUE;
3132 break;
3133 }
3134 }
3135 iterate_item = save_iterate_item;
3136 }
3137
3138 } /* Switch for comparison conditions */
3139
3140 *yield = tempcond == testfor;
3141 return s; /* End of comparison conditions */
3142
3143
3144 /* and/or: computes logical and/or of several conditions */
3145
3146 case ECOND_AND:
3147 case ECOND_OR:
3148 subcondptr = (yield == NULL) ? NULL : &tempcond;
3149 combined_cond = (cond_type == ECOND_AND);
3150
3151 while (isspace(*s)) s++;
3152 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3153
3154 for (;;)
3155 {
3156 while (isspace(*s)) s++;
3157 /* {-for-text-editors */
3158 if (*s == '}') break;
3159 if (*s != '{') /* }-for-text-editors */
3160 {
3161 expand_string_message = string_sprintf("each subcondition "
3162 "inside an \"%s{...}\" condition must be in its own {}", opname);
3163 return NULL;
3164 }
3165
3166 if (!(s = eval_condition(s+1, resetok, subcondptr)))
3167 {
3168 expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
3169 expand_string_message, opname);
3170 return NULL;
3171 }
3172 while (isspace(*s)) s++;
3173
3174 /* {-for-text-editors */
3175 if (*s++ != '}')
3176 {
3177 /* {-for-text-editors */
3178 expand_string_message = string_sprintf("missing } at end of condition "
3179 "inside \"%s\" group", opname);
3180 return NULL;
3181 }
3182
3183 if (yield)
3184 if (cond_type == ECOND_AND)
3185 {
3186 combined_cond &= tempcond;
3187 if (!combined_cond) subcondptr = NULL; /* once false, don't */
3188 } /* evaluate any more */
3189 else
3190 {
3191 combined_cond |= tempcond;
3192 if (combined_cond) subcondptr = NULL; /* once true, don't */
3193 } /* evaluate any more */
3194 }
3195
3196 if (yield) *yield = (combined_cond == testfor);
3197 return ++s;
3198
3199
3200 /* forall/forany: iterates a condition with different values */
3201
3202 case ECOND_FORALL: is_forany = FALSE; is_json = FALSE; is_jsons = FALSE; goto FORMANY;
3203 case ECOND_FORANY: is_forany = TRUE; is_json = FALSE; is_jsons = FALSE; goto FORMANY;
3204 case ECOND_FORALL_JSON: is_forany = FALSE; is_json = TRUE; is_jsons = FALSE; goto FORMANY;
3205 case ECOND_FORANY_JSON: is_forany = TRUE; is_json = TRUE; is_jsons = FALSE; goto FORMANY;
3206 case ECOND_FORALL_JSONS: is_forany = FALSE; is_json = TRUE; is_jsons = TRUE; goto FORMANY;
3207 case ECOND_FORANY_JSONS: is_forany = TRUE; is_json = TRUE; is_jsons = TRUE; goto FORMANY;
3208
3209 FORMANY:
3210 {
3211 const uschar * list;
3212 int sep = 0;
3213 uschar *save_iterate_item = iterate_item;
3214
3215 DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
3216
3217 while (isspace(*s)) s++;
3218 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3219 if (!(sub[0] = expand_string_internal(s, TRUE, &s, yield == NULL, TRUE, resetok)))
3220 return NULL;
3221 /* {-for-text-editors */
3222 if (*s++ != '}') goto COND_FAILED_CURLY_END;
3223
3224 while (isspace(*s)) s++;
3225 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3226
3227 sub[1] = s;
3228
3229 /* Call eval_condition once, with result discarded (as if scanning a
3230 "false" part). This allows us to find the end of the condition, because if
3231 the list it empty, we won't actually evaluate the condition for real. */
3232
3233 if (!(s = eval_condition(sub[1], resetok, NULL)))
3234 {
3235 expand_string_message = string_sprintf("%s inside \"%s\" condition",
3236 expand_string_message, opname);
3237 return NULL;
3238 }
3239 while (isspace(*s)) s++;
3240
3241 /* {-for-text-editors */
3242 if (*s++ != '}')
3243 {
3244 /* {-for-text-editors */
3245 expand_string_message = string_sprintf("missing } at end of condition "
3246 "inside \"%s\"", opname);
3247 return NULL;
3248 }
3249
3250 if (yield) *yield = !testfor;
3251 list = sub[0];
3252 if (is_json) list = dewrap(string_copy(list), US"[]");
3253 while ((iterate_item = is_json
3254 ? json_nextinlist(&list) : string_nextinlist(&list, &sep, NULL, 0)))
3255 {
3256 if (is_jsons)
3257 if (!(iterate_item = dewrap(iterate_item, US"\"\"")))
3258 {
3259 expand_string_message =
3260 string_sprintf("%s wrapping string result for extract jsons",
3261 expand_string_message);
3262 iterate_item = save_iterate_item;
3263 return NULL;
3264 }
3265
3266 DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", opname, iterate_item);
3267 if (!eval_condition(sub[1], resetok, &tempcond))
3268 {
3269 expand_string_message = string_sprintf("%s inside \"%s\" condition",
3270 expand_string_message, opname);
3271 iterate_item = save_iterate_item;
3272 return NULL;
3273 }
3274 DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", opname,
3275 tempcond? "true":"false");
3276
3277 if (yield) *yield = (tempcond == testfor);
3278 if (tempcond == is_forany) break;
3279 }
3280
3281 iterate_item = save_iterate_item;
3282 return s;
3283 }
3284
3285
3286 /* The bool{} expansion condition maps a string to boolean.
3287 The values supported should match those supported by the ACL condition
3288 (acl.c, ACLC_CONDITION) so that we keep to a minimum the different ideas
3289 of true/false. Note that Router "condition" rules have a different
3290 interpretation, where general data can be used and only a few values
3291 map to FALSE.
3292 Note that readconf.c boolean matching, for boolean configuration options,
3293 only matches true/yes/false/no.
3294 The bool_lax{} condition matches the Router logic, which is much more
3295 liberal. */
3296 case ECOND_BOOL:
3297 case ECOND_BOOL_LAX:
3298 {
3299 uschar *sub_arg[1];
3300 uschar *t, *t2;
3301 uschar *ourname;
3302 size_t len;
3303 BOOL boolvalue = FALSE;
3304 while (isspace(*s)) s++;
3305 if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3306 ourname = cond_type == ECOND_BOOL_LAX ? US"bool_lax" : US"bool";
3307 switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname, resetok))
3308 {
3309 case 1: expand_string_message = string_sprintf(
3310 "too few arguments or bracketing error for %s",
3311 ourname);
3312 /*FALLTHROUGH*/
3313 case 2:
3314 case 3: return NULL;
3315 }
3316 t = sub_arg[0];
3317 while (isspace(*t)) t++;
3318 len = Ustrlen(t);
3319 if (len)
3320 {
3321 /* trailing whitespace: seems like a good idea to ignore it too */
3322 t2 = t + len - 1;
3323 while (isspace(*t2)) t2--;
3324 if (t2 != (t + len))
3325 {
3326 *++t2 = '\0';
3327 len = t2 - t;
3328 }
3329 }
3330 DEBUG(D_expand)
3331 debug_printf_indent("considering %s: %s\n", ourname, len ? t : US"<empty>");
3332 /* logic for the lax case from expand_check_condition(), which also does
3333 expands, and the logic is both short and stable enough that there should
3334 be no maintenance burden from replicating it. */
3335 if (len == 0)
3336 boolvalue = FALSE;
3337 else if (*t == '-'
3338 ? Ustrspn(t+1, "0123456789") == len-1
3339 : Ustrspn(t, "0123456789") == len)
3340 {
3341 boolvalue = (Uatoi(t) == 0) ? FALSE : TRUE;
3342 /* expand_check_condition only does a literal string "0" check */
3343 if ((cond_type == ECOND_BOOL_LAX) && (len > 1))
3344 boolvalue = TRUE;
3345 }
3346 else if (strcmpic(t, US"true") == 0 || strcmpic(t, US"yes") == 0)
3347 boolvalue = TRUE;
3348 else if (strcmpic(t, US"false") == 0 || strcmpic(t, US"no") == 0)
3349 boolvalue = FALSE;
3350 else if (cond_type == ECOND_BOOL_LAX)
3351 boolvalue = TRUE;
3352 else
3353 {
3354 expand_string_message = string_sprintf("unrecognised boolean "
3355 "value \"%s\"", t);
3356 return NULL;
3357 }
3358 DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", ourname,
3359 boolvalue? "true":"false");
3360 if (yield) *yield = (boolvalue == testfor);
3361 return s;
3362 }
3363
3364 #ifdef EXPERIMENTAL_SRS_NATIVE
3365 case ECOND_INBOUND_SRS:
3366 /* ${if inbound_srs {local_part}{secret} {yes}{no}} */
3367 {
3368 uschar * sub[2];
3369 const pcre * re;
3370 int ovec[3*(4+1)];
3371 int n;
3372 uschar cksum[4];
3373 BOOL boolvalue = FALSE;
3374
3375 switch(read_subs(sub, 2, 2, CUSS &s, yield == NULL, FALSE, US"inbound_srs", resetok))
3376 {
3377 case 1: expand_string_message = US"too few arguments or bracketing "
3378 "error for inbound_srs";
3379 case 2:
3380 case 3: return NULL;
3381 }
3382
3383 /* Match the given local_part against the SRS-encoded pattern */
3384
3385 re = regex_must_compile(US"^(?i)SRS0=([^=]+)=([A-Z2-7]+)=([^=]*)=(.*)$",
3386 TRUE, FALSE);
3387 if (pcre_exec(re, NULL, CS sub[0], Ustrlen(sub[0]), 0, PCRE_EOPT,
3388 ovec, nelem(ovec)) < 0)
3389 {
3390 DEBUG(D_expand) debug_printf("no match for SRS'd local-part pattern\n");
3391 goto srs_result;
3392 }
3393
3394 /* Side-effect: record the decoded recipient */
3395
3396 srs_recipient = string_sprintf("%.*S@%.*S", /* lowercased */
3397 ovec[9]-ovec[8], sub[0] + ovec[8], /* substring 4 */
3398 ovec[7]-ovec[6], sub[0] + ovec[6]); /* substring 3 */
3399
3400 /* If a zero-length secret was given, we're done. Otherwise carry on
3401 and validate the given SRS local_part againt our secret. */
3402
3403 if (!*sub[1])
3404 {
3405 boolvalue = TRUE;
3406 goto srs_result;
3407 }
3408
3409 /* check the timestamp */
3410 {
3411 struct timeval now;
3412 uschar * ss = sub[0] + ovec[4]; /* substring 2, the timestamp */
3413 long d;
3414
3415 gettimeofday(&now, NULL);
3416 now.tv_sec /= 86400; /* days since epoch */
3417
3418 /* Decode substring 2 from base32 to a number */
3419
3420 for (d = 0, n = ovec[5]-ovec[4]; n; n--)
3421 {
3422 uschar * t = Ustrchr(base32_chars, *ss++);
3423 d = d * 32 + (t - base32_chars);
3424 }
3425
3426 if (((now.tv_sec - d) & 0x3ff) > 10) /* days since SRS generated */
3427 {
3428 DEBUG(D_expand) debug_printf("SRS too old\n");
3429 goto srs_result;
3430 }
3431 }
3432
3433 /* check length of substring 1, the offered checksum */
3434
3435 if (ovec[3]-ovec[2] != 4)
3436 {
3437 DEBUG(D_expand) debug_printf("SRS checksum wrong size\n");
3438 goto srs_result;
3439 }
3440
3441 /* Hash the address with our secret, and compare that computed checksum
3442 with the one extracted from the arg */
3443
3444 hmac_md5(sub[1], srs_recipient, cksum, sizeof(cksum));
3445 if (Ustrncmp(cksum, sub[0] + ovec[2], 4) != 0)
3446 {
3447 DEBUG(D_expand) debug_printf("SRS checksum mismatch\n");
3448 goto srs_result;
3449 }
3450 boolvalue = TRUE;
3451
3452 srs_result:
3453 if (yield) *yield = (boolvalue == testfor);
3454 return s;
3455 }
3456 #endif /*EXPERIMENTAL_SRS_NATIVE*/
3457
3458 /* Unknown condition */
3459
3460 default:
3461 if (!expand_string_message || !*expand_string_message)
3462 expand_string_message = string_sprintf("unknown condition \"%s\"", opname);
3463 return NULL;
3464 } /* End switch on condition type */
3465
3466 /* Missing braces at start and end of data */
3467
3468 COND_FAILED_CURLY_START:
3469 expand_string_message = string_sprintf("missing { after \"%s\"", opname);
3470 return NULL;
3471
3472 COND_FAILED_CURLY_END:
3473 expand_string_message = string_sprintf("missing } at end of \"%s\" condition",
3474 opname);
3475 return NULL;
3476
3477 /* A condition requires code that is not compiled */
3478
3479 #if !defined(SUPPORT_PAM) || !defined(RADIUS_CONFIG_FILE) || \
3480 !defined(LOOKUP_LDAP) || !defined(CYRUS_PWCHECK_SOCKET) || \
3481 !defined(SUPPORT_CRYPTEQ) || !defined(CYRUS_SASLAUTHD_SOCKET)
3482 COND_FAILED_NOT_COMPILED:
3483 expand_string_message = string_sprintf("support for \"%s\" not compiled",
3484 opname);
3485 return NULL;
3486 #endif
3487 }
3488
3489
3490
3491
3492 /*************************************************
3493 * Save numerical variables *
3494 *************************************************/
3495
3496 /* This function is called from items such as "if" that want to preserve and
3497 restore the numbered variables.
3498
3499 Arguments:
3500 save_expand_string points to an array of pointers to set
3501 save_expand_nlength points to an array of ints for the lengths
3502
3503 Returns: the value of expand max to save
3504 */
3505
3506 static int
3507 save_expand_strings(uschar **save_expand_nstring, int *save_expand_nlength)
3508 {
3509 for (int i = 0; i <= expand_nmax; i++)
3510 {
3511 save_expand_nstring[i] = expand_nstring[i];
3512 save_expand_nlength[i] = expand_nlength[i];
3513 }
3514 return expand_nmax;
3515 }
3516
3517
3518
3519 /*************************************************
3520 * Restore numerical variables *
3521 *************************************************/
3522
3523 /* This function restored saved values of numerical strings.
3524
3525 Arguments:
3526 save_expand_nmax the number of strings to restore
3527 save_expand_string points to an array of pointers
3528 save_expand_nlength points to an array of ints
3529
3530 Returns: nothing
3531 */
3532
3533 static void
3534 restore_expand_strings(int save_expand_nmax, uschar **save_expand_nstring,
3535 int *save_expand_nlength)
3536 {
3537 expand_nmax = save_expand_nmax;
3538 for (int i = 0; i <= expand_nmax; i++)
3539 {
3540 expand_nstring[i] = save_expand_nstring[i];
3541 expand_nlength[i] = save_expand_nlength[i];
3542 }
3543 }
3544
3545
3546
3547
3548
3549 /*************************************************
3550 * Handle yes/no substrings *
3551 *************************************************/
3552
3553 /* This function is used by ${if}, ${lookup} and ${extract} to handle the
3554 alternative substrings that depend on whether or not the condition was true,
3555 or the lookup or extraction succeeded. The substrings always have to be
3556 expanded, to check their syntax, but "skipping" is set when the result is not
3557 needed - this avoids unnecessary nested lookups.
3558
3559 Arguments:
3560 skipping TRUE if we were skipping when this item was reached
3561 yes TRUE if the first string is to be used, else use the second
3562 save_lookup a value to put back into lookup_value before the 2nd expansion
3563 sptr points to the input string pointer
3564 yieldptr points to the output growable-string pointer
3565 type "lookup", "if", "extract", "run", "env", "listextract" or
3566 "certextract" for error message
3567 resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
3568 the store.
3569
3570 Returns: 0 OK; lookup_value has been reset to save_lookup
3571 1 expansion failed
3572 2 expansion failed because of bracketing error
3573 */
3574
3575 static int
3576 process_yesno(BOOL skipping, BOOL yes, uschar *save_lookup, const uschar **sptr,
3577 gstring ** yieldptr, uschar *type, BOOL *resetok)
3578 {
3579 int rc = 0;
3580 const uschar *s = *sptr; /* Local value */
3581 uschar *sub1, *sub2;
3582 const uschar * errwhere;
3583
3584 /* If there are no following strings, we substitute the contents of $value for
3585 lookups and for extractions in the success case. For the ${if item, the string
3586 "true" is substituted. In the fail case, nothing is substituted for all three
3587 items. */
3588
3589 while (isspace(*s)) s++;
3590 if (*s == '}')
3591 {
3592 if (type[0] == 'i')
3593 {
3594 if (yes && !skipping)
3595 *yieldptr = string_catn(*yieldptr, US"true", 4);
3596 }
3597 else
3598 {
3599 if (yes && lookup_value && !skipping)
3600 *yieldptr = string_cat(*yieldptr, lookup_value);
3601 lookup_value = save_lookup;
3602 }
3603 s++;
3604 goto RETURN;
3605 }
3606
3607 /* The first following string must be braced. */
3608
3609 if (*s++ != '{')
3610 {
3611 errwhere = US"'yes' part did not start with '{'";
3612 goto FAILED_CURLY;
3613 }
3614
3615 /* Expand the first substring. Forced failures are noticed only if we actually
3616 want this string. Set skipping in the call in the fail case (this will always
3617 be the case if we were already skipping). */
3618
3619 sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok);
3620 if (sub1 == NULL && (yes || !f.expand_string_forcedfail)) goto FAILED;
3621 f.expand_string_forcedfail = FALSE;
3622 if (*s++ != '}')
3623 {
3624 errwhere = US"'yes' part did not end with '}'";
3625 goto FAILED_CURLY;
3626 }
3627
3628 /* If we want the first string, add it to the output */
3629
3630 if (yes)
3631 *yieldptr = string_cat(*yieldptr, sub1);
3632
3633 /* If this is called from a lookup/env or a (cert)extract, we want to restore
3634 $value to what it was at the start of the item, so that it has this value
3635 during the second string expansion. For the call from "if" or "run" to this
3636 function, save_lookup is set to lookup_value, so that this statement does
3637 nothing. */
3638
3639 lookup_value = save_lookup;
3640
3641 /* There now follows either another substring, or "fail", or nothing. This
3642 time, forced failures are noticed only if we want the second string. We must
3643 set skipping in the nested call if we don't want this string, or if we were
3644 already skipping. */
3645
3646 while (isspace(*s)) s++;
3647 if (*s == '{')
3648 {
3649 sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok);
3650 if (sub2 == NULL && (!yes || !f.expand_string_forcedfail)) goto FAILED;
3651 f.expand_string_forcedfail = FALSE;
3652 if (*s++ != '}')
3653 {
3654 errwhere = US"'no' part did not start with '{'";
3655 goto FAILED_CURLY;
3656 }
3657
3658 /* If we want the second string, add it to the output */
3659
3660 if (!yes)
3661 *yieldptr = string_cat(*yieldptr, sub2);
3662 }
3663
3664 /* If there is no second string, but the word "fail" is present when the use of
3665 the second string is wanted, set a flag indicating it was a forced failure
3666 rather than a syntactic error. Swallow the terminating } in case this is nested
3667 inside another lookup or if or extract. */
3668
3669 else if (*s != '}')
3670 {
3671 uschar name[256];
3672 /* deconst cast ok here as source is s anyway */
3673 s = US read_name(name, sizeof(name), s, US"_");
3674 if (Ustrcmp(name, "fail") == 0)
3675 {
3676 if (!yes && !skipping)
3677 {
3678 while (isspace(*s)) s++;
3679 if (*s++ != '}')
3680 {
3681 errwhere = US"did not close with '}' after forcedfail";
3682 goto FAILED_CURLY;
3683 }
3684 expand_string_message =
3685 string_sprintf("\"%s\" failed and \"fail\" requested", type);
3686 f.expand_string_forcedfail = TRUE;
3687 goto FAILED;
3688 }
3689 }
3690 else
3691 {
3692 expand_string_message =
3693 string_sprintf("syntax error in \"%s\" item - \"fail\" expected", type);
3694 goto FAILED;
3695 }
3696 }
3697
3698 /* All we have to do now is to check on the final closing brace. */
3699
3700 while (isspace(*s)) s++;
3701 if (*s++ != '}')
3702 {
3703 errwhere = US"did not close with '}'";
3704 goto FAILED_CURLY;
3705 }
3706
3707
3708 RETURN:
3709 /* Update the input pointer value before returning */
3710 *sptr = s;
3711 return rc;
3712
3713 FAILED_CURLY:
3714 /* Get here if there is a bracketing failure */
3715 expand_string_message = string_sprintf(
3716 "curly-bracket problem in conditional yes/no parsing: %s\n"
3717 " remaining string is '%s'", errwhere, --s);
3718 rc = 2;
3719 goto RETURN;
3720
3721 FAILED:
3722 /* Get here for other failures */
3723 rc = 1;
3724 goto RETURN;
3725 }
3726
3727
3728
3729
3730 /********************************************************
3731 * prvs: Get last three digits of days since Jan 1, 1970 *
3732 ********************************************************/
3733
3734 /* This is needed to implement the "prvs" BATV reverse
3735 path signing scheme
3736
3737 Argument: integer "days" offset to add or substract to
3738 or from the current number of days.
3739
3740 Returns: pointer to string containing the last three
3741 digits of the number of days since Jan 1, 1970,
3742 modified by the offset argument, NULL if there
3743 was an error in the conversion.
3744
3745 */
3746
3747 static uschar *
3748 prvs_daystamp(int day_offset)
3749 {
3750 uschar *days = store_get(32, FALSE); /* Need at least 24 for cases */
3751 (void)string_format(days, 32, TIME_T_FMT, /* where TIME_T_FMT is %lld */
3752 (time(NULL) + day_offset*86400)/86400);
3753 return (Ustrlen(days) >= 3) ? &days[Ustrlen(days)-3] : US"100";
3754 }
3755
3756
3757
3758 /********************************************************
3759 * prvs: perform HMAC-SHA1 computation of prvs bits *
3760 ********************************************************/
3761
3762 /* This is needed to implement the "prvs" BATV reverse
3763 path signing scheme
3764
3765 Arguments:
3766 address RFC2821 Address to use
3767 key The key to use (must be less than 64 characters
3768 in size)
3769 key_num Single-digit key number to use. Defaults to
3770 '0' when NULL.
3771
3772 Returns: pointer to string containing the first three
3773 bytes of the final hash in hex format, NULL if
3774 there was an error in the process.
3775 */
3776
3777 static uschar *
3778 prvs_hmac_sha1(uschar *address, uschar *key, uschar *key_num, uschar *daystamp)
3779 {
3780 gstring * hash_source;
3781 uschar * p;
3782 hctx h;
3783 uschar innerhash[20];
3784 uschar finalhash[20];
3785 uschar innerkey[64];
3786 uschar outerkey[64];
3787 uschar *finalhash_hex;
3788
3789 if (!key_num)
3790 key_num = US"0";
3791
3792 if (Ustrlen(key) > 64)
3793 return NULL;
3794
3795 hash_source = string_catn(NULL, key_num, 1);
3796 hash_source = string_catn(hash_source, daystamp, 3);
3797 hash_source = string_cat(hash_source, address);
3798 (void) string_from_gstring(hash_source);
3799
3800 DEBUG(D_expand)
3801 debug_printf_indent("prvs: hash source is '%s'\n", hash_source->s);
3802
3803 memset(innerkey, 0x36, 64);
3804 memset(outerkey, 0x5c, 64);
3805
3806 for (int i = 0; i < Ustrlen(key); i++)
3807 {
3808 innerkey[i] ^= key[i];
3809 outerkey[i] ^= key[i];
3810 }
3811
3812 chash_start(HMAC_SHA1, &h);
3813 chash_mid(HMAC_SHA1, &h, innerkey);
3814 chash_end(HMAC_SHA1, &h, hash_source->s, hash_source->ptr, innerhash);
3815
3816 chash_start(HMAC_SHA1, &h);
3817 chash_mid(HMAC_SHA1, &h, outerkey);
3818 chash_end(HMAC_SHA1, &h, innerhash, 20, finalhash);
3819
3820 /* Hashing is deemed sufficient to de-taint any input data */
3821
3822 p = finalhash_hex = store_get(40, FALSE);
3823 for (int i = 0; i < 3; i++)
3824 {
3825 *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
3826 *p++ = hex_digits[finalhash[i] & 0x0f];
3827 }
3828 *p = '\0';
3829
3830 return finalhash_hex;
3831 }
3832
3833
3834
3835
3836 /*************************************************
3837 * Join a file onto the output string *
3838 *************************************************/
3839
3840 /* This is used for readfile/readsock and after a run expansion.
3841 It joins the contents of a file onto the output string, globally replacing
3842 newlines with a given string (optionally).
3843
3844 Arguments:
3845 f the FILE
3846 yield pointer to the expandable string struct
3847 eol newline replacement string, or NULL
3848
3849 Returns: new pointer for expandable string, terminated if non-null
3850 */
3851
3852 static gstring *
3853 cat_file(FILE *f, gstring *yield, uschar *eol)
3854 {
3855 uschar buffer[1024];
3856
3857 while (Ufgets(buffer, sizeof(buffer), f))
3858 {
3859 int len = Ustrlen(buffer);
3860 if (eol && buffer[len-1] == '\n') len--;
3861 yield = string_catn(yield, buffer, len);
3862 if (eol && buffer[len])
3863 yield = string_cat(yield, eol);
3864 }
3865
3866 (void) string_from_gstring(yield);
3867 return yield;
3868 }
3869
3870
3871 #ifndef DISABLE_TLS
3872 static gstring *
3873 cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
3874 {
3875 int rc;
3876 uschar buffer[1024];
3877
3878 /*XXX could we read direct into a pre-grown string? */
3879
3880 while ((rc = tls_read(tls_ctx, buffer, sizeof(buffer))) > 0)
3881 for (uschar * s = buffer; rc--; s++)
3882 yield = eol && *s == '\n'
3883 ? string_cat(yield, eol) : string_catn(yield, s, 1);
3884
3885 /* We assume that all errors, and any returns of zero bytes,
3886 are actually EOF. */
3887
3888 (void) string_from_gstring(yield);
3889 return yield;
3890 }
3891 #endif
3892
3893
3894 /*************************************************
3895 * Evaluate numeric expression *
3896 *************************************************/
3897
3898 /* This is a set of mutually recursive functions that evaluate an arithmetic
3899 expression involving + - * / % & | ^ ~ << >> and parentheses. The only one of
3900 these functions that is called from elsewhere is eval_expr, whose interface is:
3901
3902 Arguments:
3903 sptr pointer to the pointer to the string - gets updated
3904 decimal TRUE if numbers are to be assumed decimal
3905 error pointer to where to put an error message - must be NULL on input
3906 endket TRUE if ')' must terminate - FALSE for external call
3907
3908 Returns: on success: the value of the expression, with *error still NULL
3909 on failure: an undefined value, with *error = a message
3910 */
3911
3912 static int_eximarith_t eval_op_or(uschar **, BOOL, uschar **);
3913
3914
3915 static int_eximarith_t
3916 eval_expr(uschar **sptr, BOOL decimal, uschar **error, BOOL endket)
3917 {
3918 uschar *s = *sptr;
3919 int_eximarith_t x = eval_op_or(&s, decimal, error);
3920
3921 if (!*error)
3922 if (endket)
3923 if (*s != ')')
3924 *error = US"expecting closing parenthesis";
3925 else
3926 while (isspace(*(++s)));
3927 else if (*s)
3928 *error = US"expecting operator";
3929 *sptr = s;
3930 return x;
3931 }
3932
3933
3934 static int_eximarith_t
3935 eval_number(uschar **sptr, BOOL decimal, uschar **error)
3936 {
3937 int c;
3938 int_eximarith_t n;
3939 uschar *s = *sptr;
3940
3941 while (isspace(*s)) s++;
3942 if (isdigit((