74267ab0cd99dfab64e4df5f81c103cccbec58e7
[exim.git] / src / src / expand.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* Functions for handling string expansion. */
10
11
12 #include "exim.h"
13
14 /* Recursively called function */
15
16 static uschar *expand_string_internal(const uschar *, BOOL, const uschar **, BOOL, BOOL, BOOL *);
17 static int_eximarith_t expanded_string_integer(const uschar *, BOOL);
18
19 #ifdef STAND_ALONE
20 # ifndef SUPPORT_CRYPTEQ
21 # define SUPPORT_CRYPTEQ
22 # endif
23 #endif
24
25 #ifdef LOOKUP_LDAP
26 # include "lookups/ldap.h"
27 #endif
28
29 #ifdef SUPPORT_CRYPTEQ
30 # ifdef CRYPT_H
31 # include <crypt.h>
32 # endif
33 # ifndef HAVE_CRYPT16
34 extern char* crypt16(char*, char*);
35 # endif
36 #endif
37
38 /* The handling of crypt16() is a mess. I will record below the analysis of the
39 mess that was sent to me. We decided, however, to make changing this very low
40 priority, because in practice people are moving away from the crypt()
41 algorithms nowadays, so it doesn't seem worth it.
42
43 <quote>
44 There is an algorithm named "crypt16" in Ultrix and Tru64. It crypts
45 the first 8 characters of the password using a 20-round version of crypt
46 (standard crypt does 25 rounds). It then crypts the next 8 characters,
47 or an empty block if the password is less than 9 characters, using a
48 20-round version of crypt and the same salt as was used for the first
49 block. Characters after the first 16 are ignored. It always generates
50 a 16-byte hash, which is expressed together with the salt as a string
51 of 24 base 64 digits. Here are some links to peruse:
52
53 http://cvs.pld.org.pl/pam/pamcrypt/crypt16.c?rev=1.2
54 http://seclists.org/bugtraq/1999/Mar/0076.html
55
56 There's a different algorithm named "bigcrypt" in HP-UX, Digital Unix,
57 and OSF/1. This is the same as the standard crypt if given a password
58 of 8 characters or less. If given more, it first does the same as crypt
59 using the first 8 characters, then crypts the next 8 (the 9th to 16th)
60 using as salt the first two base 64 digits from the first hash block.
61 If the password is more than 16 characters then it crypts the 17th to 24th
62 characters using as salt the first two base 64 digits from the second hash
63 block. And so on: I've seen references to it cutting off the password at
64 40 characters (5 blocks), 80 (10 blocks), or 128 (16 blocks). Some links:
65
66 http://cvs.pld.org.pl/pam/pamcrypt/bigcrypt.c?rev=1.2
67 http://seclists.org/bugtraq/1999/Mar/0109.html
68 http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/HTML/AA-Q0R2D-
69 TET1_html/sec.c222.html#no_id_208
70
71 Exim has something it calls "crypt16". It will either use a native
72 crypt16 or its own implementation. A native crypt16 will presumably
73 be the one that I called "crypt16" above. The internal "crypt16"
74 function, however, is a two-block-maximum implementation of what I called
75 "bigcrypt". The documentation matches the internal code.
76
77 I suspect that whoever did the "crypt16" stuff for Exim didn't realise
78 that crypt16 and bigcrypt were different things.
79
80 Exim uses the LDAP-style scheme identifier "{crypt16}" to refer
81 to whatever it is using under that name. This unfortunately sets a
82 precedent for using "{crypt16}" to identify two incompatible algorithms
83 whose output can't be distinguished. With "{crypt16}" thus rendered
84 ambiguous, I suggest you deprecate it and invent two new identifiers
85 for the two algorithms.
86
87 Both crypt16 and bigcrypt are very poor algorithms, btw. Hashing parts
88 of the password separately means they can be cracked separately, so
89 the double-length hash only doubles the cracking effort instead of
90 squaring it. I recommend salted SHA-1 ({SSHA}), or the Blowfish-based
91 bcrypt ({CRYPT}$2a$).
92 </quote>
93 */
94
95
96
97 /*************************************************
98 * Local statics and tables *
99 *************************************************/
100
101 /* Table of item names, and corresponding switch numbers. The names must be in
102 alphabetical order. */
103
104 static uschar *item_table[] = {
105 US"acl",
106 US"authresults",
107 US"certextract",
108 US"dlfunc",
109 US"env",
110 US"extract",
111 US"filter",
112 US"hash",
113 US"hmac",
114 US"if",
115 #ifdef SUPPORT_I18N
116 US"imapfolder",
117 #endif
118 US"length",
119 US"listextract",
120 US"lookup",
121 US"map",
122 US"nhash",
123 US"perl",
124 US"prvs",
125 US"prvscheck",
126 US"readfile",
127 US"readsocket",
128 US"reduce",
129 US"run",
130 US"sg",
131 US"sort",
132 US"substr",
133 US"tr" };
134
135 enum {
136 EITEM_ACL,
137 EITEM_AUTHRESULTS,
138 EITEM_CERTEXTRACT,
139 EITEM_DLFUNC,
140 EITEM_ENV,
141 EITEM_EXTRACT,
142 EITEM_FILTER,
143 EITEM_HASH,
144 EITEM_HMAC,
145 EITEM_IF,
146 #ifdef SUPPORT_I18N
147 EITEM_IMAPFOLDER,
148 #endif
149 EITEM_LENGTH,
150 EITEM_LISTEXTRACT,
151 EITEM_LOOKUP,
152 EITEM_MAP,
153 EITEM_NHASH,
154 EITEM_PERL,
155 EITEM_PRVS,
156 EITEM_PRVSCHECK,
157 EITEM_READFILE,
158 EITEM_READSOCK,
159 EITEM_REDUCE,
160 EITEM_RUN,
161 EITEM_SG,
162 EITEM_SORT,
163 EITEM_SUBSTR,
164 EITEM_TR };
165
166 /* Tables of operator names, and corresponding switch numbers. The names must be
167 in alphabetical order. There are two tables, because underscore is used in some
168 cases to introduce arguments, whereas for other it is part of the name. This is
169 an historical mis-design. */
170
171 static uschar *op_table_underscore[] = {
172 US"from_utf8",
173 US"local_part",
174 US"quote_local_part",
175 US"reverse_ip",
176 US"time_eval",
177 US"time_interval"
178 #ifdef SUPPORT_I18N
179 ,US"utf8_domain_from_alabel",
180 US"utf8_domain_to_alabel",
181 US"utf8_localpart_from_alabel",
182 US"utf8_localpart_to_alabel"
183 #endif
184 };
185
186 enum {
187 EOP_FROM_UTF8,
188 EOP_LOCAL_PART,
189 EOP_QUOTE_LOCAL_PART,
190 EOP_REVERSE_IP,
191 EOP_TIME_EVAL,
192 EOP_TIME_INTERVAL
193 #ifdef SUPPORT_I18N
194 ,EOP_UTF8_DOMAIN_FROM_ALABEL,
195 EOP_UTF8_DOMAIN_TO_ALABEL,
196 EOP_UTF8_LOCALPART_FROM_ALABEL,
197 EOP_UTF8_LOCALPART_TO_ALABEL
198 #endif
199 };
200
201 static uschar *op_table_main[] = {
202 US"address",
203 US"addresses",
204 US"base32",
205 US"base32d",
206 US"base62",
207 US"base62d",
208 US"base64",
209 US"base64d",
210 US"domain",
211 US"escape",
212 US"escape8bit",
213 US"eval",
214 US"eval10",
215 US"expand",
216 US"h",
217 US"hash",
218 US"hex2b64",
219 US"hexquote",
220 US"ipv6denorm",
221 US"ipv6norm",
222 US"l",
223 US"lc",
224 US"length",
225 US"listcount",
226 US"listnamed",
227 US"mask",
228 US"md5",
229 US"nh",
230 US"nhash",
231 US"quote",
232 US"randint",
233 US"rfc2047",
234 US"rfc2047d",
235 US"rxquote",
236 US"s",
237 US"sha1",
238 US"sha2",
239 US"sha256",
240 US"sha3",
241 US"stat",
242 US"str2b64",
243 US"strlen",
244 US"substr",
245 US"uc",
246 US"utf8clean" };
247
248 enum {
249 EOP_ADDRESS = nelem(op_table_underscore),
250 EOP_ADDRESSES,
251 EOP_BASE32,
252 EOP_BASE32D,
253 EOP_BASE62,
254 EOP_BASE62D,
255 EOP_BASE64,
256 EOP_BASE64D,
257 EOP_DOMAIN,
258 EOP_ESCAPE,
259 EOP_ESCAPE8BIT,
260 EOP_EVAL,
261 EOP_EVAL10,
262 EOP_EXPAND,
263 EOP_H,
264 EOP_HASH,
265 EOP_HEX2B64,
266 EOP_HEXQUOTE,
267 EOP_IPV6DENORM,
268 EOP_IPV6NORM,
269 EOP_L,
270 EOP_LC,
271 EOP_LENGTH,
272 EOP_LISTCOUNT,
273 EOP_LISTNAMED,
274 EOP_MASK,
275 EOP_MD5,
276 EOP_NH,
277 EOP_NHASH,
278 EOP_QUOTE,
279 EOP_RANDINT,
280 EOP_RFC2047,
281 EOP_RFC2047D,
282 EOP_RXQUOTE,
283 EOP_S,
284 EOP_SHA1,
285 EOP_SHA2,
286 EOP_SHA256,
287 EOP_SHA3,
288 EOP_STAT,
289 EOP_STR2B64,
290 EOP_STRLEN,
291 EOP_SUBSTR,
292 EOP_UC,
293 EOP_UTF8CLEAN };
294
295
296 /* Table of condition names, and corresponding switch numbers. The names must
297 be in alphabetical order. */
298
299 static uschar *cond_table[] = {
300 US"<",
301 US"<=",
302 US"=",
303 US"==", /* Backward compatibility */
304 US">",
305 US">=",
306 US"acl",
307 US"and",
308 US"bool",
309 US"bool_lax",
310 US"crypteq",
311 US"def",
312 US"eq",
313 US"eqi",
314 US"exists",
315 US"first_delivery",
316 US"forall",
317 US"forall_json",
318 US"forall_jsons",
319 US"forany",
320 US"forany_json",
321 US"forany_jsons",
322 US"ge",
323 US"gei",
324 US"gt",
325 US"gti",
326 US"inlist",
327 US"inlisti",
328 US"isip",
329 US"isip4",
330 US"isip6",
331 US"ldapauth",
332 US"le",
333 US"lei",
334 US"lt",
335 US"lti",
336 US"match",
337 US"match_address",
338 US"match_domain",
339 US"match_ip",
340 US"match_local_part",
341 US"or",
342 US"pam",
343 US"pwcheck",
344 US"queue_running",
345 US"radius",
346 US"saslauthd"
347 };
348
349 enum {
350 ECOND_NUM_L,
351 ECOND_NUM_LE,
352 ECOND_NUM_E,
353 ECOND_NUM_EE,
354 ECOND_NUM_G,
355 ECOND_NUM_GE,
356 ECOND_ACL,
357 ECOND_AND,
358 ECOND_BOOL,
359 ECOND_BOOL_LAX,
360 ECOND_CRYPTEQ,
361 ECOND_DEF,
362 ECOND_STR_EQ,
363 ECOND_STR_EQI,
364 ECOND_EXISTS,
365 ECOND_FIRST_DELIVERY,
366 ECOND_FORALL,
367 ECOND_FORALL_JSON,
368 ECOND_FORALL_JSONS,
369 ECOND_FORANY,
370 ECOND_FORANY_JSON,
371 ECOND_FORANY_JSONS,
372 ECOND_STR_GE,
373 ECOND_STR_GEI,
374 ECOND_STR_GT,
375 ECOND_STR_GTI,
376 ECOND_INLIST,
377 ECOND_INLISTI,
378 ECOND_ISIP,
379 ECOND_ISIP4,
380 ECOND_ISIP6,
381 ECOND_LDAPAUTH,
382 ECOND_STR_LE,
383 ECOND_STR_LEI,
384 ECOND_STR_LT,
385 ECOND_STR_LTI,
386 ECOND_MATCH,
387 ECOND_MATCH_ADDRESS,
388 ECOND_MATCH_DOMAIN,
389 ECOND_MATCH_IP,
390 ECOND_MATCH_LOCAL_PART,
391 ECOND_OR,
392 ECOND_PAM,
393 ECOND_PWCHECK,
394 ECOND_QUEUE_RUNNING,
395 ECOND_RADIUS,
396 ECOND_SASLAUTHD
397 };
398
399
400 /* Types of table entry */
401
402 enum vtypes {
403 vtype_int, /* value is address of int */
404 vtype_filter_int, /* ditto, but recognized only when filtering */
405 vtype_ino, /* value is address of ino_t (not always an int) */
406 vtype_uid, /* value is address of uid_t (not always an int) */
407 vtype_gid, /* value is address of gid_t (not always an int) */
408 vtype_bool, /* value is address of bool */
409 vtype_stringptr, /* value is address of pointer to string */
410 vtype_msgbody, /* as stringptr, but read when first required */
411 vtype_msgbody_end, /* ditto, the end of the message */
412 vtype_msgheaders, /* the message's headers, processed */
413 vtype_msgheaders_raw, /* the message's headers, unprocessed */
414 vtype_localpart, /* extract local part from string */
415 vtype_domain, /* extract domain from string */
416 vtype_string_func, /* value is string returned by given function */
417 vtype_todbsdin, /* value not used; generate BSD inbox tod */
418 vtype_tode, /* value not used; generate tod in epoch format */
419 vtype_todel, /* value not used; generate tod in epoch/usec format */
420 vtype_todf, /* value not used; generate full tod */
421 vtype_todl, /* value not used; generate log tod */
422 vtype_todlf, /* value not used; generate log file datestamp tod */
423 vtype_todzone, /* value not used; generate time zone only */
424 vtype_todzulu, /* value not used; generate zulu tod */
425 vtype_reply, /* value not used; get reply from headers */
426 vtype_pid, /* value not used; result is pid */
427 vtype_host_lookup, /* value not used; get host name */
428 vtype_load_avg, /* value not used; result is int from os_getloadavg */
429 vtype_pspace, /* partition space; value is T/F for spool/log */
430 vtype_pinodes, /* partition inodes; value is T/F for spool/log */
431 vtype_cert /* SSL certificate */
432 #ifndef DISABLE_DKIM
433 ,vtype_dkim /* Lookup of value in DKIM signature */
434 #endif
435 };
436
437 /* Type for main variable table */
438
439 typedef struct {
440 const char *name;
441 enum vtypes type;
442 void *value;
443 } var_entry;
444
445 /* Type for entries pointing to address/length pairs. Not currently
446 in use. */
447
448 typedef struct {
449 uschar **address;
450 int *length;
451 } alblock;
452
453 static uschar * fn_recipients(void);
454
455 /* This table must be kept in alphabetical order. */
456
457 static var_entry var_table[] = {
458 /* WARNING: Do not invent variables whose names start acl_c or acl_m because
459 they will be confused with user-creatable ACL variables. */
460 { "acl_arg1", vtype_stringptr, &acl_arg[0] },
461 { "acl_arg2", vtype_stringptr, &acl_arg[1] },
462 { "acl_arg3", vtype_stringptr, &acl_arg[2] },
463 { "acl_arg4", vtype_stringptr, &acl_arg[3] },
464 { "acl_arg5", vtype_stringptr, &acl_arg[4] },
465 { "acl_arg6", vtype_stringptr, &acl_arg[5] },
466 { "acl_arg7", vtype_stringptr, &acl_arg[6] },
467 { "acl_arg8", vtype_stringptr, &acl_arg[7] },
468 { "acl_arg9", vtype_stringptr, &acl_arg[8] },
469 { "acl_narg", vtype_int, &acl_narg },
470 { "acl_verify_message", vtype_stringptr, &acl_verify_message },
471 { "address_data", vtype_stringptr, &deliver_address_data },
472 { "address_file", vtype_stringptr, &address_file },
473 { "address_pipe", vtype_stringptr, &address_pipe },
474 #ifdef EXPERIMENTAL_ARC
475 { "arc_domains", vtype_string_func, &fn_arc_domains },
476 { "arc_oldest_pass", vtype_int, &arc_oldest_pass },
477 { "arc_state", vtype_stringptr, &arc_state },
478 { "arc_state_reason", vtype_stringptr, &arc_state_reason },
479 #endif
480 { "authenticated_fail_id",vtype_stringptr, &authenticated_fail_id },
481 { "authenticated_id", vtype_stringptr, &authenticated_id },
482 { "authenticated_sender",vtype_stringptr, &authenticated_sender },
483 { "authentication_failed",vtype_int, &authentication_failed },
484 #ifdef WITH_CONTENT_SCAN
485 { "av_failed", vtype_int, &av_failed },
486 #endif
487 #ifdef EXPERIMENTAL_BRIGHTMAIL
488 { "bmi_alt_location", vtype_stringptr, &bmi_alt_location },
489 { "bmi_base64_tracker_verdict", vtype_stringptr, &bmi_base64_tracker_verdict },
490 { "bmi_base64_verdict", vtype_stringptr, &bmi_base64_verdict },
491 { "bmi_deliver", vtype_int, &bmi_deliver },
492 #endif
493 { "body_linecount", vtype_int, &body_linecount },
494 { "body_zerocount", vtype_int, &body_zerocount },
495 { "bounce_recipient", vtype_stringptr, &bounce_recipient },
496 { "bounce_return_size_limit", vtype_int, &bounce_return_size_limit },
497 { "caller_gid", vtype_gid, &real_gid },
498 { "caller_uid", vtype_uid, &real_uid },
499 { "callout_address", vtype_stringptr, &callout_address },
500 { "compile_date", vtype_stringptr, &version_date },
501 { "compile_number", vtype_stringptr, &version_cnumber },
502 { "config_dir", vtype_stringptr, &config_main_directory },
503 { "config_file", vtype_stringptr, &config_main_filename },
504 { "csa_status", vtype_stringptr, &csa_status },
505 #ifdef EXPERIMENTAL_DCC
506 { "dcc_header", vtype_stringptr, &dcc_header },
507 { "dcc_result", vtype_stringptr, &dcc_result },
508 #endif
509 #ifndef DISABLE_DKIM
510 { "dkim_algo", vtype_dkim, (void *)DKIM_ALGO },
511 { "dkim_bodylength", vtype_dkim, (void *)DKIM_BODYLENGTH },
512 { "dkim_canon_body", vtype_dkim, (void *)DKIM_CANON_BODY },
513 { "dkim_canon_headers", vtype_dkim, (void *)DKIM_CANON_HEADERS },
514 { "dkim_copiedheaders", vtype_dkim, (void *)DKIM_COPIEDHEADERS },
515 { "dkim_created", vtype_dkim, (void *)DKIM_CREATED },
516 { "dkim_cur_signer", vtype_stringptr, &dkim_cur_signer },
517 { "dkim_domain", vtype_stringptr, &dkim_signing_domain },
518 { "dkim_expires", vtype_dkim, (void *)DKIM_EXPIRES },
519 { "dkim_headernames", vtype_dkim, (void *)DKIM_HEADERNAMES },
520 { "dkim_identity", vtype_dkim, (void *)DKIM_IDENTITY },
521 { "dkim_key_granularity",vtype_dkim, (void *)DKIM_KEY_GRANULARITY },
522 { "dkim_key_length", vtype_int, &dkim_key_length },
523 { "dkim_key_nosubdomains",vtype_dkim, (void *)DKIM_NOSUBDOMAINS },
524 { "dkim_key_notes", vtype_dkim, (void *)DKIM_KEY_NOTES },
525 { "dkim_key_srvtype", vtype_dkim, (void *)DKIM_KEY_SRVTYPE },
526 { "dkim_key_testing", vtype_dkim, (void *)DKIM_KEY_TESTING },
527 { "dkim_selector", vtype_stringptr, &dkim_signing_selector },
528 { "dkim_signers", vtype_stringptr, &dkim_signers },
529 { "dkim_verify_reason", vtype_stringptr, &dkim_verify_reason },
530 { "dkim_verify_status", vtype_stringptr, &dkim_verify_status },
531 #endif
532 #ifdef EXPERIMENTAL_DMARC
533 { "dmarc_domain_policy", vtype_stringptr, &dmarc_domain_policy },
534 { "dmarc_status", vtype_stringptr, &dmarc_status },
535 { "dmarc_status_text", vtype_stringptr, &dmarc_status_text },
536 { "dmarc_used_domain", vtype_stringptr, &dmarc_used_domain },
537 #endif
538 { "dnslist_domain", vtype_stringptr, &dnslist_domain },
539 { "dnslist_matched", vtype_stringptr, &dnslist_matched },
540 { "dnslist_text", vtype_stringptr, &dnslist_text },
541 { "dnslist_value", vtype_stringptr, &dnslist_value },
542 { "domain", vtype_stringptr, &deliver_domain },
543 { "domain_data", vtype_stringptr, &deliver_domain_data },
544 #ifndef DISABLE_EVENT
545 { "event_data", vtype_stringptr, &event_data },
546
547 /*XXX want to use generic vars for as many of these as possible*/
548 { "event_defer_errno", vtype_int, &event_defer_errno },
549
550 { "event_name", vtype_stringptr, &event_name },
551 #endif
552 { "exim_gid", vtype_gid, &exim_gid },
553 { "exim_path", vtype_stringptr, &exim_path },
554 { "exim_uid", vtype_uid, &exim_uid },
555 { "exim_version", vtype_stringptr, &version_string },
556 { "headers_added", vtype_string_func, &fn_hdrs_added },
557 { "home", vtype_stringptr, &deliver_home },
558 { "host", vtype_stringptr, &deliver_host },
559 { "host_address", vtype_stringptr, &deliver_host_address },
560 { "host_data", vtype_stringptr, &host_data },
561 { "host_lookup_deferred",vtype_int, &host_lookup_deferred },
562 { "host_lookup_failed", vtype_int, &host_lookup_failed },
563 { "host_port", vtype_int, &deliver_host_port },
564 { "initial_cwd", vtype_stringptr, &initial_cwd },
565 { "inode", vtype_ino, &deliver_inode },
566 { "interface_address", vtype_stringptr, &interface_address },
567 { "interface_port", vtype_int, &interface_port },
568 { "item", vtype_stringptr, &iterate_item },
569 #ifdef LOOKUP_LDAP
570 { "ldap_dn", vtype_stringptr, &eldap_dn },
571 #endif
572 { "load_average", vtype_load_avg, NULL },
573 { "local_part", vtype_stringptr, &deliver_localpart },
574 { "local_part_data", vtype_stringptr, &deliver_localpart_data },
575 { "local_part_prefix", vtype_stringptr, &deliver_localpart_prefix },
576 { "local_part_suffix", vtype_stringptr, &deliver_localpart_suffix },
577 #ifdef HAVE_LOCAL_SCAN
578 { "local_scan_data", vtype_stringptr, &local_scan_data },
579 #endif
580 { "local_user_gid", vtype_gid, &local_user_gid },
581 { "local_user_uid", vtype_uid, &local_user_uid },
582 { "localhost_number", vtype_int, &host_number },
583 { "log_inodes", vtype_pinodes, (void *)FALSE },
584 { "log_space", vtype_pspace, (void *)FALSE },
585 { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
586 { "mailstore_basename", vtype_stringptr, &mailstore_basename },
587 #ifdef WITH_CONTENT_SCAN
588 { "malware_name", vtype_stringptr, &malware_name },
589 #endif
590 { "max_received_linelength", vtype_int, &max_received_linelength },
591 { "message_age", vtype_int, &message_age },
592 { "message_body", vtype_msgbody, &message_body },
593 { "message_body_end", vtype_msgbody_end, &message_body_end },
594 { "message_body_size", vtype_int, &message_body_size },
595 { "message_exim_id", vtype_stringptr, &message_id },
596 { "message_headers", vtype_msgheaders, NULL },
597 { "message_headers_raw", vtype_msgheaders_raw, NULL },
598 { "message_id", vtype_stringptr, &message_id },
599 { "message_linecount", vtype_int, &message_linecount },
600 { "message_size", vtype_int, &message_size },
601 #ifdef SUPPORT_I18N
602 { "message_smtputf8", vtype_bool, &message_smtputf8 },
603 #endif
604 #ifdef WITH_CONTENT_SCAN
605 { "mime_anomaly_level", vtype_int, &mime_anomaly_level },
606 { "mime_anomaly_text", vtype_stringptr, &mime_anomaly_text },
607 { "mime_boundary", vtype_stringptr, &mime_boundary },
608 { "mime_charset", vtype_stringptr, &mime_charset },
609 { "mime_content_description", vtype_stringptr, &mime_content_description },
610 { "mime_content_disposition", vtype_stringptr, &mime_content_disposition },
611 { "mime_content_id", vtype_stringptr, &mime_content_id },
612 { "mime_content_size", vtype_int, &mime_content_size },
613 { "mime_content_transfer_encoding",vtype_stringptr, &mime_content_transfer_encoding },
614 { "mime_content_type", vtype_stringptr, &mime_content_type },
615 { "mime_decoded_filename", vtype_stringptr, &mime_decoded_filename },
616 { "mime_filename", vtype_stringptr, &mime_filename },
617 { "mime_is_coverletter", vtype_int, &mime_is_coverletter },
618 { "mime_is_multipart", vtype_int, &mime_is_multipart },
619 { "mime_is_rfc822", vtype_int, &mime_is_rfc822 },
620 { "mime_part_count", vtype_int, &mime_part_count },
621 #endif
622 { "n0", vtype_filter_int, &filter_n[0] },
623 { "n1", vtype_filter_int, &filter_n[1] },
624 { "n2", vtype_filter_int, &filter_n[2] },
625 { "n3", vtype_filter_int, &filter_n[3] },
626 { "n4", vtype_filter_int, &filter_n[4] },
627 { "n5", vtype_filter_int, &filter_n[5] },
628 { "n6", vtype_filter_int, &filter_n[6] },
629 { "n7", vtype_filter_int, &filter_n[7] },
630 { "n8", vtype_filter_int, &filter_n[8] },
631 { "n9", vtype_filter_int, &filter_n[9] },
632 { "original_domain", vtype_stringptr, &deliver_domain_orig },
633 { "original_local_part", vtype_stringptr, &deliver_localpart_orig },
634 { "originator_gid", vtype_gid, &originator_gid },
635 { "originator_uid", vtype_uid, &originator_uid },
636 { "parent_domain", vtype_stringptr, &deliver_domain_parent },
637 { "parent_local_part", vtype_stringptr, &deliver_localpart_parent },
638 { "pid", vtype_pid, NULL },
639 #ifndef DISABLE_PRDR
640 { "prdr_requested", vtype_bool, &prdr_requested },
641 #endif
642 { "primary_hostname", vtype_stringptr, &primary_hostname },
643 #if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
644 { "proxy_external_address",vtype_stringptr, &proxy_external_address },
645 { "proxy_external_port", vtype_int, &proxy_external_port },
646 { "proxy_local_address", vtype_stringptr, &proxy_local_address },
647 { "proxy_local_port", vtype_int, &proxy_local_port },
648 { "proxy_session", vtype_bool, &proxy_session },
649 #endif
650 { "prvscheck_address", vtype_stringptr, &prvscheck_address },
651 { "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum },
652 { "prvscheck_result", vtype_stringptr, &prvscheck_result },
653 { "qualify_domain", vtype_stringptr, &qualify_domain_sender },
654 { "qualify_recipient", vtype_stringptr, &qualify_domain_recipient },
655 { "queue_name", vtype_stringptr, &queue_name },
656 { "rcpt_count", vtype_int, &rcpt_count },
657 { "rcpt_defer_count", vtype_int, &rcpt_defer_count },
658 { "rcpt_fail_count", vtype_int, &rcpt_fail_count },
659 { "received_count", vtype_int, &received_count },
660 { "received_for", vtype_stringptr, &received_for },
661 { "received_ip_address", vtype_stringptr, &interface_address },
662 { "received_port", vtype_int, &interface_port },
663 { "received_protocol", vtype_stringptr, &received_protocol },
664 { "received_time", vtype_int, &received_time.tv_sec },
665 { "recipient_data", vtype_stringptr, &recipient_data },
666 { "recipient_verify_failure",vtype_stringptr,&recipient_verify_failure },
667 { "recipients", vtype_string_func, &fn_recipients },
668 { "recipients_count", vtype_int, &recipients_count },
669 #ifdef WITH_CONTENT_SCAN
670 { "regex_match_string", vtype_stringptr, &regex_match_string },
671 #endif
672 { "reply_address", vtype_reply, NULL },
673 { "return_path", vtype_stringptr, &return_path },
674 { "return_size_limit", vtype_int, &bounce_return_size_limit },
675 { "router_name", vtype_stringptr, &router_name },
676 { "runrc", vtype_int, &runrc },
677 { "self_hostname", vtype_stringptr, &self_hostname },
678 { "sender_address", vtype_stringptr, &sender_address },
679 { "sender_address_data", vtype_stringptr, &sender_address_data },
680 { "sender_address_domain", vtype_domain, &sender_address },
681 { "sender_address_local_part", vtype_localpart, &sender_address },
682 { "sender_data", vtype_stringptr, &sender_data },
683 { "sender_fullhost", vtype_stringptr, &sender_fullhost },
684 { "sender_helo_dnssec", vtype_bool, &sender_helo_dnssec },
685 { "sender_helo_name", vtype_stringptr, &sender_helo_name },
686 { "sender_host_address", vtype_stringptr, &sender_host_address },
687 { "sender_host_authenticated",vtype_stringptr, &sender_host_authenticated },
688 { "sender_host_dnssec", vtype_bool, &sender_host_dnssec },
689 { "sender_host_name", vtype_host_lookup, NULL },
690 { "sender_host_port", vtype_int, &sender_host_port },
691 { "sender_ident", vtype_stringptr, &sender_ident },
692 { "sender_rate", vtype_stringptr, &sender_rate },
693 { "sender_rate_limit", vtype_stringptr, &sender_rate_limit },
694 { "sender_rate_period", vtype_stringptr, &sender_rate_period },
695 { "sender_rcvhost", vtype_stringptr, &sender_rcvhost },
696 { "sender_verify_failure",vtype_stringptr, &sender_verify_failure },
697 { "sending_ip_address", vtype_stringptr, &sending_ip_address },
698 { "sending_port", vtype_int, &sending_port },
699 { "smtp_active_hostname", vtype_stringptr, &smtp_active_hostname },
700 { "smtp_command", vtype_stringptr, &smtp_cmd_buffer },
701 { "smtp_command_argument", vtype_stringptr, &smtp_cmd_argument },
702 { "smtp_command_history", vtype_string_func, &smtp_cmd_hist },
703 { "smtp_count_at_connection_start", vtype_int, &smtp_accept_count },
704 { "smtp_notquit_reason", vtype_stringptr, &smtp_notquit_reason },
705 { "sn0", vtype_filter_int, &filter_sn[0] },
706 { "sn1", vtype_filter_int, &filter_sn[1] },
707 { "sn2", vtype_filter_int, &filter_sn[2] },
708 { "sn3", vtype_filter_int, &filter_sn[3] },
709 { "sn4", vtype_filter_int, &filter_sn[4] },
710 { "sn5", vtype_filter_int, &filter_sn[5] },
711 { "sn6", vtype_filter_int, &filter_sn[6] },
712 { "sn7", vtype_filter_int, &filter_sn[7] },
713 { "sn8", vtype_filter_int, &filter_sn[8] },
714 { "sn9", vtype_filter_int, &filter_sn[9] },
715 #ifdef WITH_CONTENT_SCAN
716 { "spam_action", vtype_stringptr, &spam_action },
717 { "spam_bar", vtype_stringptr, &spam_bar },
718 { "spam_report", vtype_stringptr, &spam_report },
719 { "spam_score", vtype_stringptr, &spam_score },
720 { "spam_score_int", vtype_stringptr, &spam_score_int },
721 #endif
722 #ifdef SUPPORT_SPF
723 { "spf_guess", vtype_stringptr, &spf_guess },
724 { "spf_header_comment", vtype_stringptr, &spf_header_comment },
725 { "spf_received", vtype_stringptr, &spf_received },
726 { "spf_result", vtype_stringptr, &spf_result },
727 { "spf_result_guessed", vtype_bool, &spf_result_guessed },
728 { "spf_smtp_comment", vtype_stringptr, &spf_smtp_comment },
729 #endif
730 { "spool_directory", vtype_stringptr, &spool_directory },
731 { "spool_inodes", vtype_pinodes, (void *)TRUE },
732 { "spool_space", vtype_pspace, (void *)TRUE },
733 #ifdef EXPERIMENTAL_SRS
734 { "srs_db_address", vtype_stringptr, &srs_db_address },
735 { "srs_db_key", vtype_stringptr, &srs_db_key },
736 { "srs_orig_recipient", vtype_stringptr, &srs_orig_recipient },
737 { "srs_orig_sender", vtype_stringptr, &srs_orig_sender },
738 { "srs_recipient", vtype_stringptr, &srs_recipient },
739 { "srs_status", vtype_stringptr, &srs_status },
740 #endif
741 { "thisaddress", vtype_stringptr, &filter_thisaddress },
742
743 /* The non-(in,out) variables are now deprecated */
744 { "tls_bits", vtype_int, &tls_in.bits },
745 { "tls_certificate_verified", vtype_int, &tls_in.certificate_verified },
746 { "tls_cipher", vtype_stringptr, &tls_in.cipher },
747
748 { "tls_in_bits", vtype_int, &tls_in.bits },
749 { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
750 { "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
751 { "tls_in_cipher_std", vtype_stringptr, &tls_in.cipher_stdname },
752 { "tls_in_ocsp", vtype_int, &tls_in.ocsp },
753 { "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
754 { "tls_in_peercert", vtype_cert, &tls_in.peercert },
755 { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
756 #ifdef EXPERIMENTAL_TLS_RESUME
757 { "tls_in_resumption", vtype_int, &tls_in.resumption },
758 #endif
759 #ifndef DISABLE_TLS
760 { "tls_in_sni", vtype_stringptr, &tls_in.sni },
761 #endif
762 { "tls_out_bits", vtype_int, &tls_out.bits },
763 { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
764 { "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
765 { "tls_out_cipher_std", vtype_stringptr, &tls_out.cipher_stdname },
766 #ifdef SUPPORT_DANE
767 { "tls_out_dane", vtype_bool, &tls_out.dane_verified },
768 #endif
769 { "tls_out_ocsp", vtype_int, &tls_out.ocsp },
770 { "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
771 { "tls_out_peercert", vtype_cert, &tls_out.peercert },
772 { "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
773 #ifdef EXPERIMENTAL_TLS_RESUME
774 { "tls_out_resumption", vtype_int, &tls_out.resumption },
775 #endif
776 #ifndef DISABLE_TLS
777 { "tls_out_sni", vtype_stringptr, &tls_out.sni },
778 #endif
779 #ifdef SUPPORT_DANE
780 { "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage },
781 #endif
782
783 { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
784 #ifndef DISABLE_TLS
785 { "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
786 #endif
787
788 { "tod_bsdinbox", vtype_todbsdin, NULL },
789 { "tod_epoch", vtype_tode, NULL },
790 { "tod_epoch_l", vtype_todel, NULL },
791 { "tod_full", vtype_todf, NULL },
792 { "tod_log", vtype_todl, NULL },
793 { "tod_logfile", vtype_todlf, NULL },
794 { "tod_zone", vtype_todzone, NULL },
795 { "tod_zulu", vtype_todzulu, NULL },
796 { "transport_name", vtype_stringptr, &transport_name },
797 { "value", vtype_stringptr, &lookup_value },
798 { "verify_mode", vtype_stringptr, &verify_mode },
799 { "version_number", vtype_stringptr, &version_string },
800 { "warn_message_delay", vtype_stringptr, &warnmsg_delay },
801 { "warn_message_recipient",vtype_stringptr, &warnmsg_recipients },
802 { "warn_message_recipients",vtype_stringptr,&warnmsg_recipients },
803 { "warnmsg_delay", vtype_stringptr, &warnmsg_delay },
804 { "warnmsg_recipient", vtype_stringptr, &warnmsg_recipients },
805 { "warnmsg_recipients", vtype_stringptr, &warnmsg_recipients }
806 };
807
808 static int var_table_size = nelem(var_table);
809 static uschar var_buffer[256];
810 static BOOL malformed_header;
811
812 /* For textual hashes */
813
814 static const char *hashcodes = "abcdefghijklmnopqrtsuvwxyz"
815 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
816 "0123456789";
817
818 enum { HMAC_MD5, HMAC_SHA1 };
819
820 /* For numeric hashes */
821
822 static unsigned int prime[] = {
823 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
824 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
825 73, 79, 83, 89, 97, 101, 103, 107, 109, 113};
826
827 /* For printing modes in symbolic form */
828
829 static uschar *mtable_normal[] =
830 { US"---", US"--x", US"-w-", US"-wx", US"r--", US"r-x", US"rw-", US"rwx" };
831
832 static uschar *mtable_setid[] =
833 { US"--S", US"--s", US"-wS", US"-ws", US"r-S", US"r-s", US"rwS", US"rws" };
834
835 static uschar *mtable_sticky[] =
836 { US"--T", US"--t", US"-wT", US"-wt", US"r-T", US"r-t", US"rwT", US"rwt" };
837
838 /* flags for find_header() */
839 #define FH_EXISTS_ONLY BIT(0)
840 #define FH_WANT_RAW BIT(1)
841 #define FH_WANT_LIST BIT(2)
842
843
844 /*************************************************
845 * Tables for UTF-8 support *
846 *************************************************/
847
848 /* Table of the number of extra characters, indexed by the first character
849 masked with 0x3f. The highest number for a valid UTF-8 character is in fact
850 0x3d. */
851
852 static uschar utf8_table1[] = {
853 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
854 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
855 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
856 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5 };
857
858 /* These are the masks for the data bits in the first byte of a character,
859 indexed by the number of additional bytes. */
860
861 static int utf8_table2[] = { 0xff, 0x1f, 0x0f, 0x07, 0x03, 0x01};
862
863 /* Get the next UTF-8 character, advancing the pointer. */
864
865 #define GETUTF8INC(c, ptr) \
866 c = *ptr++; \
867 if ((c & 0xc0) == 0xc0) \
868 { \
869 int a = utf8_table1[c & 0x3f]; /* Number of additional bytes */ \
870 int s = 6*a; \
871 c = (c & utf8_table2[a]) << s; \
872 while (a-- > 0) \
873 { \
874 s -= 6; \
875 c |= (*ptr++ & 0x3f) << s; \
876 } \
877 }
878
879
880
881 static uschar * base32_chars = US"abcdefghijklmnopqrstuvwxyz234567";
882
883 /*************************************************
884 * Binary chop search on a table *
885 *************************************************/
886
887 /* This is used for matching expansion items and operators.
888
889 Arguments:
890 name the name that is being sought
891 table the table to search
892 table_size the number of items in the table
893
894 Returns: the offset in the table, or -1
895 */
896
897 static int
898 chop_match(uschar *name, uschar **table, int table_size)
899 {
900 uschar **bot = table;
901 uschar **top = table + table_size;
902
903 while (top > bot)
904 {
905 uschar **mid = bot + (top - bot)/2;
906 int c = Ustrcmp(name, *mid);
907 if (c == 0) return mid - table;
908 if (c > 0) bot = mid + 1; else top = mid;
909 }
910
911 return -1;
912 }
913
914
915
916 /*************************************************
917 * Check a condition string *
918 *************************************************/
919
920 /* This function is called to expand a string, and test the result for a "true"
921 or "false" value. Failure of the expansion yields FALSE; logged unless it was a
922 forced fail or lookup defer.
923
924 We used to release all store used, but this is not not safe due
925 to ${dlfunc } and ${acl }. In any case expand_string_internal()
926 is reasonably careful to release what it can.
927
928 The actual false-value tests should be replicated for ECOND_BOOL_LAX.
929
930 Arguments:
931 condition the condition string
932 m1 text to be incorporated in panic error
933 m2 ditto
934
935 Returns: TRUE if condition is met, FALSE if not
936 */
937
938 BOOL
939 expand_check_condition(uschar *condition, uschar *m1, uschar *m2)
940 {
941 int rc;
942 uschar *ss = expand_string(condition);
943 if (ss == NULL)
944 {
945 if (!f.expand_string_forcedfail && !f.search_find_defer)
946 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand condition \"%s\" "
947 "for %s %s: %s", condition, m1, m2, expand_string_message);
948 return FALSE;
949 }
950 rc = ss[0] != 0 && Ustrcmp(ss, "0") != 0 && strcmpic(ss, US"no") != 0 &&
951 strcmpic(ss, US"false") != 0;
952 return rc;
953 }
954
955
956
957
958 /*************************************************
959 * Pseudo-random number generation *
960 *************************************************/
961
962 /* Pseudo-random number generation. The result is not "expected" to be
963 cryptographically strong but not so weak that someone will shoot themselves
964 in the foot using it as a nonce in some email header scheme or whatever
965 weirdness they'll twist this into. The result should ideally handle fork().
966
967 However, if we're stuck unable to provide this, then we'll fall back to
968 appallingly bad randomness.
969
970 If DISABLE_TLS is not defined then this will not be used except as an emergency
971 fallback.
972
973 Arguments:
974 max range maximum
975 Returns a random number in range [0, max-1]
976 */
977
978 #ifndef DISABLE_TLS
979 # define vaguely_random_number vaguely_random_number_fallback
980 #endif
981 int
982 vaguely_random_number(int max)
983 {
984 #ifndef DISABLE_TLS
985 # undef vaguely_random_number
986 #endif
987 static pid_t pid = 0;
988 pid_t p2;
989
990 if ((p2 = getpid()) != pid)
991 {
992 if (pid != 0)
993 {
994
995 #ifdef HAVE_ARC4RANDOM
996 /* cryptographically strong randomness, common on *BSD platforms, not
997 so much elsewhere. Alas. */
998 # ifndef NOT_HAVE_ARC4RANDOM_STIR
999 arc4random_stir();
1000 # endif
1001 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
1002 # ifdef HAVE_SRANDOMDEV
1003 /* uses random(4) for seeding */
1004 srandomdev();
1005 # else
1006 {
1007 struct timeval tv;
1008 gettimeofday(&tv, NULL);
1009 srandom(tv.tv_sec | tv.tv_usec | getpid());
1010 }
1011 # endif
1012 #else
1013 /* Poor randomness and no seeding here */
1014 #endif
1015
1016 }
1017 pid = p2;
1018 }
1019
1020 #ifdef HAVE_ARC4RANDOM
1021 return arc4random() % max;
1022 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
1023 return random() % max;
1024 #else
1025 /* This one returns a 16-bit number, definitely not crypto-strong */
1026 return random_number(max);
1027 #endif
1028 }
1029
1030
1031
1032
1033 /*************************************************
1034 * Pick out a name from a string *
1035 *************************************************/
1036
1037 /* If the name is too long, it is silently truncated.
1038
1039 Arguments:
1040 name points to a buffer into which to put the name
1041 max is the length of the buffer
1042 s points to the first alphabetic character of the name
1043 extras chars other than alphanumerics to permit
1044
1045 Returns: pointer to the first character after the name
1046
1047 Note: The test for *s != 0 in the while loop is necessary because
1048 Ustrchr() yields non-NULL if the character is zero (which is not something
1049 I expected). */
1050
1051 static const uschar *
1052 read_name(uschar *name, int max, const uschar *s, uschar *extras)
1053 {
1054 int ptr = 0;
1055 while (*s != 0 && (isalnum(*s) || Ustrchr(extras, *s) != NULL))
1056 {
1057 if (ptr < max-1) name[ptr++] = *s;
1058 s++;
1059 }
1060 name[ptr] = 0;
1061 return s;
1062 }
1063
1064
1065
1066 /*************************************************
1067 * Pick out the rest of a header name *
1068 *************************************************/
1069
1070 /* A variable name starting $header_ (or just $h_ for those who like
1071 abbreviations) might not be the complete header name because headers can
1072 contain any printing characters in their names, except ':'. This function is
1073 called to read the rest of the name, chop h[eader]_ off the front, and put ':'
1074 on the end, if the name was terminated by white space.
1075
1076 Arguments:
1077 name points to a buffer in which the name read so far exists
1078 max is the length of the buffer
1079 s points to the first character after the name so far, i.e. the
1080 first non-alphameric character after $header_xxxxx
1081
1082 Returns: a pointer to the first character after the header name
1083 */
1084
1085 static const uschar *
1086 read_header_name(uschar *name, int max, const uschar *s)
1087 {
1088 int prelen = Ustrchr(name, '_') - name + 1;
1089 int ptr = Ustrlen(name) - prelen;
1090 if (ptr > 0) memmove(name, name+prelen, ptr);
1091 while (mac_isgraph(*s) && *s != ':')
1092 {
1093 if (ptr < max-1) name[ptr++] = *s;
1094 s++;
1095 }
1096 if (*s == ':') s++;
1097 name[ptr++] = ':';
1098 name[ptr] = 0;
1099 return s;
1100 }
1101
1102
1103
1104 /*************************************************
1105 * Pick out a number from a string *
1106 *************************************************/
1107
1108 /* Arguments:
1109 n points to an integer into which to put the number
1110 s points to the first digit of the number
1111
1112 Returns: a pointer to the character after the last digit
1113 */
1114 /*XXX consider expanding to int_eximarith_t. But the test for
1115 "overbig numbers" in 0002 still needs to overflow it. */
1116
1117 static uschar *
1118 read_number(int *n, uschar *s)
1119 {
1120 *n = 0;
1121 while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
1122 return s;
1123 }
1124
1125 static const uschar *
1126 read_cnumber(int *n, const uschar *s)
1127 {
1128 *n = 0;
1129 while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
1130 return s;
1131 }
1132
1133
1134
1135 /*************************************************
1136 * Extract keyed subfield from a string *
1137 *************************************************/
1138
1139 /* The yield is in dynamic store; NULL means that the key was not found.
1140
1141 Arguments:
1142 key points to the name of the key
1143 s points to the string from which to extract the subfield
1144
1145 Returns: NULL if the subfield was not found, or
1146 a pointer to the subfield's data
1147 */
1148
1149 static uschar *
1150 expand_getkeyed(uschar * key, const uschar * s)
1151 {
1152 int length = Ustrlen(key);
1153 while (isspace(*s)) s++;
1154
1155 /* Loop to search for the key */
1156
1157 while (*s)
1158 {
1159 int dkeylength;
1160 uschar * data;
1161 const uschar * dkey = s;
1162
1163 while (*s && *s != '=' && !isspace(*s)) s++;
1164 dkeylength = s - dkey;
1165 while (isspace(*s)) s++;
1166 if (*s == '=') while (isspace((*(++s))));
1167
1168 data = string_dequote(&s);
1169 if (length == dkeylength && strncmpic(key, dkey, length) == 0)
1170 return data;
1171
1172 while (isspace(*s)) s++;
1173 }
1174
1175 return NULL;
1176 }
1177
1178
1179
1180 static var_entry *
1181 find_var_ent(uschar * name)
1182 {
1183 int first = 0;
1184 int last = var_table_size;
1185
1186 while (last > first)
1187 {
1188 int middle = (first + last)/2;
1189 int c = Ustrcmp(name, var_table[middle].name);
1190
1191 if (c > 0) { first = middle + 1; continue; }
1192 if (c < 0) { last = middle; continue; }
1193 return &var_table[middle];
1194 }
1195 return NULL;
1196 }
1197
1198 /*************************************************
1199 * Extract numbered subfield from string *
1200 *************************************************/
1201
1202 /* Extracts a numbered field from a string that is divided by tokens - for
1203 example a line from /etc/passwd is divided by colon characters. First field is
1204 numbered one. Negative arguments count from the right. Zero returns the whole
1205 string. Returns NULL if there are insufficient tokens in the string
1206
1207 ***WARNING***
1208 Modifies final argument - this is a dynamically generated string, so that's OK.
1209
1210 Arguments:
1211 field number of field to be extracted,
1212 first field = 1, whole string = 0, last field = -1
1213 separators characters that are used to break string into tokens
1214 s points to the string from which to extract the subfield
1215
1216 Returns: NULL if the field was not found,
1217 a pointer to the field's data inside s (modified to add 0)
1218 */
1219
1220 static uschar *
1221 expand_gettokened (int field, uschar *separators, uschar *s)
1222 {
1223 int sep = 1;
1224 int count;
1225 uschar *ss = s;
1226 uschar *fieldtext = NULL;
1227
1228 if (field == 0) return s;
1229
1230 /* Break the line up into fields in place; for field > 0 we stop when we have
1231 done the number of fields we want. For field < 0 we continue till the end of
1232 the string, counting the number of fields. */
1233
1234 count = (field > 0)? field : INT_MAX;
1235
1236 while (count-- > 0)
1237 {
1238 size_t len;
1239
1240 /* Previous field was the last one in the string. For a positive field
1241 number, this means there are not enough fields. For a negative field number,
1242 check that there are enough, and scan back to find the one that is wanted. */
1243
1244 if (sep == 0)
1245 {
1246 if (field > 0 || (-field) > (INT_MAX - count - 1)) return NULL;
1247 if ((-field) == (INT_MAX - count - 1)) return s;
1248 while (field++ < 0)
1249 {
1250 ss--;
1251 while (ss[-1] != 0) ss--;
1252 }
1253 fieldtext = ss;
1254 break;
1255 }
1256
1257 /* Previous field was not last in the string; save its start and put a
1258 zero at its end. */
1259
1260 fieldtext = ss;
1261 len = Ustrcspn(ss, separators);
1262 sep = ss[len];
1263 ss[len] = 0;
1264 ss += len + 1;
1265 }
1266
1267 return fieldtext;
1268 }
1269
1270
1271 static uschar *
1272 expand_getlistele(int field, const uschar * list)
1273 {
1274 const uschar * tlist = list;
1275 int sep = 0;
1276 uschar dummy;
1277
1278 if (field < 0)
1279 {
1280 for (field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
1281 sep = 0;
1282 }
1283 if (field == 0) return NULL;
1284 while (--field > 0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
1285 return string_nextinlist(&list, &sep, NULL, 0);
1286 }
1287
1288
1289 /* Certificate fields, by name. Worry about by-OID later */
1290 /* Names are chosen to not have common prefixes */
1291
1292 #ifndef DISABLE_TLS
1293 typedef struct
1294 {
1295 uschar * name;
1296 int namelen;
1297 uschar * (*getfn)(void * cert, uschar * mod);
1298 } certfield;
1299 static certfield certfields[] =
1300 { /* linear search; no special order */
1301 { US"version", 7, &tls_cert_version },
1302 { US"serial_number", 13, &tls_cert_serial_number },
1303 { US"subject", 7, &tls_cert_subject },
1304 { US"notbefore", 9, &tls_cert_not_before },
1305 { US"notafter", 8, &tls_cert_not_after },
1306 { US"issuer", 6, &tls_cert_issuer },
1307 { US"signature", 9, &tls_cert_signature },
1308 { US"sig_algorithm", 13, &tls_cert_signature_algorithm },
1309 { US"subj_altname", 12, &tls_cert_subject_altname },
1310 { US"ocsp_uri", 8, &tls_cert_ocsp_uri },
1311 { US"crl_uri", 7, &tls_cert_crl_uri },
1312 };
1313
1314 static uschar *
1315 expand_getcertele(uschar * field, uschar * certvar)
1316 {
1317 var_entry * vp;
1318
1319 if (!(vp = find_var_ent(certvar)))
1320 {
1321 expand_string_message =
1322 string_sprintf("no variable named \"%s\"", certvar);
1323 return NULL; /* Unknown variable name */
1324 }
1325 /* NB this stops us passing certs around in variable. Might
1326 want to do that in future */
1327 if (vp->type != vtype_cert)
1328 {
1329 expand_string_message =
1330 string_sprintf("\"%s\" is not a certificate", certvar);
1331 return NULL; /* Unknown variable name */
1332 }
1333 if (!*(void **)vp->value)
1334 return NULL;
1335
1336 if (*field >= '0' && *field <= '9')
1337 return tls_cert_ext_by_oid(*(void **)vp->value, field, 0);
1338
1339 for (certfield * cp = certfields;
1340 cp < certfields + nelem(certfields);
1341 cp++)
1342 if (Ustrncmp(cp->name, field, cp->namelen) == 0)
1343 {
1344 uschar * modifier = *(field += cp->namelen) == ','
1345 ? ++field : NULL;
1346 return (*cp->getfn)( *(void **)vp->value, modifier );
1347 }
1348
1349 expand_string_message =
1350 string_sprintf("bad field selector \"%s\" for certextract", field);
1351 return NULL;
1352 }
1353 #endif /*DISABLE_TLS*/
1354
1355 /*************************************************
1356 * Extract a substring from a string *
1357 *************************************************/
1358
1359 /* Perform the ${substr or ${length expansion operations.
1360
1361 Arguments:
1362 subject the input string
1363 value1 the offset from the start of the input string to the start of
1364 the output string; if negative, count from the right.
1365 value2 the length of the output string, or negative (-1) for unset
1366 if value1 is positive, unset means "all after"
1367 if value1 is negative, unset means "all before"
1368 len set to the length of the returned string
1369
1370 Returns: pointer to the output string, or NULL if there is an error
1371 */
1372
1373 static uschar *
1374 extract_substr(uschar *subject, int value1, int value2, int *len)
1375 {
1376 int sublen = Ustrlen(subject);
1377
1378 if (value1 < 0) /* count from right */
1379 {
1380 value1 += sublen;
1381
1382 /* If the position is before the start, skip to the start, and adjust the
1383 length. If the length ends up negative, the substring is null because nothing
1384 can precede. This falls out naturally when the length is unset, meaning "all
1385 to the left". */
1386
1387 if (value1 < 0)
1388 {
1389 value2 += value1;
1390 if (value2 < 0) value2 = 0;
1391 value1 = 0;
1392 }
1393
1394 /* Otherwise an unset length => characters before value1 */
1395
1396 else if (value2 < 0)
1397 {
1398 value2 = value1;
1399 value1 = 0;
1400 }
1401 }
1402
1403 /* For a non-negative offset, if the starting position is past the end of the
1404 string, the result will be the null string. Otherwise, an unset length means
1405 "rest"; just set it to the maximum - it will be cut down below if necessary. */
1406
1407 else
1408 {
1409 if (value1 > sublen)
1410 {
1411 value1 = sublen;
1412 value2 = 0;
1413 }
1414 else if (value2 < 0) value2 = sublen;
1415 }
1416
1417 /* Cut the length down to the maximum possible for the offset value, and get
1418 the required characters. */
1419
1420 if (value1 + value2 > sublen) value2 = sublen - value1;
1421 *len = value2;
1422 return subject + value1;
1423 }
1424
1425
1426
1427
1428 /*************************************************
1429 * Old-style hash of a string *
1430 *************************************************/
1431
1432 /* Perform the ${hash expansion operation.
1433
1434 Arguments:
1435 subject the input string (an expanded substring)
1436 value1 the length of the output string; if greater or equal to the
1437 length of the input string, the input string is returned
1438 value2 the number of hash characters to use, or 26 if negative
1439 len set to the length of the returned string
1440
1441 Returns: pointer to the output string, or NULL if there is an error
1442 */
1443
1444 static uschar *
1445 compute_hash(uschar *subject, int value1, int value2, int *len)
1446 {
1447 int sublen = Ustrlen(subject);
1448
1449 if (value2 < 0) value2 = 26;
1450 else if (value2 > Ustrlen(hashcodes))
1451 {
1452 expand_string_message =
1453 string_sprintf("hash count \"%d\" too big", value2);
1454 return NULL;
1455 }
1456
1457 /* Calculate the hash text. We know it is shorter than the original string, so
1458 can safely place it in subject[] (we know that subject is always itself an
1459 expanded substring). */
1460
1461 if (value1 < sublen)
1462 {
1463 int c;
1464 int i = 0;
1465 int j = value1;
1466 while ((c = (subject[j])) != 0)
1467 {
1468 int shift = (c + j++) & 7;
1469 subject[i] ^= (c << shift) | (c >> (8-shift));
1470 if (++i >= value1) i = 0;
1471 }
1472 for (i = 0; i < value1; i++)
1473 subject[i] = hashcodes[(subject[i]) % value2];
1474 }
1475 else value1 = sublen;
1476
1477 *len = value1;
1478 return subject;
1479 }
1480
1481
1482
1483
1484 /*************************************************
1485 * Numeric hash of a string *
1486 *************************************************/
1487
1488 /* Perform the ${nhash expansion operation. The first characters of the
1489 string are treated as most important, and get the highest prime numbers.
1490
1491 Arguments:
1492 subject the input string
1493 value1 the maximum value of the first part of the result
1494 value2 the maximum value of the second part of the result,
1495 or negative to produce only a one-part result
1496 len set to the length of the returned string
1497
1498 Returns: pointer to the output string, or NULL if there is an error.
1499 */
1500
1501 static uschar *
1502 compute_nhash (uschar *subject, int value1, int value2, int *len)
1503 {
1504 uschar *s = subject;
1505 int i = 0;
1506 unsigned long int total = 0; /* no overflow */
1507
1508 while (*s != 0)
1509 {
1510 if (i == 0) i = nelem(prime) - 1;
1511 total += prime[i--] * (unsigned int)(*s++);
1512 }
1513
1514 /* If value2 is unset, just compute one number */
1515
1516 if (value2 < 0)
1517 s = string_sprintf("%lu", total % value1);
1518
1519 /* Otherwise do a div/mod hash */
1520
1521 else
1522 {
1523 total = total % (value1 * value2);
1524 s = string_sprintf("%lu/%lu", total/value2, total % value2);
1525 }
1526
1527 *len = Ustrlen(s);
1528 return s;
1529 }
1530
1531
1532
1533
1534
1535 /*************************************************
1536 * Find the value of a header or headers *
1537 *************************************************/
1538
1539 /* Multiple instances of the same header get concatenated, and this function
1540 can also return a concatenation of all the header lines. When concatenating
1541 specific headers that contain lists of addresses, a comma is inserted between
1542 them. Otherwise we use a straight concatenation. Because some messages can have
1543 pathologically large number of lines, there is a limit on the length that is
1544 returned.
1545
1546 Arguments:
1547 name the name of the header, without the leading $header_ or $h_,
1548 or NULL if a concatenation of all headers is required
1549 newsize return the size of memory block that was obtained; may be NULL
1550 if exists_only is TRUE
1551 flags FH_EXISTS_ONLY
1552 set if called from a def: test; don't need to build a string;
1553 just return a string that is not "" and not "0" if the header
1554 exists
1555 FH_WANT_RAW
1556 set if called for $rh_ or $rheader_ items; no processing,
1557 other than concatenating, will be done on the header. Also used
1558 for $message_headers_raw.
1559 FH_WANT_LIST
1560 Double colon chars in the content, and replace newline with
1561 colon between each element when concatenating; returning a
1562 colon-sep list (elements might contain newlines)
1563 charset name of charset to translate MIME words to; used only if
1564 want_raw is false; if NULL, no translation is done (this is
1565 used for $bh_ and $bheader_)
1566
1567 Returns: NULL if the header does not exist, else a pointer to a new
1568 store block
1569 */
1570
1571 static uschar *
1572 find_header(uschar *name, int *newsize, unsigned flags, uschar *charset)
1573 {
1574 BOOL found = !name;
1575 int len = name ? Ustrlen(name) : 0;
1576 BOOL comma = FALSE;
1577 gstring * g = NULL;
1578
1579 for (header_line * h = header_list; h; h = h->next)
1580 if (h->type != htype_old && h->text) /* NULL => Received: placeholder */
1581 if (!name || (len <= h->slen && strncmpic(name, h->text, len) == 0))
1582 {
1583 uschar * s, * t;
1584 size_t inc;
1585
1586 if (flags & FH_EXISTS_ONLY)
1587 return US"1"; /* don't need actual string */
1588
1589 found = TRUE;
1590 s = h->text + len; /* text to insert */
1591 if (!(flags & FH_WANT_RAW)) /* unless wanted raw, */
1592 while (isspace(*s)) s++; /* remove leading white space */
1593 t = h->text + h->slen; /* end-point */
1594
1595 /* Unless wanted raw, remove trailing whitespace, including the
1596 newline. */
1597
1598 if (flags & FH_WANT_LIST)
1599 while (t > s && t[-1] == '\n') t--;
1600 else if (!(flags & FH_WANT_RAW))
1601 {
1602 while (t > s && isspace(t[-1])) t--;
1603
1604 /* Set comma if handling a single header and it's one of those
1605 that contains an address list, except when asked for raw headers. Only
1606 need to do this once. */
1607
1608 if (name && !comma && Ustrchr("BCFRST", h->type)) comma = TRUE;
1609 }
1610
1611 /* Trim the header roughly if we're approaching limits */
1612 inc = t - s;
1613 if ((g ? g->ptr : 0) + inc > header_insert_maxlen)
1614 inc = header_insert_maxlen - (g ? g->ptr : 0);
1615
1616 /* For raw just copy the data; for a list, add the data as a colon-sep
1617 list-element; for comma-list add as an unchecked comma,newline sep
1618 list-elemment; for other nonraw add as an unchecked newline-sep list (we
1619 stripped trailing WS above including the newline). We ignore the potential
1620 expansion due to colon-doubling, just leaving the loop if the limit is met
1621 or exceeded. */
1622
1623 if (flags & FH_WANT_LIST)
1624 g = string_append_listele_n(g, ':', s, (unsigned)inc);
1625 else if (flags & FH_WANT_RAW)
1626 {
1627 g = string_catn(g, s, (unsigned)inc);
1628 (void) string_from_gstring(g);
1629 }
1630 else if (inc > 0)
1631 if (comma)
1632 g = string_append2_listele_n(g, US",\n", s, (unsigned)inc);
1633 else
1634 g = string_append2_listele_n(g, US"\n", s, (unsigned)inc);
1635
1636 if (g && g->ptr >= header_insert_maxlen) break;
1637 }
1638
1639 if (!found) return NULL; /* No header found */
1640 if (!g) return US"";
1641
1642 /* That's all we do for raw header expansion. */
1643
1644 *newsize = g->size;
1645 if (flags & FH_WANT_RAW)
1646 return g->s;
1647
1648 /* Otherwise do RFC 2047 decoding, translating the charset if requested.
1649 The rfc2047_decode2() function can return an error with decoded data if the
1650 charset translation fails. If decoding fails, it returns NULL. */
1651
1652 else
1653 {
1654 uschar *decoded, *error;
1655
1656 decoded = rfc2047_decode2(g->s, check_rfc2047_length, charset, '?', NULL,
1657 newsize, &error);
1658 if (error)
1659 {
1660 DEBUG(D_any) debug_printf("*** error in RFC 2047 decoding: %s\n"
1661 " input was: %s\n", error, g->s);
1662 }
1663 return decoded ? decoded : g->s;
1664 }
1665 }
1666
1667
1668
1669
1670 /* Append a "local" element to an Authentication-Results: header
1671 if this was a non-smtp message.
1672 */
1673
1674 static gstring *
1675 authres_local(gstring * g, const uschar * sysname)
1676 {
1677 if (!f.authentication_local)
1678 return g;
1679 g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")");
1680 if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id);
1681 return g;
1682 }
1683
1684
1685 /* Append an "iprev" element to an Authentication-Results: header
1686 if we have attempted to get the calling host's name.
1687 */
1688
1689 static gstring *
1690 authres_iprev(gstring * g)
1691 {
1692 if (sender_host_name)
1693 g = string_append(g, 3, US";\n\tiprev=pass (", sender_host_name, US")");
1694 else if (host_lookup_deferred)
1695 g = string_catn(g, US";\n\tiprev=temperror", 19);
1696 else if (host_lookup_failed)
1697 g = string_catn(g, US";\n\tiprev=fail", 13);
1698 else
1699 return g;
1700
1701 if (sender_host_address)
1702 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1703 return g;
1704 }
1705
1706
1707
1708 /*************************************************
1709 * Return list of recipients *
1710 *************************************************/
1711 /* A recipients list is available only during system message filtering,
1712 during ACL processing after DATA, and while expanding pipe commands
1713 generated from a system filter, but not elsewhere. */
1714
1715 static uschar *
1716 fn_recipients(void)
1717 {
1718 uschar * s;
1719 gstring * g = NULL;
1720
1721 if (!f.enable_dollar_recipients) return NULL;
1722
1723 for (int i = 0; i < recipients_count; i++)
1724 {
1725 s = recipients_list[i].address;
1726 g = string_append2_listele_n(g, US", ", s, Ustrlen(s));
1727 }
1728 return g ? g->s : NULL;
1729 }
1730
1731
1732 /*************************************************
1733 * Find value of a variable *
1734 *************************************************/
1735
1736 /* The table of variables is kept in alphabetic order, so we can search it
1737 using a binary chop. The "choplen" variable is nothing to do with the binary
1738 chop.
1739
1740 Arguments:
1741 name the name of the variable being sought
1742 exists_only TRUE if this is a def: test; passed on to find_header()
1743 skipping TRUE => skip any processing evaluation; this is not the same as
1744 exists_only because def: may test for values that are first
1745 evaluated here
1746 newsize pointer to an int which is initially zero; if the answer is in
1747 a new memory buffer, *newsize is set to its size
1748
1749 Returns: NULL if the variable does not exist, or
1750 a pointer to the variable's contents, or
1751 something non-NULL if exists_only is TRUE
1752 */
1753
1754 static uschar *
1755 find_variable(uschar *name, BOOL exists_only, BOOL skipping, int *newsize)
1756 {
1757 var_entry * vp;
1758 uschar *s, *domain;
1759 uschar **ss;
1760 void * val;
1761
1762 /* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx.
1763 Originally, xxx had to be a number in the range 0-9 (later 0-19), but from
1764 release 4.64 onwards arbitrary names are permitted, as long as the first 5
1765 characters are acl_c or acl_m and the sixth is either a digit or an underscore
1766 (this gave backwards compatibility at the changeover). There may be built-in
1767 variables whose names start acl_ but they should never start in this way. This
1768 slightly messy specification is a consequence of the history, needless to say.
1769
1770 If an ACL variable does not exist, treat it as empty, unless strict_acl_vars is
1771 set, in which case give an error. */
1772
1773 if ((Ustrncmp(name, "acl_c", 5) == 0 || Ustrncmp(name, "acl_m", 5) == 0) &&
1774 !isalpha(name[5]))
1775 {
1776 tree_node * node =
1777 tree_search(name[4] == 'c' ? acl_var_c : acl_var_m, name + 4);
1778 return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
1779 }
1780 else if (Ustrncmp(name, "r_", 2) == 0)
1781 {
1782 tree_node * node = tree_search(router_var, name + 2);
1783 return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
1784 }
1785
1786 /* Handle $auth<n> variables. */
1787
1788 if (Ustrncmp(name, "auth", 4) == 0)
1789 {
1790 uschar *endptr;
1791 int n = Ustrtoul(name + 4, &endptr, 10);
1792 if (*endptr == 0 && n != 0 && n <= AUTH_VARS)
1793 return !auth_vars[n-1] ? US"" : auth_vars[n-1];
1794 }
1795 else if (Ustrncmp(name, "regex", 5) == 0)
1796 {
1797 uschar *endptr;
1798 int n = Ustrtoul(name + 5, &endptr, 10);
1799 if (*endptr == 0 && n != 0 && n <= REGEX_VARS)
1800 return !regex_vars[n-1] ? US"" : regex_vars[n-1];
1801 }
1802
1803 /* For all other variables, search the table */
1804
1805 if (!(vp = find_var_ent(name)))
1806 return NULL; /* Unknown variable name */
1807
1808 /* Found an existing variable. If in skipping state, the value isn't needed,
1809 and we want to avoid processing (such as looking up the host name). */
1810
1811 if (skipping)
1812 return US"";
1813
1814 val = vp->value;
1815 switch (vp->type)
1816 {
1817 case vtype_filter_int:
1818 if (!f.filter_running) return NULL;
1819 /* Fall through */
1820 /* VVVVVVVVVVVV */
1821 case vtype_int:
1822 sprintf(CS var_buffer, "%d", *(int *)(val)); /* Integer */
1823 return var_buffer;
1824
1825 case vtype_ino:
1826 sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(val))); /* Inode */
1827 return var_buffer;
1828
1829 case vtype_gid:
1830 sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(val))); /* gid */
1831 return var_buffer;
1832
1833 case vtype_uid:
1834 sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(val))); /* uid */
1835 return var_buffer;
1836
1837 case vtype_bool:
1838 sprintf(CS var_buffer, "%s", *(BOOL *)(val) ? "yes" : "no"); /* bool */
1839 return var_buffer;
1840
1841 case vtype_stringptr: /* Pointer to string */
1842 return (s = *((uschar **)(val))) ? s : US"";
1843
1844 case vtype_pid:
1845 sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */
1846 return var_buffer;
1847
1848 case vtype_load_avg:
1849 sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */
1850 return var_buffer;
1851
1852 case vtype_host_lookup: /* Lookup if not done so */
1853 if ( !sender_host_name && sender_host_address
1854 && !host_lookup_failed && host_name_lookup() == OK)
1855 host_build_sender_fullhost();
1856 return sender_host_name ? sender_host_name : US"";
1857
1858 case vtype_localpart: /* Get local part from address */
1859 s = *((uschar **)(val));
1860 if (s == NULL) return US"";
1861 domain = Ustrrchr(s, '@');
1862 if (domain == NULL) return s;
1863 if (domain - s > sizeof(var_buffer) - 1)
1864 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT
1865 " in string expansion", sizeof(var_buffer));
1866 Ustrncpy(var_buffer, s, domain - s);
1867 var_buffer[domain - s] = 0;
1868 return var_buffer;
1869
1870 case vtype_domain: /* Get domain from address */
1871 s = *((uschar **)(val));
1872 if (s == NULL) return US"";
1873 domain = Ustrrchr(s, '@');
1874 return (domain == NULL)? US"" : domain + 1;
1875
1876 case vtype_msgheaders:
1877 return find_header(NULL, newsize, exists_only ? FH_EXISTS_ONLY : 0, NULL);
1878
1879 case vtype_msgheaders_raw:
1880 return find_header(NULL, newsize,
1881 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW, NULL);
1882
1883 case vtype_msgbody: /* Pointer to msgbody string */
1884 case vtype_msgbody_end: /* Ditto, the end of the msg */
1885 ss = (uschar **)(val);
1886 if (!*ss && deliver_datafile >= 0) /* Read body when needed */
1887 {
1888 uschar *body;
1889 off_t start_offset = SPOOL_DATA_START_OFFSET;
1890 int len = message_body_visible;
1891 if (len > message_size) len = message_size;
1892 *ss = body = store_malloc(len+1);
1893 body[0] = 0;
1894 if (vp->type == vtype_msgbody_end)
1895 {
1896 struct stat statbuf;
1897 if (fstat(deliver_datafile, &statbuf) == 0)
1898 {
1899 start_offset = statbuf.st_size - len;
1900 if (start_offset < SPOOL_DATA_START_OFFSET)
1901 start_offset = SPOOL_DATA_START_OFFSET;
1902 }
1903 }
1904 if (lseek(deliver_datafile, start_offset, SEEK_SET) < 0)
1905 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "deliver_datafile lseek: %s",
1906 strerror(errno));
1907 len = read(deliver_datafile, body, len);
1908 if (len > 0)
1909 {
1910 body[len] = 0;
1911 if (message_body_newlines) /* Separate loops for efficiency */
1912 while (len > 0)
1913 { if (body[--len] == 0) body[len] = ' '; }
1914 else
1915 while (len > 0)
1916 { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; }
1917 }
1918 }
1919 return *ss ? *ss : US"";
1920
1921 case vtype_todbsdin: /* BSD inbox time of day */
1922 return tod_stamp(tod_bsdin);
1923
1924 case vtype_tode: /* Unix epoch time of day */
1925 return tod_stamp(tod_epoch);
1926
1927 case vtype_todel: /* Unix epoch/usec time of day */
1928 return tod_stamp(tod_epoch_l);
1929
1930 case vtype_todf: /* Full time of day */
1931 return tod_stamp(tod_full);
1932
1933 case vtype_todl: /* Log format time of day */
1934 return tod_stamp(tod_log_bare); /* (without timezone) */
1935
1936 case vtype_todzone: /* Time zone offset only */
1937 return tod_stamp(tod_zone);
1938
1939 case vtype_todzulu: /* Zulu time */
1940 return tod_stamp(tod_zulu);
1941
1942 case vtype_todlf: /* Log file datestamp tod */
1943 return tod_stamp(tod_log_datestamp_daily);
1944
1945 case vtype_reply: /* Get reply address */
1946 s = find_header(US"reply-to:", newsize,
1947 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
1948 headers_charset);
1949 if (s) while (isspace(*s)) s++;
1950 if (!s || !*s)
1951 {
1952 *newsize = 0; /* For the *s==0 case */
1953 s = find_header(US"from:", newsize,
1954 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
1955 headers_charset);
1956 }
1957 if (s)
1958 {
1959 uschar *t;
1960 while (isspace(*s)) s++;
1961 for (t = s; *t != 0; t++) if (*t == '\n') *t = ' ';
1962 while (t > s && isspace(t[-1])) t--;
1963 *t = 0;
1964 }
1965 return s ? s : US"";
1966
1967 case vtype_string_func:
1968 {
1969 uschar * (*fn)() = val;
1970 return fn();
1971 }
1972
1973 case vtype_pspace:
1974 {
1975 int inodes;
1976 sprintf(CS var_buffer, PR_EXIM_ARITH,
1977 receive_statvfs(val == (void *)TRUE, &inodes));
1978 }
1979 return var_buffer;
1980
1981 case vtype_pinodes:
1982 {
1983 int inodes;
1984 (void) receive_statvfs(val == (void *)TRUE, &inodes);
1985 sprintf(CS var_buffer, "%d", inodes);
1986 }
1987 return var_buffer;
1988
1989 case vtype_cert:
1990 return *(void **)val ? US"<cert>" : US"";
1991
1992 #ifndef DISABLE_DKIM
1993 case vtype_dkim:
1994 return dkim_exim_expand_query((int)(long)val);
1995 #endif
1996
1997 }
1998
1999 return NULL; /* Unknown variable. Silences static checkers. */
2000 }
2001
2002
2003
2004
2005 void
2006 modify_variable(uschar *name, void * value)
2007 {
2008 var_entry * vp;
2009 if ((vp = find_var_ent(name))) vp->value = value;
2010 return; /* Unknown variable name, fail silently */
2011 }
2012
2013
2014
2015
2016
2017
2018 /*************************************************
2019 * Read and expand substrings *
2020 *************************************************/
2021
2022 /* This function is called to read and expand argument substrings for various
2023 expansion items. Some have a minimum requirement that is less than the maximum;
2024 in these cases, the first non-present one is set to NULL.
2025
2026 Arguments:
2027 sub points to vector of pointers to set
2028 n maximum number of substrings
2029 m minimum required
2030 sptr points to current string pointer
2031 skipping the skipping flag
2032 check_end if TRUE, check for final '}'
2033 name name of item, for error message
2034 resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
2035 the store.
2036
2037 Returns: 0 OK; string pointer updated
2038 1 curly bracketing error (too few arguments)
2039 2 too many arguments (only if check_end is set); message set
2040 3 other error (expansion failure)
2041 */
2042
2043 static int
2044 read_subs(uschar **sub, int n, int m, const uschar **sptr, BOOL skipping,
2045 BOOL check_end, uschar *name, BOOL *resetok)
2046 {
2047 const uschar *s = *sptr;
2048
2049 while (isspace(*s)) s++;
2050 for (int i = 0; i < n; i++)
2051 {
2052 if (*s != '{')
2053 {
2054 if (i < m)
2055 {
2056 expand_string_message = string_sprintf("Not enough arguments for '%s' "
2057 "(min is %d)", name, m);
2058 return 1;
2059 }
2060 sub[i] = NULL;
2061 break;
2062 }
2063 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, resetok)))
2064 return 3;
2065 if (*s++ != '}') return 1;
2066 while (isspace(*s)) s++;
2067 }
2068 if (check_end && *s++ != '}')
2069 {
2070 if (s[-1] == '{')
2071 {
2072 expand_string_message = string_sprintf("Too many arguments for '%s' "
2073 "(max is %d)", name, n);
2074 return 2;
2075 }
2076 expand_string_message = string_sprintf("missing '}' after '%s'", name);
2077 return 1;
2078 }
2079
2080 *sptr = s;
2081 return 0;
2082 }
2083
2084
2085
2086
2087 /*************************************************
2088 * Elaborate message for bad variable *
2089 *************************************************/
2090
2091 /* For the "unknown variable" message, take a look at the variable's name, and
2092 give additional information about possible ACL variables. The extra information
2093 is added on to expand_string_message.
2094
2095 Argument: the name of the variable
2096 Returns: nothing
2097 */
2098
2099 static void
2100 check_variable_error_message(uschar *name)
2101 {
2102 if (Ustrncmp(name, "acl_", 4) == 0)
2103 expand_string_message = string_sprintf("%s (%s)", expand_string_message,
2104 (name[4] == 'c' || name[4] == 'm')?
2105 (isalpha(name[5])?
2106 US"6th character of a user-defined ACL variable must be a digit or underscore" :
2107 US"strict_acl_vars is set" /* Syntax is OK, it has to be this */
2108 ) :
2109 US"user-defined ACL variables must start acl_c or acl_m");
2110 }
2111
2112
2113
2114 /*
2115 Load args from sub array to globals, and call acl_check().
2116 Sub array will be corrupted on return.
2117
2118 Returns: OK access is granted by an ACCEPT verb
2119 DISCARD access is (apparently) granted by a DISCARD verb
2120 FAIL access is denied
2121 FAIL_DROP access is denied; drop the connection
2122 DEFER can't tell at the moment
2123 ERROR disaster
2124 */
2125 static int
2126 eval_acl(uschar ** sub, int nsub, uschar ** user_msgp)
2127 {
2128 int i;
2129 int sav_narg = acl_narg;
2130 int ret;
2131 uschar * dummy_logmsg;
2132 extern int acl_where;
2133
2134 if(--nsub > nelem(acl_arg)) nsub = nelem(acl_arg);
2135 for (i = 0; i < nsub && sub[i+1]; i++)
2136 {
2137 uschar * tmp = acl_arg[i];
2138 acl_arg[i] = sub[i+1]; /* place callers args in the globals */
2139 sub[i+1] = tmp; /* stash the old args using our caller's storage */
2140 }
2141 acl_narg = i;
2142 while (i < nsub)
2143 {
2144 sub[i+1] = acl_arg[i];
2145 acl_arg[i++] = NULL;
2146 }
2147
2148 DEBUG(D_expand)
2149 debug_printf_indent("expanding: acl: %s arg: %s%s\n",
2150 sub[0],
2151 acl_narg>0 ? acl_arg[0] : US"<none>",
2152 acl_narg>1 ? " +more" : "");
2153
2154 ret = acl_eval(acl_where, sub[0], user_msgp, &dummy_logmsg);
2155
2156 for (i = 0; i < nsub; i++)
2157 acl_arg[i] = sub[i+1]; /* restore old args */
2158 acl_narg = sav_narg;
2159
2160 return ret;
2161 }
2162
2163
2164
2165
2166 /* Return pointer to dewrapped string, with enclosing specified chars removed.
2167 The given string is modified on return. Leading whitespace is skipped while
2168 looking for the opening wrap character, then the rest is scanned for the trailing
2169 (non-escaped) wrap character. A backslash in the string will act as an escape.
2170
2171 A nul is written over the trailing wrap, and a pointer to the char after the
2172 leading wrap is returned.
2173
2174 Arguments:
2175 s String for de-wrapping
2176 wrap Two-char string, the first being the opener, second the closer wrapping
2177 character
2178 Return:
2179 Pointer to de-wrapped string, or NULL on error (with expand_string_message set).
2180 */
2181
2182 static uschar *
2183 dewrap(uschar * s, const uschar * wrap)
2184 {
2185 uschar * p = s;
2186 unsigned depth = 0;
2187 BOOL quotesmode = wrap[0] == wrap[1];
2188
2189 while (isspace(*p)) p++;
2190
2191 if (*p == *wrap)
2192 {
2193 s = ++p;
2194 wrap++;
2195 while (*p)
2196 {
2197 if (*p == '\\') p++;
2198 else if (!quotesmode && *p == wrap[-1]) depth++;
2199 else if (*p == *wrap)
2200 if (depth == 0)
2201 {
2202 *p = '\0';
2203 return s;
2204 }
2205 else
2206 depth--;
2207 p++;
2208 }
2209 }
2210 expand_string_message = string_sprintf("missing '%c'", *wrap);
2211 return NULL;
2212 }
2213
2214
2215 /* Pull off the leading array or object element, returning
2216 a copy in an allocated string. Update the list pointer.
2217
2218 The element may itself be an abject or array.
2219 Return NULL when the list is empty.
2220 */
2221
2222 static uschar *
2223 json_nextinlist(const uschar ** list)
2224 {
2225 unsigned array_depth = 0, object_depth = 0;
2226 const uschar * s = *list, * item;
2227
2228 while (isspace(*s)) s++;
2229
2230 for (item = s;
2231 *s && (*s != ',' || array_depth != 0 || object_depth != 0);
2232 s++)
2233 switch (*s)
2234 {
2235 case '[': array_depth++; break;
2236 case ']': array_depth--; break;
2237 case '{': object_depth++; break;
2238 case '}': object_depth--; break;
2239 }
2240 *list = *s ? s+1 : s;
2241 if (item == s) return NULL;
2242 item = string_copyn(item, s - item);
2243 DEBUG(D_expand) debug_printf_indent(" json ele: '%s'\n", item);
2244 return US item;
2245 }
2246
2247
2248
2249 /*************************************************
2250 * Read and evaluate a condition *
2251 *************************************************/
2252
2253 /*
2254 Arguments:
2255 s points to the start of the condition text
2256 resetok points to a BOOL which is written false if it is unsafe to
2257 free memory. Certain condition types (acl) may have side-effect
2258 allocation which must be preserved.
2259 yield points to a BOOL to hold the result of the condition test;
2260 if NULL, we are just reading through a condition that is
2261 part of an "or" combination to check syntax, or in a state
2262 where the answer isn't required
2263
2264 Returns: a pointer to the first character after the condition, or
2265 NULL after an error
2266 */
2267
2268 static const uschar *
2269 eval_condition(const uschar *s, BOOL *resetok, BOOL *yield)
2270 {
2271 BOOL testfor = TRUE;
2272 BOOL tempcond, combined_cond;
2273 BOOL *subcondptr;
2274 BOOL sub2_honour_dollar = TRUE;
2275 BOOL is_forany, is_json, is_jsons;
2276 int rc, cond_type, roffset;
2277 int_eximarith_t num[2];
2278 struct stat statbuf;
2279 uschar name[256];
2280 const uschar *sub[10];
2281
2282 const pcre *re;
2283 const uschar *rerror;
2284
2285 for (;;)
2286 {
2287 while (isspace(*s)) s++;
2288 if (*s == '!') { testfor = !testfor; s++; } else break;
2289 }
2290
2291 /* Numeric comparisons are symbolic */
2292
2293 if (*s == '=' || *s == '>' || *s == '<')
2294 {
2295 int p = 0;
2296 name[p++] = *s++;
2297 if (*s == '=')
2298 {
2299 name[p++] = '=';
2300 s++;
2301 }
2302 name[p] = 0;
2303 }
2304
2305 /* All other conditions are named */
2306
2307 else s = read_name(name, 256, s, US"_");
2308
2309 /* If we haven't read a name, it means some non-alpha character is first. */
2310
2311 if (name[0] == 0)
2312 {
2313 expand_string_message = string_sprintf("condition name expected, "
2314 "but found \"%.16s\"", s);
2315 return NULL;
2316 }
2317
2318 /* Find which condition we are dealing with, and switch on it */
2319
2320 cond_type = chop_match(name, cond_table, nelem(cond_table));
2321 switch(cond_type)
2322 {
2323 /* def: tests for a non-empty variable, or for the existence of a header. If
2324 yield == NULL we are in a skipping state, and don't care about the answer. */
2325
2326 case ECOND_DEF:
2327 {
2328 uschar * t;
2329
2330 if (*s != ':')
2331 {
2332 expand_string_message = US"\":\" expected after \"def\"";
2333 return NULL;
2334 }
2335
2336 s = read_name(name, 256, s+1, US"_");
2337
2338 /* Test for a header's existence. If the name contains a closing brace
2339 character, this may be a user error where the terminating colon has been
2340 omitted. Set a flag to adjust a subsequent error message in this case. */
2341
2342 if ( ( *(t = name) == 'h'
2343 || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
2344 )
2345 && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
2346 )
2347 {
2348 s = read_header_name(name, 256, s);
2349 /* {-for-text-editors */
2350 if (Ustrchr(name, '}') != NULL) malformed_header = TRUE;
2351 if (yield) *yield =
2352 (find_header(name, NULL, FH_EXISTS_ONLY, NULL) != NULL) == testfor;
2353 }
2354
2355 /* Test for a variable's having a non-empty value. A non-existent variable
2356 causes an expansion failure. */
2357
2358 else
2359 {
2360 if (!(t = find_variable(name, TRUE, yield == NULL, NULL)))
2361 {
2362 expand_string_message = (name[0] == 0)?
2363 string_sprintf("variable name omitted after \"def:\"") :
2364 string_sprintf("unknown variable \"%s\" after \"def:\"", name);
2365 check_variable_error_message(name);
2366 return NULL;
2367 }
2368 if (yield) *yield = (t[0] != 0) == testfor;
2369 }
2370
2371 return s;
2372 }
2373
2374
2375 /* first_delivery tests for first delivery attempt */
2376
2377 case ECOND_FIRST_DELIVERY:
2378 if (yield != NULL) *yield = f.deliver_firsttime == testfor;
2379 return s;
2380
2381
2382 /* queue_running tests for any process started by a queue runner */
2383
2384 case ECOND_QUEUE_RUNNING:
2385 if (yield != NULL) *yield = (queue_run_pid != (pid_t)0) == testfor;
2386 return s;
2387
2388
2389 /* exists: tests for file existence
2390 isip: tests for any IP address
2391 isip4: tests for an IPv4 address
2392 isip6: tests for an IPv6 address
2393 pam: does PAM authentication
2394 radius: does RADIUS authentication
2395 ldapauth: does LDAP authentication
2396 pwcheck: does Cyrus SASL pwcheck authentication
2397 */
2398
2399 case ECOND_EXISTS:
2400 case ECOND_ISIP:
2401 case ECOND_ISIP4:
2402 case ECOND_ISIP6:
2403 case ECOND_PAM:
2404 case ECOND_RADIUS:
2405 case ECOND_LDAPAUTH:
2406 case ECOND_PWCHECK:
2407
2408 while (isspace(*s)) s++;
2409 if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
2410
2411 sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE, resetok);
2412 if (sub[0] == NULL) return NULL;
2413 /* {-for-text-editors */
2414 if (*s++ != '}') goto COND_FAILED_CURLY_END;
2415
2416 if (yield == NULL) return s; /* No need to run the test if skipping */
2417
2418 switch(cond_type)
2419 {
2420 case ECOND_EXISTS:
2421 if ((expand_forbid & RDO_EXISTS) != 0)
2422 {
2423 expand_string_message = US"File existence tests are not permitted";
2424 return NULL;
2425 }
2426 *yield = (Ustat(sub[0], &statbuf) == 0) == testfor;
2427 break;
2428
2429 case ECOND_ISIP:
2430 case ECOND_ISIP4:
2431 case ECOND_ISIP6:
2432 rc = string_is_ip_address(sub[0], NULL);
2433 *yield = ((cond_type == ECOND_ISIP)? (rc != 0) :
2434 (cond_type == ECOND_ISIP4)? (rc == 4) : (rc == 6)) == testfor;
2435 break;
2436
2437 /* Various authentication tests - all optionally compiled */
2438
2439 case ECOND_PAM:
2440 #ifdef SUPPORT_PAM
2441 rc = auth_call_pam(sub[0], &expand_string_message);
2442 goto END_AUTH;
2443 #else
2444 goto COND_FAILED_NOT_COMPILED;
2445 #endif /* SUPPORT_PAM */
2446
2447 case ECOND_RADIUS:
2448 #ifdef RADIUS_CONFIG_FILE
2449 rc = auth_call_radius(sub[0], &expand_string_message);
2450 goto END_AUTH;
2451 #else
2452 goto COND_FAILED_NOT_COMPILED;
2453 #endif /* RADIUS_CONFIG_FILE */
2454
2455 case ECOND_LDAPAUTH:
2456 #ifdef LOOKUP_LDAP
2457 {
2458 /* Just to keep the interface the same */
2459 BOOL do_cache;
2460 int old_pool = store_pool;
2461 store_pool = POOL_SEARCH;
2462 rc = eldapauth_find((void *)(-1), NULL, sub[0], Ustrlen(sub[0]), NULL,
2463 &expand_string_message, &do_cache);
2464 store_pool = old_pool;
2465 }
2466 goto END_AUTH;
2467 #else
2468 goto COND_FAILED_NOT_COMPILED;
2469 #endif /* LOOKUP_LDAP */
2470
2471 case ECOND_PWCHECK:
2472 #ifdef CYRUS_PWCHECK_SOCKET
2473 rc = auth_call_pwcheck(sub[0], &expand_string_message);
2474 goto END_AUTH;
2475 #else
2476 goto COND_FAILED_NOT_COMPILED;
2477 #endif /* CYRUS_PWCHECK_SOCKET */
2478
2479 #if defined(SUPPORT_PAM) || defined(RADIUS_CONFIG_FILE) || \
2480 defined(LOOKUP_LDAP) || defined(CYRUS_PWCHECK_SOCKET)
2481 END_AUTH:
2482 if (rc == ERROR || rc == DEFER) return NULL;
2483 *yield = (rc == OK) == testfor;
2484 #endif
2485 }
2486 return s;
2487
2488
2489 /* call ACL (in a conditional context). Accept true, deny false.
2490 Defer is a forced-fail. Anything set by message= goes to $value.
2491 Up to ten parameters are used; we use the braces round the name+args
2492 like the saslauthd condition does, to permit a variable number of args.
2493 See also the expansion-item version EITEM_ACL and the traditional
2494 acl modifier ACLC_ACL.
2495 Since the ACL may allocate new global variables, tell our caller to not
2496 reclaim memory.
2497 */
2498
2499 case ECOND_ACL:
2500 /* ${if acl {{name}{arg1}{arg2}...} {yes}{no}} */
2501 {
2502 uschar *sub[10];
2503 uschar *user_msg;
2504 BOOL cond = FALSE;
2505
2506 while (isspace(*s)) s++;
2507 if (*s++ != '{') goto COND_FAILED_CURLY_START; /*}*/
2508
2509 switch(read_subs(sub, nelem(sub), 1,
2510 &s, yield == NULL, TRUE, US"acl", resetok))
2511 {
2512 case 1: expand_string_message = US"too few arguments or bracketing "
2513 "error for acl";
2514 case 2:
2515 case 3: return NULL;
2516 }
2517
2518 if (yield != NULL)
2519 {
2520 *resetok = FALSE; /* eval_acl() might allocate; do not reclaim */
2521 switch(eval_acl(sub, nelem(sub), &user_msg))
2522 {
2523 case OK:
2524 cond = TRUE;
2525 case FAIL:
2526 lookup_value = NULL;
2527 if (user_msg)
2528 lookup_value = string_copy(user_msg);
2529 *yield = cond == testfor;
2530 break;
2531
2532 case DEFER:
2533 f.expand_string_forcedfail = TRUE;
2534 /*FALLTHROUGH*/
2535 default:
2536 expand_string_message = string_sprintf("error from acl \"%s\"", sub[0]);
2537 return NULL;
2538 }
2539 }
2540 return s;
2541 }
2542
2543
2544 /* saslauthd: does Cyrus saslauthd authentication. Four parameters are used:
2545
2546 ${if saslauthd {{username}{password}{service}{realm}} {yes}{no}}
2547
2548 However, the last two are optional. That is why the whole set is enclosed
2549 in their own set of braces. */
2550
2551 case ECOND_SASLAUTHD:
2552 #ifndef CYRUS_SASLAUTHD_SOCKET
2553 goto COND_FAILED_NOT_COMPILED;
2554 #else
2555 {
2556 uschar *sub[4];
2557 while (isspace(*s)) s++;
2558 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
2559 switch(read_subs(sub, nelem(sub), 2, &s, yield == NULL, TRUE, US"saslauthd",
2560 resetok))
2561 {
2562 case 1: expand_string_message = US"too few arguments or bracketing "
2563 "error for saslauthd";
2564 case 2:
2565 case 3: return NULL;
2566 }
2567 if (sub[2] == NULL) sub[3] = NULL; /* realm if no service */
2568 if (yield != NULL)
2569 {
2570 int rc = auth_call_saslauthd(sub[0], sub[1], sub[2], sub[3],
2571 &expand_string_message);
2572 if (rc == ERROR || rc == DEFER) return NULL;
2573 *yield = (rc == OK) == testfor;
2574 }
2575 return s;
2576 }
2577 #endif /* CYRUS_SASLAUTHD_SOCKET */
2578
2579
2580 /* symbolic operators for numeric and string comparison, and a number of
2581 other operators, all requiring two arguments.
2582
2583 crypteq: encrypts plaintext and compares against an encrypted text,
2584 using crypt(), crypt16(), MD5 or SHA-1
2585 inlist/inlisti: checks if first argument is in the list of the second
2586 match: does a regular expression match and sets up the numerical
2587 variables if it succeeds
2588 match_address: matches in an address list
2589 match_domain: matches in a domain list
2590 match_ip: matches a host list that is restricted to IP addresses
2591 match_local_part: matches in a local part list
2592 */
2593
2594 case ECOND_MATCH_ADDRESS:
2595 case ECOND_MATCH_DOMAIN:
2596 case ECOND_MATCH_IP:
2597 case ECOND_MATCH_LOCAL_PART:
2598 #ifndef EXPAND_LISTMATCH_RHS
2599 sub2_honour_dollar = FALSE;
2600 #endif
2601 /* FALLTHROUGH */
2602
2603 case ECOND_CRYPTEQ:
2604 case ECOND_INLIST:
2605 case ECOND_INLISTI:
2606 case ECOND_MATCH:
2607
2608 case ECOND_NUM_L: /* Numerical comparisons */
2609 case ECOND_NUM_LE:
2610 case ECOND_NUM_E:
2611 case ECOND_NUM_EE:
2612 case ECOND_NUM_G:
2613 case ECOND_NUM_GE:
2614
2615 case ECOND_STR_LT: /* String comparisons */
2616 case ECOND_STR_LTI:
2617 case ECOND_STR_LE:
2618 case ECOND_STR_LEI:
2619 case ECOND_STR_EQ:
2620 case ECOND_STR_EQI:
2621 case ECOND_STR_GT:
2622 case ECOND_STR_GTI:
2623 case ECOND_STR_GE:
2624 case ECOND_STR_GEI:
2625
2626 for (int i = 0; i < 2; i++)
2627 {
2628 /* Sometimes, we don't expand substrings; too many insecure configurations
2629 created using match_address{}{} and friends, where the second param
2630 includes information from untrustworthy sources. */
2631 BOOL honour_dollar = TRUE;
2632 if ((i > 0) && !sub2_honour_dollar)
2633 honour_dollar = FALSE;
2634
2635 while (isspace(*s)) s++;
2636 if (*s != '{')
2637 {
2638 if (i == 0) goto COND_FAILED_CURLY_START;
2639 expand_string_message = string_sprintf("missing 2nd string in {} "
2640 "after \"%s\"", name);
2641 return NULL;
2642 }
2643 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
2644 honour_dollar, resetok)))
2645 return NULL;
2646 DEBUG(D_expand) if (i == 1 && !sub2_honour_dollar && Ustrchr(sub[1], '$'))
2647 debug_printf_indent("WARNING: the second arg is NOT expanded,"
2648 " for security reasons\n");
2649 if (*s++ != '}') goto COND_FAILED_CURLY_END;
2650
2651 /* Convert to numerical if required; we know that the names of all the
2652 conditions that compare numbers do not start with a letter. This just saves
2653 checking for them individually. */
2654
2655 if (!isalpha(name[0]) && yield != NULL)
2656 if (sub[i][0] == 0)
2657 {
2658 num[i] = 0;
2659 DEBUG(D_expand)
2660 debug_printf_indent("empty string cast to zero for numerical comparison\n");
2661 }
2662 else
2663 {
2664 num[i] = expanded_string_integer(sub[i], FALSE);
2665 if (expand_string_message != NULL) return NULL;
2666 }
2667 }
2668
2669 /* Result not required */
2670
2671 if (yield == NULL) return s;
2672
2673 /* Do an appropriate comparison */
2674
2675 switch(cond_type)
2676 {
2677 case ECOND_NUM_E:
2678 case ECOND_NUM_EE:
2679 tempcond = (num[0] == num[1]);
2680 break;
2681
2682 case ECOND_NUM_G:
2683 tempcond = (num[0] > num[1]);
2684 break;
2685
2686 case ECOND_NUM_GE:
2687 tempcond = (num[0] >= num[1]);
2688 break;
2689
2690 case ECOND_NUM_L:
2691 tempcond = (num[0] < num[1]);
2692 break;
2693
2694 case ECOND_NUM_LE:
2695 tempcond = (num[0] <= num[1]);
2696 break;
2697
2698 case ECOND_STR_LT:
2699 tempcond = (Ustrcmp(sub[0], sub[1]) < 0);
2700 break;
2701
2702 case ECOND_STR_LTI:
2703 tempcond = (strcmpic(sub[0], sub[1]) < 0);
2704 break;
2705
2706 case ECOND_STR_LE:
2707 tempcond = (Ustrcmp(sub[0], sub[1]) <= 0);
2708 break;
2709
2710 case ECOND_STR_LEI:
2711 tempcond = (strcmpic(sub[0], sub[1]) <= 0);
2712 break;
2713
2714 case ECOND_STR_EQ:
2715 tempcond = (Ustrcmp(sub[0], sub[1]) == 0);
2716 break;
2717
2718 case ECOND_STR_EQI:
2719 tempcond = (strcmpic(sub[0], sub[1]) == 0);
2720 break;
2721
2722 case ECOND_STR_GT:
2723 tempcond = (Ustrcmp(sub[0], sub[1]) > 0);
2724 break;
2725
2726 case ECOND_STR_GTI:
2727 tempcond = (strcmpic(sub[0], sub[1]) > 0);
2728 break;
2729
2730 case ECOND_STR_GE:
2731 tempcond = (Ustrcmp(sub[0], sub[1]) >= 0);
2732 break;
2733
2734 case ECOND_STR_GEI:
2735 tempcond = (strcmpic(sub[0], sub[1]) >= 0);
2736 break;
2737
2738 case ECOND_MATCH: /* Regular expression match */
2739 re = pcre_compile(CS sub[1], PCRE_COPT, (const char **)&rerror, &roffset,
2740 NULL);
2741 if (re == NULL)
2742 {
2743 expand_string_message = string_sprintf("regular expression error in "
2744 "\"%s\": %s at offset %d", sub[1], rerror, roffset);
2745 return NULL;
2746 }
2747 tempcond = regex_match_and_setup(re, sub[0], 0, -1);
2748 break;
2749
2750 case ECOND_MATCH_ADDRESS: /* Match in an address list */
2751 rc = match_address_list(sub[0], TRUE, FALSE, &(sub[1]), NULL, -1, 0, NULL);
2752 goto MATCHED_SOMETHING;
2753
2754 case ECOND_MATCH_DOMAIN: /* Match in a domain list */
2755 rc = match_isinlist(sub[0], &(sub[1]), 0, &domainlist_anchor, NULL,
2756 MCL_DOMAIN + MCL_NOEXPAND, TRUE, NULL);
2757 goto MATCHED_SOMETHING;
2758
2759 case ECOND_MATCH_IP: /* Match IP address in a host list */
2760 if (sub[0][0] != 0 && string_is_ip_address(sub[0], NULL) == 0)
2761 {
2762 expand_string_message = string_sprintf("\"%s\" is not an IP address",
2763 sub[0]);
2764 return NULL;
2765 }
2766 else
2767 {
2768 unsigned int *nullcache = NULL;
2769 check_host_block cb;
2770
2771 cb.host_name = US"";
2772 cb.host_address = sub[0];
2773
2774 /* If the host address starts off ::ffff: it is an IPv6 address in
2775 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
2776 addresses. */
2777
2778 cb.host_ipv4 = (Ustrncmp(cb.host_address, "::ffff:", 7) == 0)?
2779 cb.host_address + 7 : cb.host_address;
2780
2781 rc = match_check_list(
2782 &sub[1], /* the list */
2783 0, /* separator character */
2784 &hostlist_anchor, /* anchor pointer */
2785 &nullcache, /* cache pointer */
2786 check_host, /* function for testing */
2787 &cb, /* argument for function */
2788 MCL_HOST, /* type of check */
2789 sub[0], /* text for debugging */
2790 NULL); /* where to pass back data */
2791 }
2792 goto MATCHED_SOMETHING;
2793
2794 case ECOND_MATCH_LOCAL_PART:
2795 rc = match_isinlist(sub[0], &(sub[1]), 0, &localpartlist_anchor, NULL,
2796 MCL_LOCALPART + MCL_NOEXPAND, TRUE, NULL);
2797 /* Fall through */
2798 /* VVVVVVVVVVVV */
2799 MATCHED_SOMETHING:
2800 switch(rc)
2801 {
2802 case OK:
2803 tempcond = TRUE;
2804 break;
2805
2806 case FAIL:
2807 tempcond = FALSE;
2808 break;
2809
2810 case DEFER:
2811 expand_string_message = string_sprintf("unable to complete match "
2812 "against \"%s\": %s", sub[1], search_error_message);
2813 return NULL;
2814 }
2815
2816 break;
2817
2818 /* Various "encrypted" comparisons. If the second string starts with
2819 "{" then an encryption type is given. Default to crypt() or crypt16()
2820 (build-time choice). */
2821 /* }-for-text-editors */
2822
2823 case ECOND_CRYPTEQ:
2824 #ifndef SUPPORT_CRYPTEQ
2825 goto COND_FAILED_NOT_COMPILED;
2826 #else
2827 if (strncmpic(sub[1], US"{md5}", 5) == 0)
2828 {
2829 int sublen = Ustrlen(sub[1]+5);
2830 md5 base;
2831 uschar digest[16];
2832
2833 md5_start(&base);
2834 md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
2835
2836 /* If the length that we are comparing against is 24, the MD5 digest
2837 is expressed as a base64 string. This is the way LDAP does it. However,
2838 some other software uses a straightforward hex representation. We assume
2839 this if the length is 32. Other lengths fail. */
2840
2841 if (sublen == 24)
2842 {
2843 uschar *coded = b64encode(CUS digest, 16);
2844 DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
2845 " subject=%s\n crypted=%s\n", coded, sub[1]+5);
2846 tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
2847 }
2848 else if (sublen == 32)
2849 {
2850 uschar coded[36];
2851 for (int i = 0; i < 16; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
2852 coded[32] = 0;
2853 DEBUG(D_auth) debug_printf("crypteq: using MD5+hex hashing\n"
2854 " subject=%s\n crypted=%s\n", coded, sub[1]+5);
2855 tempcond = (strcmpic(coded, sub[1]+5) == 0);
2856 }
2857 else
2858 {
2859 DEBUG(D_auth) debug_printf("crypteq: length for MD5 not 24 or 32: "
2860 "fail\n crypted=%s\n", sub[1]+5);
2861 tempcond = FALSE;
2862 }
2863 }
2864
2865 else if (strncmpic(sub[1], US"{sha1}", 6) == 0)
2866 {
2867 int sublen = Ustrlen(sub[1]+6);
2868 hctx h;
2869 uschar digest[20];
2870
2871 sha1_start(&h);
2872 sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
2873
2874 /* If the length that we are comparing against is 28, assume the SHA1
2875 digest is expressed as a base64 string. If the length is 40, assume a
2876 straightforward hex representation. Other lengths fail. */
2877
2878 if (sublen == 28)
2879 {
2880 uschar *coded = b64encode(CUS digest, 20);
2881 DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
2882 " subject=%s\n crypted=%s\n", coded, sub[1]+6);
2883 tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
2884 }
2885 else if (sublen == 40)
2886 {
2887 uschar coded[44];
2888 for (int i = 0; i < 20; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
2889 coded[40] = 0;
2890 DEBUG(D_auth) debug_printf("crypteq: using SHA1+hex hashing\n"
2891 " subject=%s\n crypted=%s\n", coded, sub[1]+6);
2892 tempcond = (strcmpic(coded, sub[1]+6) == 0);
2893 }
2894 else
2895 {
2896 DEBUG(D_auth) debug_printf("crypteq: length for SHA-1 not 28 or 40: "
2897 "fail\n crypted=%s\n", sub[1]+6);
2898 tempcond = FALSE;
2899 }
2900 }
2901
2902 else /* {crypt} or {crypt16} and non-{ at start */
2903 /* }-for-text-editors */
2904 {
2905 int which = 0;
2906 uschar *coded;
2907
2908 if (strncmpic(sub[1], US"{crypt}", 7) == 0)
2909 {
2910 sub[1] += 7;
2911 which = 1;
2912 }
2913 else if (strncmpic(sub[1], US"{crypt16}", 9) == 0)
2914 {
2915 sub[1] += 9;
2916 which = 2;
2917 }
2918 else if (sub[1][0] == '{') /* }-for-text-editors */
2919 {
2920 expand_string_message = string_sprintf("unknown encryption mechanism "
2921 "in \"%s\"", sub[1]);
2922 return NULL;
2923 }
2924
2925 switch(which)
2926 {
2927 case 0: coded = US DEFAULT_CRYPT(CS sub[0], CS sub[1]); break;
2928 case 1: coded = US crypt(CS sub[0], CS sub[1]); break;
2929 default: coded = US crypt16(CS sub[0], CS sub[1]); break;
2930 }
2931
2932 #define STR(s) # s
2933 #define XSTR(s) STR(s)
2934 DEBUG(D_auth) debug_printf("crypteq: using %s()\n"
2935 " subject=%s\n crypted=%s\n",
2936 which == 0 ? XSTR(DEFAULT_CRYPT) : which == 1 ? "crypt" : "crypt16",
2937 coded, sub[1]);
2938 #undef STR
2939 #undef XSTR
2940
2941 /* If the encrypted string contains fewer than two characters (for the
2942 salt), force failure. Otherwise we get false positives: with an empty
2943 string the yield of crypt() is an empty string! */
2944
2945 if (coded)
2946 tempcond = Ustrlen(sub[1]) < 2 ? FALSE : Ustrcmp(coded, sub[1]) == 0;
2947 else if (errno == EINVAL)
2948 tempcond = FALSE;
2949 else
2950 {
2951 expand_string_message = string_sprintf("crypt error: %s\n",
2952 US strerror(errno));
2953 return NULL;
2954 }
2955 }
2956 break;
2957 #endif /* SUPPORT_CRYPTEQ */
2958
2959 case ECOND_INLIST:
2960 case ECOND_INLISTI:
2961 {
2962 const uschar * list = sub[1];
2963 int sep = 0;
2964 uschar *save_iterate_item = iterate_item;
2965 int (*compare)(const uschar *, const uschar *);
2966
2967 DEBUG(D_expand) debug_printf_indent("condition: %s item: %s\n", name, sub[0]);
2968
2969 tempcond = FALSE;
2970 compare = cond_type == ECOND_INLISTI
2971 ? strcmpic : (int (*)(const uschar *, const uschar *)) strcmp;
2972
2973 while ((iterate_item = string_nextinlist(&list, &sep, NULL, 0)))
2974 {
2975 DEBUG(D_expand) debug_printf_indent(" compare %s\n", iterate_item);
2976 if (compare(sub[0], iterate_item) == 0)
2977 {
2978 tempcond = TRUE;
2979 break;
2980 }
2981 }
2982 iterate_item = save_iterate_item;
2983 }
2984
2985 } /* Switch for comparison conditions */
2986
2987 *yield = tempcond == testfor;
2988 return s; /* End of comparison conditions */
2989
2990
2991 /* and/or: computes logical and/or of several conditions */
2992
2993 case ECOND_AND:
2994 case ECOND_OR:
2995 subcondptr = (yield == NULL)? NULL : &tempcond;
2996 combined_cond = (cond_type == ECOND_AND);
2997
2998 while (isspace(*s)) s++;
2999 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3000
3001 for (;;)
3002 {
3003 while (isspace(*s)) s++;
3004 /* {-for-text-editors */
3005 if (*s == '}') break;
3006 if (*s != '{') /* }-for-text-editors */
3007 {
3008 expand_string_message = string_sprintf("each subcondition "
3009 "inside an \"%s{...}\" condition must be in its own {}", name);
3010 return NULL;
3011 }
3012
3013 if (!(s = eval_condition(s+1, resetok, subcondptr)))
3014 {
3015 expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
3016 expand_string_message, name);
3017 return NULL;
3018 }
3019 while (isspace(*s)) s++;
3020
3021 /* {-for-text-editors */
3022 if (*s++ != '}')
3023 {
3024 /* {-for-text-editors */
3025 expand_string_message = string_sprintf("missing } at end of condition "
3026 "inside \"%s\" group", name);
3027 return NULL;
3028 }
3029
3030 if (yield != NULL)
3031 {
3032 if (cond_type == ECOND_AND)
3033 {
3034 combined_cond &= tempcond;
3035 if (!combined_cond) subcondptr = NULL; /* once false, don't */
3036 } /* evaluate any more */
3037 else
3038 {
3039 combined_cond |= tempcond;
3040 if (combined_cond) subcondptr = NULL; /* once true, don't */
3041 } /* evaluate any more */
3042 }
3043 }
3044
3045 if (yield != NULL) *yield = (combined_cond == testfor);
3046 return ++s;
3047
3048
3049 /* forall/forany: iterates a condition with different values */
3050
3051 case ECOND_FORALL: is_forany = FALSE; is_json = FALSE; is_jsons = FALSE; goto FORMANY;
3052 case ECOND_FORANY: is_forany = TRUE; is_json = FALSE; is_jsons = FALSE; goto FORMANY;
3053 case ECOND_FORALL_JSON: is_forany = FALSE; is_json = TRUE; is_jsons = FALSE; goto FORMANY;
3054 case ECOND_FORANY_JSON: is_forany = TRUE; is_json = TRUE; is_jsons = FALSE; goto FORMANY;
3055 case ECOND_FORALL_JSONS: is_forany = FALSE; is_json = TRUE; is_jsons = TRUE; goto FORMANY;
3056 case ECOND_FORANY_JSONS: is_forany = TRUE; is_json = TRUE; is_jsons = TRUE; goto FORMANY;
3057
3058 FORMANY:
3059 {
3060 const uschar * list;
3061 int sep = 0;
3062 uschar *save_iterate_item = iterate_item;
3063
3064 DEBUG(D_expand) debug_printf_indent("condition: %s\n", name);
3065
3066 while (isspace(*s)) s++;
3067 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3068 sub[0] = expand_string_internal(s, TRUE, &s, (yield == NULL), TRUE, resetok);
3069 if (sub[0] == NULL) return NULL;
3070 /* {-for-text-editors */
3071 if (*s++ != '}') goto COND_FAILED_CURLY_END;
3072
3073 while (isspace(*s)) s++;
3074 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3075
3076 sub[1] = s;
3077
3078 /* Call eval_condition once, with result discarded (as if scanning a
3079 "false" part). This allows us to find the end of the condition, because if
3080 the list it empty, we won't actually evaluate the condition for real. */
3081
3082 if (!(s = eval_condition(sub[1], resetok, NULL)))
3083 {
3084 expand_string_message = string_sprintf("%s inside \"%s\" condition",
3085 expand_string_message, name);
3086 return NULL;
3087 }
3088 while (isspace(*s)) s++;
3089
3090 /* {-for-text-editors */
3091 if (*s++ != '}')
3092 {
3093 /* {-for-text-editors */
3094 expand_string_message = string_sprintf("missing } at end of condition "
3095 "inside \"%s\"", name);
3096 return NULL;
3097 }
3098
3099 if (yield) *yield = !testfor;
3100 list = sub[0];
3101 if (is_json) list = dewrap(string_copy(list), US"[]");
3102 while ((iterate_item = is_json
3103 ? json_nextinlist(&list) : string_nextinlist(&list, &sep, NULL, 0)))
3104 {
3105 if (is_jsons)
3106 if (!(iterate_item = dewrap(iterate_item, US"\"\"")))
3107 {
3108 expand_string_message =
3109 string_sprintf("%s wrapping string result for extract jsons",
3110 expand_string_message);
3111 iterate_item = save_iterate_item;
3112 return NULL;
3113 }
3114
3115 DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", name, iterate_item);
3116 if (!eval_condition(sub[1], resetok, &tempcond))
3117 {
3118 expand_string_message = string_sprintf("%s inside \"%s\" condition",
3119 expand_string_message, name);
3120 iterate_item = save_iterate_item;
3121 return NULL;
3122 }
3123 DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", name,
3124 tempcond? "true":"false");
3125
3126 if (yield) *yield = (tempcond == testfor);
3127 if (tempcond == is_forany) break;
3128 }
3129
3130 iterate_item = save_iterate_item;
3131 return s;
3132 }
3133
3134
3135 /* The bool{} expansion condition maps a string to boolean.
3136 The values supported should match those supported by the ACL condition
3137 (acl.c, ACLC_CONDITION) so that we keep to a minimum the different ideas
3138 of true/false. Note that Router "condition" rules have a different
3139 interpretation, where general data can be used and only a few values
3140 map to FALSE.
3141 Note that readconf.c boolean matching, for boolean configuration options,
3142 only matches true/yes/false/no.
3143 The bool_lax{} condition matches the Router logic, which is much more
3144 liberal. */
3145 case ECOND_BOOL:
3146 case ECOND_BOOL_LAX:
3147 {
3148 uschar *sub_arg[1];
3149 uschar *t, *t2;
3150 uschar *ourname;
3151 size_t len;
3152 BOOL boolvalue = FALSE;
3153 while (isspace(*s)) s++;
3154 if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3155 ourname = cond_type == ECOND_BOOL_LAX ? US"bool_lax" : US"bool";
3156 switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname, resetok))
3157 {
3158 case 1: expand_string_message = string_sprintf(
3159 "too few arguments or bracketing error for %s",
3160 ourname);
3161 /*FALLTHROUGH*/
3162 case 2:
3163 case 3: return NULL;
3164 }
3165 t = sub_arg[0];
3166 while (isspace(*t)) t++;
3167 len = Ustrlen(t);
3168 if (len)
3169 {
3170 /* trailing whitespace: seems like a good idea to ignore it too */
3171 t2 = t + len - 1;
3172 while (isspace(*t2)) t2--;
3173 if (t2 != (t + len))
3174 {
3175 *++t2 = '\0';
3176 len = t2 - t;
3177 }
3178 }
3179 DEBUG(D_expand)
3180 debug_printf_indent("considering %s: %s\n", ourname, len ? t : US"<empty>");
3181 /* logic for the lax case from expand_check_condition(), which also does
3182 expands, and the logic is both short and stable enough that there should
3183 be no maintenance burden from replicating it. */
3184 if (len == 0)
3185 boolvalue = FALSE;
3186 else if (*t == '-'
3187 ? Ustrspn(t+1, "0123456789") == len-1
3188 : Ustrspn(t, "0123456789") == len)
3189 {
3190 boolvalue = (Uatoi(t) == 0) ? FALSE : TRUE;
3191 /* expand_check_condition only does a literal string "0" check */
3192 if ((cond_type == ECOND_BOOL_LAX) && (len > 1))
3193 boolvalue = TRUE;
3194 }
3195 else if (strcmpic(t, US"true") == 0 || strcmpic(t, US"yes") == 0)
3196 boolvalue = TRUE;
3197 else if (strcmpic(t, US"false") == 0 || strcmpic(t, US"no") == 0)
3198 boolvalue = FALSE;
3199 else if (cond_type == ECOND_BOOL_LAX)
3200 boolvalue = TRUE;
3201 else
3202 {
3203 expand_string_message = string_sprintf("unrecognised boolean "
3204 "value \"%s\"", t);
3205 return NULL;
3206 }
3207 DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", ourname,
3208 boolvalue? "true":"false");
3209 if (yield != NULL) *yield = (boolvalue == testfor);
3210 return s;
3211 }
3212
3213 /* Unknown condition */
3214
3215 default:
3216 expand_string_message = string_sprintf("unknown condition \"%s\"", name);
3217 return NULL;
3218 } /* End switch on condition type */
3219
3220 /* Missing braces at start and end of data */
3221
3222 COND_FAILED_CURLY_START:
3223 expand_string_message = string_sprintf("missing { after \"%s\"", name);
3224 return NULL;
3225
3226 COND_FAILED_CURLY_END:
3227 expand_string_message = string_sprintf("missing } at end of \"%s\" condition",
3228 name);
3229 return NULL;
3230
3231 /* A condition requires code that is not compiled */
3232
3233 #if !defined(SUPPORT_PAM) || !defined(RADIUS_CONFIG_FILE) || \
3234 !defined(LOOKUP_LDAP) || !defined(CYRUS_PWCHECK_SOCKET) || \
3235 !defined(SUPPORT_CRYPTEQ) || !defined(CYRUS_SASLAUTHD_SOCKET)
3236 COND_FAILED_NOT_COMPILED:
3237 expand_string_message = string_sprintf("support for \"%s\" not compiled",
3238 name);
3239 return NULL;
3240 #endif
3241 }
3242
3243
3244
3245
3246 /*************************************************
3247 * Save numerical variables *
3248 *************************************************/
3249
3250 /* This function is called from items such as "if" that want to preserve and
3251 restore the numbered variables.
3252
3253 Arguments:
3254 save_expand_string points to an array of pointers to set
3255 save_expand_nlength points to an array of ints for the lengths
3256
3257 Returns: the value of expand max to save
3258 */
3259
3260 static int
3261 save_expand_strings(uschar **save_expand_nstring, int *save_expand_nlength)
3262 {
3263 for (int i = 0; i <= expand_nmax; i++)
3264 {
3265 save_expand_nstring[i] = expand_nstring[i];
3266 save_expand_nlength[i] = expand_nlength[i];
3267 }
3268 return expand_nmax;
3269 }
3270
3271
3272
3273 /*************************************************
3274 * Restore numerical variables *
3275 *************************************************/
3276
3277 /* This function restored saved values of numerical strings.
3278
3279 Arguments:
3280 save_expand_nmax the number of strings to restore
3281 save_expand_string points to an array of pointers
3282 save_expand_nlength points to an array of ints
3283
3284 Returns: nothing
3285 */
3286
3287 static void
3288 restore_expand_strings(int save_expand_nmax, uschar **save_expand_nstring,
3289 int *save_expand_nlength)
3290 {
3291 expand_nmax = save_expand_nmax;
3292 for (int i = 0; i <= expand_nmax; i++)
3293 {
3294 expand_nstring[i] = save_expand_nstring[i];
3295 expand_nlength[i] = save_expand_nlength[i];
3296 }
3297 }
3298
3299
3300
3301
3302
3303 /*************************************************
3304 * Handle yes/no substrings *
3305 *************************************************/
3306
3307 /* This function is used by ${if}, ${lookup} and ${extract} to handle the
3308 alternative substrings that depend on whether or not the condition was true,
3309 or the lookup or extraction succeeded. The substrings always have to be
3310 expanded, to check their syntax, but "skipping" is set when the result is not
3311 needed - this avoids unnecessary nested lookups.
3312
3313 Arguments:
3314 skipping TRUE if we were skipping when this item was reached
3315 yes TRUE if the first string is to be used, else use the second
3316 save_lookup a value to put back into lookup_value before the 2nd expansion
3317 sptr points to the input string pointer
3318 yieldptr points to the output growable-string pointer
3319 type "lookup", "if", "extract", "run", "env", "listextract" or
3320 "certextract" for error message
3321 resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
3322 the store.
3323
3324 Returns: 0 OK; lookup_value has been reset to save_lookup
3325 1 expansion failed
3326 2 expansion failed because of bracketing error
3327 */
3328
3329 static int
3330 process_yesno(BOOL skipping, BOOL yes, uschar *save_lookup, const uschar **sptr,
3331 gstring ** yieldptr, uschar *type, BOOL *resetok)
3332 {
3333 int rc = 0;
3334 const uschar *s = *sptr; /* Local value */
3335 uschar *sub1, *sub2;
3336 const uschar * errwhere;
3337
3338 /* If there are no following strings, we substitute the contents of $value for
3339 lookups and for extractions in the success case. For the ${if item, the string
3340 "true" is substituted. In the fail case, nothing is substituted for all three
3341 items. */
3342
3343 while (isspace(*s)) s++;
3344 if (*s == '}')
3345 {
3346 if (type[0] == 'i')
3347 {
3348 if (yes && !skipping)
3349 *yieldptr = string_catn(*yieldptr, US"true", 4);
3350 }
3351 else
3352 {
3353 if (yes && lookup_value && !skipping)
3354 *yieldptr = string_cat(*yieldptr, lookup_value);
3355 lookup_value = save_lookup;
3356 }
3357 s++;
3358 goto RETURN;
3359 }
3360
3361 /* The first following string must be braced. */
3362
3363 if (*s++ != '{')
3364 {
3365 errwhere = US"'yes' part did not start with '{'";
3366 goto FAILED_CURLY;
3367 }
3368
3369 /* Expand the first substring. Forced failures are noticed only if we actually
3370 want this string. Set skipping in the call in the fail case (this will always
3371 be the case if we were already skipping). */
3372
3373 sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok);
3374 if (sub1 == NULL && (yes || !f.expand_string_forcedfail)) goto FAILED;
3375 f.expand_string_forcedfail = FALSE;
3376 if (*s++ != '}')
3377 {
3378 errwhere = US"'yes' part did not end with '}'";
3379 goto FAILED_CURLY;
3380 }
3381
3382 /* If we want the first string, add it to the output */
3383
3384 if (yes)
3385 *yieldptr = string_cat(*yieldptr, sub1);
3386
3387 /* If this is called from a lookup/env or a (cert)extract, we want to restore
3388 $value to what it was at the start of the item, so that it has this value
3389 during the second string expansion. For the call from "if" or "run" to this
3390 function, save_lookup is set to lookup_value, so that this statement does
3391 nothing. */
3392
3393 lookup_value = save_lookup;
3394
3395 /* There now follows either another substring, or "fail", or nothing. This
3396 time, forced failures are noticed only if we want the second string. We must
3397 set skipping in the nested call if we don't want this string, or if we were
3398 already skipping. */
3399
3400 while (isspace(*s)) s++;
3401 if (*s == '{')
3402 {
3403 sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok);
3404 if (sub2 == NULL && (!yes || !f.expand_string_forcedfail)) goto FAILED;
3405 f.expand_string_forcedfail = FALSE;
3406 if (*s++ != '}')
3407 {
3408 errwhere = US"'no' part did not start with '{'";
3409 goto FAILED_CURLY;
3410 }
3411
3412 /* If we want the second string, add it to the output */
3413
3414 if (!yes)
3415 *yieldptr = string_cat(*yieldptr, sub2);
3416 }
3417
3418 /* If there is no second string, but the word "fail" is present when the use of
3419 the second string is wanted, set a flag indicating it was a forced failure
3420 rather than a syntactic error. Swallow the terminating } in case this is nested
3421 inside another lookup or if or extract. */
3422
3423 else if (*s != '}')
3424 {
3425 uschar name[256];
3426 /* deconst cast ok here as source is s anyway */
3427 s = US read_name(name, sizeof(name), s, US"_");
3428 if (Ustrcmp(name, "fail") == 0)
3429 {
3430 if (!yes && !skipping)
3431 {
3432 while (isspace(*s)) s++;
3433 if (*s++ != '}')
3434 {
3435 errwhere = US"did not close with '}' after forcedfail";
3436 goto FAILED_CURLY;
3437 }
3438 expand_string_message =
3439 string_sprintf("\"%s\" failed and \"fail\" requested", type);
3440 f.expand_string_forcedfail = TRUE;
3441 goto FAILED;
3442 }
3443 }
3444 else
3445 {
3446 expand_string_message =
3447 string_sprintf("syntax error in \"%s\" item - \"fail\" expected", type);
3448 goto FAILED;
3449 }
3450 }
3451
3452 /* All we have to do now is to check on the final closing brace. */
3453
3454 while (isspace(*s)) s++;
3455 if (*s++ != '}')
3456 {
3457 errwhere = US"did not close with '}'";
3458 goto FAILED_CURLY;
3459 }
3460
3461
3462 RETURN:
3463 /* Update the input pointer value before returning */
3464 *sptr = s;
3465 return rc;
3466
3467 FAILED_CURLY:
3468 /* Get here if there is a bracketing failure */
3469 expand_string_message = string_sprintf(
3470 "curly-bracket problem in conditional yes/no parsing: %s\n"
3471 " remaining string is '%s'", errwhere, --s);
3472 rc = 2;
3473 goto RETURN;
3474
3475 FAILED:
3476 /* Get here for other failures */
3477 rc = 1;
3478 goto RETURN;
3479 }
3480
3481
3482
3483
3484 /*************************************************
3485 * Handle MD5 or SHA-1 computation for HMAC *
3486 *************************************************/
3487
3488 /* These are some wrapping functions that enable the HMAC code to be a bit
3489 cleaner. A good compiler will spot the tail recursion.
3490
3491 Arguments:
3492 type HMAC_MD5 or HMAC_SHA1
3493 remaining are as for the cryptographic hash functions
3494
3495 Returns: nothing
3496 */
3497
3498 static void
3499 chash_start(int type, void *base)
3500 {
3501 if (type == HMAC_MD5)
3502 md5_start((md5 *)base);
3503 else
3504 sha1_start((hctx *)base);
3505 }
3506
3507 static void
3508 chash_mid(int type, void *base, uschar *string)
3509 {
3510 if (type == HMAC_MD5)
3511 md5_mid((md5 *)base, string);
3512 else
3513 sha1_mid((hctx *)base, string);
3514 }
3515
3516 static void
3517 chash_end(int type, void *base, uschar *string, int length, uschar *digest)
3518 {
3519 if (type == HMAC_MD5)
3520 md5_end((md5 *)base, string, length, digest);
3521 else
3522 sha1_end((hctx *)base, string, length, digest);
3523 }
3524
3525
3526
3527
3528
3529 /********************************************************
3530 * prvs: Get last three digits of days since Jan 1, 1970 *
3531 ********************************************************/
3532
3533 /* This is needed to implement the "prvs" BATV reverse
3534 path signing scheme
3535
3536 Argument: integer "days" offset to add or substract to
3537 or from the current number of days.
3538
3539 Returns: pointer to string containing the last three
3540 digits of the number of days since Jan 1, 1970,
3541 modified by the offset argument, NULL if there
3542 was an error in the conversion.
3543
3544 */
3545
3546 static uschar *
3547 prvs_daystamp(int day_offset)
3548 {
3549 uschar *days = store_get(32); /* Need at least 24 for cases */
3550 (void)string_format(days, 32, TIME_T_FMT, /* where TIME_T_FMT is %lld */
3551 (time(NULL) + day_offset*86400)/86400);
3552 return (Ustrlen(days) >= 3) ? &days[Ustrlen(days)-3] : US"100";
3553 }
3554
3555
3556
3557 /********************************************************
3558 * prvs: perform HMAC-SHA1 computation of prvs bits *
3559 ********************************************************/
3560
3561 /* This is needed to implement the "prvs" BATV reverse
3562 path signing scheme
3563
3564 Arguments:
3565 address RFC2821 Address to use
3566 key The key to use (must be less than 64 characters
3567 in size)
3568 key_num Single-digit key number to use. Defaults to
3569 '0' when NULL.
3570
3571 Returns: pointer to string containing the first three
3572 bytes of the final hash in hex format, NULL if
3573 there was an error in the process.
3574 */
3575
3576 static uschar *
3577 prvs_hmac_sha1(uschar *address, uschar *key, uschar *key_num, uschar *daystamp)
3578 {
3579 gstring * hash_source;
3580 uschar * p;
3581 hctx h;
3582 uschar innerhash[20];
3583 uschar finalhash[20];
3584 uschar innerkey[64];
3585 uschar outerkey[64];
3586 uschar *finalhash_hex = store_get(40);
3587
3588 if (key_num == NULL)
3589 key_num = US"0";
3590
3591 if (Ustrlen(key) > 64)
3592 return NULL;
3593
3594 hash_source = string_catn(NULL, key_num, 1);
3595 hash_source = string_catn(hash_source, daystamp, 3);
3596 hash_source = string_cat(hash_source, address);
3597 (void) string_from_gstring(hash_source);
3598
3599 DEBUG(D_expand)
3600 debug_printf_indent("prvs: hash source is '%s'\n", hash_source->s);
3601
3602 memset(innerkey, 0x36, 64);
3603 memset(outerkey, 0x5c, 64);
3604
3605 for (int i = 0; i < Ustrlen(key); i++)
3606 {
3607 innerkey[i] ^= key[i];
3608 outerkey[i] ^= key[i];
3609 }
3610
3611 chash_start(HMAC_SHA1, &h);
3612 chash_mid(HMAC_SHA1, &h, innerkey);
3613 chash_end(HMAC_SHA1, &h, hash_source->s, hash_source->ptr, innerhash);
3614
3615 chash_start(HMAC_SHA1, &h);
3616 chash_mid(HMAC_SHA1, &h, outerkey);
3617 chash_end(HMAC_SHA1, &h, innerhash, 20, finalhash);
3618
3619 p = finalhash_hex;
3620 for (int i = 0; i < 3; i++)
3621 {
3622 *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
3623 *p++ = hex_digits[finalhash[i] & 0x0f];
3624 }
3625 *p = '\0';
3626
3627 return finalhash_hex;
3628 }
3629
3630
3631
3632
3633 /*************************************************
3634 * Join a file onto the output string *
3635 *************************************************/
3636
3637 /* This is used for readfile/readsock and after a run expansion.
3638 It joins the contents of a file onto the output string, globally replacing
3639 newlines with a given string (optionally).
3640
3641 Arguments:
3642 f the FILE
3643 yield pointer to the expandable string struct
3644 eol newline replacement string, or NULL
3645
3646 Returns: new pointer for expandable string, terminated if non-null
3647 */
3648
3649 static gstring *
3650 cat_file(FILE *f, gstring *yield, uschar *eol)
3651 {
3652 uschar buffer[1024];
3653
3654 while (Ufgets(buffer, sizeof(buffer), f))
3655 {
3656 int len = Ustrlen(buffer);
3657 if (eol && buffer[len-1] == '\n') len--;
3658 yield = string_catn(yield, buffer, len);
3659 if (eol && buffer[len])
3660 yield = string_cat(yield, eol);
3661 }
3662
3663 (void) string_from_gstring(yield);
3664 return yield;
3665 }
3666
3667
3668 #ifndef DISABLE_TLS
3669 static gstring *
3670 cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
3671 {
3672 int rc;
3673 uschar buffer[1024];
3674
3675 /*XXX could we read direct into a pre-grown string? */
3676
3677 while ((rc = tls_read(tls_ctx, buffer, sizeof(buffer))) > 0)
3678 for (uschar * s = buffer; rc--; s++)
3679 yield = eol && *s == '\n'
3680 ? string_cat(yield, eol) : string_catn(yield, s, 1);
3681
3682 /* We assume that all errors, and any returns of zero bytes,
3683 are actually EOF. */
3684
3685 (void) string_from_gstring(yield);
3686 return yield;
3687 }
3688 #endif
3689
3690
3691 /*************************************************
3692 * Evaluate numeric expression *
3693 *************************************************/
3694
3695 /* This is a set of mutually recursive functions that evaluate an arithmetic
3696 expression involving + - * / % & | ^ ~ << >> and parentheses. The only one of
3697 these functions that is called from elsewhere is eval_expr, whose interface is:
3698
3699 Arguments:
3700 sptr pointer to the pointer to the string - gets updated
3701 decimal TRUE if numbers are to be assumed decimal
3702 error pointer to where to put an error message - must be NULL on input
3703 endket TRUE if ')' must terminate - FALSE for external call
3704
3705 Returns: on success: the value of the expression, with *error still NULL
3706 on failure: an undefined value, with *error = a message
3707 */
3708
3709 static int_eximarith_t eval_op_or(uschar **, BOOL, uschar **);
3710
3711
3712 static int_eximarith_t
3713 eval_expr(uschar **sptr, BOOL decimal, uschar **error, BOOL endket)
3714 {
3715 uschar *s = *sptr;
3716 int_eximarith_t x = eval_op_or(&s, decimal, error);
3717
3718 if (!*error)
3719 if (endket)
3720 if (*s != ')')
3721 *error = US"expecting closing parenthesis";
3722 else
3723 while (isspace(*(++s)));
3724 else if (*s)
3725 *error = US"expecting operator";
3726 *sptr = s;
3727 return x;
3728 }
3729
3730
3731 static int_eximarith_t
3732 eval_number(uschar **sptr, BOOL decimal, uschar **error)
3733 {
3734 int c;
3735 int_eximarith_t n;
3736 uschar *s = *sptr;
3737
3738 while (isspace(*s)) s++;
3739 if (isdigit((c = *s)))
3740 {
3741 int count;
3742 (void)sscanf(CS s, (decimal? SC_EXIM_DEC "%n" : SC_EXIM_ARITH "%n"), &n, &count);
3743 s += count;
3744 switch (tolower(*s))
3745 {
3746 default: break;
3747 case 'k': n *= 1024; s++; break;
3748 case 'm': n *= 1024*1024; s++; break;
3749 case 'g': n *= 1024*1024*1024; s++; break;
3750 }
3751 while (isspace (*s)) s++;
3752 }
3753 else if (c == '(')
3754 {
3755 s++;
3756 n = eval_expr(&s, decimal, error, 1);
3757 }
3758 else
3759 {
3760 *error = US"expecting number or opening parenthesis";
3761 n = 0;
3762 }
3763 *sptr = s;
3764 return n;
3765 }
3766
3767
3768 static int_eximarith_t
3769 eval_op_unary(uschar **sptr, BOOL decimal, uschar **error)
3770 {
3771 uschar *s = *sptr;
3772 int_eximarith_t x;
3773 while (isspace(*s)) s++;
3774 if (*s == '+' || *s == '-' || *s == '~')
3775 {
3776 int op = *s++;
3777 x = eval_op_unary(&s, decimal, error);
3778 if (op == '-') x = -x;
3779 else if (op == '~') x = ~x;
3780 }
3781 else
3782 x = eval_number(&s, decimal, error);
3783
3784 *sptr = s;
3785 return x;
3786 }
3787
3788
3789 static int_eximarith_t
3790 eval_op_mult(uschar **sptr, BOOL decimal, uschar **error)
3791 {
3792 uschar *s = *sptr;
3793 int_eximarith_t x = eval_op_unary(&s, decimal, error);
3794 if (*error == NULL)
3795 {
3796 while (*s == '*' || *s == '/' || *s == '%')
3797 {
3798 int op = *s++;
3799 int_eximarith_t y = eval_op_unary(&s, decimal, error);
3800 if (*error != NULL) break;
3801 /* SIGFPE both on div/mod by zero and on INT_MIN / -1, which would give
3802 * a value of INT_MAX+1. Note that INT_MIN * -1 gives INT_MIN for me, which
3803 * is a bug somewhere in [gcc 4.2.1, FreeBSD, amd64]. In fact, -N*-M where
3804 * -N*M is INT_MIN will yield INT_MIN.
3805 * Since we don't support floating point, this is somewhat simpler.
3806 * Ideally, we'd return an error, but since we overflow for all other
3807 * arithmetic, consistency suggests otherwise, but what's the correct value
3808 * to use? There is none.
3809 * The C standard guarantees overflow for unsigned arithmetic but signed
3810 * overflow invokes undefined behaviour; in practice, this is overflow
3811 * except for converting INT_MIN to INT_MAX+1. We also can't guarantee
3812 * that long/longlong larger than int are available, or we could just work
3813 * with larger types. We should consider whether to guarantee 32bit eval
3814 * and 64-bit working variables, with errors returned. For now ...
3815 * So, the only SIGFPEs occur with a non-shrinking div/mod, thus -1; we
3816 * can just let the other invalid results occur otherwise, as they have
3817 * until now. For this one case, we can coerce.
3818 */
3819 if (y == -1 && x == EXIM_ARITH_MIN && op != '*')
3820 {
3821 DEBUG(D_expand)
3822 debug_printf("Integer exception dodging: " PR_EXIM_ARITH "%c-1 coerced to " PR_EXIM_ARITH "\n",
3823 EXIM_ARITH_MIN, op, EXIM_ARITH_MAX);
3824 x = EXIM_ARITH_MAX;
3825 continue;
3826 }
3827 if (op == '*')
3828 x *= y;
3829 else
3830 {
3831 if (y == 0)
3832 {
3833 *error = (op == '/') ? US"divide by zero" : US"modulo by zero";
3834 x = 0;
3835 break;
3836 }
3837 if (op == '/')
3838 x /= y;
3839 else
3840 x %= y;
3841 }
3842 }
3843 }
3844 *sptr = s;
3845 return x;
3846 }
3847
3848
3849 static int_eximarith_t
3850 eval_op_sum(uschar **sptr, BOOL decimal, uschar **error)
3851 {
3852 uschar *s = *sptr;
3853 int_eximarith_t x = eval_op_mult(&s, decimal, error);
3854 if (!*error)
3855 {
3856 while (*s == '+' || *s == '-')
3857 {
3858 int op = *s++;
3859 int_eximarith_t y = eval_op_mult(&s, decimal, error);
3860 if (*error) break;
3861 if ( (x >= EXIM_ARITH_MAX/2 && x >= EXIM_ARITH_MAX/2)
3862 || (x <= -(EXIM_ARITH_MAX/2) && y <= -(EXIM_ARITH_MAX/2)))
3863 { /* over-conservative check */
3864 *error = op == '+'
3865 ? US"overflow in sum" : US"overflow in difference";
3866 break;
3867 }
3868 if (op == '+') x += y; else x -= y;
3869 }
3870 }
3871 *sptr = s;
3872 return x;
3873 }
3874
3875
3876 static int_eximarith_t
3877 eval_op_shift(uschar **sptr, BOOL decimal, uschar **error)
3878 {
3879 uschar *s = *sptr;
3880 int_eximarith_t x = eval_op_sum(&s, decimal, error);
3881 if (*error == NULL)
3882 {
3883 while ((*s == '<' || *s == '>') && s[1] == s[0])
3884 {
3885 int_eximarith_t y;
3886 int op = *s++;
3887 s++;
3888 y = eval_op_sum(&s, decimal, error);
3889 if (*error != NULL) break;
3890 if (op == '<') x <<= y; else x >>= y;
3891 }
3892 }
3893 *sptr = s;
3894 return x;
3895 }
3896
3897
3898 static int_eximarith_t
3899 eval_op_and(uschar **sptr, BOOL decimal, uschar **error)
3900 {
3901 uschar *s = *sptr;
3902 int_eximarith_t x = eval_op_shift(&s, decimal, error);
3903 if (*error == NULL)
3904 {
3905 while (*s == '&')
3906 {
3907 int_eximarith_t y;
3908 s++;
3909 y = eval_op_shift(&s, decimal, error);
3910 if (*error != NULL) break;
3911 x &= y;
3912 }
3913 }
3914 *sptr = s;
3915 return x;
3916 }
3917
3918
3919 static int_eximarith_t
3920 eval_op_xor(uschar **sptr, BOOL decimal, uschar **error)
3921 {
3922 uschar *s = *sptr;
3923 int_eximarith_t x = eval_op_and(&s, decimal, error);
3924 if (*error == NULL)
3925 {
3926 while (*s == '^')
3927 {
3928 int_eximarith_t y;
3929 s++;
3930 y = eval_op_and(&s, decimal, error);
3931 if (*error != NULL) break;
3932 x ^= y;
3933 }
3934 }
3935 *sptr = s;