Use serial number 1 for self-generated selfsigned certificate
[exim.git] / src / src / spool_in.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for reading spool files. When compiling for a utility (eximon),
9 not all are needed, and some functionality can be cut out. */
10
11
12 #include "exim.h"
13
14
15
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Open and lock data file *
19 *************************************************/
20
21 /* The data file is the one that is used for locking, because the header file
22 can get replaced during delivery because of header rewriting. The file has
23 to opened with write access so that we can get an exclusive lock, but in
24 fact it won't be written to. Just in case there's a major disaster (e.g.
25 overwriting some other file descriptor with the value of this one), open it
26 with append.
27
28 As called by deliver_message() (at least) we are operating as root.
29
30 Argument: the id of the message
31 Returns: fd if file successfully opened and locked, else -1
32
33 Side effect: message_subdir is set for the (possibly split) spool directory
34 */
35
36 int
37 spool_open_datafile(uschar *id)
38 {
39 int i;
40 struct stat statbuf;
41 flock_t lock_data;
42 int fd;
43
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
49 splitting state. */
50
51 for (i = 0; i < 2; i++)
52 {
53 uschar * fname;
54 int save_errno;
55
56 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
59
60 /* We protect against symlink attacks both in not propagating the
61 * file-descriptor to other processes as we exec, and also ensuring that we
62 * don't even open symlinks.
63 * No -D file inside the spool area should be a symlink.
64 */
65 if ((fd = Uopen(fname,
66 #ifdef O_CLOEXEC
67 O_CLOEXEC |
68 #endif
69 #ifdef O_NOFOLLOW
70 O_NOFOLLOW |
71 #endif
72 O_RDWR | O_APPEND, 0)) >= 0)
73 break;
74 save_errno = errno;
75 if (errno == ENOENT)
76 {
77 if (i == 0) continue;
78 if (!queue_running)
79 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
82 id);
83 }
84 else
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
86 errno = save_errno;
87 return -1;
88 }
89
90 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91 the file. We lock only the first line of the file (containing the message ID)
92 because this apparently is needed for running Exim under Cygwin. If the entire
93 file is locked in one process, a sub-process cannot access it, even when passed
94 an open file descriptor (at least, I think that's the Cygwin story). On real
95 Unix systems it doesn't make any difference as long as Exim is consistent in
96 what it locks. */
97
98 #ifndef O_CLOEXEC
99 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
100 #endif
101
102 lock_data.l_type = F_WRLCK;
103 lock_data.l_whence = SEEK_SET;
104 lock_data.l_start = 0;
105 lock_data.l_len = SPOOL_DATA_START_OFFSET;
106
107 if (fcntl(fd, F_SETLK, &lock_data) < 0)
108 {
109 log_write(L_skip_delivery,
110 LOG_MAIN,
111 "Spool file is locked (another process is handling this message)");
112 (void)close(fd);
113 errno = 0;
114 return -1;
115 }
116
117 /* Get the size of the data; don't include the leading filename line
118 in the count, but add one for the newline before the data. */
119
120 if (fstat(fd, &statbuf) == 0)
121 {
122 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
123 message_size = message_body_size + 1;
124 }
125
126 return fd;
127 }
128 #endif /* COMPILE_UTILITY */
129
130
131
132 /*************************************************
133 * Read non-recipients tree from spool file *
134 *************************************************/
135
136 /* The tree of non-recipients is written to the spool file in a form that
137 makes it easy to read back into a tree. The format is as follows:
138
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
141
142 . The left subtree (if any) then follows, then the right subtree (if any).
143
144 This function is entered with the next input line in the buffer. Note we must
145 save the right flag before recursing with the same buffer.
146
147 Once the tree is read, we re-construct the balance fields by scanning the tree.
148 I forgot to write them out originally, and the compatible fix is to do it this
149 way. This initial local recursing function does the necessary.
150
151 Arguments:
152 node tree node
153
154 Returns: maximum depth below the node, including the node itself
155 */
156
157 static int
158 count_below(tree_node *node)
159 {
160 int nleft, nright;
161 if (node == NULL) return 0;
162 nleft = count_below(node->left);
163 nright = count_below(node->right);
164 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165 return 1 + ((nleft > nright)? nleft : nright);
166 }
167
168 /* This is the real function...
169
170 Arguments:
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
175
176 Returns: FALSE on format error
177 */
178
179 static BOOL
180 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
181 int buffer_size)
182 {
183 tree_node *node;
184 int n = Ustrlen(buffer);
185 BOOL right = buffer[1] == 'Y';
186
187 if (n < 5) return FALSE; /* malformed line */
188 buffer[n-1] = 0; /* Remove \n */
189 node = store_get(sizeof(tree_node) + n - 3);
190 *connect = node;
191 Ustrcpy(node->name, buffer + 3);
192 node->data.ptr = NULL;
193
194 if (buffer[0] == 'Y')
195 {
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
198 return FALSE;
199 }
200 else node->left = NULL;
201
202 if (right)
203 {
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
206 return FALSE;
207 }
208 else node->right = NULL;
209
210 (void) count_below(*connect);
211 return TRUE;
212 }
213
214
215
216
217 /* Reset all the global variables to their default values. However, there is
218 one exception. DO NOT change the default value of dont_deliver, because it may
219 be forced by an external setting. */
220
221 void
222 spool_clear_header_globals(void)
223 {
224 acl_var_c = acl_var_m = NULL;
225 authenticated_id = NULL;
226 authenticated_sender = NULL;
227 allow_unqualified_recipient = FALSE;
228 allow_unqualified_sender = FALSE;
229 body_linecount = 0;
230 body_zerocount = 0;
231 deliver_firsttime = FALSE;
232 deliver_freeze = FALSE;
233 deliver_frozen_at = 0;
234 deliver_manual_thaw = FALSE;
235 /* dont_deliver must NOT be reset */
236 header_list = header_last = NULL;
237 host_lookup_deferred = FALSE;
238 host_lookup_failed = FALSE;
239 interface_address = NULL;
240 interface_port = 0;
241 local_error_message = FALSE;
242 #ifdef HAVE_LOCAL_SCAN
243 local_scan_data = NULL;
244 #endif
245 max_received_linelength = 0;
246 message_linecount = 0;
247 received_protocol = NULL;
248 received_count = 0;
249 recipients_list = NULL;
250 sender_address = NULL;
251 sender_fullhost = NULL;
252 sender_helo_name = NULL;
253 sender_host_address = NULL;
254 sender_host_name = NULL;
255 sender_host_port = 0;
256 sender_host_authenticated = NULL;
257 sender_ident = NULL;
258 sender_local = FALSE;
259 sender_set_untrusted = FALSE;
260 smtp_active_hostname = primary_hostname;
261 #ifndef COMPILE_UTILITY
262 spool_file_wireformat = FALSE;
263 #endif
264 tree_nonrecipients = NULL;
265
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
267 bmi_run = 0;
268 bmi_verdicts = NULL;
269 #endif
270
271 #ifndef DISABLE_DKIM
272 dkim_signers = NULL;
273 dkim_disable_verify = FALSE;
274 dkim_collect_input = 0;
275 #endif
276
277 #ifdef SUPPORT_TLS
278 tls_in.certificate_verified = FALSE;
279 # ifdef SUPPORT_DANE
280 tls_in.dane_verified = FALSE;
281 # endif
282 tls_in.cipher = NULL;
283 # ifndef COMPILE_UTILITY /* tls support fns not built in */
284 tls_free_cert(&tls_in.ourcert);
285 tls_free_cert(&tls_in.peercert);
286 # endif
287 tls_in.peerdn = NULL;
288 tls_in.sni = NULL;
289 tls_in.ocsp = OCSP_NOT_REQ;
290 #endif
291
292 #ifdef WITH_CONTENT_SCAN
293 spam_bar = NULL;
294 spam_score = NULL;
295 spam_score_int = NULL;
296 #endif
297
298 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
299 message_smtputf8 = FALSE;
300 message_utf8_downconvert = 0;
301 #endif
302
303 dsn_ret = 0;
304 dsn_envid = NULL;
305 }
306
307
308 /*************************************************
309 * Read spool header file *
310 *************************************************/
311
312 /* This function reads a spool header file and places the data into the
313 appropriate global variables. The header portion is always read, but header
314 structures are built only if read_headers is set true. It isn't, for example,
315 while generating -bp output.
316
317 It may be possible for blocks of nulls (binary zeroes) to get written on the
318 end of a file if there is a system crash during writing. It was observed on an
319 earlier version of Exim that omitted to fsync() the files - this is thought to
320 have been the cause of that incident, but in any case, this code must be robust
321 against such an event, and if such a file is encountered, it must be treated as
322 malformed.
323
324 As called from deliver_message() (at least) we are running as root.
325
326 Arguments:
327 name name of the header file, including the -H
328 read_headers TRUE if in-store header structures are to be built
329 subdir_set TRUE is message_subdir is already set
330
331 Returns: spool_read_OK success
332 spool_read_notopen open failed
333 spool_read_enverror error in the envelope portion
334 spool_read_hdrerror error in the header portion
335 */
336
337 int
338 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
339 {
340 FILE *f = NULL;
341 int n;
342 int rcount = 0;
343 long int uid, gid;
344 BOOL inheader = FALSE;
345 uschar *p;
346
347 /* Reset all the global variables to their default values. However, there is
348 one exception. DO NOT change the default value of dont_deliver, because it may
349 be forced by an external setting. */
350
351 spool_clear_header_globals();
352
353 /* Generate the full name and open the file. If message_subdir is already
354 set, just look in the given directory. Otherwise, look in both the split
355 and unsplit directories, as for the data file above. */
356
357 for (n = 0; n < 2; n++)
358 {
359 if (!subdir_set)
360 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
361
362 if ((f = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
363 break;
364 if (n != 0 || subdir_set || errno != ENOENT)
365 return spool_read_notopen;
366 }
367
368 errno = 0;
369
370 #ifndef COMPILE_UTILITY
371 DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
372 #endif /* COMPILE_UTILITY */
373
374 /* The first line of a spool file contains the message id followed by -H (i.e.
375 the file name), in order to make the file self-identifying. */
376
377 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
378 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
379 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
380 goto SPOOL_FORMAT_ERROR;
381
382 /* The next three lines in the header file are in a fixed format. The first
383 contains the login, uid, and gid of the user who caused the file to be written.
384 There are known cases where a negative gid is used, so we allow for both
385 negative uids and gids. The second contains the mail address of the message's
386 sender, enclosed in <>. The third contains the time the message was received,
387 and the number of warning messages for delivery delays that have been sent. */
388
389 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
390
391 p = big_buffer + Ustrlen(big_buffer);
392 while (p > big_buffer && isspace(p[-1])) p--;
393 *p = 0;
394 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
395 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
396 gid = Uatoi(p);
397 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
398 *p = 0;
399 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
400 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
401 uid = Uatoi(p);
402 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
403 *p = 0;
404
405 originator_login = string_copy(big_buffer);
406 originator_uid = (uid_t)uid;
407 originator_gid = (gid_t)gid;
408
409 /* envelope from */
410 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
411 n = Ustrlen(big_buffer);
412 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
413 goto SPOOL_FORMAT_ERROR;
414
415 sender_address = store_get(n-2);
416 Ustrncpy(sender_address, big_buffer+1, n-3);
417 sender_address[n-3] = 0;
418
419 /* time */
420 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
421 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
422 goto SPOOL_FORMAT_ERROR;
423 received_time.tv_usec = 0;
424
425 message_age = time(NULL) - received_time.tv_sec;
426
427 #ifndef COMPILE_UTILITY
428 DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
429 originator_login, (long int)originator_uid, (long int)originator_gid,
430 sender_address);
431 #endif /* COMPILE_UTILITY */
432
433 /* Now there may be a number of optional lines, each starting with "-". If you
434 add a new setting here, make sure you set the default above.
435
436 Because there are now quite a number of different possibilities, we use a
437 switch on the first character to avoid too many failing tests. Thanks to Nico
438 Erfurth for the patch that implemented this. I have made it even more efficient
439 by not re-scanning the first two characters.
440
441 To allow new versions of Exim that add additional flags to interwork with older
442 versions that do not understand them, just ignore any lines starting with "-"
443 that we don't recognize. Otherwise it wouldn't be possible to back off a new
444 version that left new-style flags written on the spool. */
445
446 p = big_buffer + 2;
447 for (;;)
448 {
449 int len;
450 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
451 if (big_buffer[0] != '-') break;
452 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
453 && big_buffer[len-1] != '\n'
454 )
455 { /* buffer not big enough for line; certs make this possible */
456 uschar * buf;
457 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
458 buf = store_get_perm(big_buffer_size *= 2);
459 memcpy(buf, big_buffer, --len);
460 big_buffer = buf;
461 if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
462 goto SPOOL_READ_ERROR;
463 }
464 big_buffer[len-1] = 0;
465
466 switch(big_buffer[1])
467 {
468 case 'a':
469
470 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
471 variable, because Exim allows any number of them, with arbitrary names.
472 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
473 the c or m. */
474
475 if (Ustrncmp(p, "clc ", 4) == 0 ||
476 Ustrncmp(p, "clm ", 4) == 0)
477 {
478 uschar *name, *endptr;
479 int count;
480 tree_node *node;
481 endptr = Ustrchr(big_buffer + 6, ' ');
482 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
483 name = string_sprintf("%c%.*s", big_buffer[4],
484 (int)(endptr - big_buffer - 6), big_buffer + 6);
485 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
486 node = acl_var_create(name);
487 node->data.ptr = store_get(count + 1);
488 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
489 ((uschar*)node->data.ptr)[count] = 0;
490 }
491
492 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
493 allow_unqualified_recipient = TRUE;
494 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
495 allow_unqualified_sender = TRUE;
496
497 else if (Ustrncmp(p, "uth_id", 6) == 0)
498 authenticated_id = string_copy(big_buffer + 9);
499 else if (Ustrncmp(p, "uth_sender", 10) == 0)
500 authenticated_sender = string_copy(big_buffer + 13);
501 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
502 smtp_active_hostname = string_copy(big_buffer + 17);
503
504 /* For long-term backward compatibility, we recognize "-acl", which was
505 used before the number of ACL variables changed from 10 to 20. This was
506 before the subsequent change to an arbitrary number of named variables.
507 This code is retained so that upgrades from very old versions can still
508 handle old-format spool files. The value given after "-acl" is a number
509 that is 0-9 for connection variables, and 10-19 for message variables. */
510
511 else if (Ustrncmp(p, "cl ", 3) == 0)
512 {
513 unsigned index, count;
514 uschar name[20]; /* Need plenty of space for %u format */
515 tree_node * node;
516 if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
517 || index >= 20
518 || count > 16384 /* arbitrary limit on variable size */
519 )
520 goto SPOOL_FORMAT_ERROR;
521 if (index < 10)
522 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
523 else
524 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
525 node = acl_var_create(name);
526 node->data.ptr = store_get(count + 1);
527 /* We sanity-checked the count, so disable the Coverity error */
528 /* coverity[tainted_data] */
529 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
530 (US node->data.ptr)[count] = '\0';
531 }
532 break;
533
534 case 'b':
535 if (Ustrncmp(p, "ody_linecount", 13) == 0)
536 body_linecount = Uatoi(big_buffer + 15);
537 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
538 body_zerocount = Uatoi(big_buffer + 15);
539 #ifdef EXPERIMENTAL_BRIGHTMAIL
540 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
541 bmi_verdicts = string_copy(big_buffer + 14);
542 #endif
543 break;
544
545 case 'd':
546 if (Ustrcmp(p, "eliver_firsttime") == 0)
547 deliver_firsttime = TRUE;
548 /* Check if the dsn flags have been set in the header file */
549 else if (Ustrncmp(p, "sn_ret", 6) == 0)
550 dsn_ret= atoi(CS big_buffer + 8);
551 else if (Ustrncmp(p, "sn_envid", 8) == 0)
552 dsn_envid = string_copy(big_buffer + 11);
553 break;
554
555 case 'f':
556 if (Ustrncmp(p, "rozen", 5) == 0)
557 {
558 deliver_freeze = TRUE;
559 if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
560 goto SPOOL_READ_ERROR;
561 }
562 break;
563
564 case 'h':
565 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
566 host_lookup_deferred = TRUE;
567 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
568 host_lookup_failed = TRUE;
569 else if (Ustrncmp(p, "ost_auth", 8) == 0)
570 sender_host_authenticated = string_copy(big_buffer + 11);
571 else if (Ustrncmp(p, "ost_name", 8) == 0)
572 sender_host_name = string_copy(big_buffer + 11);
573 else if (Ustrncmp(p, "elo_name", 8) == 0)
574 sender_helo_name = string_copy(big_buffer + 11);
575
576 /* We now record the port number after the address, separated by a
577 dot. For compatibility during upgrading, do nothing if there
578 isn't a value (it gets left at zero). */
579
580 else if (Ustrncmp(p, "ost_address", 11) == 0)
581 {
582 sender_host_port = host_address_extract_port(big_buffer + 14);
583 sender_host_address = string_copy(big_buffer + 14);
584 }
585 break;
586
587 case 'i':
588 if (Ustrncmp(p, "nterface_address", 16) == 0)
589 {
590 interface_port = host_address_extract_port(big_buffer + 19);
591 interface_address = string_copy(big_buffer + 19);
592 }
593 else if (Ustrncmp(p, "dent", 4) == 0)
594 sender_ident = string_copy(big_buffer + 7);
595 break;
596
597 case 'l':
598 if (Ustrcmp(p, "ocal") == 0)
599 sender_local = TRUE;
600 else if (Ustrcmp(big_buffer, "-localerror") == 0)
601 local_error_message = TRUE;
602 #ifdef HAVE_LOCAL_SCAN
603 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
604 local_scan_data = string_copy(big_buffer + 12);
605 #endif
606 break;
607
608 case 'm':
609 if (Ustrcmp(p, "anual_thaw") == 0) deliver_manual_thaw = TRUE;
610 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
611 max_received_linelength = Uatoi(big_buffer + 24);
612 break;
613
614 case 'N':
615 if (*p == 0) dont_deliver = TRUE; /* -N */
616 break;
617
618 case 'r':
619 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
620 received_protocol = string_copy(big_buffer + 19);
621 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
622 {
623 unsigned usec;
624 if (sscanf(CS big_buffer + 21, "%u", &usec) == 1)
625 received_time.tv_usec = usec;
626 }
627 break;
628
629 case 's':
630 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
631 sender_set_untrusted = TRUE;
632 #ifdef WITH_CONTENT_SCAN
633 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
634 spam_bar = string_copy(big_buffer + 10);
635 else if (Ustrncmp(p, "pam_score ", 10) == 0)
636 spam_score = string_copy(big_buffer + 12);
637 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
638 spam_score_int = string_copy(big_buffer + 16);
639 #endif
640 #ifndef COMPILE_UTILITY
641 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
642 spool_file_wireformat = TRUE;
643 #endif
644 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
645 else if (Ustrncmp(p, "mtputf8", 7) == 0)
646 message_smtputf8 = TRUE;
647 #endif
648 break;
649
650 #ifdef SUPPORT_TLS
651 case 't':
652 if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
653 tls_in.certificate_verified = TRUE;
654 else if (Ustrncmp(p, "ls_cipher", 9) == 0)
655 tls_in.cipher = string_copy(big_buffer + 12);
656 # ifndef COMPILE_UTILITY /* tls support fns not built in */
657 else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
658 (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
659 else if (Ustrncmp(p, "ls_peercert", 11) == 0)
660 (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
661 # endif
662 else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
663 tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
664 else if (Ustrncmp(p, "ls_sni", 6) == 0)
665 tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
666 else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
667 tls_in.ocsp = big_buffer[10] - '0';
668 break;
669 #endif
670
671 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
672 case 'u':
673 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
674 message_utf8_downconvert = 1;
675 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
676 message_utf8_downconvert = -1;
677 break;
678 #endif
679
680 default: /* Present because some compilers complain if all */
681 break; /* possibilities are not covered. */
682 }
683 }
684
685 /* Build sender_fullhost if required */
686
687 #ifndef COMPILE_UTILITY
688 host_build_sender_fullhost();
689 #endif /* COMPILE_UTILITY */
690
691 #ifndef COMPILE_UTILITY
692 DEBUG(D_deliver)
693 debug_printf("sender_local=%d ident=%s\n", sender_local,
694 (sender_ident == NULL)? US"unset" : sender_ident);
695 #endif /* COMPILE_UTILITY */
696
697 /* We now have the tree of addresses NOT to deliver to, or a line
698 containing "XX", indicating no tree. */
699
700 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
701 !read_nonrecipients_tree(&tree_nonrecipients, f, big_buffer, big_buffer_size))
702 goto SPOOL_FORMAT_ERROR;
703
704 #ifndef COMPILE_UTILITY
705 DEBUG(D_deliver)
706 {
707 debug_printf("Non-recipients:\n");
708 debug_print_tree(tree_nonrecipients);
709 }
710 #endif /* COMPILE_UTILITY */
711
712 /* After reading the tree, the next line has not yet been read into the
713 buffer. It contains the count of recipients which follow on separate lines.
714 Apply an arbitrary sanity check.*/
715
716 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
717 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
718 goto SPOOL_FORMAT_ERROR;
719
720 #ifndef COMPILE_UTILITY
721 DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
722 #endif /* COMPILE_UTILITY */
723
724 recipients_list_max = rcount;
725 recipients_list = store_get(rcount * sizeof(recipient_item));
726
727 /* We sanitised the count and know we have enough memory, so disable
728 the Coverity error on recipients_count */
729 /* coverity[tainted_data] */
730
731 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
732 {
733 int nn;
734 int pno = -1;
735 int dsn_flags = 0;
736 uschar *orcpt = NULL;
737 uschar *errors_to = NULL;
738 uschar *p;
739
740 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
741 nn = Ustrlen(big_buffer);
742 if (nn < 2) goto SPOOL_FORMAT_ERROR;
743
744 /* Remove the newline; this terminates the address if there is no additional
745 data on the line. */
746
747 p = big_buffer + nn - 1;
748 *p-- = 0;
749
750 /* Look back from the end of the line for digits and special terminators.
751 Since an address must end with a domain, we can tell that extra data is
752 present by the presence of the terminator, which is always some character
753 that cannot exist in a domain. (If I'd thought of the need for additional
754 data early on, I'd have put it at the start, with the address at the end. As
755 it is, we have to operate backwards. Addresses are permitted to contain
756 spaces, you see.)
757
758 This code has to cope with various versions of this data that have evolved
759 over time. In all cases, the line might just contain an address, with no
760 additional data. Otherwise, the possibilities are as follows:
761
762 Exim 3 type: <address><space><digits>,<digits>,<digits>
763
764 The second set of digits is the parent number for one_time addresses. The
765 other values were remnants of earlier experiments that were abandoned.
766
767 Exim 4 first type: <address><space><digits>
768
769 The digits are the parent number for one_time addresses.
770
771 Exim 4 new type: <address><space><data>#<type bits>
772
773 The type bits indicate what the contents of the data are.
774
775 Bit 01 indicates that, reading from right to left, the data
776 ends with <errors_to address><space><len>,<pno> where pno is
777 the parent number for one_time addresses, and len is the length
778 of the errors_to address (zero meaning none).
779
780 Bit 02 indicates that, again reading from right to left, the data continues
781 with orcpt len(orcpt),dsn_flags
782 */
783
784 while (isdigit(*p)) p--;
785
786 /* Handle Exim 3 spool files */
787
788 if (*p == ',')
789 {
790 int dummy;
791 while (isdigit(*(--p)) || *p == ',');
792 if (*p == ' ')
793 {
794 *p++ = 0;
795 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
796 }
797 }
798
799 /* Handle early Exim 4 spool files */
800
801 else if (*p == ' ')
802 {
803 *p++ = 0;
804 (void)sscanf(CS p, "%d", &pno);
805 }
806
807 /* Handle current format Exim 4 spool files */
808
809 else if (*p == '#')
810 {
811 int flags;
812
813 #if !defined (COMPILE_UTILITY)
814 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
815 #endif
816
817 (void)sscanf(CS p+1, "%d", &flags);
818
819 if ((flags & 0x01) != 0) /* one_time data exists */
820 {
821 int len;
822 while (isdigit(*(--p)) || *p == ',' || *p == '-');
823 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
824 *p = 0;
825 if (len > 0)
826 {
827 p -= len;
828 errors_to = string_copy(p);
829 }
830 }
831
832 *(--p) = 0; /* Terminate address */
833 if ((flags & 0x02) != 0) /* one_time data exists */
834 {
835 int len;
836 while (isdigit(*(--p)) || *p == ',' || *p == '-');
837 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
838 *p = 0;
839 if (len > 0)
840 {
841 p -= len;
842 orcpt = string_copy(p);
843 }
844 }
845
846 *(--p) = 0; /* Terminate address */
847 }
848 #if !defined(COMPILE_UTILITY)
849 else
850 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
851
852 if ((orcpt != NULL) || (dsn_flags != 0))
853 {
854 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
855 big_buffer, orcpt, dsn_flags);
856 }
857 if (errors_to != NULL)
858 {
859 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
860 big_buffer, errors_to);
861 }
862 #endif
863
864 recipients_list[recipients_count].address = string_copy(big_buffer);
865 recipients_list[recipients_count].pno = pno;
866 recipients_list[recipients_count].errors_to = errors_to;
867 recipients_list[recipients_count].orcpt = orcpt;
868 recipients_list[recipients_count].dsn_flags = dsn_flags;
869 }
870
871 /* The remainder of the spool header file contains the headers for the message,
872 separated off from the previous data by a blank line. Each header is preceded
873 by a count of its length and either a certain letter (for various identified
874 headers), space (for a miscellaneous live header) or an asterisk (for a header
875 that has been rewritten). Count the Received: headers. We read the headers
876 always, in order to check on the format of the file, but only create a header
877 list if requested to do so. */
878
879 inheader = TRUE;
880 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
881 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
882
883 while ((n = fgetc(f)) != EOF)
884 {
885 header_line *h;
886 uschar flag[4];
887 int i;
888
889 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
890 if(ungetc(n, f) == EOF || fscanf(f, "%d%c ", &n, flag) == EOF)
891 goto SPOOL_READ_ERROR;
892 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
893
894 if (read_headers)
895 {
896 h = store_get(sizeof(header_line));
897 h->next = NULL;
898 h->type = flag[0];
899 h->slen = n;
900 h->text = store_get(n+1);
901
902 if (h->type == htype_received) received_count++;
903
904 if (header_list == NULL) header_list = h;
905 else header_last->next = h;
906 header_last = h;
907
908 for (i = 0; i < n; i++)
909 {
910 int c = fgetc(f);
911 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
912 if (c == '\n' && h->type != htype_old) message_linecount++;
913 h->text[i] = c;
914 }
915 h->text[i] = 0;
916 }
917
918 /* Not requiring header data, just skip through the bytes */
919
920 else for (i = 0; i < n; i++)
921 {
922 int c = fgetc(f);
923 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
924 }
925 }
926
927 /* We have successfully read the data in the header file. Update the message
928 line count by adding the body linecount to the header linecount. Close the file
929 and give a positive response. */
930
931 #ifndef COMPILE_UTILITY
932 DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
933 body_linecount, message_linecount);
934 #endif /* COMPILE_UTILITY */
935
936 message_linecount += body_linecount;
937
938 fclose(f);
939 return spool_read_OK;
940
941
942 /* There was an error reading the spool or there was missing data,
943 or there was a format error. A "read error" with no errno means an
944 unexpected EOF, which we treat as a format error. */
945
946 SPOOL_READ_ERROR:
947 if (errno != 0)
948 {
949 n = errno;
950
951 #ifndef COMPILE_UTILITY
952 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
953 #endif /* COMPILE_UTILITY */
954
955 fclose(f);
956 errno = n;
957 return inheader? spool_read_hdrerror : spool_read_enverror;
958 }
959
960 SPOOL_FORMAT_ERROR:
961
962 #ifndef COMPILE_UTILITY
963 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
964 #endif /* COMPILE_UTILITY */
965
966 fclose(f);
967 errno = ERRNO_SPOOLFORMAT;
968 return inheader? spool_read_hdrerror : spool_read_enverror;
969 }
970
971 /* vi: aw ai sw=2
972 */
973 /* End of spool_in.c */