From cfab9d68aba4f5cc5218b1619b4469880c4d6cc5 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 2 Jun 2016 21:56:29 +0100 Subject: [PATCH 1/1] Add support for ${sha256:} --- doc/doc-docbook/spec.xfpt | 11 +++++++---- doc/doc-txt/ChangeLog | 9 ++++++--- src/src/expand.c | 29 +++++++++++++++++++++-------- test/scripts/2000-GnuTLS/2000 | 6 ++++++ test/scripts/2100-OpenSSL/2100 | 6 ++++++ test/stdout/2000 | 3 +++ test/stdout/2100 | 3 +++ 7 files changed, 52 insertions(+), 15 deletions(-) create mode 100644 test/stdout/2000 create mode 100644 test/stdout/2100 diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 42e116182..1e5b72e87 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -10490,16 +10490,19 @@ If the string is a single variable of type certificate, returns the SHA-1 hash fingerprint of the certificate. -.vitem &*${sha256:*&<&'certificate'&>&*}*& +.vitem &*${sha256:*&<&'string'&>&*}*& .cindex "SHA-256 hash" .cindex certificate fingerprint .cindex "expansion" "SHA-256 hashing" .cindex "&%sha256%& expansion item" -The &%sha256%& operator computes the SHA-256 hash fingerprint of the -certificate, +.new +The &%sha256%& operator computes the SHA-256 hash value of the string and returns it as a 64-digit hexadecimal number, in which any letters are in upper case. -Only arguments which are a single variable of certificate type are supported. +.wen + +If the string is a single variable of type certificate, +returns the SHA-256 hash fingerprint of the certificate. .vitem &*${stat:*&<&'string'&>&*}*& diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 254070e26..7a5aab755 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -37,6 +37,9 @@ JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. +JH/10 Support ${sha256:} applied to a string (as well as the previous + certificate). + Exim version 4.87 ----------------- @@ -303,7 +306,7 @@ JH/18 Bug 1581: Router and transport options headers_add/remove can now have the list separator specified. JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry - option values. + option values. JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails under OpenSSL. @@ -318,7 +321,7 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size JH/24 Verification callouts now attempt to use TLS by default. -HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) are generic router options now. The defaults didn't change. JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. @@ -938,7 +941,7 @@ PP/12 MAIL args handles TAB as well as SP, for better interop with Analysis and variant patch by Todd Lyons. NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated - Bug report from Lars Müller (via SUSE), + Bug report from Lars Müller (via SUSE), Patch from Dirk Mueller PP/13 tls_peerdn now print-escaped for spool files. diff --git a/src/src/expand.c b/src/src/expand.c index 40b697a5d..d23e15fa7 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -2506,7 +2506,6 @@ switch(cond_type) checking for them individually. */ if (!isalpha(name[0]) && yield != NULL) - { if (sub[i][0] == 0) { num[i] = 0; @@ -2518,7 +2517,6 @@ switch(cond_type) num[i] = expanded_string_integer(sub[i], FALSE); if (expand_string_message != NULL) return NULL; } - } } /* Result not required */ @@ -2686,7 +2684,7 @@ switch(cond_type) uschar digest[16]; md5_start(&base); - md5_end(&base, (uschar *)sub[0], Ustrlen(sub[0]), digest); + md5_end(&base, sub[0], Ustrlen(sub[0]), digest); /* If the length that we are comparing against is 24, the MD5 digest is expressed as a base64 string. This is the way LDAP does it. However, @@ -2695,7 +2693,7 @@ switch(cond_type) if (sublen == 24) { - uschar *coded = b64encode((uschar *)digest, 16); + uschar *coded = b64encode(digest, 16); DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n" " subject=%s\n crypted=%s\n", coded, sub[1]+5); tempcond = (Ustrcmp(coded, sub[1]+5) == 0); @@ -2725,7 +2723,7 @@ switch(cond_type) uschar digest[20]; sha1_start(&h); - sha1_end(&h, (uschar *)sub[0], Ustrlen(sub[0]), digest); + sha1_end(&h, sub[0], Ustrlen(sub[0]), digest); /* If the length that we are comparing against is 28, assume the SHA1 digest is expressed as a base64 string. If the length is 40, assume a @@ -2733,7 +2731,7 @@ switch(cond_type) if (sublen == 28) { - uschar *coded = b64encode((uschar *)digest, 20); + uschar *coded = b64encode(digest, 20); DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n" " subject=%s\n crypted=%s\n", coded, sub[1]+6); tempcond = (Ustrcmp(coded, sub[1]+6) == 0); @@ -6364,7 +6362,7 @@ while (*s != 0) sha1_start(&h); sha1_end(&h, sub, Ustrlen(sub), digest); for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]); - yield = string_cat(yield, &size, &ptr, US st); + yield = string_catn(yield, &size, &ptr, US st, 40); } continue; @@ -6376,8 +6374,23 @@ while (*s != 0) yield = string_cat(yield, &size, &ptr, cp); } else + { + hctx h; + blob b; + char st[3]; + + exim_sha_init(&h, HASH_SHA256); + exim_sha_update(&h, sub, Ustrlen(sub)); + exim_sha_finish(&h, &b); + while (b.len-- > 0) + { + sprintf(st, "%02X", *b.data++); + yield = string_catn(yield, &size, &ptr, US st, 2); + } + } +#else + expand_string_message = US"sha256 only supported with TLS"; #endif - expand_string_message = US"sha256 only supported for certificates"; continue; /* Convert hex encoding to base64 encoding */ diff --git a/test/scripts/2000-GnuTLS/2000 b/test/scripts/2000-GnuTLS/2000 index a1299e574..5e26e4332 100644 --- a/test/scripts/2000-GnuTLS/2000 +++ b/test/scripts/2000-GnuTLS/2000 @@ -13,3 +13,9 @@ exim -qf **** killdaemon no_msglog_check +# +# +exim -be +sha256: ${sha256:} +sha256: ${sha256:abc} +**** diff --git a/test/scripts/2100-OpenSSL/2100 b/test/scripts/2100-OpenSSL/2100 index c2b0f8981..27c6c84d6 100644 --- a/test/scripts/2100-OpenSSL/2100 +++ b/test/scripts/2100-OpenSSL/2100 @@ -8,3 +8,9 @@ exim -qf **** killdaemon no_msglog_check +# +# +exim -be +sha256: ${sha256:} +sha256: ${sha256:abc} +**** diff --git a/test/stdout/2000 b/test/stdout/2000 new file mode 100644 index 000000000..effaada83 --- /dev/null +++ b/test/stdout/2000 @@ -0,0 +1,3 @@ +> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 +> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD +> diff --git a/test/stdout/2100 b/test/stdout/2100 new file mode 100644 index 000000000..effaada83 --- /dev/null +++ b/test/stdout/2100 @@ -0,0 +1,3 @@ +> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 +> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD +> -- 2.25.1