US"rxquote",
US"s",
US"sha1",
+ US"sha2",
US"sha256",
US"sha3",
US"stat",
EOP_RXQUOTE,
EOP_S,
EOP_SHA1,
+ EOP_SHA2,
EOP_SHA256,
EOP_SHA3,
EOP_STAT,
{ "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
{ "tls_in_peercert", vtype_cert, &tls_in.peercert },
{ "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
-#if defined(SUPPORT_TLS)
+#ifdef EXPERIMENTAL_TLS_RESUME
+ { "tls_in_resumption", vtype_int, &tls_in.resumption },
+#endif
+#ifndef DISABLE_TLS
{ "tls_in_sni", vtype_stringptr, &tls_in.sni },
#endif
{ "tls_out_bits", vtype_int, &tls_out.bits },
{ "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
{ "tls_out_peercert", vtype_cert, &tls_out.peercert },
{ "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
-#if defined(SUPPORT_TLS)
+#ifdef EXPERIMENTAL_TLS_RESUME
+ { "tls_out_resumption", vtype_int, &tls_out.resumption },
+#endif
+#ifndef DISABLE_TLS
{ "tls_out_sni", vtype_stringptr, &tls_out.sni },
#endif
#ifdef SUPPORT_DANE
#endif
{ "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
#endif
However, if we're stuck unable to provide this, then we'll fall back to
appallingly bad randomness.
-If SUPPORT_TLS is defined then this will not be used except as an emergency
+If DISABLE_TLS is not defined then this will not be used except as an emergency
fallback.
Arguments:
Returns a random number in range [0, max-1]
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# define vaguely_random_number vaguely_random_number_fallback
#endif
int
vaguely_random_number(int max)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# undef vaguely_random_number
#endif
static pid_t pid = 0;
/* Certificate fields, by name. Worry about by-OID later */
/* Names are chosen to not have common prefixes */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
typedef struct
{
uschar * name;
string_sprintf("bad field selector \"%s\" for certextract", field);
return NULL;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/*************************************************
* Extract a substring from a string *
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static gstring *
cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
{
{
uschar *s = *sptr;
int_eximarith_t x = eval_op_or(&s, decimal, error);
-if (*error == NULL)
- {
+
+if (!*error)
if (endket)
- {
if (*s != ')')
*error = US"expecting closing parenthesis";
else
while (isspace(*(++s)));
- }
- else if (*s != 0) *error = US"expecting operator";
- }
+ else if (*s)
+ *error = US"expecting operator";
*sptr = s;
return x;
}
static int_eximarith_t
eval_number(uschar **sptr, BOOL decimal, uschar **error)
{
-register int c;
+int c;
int_eximarith_t n;
uschar *s = *sptr;
+
while (isspace(*s)) s++;
-c = *s;
-if (isdigit(c))
+if (isdigit((c = *s)))
{
int count;
(void)sscanf(CS s, (decimal? SC_EXIM_DEC "%n" : SC_EXIM_ARITH "%n"), &n, &count);
else if (op == '~') x = ~x;
}
else
- {
x = eval_number(&s, decimal, error);
- }
+
*sptr = s;
return x;
}
uschar * server_name = NULL;
host_item host;
BOOL do_shutdown = TRUE;
- BOOL do_tls = FALSE; /* Only set under SUPPORT_TLS */
+ BOOL do_tls = FALSE; /* Only set under ! DISABLE_TLS */
blob reqstr;
if (expand_forbid & RDO_READSOCK)
while ((item = string_nextinlist(&list, &sep, NULL, 0)))
if (Ustrncmp(item, US"shutdown=", 9) == 0)
{ if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; }
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
else if (Ustrncmp(item, US"tls=", 4) == 0)
{ if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; }
#endif
port = ntohs(service_info->s_port);
}
- /*XXX we trust that the request is idempotent. Hmm. */
+ /*XXX we trust that the request is idempotent for TFO. Hmm. */
cctx.sock = ip_connectedsocket(SOCK_STREAM, server_name, port, port,
timeout, &host, &expand_string_message,
do_tls ? NULL : &reqstr);
DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (do_tls)
{
smtp_connect_args conn_args = {.host = &host };
DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n",
reqstr.data);
if ( (
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) :
#endif
write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len)
sigalrm_seen = FALSE;
ALARM(timeout);
yield =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) :
#endif
cat_file(fp, yield, sub_arg[3]);
ALARM_CLR(0);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (do_tls)
{
tls_close(cctx.tls_ctx, TRUE);
continue;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case EITEM_CERTEXTRACT:
{
uschar *save_lookup_value = lookup_value;
save_expand_nlength);
continue;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* Handle list operations */
int c;
uschar *arg = NULL;
uschar *sub;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
var_entry *vp = NULL;
#endif
as we do not want to do the usual expansion. For most, expand the string.*/
switch(c)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case EOP_MD5:
case EOP_SHA1:
case EOP_SHA256:
}
case EOP_MD5:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (vp && *(void **)vp->value)
{
uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
continue;
case EOP_SHA1:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (vp && *(void **)vp->value)
{
uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
}
continue;
+ case EOP_SHA2:
case EOP_SHA256:
#ifdef EXIM_HAVE_SHA2
if (vp && *(void **)vp->value)
- {
- uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value);
- yield = string_cat(yield, cp);
- }
+ if (c == EOP_SHA256)
+ yield = string_cat(yield, tls_cert_fprt_sha256(*(void **)vp->value));
+ else
+ expand_string_message = US"sha2_N not supported with certificates";
else
{
hctx h;
blob b;
+ hashmethod m = !arg ? HASH_SHA2_256
+ : Ustrcmp(arg, "256") == 0 ? HASH_SHA2_256
+ : Ustrcmp(arg, "384") == 0 ? HASH_SHA2_384
+ : Ustrcmp(arg, "512") == 0 ? HASH_SHA2_512
+ : HASH_BADTYPE;
- if (!exim_sha_init(&h, HASH_SHA2_256))
+ if (m == HASH_BADTYPE || !exim_sha_init(&h, m))
{
- expand_string_message = US"unrecognised sha256 variant";
+ expand_string_message = US"unrecognised sha2 variant";
goto EXPAND_FAILED;
}
+
exim_sha_update(&h, sub, Ustrlen(sub));
exim_sha_finish(&h, &b);
while (b.len-- > 0)
case EOP_STR2B64:
case EOP_BASE64:
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * s = vp && *(void **)vp->value
? tls_cert_der_b64(*(void **)vp->value)
: b64encode(CUS sub, Ustrlen(sub));