X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/9f497717cbb7ffea60b235da3e10a7b42bda41ac..b10c87b38c2345d15d30da5c18c823355ac506a9:/src/src/expand.c

diff --git a/src/src/expand.c b/src/src/expand.c
index aa4d0289e..d8ea87dee 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -668,9 +668,6 @@ static var_entry var_table[] = {
   { "regex_match_string",  vtype_stringptr,   &regex_match_string },
 #endif
   { "reply_address",       vtype_reply,       NULL },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  { "requiretls",          vtype_bool,        &tls_requiretls },
-#endif
   { "return_path",         vtype_stringptr,   &return_path },
   { "return_size_limit",   vtype_int,         &bounce_return_size_limit },
   { "router_name",         vtype_stringptr,   &router_name },
@@ -754,6 +751,9 @@ static var_entry var_table[] = {
   { "tls_in_ourcert",      vtype_cert,        &tls_in.ourcert },
   { "tls_in_peercert",     vtype_cert,        &tls_in.peercert },
   { "tls_in_peerdn",       vtype_stringptr,   &tls_in.peerdn },
+#ifdef EXPERIMENTAL_TLS_RESUME
+  { "tls_in_resumption",   vtype_int,         &tls_in.resumption },
+#endif
 #if defined(SUPPORT_TLS)
   { "tls_in_sni",          vtype_stringptr,   &tls_in.sni },
 #endif
@@ -768,6 +768,9 @@ static var_entry var_table[] = {
   { "tls_out_ourcert",     vtype_cert,        &tls_out.ourcert },
   { "tls_out_peercert",    vtype_cert,        &tls_out.peercert },
   { "tls_out_peerdn",      vtype_stringptr,   &tls_out.peerdn },
+#ifdef EXPERIMENTAL_TLS_RESUME
+  { "tls_out_resumption",  vtype_int,         &tls_out.resumption },
+#endif
 #if defined(SUPPORT_TLS)
   { "tls_out_sni",         vtype_stringptr,   &tls_out.sni },
 #endif
@@ -979,47 +982,46 @@ vaguely_random_number(int max)
 #ifdef SUPPORT_TLS
 # undef vaguely_random_number
 #endif
-  static pid_t pid = 0;
-  pid_t p2;
-#if defined(HAVE_SRANDOM) && !defined(HAVE_SRANDOMDEV)
-  struct timeval tv;
-#endif
+static pid_t pid = 0;
+pid_t p2;
 
-  p2 = getpid();
-  if (p2 != pid)
+if ((p2 = getpid()) != pid)
+  {
+  if (pid != 0)
     {
-    if (pid != 0)
-      {
 
 #ifdef HAVE_ARC4RANDOM
-      /* cryptographically strong randomness, common on *BSD platforms, not
-      so much elsewhere.  Alas. */
-#ifndef NOT_HAVE_ARC4RANDOM_STIR
-      arc4random_stir();
-#endif
+    /* cryptographically strong randomness, common on *BSD platforms, not
+    so much elsewhere.  Alas. */
+# ifndef NOT_HAVE_ARC4RANDOM_STIR
+    arc4random_stir();
+# endif
 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
-#ifdef HAVE_SRANDOMDEV
-      /* uses random(4) for seeding */
-      srandomdev();
-#else
-      gettimeofday(&tv, NULL);
-      srandom(tv.tv_sec | tv.tv_usec | getpid());
-#endif
+# ifdef HAVE_SRANDOMDEV
+    /* uses random(4) for seeding */
+    srandomdev();
+# else
+    {
+    struct timeval tv;
+    gettimeofday(&tv, NULL);
+    srandom(tv.tv_sec | tv.tv_usec | getpid());
+    }
+# endif
 #else
-      /* Poor randomness and no seeding here */
+    /* Poor randomness and no seeding here */
 #endif
 
-      }
-    pid = p2;
     }
+  pid = p2;
+  }
 
 #ifdef HAVE_ARC4RANDOM
-  return arc4random() % max;
+return arc4random() % max;
 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
-  return random() % max;
+return random() % max;
 #else
-  /* This one returns a 16-bit number, definitely not crypto-strong */
-  return random_number(max);
+/* This one returns a 16-bit number, definitely not crypto-strong */
+return random_number(max);
 #endif
 }
 
@@ -4837,7 +4839,7 @@ while (*s != 0)
           (void)sscanf(CS now,"%u",&inow);
           (void)sscanf(CS daystamp,"%u",&iexpire);
 
-          /* When "iexpire" is < 7, a "flip" has occured.
+          /* When "iexpire" is < 7, a "flip" has occurred.
              Adjust "inow" accordingly. */
           if ( (iexpire < 7) && (inow >= 993) ) inow = 0;
 
@@ -4934,17 +4936,16 @@ while (*s != 0)
 
     case EITEM_READSOCK:
       {
-      int fd;
+      client_conn_ctx cctx;
       int timeout = 5;
       int save_ptr = yield->ptr;
-      FILE * fp;
+      FILE * fp = NULL;
       uschar * arg;
       uschar * sub_arg[4];
       uschar * server_name = NULL;
       host_item host;
       BOOL do_shutdown = TRUE;
       BOOL do_tls = FALSE;	/* Only set under SUPPORT_TLS */
-      void * tls_ctx = NULL;	/* ditto		      */
       blob reqstr;
 
       if (expand_forbid & RDO_READSOCK)
@@ -5044,12 +5045,12 @@ while (*s != 0)
             port = ntohs(service_info->s_port);
             }
 
-	  /*XXX we trust that the request is idempotent.  Hmm. */
-	  fd = ip_connectedsocket(SOCK_STREAM, server_name, port, port,
+	  /*XXX we trust that the request is idempotent for TFO.  Hmm. */
+	  cctx.sock = ip_connectedsocket(SOCK_STREAM, server_name, port, port,
 		  timeout, &host, &expand_string_message,
 		  do_tls ? NULL : &reqstr);
 	  callout_address = NULL;
-	  if (fd < 0)
+	  if (cctx.sock < 0)
 	    goto SOCK_FAIL;
 	  if (!do_tls)
 	    reqstr.len = 0;
@@ -5062,7 +5063,7 @@ while (*s != 0)
 	  struct sockaddr_un sockun;         /* don't call this "sun" ! */
           int rc;
 
-          if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+          if ((cctx.sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
             {
             expand_string_message = string_sprintf("failed to create socket: %s",
               strerror(errno));
@@ -5076,7 +5077,7 @@ while (*s != 0)
 
           sigalrm_seen = FALSE;
           ALARM(timeout);
-          rc = connect(fd, (struct sockaddr *)(&sockun), sizeof(sockun));
+          rc = connect(cctx.sock, (struct sockaddr *)(&sockun), sizeof(sockun));
           ALARM_CLR(0);
           if (sigalrm_seen)
             {
@@ -5098,14 +5099,11 @@ while (*s != 0)
 #ifdef SUPPORT_TLS
 	if (do_tls)
 	  {
+	  smtp_connect_args conn_args = {.host = &host };
 	  tls_support tls_dummy = {.sni=NULL};
 	  uschar * errstr;
 
-	  if (!(tls_ctx = tls_client_start(fd, &host, NULL, NULL,
-# ifdef SUPPORT_DANE
-				NULL,
-# endif
-	  			&tls_dummy, &errstr)))
+	  if (!tls_client_start(&cctx, &conn_args, NULL, &tls_dummy, &errstr))
 	    {
 	    expand_string_message = string_sprintf("TLS connect failed: %s", errstr);
 	    goto SOCK_FAIL;
@@ -5124,9 +5122,9 @@ while (*s != 0)
             reqstr.data);
           if ( (
 #ifdef SUPPORT_TLS
-	      tls_ctx ? tls_write(tls_ctx, reqstr.data, reqstr.len, FALSE) :
+	      do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) :
 #endif
-			write(fd, reqstr.data, reqstr.len)) != reqstr.len)
+			write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len)
             {
             expand_string_message = string_sprintf("request write to socket "
               "failed: %s", strerror(errno));
@@ -5139,7 +5137,7 @@ while (*s != 0)
         system doesn't have this function, make it conditional. */
 
 #ifdef SHUT_WR
-	if (!tls_ctx && do_shutdown) shutdown(fd, SHUT_WR);
+	if (!do_tls && do_shutdown) shutdown(cctx.sock, SHUT_WR);
 #endif
 
 	if (f.running_in_test_harness) millisleep(100);
@@ -5147,22 +5145,22 @@ while (*s != 0)
         /* Now we need to read from the socket, under a timeout. The function
         that reads a file can be used. */
 
-	if (!tls_ctx)
-	  fp = fdopen(fd, "rb");
+	if (!do_tls)
+	  fp = fdopen(cctx.sock, "rb");
         sigalrm_seen = FALSE;
         ALARM(timeout);
         yield =
 #ifdef SUPPORT_TLS
-	  tls_ctx ? cat_file_tls(tls_ctx, yield, sub_arg[3]) :
+	  do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) :
 #endif
 		    cat_file(fp, yield, sub_arg[3]);
         ALARM_CLR(0);
 
 #ifdef SUPPORT_TLS
-	if (tls_ctx)
+	if (do_tls)
 	  {
-	  tls_close(tls_ctx, TRUE);
-	  close(fd);
+	  tls_close(cctx.tls_ctx, TRUE);
+	  close(cctx.sock);
 	  }
 	else
 #endif
@@ -5664,6 +5662,12 @@ while (*s != 0)
       uschar *sub[3];
       int save_expand_nmax =
         save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+      /* On reflection the original behaviour of extract-json for a string
+      result, leaving it quoted, was a mistake.  But it was already published,
+      hence the addition of jsons.  In a future major version, make json
+      work like josons, and withdraw jsons. */
+
       enum {extract_basic, extract_json, extract_jsons} fmt = extract_basic;
 
       while (isspace(*s)) s++;
@@ -7097,16 +7101,11 @@ while (*s != 0)
         uschar * t = parse_extract_address(sub, &error, &start, &end, &domain,
           FALSE);
         if (t)
-          if (c != EOP_DOMAIN)
-            {
-            if (c == EOP_LOCAL_PART && domain != 0) end = start + domain - 1;
-            yield = string_catn(yield, sub+start, end-start);
-            }
-          else if (domain != 0)
-            {
-            domain += start;
-            yield = string_catn(yield, sub+domain, end-domain);
-            }
+	  yield = c == EOP_DOMAIN
+	    ? string_cat(yield, t + domain)
+	    : c == EOP_LOCAL_PART && domain > 0
+	    ? string_catn(yield, t, domain - 1 )
+	    : string_cat(yield, t);
         continue;
         }
 
@@ -7130,7 +7129,7 @@ while (*s != 0)
 
         for (;;)
           {
-          uschar *p = parse_find_address_end(sub, FALSE);
+          uschar * p = parse_find_address_end(sub, FALSE);
           uschar saveend = *p;
           *p = '\0';
           address = parse_extract_address(sub, &error, &start, &end, &domain,
@@ -7143,7 +7142,7 @@ while (*s != 0)
           list, add in a space if the new address begins with the separator
           character, or is an empty string. */
 
-          if (address != NULL)
+          if (address)
             {
             if (yield->ptr != save_ptr && address[0] == *outsep)
               yield = string_catn(yield, US" ", 1);
@@ -7516,7 +7515,7 @@ while (*s != 0)
         continue;
         }
 
-      /* Handle time period formating */
+      /* Handle time period formatting */
 
       case EOP_TIME_EVAL:
         {