with 256 being the default.
The &%sha3%& expansion item is only supported if Exim has been
-compiled with GnuTLS 3.5.0 or later.
+compiled with GnuTLS 3.5.0 or later,
+.new
+or OpenSSL 1.1.1 or later.
+.wen
.vitem &*${stat:*&<&'string'&>&*}*&
7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on
routing rules in the manualroute router.
+ 8. Expansion item ${sha3:<string>} / ${sha3_<N>:<string>} now also supported
+ under OpenSSL version 1.1.1 or later.
+
Version 4.90
------------
}
continue;
#else
- expand_string_message = US"sha3 only supported with GnuTLS 3.5.0 +";
+ expand_string_message = US"sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +";
goto EXPAND_FAILED;
#endif
case HASH_SHA2_256: h->hashlen = 32; SHA256_Init(&h->u.sha2_256); break;
case HASH_SHA2_384: h->hashlen = 48; SHA384_Init(&h->u.sha2_512); break;
case HASH_SHA2_512: h->hashlen = 64; SHA512_Init(&h->u.sha2_512); break;
+#ifdef EXIM_HAVE_SHA3
+ case HASH_SHA3_224: h->hashlen = 28;
+ EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_224());
+ break;
+ case HASH_SHA3_256: h->hashlen = 32;
+ EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_256());
+ break;
+ case HASH_SHA3_384: h->hashlen = 48;
+ EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_384());
+ break;
+ case HASH_SHA3_512: h->hashlen = 64;
+ EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_512());
+ break;
+#endif
default: h->hashlen = 0; return FALSE;
}
return TRUE;
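Review bot: In the four added HASH_SHA3_* cases the result of `EVP_MD_CTX_new()` is passed straight into `EVP_DigestInit()` and neither return value is checked, so an allocation or digest-setup failure still reaches `return TRUE`, possibly with `h->u.mctx` set to NULL. The update and finish hunks further down then call `EVP_DigestUpdate()` and `EVP_DigestFinal()` on that pointer, also unchecked, so the failure would show up as a crash or an uncomputed digest rather than as an expansion error. Each case should fail the init instead, as sketched below. The enclosing function starts outside this hunk.

```c
#ifdef EXIM_HAVE_SHA3
  case HASH_SHA3_224: h->hashlen = 28;
    if (  !(h->u.mctx = EVP_MD_CTX_new())
       || !EVP_DigestInit(h->u.mctx, EVP_sha3_224()))
      { EVP_MD_CTX_free(h->u.mctx); h->u.mctx = NULL; h->hashlen = 0; return FALSE; }
    break;
  case HASH_SHA3_256: h->hashlen = 32;
    if (  !(h->u.mctx = EVP_MD_CTX_new())
       || !EVP_DigestInit(h->u.mctx, EVP_sha3_256()))
      { EVP_MD_CTX_free(h->u.mctx); h->u.mctx = NULL; h->hashlen = 0; return FALSE; }
    break;
  case HASH_SHA3_384: h->hashlen = 48;
    if (  !(h->u.mctx = EVP_MD_CTX_new())
       || !EVP_DigestInit(h->u.mctx, EVP_sha3_384()))
      { EVP_MD_CTX_free(h->u.mctx); h->u.mctx = NULL; h->hashlen = 0; return FALSE; }
    break;
  case HASH_SHA3_512: h->hashlen = 64;
    if (  !(h->u.mctx = EVP_MD_CTX_new())
       || !EVP_DigestInit(h->u.mctx, EVP_sha3_512()))
      { EVP_MD_CTX_free(h->u.mctx); h->u.mctx = NULL; h->hashlen = 0; return FALSE; }
    break;
#endif
```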
case HASH_SHA2_256: SHA256_Update(&h->u.sha2_256, data, len); break;
case HASH_SHA2_384: SHA384_Update(&h->u.sha2_512, data, len); break;
case HASH_SHA2_512: SHA512_Update(&h->u.sha2_512, data, len); break;
+#ifdef EXIM_HAVE_SHA3
+ case HASH_SHA3_224:
+ case HASH_SHA3_256:
+ case HASH_SHA3_384:
+ case HASH_SHA3_512: EVP_DigestUpdate(h->u.mctx, data, len); break;
+#endif
/* should be blocked by init not handling these, but be explicit to
guard against accidents later (and hush up clang -Wswitch) */
default: assert(0);
case HASH_SHA2_256: SHA256_Final(b->data, &h->u.sha2_256); break;
case HASH_SHA2_384: SHA384_Final(b->data, &h->u.sha2_512); break;
case HASH_SHA2_512: SHA512_Final(b->data, &h->u.sha2_512); break;
+#ifdef EXIM_HAVE_SHA3
+ case HASH_SHA3_224:
+ case HASH_SHA3_256:
+ case HASH_SHA3_384:
+ case HASH_SHA3_512: EVP_DigestFinal(h->u.mctx, b->data, NULL); break;
+#endif
default: assert(0);
}
}
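Review bot: The SHA3 finish case never releases the context that init obtained from `EVP_MD_CTX_new()`. `EVP_DigestFinal()` cleans up the context's contents but does not free the `EVP_MD_CTX` object, so unless it is freed outside this hunk every SHA3 hash leaks one context. Consider `EVP_DigestFinal(h->u.mctx, b->data, NULL); EVP_MD_CTX_free(h->u.mctx); h->u.mctx = NULL; break;`. A hash that is initialised but never finished would still leak, unlike the by-value SHA1/SHA2 contexts, so callers that abandon a hash are worth checking. The function begins outside the hunk.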
case HASH_SHA2_384: h->hashlen = 48; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA384); break;
case HASH_SHA2_512: h->hashlen = 64; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA512); break;
#ifdef EXIM_HAVE_SHA3
+ case HASH_SHA3_224: h->hashlen = 28; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_224); break;
case HASH_SHA3_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_256); break;
case HASH_SHA3_384: h->hashlen = 48; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_384); break;
case HASH_SHA3_512: h->hashlen = 64; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_512); break;
SHA_CTX sha1; /* SHA1 block */
SHA256_CTX sha2_256; /* SHA256 or 224 block */
SHA512_CTX sha2_512; /* SHA512 or 384 block */
+#ifdef EXIM_HAVE_SHA3
+ EVP_MD_CTX * mctx; /* SHA3 block */
+#endif
} u;
#elif defined(SHA_GNUTLS)
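Review bot: The new `mctx` member is the only pointer in this union, yet its comment `/* SHA3 block */` reads as if it were a by-value block like its neighbours. I would state the ownership instead: `/* SHA3: heap context from EVP_MD_CTX_new(); owner must EVP_MD_CTX_free() it */`. Any code that copies the enclosing struct by value would now share one OpenSSL context between the copies; whether such callers exist is not visible here. The struct definition starts outside the hunk.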
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Jeremy Harris 2016 */
+/* Copyright (c) Jeremy Harris 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SHA routine selection */
# else
# define SHA_OPENSSL
+# include <openssl/ssl.h>
+# if OPENSSL_VERSION_NUMBER >= 0x10101000L
+# define EXIM_HAVE_SHA3
+# endif
# endif
#else
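Review bot: The version test `OPENSSL_VERSION_NUMBER >= 0x10101000L` is also satisfied by LibreSSL, which reports 0x20000000L for that macro. A LibreSSL build would therefore define EXIM_HAVE_SHA3 and then depend on the `EVP_sha3_*()` functions being present. If LibreSSL is a supported build target, guard it with `# if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)`. Separately, `<openssl/opensslv.h>` is enough to obtain the version macro, so including `<openssl/ssl.h>` in a selection header is heavier than needed. The surrounding #if chain starts outside the hunk.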
exim -be
sha256: ${sha256:}
sha256: ${sha256:abc}
+
+sha3: ${sha3:}
+sha3: ${sha3:abc}
+sha3_256: ${sha3_256:}
+sha3_256: ${sha3_256:abc}
+sha3_512: ${sha3_512:}
+sha3_512: ${sha3_512:abc}
****
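Review bot: The added expansions cover `sha3`, `sha3_256` and `sha3_512` but not `sha3_224` or `sha3_384`, although this commit adds a 224 case for GnuTLS and all four sizes for OpenSSL. Adding `sha3_224: ${sha3_224:abc}` and `sha3_384: ${sha3_384:abc}` would exercise every new switch arm. The expected output shown on this page records only the failure message, so known-answer digests would presumably need to live in a test that a SHA3-capable build runs.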
> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
>
-> Failed: sha3 only supported with GnuTLS 3.5.0 +
-> Failed: sha3 only supported with GnuTLS 3.5.0 +
-> Failed: sha3 only supported with GnuTLS 3.5.0 +
-> Failed: sha3 only supported with GnuTLS 3.5.0 +
-> Failed: sha3 only supported with GnuTLS 3.5.0 +
-> Failed: sha3 only supported with GnuTLS 3.5.0 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
>
> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
>
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+> Failed: sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +
+>