From 9ef9101c7dc24878b83931e716021378ae789d78 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 10 May 2014 15:37:52 +0100
Subject: [PATCH] New expansion operator sha256 for certificates.  Bug 1170

---
 doc/doc-docbook/spec.xfpt | 14 ++++++++++++++
 doc/doc-txt/ChangeLog     |  1 +
 doc/doc-txt/NewStuff      |  3 ++-
 src/src/expand.c          | 17 ++++++++++++++++-
 src/src/functions.h       |  1 +
 src/src/tlscert-gnu.c     |  6 ++++++
 src/src/tlscert-openssl.c |  6 ++++++
 test/confs/2002           |  3 ++-
 test/confs/2102           |  5 +++--
 test/log/2002             |  3 ++-
 test/log/2102             |  5 +++--
 11 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 3dd72e9f9..cbe5c1851 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -10036,6 +10036,7 @@ Letters in IPv6 addresses are always output in lower case.
 .vitem &*${md5:*&<&'string'&>&*}*&
 .cindex "MD5 hash"
 .cindex "expansion" "MD5 hash"
+.cindex "certificate fingerprint"
 .cindex "&%md5%& expansion item"
 The &%md5%& operator computes the MD5 hash value of the string, and returns it
 as a 32-digit hexadecimal number, in which any letters are in lower case.
@@ -10173,11 +10174,24 @@ variables or headers inside regular expressions.
 .vitem &*${sha1:*&<&'string'&>&*}*&
 .cindex "SHA-1 hash"
 .cindex "expansion" "SHA-1 hashing"
+.cindex "certificate fingerprint"
 .cindex "&%sha2%& expansion item"
 The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
 it as a 40-digit hexadecimal number, in which any letters are in upper case.
 
 
+.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.cindex "SHA-256 hash"
+.cindex "certificate fingerprint"
+.cindex "expansion" "SHA-256 hashing"
+.cindex "&%sha256%& expansion item"
+The &%sha256%& operator computes the SHA-256 hash fingerprint of the
+certificate,
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+Only arguments which are a single variable of certificate type are supported.
+
+
 .vitem &*${stat:*&<&'string'&>&*}*&
 .cindex "expansion" "statting a file"
 .cindex "file" "extracting characteristics"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9704295e3..33e43b196 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -113,6 +113,7 @@ JH/21 Observability of OCSP via variables tls_(in,out)_ocsp.  Stapling
 
 JH/22 Expansion operators ${md5:string} and ${sha1::string} can now
       operate on certificate variables to give certificate fingerprints
+      Also new ${sha256:cert_variable}.
 
 
 Exim version 4.82
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 87bb8a37b..9eebd089f 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -46,7 +46,8 @@ Version 4.83
 
 10. New variables "tls_(in,out)_(our,peer)cert" and expansion item
     "certextract" to extract fields from them. Hash operators md5 and sha1
-    work over them for generating fingerprints.
+    work over them for generating fingerprints, and a new sha256 operator
+    for them added.
 
 
 Version 4.82
diff --git a/src/src/expand.c b/src/src/expand.c
index 127134dbc..9afc036fa 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -205,6 +205,7 @@ static uschar *op_table_main[] = {
   US"rxquote",
   US"s",
   US"sha1",
+  US"sha256",
   US"stat",
   US"str2b64",
   US"strlen",
@@ -242,6 +243,7 @@ enum {
   EOP_RXQUOTE,
   EOP_S,
   EOP_SHA1,
+  EOP_SHA256,
   EOP_STAT,
   EOP_STR2B64,
   EOP_STRLEN,
@@ -5745,8 +5747,9 @@ while (*s != 0)
     switch(c)
       {
 #ifdef SUPPORT_TLS
-      case EOP_SHA1:
       case EOP_MD5:
+      case EOP_SHA1:
+      case EOP_SHA256:
 	if (s[1] == '$')
 	  {
 	  uschar * s1 = s;
@@ -5894,6 +5897,18 @@ while (*s != 0)
 	  }
         continue;
 
+      case EOP_SHA256:
+#ifdef SUPPORT_TLS
+	if (vp && *(void **)vp->value)
+	  {
+	  uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value);
+	  yield = string_cat(yield, &size, &ptr, cp, (int)strlen(cp));
+	  }
+	else
+#endif
+	  expand_string_message = US"sha256 only supported for certificates";
+        continue;
+
       /* Convert hex encoding to base64 encoding */
 
       case EOP_HEX2B64:
diff --git a/src/src/functions.h b/src/src/functions.h
index 38ba7f39d..792f3df4d 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -41,6 +41,7 @@ extern uschar * tls_cert_version(void *, uschar * mod);
 
 extern uschar * tls_cert_fprt_md5(void *);
 extern uschar * tls_cert_fprt_sha1(void *);
+extern uschar * tls_cert_fprt_sha256(void *);
 
 extern int     tls_client_start(int, host_item *, address_item *,
 		 void *);
diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index 32b1986b8..5a4c231bb 100644
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -421,6 +421,12 @@ tls_cert_fprt_sha1(void * cert)
 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
 }
 
+uschar *
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
+}
+
 
 /* vi: aw ai sw=2
 */
diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c
index a36ec2ee2..9903f08f3 100644
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -357,6 +357,12 @@ tls_cert_fprt_sha1(void * cert)
 return fingerprint((X509 *)cert, EVP_sha1());
 }
 
+uschar * 
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_sha256());
+}
+
 
 /* vi: aw ai sw=2
 */
diff --git a/test/confs/2002 b/test/confs/2002
index dfb4feef5..178265d65 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -58,8 +58,9 @@ check_recipient:
 	  logwrite =       ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}}
 #	  logwrite =       ${certextract {ocsp_uri}	{$tls_in_peercert} {OCU <$value>}{(no OCU)}}
 	  logwrite =       ${certextract {crl_uri}	{$tls_in_peercert} {CRU <$value>}{(no CRU)}}
-	  logwrite =  md5 fingerprint ${md5:$tls_in_peercert}
+	  logwrite =  md5    fingerprint ${md5:$tls_in_peercert}
 	  logwrite =  sha1 fingerprint ${sha1:$tls_in_peercert}
+	  logwrite =  sha256 fingerprint ${sha256:$tls_in_peercert}
 
 
 # ----- Routers -----
diff --git a/test/confs/2102 b/test/confs/2102
index 6f29298b1..3d5e51ae6 100644
--- a/test/confs/2102
+++ b/test/confs/2102
@@ -59,8 +59,9 @@ check_recipient:
 	  logwrite =       ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}}
 	  logwrite =       ${certextract {ocsp_uri}	{$tls_in_peercert} {OCU <$value>}{(no OCU)}}
 	  logwrite =       ${certextract {crl_uri}	{$tls_in_peercert} {CRU <$value>}{(no CRU)}}
-	  logwrite =  md5 fingerprint ${md5:$tls_in_peercert}
-	  logwrite =  sha1 fingerprint ${sha1:$tls_in_peercert}
+	  logwrite =  md5    fingerprint ${md5:$tls_in_peercert}
+	  logwrite =  sha1   fingerprint ${sha1:$tls_in_peercert}
+	  logwrite =  sha256 fingerprint ${sha256:$tls_in_peercert}
 
 
 # ----- Routers -----
diff --git a/test/log/2002 b/test/log/2002
index 96762c1a3..6a5d0c899 100644
--- a/test/log/2002
+++ b/test/log/2002
@@ -18,8 +18,9 @@
 1999-03-02 09:44:33 SG  <6c 37 41 26 4d 5d f4 b5 31 10 67 ca fb 64 b6 22 98 62 f7 1e 95 7b 6c e6 74 47 21 f4 5e 89 36 3e b9 9c 8a c5 52 bb c4 af 12 93 26 3b d7 3d e0 56 71 1e 1d 21 20 02 ed f0 4e d5 5e 45 42 fd 3c 38 41 54 83 86 0b 3b bf c5 47 39 ff 15 ea 93 dc fd c7 3d 18 58 59 ca dd 2a d8 b9 f9 2f b9 76 93 f4 ae e3 91 56 80 2f 8c 04 2f ad 57 ef d2 51 19 f4 b4 ef 32 9c ac 3a 7c 0d b8 39 db b1 e3 30 73 1a>
 1999-03-02 09:44:33 SAN <DNS=server2.example.com>
 1999-03-02 09:44:33 CRU <http://crl.example.com/latest.crl>
-1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55
+1999-03-02 09:44:33 md5    fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55
 1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3
+1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
diff --git a/test/log/2102 b/test/log/2102
index 77ef15052..57240408d 100644
--- a/test/log/2102
+++ b/test/log/2102
@@ -20,8 +20,9 @@
 1999-03-02 09:44:33 SAN <DNS=server2.example.com>
 1999-03-02 09:44:33 OCU <http://oscp/example.com/>
 1999-03-02 09:44:33 CRU <http://crl.example.com/latest.crl>
-1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55
-1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3
+1999-03-02 09:44:33 md5    fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55
+1999-03-02 09:44:33 sha1   fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3
+1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
-- 
2.30.2