From db4dcd57f3ce2d62b5a86feadd736836c2909025 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 12 Nov 2017 19:08:43 +0000 Subject: [PATCH] Docs: PRVS validity. Bug 2033 --- doc/doc-docbook/spec.xfpt | 4 ++++ src/src/expand.c | 18 +++++++++--------- test/stdout/0002 | 6 +++--- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f3c7a060e..e3ac7f3b9 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17133,6 +17133,9 @@ use when sending messages as a client, you must set the &%tls_certificate%& option in the relevant &(smtp)& transport. .new +&*Note*&: If you use filenames based on IP addresses, change the list +separator in the usual way to avoid confusion under IPv6. + &*Note*&: Under current versions of OpenSSL, when a list of more than one file is used, the &$tls_in_ourcert$& veriable is unreliable. .wen @@ -31327,6 +31330,7 @@ address and some time-based randomizing information. The &%prvs%& expansion item creates a signed address, and the &%prvscheck%& expansion item checks one. The syntax of these expansion items is described in section &<>&. +The validity period on signed addresses is seven days. As an example, suppose the secret per-address keys are stored in an MySQL database. A query to look up the key for an address could be defined as a macro diff --git a/src/src/expand.c b/src/src/expand.c index f44ddf8b8..881c5fb2a 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -4494,25 +4494,25 @@ while (*s != 0) if (skipping) continue; /* sub_arg[0] is the address */ - domain = Ustrrchr(sub_arg[0],'@'); - if ( (domain == NULL) || (domain == sub_arg[0]) || (Ustrlen(domain) == 1) ) + if ( !(domain = Ustrrchr(sub_arg[0],'@')) + || domain == sub_arg[0] || Ustrlen(domain) == 1) { expand_string_message = US"prvs first argument must be a qualified email address"; goto EXPAND_FAILED; } - /* Calculate the hash. The second argument must be a single-digit + /* Calculate the hash. The third argument must be a single-digit key number, or unset. */ - if (sub_arg[2] != NULL && - (!isdigit(sub_arg[2][0]) || sub_arg[2][1] != 0)) + if ( sub_arg[2] + && (!isdigit(sub_arg[2][0]) || sub_arg[2][1] != 0)) { - expand_string_message = US"prvs second argument must be a single digit"; + expand_string_message = US"prvs third argument must be a single digit"; goto EXPAND_FAILED; } - p = prvs_hmac_sha1(sub_arg[0],sub_arg[1],sub_arg[2],prvs_daystamp(7)); - if (p == NULL) + p = prvs_hmac_sha1(sub_arg[0], sub_arg[1], sub_arg[2], prvs_daystamp(7)); + if (!p) { expand_string_message = US"prvs hmac-sha1 conversion failed"; goto EXPAND_FAILED; @@ -4628,7 +4628,7 @@ while (*s != 0) prvscheck_result = US"1"; DEBUG(D_expand) debug_printf_indent("prvscheck: success, $pvrs_result set to 1\n"); } - else + else { prvscheck_result = NULL; DEBUG(D_expand) debug_printf_indent("prvscheck: signature expired, $pvrs_result unset\n"); diff --git a/test/stdout/0002 b/test/stdout/0002 index c7f8cce80..20f418360 100644 --- a/test/stdout/0002 +++ b/test/stdout/0002 @@ -736,9 +736,9 @@ xyz > > # Syntax errors > -> Failed: prvs second argument must be a single digit -> Failed: prvs second argument must be a single digit -> Failed: prvs second argument must be a single digit +> Failed: prvs third argument must be a single digit +> Failed: prvs third argument must be a single digit +> Failed: prvs third argument must be a single digit > > # Correct checks; can't put explicit addresses in the tests, because they > # will change over time. -- 2.30.2