From: Jeremy Harris Date: Sun, 8 Dec 2019 23:36:01 +0000 (+0000) Subject: Merge branch '4.next' X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/1d717e1c110562fd6bf28478c79f180cafeba776 Merge branch '4.next' --- 1d717e1c110562fd6bf28478c79f180cafeba776 diff --cc doc/doc-docbook/spec.xfpt index abd15d452,0e7d7655c..2946d7013 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@@ -15111,9 -15136,10 +15122,11 @@@ etc. are ignored. If IP literals are en to handle IPv6 literal addresses. - .option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" + .new + .option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, ++.wen and an order of processing. Signatures with algorithms not in the list will be ignored. diff --cc doc/doc-txt/ChangeLog index 1e8a2d216,9f18a2073..9f8775f0f --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@@ -3,6 -5,28 +3,28 @@@ affect Exim's operation, with an unchan options, and new features, see the NewStuff file next to this ChangeLog. -Exim version 4.next -------------------- ++Exim version 4.94 ++----------------- + + JH/01 Avoid costly startup code when not strictly needed. This reduces time + for some exim process initialisations. It does mean that the logging + of TLS configuration problems is only done for the daemon startup. + + JH/02 Early-pipelining support code is now included unless disabled in Makefile. + + JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to + RFC 8301. They can still be enabled, using the dkim_verify_hashes main + option. + + JH/04 Support CHUNKING from an smtp transport using a transport_filter, when + DKIM signing is being done. Previously a transport_filter would always + disable CHUNKING, falling back to traditional DATA. + + JH/05 Regard command-line receipients as tainted. 
+ + JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM. + + Exim version 4.93 ----------------- diff --cc doc/doc-txt/NewStuff index fc307a3ba,18c3d3024..763a806a5 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@@ -6,6 -6,18 +6,16 @@@ Before a formal release, there may be q test from the snapshots or the Git before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. -Version 4.next --------------- ++Version 4.94 ++------------ + + 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec + file. + - 2. Variables $tls_in_ver, $tls_out_ver. - - 3. Channel-binding for authenticators is now supported under OpenSSL. ++ 2. Channel-binding for authenticators is now supported under OpenSSL. + Previously it was GnuTLS-only. + + Version 4.93 ------------ diff --cc src/src/functions.h index f4fcd1e19,da21b8779..ea3cf257c --- a/src/src/functions.h +++ b/src/src/functions.h @@@ -539,7 -541,7 +542,8 @@@ extern int strcmpic(const uschar * extern int strncmpic(const uschar *, const uschar *, int); extern uschar *strstric(uschar *, uschar *, BOOL); +extern int test_harness_fudged_queue_time(int); + extern void tcp_init(void); #ifdef EXIM_TFO_PROBE extern void tfo_probe(void); #endif diff --cc src/src/tls.c index a541a3c7a,d47156cdc..f95091218 --- a/src/src/tls.c +++ b/src/src/tls.c @@@ -371,38 -369,79 +369,111 @@@ return FALSE } +/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment +and writes a file by that name. Our OpenSSL code does the same, using keying +info from the library API. +The GnuTLS support only works if exim is run by root, not taking advantage of +the setuid bit. +You can use either the external environment (modulo the keep_environment config) +or the add_environment config option for SSLKEYLOGFILE; the latter takes +precedence. + +If the path is absolute, require it starts with the spooldir; otherwise delete +the env variable. 
If relative, prefix the spooldir.
+*/
+void
+tls_clean_env(void)
+{
+uschar * path = US getenv("SSLKEYLOGFILE");
+if (path)
+ if (!*path)
+ unsetenv("SSLKEYLOGFILE");
+ else if (*path != '/')
+ {
+ DEBUG(D_tls)
+ debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
+ setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
+ }
+ else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
+ {
+ DEBUG(D_tls)
+ debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
+ unsetenv("SSLKEYLOGFILE");
+ }
+}
+
+ /*************************************************
+ * Drop privs for checking TLS config *
+ *************************************************/
+
+ /* We want to validate TLS options during readconf, but do not want to be
+ root when we call into the TLS library, in case of library linkage errors
+ which cause segfaults; before this check, those were always done as the Exim
+ runtime user and it makes sense to continue with that.
+
+ Assumes: tls_require_ciphers has been set, if it will be
+ exim_user has been set, if it will be
+ exim_group has been set, if it will be
+
+ Returns: bool for "okay"; false will cause caller to immediately exit.
+ */
+
+ BOOL
+ tls_dropprivs_validate_require_cipher(BOOL nowarn)
+ {
+ const uschar *errmsg;
+ pid_t pid;
+ int rc, status;
+ void (*oldsignal)(int);
+
+ /* If TLS will never be used, no point checking ciphers */
+
+ if ( !tls_advertise_hosts
+ || !*tls_advertise_hosts
+ || Ustrcmp(tls_advertise_hosts, ":") == 0
+ )
+ return TRUE;
+ else if (!nowarn && !tls_certificate)
+ log_write(0, LOG_MAIN,
+ "Warning: No server certificate defined; will use a selfsigned one.\n"
+ " Suggested action: either install a certificate or change tls_advertise_hosts option");
+
+ oldsignal = signal(SIGCHLD, SIG_DFL);
+
+ fflush(NULL);
+ if ((pid = fork()) < 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
+
+ if (pid == 0)
+ {
+ /* in some modes, will have dropped privilege already */
+ if (!geteuid())
+ exim_setugid(exim_uid, exim_gid, FALSE,
+ US"calling tls_validate_require_cipher");
+
+ if ((errmsg = tls_validate_require_cipher()))
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+ "tls_require_ciphers invalid: %s", errmsg);
+ fflush(NULL);
+ exim_underbar_exit(0);
+ }
+
+ do {
+ rc = waitpid(pid, &status, 0);
+ } while (rc < 0 && errno == EINTR);
+
+ DEBUG(D_tls)
+ debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n",
+ (int)pid, status);
+
+ signal(SIGCHLD, oldsignal);
+
+ return status == 0;
+ }
+
+
+
 #endif /*!DISABLE_TLS*/
 #endif /*!MACRO_PREDEF*/
diff --cc test/confs/5665
index da6e5197a,000000000..673ec6656
mode 100644,000000..100644
--- a/test/confs/5665
+++ b/test/confs/5665
@@@ -1,101 -1,0 +1,102 @@@
+# Exim test configuration 5652
+# OCSP stapling, server, multiple leaf-certs
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CADIR = DIR/aux-fixed/exim-ca
+DRSA = CADIR/example.com
+DECDSA = CADIR/example_ec.com
+
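Review bot: The absolute-path branch of tls_clean_env only checks that SSLKEYLOGFILE starts with the bytes of spool_directory, so a value like `<spooldir>/../x` or a sibling directory that merely shares the prefix (`<spooldir>2/x`) is accepted as "under the spooldir", and the relative branch prefixes the spool directory without looking for `..` components either. Since the purpose of the check is to confine where a keying-material log may be written, the prefix match should end at a path-separator boundary and any path containing a `..` component should be dropped; a rewrite along those lines is below, with the unchanged debug/setenv stretches elided. Separately, in tls_dropprivs_validate_require_cipher `status` is read in the debug line and in the return when waitpid fails with an errno other than EINTR, so it should be initialised: `int rc, status = -1;`.
```c
/* TRUE if any "/"-separated component of path is exactly ".." */
static BOOL
has_dotdot_component(const uschar * p)
{
for (const uschar * s = p; *s; )
  {
  const uschar * e = Ustrchr(s, '/');
  size_t len = e ? (size_t)(e - s) : Ustrlen(s);
  if (len == 2 && s[0] == '.' && s[1] == '.') return TRUE;
  if (!e) break;
  s = e + 1;
  }
return FALSE;
}

void
tls_clean_env(void)
{
uschar * path = US getenv("SSLKEYLOGFILE");
if (!path) return;

if (!*path || has_dotdot_component(path))
  {
  /* Empty, or could escape the spool via "..": refuse rather than guess */
  DEBUG(D_tls) debug_printf("removing env SSLKEYLOGFILE: empty or contains \"..\"\n");
  unsetenv("SSLKEYLOGFILE");
  }
else if (*path != '/')
  {
  /* … unchanged: prepend spool_directory and setenv … */
  }
else
  {
  size_t slen = Ustrlen(spool_directory);
  /* The spooldir prefix must end at a component boundary, so that a sibling
  directory sharing the prefix is not taken as being under the spool. */
  if (Ustrncmp(path, spool_directory, slen) != 0 || path[slen] != '/')
    {
    /* … unchanged: "not under spooldir" debug message and unsetenv … */
    }
  }
}
```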
+tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.pem +tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key +tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp + + +.ifdef _HAVE_GNUTLS +tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0 +.endif +.ifdef _OPT_OPENSSL_NO_TLSV1_3_X +openssl_options = +no_tlsv1_3 +.endif + +# ------ ACL ------ + +begin acl + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = manualroute + condition = ${if !eq {SERVER}{server}} + route_list = * 127.0.0.1 + self = send + transport = remote_delivery + errors_to = "" + +srvr: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +remote_delivery: + driver = smtp + port = PORT_D ++ hosts_try_fastopen = : + hosts_require_tls = * +.ifdef _HAVE_GNUTLS + tls_require_ciphers = NONE:\ + ${if eq {SELECTOR}{auth_ecdsa} \ + {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \ + {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\ + +CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 +.endif +.ifdef _HAVE_OPENSSL + tls_require_ciphers = ${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}} +.endif + hosts_require_ocsp = * + tls_verify_certificates = CADIR/\ + ${if eq {SELECTOR}{auth_ecdsa} \ + {example_ec.com/server1.example_ec.com/ca_chain.pem}\ + {example.com/server1.example.com/ca_chain.pem}} + tls_verify_cert_hostnames = : + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: 
cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --cc test/log/2102 index dfcfc1b67,bddb8e973..91761cd68 --- a/test/log/2102 +++ b/test/log/2102 @@@ -41,7 -41,7 +41,11 @@@ 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY= 1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac ++<<<<<<< HEAD +1999-03-02 09:44:33 ver: TLS1.x ++======= + 1999-03-02 09:44:33 ver: TLSv1.x ++>>>>>>> 4.next 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 
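Review bot: The header comment of the new file reads `# Exim test configuration 5652` while the file is test/confs/5665, so the number appears to have been carried over from the fixture it was copied from; change it to `# Exim test configuration 5665`. The second header line, `# OCSP stapling, server, multiple leaf-certs`, does describe this test, so only the number needs correcting.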
09:44:33 Our cert SN: diff --cc test/runtest index 87c78070e,30315044f..f53b9d72b --- a/test/runtest +++ b/test/runtest @@@ -3450,17 -3435,16 +3465,17 @@@ while (not ($parm_ipv4 and $parm_ipv6) { if (/^(?:[0-9]+: )?([a-z0-9]+): /) { $ifname = $1; } - if (not $parm_ipv4 and /^\s*inet(?:\saddr)?:?\s?(\d+\.\d+\.\d+\.\d+)(?:\/\d+)?\s/i) + if (not $parm_ipv4 and /^\s*inet(?:\saddr(?:ess))?:?\s*(\d+\.\d+\.\d+\.\d+)(?:\/\d+)?\s/i) { - # It would ne nice to be able to vary the /16 used for manyhome; we could take + # It would be nice to be able to vary the /16 used for manyhome; we could take # an option to runtest used here - but we'd also have to pass it on to fakens. # Possibly an environment variable? next if $1 eq '0.0.0.0' or $1 =~ /^(?:127|10\.250)\./; $parm_ipv4 = $1; } - if (not $parm_ipv6 and /^\s*inet6(?:\saddr(?:ess))?:?\s*([abcdef\d:]+)(?:%[^ \/]+)?(?:\/\d+)?/i) + if ( (not $parm_ipv6 or $parm_ipv6 =~ /%/) - and /^\s*inet6(?:\saddr)?:?\s?([abcdef\d:]+)(?:%[^ \/]+)?(?:\/\d+)?/i) ++ and /^\s*inet6(?:\saddr(?:ess))?:?\s*([abcdef\d:]+)(?:%[^ \/]+)?(?:\/\d+)?/i) { next if $1 eq '::' or $1 eq '::1' or $1 =~ /^ff00/i or $1 =~ /^fe80::1/i; $parm_ipv6 = $1;
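Review bot: The new side of the test/log/2102 hunk commits unresolved merge-conflict markers — `++<<<<<<< HEAD`, `++=======` and `++>>>>>>> 4.next` — around the two candidate `ver:` lines, so the expected-output file now contains marker text and cannot match real test output. Resolve the conflict by keeping exactly one of `1999-03-02 09:44:33 ver: TLS1.x` and `1999-03-02 09:44:33 ver: TLSv1.x` (whichever matches the merged formatting of the version string) and deleting the three marker lines.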