authorPhil Pennock <pdp@exim.org>2014-04-16 09:36:00 -0700
committerPhil Pennock <pdp@exim.org>2014-04-16 09:36:00 -0700
commit789010e35c84b44cd338d7f8433b1eeacdffa9e0 (patch)
treecb6928ed2f48f4df0c4213ae30d7af47f72f8511
parent14ea0bea67dc606a55b1a7c29ce7e8595bd86f64 (diff)
Add new ALLOW_SYSTEM_CRYPT_BRACES build optiondubious
FreeBSD now defaults to a {sha512} hash prefix. Rather than continue adding more types to crypteq{}{}, to have the same options available everywhere, we allow this build option to cause the comparison to fall through to the system crypt() for unrecognised {...} prefices -- the same logic that happens if the crypt doesn't have a {...} prefix. Set ALLOW_SYSTEM_CRYPT_BRACES in FreeBSD's OS Makefile. The `expand.c` change was tested in a `#if 0` variant by Randy Bush, who confirms that this works. The rest is Exim build tuning and documentation thereof, "too simple to go wrong". *cough*
-rw-r--r--doc/doc-txt/ChangeLog5
-rw-r--r--doc/doc-txt/NewStuff7
-rw-r--r--doc/doc-txt/OptionLists.txt1
-rw-r--r--src/OS/Makefile-FreeBSD3
-rw-r--r--src/src/config.h.defaults2
-rw-r--r--src/src/expand.c2
6 files changed, 20 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e41dc3e02..8a2773759 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,11 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
is a combined value of both the record presence and the result of the
analysis.
+PP/02 Add new ALLOW_SYSTEM_CRYPT_BRACES option, enable by default for FreeBSD,
+ letting crypteq comparisons pass unrecognised {..} prefices through to
+ system crypt.
+
+
Exim version 4.82
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index c168cf2a7..07c8c3285 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -32,6 +32,13 @@ Version 4.83
is split from the encryption operation. The default remains that a failed
verification cancels the encryption.
+ 6. If your system's crypt() supports {hashtype} prefices unknown to Exim,
+ ensure that the compile-time "ALLOW_SYSTEM_CRYPT_BRACES" is defined (it
+ might be by default for your OS). Without this, Exim rejects unrecognised
+ hashtypes, as it always has. With this, the default handling passes the
+ value onto the system crypt(). This is necessary for FreeBSD {sha512}
+ support.
+
Version 4.82
------------
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 4ad112180..e8215d14d 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -815,6 +815,7 @@ only listed below for the TLS implementation cases.
Option Type Description
------------------------------------------------------------------------------
+ALLOW_SYSTEM_CRYPT_BRACES system** system crypt() can handle {hashtype}
ALT_CONFIG_PREFIX optional restricts location of -C files
APPENDFILE_MODE optional*
APPENDFILE_DIRECTORY_MODE optional*
diff --git a/src/OS/Makefile-FreeBSD b/src/OS/Makefile-FreeBSD
index ebb116bf2..ab0918366 100644
--- a/src/OS/Makefile-FreeBSD
+++ b/src/OS/Makefile-FreeBSD
@@ -8,6 +8,9 @@ CHMOD_COMMAND=/bin/chmod
HAVE_SA_LEN=YES
+# FreeBSD has switched to {sha512} as the default hash-type.
+ALLOW_SYSTEM_CRYPT_BRACES=YES
+
# crypt() is in a separate library
LIBS=-lcrypt -lm -lutil
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 962b90d68..6b2bec047 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -13,6 +13,8 @@ it's a default value. */
#define ALT_CONFIG_PREFIX
#define TRUSTED_CONFIG_LIST
+#define ALLOW_SYSTEM_CRYPT_BRACES
+
#define APPENDFILE_MODE 0600
#define APPENDFILE_DIRECTORY_MODE 0700
#define APPENDFILE_LOCKFILE_MODE 0600
diff --git a/src/src/expand.c b/src/src/expand.c
index d2ac8ca79..afe60efc3 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -2616,12 +2616,14 @@ switch(cond_type)
sub[1] += 9;
which = 2;
}
+#ifndef ALLOW_SYSTEM_CRYPT_BRACES
else if (sub[1][0] == '{') /* }-for-text-editors */
{
expand_string_message = string_sprintf("unknown encryption mechanism "
"in \"%s\"", sub[1]);
return NULL;
}
+#endif
switch(which)
{
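Review bot: Compiling out the `else if (sub[1][0] == '{')` rejection means the code after `switch(which)` must now cope with whatever the system crypt() does with an unrecognised `{...}` string, including a NULL return, and nothing in this hunk adds that check. The switch body and the comparison that follows it lie outside the hunk, so this is inferred rather than seen: if the result is passed straight to a string compare, a NULL from crypt() would be dereferenced, and it should instead be treated as a failed match. A mistyped prefix that Exim would otherwise have recognised also stops producing the "unknown encryption mechanism" expansion error and becomes a silent mismatch, which makes configuration mistakes harder to spot. I would record both next to the guard, e.g. `/* With ALLOW_SYSTEM_CRYPT_BRACES, unknown {...} prefixes are handed to the system crypt(); its result may be NULL and typos no longer raise an expansion error. */`.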