Add support for ${sha256:<string>}

7 files changed, 52 insertions, 15 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 42e116182..1e5b72e87 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -10490,16 +10490,19 @@ If the string is a single variable of type certificate,
 returns the SHA-1 hash fingerprint of the certificate.
 
 
-.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.vitem &*${sha256:*&<&'string'&>&*}*&
 .cindex "SHA-256 hash"
 .cindex certificate fingerprint
 .cindex "expansion" "SHA-256 hashing"
 .cindex "&%sha256%& expansion item"
-The &%sha256%& operator computes the SHA-256 hash fingerprint of the
-certificate,
+.new
+The &%sha256%& operator computes the SHA-256 hash value of the string
 and returns
 it as a 64-digit hexadecimal number, in which any letters are in upper case.
-Only arguments which are a single variable of certificate type are supported.
+.wen
+
+If the string is a single variable of type certificate,
+returns the SHA-256 hash fingerprint of the certificate.
 
 
 .vitem &*${stat:*&<&'string'&>&*}*&
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 254070e26..7a5aab755 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -37,6 +37,9 @@ JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
 
 JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
 
+JH/10 Support ${sha256:} applied to a string (as well as the previous
+      certificate).
+
 
 Exim version 4.87
 -----------------
@@ -303,7 +306,7 @@ JH/18 Bug 1581: Router and transport options headers_add/remove can
       now have the list separator specified.
 
 JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
-      option values. 
+      option values.
 
 JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
       under OpenSSL.
@@ -318,7 +321,7 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
 
 JH/24 Verification callouts now attempt to use TLS by default.
 
-HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) 
+HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
       are generic router options now. The defaults didn't change.
 
 JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
@@ -938,7 +941,7 @@ PP/12 MAIL args handles TAB as well as SP, for better interop with
       Analysis and variant patch by Todd Lyons.
 
 NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
-      Bug report from Lars Müller <lars@samba.org> (via SUSE), 
+      Bug report from Lars Müller <lars@samba.org> (via SUSE),
       Patch from Dirk Mueller <dmueller@suse.com>
 
 PP/13 tls_peerdn now print-escaped for spool files.
diff --git a/src/src/expand.c b/src/src/expand.c
index 40b697a5d..d23e15fa7 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -2506,7 +2506,6 @@ switch(cond_type)
     checking for them individually. */
 
     if (!isalpha(name[0]) && yield != NULL)
-      {
       if (sub[i][0] == 0)
         {
         num[i] = 0;
@@ -2518,7 +2517,6 @@ switch(cond_type)
         num[i] = expanded_string_integer(sub[i], FALSE);
         if (expand_string_message != NULL) return NULL;
         }
-      }
     }
 
   /* Result not required */
@@ -2686,7 +2684,7 @@ switch(cond_type)
       uschar digest[16];
 
       md5_start(&base);
-      md5_end(&base, (uschar *)sub[0], Ustrlen(sub[0]), digest);
+      md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
 
       /* If the length that we are comparing against is 24, the MD5 digest
       is expressed as a base64 string. This is the way LDAP does it. However,
@@ -2695,7 +2693,7 @@ switch(cond_type)
 
       if (sublen == 24)
         {
-        uschar *coded = b64encode((uschar *)digest, 16);
+        uschar *coded = b64encode(digest, 16);
         DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
           "  subject=%s\n  crypted=%s\n", coded, sub[1]+5);
         tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
@@ -2725,7 +2723,7 @@ switch(cond_type)
       uschar digest[20];
 
       sha1_start(&h);
-      sha1_end(&h, (uschar *)sub[0], Ustrlen(sub[0]), digest);
+      sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
 
       /* If the length that we are comparing against is 28, assume the SHA1
       digest is expressed as a base64 string. If the length is 40, assume a
@@ -2733,7 +2731,7 @@ switch(cond_type)
 
       if (sublen == 28)
         {
-        uschar *coded = b64encode((uschar *)digest, 20);
+        uschar *coded = b64encode(digest, 20);
         DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
           "  subject=%s\n  crypted=%s\n", coded, sub[1]+6);
         tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
@@ -6364,7 +6362,7 @@ while (*s != 0)
 	  sha1_start(&h);
 	  sha1_end(&h, sub, Ustrlen(sub), digest);
 	  for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]);
-	  yield = string_cat(yield, &size, &ptr, US st);
+	  yield = string_catn(yield, &size, &ptr, US st, 40);
 	  }
         continue;
 
@@ -6376,8 +6374,23 @@ while (*s != 0)
 	  yield = string_cat(yield, &size, &ptr, cp);
 	  }
 	else
+	  {
+	  hctx h;
+	  blob b;
+	  char st[3];
+
+	  exim_sha_init(&h, HASH_SHA256);
+	  exim_sha_update(&h, sub, Ustrlen(sub));
+	  exim_sha_finish(&h, &b);
+	  while (b.len-- > 0)
+	    {
+	    sprintf(st, "%02X", *b.data++);
+	    yield = string_catn(yield, &size, &ptr, US st, 2);
+	    }
+	  }
+#else
+	  expand_string_message = US"sha256 only supported with TLS";
 #endif
-	  expand_string_message = US"sha256 only supported for certificates";
         continue;
 
       /* Convert hex encoding to base64 encoding */
diff --git a/test/scripts/2000-GnuTLS/2000 b/test/scripts/2000-GnuTLS/2000
index a1299e574..5e26e4332 100644
--- a/test/scripts/2000-GnuTLS/2000
+++ b/test/scripts/2000-GnuTLS/2000
@@ -13,3 +13,9 @@ exim -qf
 ****
 killdaemon
 no_msglog_check
+#
+#
+exim -be
+sha256: ${sha256:}
+sha256: ${sha256:abc}
+****
diff --git a/test/scripts/2100-OpenSSL/2100 b/test/scripts/2100-OpenSSL/2100
index c2b0f8981..27c6c84d6 100644
--- a/test/scripts/2100-OpenSSL/2100
+++ b/test/scripts/2100-OpenSSL/2100
@@ -8,3 +8,9 @@ exim -qf
 ****
 killdaemon
 no_msglog_check
+#
+#
+exim -be
+sha256: ${sha256:}
+sha256: ${sha256:abc}
+****
diff --git a/test/stdout/2000 b/test/stdout/2000
new file mode 100644
index 000000000..effaada83
--- /dev/null
+++ b/test/stdout/2000
@@ -0,0 +1,3 @@
+> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
+> 
diff --git a/test/stdout/2100 b/test/stdout/2100
new file mode 100644
index 000000000..effaada83
--- /dev/null
+++ b/test/stdout/2100
@@ -0,0 +1,3 @@
+> sha256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+> sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
+>