1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9
10 /* Functions for handling string expansion. */
11
12
13 #include "exim.h"
14
15 /* Recursively called function */
16
17 static uschar *expand_string_internal(const uschar *, BOOL, const uschar **, BOOL, BOOL, BOOL *);
18 static int_eximarith_t expanded_string_integer(const uschar *, BOOL);
19
20 #ifdef STAND_ALONE
21 # ifndef SUPPORT_CRYPTEQ
22 # define SUPPORT_CRYPTEQ
23 # endif
24 #endif
25
26 #ifdef LOOKUP_LDAP
27 # include "lookups/ldap.h"
28 #endif
29
30 #ifdef SUPPORT_CRYPTEQ
31 # ifdef CRYPT_H
32 # include <crypt.h>
33 # endif
34 # ifndef HAVE_CRYPT16
35 extern char* crypt16(char*, char*);
36 # endif
37 #endif
38
39 /* The handling of crypt16() is a mess. I will record below the analysis of the
40 mess that was sent to me. We decided, however, to make changing this very low
41 priority, because in practice people are moving away from the crypt()
42 algorithms nowadays, so it doesn't seem worth it.
43
44 <quote>
45 There is an algorithm named "crypt16" in Ultrix and Tru64. It crypts
46 the first 8 characters of the password using a 20-round version of crypt
47 (standard crypt does 25 rounds). It then crypts the next 8 characters,
48 or an empty block if the password is less than 9 characters, using a
49 20-round version of crypt and the same salt as was used for the first
50 block. Characters after the first 16 are ignored. It always generates
51 a 16-byte hash, which is expressed together with the salt as a string
52 of 24 base 64 digits. Here are some links to peruse:
53
54 http://cvs.pld.org.pl/pam/pamcrypt/crypt16.c?rev=1.2
55 http://seclists.org/bugtraq/1999/Mar/0076.html
56
57 There's a different algorithm named "bigcrypt" in HP-UX, Digital Unix,
58 and OSF/1. This is the same as the standard crypt if given a password
59 of 8 characters or less. If given more, it first does the same as crypt
60 using the first 8 characters, then crypts the next 8 (the 9th to 16th)
61 using as salt the first two base 64 digits from the first hash block.
62 If the password is more than 16 characters then it crypts the 17th to 24th
63 characters using as salt the first two base 64 digits from the second hash
64 block. And so on: I've seen references to it cutting off the password at
65 40 characters (5 blocks), 80 (10 blocks), or 128 (16 blocks). Some links:
66
67 http://cvs.pld.org.pl/pam/pamcrypt/bigcrypt.c?rev=1.2
68 http://seclists.org/bugtraq/1999/Mar/0109.html
69 http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/HTML/AA-Q0R2D-
70 TET1_html/sec.c222.html#no_id_208
71
72 Exim has something it calls "crypt16". It will either use a native
73 crypt16 or its own implementation. A native crypt16 will presumably
74 be the one that I called "crypt16" above. The internal "crypt16"
75 function, however, is a two-block-maximum implementation of what I called
76 "bigcrypt". The documentation matches the internal code.
77
78 I suspect that whoever did the "crypt16" stuff for Exim didn't realise
79 that crypt16 and bigcrypt were different things.
80
81 Exim uses the LDAP-style scheme identifier "{crypt16}" to refer
82 to whatever it is using under that name. This unfortunately sets a
83 precedent for using "{crypt16}" to identify two incompatible algorithms
84 whose output can't be distinguished. With "{crypt16}" thus rendered
85 ambiguous, I suggest you deprecate it and invent two new identifiers
86 for the two algorithms.
87
88 Both crypt16 and bigcrypt are very poor algorithms, btw. Hashing parts
89 of the password separately means they can be cracked separately, so
90 the double-length hash only doubles the cracking effort instead of
91 squaring it. I recommend salted SHA-1 ({SSHA}), or the Blowfish-based
92 bcrypt ({CRYPT}$2a$).
93 </quote>
94 */
95
96
97
98 /*************************************************
99 * Local statics and tables *
100 *************************************************/
101
102 /* Table of item names, and corresponding switch numbers. The names must be in
103 alphabetical order. */
104
105 static uschar *item_table[] = {
106 US"acl",
107 US"authresults",
108 US"certextract",
109 US"dlfunc",
110 US"env",
111 US"extract",
112 US"filter",
113 US"hash",
114 US"hmac",
115 US"if",
116 #ifdef SUPPORT_I18N
117 US"imapfolder",
118 #endif
119 US"length",
120 US"listextract",
121 US"listquote",
122 US"lookup",
123 US"map",
124 US"nhash",
125 US"perl",
126 US"prvs",
127 US"prvscheck",
128 US"readfile",
129 US"readsocket",
130 US"reduce",
131 US"run",
132 US"sg",
133 US"sort",
134 #ifdef SUPPORT_SRS
135 US"srs_encode",
136 #endif
137 US"substr",
138 US"tr" };
139
140 enum {
141 EITEM_ACL,
142 EITEM_AUTHRESULTS,
143 EITEM_CERTEXTRACT,
144 EITEM_DLFUNC,
145 EITEM_ENV,
146 EITEM_EXTRACT,
147 EITEM_FILTER,
148 EITEM_HASH,
149 EITEM_HMAC,
150 EITEM_IF,
151 #ifdef SUPPORT_I18N
152 EITEM_IMAPFOLDER,
153 #endif
154 EITEM_LENGTH,
155 EITEM_LISTEXTRACT,
156 EITEM_LISTQUOTE,
157 EITEM_LOOKUP,
158 EITEM_MAP,
159 EITEM_NHASH,
160 EITEM_PERL,
161 EITEM_PRVS,
162 EITEM_PRVSCHECK,
163 EITEM_READFILE,
164 EITEM_READSOCK,
165 EITEM_REDUCE,
166 EITEM_RUN,
167 EITEM_SG,
168 EITEM_SORT,
169 #ifdef SUPPORT_SRS
170 EITEM_SRS_ENCODE,
171 #endif
172 EITEM_SUBSTR,
173 EITEM_TR };
174
175 /* Tables of operator names, and corresponding switch numbers. The names must be
176 in alphabetical order. There are two tables, because underscore is used in some
177 cases to introduce arguments, whereas for other it is part of the name. This is
178 an historical mis-design. */
179
180 static uschar *op_table_underscore[] = {
181 US"from_utf8",
182 US"local_part",
183 US"quote_local_part",
184 US"reverse_ip",
185 US"time_eval",
186 US"time_interval"
187 #ifdef SUPPORT_I18N
188 ,US"utf8_domain_from_alabel",
189 US"utf8_domain_to_alabel",
190 US"utf8_localpart_from_alabel",
191 US"utf8_localpart_to_alabel"
192 #endif
193 };
194
195 enum {
196 EOP_FROM_UTF8,
197 EOP_LOCAL_PART,
198 EOP_QUOTE_LOCAL_PART,
199 EOP_REVERSE_IP,
200 EOP_TIME_EVAL,
201 EOP_TIME_INTERVAL
202 #ifdef SUPPORT_I18N
203 ,EOP_UTF8_DOMAIN_FROM_ALABEL,
204 EOP_UTF8_DOMAIN_TO_ALABEL,
205 EOP_UTF8_LOCALPART_FROM_ALABEL,
206 EOP_UTF8_LOCALPART_TO_ALABEL
207 #endif
208 };
209
210 static uschar *op_table_main[] = {
211 US"address",
212 US"addresses",
213 US"base32",
214 US"base32d",
215 US"base62",
216 US"base62d",
217 US"base64",
218 US"base64d",
219 US"domain",
220 US"escape",
221 US"escape8bit",
222 US"eval",
223 US"eval10",
224 US"expand",
225 US"h",
226 US"hash",
227 US"hex2b64",
228 US"hexquote",
229 US"ipv6denorm",
230 US"ipv6norm",
231 US"l",
232 US"lc",
233 US"length",
234 US"listcount",
235 US"listnamed",
236 US"mask",
237 US"md5",
238 US"nh",
239 US"nhash",
240 US"quote",
241 US"randint",
242 US"rfc2047",
243 US"rfc2047d",
244 US"rxquote",
245 US"s",
246 US"sha1",
247 US"sha2",
248 US"sha256",
249 US"sha3",
250 US"stat",
251 US"str2b64",
252 US"strlen",
253 US"substr",
254 US"uc",
255 US"utf8clean" };
256
257 enum {
258 EOP_ADDRESS = nelem(op_table_underscore),
259 EOP_ADDRESSES,
260 EOP_BASE32,
261 EOP_BASE32D,
262 EOP_BASE62,
263 EOP_BASE62D,
264 EOP_BASE64,
265 EOP_BASE64D,
266 EOP_DOMAIN,
267 EOP_ESCAPE,
268 EOP_ESCAPE8BIT,
269 EOP_EVAL,
270 EOP_EVAL10,
271 EOP_EXPAND,
272 EOP_H,
273 EOP_HASH,
274 EOP_HEX2B64,
275 EOP_HEXQUOTE,
276 EOP_IPV6DENORM,
277 EOP_IPV6NORM,
278 EOP_L,
279 EOP_LC,
280 EOP_LENGTH,
281 EOP_LISTCOUNT,
282 EOP_LISTNAMED,
283 EOP_MASK,
284 EOP_MD5,
285 EOP_NH,
286 EOP_NHASH,
287 EOP_QUOTE,
288 EOP_RANDINT,
289 EOP_RFC2047,
290 EOP_RFC2047D,
291 EOP_RXQUOTE,
292 EOP_S,
293 EOP_SHA1,
294 EOP_SHA2,
295 EOP_SHA256,
296 EOP_SHA3,
297 EOP_STAT,
298 EOP_STR2B64,
299 EOP_STRLEN,
300 EOP_SUBSTR,
301 EOP_UC,
302 EOP_UTF8CLEAN };
303
304
305 /* Table of condition names, and corresponding switch numbers. The names must
306 be in alphabetical order. */
307
308 static uschar *cond_table[] = {
309 US"<",
310 US"<=",
311 US"=",
312 US"==", /* Backward compatibility */
313 US">",
314 US">=",
315 US"acl",
316 US"and",
317 US"bool",
318 US"bool_lax",
319 US"crypteq",
320 US"def",
321 US"eq",
322 US"eqi",
323 US"exists",
324 US"first_delivery",
325 US"forall",
326 US"forall_json",
327 US"forall_jsons",
328 US"forany",
329 US"forany_json",
330 US"forany_jsons",
331 US"ge",
332 US"gei",
333 US"gt",
334 US"gti",
335 #ifdef SUPPORT_SRS
336 US"inbound_srs",
337 #endif
338 US"inlist",
339 US"inlisti",
340 US"isip",
341 US"isip4",
342 US"isip6",
343 US"ldapauth",
344 US"le",
345 US"lei",
346 US"lt",
347 US"lti",
348 US"match",
349 US"match_address",
350 US"match_domain",
351 US"match_ip",
352 US"match_local_part",
353 US"or",
354 US"pam",
355 US"pwcheck",
356 US"queue_running",
357 US"radius",
358 US"saslauthd"
359 };
360
361 enum {
362 ECOND_NUM_L,
363 ECOND_NUM_LE,
364 ECOND_NUM_E,
365 ECOND_NUM_EE,
366 ECOND_NUM_G,
367 ECOND_NUM_GE,
368 ECOND_ACL,
369 ECOND_AND,
370 ECOND_BOOL,
371 ECOND_BOOL_LAX,
372 ECOND_CRYPTEQ,
373 ECOND_DEF,
374 ECOND_STR_EQ,
375 ECOND_STR_EQI,
376 ECOND_EXISTS,
377 ECOND_FIRST_DELIVERY,
378 ECOND_FORALL,
379 ECOND_FORALL_JSON,
380 ECOND_FORALL_JSONS,
381 ECOND_FORANY,
382 ECOND_FORANY_JSON,
383 ECOND_FORANY_JSONS,
384 ECOND_STR_GE,
385 ECOND_STR_GEI,
386 ECOND_STR_GT,
387 ECOND_STR_GTI,
388 #ifdef SUPPORT_SRS
389 ECOND_INBOUND_SRS,
390 #endif
391 ECOND_INLIST,
392 ECOND_INLISTI,
393 ECOND_ISIP,
394 ECOND_ISIP4,
395 ECOND_ISIP6,
396 ECOND_LDAPAUTH,
397 ECOND_STR_LE,
398 ECOND_STR_LEI,
399 ECOND_STR_LT,
400 ECOND_STR_LTI,
401 ECOND_MATCH,
402 ECOND_MATCH_ADDRESS,
403 ECOND_MATCH_DOMAIN,
404 ECOND_MATCH_IP,
405 ECOND_MATCH_LOCAL_PART,
406 ECOND_OR,
407 ECOND_PAM,
408 ECOND_PWCHECK,
409 ECOND_QUEUE_RUNNING,
410 ECOND_RADIUS,
411 ECOND_SASLAUTHD
412 };
413
414
415 /* Types of table entry */
416
417 enum vtypes {
418 vtype_int, /* value is address of int */
419 vtype_filter_int, /* ditto, but recognized only when filtering */
420 vtype_ino, /* value is address of ino_t (not always an int) */
421 vtype_uid, /* value is address of uid_t (not always an int) */
422 vtype_gid, /* value is address of gid_t (not always an int) */
423 vtype_bool, /* value is address of bool */
424 vtype_stringptr, /* value is address of pointer to string */
425 vtype_msgbody, /* as stringptr, but read when first required */
426 vtype_msgbody_end, /* ditto, the end of the message */
427 vtype_msgheaders, /* the message's headers, processed */
428 vtype_msgheaders_raw, /* the message's headers, unprocessed */
429 vtype_localpart, /* extract local part from string */
430 vtype_domain, /* extract domain from string */
431 vtype_string_func, /* value is string returned by given function */
432 vtype_todbsdin, /* value not used; generate BSD inbox tod */
433 vtype_tode, /* value not used; generate tod in epoch format */
434 vtype_todel, /* value not used; generate tod in epoch/usec format */
435 vtype_todf, /* value not used; generate full tod */
436 vtype_todl, /* value not used; generate log tod */
437 vtype_todlf, /* value not used; generate log file datestamp tod */
438 vtype_todzone, /* value not used; generate time zone only */
439 vtype_todzulu, /* value not used; generate zulu tod */
440 vtype_reply, /* value not used; get reply from headers */
441 vtype_pid, /* value not used; result is pid */
442 vtype_host_lookup, /* value not used; get host name */
443 vtype_load_avg, /* value not used; result is int from os_getloadavg */
444 vtype_pspace, /* partition space; value is T/F for spool/log */
445 vtype_pinodes, /* partition inodes; value is T/F for spool/log */
446 vtype_cert /* SSL certificate */
447 #ifndef DISABLE_DKIM
448 ,vtype_dkim /* Lookup of value in DKIM signature */
449 #endif
450 };
451
452 /* Type for main variable table */
453
454 typedef struct {
455 const char *name;
456 enum vtypes type;
457 void *value;
458 } var_entry;
459
460 /* Type for entries pointing to address/length pairs. Not currently
461 in use. */
462
463 typedef struct {
464 uschar **address;
465 int *length;
466 } alblock;
467
468 static uschar * fn_recipients(void);
469 typedef uschar * stringptr_fn_t(void);
470 static uschar * fn_queue_size(void);
471
472 /* This table must be kept in alphabetical order. */
473
474 static var_entry var_table[] = {
475 /* WARNING: Do not invent variables whose names start acl_c or acl_m because
476 they will be confused with user-creatable ACL variables. */
477 { "acl_arg1", vtype_stringptr, &acl_arg[0] },
478 { "acl_arg2", vtype_stringptr, &acl_arg[1] },
479 { "acl_arg3", vtype_stringptr, &acl_arg[2] },
480 { "acl_arg4", vtype_stringptr, &acl_arg[3] },
481 { "acl_arg5", vtype_stringptr, &acl_arg[4] },
482 { "acl_arg6", vtype_stringptr, &acl_arg[5] },
483 { "acl_arg7", vtype_stringptr, &acl_arg[6] },
484 { "acl_arg8", vtype_stringptr, &acl_arg[7] },
485 { "acl_arg9", vtype_stringptr, &acl_arg[8] },
486 { "acl_narg", vtype_int, &acl_narg },
487 { "acl_verify_message", vtype_stringptr, &acl_verify_message },
488 { "address_data", vtype_stringptr, &deliver_address_data },
489 { "address_file", vtype_stringptr, &address_file },
490 { "address_pipe", vtype_stringptr, &address_pipe },
491 #ifdef EXPERIMENTAL_ARC
492 { "arc_domains", vtype_string_func, (void *) &fn_arc_domains },
493 { "arc_oldest_pass", vtype_int, &arc_oldest_pass },
494 { "arc_state", vtype_stringptr, &arc_state },
495 { "arc_state_reason", vtype_stringptr, &arc_state_reason },
496 #endif
497 { "authenticated_fail_id",vtype_stringptr, &authenticated_fail_id },
498 { "authenticated_id", vtype_stringptr, &authenticated_id },
499 { "authenticated_sender",vtype_stringptr, &authenticated_sender },
500 { "authentication_failed",vtype_int, &authentication_failed },
501 #ifdef WITH_CONTENT_SCAN
502 { "av_failed", vtype_int, &av_failed },
503 #endif
504 #ifdef EXPERIMENTAL_BRIGHTMAIL
505 { "bmi_alt_location", vtype_stringptr, &bmi_alt_location },
506 { "bmi_base64_tracker_verdict", vtype_stringptr, &bmi_base64_tracker_verdict },
507 { "bmi_base64_verdict", vtype_stringptr, &bmi_base64_verdict },
508 { "bmi_deliver", vtype_int, &bmi_deliver },
509 #endif
510 { "body_linecount", vtype_int, &body_linecount },
511 { "body_zerocount", vtype_int, &body_zerocount },
512 { "bounce_recipient", vtype_stringptr, &bounce_recipient },
513 { "bounce_return_size_limit", vtype_int, &bounce_return_size_limit },
514 { "caller_gid", vtype_gid, &real_gid },
515 { "caller_uid", vtype_uid, &real_uid },
516 { "callout_address", vtype_stringptr, &callout_address },
517 { "compile_date", vtype_stringptr, &version_date },
518 { "compile_number", vtype_stringptr, &version_cnumber },
519 { "config_dir", vtype_stringptr, &config_main_directory },
520 { "config_file", vtype_stringptr, &config_main_filename },
521 { "csa_status", vtype_stringptr, &csa_status },
522 #ifdef EXPERIMENTAL_DCC
523 { "dcc_header", vtype_stringptr, &dcc_header },
524 { "dcc_result", vtype_stringptr, &dcc_result },
525 #endif
526 #ifndef DISABLE_DKIM
527 { "dkim_algo", vtype_dkim, (void *)DKIM_ALGO },
528 { "dkim_bodylength", vtype_dkim, (void *)DKIM_BODYLENGTH },
529 { "dkim_canon_body", vtype_dkim, (void *)DKIM_CANON_BODY },
530 { "dkim_canon_headers", vtype_dkim, (void *)DKIM_CANON_HEADERS },
531 { "dkim_copiedheaders", vtype_dkim, (void *)DKIM_COPIEDHEADERS },
532 { "dkim_created", vtype_dkim, (void *)DKIM_CREATED },
533 { "dkim_cur_signer", vtype_stringptr, &dkim_cur_signer },
534 { "dkim_domain", vtype_stringptr, &dkim_signing_domain },
535 { "dkim_expires", vtype_dkim, (void *)DKIM_EXPIRES },
536 { "dkim_headernames", vtype_dkim, (void *)DKIM_HEADERNAMES },
537 { "dkim_identity", vtype_dkim, (void *)DKIM_IDENTITY },
538 { "dkim_key_granularity",vtype_dkim, (void *)DKIM_KEY_GRANULARITY },
539 { "dkim_key_length", vtype_int, &dkim_key_length },
540 { "dkim_key_nosubdomains",vtype_dkim, (void *)DKIM_NOSUBDOMAINS },
541 { "dkim_key_notes", vtype_dkim, (void *)DKIM_KEY_NOTES },
542 { "dkim_key_srvtype", vtype_dkim, (void *)DKIM_KEY_SRVTYPE },
543 { "dkim_key_testing", vtype_dkim, (void *)DKIM_KEY_TESTING },
544 { "dkim_selector", vtype_stringptr, &dkim_signing_selector },
545 { "dkim_signers", vtype_stringptr, &dkim_signers },
546 { "dkim_verify_reason", vtype_stringptr, &dkim_verify_reason },
547 { "dkim_verify_status", vtype_stringptr, &dkim_verify_status },
548 #endif
549 #ifdef SUPPORT_DMARC
550 { "dmarc_domain_policy", vtype_stringptr, &dmarc_domain_policy },
551 { "dmarc_status", vtype_stringptr, &dmarc_status },
552 { "dmarc_status_text", vtype_stringptr, &dmarc_status_text },
553 { "dmarc_used_domain", vtype_stringptr, &dmarc_used_domain },
554 #endif
555 { "dnslist_domain", vtype_stringptr, &dnslist_domain },
556 { "dnslist_matched", vtype_stringptr, &dnslist_matched },
557 { "dnslist_text", vtype_stringptr, &dnslist_text },
558 { "dnslist_value", vtype_stringptr, &dnslist_value },
559 { "domain", vtype_stringptr, &deliver_domain },
560 { "domain_data", vtype_stringptr, &deliver_domain_data },
561 #ifndef DISABLE_EVENT
562 { "event_data", vtype_stringptr, &event_data },
563
564 /*XXX want to use generic vars for as many of these as possible*/
565 { "event_defer_errno", vtype_int, &event_defer_errno },
566
567 { "event_name", vtype_stringptr, &event_name },
568 #endif
569 { "exim_gid", vtype_gid, &exim_gid },
570 { "exim_path", vtype_stringptr, &exim_path },
571 { "exim_uid", vtype_uid, &exim_uid },
572 { "exim_version", vtype_stringptr, &version_string },
573 { "headers_added", vtype_string_func, (void *) &fn_hdrs_added },
574 { "home", vtype_stringptr, &deliver_home },
575 { "host", vtype_stringptr, &deliver_host },
576 { "host_address", vtype_stringptr, &deliver_host_address },
577 { "host_data", vtype_stringptr, &host_data },
578 { "host_lookup_deferred",vtype_int, &host_lookup_deferred },
579 { "host_lookup_failed", vtype_int, &host_lookup_failed },
580 { "host_port", vtype_int, &deliver_host_port },
581 { "initial_cwd", vtype_stringptr, &initial_cwd },
582 { "inode", vtype_ino, &deliver_inode },
583 { "interface_address", vtype_stringptr, &interface_address },
584 { "interface_port", vtype_int, &interface_port },
585 { "item", vtype_stringptr, &iterate_item },
586 #ifdef LOOKUP_LDAP
587 { "ldap_dn", vtype_stringptr, &eldap_dn },
588 #endif
589 { "load_average", vtype_load_avg, NULL },
590 { "local_part", vtype_stringptr, &deliver_localpart },
591 { "local_part_data", vtype_stringptr, &deliver_localpart_data },
592 { "local_part_prefix", vtype_stringptr, &deliver_localpart_prefix },
593 { "local_part_prefix_v", vtype_stringptr, &deliver_localpart_prefix_v },
594 { "local_part_suffix", vtype_stringptr, &deliver_localpart_suffix },
595 { "local_part_suffix_v", vtype_stringptr, &deliver_localpart_suffix_v },
596 #ifdef HAVE_LOCAL_SCAN
597 { "local_scan_data", vtype_stringptr, &local_scan_data },
598 #endif
599 { "local_user_gid", vtype_gid, &local_user_gid },
600 { "local_user_uid", vtype_uid, &local_user_uid },
601 { "localhost_number", vtype_int, &host_number },
602 { "log_inodes", vtype_pinodes, (void *)FALSE },
603 { "log_space", vtype_pspace, (void *)FALSE },
604 { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
605 { "mailstore_basename", vtype_stringptr, &mailstore_basename },
606 #ifdef WITH_CONTENT_SCAN
607 { "malware_name", vtype_stringptr, &malware_name },
608 #endif
609 { "max_received_linelength", vtype_int, &max_received_linelength },
610 { "message_age", vtype_int, &message_age },
611 { "message_body", vtype_msgbody, &message_body },
612 { "message_body_end", vtype_msgbody_end, &message_body_end },
613 { "message_body_size", vtype_int, &message_body_size },
614 { "message_exim_id", vtype_stringptr, &message_id },
615 { "message_headers", vtype_msgheaders, NULL },
616 { "message_headers_raw", vtype_msgheaders_raw, NULL },
617 { "message_id", vtype_stringptr, &message_id },
618 { "message_linecount", vtype_int, &message_linecount },
619 { "message_size", vtype_int, &message_size },
620 #ifdef SUPPORT_I18N
621 { "message_smtputf8", vtype_bool, &message_smtputf8 },
622 #endif
623 #ifdef WITH_CONTENT_SCAN
624 { "mime_anomaly_level", vtype_int, &mime_anomaly_level },
625 { "mime_anomaly_text", vtype_stringptr, &mime_anomaly_text },
626 { "mime_boundary", vtype_stringptr, &mime_boundary },
627 { "mime_charset", vtype_stringptr, &mime_charset },
628 { "mime_content_description", vtype_stringptr, &mime_content_description },
629 { "mime_content_disposition", vtype_stringptr, &mime_content_disposition },
630 { "mime_content_id", vtype_stringptr, &mime_content_id },
631 { "mime_content_size", vtype_int, &mime_content_size },
632 { "mime_content_transfer_encoding",vtype_stringptr, &mime_content_transfer_encoding },
633 { "mime_content_type", vtype_stringptr, &mime_content_type },
634 { "mime_decoded_filename", vtype_stringptr, &mime_decoded_filename },
635 { "mime_filename", vtype_stringptr, &mime_filename },
636 { "mime_is_coverletter", vtype_int, &mime_is_coverletter },
637 { "mime_is_multipart", vtype_int, &mime_is_multipart },
638 { "mime_is_rfc822", vtype_int, &mime_is_rfc822 },
639 { "mime_part_count", vtype_int, &mime_part_count },
640 #endif
641 { "n0", vtype_filter_int, &filter_n[0] },
642 { "n1", vtype_filter_int, &filter_n[1] },
643 { "n2", vtype_filter_int, &filter_n[2] },
644 { "n3", vtype_filter_int, &filter_n[3] },
645 { "n4", vtype_filter_int, &filter_n[4] },
646 { "n5", vtype_filter_int, &filter_n[5] },
647 { "n6", vtype_filter_int, &filter_n[6] },
648 { "n7", vtype_filter_int, &filter_n[7] },
649 { "n8", vtype_filter_int, &filter_n[8] },
650 { "n9", vtype_filter_int, &filter_n[9] },
651 { "original_domain", vtype_stringptr, &deliver_domain_orig },
652 { "original_local_part", vtype_stringptr, &deliver_localpart_orig },
653 { "originator_gid", vtype_gid, &originator_gid },
654 { "originator_uid", vtype_uid, &originator_uid },
655 { "parent_domain", vtype_stringptr, &deliver_domain_parent },
656 { "parent_local_part", vtype_stringptr, &deliver_localpart_parent },
657 { "pid", vtype_pid, NULL },
658 #ifndef DISABLE_PRDR
659 { "prdr_requested", vtype_bool, &prdr_requested },
660 #endif
661 { "primary_hostname", vtype_stringptr, &primary_hostname },
662 #if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
663 { "proxy_external_address",vtype_stringptr, &proxy_external_address },
664 { "proxy_external_port", vtype_int, &proxy_external_port },
665 { "proxy_local_address", vtype_stringptr, &proxy_local_address },
666 { "proxy_local_port", vtype_int, &proxy_local_port },
667 { "proxy_session", vtype_bool, &proxy_session },
668 #endif
669 { "prvscheck_address", vtype_stringptr, &prvscheck_address },
670 { "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum },
671 { "prvscheck_result", vtype_stringptr, &prvscheck_result },
672 { "qualify_domain", vtype_stringptr, &qualify_domain_sender },
673 { "qualify_recipient", vtype_stringptr, &qualify_domain_recipient },
674 { "queue_name", vtype_stringptr, &queue_name },
675 { "queue_size", vtype_string_func, &fn_queue_size },
676 { "rcpt_count", vtype_int, &rcpt_count },
677 { "rcpt_defer_count", vtype_int, &rcpt_defer_count },
678 { "rcpt_fail_count", vtype_int, &rcpt_fail_count },
679 { "received_count", vtype_int, &received_count },
680 { "received_for", vtype_stringptr, &received_for },
681 { "received_ip_address", vtype_stringptr, &interface_address },
682 { "received_port", vtype_int, &interface_port },
683 { "received_protocol", vtype_stringptr, &received_protocol },
684 { "received_time", vtype_int, &received_time.tv_sec },
685 { "recipient_data", vtype_stringptr, &recipient_data },
686 { "recipient_verify_failure",vtype_stringptr,&recipient_verify_failure },
687 { "recipients", vtype_string_func, (void *) &fn_recipients },
688 { "recipients_count", vtype_int, &recipients_count },
689 #ifdef WITH_CONTENT_SCAN
690 { "regex_match_string", vtype_stringptr, ®ex_match_string },
691 #endif
692 { "reply_address", vtype_reply, NULL },
693 { "return_path", vtype_stringptr, &return_path },
694 { "return_size_limit", vtype_int, &bounce_return_size_limit },
695 { "router_name", vtype_stringptr, &router_name },
696 { "runrc", vtype_int, &runrc },
697 { "self_hostname", vtype_stringptr, &self_hostname },
698 { "sender_address", vtype_stringptr, &sender_address },
699 { "sender_address_data", vtype_stringptr, &sender_address_data },
700 { "sender_address_domain", vtype_domain, &sender_address },
701 { "sender_address_local_part", vtype_localpart, &sender_address },
702 { "sender_data", vtype_stringptr, &sender_data },
703 { "sender_fullhost", vtype_stringptr, &sender_fullhost },
704 { "sender_helo_dnssec", vtype_bool, &sender_helo_dnssec },
705 { "sender_helo_name", vtype_stringptr, &sender_helo_name },
706 { "sender_host_address", vtype_stringptr, &sender_host_address },
707 { "sender_host_authenticated",vtype_stringptr, &sender_host_authenticated },
708 { "sender_host_dnssec", vtype_bool, &sender_host_dnssec },
709 { "sender_host_name", vtype_host_lookup, NULL },
710 { "sender_host_port", vtype_int, &sender_host_port },
711 { "sender_ident", vtype_stringptr, &sender_ident },
712 { "sender_rate", vtype_stringptr, &sender_rate },
713 { "sender_rate_limit", vtype_stringptr, &sender_rate_limit },
714 { "sender_rate_period", vtype_stringptr, &sender_rate_period },
715 { "sender_rcvhost", vtype_stringptr, &sender_rcvhost },
716 { "sender_verify_failure",vtype_stringptr, &sender_verify_failure },
717 { "sending_ip_address", vtype_stringptr, &sending_ip_address },
718 { "sending_port", vtype_int, &sending_port },
719 { "smtp_active_hostname", vtype_stringptr, &smtp_active_hostname },
720 { "smtp_command", vtype_stringptr, &smtp_cmd_buffer },
721 { "smtp_command_argument", vtype_stringptr, &smtp_cmd_argument },
722 { "smtp_command_history", vtype_string_func, (void *) &smtp_cmd_hist },
723 { "smtp_count_at_connection_start", vtype_int, &smtp_accept_count },
724 { "smtp_notquit_reason", vtype_stringptr, &smtp_notquit_reason },
725 { "sn0", vtype_filter_int, &filter_sn[0] },
726 { "sn1", vtype_filter_int, &filter_sn[1] },
727 { "sn2", vtype_filter_int, &filter_sn[2] },
728 { "sn3", vtype_filter_int, &filter_sn[3] },
729 { "sn4", vtype_filter_int, &filter_sn[4] },
730 { "sn5", vtype_filter_int, &filter_sn[5] },
731 { "sn6", vtype_filter_int, &filter_sn[6] },
732 { "sn7", vtype_filter_int, &filter_sn[7] },
733 { "sn8", vtype_filter_int, &filter_sn[8] },
734 { "sn9", vtype_filter_int, &filter_sn[9] },
735 #ifdef WITH_CONTENT_SCAN
736 { "spam_action", vtype_stringptr, &spam_action },
737 { "spam_bar", vtype_stringptr, &spam_bar },
738 { "spam_report", vtype_stringptr, &spam_report },
739 { "spam_score", vtype_stringptr, &spam_score },
740 { "spam_score_int", vtype_stringptr, &spam_score_int },
741 #endif
742 #ifdef SUPPORT_SPF
743 { "spf_guess", vtype_stringptr, &spf_guess },
744 { "spf_header_comment", vtype_stringptr, &spf_header_comment },
745 { "spf_received", vtype_stringptr, &spf_received },
746 { "spf_result", vtype_stringptr, &spf_result },
747 { "spf_result_guessed", vtype_bool, &spf_result_guessed },
748 { "spf_smtp_comment", vtype_stringptr, &spf_smtp_comment },
749 #endif
750 { "spool_directory", vtype_stringptr, &spool_directory },
751 { "spool_inodes", vtype_pinodes, (void *)TRUE },
752 { "spool_space", vtype_pspace, (void *)TRUE },
753 #ifdef EXPERIMENTAL_SRS_ALT
754 { "srs_db_address", vtype_stringptr, &srs_db_address },
755 { "srs_db_key", vtype_stringptr, &srs_db_key },
756 { "srs_orig_recipient", vtype_stringptr, &srs_orig_recipient },
757 { "srs_orig_sender", vtype_stringptr, &srs_orig_sender },
758 #endif
759 #if defined(EXPERIMENTAL_SRS_ALT) || defined(SUPPORT_SRS)
760 { "srs_recipient", vtype_stringptr, &srs_recipient },
761 #endif
762 #ifdef EXPERIMENTAL_SRS_ALT
763 { "srs_status", vtype_stringptr, &srs_status },
764 #endif
765 { "thisaddress", vtype_stringptr, &filter_thisaddress },
766
767 /* The non-(in,out) variables are now deprecated */
768 { "tls_bits", vtype_int, &tls_in.bits },
769 { "tls_certificate_verified", vtype_int, &tls_in.certificate_verified },
770 { "tls_cipher", vtype_stringptr, &tls_in.cipher },
771
772 { "tls_in_bits", vtype_int, &tls_in.bits },
773 { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
774 { "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
775 { "tls_in_cipher_std", vtype_stringptr, &tls_in.cipher_stdname },
776 { "tls_in_ocsp", vtype_int, &tls_in.ocsp },
777 { "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
778 { "tls_in_peercert", vtype_cert, &tls_in.peercert },
779 { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
780 #ifndef DISABLE_TLS_RESUME
781 { "tls_in_resumption", vtype_int, &tls_in.resumption },
782 #endif
783 #ifndef DISABLE_TLS
784 { "tls_in_sni", vtype_stringptr, &tls_in.sni },
785 #endif
786 { "tls_in_ver", vtype_stringptr, &tls_in.ver },
787 { "tls_out_bits", vtype_int, &tls_out.bits },
788 { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
789 { "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
790 { "tls_out_cipher_std", vtype_stringptr, &tls_out.cipher_stdname },
791 #ifdef SUPPORT_DANE
792 { "tls_out_dane", vtype_bool, &tls_out.dane_verified },
793 #endif
794 { "tls_out_ocsp", vtype_int, &tls_out.ocsp },
795 { "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
796 { "tls_out_peercert", vtype_cert, &tls_out.peercert },
797 { "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
798 #ifndef DISABLE_TLS_RESUME
799 { "tls_out_resumption", vtype_int, &tls_out.resumption },
800 #endif
801 #ifndef DISABLE_TLS
802 { "tls_out_sni", vtype_stringptr, &tls_out.sni },
803 #endif
804 #ifdef SUPPORT_DANE
805 { "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage },
806 #endif
807 { "tls_out_ver", vtype_stringptr, &tls_out.ver },
808
809 { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
810 #ifndef DISABLE_TLS
811 { "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
812 #endif
813
814 { "tod_bsdinbox", vtype_todbsdin, NULL },
815 { "tod_epoch", vtype_tode, NULL },
816 { "tod_epoch_l", vtype_todel, NULL },
817 { "tod_full", vtype_todf, NULL },
818 { "tod_log", vtype_todl, NULL },
819 { "tod_logfile", vtype_todlf, NULL },
820 { "tod_zone", vtype_todzone, NULL },
821 { "tod_zulu", vtype_todzulu, NULL },
822 { "transport_name", vtype_stringptr, &transport_name },
823 { "value", vtype_stringptr, &lookup_value },
824 { "verify_mode", vtype_stringptr, &verify_mode },
825 { "version_number", vtype_stringptr, &version_string },
826 { "warn_message_delay", vtype_stringptr, &warnmsg_delay },
827 { "warn_message_recipient",vtype_stringptr, &warnmsg_recipients },
828 { "warn_message_recipients",vtype_stringptr,&warnmsg_recipients },
829 { "warnmsg_delay", vtype_stringptr, &warnmsg_delay },
830 { "warnmsg_recipient", vtype_stringptr, &warnmsg_recipients },
831 { "warnmsg_recipients", vtype_stringptr, &warnmsg_recipients }
832 };
833
834 static int var_table_size = nelem(var_table);
835 static uschar var_buffer[256];
836 static BOOL malformed_header;
837
838 /* For textual hashes */
839
840 static const char *hashcodes = "abcdefghijklmnopqrtsuvwxyz"
841 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
842 "0123456789";
843
844 enum { HMAC_MD5, HMAC_SHA1 };
845
846 /* For numeric hashes */
847
848 static unsigned int prime[] = {
849 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
850 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
851 73, 79, 83, 89, 97, 101, 103, 107, 109, 113};
852
853 /* For printing modes in symbolic form */
854
855 static uschar *mtable_normal[] =
856 { US"---", US"--x", US"-w-", US"-wx", US"r--", US"r-x", US"rw-", US"rwx" };
857
858 static uschar *mtable_setid[] =
859 { US"--S", US"--s", US"-wS", US"-ws", US"r-S", US"r-s", US"rwS", US"rws" };
860
861 static uschar *mtable_sticky[] =
862 { US"--T", US"--t", US"-wT", US"-wt", US"r-T", US"r-t", US"rwT", US"rwt" };
863
864 /* flags for find_header() */
865 #define FH_EXISTS_ONLY BIT(0)
866 #define FH_WANT_RAW BIT(1)
867 #define FH_WANT_LIST BIT(2)
868
869
870 /*************************************************
871 * Tables for UTF-8 support *
872 *************************************************/
873
874 /* Table of the number of extra characters, indexed by the first character
875 masked with 0x3f. The highest number for a valid UTF-8 character is in fact
876 0x3d. */
877
878 static uschar utf8_table1[] = {
879 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
880 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
881 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
882 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5 };
883
884 /* These are the masks for the data bits in the first byte of a character,
885 indexed by the number of additional bytes. */
886
887 static int utf8_table2[] = { 0xff, 0x1f, 0x0f, 0x07, 0x03, 0x01};
888
889 /* Get the next UTF-8 character, advancing the pointer. */
890
891 #define GETUTF8INC(c, ptr) \
892 c = *ptr++; \
893 if ((c & 0xc0) == 0xc0) \
894 { \
895 int a = utf8_table1[c & 0x3f]; /* Number of additional bytes */ \
896 int s = 6*a; \
897 c = (c & utf8_table2[a]) << s; \
898 while (a-- > 0) \
899 { \
900 s -= 6; \
901 c |= (*ptr++ & 0x3f) << s; \
902 } \
903 }
904
905
906
907 static uschar * base32_chars = US"abcdefghijklmnopqrstuvwxyz234567";
908
909 /*************************************************
910 * Binary chop search on a table *
911 *************************************************/
912
913 /* This is used for matching expansion items and operators.
914
915 Arguments:
916 name the name that is being sought
917 table the table to search
918 table_size the number of items in the table
919
920 Returns: the offset in the table, or -1
921 */
922
923 static int
chop_match(uschar * name,uschar ** table,int table_size)924 chop_match(uschar *name, uschar **table, int table_size)
925 {
926 uschar **bot = table;
927 uschar **top = table + table_size;
928
929 while (top > bot)
930 {
931 uschar **mid = bot + (top - bot)/2;
932 int c = Ustrcmp(name, *mid);
933 if (c == 0) return mid - table;
934 if (c > 0) bot = mid + 1; else top = mid;
935 }
936
937 return -1;
938 }
939
940
941
942 /*************************************************
943 * Check a condition string *
944 *************************************************/
945
946 /* This function is called to expand a string, and test the result for a "true"
947 or "false" value. Failure of the expansion yields FALSE; logged unless it was a
948 forced fail or lookup defer.
949
950 We used to release all store used, but this is not not safe due
951 to ${dlfunc } and ${acl }. In any case expand_string_internal()
952 is reasonably careful to release what it can.
953
954 The actual false-value tests should be replicated for ECOND_BOOL_LAX.
955
956 Arguments:
957 condition the condition string
958 m1 text to be incorporated in panic error
959 m2 ditto
960
961 Returns: TRUE if condition is met, FALSE if not
962 */
963
964 BOOL
expand_check_condition(uschar * condition,uschar * m1,uschar * m2)965 expand_check_condition(uschar *condition, uschar *m1, uschar *m2)
966 {
967 uschar * ss = expand_string(condition);
968 if (!ss)
969 {
970 if (!f.expand_string_forcedfail && !f.search_find_defer)
971 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand condition \"%s\" "
972 "for %s %s: %s", condition, m1, m2, expand_string_message);
973 return FALSE;
974 }
975 return *ss && Ustrcmp(ss, "0") != 0 && strcmpic(ss, US"no") != 0 &&
976 strcmpic(ss, US"false") != 0;
977 }
978
979
980
981
982 /*************************************************
983 * Pseudo-random number generation *
984 *************************************************/
985
986 /* Pseudo-random number generation. The result is not "expected" to be
987 cryptographically strong but not so weak that someone will shoot themselves
988 in the foot using it as a nonce in some email header scheme or whatever
989 weirdness they'll twist this into. The result should ideally handle fork().
990
991 However, if we're stuck unable to provide this, then we'll fall back to
992 appallingly bad randomness.
993
994 If DISABLE_TLS is not defined then this will not be used except as an emergency
995 fallback.
996
997 Arguments:
998 max range maximum
999 Returns a random number in range [0, max-1]
1000 */
1001
1002 #ifndef DISABLE_TLS
1003 # define vaguely_random_number vaguely_random_number_fallback
1004 #endif
1005 int
vaguely_random_number(int max)1006 vaguely_random_number(int max)
1007 {
1008 #ifndef DISABLE_TLS
1009 # undef vaguely_random_number
1010 #endif
1011 static pid_t pid = 0;
1012 pid_t p2;
1013
1014 if ((p2 = getpid()) != pid)
1015 {
1016 if (pid != 0)
1017 {
1018
1019 #ifdef HAVE_ARC4RANDOM
1020 /* cryptographically strong randomness, common on *BSD platforms, not
1021 so much elsewhere. Alas. */
1022 # ifndef NOT_HAVE_ARC4RANDOM_STIR
1023 arc4random_stir();
1024 # endif
1025 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
1026 # ifdef HAVE_SRANDOMDEV
1027 /* uses random(4) for seeding */
1028 srandomdev();
1029 # else
1030 {
1031 struct timeval tv;
1032 gettimeofday(&tv, NULL);
1033 srandom(tv.tv_sec | tv.tv_usec | getpid());
1034 }
1035 # endif
1036 #else
1037 /* Poor randomness and no seeding here */
1038 #endif
1039
1040 }
1041 pid = p2;
1042 }
1043
1044 #ifdef HAVE_ARC4RANDOM
1045 return arc4random() % max;
1046 #elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
1047 return random() % max;
1048 #else
1049 /* This one returns a 16-bit number, definitely not crypto-strong */
1050 return random_number(max);
1051 #endif
1052 }
1053
1054
1055
1056
1057 /*************************************************
1058 * Pick out a name from a string *
1059 *************************************************/
1060
1061 /* If the name is too long, it is silently truncated.
1062
1063 Arguments:
1064 name points to a buffer into which to put the name
1065 max is the length of the buffer
1066 s points to the first alphabetic character of the name
1067 extras chars other than alphanumerics to permit
1068
1069 Returns: pointer to the first character after the name
1070
1071 Note: The test for *s != 0 in the while loop is necessary because
1072 Ustrchr() yields non-NULL if the character is zero (which is not something
1073 I expected). */
1074
1075 static const uschar *
read_name(uschar * name,int max,const uschar * s,uschar * extras)1076 read_name(uschar *name, int max, const uschar *s, uschar *extras)
1077 {
1078 int ptr = 0;
1079 while (*s && (isalnum(*s) || Ustrchr(extras, *s) != NULL))
1080 {
1081 if (ptr < max-1) name[ptr++] = *s;
1082 s++;
1083 }
1084 name[ptr] = 0;
1085 return s;
1086 }
1087
1088
1089
1090 /*************************************************
1091 * Pick out the rest of a header name *
1092 *************************************************/
1093
1094 /* A variable name starting $header_ (or just $h_ for those who like
1095 abbreviations) might not be the complete header name because headers can
1096 contain any printing characters in their names, except ':'. This function is
1097 called to read the rest of the name, chop h[eader]_ off the front, and put ':'
1098 on the end, if the name was terminated by white space.
1099
1100 Arguments:
1101 name points to a buffer in which the name read so far exists
1102 max is the length of the buffer
1103 s points to the first character after the name so far, i.e. the
1104 first non-alphameric character after $header_xxxxx
1105
1106 Returns: a pointer to the first character after the header name
1107 */
1108
1109 static const uschar *
read_header_name(uschar * name,int max,const uschar * s)1110 read_header_name(uschar *name, int max, const uschar *s)
1111 {
1112 int prelen = Ustrchr(name, '_') - name + 1;
1113 int ptr = Ustrlen(name) - prelen;
1114 if (ptr > 0) memmove(name, name+prelen, ptr);
1115 while (mac_isgraph(*s) && *s != ':')
1116 {
1117 if (ptr < max-1) name[ptr++] = *s;
1118 s++;
1119 }
1120 if (*s == ':') s++;
1121 name[ptr++] = ':';
1122 name[ptr] = 0;
1123 return s;
1124 }
1125
1126
1127
1128 /*************************************************
1129 * Pick out a number from a string *
1130 *************************************************/
1131
1132 /* Arguments:
1133 n points to an integer into which to put the number
1134 s points to the first digit of the number
1135
1136 Returns: a pointer to the character after the last digit
1137 */
1138 /*XXX consider expanding to int_eximarith_t. But the test for
1139 "overbig numbers" in 0002 still needs to overflow it. */
1140
1141 static uschar *
read_number(int * n,uschar * s)1142 read_number(int *n, uschar *s)
1143 {
1144 *n = 0;
1145 while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
1146 return s;
1147 }
1148
1149 static const uschar *
read_cnumber(int * n,const uschar * s)1150 read_cnumber(int *n, const uschar *s)
1151 {
1152 *n = 0;
1153 while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
1154 return s;
1155 }
1156
1157
1158
1159 /*************************************************
1160 * Extract keyed subfield from a string *
1161 *************************************************/
1162
1163 /* The yield is in dynamic store; NULL means that the key was not found.
1164
1165 Arguments:
1166 key points to the name of the key
1167 s points to the string from which to extract the subfield
1168
1169 Returns: NULL if the subfield was not found, or
1170 a pointer to the subfield's data
1171 */
1172
1173 uschar *
expand_getkeyed(const uschar * key,const uschar * s)1174 expand_getkeyed(const uschar * key, const uschar * s)
1175 {
1176 int length = Ustrlen(key);
1177 Uskip_whitespace(&s);
1178
1179 /* Loop to search for the key */
1180
1181 while (*s)
1182 {
1183 int dkeylength;
1184 uschar * data;
1185 const uschar * dkey = s;
1186
1187 while (*s && *s != '=' && !isspace(*s)) s++;
1188 dkeylength = s - dkey;
1189 if (Uskip_whitespace(&s) == '=') while (isspace(*++s));
1190
1191 data = string_dequote(&s);
1192 if (length == dkeylength && strncmpic(key, dkey, length) == 0)
1193 return data;
1194
1195 Uskip_whitespace(&s);
1196 }
1197
1198 return NULL;
1199 }
1200
1201
1202
1203 static var_entry *
find_var_ent(uschar * name)1204 find_var_ent(uschar * name)
1205 {
1206 int first = 0;
1207 int last = var_table_size;
1208
1209 while (last > first)
1210 {
1211 int middle = (first + last)/2;
1212 int c = Ustrcmp(name, var_table[middle].name);
1213
1214 if (c > 0) { first = middle + 1; continue; }
1215 if (c < 0) { last = middle; continue; }
1216 return &var_table[middle];
1217 }
1218 return NULL;
1219 }
1220
1221 /*************************************************
1222 * Extract numbered subfield from string *
1223 *************************************************/
1224
1225 /* Extracts a numbered field from a string that is divided by tokens - for
1226 example a line from /etc/passwd is divided by colon characters. First field is
1227 numbered one. Negative arguments count from the right. Zero returns the whole
1228 string. Returns NULL if there are insufficient tokens in the string
1229
1230 ***WARNING***
1231 Modifies final argument - this is a dynamically generated string, so that's OK.
1232
1233 Arguments:
1234 field number of field to be extracted,
1235 first field = 1, whole string = 0, last field = -1
1236 separators characters that are used to break string into tokens
1237 s points to the string from which to extract the subfield
1238
1239 Returns: NULL if the field was not found,
1240 a pointer to the field's data inside s (modified to add 0)
1241 */
1242
1243 static uschar *
expand_gettokened(int field,uschar * separators,uschar * s)1244 expand_gettokened (int field, uschar *separators, uschar *s)
1245 {
1246 int sep = 1;
1247 int count;
1248 uschar *ss = s;
1249 uschar *fieldtext = NULL;
1250
1251 if (field == 0) return s;
1252
1253 /* Break the line up into fields in place; for field > 0 we stop when we have
1254 done the number of fields we want. For field < 0 we continue till the end of
1255 the string, counting the number of fields. */
1256
1257 count = (field > 0)? field : INT_MAX;
1258
1259 while (count-- > 0)
1260 {
1261 size_t len;
1262
1263 /* Previous field was the last one in the string. For a positive field
1264 number, this means there are not enough fields. For a negative field number,
1265 check that there are enough, and scan back to find the one that is wanted. */
1266
1267 if (sep == 0)
1268 {
1269 if (field > 0 || (-field) > (INT_MAX - count - 1)) return NULL;
1270 if ((-field) == (INT_MAX - count - 1)) return s;
1271 while (field++ < 0)
1272 {
1273 ss--;
1274 while (ss[-1] != 0) ss--;
1275 }
1276 fieldtext = ss;
1277 break;
1278 }
1279
1280 /* Previous field was not last in the string; save its start and put a
1281 zero at its end. */
1282
1283 fieldtext = ss;
1284 len = Ustrcspn(ss, separators);
1285 sep = ss[len];
1286 ss[len] = 0;
1287 ss += len + 1;
1288 }
1289
1290 return fieldtext;
1291 }
1292
1293
1294 static uschar *
expand_getlistele(int field,const uschar * list)1295 expand_getlistele(int field, const uschar * list)
1296 {
1297 const uschar * tlist = list;
1298 int sep = 0;
1299 /* Tainted mem for the throwaway element copies */
1300 uschar * dummy = store_get(2, TRUE);
1301
1302 if (field < 0)
1303 {
1304 for (field++; string_nextinlist(&tlist, &sep, dummy, 1); ) field++;
1305 sep = 0;
1306 }
1307 if (field == 0) return NULL;
1308 while (--field > 0 && (string_nextinlist(&list, &sep, dummy, 1))) ;
1309 return string_nextinlist(&list, &sep, NULL, 0);
1310 }
1311
1312
1313 /* Certificate fields, by name. Worry about by-OID later */
1314 /* Names are chosen to not have common prefixes */
1315
1316 #ifndef DISABLE_TLS
1317 typedef struct
1318 {
1319 uschar * name;
1320 int namelen;
1321 uschar * (*getfn)(void * cert, uschar * mod);
1322 } certfield;
1323 static certfield certfields[] =
1324 { /* linear search; no special order */
1325 { US"version", 7, &tls_cert_version },
1326 { US"serial_number", 13, &tls_cert_serial_number },
1327 { US"subject", 7, &tls_cert_subject },
1328 { US"notbefore", 9, &tls_cert_not_before },
1329 { US"notafter", 8, &tls_cert_not_after },
1330 { US"issuer", 6, &tls_cert_issuer },
1331 { US"signature", 9, &tls_cert_signature },
1332 { US"sig_algorithm", 13, &tls_cert_signature_algorithm },
1333 { US"subj_altname", 12, &tls_cert_subject_altname },
1334 { US"ocsp_uri", 8, &tls_cert_ocsp_uri },
1335 { US"crl_uri", 7, &tls_cert_crl_uri },
1336 };
1337
1338 static uschar *
expand_getcertele(uschar * field,uschar * certvar)1339 expand_getcertele(uschar * field, uschar * certvar)
1340 {
1341 var_entry * vp;
1342
1343 if (!(vp = find_var_ent(certvar)))
1344 {
1345 expand_string_message =
1346 string_sprintf("no variable named \"%s\"", certvar);
1347 return NULL; /* Unknown variable name */
1348 }
1349 /* NB this stops us passing certs around in variable. Might
1350 want to do that in future */
1351 if (vp->type != vtype_cert)
1352 {
1353 expand_string_message =
1354 string_sprintf("\"%s\" is not a certificate", certvar);
1355 return NULL; /* Unknown variable name */
1356 }
1357 if (!*(void **)vp->value)
1358 return NULL;
1359
1360 if (*field >= '0' && *field <= '9')
1361 return tls_cert_ext_by_oid(*(void **)vp->value, field, 0);
1362
1363 for (certfield * cp = certfields;
1364 cp < certfields + nelem(certfields);
1365 cp++)
1366 if (Ustrncmp(cp->name, field, cp->namelen) == 0)
1367 {
1368 uschar * modifier = *(field += cp->namelen) == ','
1369 ? ++field : NULL;
1370 return (*cp->getfn)( *(void **)vp->value, modifier );
1371 }
1372
1373 expand_string_message =
1374 string_sprintf("bad field selector \"%s\" for certextract", field);
1375 return NULL;
1376 }
1377 #endif /*DISABLE_TLS*/
1378
1379 /*************************************************
1380 * Extract a substring from a string *
1381 *************************************************/
1382
1383 /* Perform the ${substr or ${length expansion operations.
1384
1385 Arguments:
1386 subject the input string
1387 value1 the offset from the start of the input string to the start of
1388 the output string; if negative, count from the right.
1389 value2 the length of the output string, or negative (-1) for unset
1390 if value1 is positive, unset means "all after"
1391 if value1 is negative, unset means "all before"
1392 len set to the length of the returned string
1393
1394 Returns: pointer to the output string, or NULL if there is an error
1395 */
1396
1397 static uschar *
extract_substr(uschar * subject,int value1,int value2,int * len)1398 extract_substr(uschar *subject, int value1, int value2, int *len)
1399 {
1400 int sublen = Ustrlen(subject);
1401
1402 if (value1 < 0) /* count from right */
1403 {
1404 value1 += sublen;
1405
1406 /* If the position is before the start, skip to the start, and adjust the
1407 length. If the length ends up negative, the substring is null because nothing
1408 can precede. This falls out naturally when the length is unset, meaning "all
1409 to the left". */
1410
1411 if (value1 < 0)
1412 {
1413 value2 += value1;
1414 if (value2 < 0) value2 = 0;
1415 value1 = 0;
1416 }
1417
1418 /* Otherwise an unset length => characters before value1 */
1419
1420 else if (value2 < 0)
1421 {
1422 value2 = value1;
1423 value1 = 0;
1424 }
1425 }
1426
1427 /* For a non-negative offset, if the starting position is past the end of the
1428 string, the result will be the null string. Otherwise, an unset length means
1429 "rest"; just set it to the maximum - it will be cut down below if necessary. */
1430
1431 else
1432 {
1433 if (value1 > sublen)
1434 {
1435 value1 = sublen;
1436 value2 = 0;
1437 }
1438 else if (value2 < 0) value2 = sublen;
1439 }
1440
1441 /* Cut the length down to the maximum possible for the offset value, and get
1442 the required characters. */
1443
1444 if (value1 + value2 > sublen) value2 = sublen - value1;
1445 *len = value2;
1446 return subject + value1;
1447 }
1448
1449
1450
1451
1452 /*************************************************
1453 * Old-style hash of a string *
1454 *************************************************/
1455
1456 /* Perform the ${hash expansion operation.
1457
1458 Arguments:
1459 subject the input string (an expanded substring)
1460 value1 the length of the output string; if greater or equal to the
1461 length of the input string, the input string is returned
1462 value2 the number of hash characters to use, or 26 if negative
1463 len set to the length of the returned string
1464
1465 Returns: pointer to the output string, or NULL if there is an error
1466 */
1467
1468 static uschar *
compute_hash(uschar * subject,int value1,int value2,int * len)1469 compute_hash(uschar *subject, int value1, int value2, int *len)
1470 {
1471 int sublen = Ustrlen(subject);
1472
1473 if (value2 < 0) value2 = 26;
1474 else if (value2 > Ustrlen(hashcodes))
1475 {
1476 expand_string_message =
1477 string_sprintf("hash count \"%d\" too big", value2);
1478 return NULL;
1479 }
1480
1481 /* Calculate the hash text. We know it is shorter than the original string, so
1482 can safely place it in subject[] (we know that subject is always itself an
1483 expanded substring). */
1484
1485 if (value1 < sublen)
1486 {
1487 int c;
1488 int i = 0;
1489 int j = value1;
1490 while ((c = (subject[j])) != 0)
1491 {
1492 int shift = (c + j++) & 7;
1493 subject[i] ^= (c << shift) | (c >> (8-shift));
1494 if (++i >= value1) i = 0;
1495 }
1496 for (i = 0; i < value1; i++)
1497 subject[i] = hashcodes[(subject[i]) % value2];
1498 }
1499 else value1 = sublen;
1500
1501 *len = value1;
1502 return subject;
1503 }
1504
1505
1506
1507
1508 /*************************************************
1509 * Numeric hash of a string *
1510 *************************************************/
1511
1512 /* Perform the ${nhash expansion operation. The first characters of the
1513 string are treated as most important, and get the highest prime numbers.
1514
1515 Arguments:
1516 subject the input string
1517 value1 the maximum value of the first part of the result
1518 value2 the maximum value of the second part of the result,
1519 or negative to produce only a one-part result
1520 len set to the length of the returned string
1521
1522 Returns: pointer to the output string, or NULL if there is an error.
1523 */
1524
1525 static uschar *
compute_nhash(uschar * subject,int value1,int value2,int * len)1526 compute_nhash (uschar *subject, int value1, int value2, int *len)
1527 {
1528 uschar *s = subject;
1529 int i = 0;
1530 unsigned long int total = 0; /* no overflow */
1531
1532 while (*s != 0)
1533 {
1534 if (i == 0) i = nelem(prime) - 1;
1535 total += prime[i--] * (unsigned int)(*s++);
1536 }
1537
1538 /* If value2 is unset, just compute one number */
1539
1540 if (value2 < 0)
1541 s = string_sprintf("%lu", total % value1);
1542
1543 /* Otherwise do a div/mod hash */
1544
1545 else
1546 {
1547 total = total % (value1 * value2);
1548 s = string_sprintf("%lu/%lu", total/value2, total % value2);
1549 }
1550
1551 *len = Ustrlen(s);
1552 return s;
1553 }
1554
1555
1556
1557
1558
1559 /*************************************************
1560 * Find the value of a header or headers *
1561 *************************************************/
1562
1563 /* Multiple instances of the same header get concatenated, and this function
1564 can also return a concatenation of all the header lines. When concatenating
1565 specific headers that contain lists of addresses, a comma is inserted between
1566 them. Otherwise we use a straight concatenation. Because some messages can have
1567 pathologically large number of lines, there is a limit on the length that is
1568 returned.
1569
1570 Arguments:
1571 name the name of the header, without the leading $header_ or $h_,
1572 or NULL if a concatenation of all headers is required
1573 newsize return the size of memory block that was obtained; may be NULL
1574 if exists_only is TRUE
1575 flags FH_EXISTS_ONLY
1576 set if called from a def: test; don't need to build a string;
1577 just return a string that is not "" and not "0" if the header
1578 exists
1579 FH_WANT_RAW
1580 set if called for $rh_ or $rheader_ items; no processing,
1581 other than concatenating, will be done on the header. Also used
1582 for $message_headers_raw.
1583 FH_WANT_LIST
1584 Double colon chars in the content, and replace newline with
1585 colon between each element when concatenating; returning a
1586 colon-sep list (elements might contain newlines)
1587 charset name of charset to translate MIME words to; used only if
1588 want_raw is false; if NULL, no translation is done (this is
1589 used for $bh_ and $bheader_)
1590
1591 Returns: NULL if the header does not exist, else a pointer to a new
1592 store block
1593 */
1594
1595 static uschar *
find_header(uschar * name,int * newsize,unsigned flags,uschar * charset)1596 find_header(uschar *name, int *newsize, unsigned flags, uschar *charset)
1597 {
1598 BOOL found = !name;
1599 int len = name ? Ustrlen(name) : 0;
1600 BOOL comma = FALSE;
1601 gstring * g = NULL;
1602
1603 for (header_line * h = header_list; h; h = h->next)
1604 if (h->type != htype_old && h->text) /* NULL => Received: placeholder */
1605 if (!name || (len <= h->slen && strncmpic(name, h->text, len) == 0))
1606 {
1607 uschar * s, * t;
1608 size_t inc;
1609
1610 if (flags & FH_EXISTS_ONLY)
1611 return US"1"; /* don't need actual string */
1612
1613 found = TRUE;
1614 s = h->text + len; /* text to insert */
1615 if (!(flags & FH_WANT_RAW)) /* unless wanted raw, */
1616 Uskip_whitespace(&s); /* remove leading white space */
1617 t = h->text + h->slen; /* end-point */
1618
1619 /* Unless wanted raw, remove trailing whitespace, including the
1620 newline. */
1621
1622 if (flags & FH_WANT_LIST)
1623 while (t > s && t[-1] == '\n') t--;
1624 else if (!(flags & FH_WANT_RAW))
1625 {
1626 while (t > s && isspace(t[-1])) t--;
1627
1628 /* Set comma if handling a single header and it's one of those
1629 that contains an address list, except when asked for raw headers. Only
1630 need to do this once. */
1631
1632 if (name && !comma && Ustrchr("BCFRST", h->type)) comma = TRUE;
1633 }
1634
1635 /* Trim the header roughly if we're approaching limits */
1636 inc = t - s;
1637 if (gstring_length(g) + inc > header_insert_maxlen)
1638 inc = header_insert_maxlen - gstring_length(g);
1639
1640 /* For raw just copy the data; for a list, add the data as a colon-sep
1641 list-element; for comma-list add as an unchecked comma,newline sep
1642 list-elemment; for other nonraw add as an unchecked newline-sep list (we
1643 stripped trailing WS above including the newline). We ignore the potential
1644 expansion due to colon-doubling, just leaving the loop if the limit is met
1645 or exceeded. */
1646
1647 if (flags & FH_WANT_LIST)
1648 g = string_append_listele_n(g, ':', s, (unsigned)inc);
1649 else if (flags & FH_WANT_RAW)
1650 g = string_catn(g, s, (unsigned)inc);
1651 else if (inc > 0)
1652 g = string_append2_listele_n(g, comma ? US",\n" : US"\n",
1653 s, (unsigned)inc);
1654
1655 if (gstring_length(g) >= header_insert_maxlen) break;
1656 }
1657
1658 if (!found) return NULL; /* No header found */
1659 if (!g) return US"";
1660
1661 /* That's all we do for raw header expansion. */
1662
1663 *newsize = g->size;
1664 if (flags & FH_WANT_RAW)
1665 return string_from_gstring(g);
1666
1667 /* Otherwise do RFC 2047 decoding, translating the charset if requested.
1668 The rfc2047_decode2() function can return an error with decoded data if the
1669 charset translation fails. If decoding fails, it returns NULL. */
1670
1671 else
1672 {
1673 uschar * error, * decoded = rfc2047_decode2(string_from_gstring(g),
1674 check_rfc2047_length, charset, '?', NULL, newsize, &error);
1675 if (error)
1676 DEBUG(D_any) debug_printf("*** error in RFC 2047 decoding: %s\n"
1677 " input was: %s\n", error, g->s);
1678 return decoded ? decoded : string_from_gstring(g);
1679 }
1680 }
1681
1682
1683
1684
1685 /* Append a "local" element to an Authentication-Results: header
1686 if this was a non-smtp message.
1687 */
1688
1689 static gstring *
authres_local(gstring * g,const uschar * sysname)1690 authres_local(gstring * g, const uschar * sysname)
1691 {
1692 if (!f.authentication_local)
1693 return g;
1694 g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")");
1695 if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id);
1696 return g;
1697 }
1698
1699
1700 /* Append an "iprev" element to an Authentication-Results: header
1701 if we have attempted to get the calling host's name.
1702 */
1703
1704 static gstring *
authres_iprev(gstring * g)1705 authres_iprev(gstring * g)
1706 {
1707 if (sender_host_name)
1708 g = string_append(g, 3, US";\n\tiprev=pass (", sender_host_name, US")");
1709 else if (host_lookup_deferred)
1710 g = string_cat(g, US";\n\tiprev=temperror");
1711 else if (host_lookup_failed)
1712 g = string_cat(g, US";\n\tiprev=fail");
1713 else
1714 return g;
1715
1716 if (sender_host_address)
1717 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1718 return g;
1719 }
1720
1721
1722
1723 /*************************************************
1724 * Return list of recipients *
1725 *************************************************/
1726 /* A recipients list is available only during system message filtering,
1727 during ACL processing after DATA, and while expanding pipe commands
1728 generated from a system filter, but not elsewhere. */
1729
1730 static uschar *
fn_recipients(void)1731 fn_recipients(void)
1732 {
1733 uschar * s;
1734 gstring * g = NULL;
1735
1736 if (!f.enable_dollar_recipients) return NULL;
1737
1738 for (int i = 0; i < recipients_count; i++)
1739 {
1740 s = recipients_list[i].address;
1741 g = string_append2_listele_n(g, US", ", s, Ustrlen(s));
1742 }
1743 return g ? g->s : NULL;
1744 }
1745
1746
1747 /*************************************************
1748 * Return size of queue *
1749 *************************************************/
1750 /* Ask the daemon for the queue size */
1751
1752 static uschar *
fn_queue_size(void)1753 fn_queue_size(void)
1754 {
1755 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1756 uschar buf[16];
1757 int fd;
1758 ssize_t len;
1759 const uschar * where;
1760 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1761 uschar * sname;
1762 #endif
1763
1764 if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
1765 {
1766 DEBUG(D_expand) debug_printf(" socket: %s\n", strerror(errno));
1767 return NULL;
1768 }
1769
1770 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1771 sa_un.sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1772 len = offsetof(struct sockaddr_un, sun_path) + 1
1773 + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "exim_%d", getpid());
1774 #else
1775 sname = string_sprintf("%s/p_%d", spool_directory, getpid());
1776 len = offsetof(struct sockaddr_un, sun_path)
1777 + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s", sname);
1778 #endif
1779
1780 if (bind(fd, (const struct sockaddr *)&sa_un, len) < 0)
1781 { where = US"bind"; goto bad; }
1782
1783 #ifdef notdef
1784 debug_printf("local addr '%s%s'\n",
1785 *sa_un.sun_path ? "" : "@",
1786 sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
1787 #endif
1788
1789 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1790 sa_un.sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1791 len = offsetof(struct sockaddr_un, sun_path) + 1
1792 + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s",
1793 expand_string(notifier_socket));
1794 #else
1795 len = offsetof(struct sockaddr_un, sun_path)
1796 + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s",
1797 expand_string(notifier_socket));
1798 #endif
1799
1800 if (connect(fd, (const struct sockaddr *)&sa_un, len) < 0)
1801 { where = US"connect"; goto bad2; }
1802
1803 buf[0] = NOTIFY_QUEUE_SIZE_REQ;
1804 if (send(fd, buf, 1, 0) < 0) { where = US"send"; goto bad; }
1805
1806 if (poll_one_fd(fd, POLLIN, 2 * 1000) != 1)
1807 {
1808 DEBUG(D_expand) debug_printf("no daemon response; using local evaluation\n");
1809 len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1810 }
1811 else if ((len = recv(fd, buf, sizeof(buf), 0)) < 0)
1812 { where = US"recv"; goto bad2; }
1813
1814 close(fd);
1815 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1816 Uunlink(sname);
1817 #endif
1818 return string_copyn(buf, len);
1819
1820 bad2:
1821 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1822 Uunlink(sname);
1823 #endif
1824 bad:
1825 close(fd);
1826 DEBUG(D_expand) debug_printf(" %s: %s\n", where, strerror(errno));
1827 return NULL;
1828 }
1829
1830
1831 /*************************************************
1832 * Find value of a variable *
1833 *************************************************/
1834
1835 /* The table of variables is kept in alphabetic order, so we can search it
1836 using a binary chop. The "choplen" variable is nothing to do with the binary
1837 chop.
1838
1839 Arguments:
1840 name the name of the variable being sought
1841 exists_only TRUE if this is a def: test; passed on to find_header()
1842 skipping TRUE => skip any processing evaluation; this is not the same as
1843 exists_only because def: may test for values that are first
1844 evaluated here
1845 newsize pointer to an int which is initially zero; if the answer is in
1846 a new memory buffer, *newsize is set to its size
1847
1848 Returns: NULL if the variable does not exist, or
1849 a pointer to the variable's contents, or
1850 something non-NULL if exists_only is TRUE
1851 */
1852
1853 static uschar *
find_variable(uschar * name,BOOL exists_only,BOOL skipping,int * newsize)1854 find_variable(uschar *name, BOOL exists_only, BOOL skipping, int *newsize)
1855 {
1856 var_entry * vp;
1857 uschar *s, *domain;
1858 uschar **ss;
1859 void * val;
1860
1861 /* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx.
1862 Originally, xxx had to be a number in the range 0-9 (later 0-19), but from
1863 release 4.64 onwards arbitrary names are permitted, as long as the first 5
1864 characters are acl_c or acl_m and the sixth is either a digit or an underscore
1865 (this gave backwards compatibility at the changeover). There may be built-in
1866 variables whose names start acl_ but they should never start in this way. This
1867 slightly messy specification is a consequence of the history, needless to say.
1868
1869 If an ACL variable does not exist, treat it as empty, unless strict_acl_vars is
1870 set, in which case give an error. */
1871
1872 if ((Ustrncmp(name, "acl_c", 5) == 0 || Ustrncmp(name, "acl_m", 5) == 0) &&
1873 !isalpha(name[5]))
1874 {
1875 tree_node * node =
1876 tree_search(name[4] == 'c' ? acl_var_c : acl_var_m, name + 4);
1877 return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
1878 }
1879 else if (Ustrncmp(name, "r_", 2) == 0)
1880 {
1881 tree_node * node = tree_search(router_var, name + 2);
1882 return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
1883 }
1884
1885 /* Handle $auth<n> variables. */
1886
1887 if (Ustrncmp(name, "auth", 4) == 0)
1888 {
1889 uschar *endptr;
1890 int n = Ustrtoul(name + 4, &endptr, 10);
1891 if (*endptr == 0 && n != 0 && n <= AUTH_VARS)
1892 return !auth_vars[n-1] ? US"" : auth_vars[n-1];
1893 }
1894 else if (Ustrncmp(name, "regex", 5) == 0)
1895 {
1896 uschar *endptr;
1897 int n = Ustrtoul(name + 5, &endptr, 10);
1898 if (*endptr == 0 && n != 0 && n <= REGEX_VARS)
1899 return !regex_vars[n-1] ? US"" : regex_vars[n-1];
1900 }
1901
1902 /* For all other variables, search the table */
1903
1904 if (!(vp = find_var_ent(name)))
1905 return NULL; /* Unknown variable name */
1906
1907 /* Found an existing variable. If in skipping state, the value isn't needed,
1908 and we want to avoid processing (such as looking up the host name). */
1909
1910 if (skipping)
1911 return US"";
1912
1913 val = vp->value;
1914 switch (vp->type)
1915 {
1916 case vtype_filter_int:
1917 if (!f.filter_running) return NULL;
1918 /* Fall through */
1919 /* VVVVVVVVVVVV */
1920 case vtype_int:
1921 sprintf(CS var_buffer, "%d", *(int *)(val)); /* Integer */
1922 return var_buffer;
1923
1924 case vtype_ino:
1925 sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(val))); /* Inode */
1926 return var_buffer;
1927
1928 case vtype_gid:
1929 sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(val))); /* gid */
1930 return var_buffer;
1931
1932 case vtype_uid:
1933 sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(val))); /* uid */
1934 return var_buffer;
1935
1936 case vtype_bool:
1937 sprintf(CS var_buffer, "%s", *(BOOL *)(val) ? "yes" : "no"); /* bool */
1938 return var_buffer;
1939
1940 case vtype_stringptr: /* Pointer to string */
1941 return (s = *((uschar **)(val))) ? s : US"";
1942
1943 case vtype_pid:
1944 sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */
1945 return var_buffer;
1946
1947 case vtype_load_avg:
1948 sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */
1949 return var_buffer;
1950
1951 case vtype_host_lookup: /* Lookup if not done so */
1952 if ( !sender_host_name && sender_host_address
1953 && !host_lookup_failed && host_name_lookup() == OK)
1954 host_build_sender_fullhost();
1955 return sender_host_name ? sender_host_name : US"";
1956
1957 case vtype_localpart: /* Get local part from address */
1958 if (!(s = *((uschar **)(val)))) return US"";
1959 if (!(domain = Ustrrchr(s, '@'))) return s;
1960 if (domain - s > sizeof(var_buffer) - 1)
1961 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT
1962 " in string expansion", sizeof(var_buffer));
1963 return string_copyn(s, domain - s);
1964
1965 case vtype_domain: /* Get domain from address */
1966 if (!(s = *((uschar **)(val)))) return US"";
1967 domain = Ustrrchr(s, '@');
1968 return domain ? domain + 1 : US"";
1969
1970 case vtype_msgheaders:
1971 return find_header(NULL, newsize, exists_only ? FH_EXISTS_ONLY : 0, NULL);
1972
1973 case vtype_msgheaders_raw:
1974 return find_header(NULL, newsize,
1975 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW, NULL);
1976
1977 case vtype_msgbody: /* Pointer to msgbody string */
1978 case vtype_msgbody_end: /* Ditto, the end of the msg */
1979 ss = (uschar **)(val);
1980 if (!*ss && deliver_datafile >= 0) /* Read body when needed */
1981 {
1982 uschar * body;
1983 off_t start_offset = SPOOL_DATA_START_OFFSET;
1984 int len = message_body_visible;
1985
1986 if (len > message_size) len = message_size;
1987 *ss = body = store_get(len+1, TRUE);
1988 body[0] = 0;
1989 if (vp->type == vtype_msgbody_end)
1990 {
1991 struct stat statbuf;
1992 if (fstat(deliver_datafile, &statbuf) == 0)
1993 {
1994 start_offset = statbuf.st_size - len;
1995 if (start_offset < SPOOL_DATA_START_OFFSET)
1996 start_offset = SPOOL_DATA_START_OFFSET;
1997 }
1998 }
1999 if (lseek(deliver_datafile, start_offset, SEEK_SET) < 0)
2000 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "deliver_datafile lseek: %s",
2001 strerror(errno));
2002 if ((len = read(deliver_datafile, body, len)) > 0)
2003 {
2004 body[len] = 0;
2005 if (message_body_newlines) /* Separate loops for efficiency */
2006 while (len > 0)
2007 { if (body[--len] == 0) body[len] = ' '; }
2008 else
2009 while (len > 0)
2010 { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; }
2011 }
2012 }
2013 return *ss ? *ss : US"";
2014
2015 case vtype_todbsdin: /* BSD inbox time of day */
2016 return tod_stamp(tod_bsdin);
2017
2018 case vtype_tode: /* Unix epoch time of day */
2019 return tod_stamp(tod_epoch);
2020
2021 case vtype_todel: /* Unix epoch/usec time of day */
2022 return tod_stamp(tod_epoch_l);
2023
2024 case vtype_todf: /* Full time of day */
2025 return tod_stamp(tod_full);
2026
2027 case vtype_todl: /* Log format time of day */
2028 return tod_stamp(tod_log_bare); /* (without timezone) */
2029
2030 case vtype_todzone: /* Time zone offset only */
2031 return tod_stamp(tod_zone);
2032
2033 case vtype_todzulu: /* Zulu time */
2034 return tod_stamp(tod_zulu);
2035
2036 case vtype_todlf: /* Log file datestamp tod */
2037 return tod_stamp(tod_log_datestamp_daily);
2038
2039 case vtype_reply: /* Get reply address */
2040 s = find_header(US"reply-to:", newsize,
2041 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
2042 headers_charset);
2043 if (s) Uskip_whitespace(&s);
2044 if (!s || !*s)
2045 {
2046 *newsize = 0; /* For the *s==0 case */
2047 s = find_header(US"from:", newsize,
2048 exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
2049 headers_charset);
2050 }
2051 if (s)
2052 {
2053 uschar *t;
2054 Uskip_whitespace(&s);
2055 for (t = s; *t; t++) if (*t == '\n') *t = ' ';
2056 while (t > s && isspace(t[-1])) t--;
2057 *t = 0;
2058 }
2059 return s ? s : US"";
2060
2061 case vtype_string_func:
2062 {
2063 stringptr_fn_t * fn = (stringptr_fn_t *) val;
2064 uschar* s = fn();
2065 return s ? s : US"";
2066 }
2067
2068 case vtype_pspace:
2069 {
2070 int inodes;
2071 sprintf(CS var_buffer, PR_EXIM_ARITH,
2072 receive_statvfs(val == (void *)TRUE, &inodes));
2073 }
2074 return var_buffer;
2075
2076 case vtype_pinodes:
2077 {
2078 int inodes;
2079 (void) receive_statvfs(val == (void *)TRUE, &inodes);
2080 sprintf(CS var_buffer, "%d", inodes);
2081 }
2082 return var_buffer;
2083
2084 case vtype_cert:
2085 return *(void **)val ? US"<cert>" : US"";
2086
2087 #ifndef DISABLE_DKIM
2088 case vtype_dkim:
2089 return dkim_exim_expand_query((int)(long)val);
2090 #endif
2091
2092 }
2093
2094 return NULL; /* Unknown variable. Silences static checkers. */
2095 }
2096
2097
2098
2099
2100 void
modify_variable(uschar * name,void * value)2101 modify_variable(uschar *name, void * value)
2102 {
2103 var_entry * vp;
2104 if ((vp = find_var_ent(name))) vp->value = value;
2105 return; /* Unknown variable name, fail silently */
2106 }
2107
2108
2109
2110
2111
2112
2113 /*************************************************
2114 * Read and expand substrings *
2115 *************************************************/
2116
2117 /* This function is called to read and expand argument substrings for various
2118 expansion items. Some have a minimum requirement that is less than the maximum;
2119 in these cases, the first non-present one is set to NULL.
2120
2121 Arguments:
2122 sub points to vector of pointers to set
2123 n maximum number of substrings
2124 m minimum required
2125 sptr points to current string pointer
2126 skipping the skipping flag
2127 check_end if TRUE, check for final '}'
2128 name name of item, for error message
2129 resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
2130 the store.
2131
2132 Returns: 0 OK; string pointer updated
2133 1 curly bracketing error (too few arguments)
2134 2 too many arguments (only if check_end is set); message set
2135 3 other error (expansion failure)
2136 */
2137
2138 static int
read_subs(uschar ** sub,int n,int m,const uschar ** sptr,BOOL skipping,BOOL check_end,uschar * name,BOOL * resetok)2139 read_subs(uschar **sub, int n, int m, const uschar **sptr, BOOL skipping,
2140 BOOL check_end, uschar *name, BOOL *resetok)
2141 {
2142 const uschar *s = *sptr;
2143
2144 Uskip_whitespace(&s);
2145 for (int i = 0; i < n; i++)
2146 {
2147 if (*s != '{')
2148 {
2149 if (i < m)
2150 {
2151 expand_string_message = string_sprintf("Not enough arguments for '%s' "
2152 "(min is %d)", name, m);
2153 return 1;
2154 }
2155 sub[i] = NULL;
2156 break;
2157 }
2158 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, resetok)))
2159 return 3;
2160 if (*s++ != '}') return 1;
2161 Uskip_whitespace(&s);
2162 }
2163 if (check_end && *s++ != '}')
2164 {
2165 if (s[-1] == '{')
2166 {
2167 expand_string_message = string_sprintf("Too many arguments for '%s' "
2168 "(max is %d)", name, n);
2169 return 2;
2170 }
2171 expand_string_message = string_sprintf("missing '}' after '%s'", name);
2172 return 1;
2173 }
2174
2175 *sptr = s;
2176 return 0;
2177 }
2178
2179
2180
2181
2182 /*************************************************
2183 * Elaborate message for bad variable *
2184 *************************************************/
2185
2186 /* For the "unknown variable" message, take a look at the variable's name, and
2187 give additional information about possible ACL variables. The extra information
2188 is added on to expand_string_message.
2189
2190 Argument: the name of the variable
2191 Returns: nothing
2192 */
2193
2194 static void
check_variable_error_message(uschar * name)2195 check_variable_error_message(uschar *name)
2196 {
2197 if (Ustrncmp(name, "acl_", 4) == 0)
2198 expand_string_message = string_sprintf("%s (%s)", expand_string_message,
2199 (name[4] == 'c' || name[4] == 'm')?
2200 (isalpha(name[5])?
2201 US"6th character of a user-defined ACL variable must be a digit or underscore" :
2202 US"strict_acl_vars is set" /* Syntax is OK, it has to be this */
2203 ) :
2204 US"user-defined ACL variables must start acl_c or acl_m");
2205 }
2206
2207
2208
2209 /*
2210 Load args from sub array to globals, and call acl_check().
2211 Sub array will be corrupted on return.
2212
2213 Returns: OK access is granted by an ACCEPT verb
2214 DISCARD access is (apparently) granted by a DISCARD verb
2215 FAIL access is denied
2216 FAIL_DROP access is denied; drop the connection
2217 DEFER can't tell at the moment
2218 ERROR disaster
2219 */
2220 static int
eval_acl(uschar ** sub,int nsub,uschar ** user_msgp)2221 eval_acl(uschar ** sub, int nsub, uschar ** user_msgp)
2222 {
2223 int i;
2224 int sav_narg = acl_narg;
2225 int ret;
2226 uschar * dummy_logmsg;
2227 extern int acl_where;
2228
2229 if(--nsub > nelem(acl_arg)) nsub = nelem(acl_arg);
2230 for (i = 0; i < nsub && sub[i+1]; i++)
2231 {
2232 uschar * tmp = acl_arg[i];
2233 acl_arg[i] = sub[i+1]; /* place callers args in the globals */
2234 sub[i+1] = tmp; /* stash the old args using our caller's storage */
2235 }
2236 acl_narg = i;
2237 while (i < nsub)
2238 {
2239 sub[i+1] = acl_arg[i];
2240 acl_arg[i++] = NULL;
2241 }
2242
2243 DEBUG(D_expand)
2244 debug_printf_indent("expanding: acl: %s arg: %s%s\n",
2245 sub[0],
2246 acl_narg>0 ? acl_arg[0] : US"<none>",
2247 acl_narg>1 ? " +more" : "");
2248
2249 ret = acl_eval(acl_where, sub[0], user_msgp, &dummy_logmsg);
2250
2251 for (i = 0; i < nsub; i++)
2252 acl_arg[i] = sub[i+1]; /* restore old args */
2253 acl_narg = sav_narg;
2254
2255 return ret;
2256 }
2257
2258
2259
2260
2261 /* Return pointer to dewrapped string, with enclosing specified chars removed.
2262 The given string is modified on return. Leading whitespace is skipped while
2263 looking for the opening wrap character, then the rest is scanned for the trailing
2264 (non-escaped) wrap character. A backslash in the string will act as an escape.
2265
2266 A nul is written over the trailing wrap, and a pointer to the char after the
2267 leading wrap is returned.
2268
2269 Arguments:
2270 s String for de-wrapping
2271 wrap Two-char string, the first being the opener, second the closer wrapping
2272 character
2273 Return:
2274 Pointer to de-wrapped string, or NULL on error (with expand_string_message set).
2275 */
2276
2277 static uschar *
dewrap(uschar * s,const uschar * wrap)2278 dewrap(uschar * s, const uschar * wrap)
2279 {
2280 uschar * p = s;
2281 unsigned depth = 0;
2282 BOOL quotesmode = wrap[0] == wrap[1];
2283
2284 if (Uskip_whitespace(&p) == *wrap)
2285 {
2286 s = ++p;
2287 wrap++;
2288 while (*p)
2289 {
2290 if (*p == '\\') p++;
2291 else if (!quotesmode && *p == wrap[-1]) depth++;
2292 else if (*p == *wrap)
2293 if (depth == 0)
2294 {
2295 *p = '\0';
2296 return s;
2297 }
2298 else
2299 depth--;
2300 p++;
2301 }
2302 }
2303 expand_string_message = string_sprintf("missing '%c'", *wrap);
2304 return NULL;
2305 }
2306
2307
2308 /* Pull off the leading array or object element, returning
2309 a copy in an allocated string. Update the list pointer.
2310
2311 The element may itself be an abject or array.
2312 Return NULL when the list is empty.
2313 */
2314
2315 static uschar *
json_nextinlist(const uschar ** list)2316 json_nextinlist(const uschar ** list)
2317 {
2318 unsigned array_depth = 0, object_depth = 0;
2319 const uschar * s = *list, * item;
2320
2321 skip_whitespace(&s);
2322
2323 for (item = s;
2324 *s && (*s != ',' || array_depth != 0 || object_depth != 0);
2325 s++)
2326 switch (*s)
2327 {
2328 case '[': array_depth++; break;
2329 case ']': array_depth--; break;
2330 case '{': object_depth++; break;
2331 case '}': object_depth--; break;
2332 }
2333 *list = *s ? s+1 : s;
2334 if (item == s) return NULL;
2335 item = string_copyn(item, s - item);
2336 DEBUG(D_expand) debug_printf_indent(" json ele: '%s'\n", item);
2337 return US item;
2338 }
2339
2340
2341
2342 /************************************************/
2343 /* Return offset in ops table, or -1 if not found.
2344 Repoint to just after the operator in the string.
2345
2346 Argument:
2347 ss string representation of operator
2348 opname split-out operator name
2349 */
2350
2351 static int
identify_operator(const uschar ** ss,uschar ** opname)2352 identify_operator(const uschar ** ss, uschar ** opname)
2353 {
2354 const uschar * s = *ss;
2355 uschar name[256];
2356
2357 /* Numeric comparisons are symbolic */
2358
2359 if (*s == '=' || *s == '>' || *s == '<')
2360 {
2361 int p = 0;
2362 name[p++] = *s++;
2363 if (*s == '=')
2364 {
2365 name[p++] = '=';
2366 s++;
2367 }
2368 name[p] = 0;
2369 }
2370
2371 /* All other conditions are named */
2372
2373 else
2374 s = read_name(name, sizeof(name), s, US"_");
2375 *ss = s;
2376
2377 /* If we haven't read a name, it means some non-alpha character is first. */
2378
2379 if (!name[0])
2380 {
2381 expand_string_message = string_sprintf("condition name expected, "
2382 "but found \"%.16s\"", s);
2383 return -1;
2384 }
2385 if (opname)
2386 *opname = string_copy(name);
2387
2388 return chop_match(name, cond_table, nelem(cond_table));
2389 }
2390
2391
2392 /*************************************************
2393 * Handle MD5 or SHA-1 computation for HMAC *
2394 *************************************************/
2395
2396 /* These are some wrapping functions that enable the HMAC code to be a bit
2397 cleaner. A good compiler will spot the tail recursion.
2398
2399 Arguments:
2400 type HMAC_MD5 or HMAC_SHA1
2401 remaining are as for the cryptographic hash functions
2402
2403 Returns: nothing
2404 */
2405
2406 static void
chash_start(int type,void * base)2407 chash_start(int type, void * base)
2408 {
2409 if (type == HMAC_MD5)
2410 md5_start((md5 *)base);
2411 else
2412 sha1_start((hctx *)base);
2413 }
2414
2415 static void
chash_mid(int type,void * base,const uschar * string)2416 chash_mid(int type, void * base, const uschar * string)
2417 {
2418 if (type == HMAC_MD5)
2419 md5_mid((md5 *)base, string);
2420 else
2421 sha1_mid((hctx *)base, string);
2422 }
2423
2424 static void
chash_end(int type,void * base,const uschar * string,int length,uschar * digest)2425 chash_end(int type, void * base, const uschar * string, int length,
2426 uschar * digest)
2427 {
2428 if (type == HMAC_MD5)
2429 md5_end((md5 *)base, string, length, digest);
2430 else
2431 sha1_end((hctx *)base, string, length, digest);
2432 }
2433
2434
2435
2436
2437 #ifdef SUPPORT_SRS
2438 /* Do an hmac_md5. The result is _not_ nul-terminated, and is sized as
2439 the smaller of a full hmac_md5 result (16 bytes) or the supplied output buffer.
2440
2441 Arguments:
2442 key encoding key, nul-terminated
2443 src data to be hashed, nul-terminated
2444 buf output buffer
2445 len size of output buffer
2446 */
2447
2448 static void
hmac_md5(const uschar * key,const uschar * src,uschar * buf,unsigned len)2449 hmac_md5(const uschar * key, const uschar * src, uschar * buf, unsigned len)
2450 {
2451 md5 md5_base;
2452 const uschar * keyptr;
2453 uschar * p;
2454 unsigned int keylen;
2455
2456 #define MD5_HASHLEN 16
2457 #define MD5_HASHBLOCKLEN 64
2458
2459 uschar keyhash[MD5_HASHLEN];
2460 uschar innerhash[MD5_HASHLEN];
2461 uschar finalhash[MD5_HASHLEN];
2462 uschar innerkey[MD5_HASHBLOCKLEN];
2463 uschar outerkey[MD5_HASHBLOCKLEN];
2464
2465 keyptr = key;
2466 keylen = Ustrlen(keyptr);
2467
2468 /* If the key is longer than the hash block length, then hash the key
2469 first */
2470
2471 if (keylen > MD5_HASHBLOCKLEN)
2472 {
2473 chash_start(HMAC_MD5, &md5_base);
2474 chash_end(HMAC_MD5, &md5_base, keyptr, keylen, keyhash);
2475 keyptr = keyhash;
2476 keylen = MD5_HASHLEN;
2477 }
2478
2479 /* Now make the inner and outer key values */
2480
2481 memset(innerkey, 0x36, MD5_HASHBLOCKLEN);
2482 memset(outerkey, 0x5c, MD5_HASHBLOCKLEN);
2483
2484 for (int i = 0; i < keylen; i++)
2485 {
2486 innerkey[i] ^= keyptr[i];
2487 outerkey[i] ^= keyptr[i];
2488 }
2489
2490 /* Now do the hashes */
2491
2492 chash_start(HMAC_MD5, &md5_base);
2493 chash_mid(HMAC_MD5, &md5_base, innerkey);
2494 chash_end(HMAC_MD5, &md5_base, src, Ustrlen(src), innerhash);
2495
2496 chash_start(HMAC_MD5, &md5_base);
2497 chash_mid(HMAC_MD5, &md5_base, outerkey);
2498 chash_end(HMAC_MD5, &md5_base, innerhash, MD5_HASHLEN, finalhash);
2499
2500 /* Encode the final hash as a hex string, limited by output buffer size */
2501
2502 p = buf;
2503 for (int i = 0, j = len; i < MD5_HASHLEN; i++)
2504 {
2505 if (j-- <= 0) break;
2506 *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
2507 if (j-- <= 0) break;
2508 *p++ = hex_digits[finalhash[i] & 0x0f];
2509 }
2510 return;
2511 }
2512 #endif /*SUPPORT_SRS*/
2513
2514
2515 /*************************************************
2516 * Read and evaluate a condition *
2517 *************************************************/
2518
2519 /*
2520 Arguments:
2521 s points to the start of the condition text
2522 resetok points to a BOOL which is written false if it is unsafe to
2523 free memory. Certain condition types (acl) may have side-effect
2524 allocation which must be preserved.
2525 yield points to a BOOL to hold the result of the condition test;
2526 if NULL, we are just reading through a condition that is
2527 part of an "or" combination to check syntax, or in a state
2528 where the answer isn't required
2529
2530 Returns: a pointer to the first character after the condition, or
2531 NULL after an error
2532 */
2533
2534 static const uschar *
eval_condition(const uschar * s,BOOL * resetok,BOOL * yield)2535 eval_condition(const uschar *s, BOOL *resetok, BOOL *yield)
2536 {
2537 BOOL testfor = TRUE;
2538 BOOL tempcond, combined_cond;
2539 BOOL *subcondptr;
2540 BOOL sub2_honour_dollar = TRUE;
2541 BOOL is_forany, is_json, is_jsons;
2542 int rc, cond_type, roffset;
2543 int_eximarith_t num[2];
2544 struct stat statbuf;
2545 uschar * opname;
2546 uschar name[256];
2547 const uschar *sub[10];
2548
2549 const pcre *re;
2550 const uschar *rerror;
2551
2552 for (;;)
2553 if (Uskip_whitespace(&s) == '!') { testfor = !testfor; s++; } else break;
2554
2555 switch(cond_type = identify_operator(&s, &opname))
2556 {
2557 /* def: tests for a non-empty variable, or for the existence of a header. If
2558 yield == NULL we are in a skipping state, and don't care about the answer. */
2559
2560 case ECOND_DEF:
2561 {
2562 uschar * t;
2563
2564 if (*s != ':')
2565 {
2566 expand_string_message = US"\":\" expected after \"def\"";
2567 return NULL;
2568 }
2569
2570 s = read_name(name, sizeof(name), s+1, US"_");
2571
2572 /* Test for a header's existence. If the name contains a closing brace
2573 character, this may be a user error where the terminating colon has been
2574 omitted. Set a flag to adjust a subsequent error message in this case. */
2575
2576 if ( ( *(t = name) == 'h'
2577 || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
2578 )
2579 && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
2580 )
2581 {
2582 s = read_header_name(name, sizeof(name), s);
2583 /* {-for-text-editors */
2584 if (Ustrchr(name, '}') != NULL) malformed_header = TRUE;
2585 if (yield) *yield =
2586 (find_header(name, NULL, FH_EXISTS_ONLY, NULL) != NULL) == testfor;
2587 }
2588
2589 /* Test for a variable's having a non-empty value. A non-existent variable
2590 causes an expansion failure. */
2591
2592 else
2593 {
2594 if (!(t = find_variable(name, TRUE, yield == NULL, NULL)))
2595 {
2596 expand_string_message = name[0]
2597 ? string_sprintf("unknown variable \"%s\" after \"def:\"", name)
2598 : US"variable name omitted after \"def:\"";
2599 check_variable_error_message(name);
2600 return NULL;
2601 }
2602 if (yield) *yield = (t[0] != 0) == testfor;
2603 }
2604
2605 return s;
2606 }
2607
2608
2609 /* first_delivery tests for first delivery attempt */
2610
2611 case ECOND_FIRST_DELIVERY:
2612 if (yield) *yield = f.deliver_firsttime == testfor;
2613 return s;
2614
2615
2616 /* queue_running tests for any process started by a queue runner */
2617
2618 case ECOND_QUEUE_RUNNING:
2619 if (yield) *yield = (queue_run_pid != (pid_t)0) == testfor;
2620 return s;
2621
2622
2623 /* exists: tests for file existence
2624 isip: tests for any IP address
2625 isip4: tests for an IPv4 address
2626 isip6: tests for an IPv6 address
2627 pam: does PAM authentication
2628 radius: does RADIUS authentication
2629 ldapauth: does LDAP authentication
2630 pwcheck: does Cyrus SASL pwcheck authentication
2631 */
2632
2633 case ECOND_EXISTS:
2634 case ECOND_ISIP:
2635 case ECOND_ISIP4:
2636 case ECOND_ISIP6:
2637 case ECOND_PAM:
2638 case ECOND_RADIUS:
2639 case ECOND_LDAPAUTH:
2640 case ECOND_PWCHECK:
2641
2642 if (Uskip_whitespace(&s) != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
2643
2644 sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE, resetok);
2645 if (!sub[0]) return NULL;
2646 /* {-for-text-editors */
2647 if (*s++ != '}') goto COND_FAILED_CURLY_END;
2648
2649 if (!yield) return s; /* No need to run the test if skipping */
2650
2651 switch(cond_type)
2652 {
2653 case ECOND_EXISTS:
2654 if ((expand_forbid & RDO_EXISTS) != 0)
2655 {
2656 expand_string_message = US"File existence tests are not permitted";
2657 return NULL;
2658 }
2659 *yield = (Ustat(sub[0], &statbuf) == 0) == testfor;
2660 break;
2661
2662 case ECOND_ISIP:
2663 case ECOND_ISIP4:
2664 case ECOND_ISIP6:
2665 rc = string_is_ip_address(sub[0], NULL);
2666 *yield = ((cond_type == ECOND_ISIP)? (rc != 0) :
2667 (cond_type == ECOND_ISIP4)? (rc == 4) : (rc == 6)) == testfor;
2668 break;
2669
2670 /* Various authentication tests - all optionally compiled */
2671
2672 case ECOND_PAM:
2673 #ifdef SUPPORT_PAM
2674 rc = auth_call_pam(sub[0], &expand_string_message);
2675 goto END_AUTH;
2676 #else
2677 goto COND_FAILED_NOT_COMPILED;
2678 #endif /* SUPPORT_PAM */
2679
2680 case ECOND_RADIUS:
2681 #ifdef RADIUS_CONFIG_FILE
2682 rc = auth_call_radius(sub[0], &expand_string_message);
2683 goto END_AUTH;
2684 #else
2685 goto COND_FAILED_NOT_COMPILED;
2686 #endif /* RADIUS_CONFIG_FILE */
2687
2688 case ECOND_LDAPAUTH:
2689 #ifdef LOOKUP_LDAP
2690 {
2691 /* Just to keep the interface the same */
2692 BOOL do_cache;
2693 int old_pool = store_pool;
2694 store_pool = POOL_SEARCH;
2695 rc = eldapauth_find((void *)(-1), NULL, sub[0], Ustrlen(sub[0]), NULL,
2696 &expand_string_message, &do_cache);
2697 store_pool = old_pool;
2698 }
2699 goto END_AUTH;
2700 #else
2701 goto COND_FAILED_NOT_COMPILED;
2702 #endif /* LOOKUP_LDAP */
2703
2704 case ECOND_PWCHECK:
2705 #ifdef CYRUS_PWCHECK_SOCKET
2706 rc = auth_call_pwcheck(sub[0], &expand_string_message);
2707 goto END_AUTH;
2708 #else
2709 goto COND_FAILED_NOT_COMPILED;
2710 #endif /* CYRUS_PWCHECK_SOCKET */
2711
2712 #if defined(SUPPORT_PAM) || defined(RADIUS_CONFIG_FILE) || \
2713 defined(LOOKUP_LDAP) || defined(CYRUS_PWCHECK_SOCKET)
2714 END_AUTH:
2715 if (rc == ERROR || rc == DEFER) return NULL;
2716 *yield = (rc == OK) == testfor;
2717 #endif
2718 }
2719 return s;
2720
2721
2722 /* call ACL (in a conditional context). Accept true, deny false.
2723 Defer is a forced-fail. Anything set by message= goes to $value.
2724 Up to ten parameters are used; we use the braces round the name+args
2725 like the saslauthd condition does, to permit a variable number of args.
2726 See also the expansion-item version EITEM_ACL and the traditional
2727 acl modifier ACLC_ACL.
2728 Since the ACL may allocate new global variables, tell our caller to not
2729 reclaim memory.
2730 */
2731
2732 case ECOND_ACL:
2733 /* ${if acl {{name}{arg1}{arg2}...} {yes}{no}} */
2734 {
2735 uschar *sub[10];
2736 uschar *user_msg;
2737 BOOL cond = FALSE;
2738
2739 Uskip_whitespace(&s);
2740 if (*s++ != '{') goto COND_FAILED_CURLY_START; /*}*/
2741
2742 switch(read_subs(sub, nelem(sub), 1,
2743 &s, yield == NULL, TRUE, name, resetok))
2744 {
2745 case 1: expand_string_message = US"too few arguments or bracketing "
2746 "error for acl";
2747 case 2:
2748 case 3: return NULL;
2749 }
2750
2751 if (yield)
2752 {
2753 int rc;
2754 *resetok = FALSE; /* eval_acl() might allocate; do not reclaim */
2755 switch(rc = eval_acl(sub, nelem(sub), &user_msg))
2756 {
2757 case OK:
2758 cond = TRUE;
2759 case FAIL:
2760 lookup_value = NULL;
2761 if (user_msg)
2762 lookup_value = string_copy(user_msg);
2763 *yield = cond == testfor;
2764 break;
2765
2766 case DEFER:
2767 f.expand_string_forcedfail = TRUE;
2768 /*FALLTHROUGH*/
2769 default:
2770 expand_string_message = string_sprintf("%s from acl \"%s\"",
2771 rc_names[rc], sub[0]);
2772 return NULL;
2773 }
2774 }
2775 return s;
2776 }
2777
2778
2779 /* saslauthd: does Cyrus saslauthd authentication. Four parameters are used:
2780
2781 ${if saslauthd {{username}{password}{service}{realm}} {yes}{no}}
2782
2783 However, the last two are optional. That is why the whole set is enclosed
2784 in their own set of braces. */
2785
2786 case ECOND_SASLAUTHD:
2787 #ifndef CYRUS_SASLAUTHD_SOCKET
2788 goto COND_FAILED_NOT_COMPILED;
2789 #else
2790 {
2791 uschar *sub[4];
2792 Uskip_whitespace(&s);
2793 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
2794 switch(read_subs(sub, nelem(sub), 2, &s, yield == NULL, TRUE, name,
2795 resetok))
2796 {
2797 case 1: expand_string_message = US"too few arguments or bracketing "
2798 "error for saslauthd";
2799 case 2:
2800 case 3: return NULL;
2801 }
2802 if (!sub[2]) sub[3] = NULL; /* realm if no service */
2803 if (yield)
2804 {
2805 int rc = auth_call_saslauthd(sub[0], sub[1], sub[2], sub[3],
2806 &expand_string_message);
2807 if (rc == ERROR || rc == DEFER) return NULL;
2808 *yield = (rc == OK) == testfor;
2809 }
2810 return s;
2811 }
2812 #endif /* CYRUS_SASLAUTHD_SOCKET */
2813
2814
2815 /* symbolic operators for numeric and string comparison, and a number of
2816 other operators, all requiring two arguments.
2817
2818 crypteq: encrypts plaintext and compares against an encrypted text,
2819 using crypt(), crypt16(), MD5 or SHA-1
2820 inlist/inlisti: checks if first argument is in the list of the second
2821 match: does a regular expression match and sets up the numerical
2822 variables if it succeeds
2823 match_address: matches in an address list
2824 match_domain: matches in a domain list
2825 match_ip: matches a host list that is restricted to IP addresses
2826 match_local_part: matches in a local part list
2827 */
2828
2829 case ECOND_MATCH_ADDRESS:
2830 case ECOND_MATCH_DOMAIN:
2831 case ECOND_MATCH_IP:
2832 case ECOND_MATCH_LOCAL_PART:
2833 #ifndef EXPAND_LISTMATCH_RHS
2834 sub2_honour_dollar = FALSE;
2835 #endif
2836 /* FALLTHROUGH */
2837
2838 case ECOND_CRYPTEQ:
2839 case ECOND_INLIST:
2840 case ECOND_INLISTI:
2841 case ECOND_MATCH:
2842
2843 case ECOND_NUM_L: /* Numerical comparisons */
2844 case ECOND_NUM_LE:
2845 case ECOND_NUM_E:
2846 case ECOND_NUM_EE:
2847 case ECOND_NUM_G:
2848 case ECOND_NUM_GE:
2849
2850 case ECOND_STR_LT: /* String comparisons */
2851 case ECOND_STR_LTI:
2852 case ECOND_STR_LE:
2853 case ECOND_STR_LEI:
2854 case ECOND_STR_EQ:
2855 case ECOND_STR_EQI:
2856 case ECOND_STR_GT:
2857 case ECOND_STR_GTI:
2858 case ECOND_STR_GE:
2859 case ECOND_STR_GEI:
2860
2861 for (int i = 0; i < 2; i++)
2862 {
2863 /* Sometimes, we don't expand substrings; too many insecure configurations
2864 created using match_address{}{} and friends, where the second param
2865 includes information from untrustworthy sources. */
2866 BOOL honour_dollar = TRUE;
2867 if ((i > 0) && !sub2_honour_dollar)
2868 honour_dollar = FALSE;
2869
2870 if (Uskip_whitespace(&s) != '{')
2871 {
2872 if (i == 0) goto COND_FAILED_CURLY_START;
2873 expand_string_message = string_sprintf("missing 2nd string in {} "
2874 "after \"%s\"", opname);
2875 return NULL;
2876 }
2877 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
2878 honour_dollar, resetok)))
2879 return NULL;
2880 DEBUG(D_expand) if (i == 1 && !sub2_honour_dollar && Ustrchr(sub[1], '$'))
2881 debug_printf_indent("WARNING: the second arg is NOT expanded,"
2882 " for security reasons\n");
2883 if (*s++ != '}') goto COND_FAILED_CURLY_END;
2884
2885 /* Convert to numerical if required; we know that the names of all the
2886 conditions that compare numbers do not start with a letter. This just saves
2887 checking for them individually. */
2888
2889 if (!isalpha(opname[0]) && yield)
2890 if (sub[i][0] == 0)
2891 {
2892 num[i] = 0;
2893 DEBUG(D_expand)
2894 debug_printf_indent("empty string cast to zero for numerical comparison\n");
2895 }
2896 else
2897 {
2898 num[i] = expanded_string_integer(sub[i], FALSE);
2899 if (expand_string_message) return NULL;
2900 }
2901 }
2902
2903 /* Result not required */
2904
2905 if (!yield) return s;
2906
2907 /* Do an appropriate comparison */
2908
2909 switch(cond_type)
2910 {
2911 case ECOND_NUM_E:
2912 case ECOND_NUM_EE:
2913 tempcond = (num[0] == num[1]);
2914 break;
2915
2916 case ECOND_NUM_G:
2917 tempcond = (num[0] > num[1]);
2918 break;
2919
2920 case ECOND_NUM_GE:
2921 tempcond = (num[0] >= num[1]);
2922 break;
2923
2924 case ECOND_NUM_L:
2925 tempcond = (num[0] < num[1]);
2926 break;
2927
2928 case ECOND_NUM_LE:
2929 tempcond = (num[0] <= num[1]);
2930 break;
2931
2932 case ECOND_STR_LT:
2933 tempcond = (Ustrcmp(sub[0], sub[1]) < 0);
2934 break;
2935
2936 case ECOND_STR_LTI:
2937 tempcond = (strcmpic(sub[0], sub[1]) < 0);
2938 break;
2939
2940 case ECOND_STR_LE:
2941 tempcond = (Ustrcmp(sub[0], sub[1]) <= 0);
2942 break;
2943
2944 case ECOND_STR_LEI:
2945 tempcond = (strcmpic(sub[0], sub[1]) <= 0);
2946 break;
2947
2948 case ECOND_STR_EQ:
2949 tempcond = (Ustrcmp(sub[0], sub[1]) == 0);
2950 break;
2951
2952 case ECOND_STR_EQI:
2953 tempcond = (strcmpic(sub[0], sub[1]) == 0);
2954 break;
2955
2956 case ECOND_STR_GT:
2957 tempcond = (Ustrcmp(sub[0], sub[1]) > 0);
2958 break;
2959
2960 case ECOND_STR_GTI:
2961 tempcond = (strcmpic(sub[0], sub[1]) > 0);
2962 break;
2963
2964 case ECOND_STR_GE:
2965 tempcond = (Ustrcmp(sub[0], sub[1]) >= 0);
2966 break;
2967
2968 case ECOND_STR_GEI:
2969 tempcond = (strcmpic(sub[0], sub[1]) >= 0);
2970 break;
2971
2972 case ECOND_MATCH: /* Regular expression match */
2973 if (!(re = pcre_compile(CS sub[1], PCRE_COPT, CCSS &rerror,
2974 &roffset, NULL)))
2975 {
2976 expand_string_message = string_sprintf("regular expression error in "
2977 "\"%s\": %s at offset %d", sub[1], rerror, roffset);
2978 return NULL;
2979 }
2980 tempcond = regex_match_and_setup(re, sub[0], 0, -1);
2981 break;
2982
2983 case ECOND_MATCH_ADDRESS: /* Match in an address list */
2984 rc = match_address_list(sub[0], TRUE, FALSE, &(sub[1]), NULL, -1, 0, NULL);
2985 goto MATCHED_SOMETHING;
2986
2987 case ECOND_MATCH_DOMAIN: /* Match in a domain list */
2988 rc = match_isinlist(sub[0], &(sub[1]), 0, &domainlist_anchor, NULL,
2989 MCL_DOMAIN + MCL_NOEXPAND, TRUE, NULL);
2990 goto MATCHED_SOMETHING;
2991
2992 case ECOND_MATCH_IP: /* Match IP address in a host list */
2993 if (sub[0][0] != 0 && string_is_ip_address(sub[0], NULL) == 0)
2994 {
2995 expand_string_message = string_sprintf("\"%s\" is not an IP address",
2996 sub[0]);
2997 return NULL;
2998 }
2999 else
3000 {
3001 unsigned int *nullcache = NULL;
3002 check_host_block cb;
3003
3004 cb.host_name = US"";
3005 cb.host_address = sub[0];
3006
3007 /* If the host address starts off ::ffff: it is an IPv6 address in
3008 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3009 addresses. */
3010
3011 cb.host_ipv4 = (Ustrncmp(cb.host_address, "::ffff:", 7) == 0)?
3012 cb.host_address + 7 : cb.host_address;
3013
3014 rc = match_check_list(
3015 &sub[1], /* the list */
3016 0, /* separator character */
3017 &hostlist_anchor, /* anchor pointer */
3018 &nullcache, /* cache pointer */
3019 check_host, /* function for testing */
3020 &cb, /* argument for function */
3021 MCL_HOST, /* type of check */
3022 sub[0], /* text for debugging */
3023 NULL); /* where to pass back data */
3024 }
3025 goto MATCHED_SOMETHING;
3026
3027 case ECOND_MATCH_LOCAL_PART:
3028 rc = match_isinlist(sub[0], &(sub[1]), 0, &localpartlist_anchor, NULL,
3029 MCL_LOCALPART + MCL_NOEXPAND, TRUE, NULL);
3030 /* Fall through */
3031 /* VVVVVVVVVVVV */
3032 MATCHED_SOMETHING:
3033 switch(rc)
3034 {
3035 case OK:
3036 tempcond = TRUE;
3037 break;
3038
3039 case FAIL:
3040 tempcond = FALSE;
3041 break;
3042
3043 case DEFER:
3044 expand_string_message = string_sprintf("unable to complete match "
3045 "against \"%s\": %s", sub[1], search_error_message);
3046 return NULL;
3047 }
3048
3049 break;
3050
3051 /* Various "encrypted" comparisons. If the second string starts with
3052 "{" then an encryption type is given. Default to crypt() or crypt16()
3053 (build-time choice). */
3054 /* }-for-text-editors */
3055
3056 case ECOND_CRYPTEQ:
3057 #ifndef SUPPORT_CRYPTEQ
3058 goto COND_FAILED_NOT_COMPILED;
3059 #else
3060 if (strncmpic(sub[1], US"{md5}", 5) == 0)
3061 {
3062 int sublen = Ustrlen(sub[1]+5);
3063 md5 base;
3064 uschar digest[16];
3065
3066 md5_start(&base);
3067 md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
3068
3069 /* If the length that we are comparing against is 24, the MD5 digest
3070 is expressed as a base64 string. This is the way LDAP does it. However,
3071 some other software uses a straightforward hex representation. We assume
3072 this if the length is 32. Other lengths fail. */
3073
3074 if (sublen == 24)
3075 {
3076 uschar *coded = b64encode(CUS digest, 16);
3077 DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
3078 " subject=%s\n crypted=%s\n", coded, sub[1]+5);
3079 tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
3080 }
3081 else if (sublen == 32)
3082 {
3083 uschar coded[36];
3084 for (int i = 0; i < 16; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
3085 coded[32] = 0;
3086 DEBUG(D_auth) debug_printf("crypteq: using MD5+hex hashing\n"
3087 " subject=%s\n crypted=%s\n", coded, sub[1]+5);
3088 tempcond = (strcmpic(coded, sub[1]+5) == 0);
3089 }
3090 else
3091 {
3092 DEBUG(D_auth) debug_printf("crypteq: length for MD5 not 24 or 32: "
3093 "fail\n crypted=%s\n", sub[1]+5);
3094 tempcond = FALSE;
3095 }
3096 }
3097
3098 else if (strncmpic(sub[1], US"{sha1}", 6) == 0)
3099 {
3100 int sublen = Ustrlen(sub[1]+6);
3101 hctx h;
3102 uschar digest[20];
3103
3104 sha1_start(&h);
3105 sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
3106
3107 /* If the length that we are comparing against is 28, assume the SHA1
3108 digest is expressed as a base64 string. If the length is 40, assume a
3109 straightforward hex representation. Other lengths fail. */
3110
3111 if (sublen == 28)
3112 {
3113 uschar *coded = b64encode(CUS digest, 20);
3114 DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
3115 " subject=%s\n crypted=%s\n", coded, sub[1]+6);
3116 tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
3117 }
3118 else if (sublen == 40)
3119 {
3120 uschar coded[44];
3121 for (int i = 0; i < 20; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
3122 coded[40] = 0;
3123 DEBUG(D_auth) debug_printf("crypteq: using SHA1+hex hashing\n"
3124 " subject=%s\n crypted=%s\n", coded, sub[1]+6);
3125 tempcond = (strcmpic(coded, sub[1]+6) == 0);
3126 }
3127 else
3128 {
3129 DEBUG(D_auth) debug_printf("crypteq: length for SHA-1 not 28 or 40: "
3130 "fail\n crypted=%s\n", sub[1]+6);
3131 tempcond = FALSE;
3132 }
3133 }
3134
3135 else /* {crypt} or {crypt16} and non-{ at start */
3136 /* }-for-text-editors */
3137 {
3138 int which = 0;
3139 uschar *coded;
3140
3141 if (strncmpic(sub[1], US"{crypt}", 7) == 0)
3142 {
3143 sub[1] += 7;
3144 which = 1;
3145 }
3146 else if (strncmpic(sub[1], US"{crypt16}", 9) == 0)
3147 {
3148 sub[1] += 9;
3149 which = 2;
3150 }
3151 else if (sub[1][0] == '{') /* }-for-text-editors */
3152 {
3153 expand_string_message = string_sprintf("unknown encryption mechanism "
3154 "in \"%s\"", sub[1]);
3155 return NULL;
3156 }
3157
3158 switch(which)
3159 {
3160 case 0: coded = US DEFAULT_CRYPT(CS sub[0], CS sub[1]); break;
3161 case 1: coded = US crypt(CS sub[0], CS sub[1]); break;
3162 default: coded = US crypt16(CS sub[0], CS sub[1]); break;
3163 }
3164
3165 #define STR(s) # s
3166 #define XSTR(s) STR(s)
3167 DEBUG(D_auth) debug_printf("crypteq: using %s()\n"
3168 " subject=%s\n crypted=%s\n",
3169 which == 0 ? XSTR(DEFAULT_CRYPT) : which == 1 ? "crypt" : "crypt16",
3170 coded, sub[1]);
3171 #undef STR
3172 #undef XSTR
3173
3174 /* If the encrypted string contains fewer than two characters (for the
3175 salt), force failure. Otherwise we get false positives: with an empty
3176 string the yield of crypt() is an empty string! */
3177
3178 if (coded)
3179 tempcond = Ustrlen(sub[1]) < 2 ? FALSE : Ustrcmp(coded, sub[1]) == 0;
3180 else if (errno == EINVAL)
3181 tempcond = FALSE;
3182 else
3183 {
3184 expand_string_message = string_sprintf("crypt error: %s\n",
3185 US strerror(errno));
3186 return NULL;
3187 }
3188 }
3189 break;
3190 #endif /* SUPPORT_CRYPTEQ */
3191
3192 case ECOND_INLIST:
3193 case ECOND_INLISTI:
3194 {
3195 const uschar * list = sub[1];
3196 int sep = 0;
3197 uschar *save_iterate_item = iterate_item;
3198 int (*compare)(const uschar *, const uschar *);
3199
3200 DEBUG(D_expand) debug_printf_indent("condition: %s item: %s\n", opname, sub[0]);
3201
3202 tempcond = FALSE;
3203 compare = cond_type == ECOND_INLISTI
3204 ? strcmpic : (int (*)(const uschar *, const uschar *)) strcmp;
3205
3206 while ((iterate_item = string_nextinlist(&list, &sep, NULL, 0)))
3207 {
3208 DEBUG(D_expand) debug_printf_indent(" compare %s\n", iterate_item);
3209 if (compare(sub[0], iterate_item) == 0)
3210 {
3211 tempcond = TRUE;
3212 break;
3213 }
3214 }
3215 iterate_item = save_iterate_item;
3216 }
3217
3218 } /* Switch for comparison conditions */
3219
3220 *yield = tempcond == testfor;
3221 return s; /* End of comparison conditions */
3222
3223
3224 /* and/or: computes logical and/or of several conditions */
3225
3226 case ECOND_AND:
3227 case ECOND_OR:
3228 subcondptr = (yield == NULL) ? NULL : &tempcond;
3229 combined_cond = (cond_type == ECOND_AND);
3230
3231 Uskip_whitespace(&s);
3232 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3233
3234 for (;;)
3235 {
3236 /* {-for-text-editors */
3237 if (Uskip_whitespace(&s) == '}') break;
3238 if (*s != '{') /* }-for-text-editors */
3239 {
3240 expand_string_message = string_sprintf("each subcondition "
3241 "inside an \"%s{...}\" condition must be in its own {}", opname);
3242 return NULL;
3243 }
3244
3245 if (!(s = eval_condition(s+1, resetok, subcondptr)))
3246 {
3247 expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
3248 expand_string_message, opname);
3249 return NULL;
3250 }
3251 Uskip_whitespace(&s);
3252
3253 /* {-for-text-editors */
3254 if (*s++ != '}')
3255 {
3256 /* {-for-text-editors */
3257 expand_string_message = string_sprintf("missing } at end of condition "
3258 "inside \"%s\" group", opname);
3259 return NULL;
3260 }
3261
3262 if (yield)
3263 if (cond_type == ECOND_AND)
3264 {
3265 combined_cond &= tempcond;
3266 if (!combined_cond) subcondptr = NULL; /* once false, don't */
3267 } /* evaluate any more */
3268 else
3269 {
3270 combined_cond |= tempcond;
3271 if (combined_cond) subcondptr = NULL; /* once true, don't */
3272 } /* evaluate any more */
3273 }
3274
3275 if (yield) *yield = (combined_cond == testfor);
3276 return ++s;
3277
3278
3279 /* forall/forany: iterates a condition with different values */
3280
3281 case ECOND_FORALL: is_forany = FALSE; is_json = FALSE; is_jsons = FALSE; goto FORMANY;
3282 case ECOND_FORANY: is_forany = TRUE; is_json = FALSE; is_jsons = FALSE; goto FORMANY;
3283 case ECOND_FORALL_JSON: is_forany = FALSE; is_json = TRUE; is_jsons = FALSE; goto FORMANY;
3284 case ECOND_FORANY_JSON: is_forany = TRUE; is_json = TRUE; is_jsons = FALSE; goto FORMANY;
3285 case ECOND_FORALL_JSONS: is_forany = FALSE; is_json = TRUE; is_jsons = TRUE; goto FORMANY;
3286 case ECOND_FORANY_JSONS: is_forany = TRUE; is_json = TRUE; is_jsons = TRUE; goto FORMANY;
3287
3288 FORMANY:
3289 {
3290 const uschar * list;
3291 int sep = 0;
3292 uschar *save_iterate_item = iterate_item;
3293
3294 DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
3295
3296 Uskip_whitespace(&s);
3297 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3298 if (!(sub[0] = expand_string_internal(s, TRUE, &s, yield == NULL, TRUE, resetok)))
3299 return NULL;
3300 /* {-for-text-editors */
3301 if (*s++ != '}') goto COND_FAILED_CURLY_END;
3302
3303 Uskip_whitespace(&s);
3304 if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3305
3306 sub[1] = s;
3307
3308 /* Call eval_condition once, with result discarded (as if scanning a
3309 "false" part). This allows us to find the end of the condition, because if
3310 the list it empty, we won't actually evaluate the condition for real. */
3311
3312 if (!(s = eval_condition(sub[1], resetok, NULL)))
3313 {
3314 expand_string_message = string_sprintf("%s inside \"%s\" condition",
3315 expand_string_message, opname);
3316 return NULL;
3317 }
3318 Uskip_whitespace(&s);
3319
3320 /* {-for-text-editors */
3321 if (*s++ != '}')
3322 {
3323 /* {-for-text-editors */
3324 expand_string_message = string_sprintf("missing } at end of condition "
3325 "inside \"%s\"", opname);
3326 return NULL;
3327 }
3328
3329 if (yield) *yield = !testfor;
3330 list = sub[0];
3331 if (is_json) list = dewrap(string_copy(list), US"[]");
3332 while ((iterate_item = is_json
3333 ? json_nextinlist(&list) : string_nextinlist(&list, &sep, NULL, 0)))
3334 {
3335 if (is_jsons)
3336 if (!(iterate_item = dewrap(iterate_item, US"\"\"")))
3337 {
3338 expand_string_message =
3339 string_sprintf("%s wrapping string result for extract jsons",
3340 expand_string_message);
3341 iterate_item = save_iterate_item;
3342 return NULL;
3343 }
3344
3345 DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", opname, iterate_item);
3346 if (!eval_condition(sub[1], resetok, &tempcond))
3347 {
3348 expand_string_message = string_sprintf("%s inside \"%s\" condition",
3349 expand_string_message, opname);
3350 iterate_item = save_iterate_item;
3351 return NULL;
3352 }
3353 DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", opname,
3354 tempcond? "true":"false");
3355
3356 if (yield) *yield = (tempcond == testfor);
3357 if (tempcond == is_forany) break;
3358 }
3359
3360 iterate_item = save_iterate_item;
3361 return s;
3362 }
3363
3364
3365 /* The bool{} expansion condition maps a string to boolean.
3366 The values supported should match those supported by the ACL condition
3367 (acl.c, ACLC_CONDITION) so that we keep to a minimum the different ideas
3368 of true/false. Note that Router "condition" rules have a different
3369 interpretation, where general data can be used and only a few values
3370 map to FALSE.
3371 Note that readconf.c boolean matching, for boolean configuration options,
3372 only matches true/yes/false/no.
3373 The bool_lax{} condition matches the Router logic, which is much more
3374 liberal. */
3375 case ECOND_BOOL:
3376 case ECOND_BOOL_LAX:
3377 {
3378 uschar *sub_arg[1];
3379 uschar *t, *t2;
3380 uschar *ourname;
3381 size_t len;
3382 BOOL boolvalue = FALSE;
3383
3384 if (Uskip_whitespace(&s) != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
3385 ourname = cond_type == ECOND_BOOL_LAX ? US"bool_lax" : US"bool";
3386 switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname, resetok))
3387 {
3388 case 1: expand_string_message = string_sprintf(
3389 "too few arguments or bracketing error for %s",
3390 ourname);
3391 /*FALLTHROUGH*/
3392 case 2:
3393 case 3: return NULL;
3394 }
3395 t = sub_arg[0];
3396 Uskip_whitespace(&t);
3397 if ((len = Ustrlen(t)))
3398 {
3399 /* trailing whitespace: seems like a good idea to ignore it too */
3400 t2 = t + len - 1;
3401 while (isspace(*t2)) t2--;
3402 if (t2 != (t + len))
3403 {
3404 *++t2 = '\0';
3405 len = t2 - t;
3406 }
3407 }
3408 DEBUG(D_expand)
3409 debug_printf_indent("considering %s: %s\n", ourname, len ? t : US"<empty>");
3410 /* logic for the lax case from expand_check_condition(), which also does
3411 expands, and the logic is both short and stable enough that there should
3412 be no maintenance burden from replicating it. */
3413 if (len == 0)
3414 boolvalue = FALSE;
3415 else if (*t == '-'
3416 ? Ustrspn(t+1, "0123456789") == len-1
3417 : Ustrspn(t, "0123456789") == len)
3418 {
3419 boolvalue = (Uatoi(t) == 0) ? FALSE : TRUE;
3420 /* expand_check_condition only does a literal string "0" check */
3421 if ((cond_type == ECOND_BOOL_LAX) && (len > 1))
3422 boolvalue = TRUE;
3423 }
3424 else if (strcmpic(t, US"true") == 0 || strcmpic(t, US"yes") == 0)
3425 boolvalue = TRUE;
3426 else if (strcmpic(t, US"false") == 0 || strcmpic(t, US"no") == 0)
3427 boolvalue = FALSE;
3428 else if (cond_type == ECOND_BOOL_LAX)
3429 boolvalue = TRUE;
3430 else
3431 {
3432 expand_string_message = string_sprintf("unrecognised boolean "
3433 "value \"%s\"", t);
3434 return NULL;
3435 }
3436 DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", ourname,
3437 boolvalue? "true":"false");
3438 if (yield) *yield = (boolvalue == testfor);
3439 return s;
3440 }
3441
3442 #ifdef SUPPORT_SRS
3443 case ECOND_INBOUND_SRS:
3444 /* ${if inbound_srs {local_part}{secret} {yes}{no}} */
3445 {
3446 uschar * sub[2];
3447 const pcre * re;
3448 int ovec[3*(4+1)];
3449 int n, quoting = 0;
3450 uschar cksum[4];
3451 BOOL boolvalue = FALSE;
3452
3453 switch(read_subs(sub, 2, 2, CUSS &s, yield == NULL, FALSE, name, resetok))
3454 {
3455 case 1: expand_string_message = US"too few arguments or bracketing "
3456 "error for inbound_srs";
3457 case 2:
3458 case 3: return NULL;
3459 }
3460
3461 /* Match the given local_part against the SRS-encoded pattern */
3462
3463 re = regex_must_compile(US"^(?i)SRS0=([^=]+)=([A-Z2-7]+)=([^=]*)=(.*)$",
3464 TRUE, FALSE);
3465 if (pcre_exec(re, NULL, CS sub[0], Ustrlen(sub[0]), 0, PCRE_EOPT,
3466 ovec, nelem(ovec)) < 0)
3467 {
3468 DEBUG(D_expand) debug_printf("no match for SRS'd local-part pattern\n");
3469 goto srs_result;
3470 }
3471
3472 if (sub[0][0] == '"')
3473 quoting = 1;
3474 else for (uschar * s = sub[0]; *s; s++)
3475 if (!isalnum(*s) && Ustrchr(".!#$%&'*+-/=?^_`{|}~", *s) == NULL)
3476 { quoting = 1; break; }
3477 if (quoting)
3478 DEBUG(D_expand) debug_printf_indent("auto-quoting local part\n");
3479
3480 /* Record the (quoted, if needed) decoded recipient as $srs_recipient */
3481
3482 srs_recipient = string_sprintf("%.*s%.*S%.*s@%.*S", /* lowercased */
3483 quoting, "\"",
3484 ovec[9]-ovec[8], sub[0] + ovec[8], /* substring 4 */
3485 quoting, "\"",
3486 ovec[7]-ovec[6], sub[0] + ovec[6]); /* substring 3 */
3487
3488 /* If a zero-length secret was given, we're done. Otherwise carry on
3489 and validate the given SRS local_part againt our secret. */
3490
3491 if (!*sub[1])
3492 {
3493 boolvalue = TRUE;
3494 goto srs_result;
3495 }
3496
3497 /* check the timestamp */
3498 {
3499 struct timeval now;
3500 uschar * ss = sub[0] + ovec[4]; /* substring 2, the timestamp */
3501 long d;
3502
3503 gettimeofday(&now, NULL);
3504 now.tv_sec /= 86400; /* days since epoch */
3505
3506 /* Decode substring 2 from base32 to a number */
3507
3508 for (d = 0, n = ovec[5]-ovec[4]; n; n--)
3509 {
3510 uschar * t = Ustrchr(base32_chars, *ss++);
3511 d = d * 32 + (t - base32_chars);
3512 }
3513
3514 if (((now.tv_sec - d) & 0x3ff) > 10) /* days since SRS generated */
3515 {
3516 DEBUG(D_expand) debug_printf("SRS too old\n");
3517 goto srs_result;
3518 }
3519 }
3520
3521 /* check length of substring 1, the offered checksum */
3522
3523 if (ovec[3]-ovec[2] != 4)
3524 {
3525 DEBUG(D_expand) debug_printf("SRS checksum wrong size\n");
3526 goto srs_result;
3527 }
3528
3529 /* Hash the address with our secret, and compare that computed checksum
3530 with the one extracted from the arg */
3531
3532 hmac_md5(sub[1], srs_recipient, cksum, sizeof(cksum));
3533 if (Ustrncmp(cksum, sub[0] + ovec[2], 4) != 0)
3534 {
3535 DEBUG(D_expand) debug_printf("SRS checksum mismatch\n");
3536 goto srs_result;
3537 }
3538 boolvalue = TRUE;
3539
3540 srs_result:
3541 if (yield) *yield = (boolvalue == testfor);
3542 return s;
3543 }
3544 #endif /*SUPPORT_SRS*/
3545
3546 /* Unknown condition */
3547
3548 default:
3549 if (!expand_string_message || !*expand_string_message)
3550 expand_string_message = string_sprintf("unknown condition \"%s\"", opname);
3551 return NULL;
3552 } /* End switch on condition type */
3553
3554 /* Missing braces at start and end of data */
3555
3556 COND_FAILED_CURLY_START:
3557 expand_string_message = string_sprintf("missing { after \"%s\"", opname);
3558 return NULL;
3559
3560 COND_FAILED_CURLY_END:
3561 expand_string_message = string_sprintf("missing } at end of \"%s\" condition",
3562 opname);
3563 return NULL;
3564
3565 /* A condition requires code that is not compiled */
3566
3567 #if !defined(SUPPORT_PAM) || !defined(RADIUS_CONFIG_FILE) || \
3568 !defined(LOOKUP_LDAP) || !defined(CYRUS_PWCHECK_SOCKET) || \
3569 !defined(SUPPORT_CRYPTEQ) || !defined(CYRUS_SASLAUTHD_SOCKET)
3570 COND_FAILED_NOT_COMPILED:
3571 expand_string_message = string_sprintf("support for \"%s\" not compiled",
3572 opname);
3573 return NULL;
3574 #endif
3575 }
3576
3577
3578
3579
3580 /*************************************************
3581 * Save numerical variables *
3582 *************************************************/
3583
3584 /* This function is called from items such as "if" that want to preserve and
3585 restore the numbered variables.
3586
3587 Arguments:
3588 save_expand_string points to an array of pointers to set
3589 save_expand_nlength points to an array of ints for the lengths
3590
3591 Returns: the value of expand max to save
3592 */
3593
3594 static int
save_expand_strings(uschar ** save_expand_nstring,int * save_expand_nlength)3595 save_expand_strings(uschar **save_expand_nstring, int *save_expand_nlength)
3596 {
3597 for (int i = 0; i <= expand_nmax; i++)
3598 {
3599 save_expand_nstring[i] = expand_nstring[i];
3600 save_expand_nlength[i] = expand_nlength[i];
3601 }
3602 return expand_nmax;
3603 }
3604
3605
3606
3607 /*************************************************
3608 * Restore numerical variables *
3609 *************************************************/
3610
3611 /* This function restored saved values of numerical strings.
3612
3613 Arguments:
3614 save_expand_nmax the number of strings to restore
3615 save_expand_string points to an array of pointers
3616 save_expand_nlength points to an array of ints
3617
3618 Returns: nothing
3619 */
3620
3621 static void
restore_expand_strings(int save_expand_nmax,uschar ** save_expand_nstring,int * save_expand_nlength)3622 restore_expand_strings(int save_expand_nmax, uschar **save_expand_nstring,
3623 int *save_expand_nlength)
3624 {
3625 expand_nmax = save_expand_nmax;
3626 for (int i = 0; i <= expand_nmax; i++)
3627 {
3628 expand_nstring[i] = save_expand_nstring[i];
3629 expand_nlength[i] = save_expand_nlength[i];
3630 }
3631 }
3632
3633
3634
3635
3636
3637 /*************************************************
3638 * Handle yes/no substrings *
3639 *************************************************/
3640
3641 /* This function is used by ${if}, ${lookup} and ${extract} to handle the
3642 alternative substrings that depend on whether or not the condition was true,
3643 or the lookup or extraction succeeded. The substrings always have to be
3644 expanded, to check their syntax, but "skipping" is set when the result is not
3645 needed - this avoids unnecessary nested lookups.
3646
3647 Arguments:
3648 skipping TRUE if we were skipping when this item was reached
3649 yes TRUE if the first string is to be used, else use the second
3650 save_lookup a value to put back into lookup_value before the 2nd expansion
3651 sptr points to the input string pointer
3652 yieldptr points to the output growable-string pointer
3653 type "lookup", "if", "extract", "run", "env", "listextract" or
3654 "certextract" for error message
3655 resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
3656 the store.
3657
3658 Returns: 0 OK; lookup_value has been reset to save_lookup
3659 1 expansion failed
3660 2 expansion failed because of bracketing error
3661 */
3662
3663 static int
process_yesno(BOOL skipping,BOOL yes,uschar * save_lookup,const uschar ** sptr,gstring ** yieldptr,uschar * type,BOOL * resetok)3664 process_yesno(BOOL skipping, BOOL yes, uschar *save_lookup, const uschar **sptr,
3665 gstring ** yieldptr, uschar *type, BOOL *resetok)
3666 {
3667 int rc = 0;
3668 const uschar *s = *sptr; /* Local value */
3669 uschar *sub1, *sub2;
3670 const uschar * errwhere;
3671
3672 /* If there are no following strings, we substitute the contents of $value for
3673 lookups and for extractions in the success case. For the ${if item, the string
3674 "true" is substituted. In the fail case, nothing is substituted for all three
3675 items. */
3676
3677 if (skip_whitespace(&s) == '}')
3678 {
3679 if (type[0] == 'i')
3680 {
3681 if (yes && !skipping)
3682 *yieldptr = string_catn(*yieldptr, US"true", 4);
3683 }
3684 else
3685 {
3686 if (yes && lookup_value && !skipping)
3687 *yieldptr = string_cat(*yieldptr, lookup_value);
3688 lookup_value = save_lookup;
3689 }
3690 s++;
3691 goto RETURN;
3692 }
3693
3694 /* The first following string must be braced. */
3695
3696 if (*s++ != '{')
3697 {
3698 errwhere = US"'yes' part did not start with '{'";
3699 goto FAILED_CURLY;
3700 }
3701
3702 /* Expand the first substring. Forced failures are noticed only if we actually
3703 want this string. Set skipping in the call in the fail case (this will always
3704 be the case if we were already skipping). */
3705
3706 sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok);
3707 if (sub1 == NULL && (yes || !f.expand_string_forcedfail)) goto FAILED;
3708 f.expand_string_forcedfail = FALSE;
3709 if (*s++ != '}')
3710 {
3711 errwhere = US"'yes' part did not end with '}'";
3712 goto FAILED_CURLY;
3713 }
3714
3715 /* If we want the first string, add it to the output */
3716
3717 if (yes)
3718 *yieldptr = string_cat(*yieldptr, sub1);
3719
3720 /* If this is called from a lookup/env or a (cert)extract, we want to restore
3721 $value to what it was at the start of the item, so that it has this value
3722 during the second string expansion. For the call from "if" or "run" to this
3723 function, save_lookup is set to lookup_value, so that this statement does
3724 nothing. */
3725
3726 lookup_value = save_lookup;
3727
3728 /* There now follows either another substring, or "fail", or nothing. This
3729 time, forced failures are noticed only if we want the second string. We must
3730 set skipping in the nested call if we don't want this string, or if we were
3731 already skipping. */
3732
3733 if (skip_whitespace(&s) == '{')
3734 {
3735 sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok);
3736 if (sub2 == NULL && (!yes || !f.expand_string_forcedfail)) goto FAILED;
3737 f.expand_string_forcedfail = FALSE;
3738 if (*s++ != '}')
3739 {
3740 errwhere = US"'no' part did not start with '{'";
3741 goto FAILED_CURLY;
3742 }
3743
3744 /* If we want the second string, add it to the output */
3745
3746 if (!yes)
3747 *yieldptr = string_cat(*yieldptr, sub2);
3748 }
3749
3750 /* If there is no second string, but the word "fail" is present when the use of
3751 the second string is wanted, set a flag indicating it was a forced failure
3752 rather than a syntactic error. Swallow the terminating } in case this is nested
3753 inside another lookup or if or extract. */
3754
3755 else if (*s != '}')
3756 {
3757 uschar name[256];
3758 /* deconst cast ok here as source is s anyway */
3759 s = US read_name(name, sizeof(name), s, US"_");
3760 if (Ustrcmp(name, "fail") == 0)
3761 {
3762 if (!yes && !skipping)
3763 {
3764 Uskip_whitespace(&s);
3765 if (*s++ != '}')
3766 {
3767 errwhere = US"did not close with '}' after forcedfail";
3768 goto FAILED_CURLY;
3769 }
3770 expand_string_message =
3771 string_sprintf("\"%s\" failed and \"fail\" requested", type);
3772 f.expand_string_forcedfail = TRUE;
3773 goto FAILED;
3774 }
3775 }
3776 else
3777 {
3778 expand_string_message =
3779 string_sprintf("syntax error in \"%s\" item - \"fail\" expected", type);
3780 goto FAILED;
3781 }
3782 }
3783
3784 /* All we have to do now is to check on the final closing brace. */
3785
3786 skip_whitespace(&s);
3787 if (*s++ != '}')
3788 {
3789 errwhere = US"did not close with '}'";
3790 goto FAILED_CURLY;
3791 }
3792
3793
3794 RETURN:
3795 /* Update the input pointer value before returning */
3796 *sptr = s;
3797 return rc;
3798
3799 FAILED_CURLY:
3800 /* Get here if there is a bracketing failure */
3801 expand_string_message = string_sprintf(
3802 "curly-bracket problem in conditional yes/no parsing: %s\n"
3803 " remaining string is '%s'", errwhere, --s);
3804 rc = 2;
3805 goto RETURN;
3806
3807 FAILED:
3808 /* Get here for other failures */
3809 rc = 1;
3810 goto RETURN;
3811 }
3812
3813
3814
3815
3816 /********************************************************
3817 * prvs: Get last three digits of days since Jan 1, 1970 *
3818 ********************************************************/
3819
3820 /* This is needed to implement the "prvs" BATV reverse
3821 path signing scheme
3822
3823 Argument: integer "days" offset to add or substract to
3824 or from the current number of days.
3825
3826 Returns: pointer to string containing the last three
3827 digits of the number of days since Jan 1, 1970,
3828 modified by the offset argument, NULL if there
3829 was an error in the conversion.
3830
3831 */
3832
3833 static uschar *
prvs_daystamp(int day_offset)3834 prvs_daystamp(int day_offset)
3835 {
3836 uschar *days = store_get(32, FALSE); /* Need at least 24 for cases */
3837 (void)string_format(days, 32, TIME_T_FMT, /* where TIME_T_FMT is %lld */
3838 (time(NULL) + day_offset*86400)/86400);
3839 return (Ustrlen(days) >= 3) ? &days[Ustrlen(days)-3] : US"100";
3840 }
3841
3842
3843
3844 /********************************************************
3845 * prvs: perform HMAC-SHA1 computation of prvs bits *
3846 ********************************************************/
3847
3848 /* This is needed to implement the "prvs" BATV reverse
3849 path signing scheme
3850
3851 Arguments:
3852 address RFC2821 Address to use
3853 key The key to use (must be less than 64 characters
3854 in size)
3855 key_num Single-digit key number to use. Defaults to
3856 '0' when NULL.
3857
3858 Returns: pointer to string containing the first three
3859 bytes of the final hash in hex format, NULL if
3860 there was an error in the process.
3861 */
3862
3863 static uschar *
prvs_hmac_sha1(uschar * address,uschar * key,uschar * key_num,uschar * daystamp)3864 prvs_hmac_sha1(uschar *address, uschar *key, uschar *key_num, uschar *daystamp)
3865 {
3866 gstring * hash_source;
3867 uschar * p;
3868 hctx h;
3869 uschar innerhash[20];
3870 uschar finalhash[20];
3871 uschar innerkey[64];
3872 uschar outerkey[64];
3873 uschar *finalhash_hex;
3874
3875 if (!key_num)
3876 key_num = US"0";
3877
3878 if (Ustrlen(key) > 64)
3879 return NULL;
3880
3881 hash_source = string_catn(NULL, key_num, 1);
3882 hash_source = string_catn(hash_source, daystamp, 3);
3883 hash_source = string_cat(hash_source, address);
3884 (void) string_from_gstring(hash_source);
3885
3886 DEBUG(D_expand)
3887 debug_printf_indent("prvs: hash source is '%s'\n", hash_source->s);
3888
3889 memset(innerkey, 0x36, 64);
3890 memset(outerkey, 0x5c, 64);
3891
3892 for (int i = 0; i < Ustrlen(key); i++)
3893 {
3894 innerkey[i] ^= key[i];
3895 outerkey[i] ^= key[i];
3896 }
3897
3898 chash_start(HMAC_SHA1, &h);
3899 chash_mid(HMAC_SHA1, &h, innerkey);
3900 chash_end(HMAC_SHA1, &h, hash_source->s, hash_source->ptr, innerhash);
3901
3902 chash_start(HMAC_SHA1, &h);
3903 chash_mid(HMAC_SHA1, &h, outerkey);
3904 chash_end(HMAC_SHA1, &h, innerhash, 20, finalhash);
3905
3906 /* Hashing is deemed sufficient to de-taint any input data */
3907
3908 p = finalhash_hex = store_get(40, FALSE);
3909 for (int i = 0; i < 3; i++)
3910 {
3911 *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
3912 *p++ = hex_digits[finalhash[i] & 0x0f];
3913 }
3914 *p = '\0';
3915
3916 return finalhash_hex;
3917 }
3918
3919
3920
3921
3922 /*************************************************
3923 * Join a file onto the output string *
3924 *************************************************/
3925
3926 /* This is used for readfile/readsock and after a run expansion.
3927 It joins the contents of a file onto the output string, globally replacing
3928 newlines with a given string (optionally).
3929
3930 Arguments:
3931 f the FILE
3932 yield pointer to the expandable string struct
3933 eol newline replacement string, or NULL
3934
3935 Returns: new pointer for expandable string, terminated if non-null
3936 */
3937
3938 gstring *
cat_file(FILE * f,gstring * yield,uschar * eol)3939 cat_file(FILE *f, gstring *yield, uschar *eol)
3940 {
3941 uschar buffer[1024];
3942
3943 while (Ufgets(buffer, sizeof(buffer), f))
3944 {
3945 int len = Ustrlen(buffer);
3946 if (eol && buffer[len-1] == '\n') len--;
3947 yield = string_catn(yield, buffer, len);
3948 if (eol && buffer[len])
3949 yield = string_cat(yield, eol);
3950 }
3951
3952 (void) string_from_gstring(yield);
3953 return yield;
3954 }
3955
3956
3957 #ifndef DISABLE_TLS
3958 gstring *
cat_file_tls(void * tls_ctx,gstring * yield,uschar * eol)3959 cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
3960 {
3961 int rc;
3962 uschar buffer[1024];
3963
3964 /*XXX could we read direct into a pre-grown string? */
3965
3966 while ((rc = tls_read(tls_ctx, buffer, sizeof(buffer))) > 0)
3967 for (uschar * s = buffer; rc--; s++)
3968 yield = eol && *s == '\n'
3969 ? string_cat(yield, eol) : string_catn(yield, s, 1);
3970
3971 /* We assume that all errors, and any returns of zero bytes,
3972 are actually EOF. */
3973
3974 (void) string_from_gstring(yield);
3975 return yield;
3976 }
3977 #endif
3978
3979
3980 /*************************************************
3981 * Evaluate numeric expression *
3982 *************************************************/
3983
3984 /* This is a set of mutually recursive functions that evaluate an arithmetic
3985 expression involving + - * / % & | ^ ~ << >> and parentheses. The only one of
3986 these functions that is called from elsewhere is eval_expr, whose interface is:
3987
3988 Arguments:
3989 sptr pointer to the pointer to the string - gets updated
3990 decimal TRUE if numbers are to be assumed decimal
3991 error pointer to where to put an error message - must be NULL on input
3992 endket TRUE if ')' must terminate - FALSE for external call
3993
3994 Returns: on success: the value of the expression, with *error still NULL
3995 on failure: an undefined value, with *error = a message
3996 */
3997
3998 static int_eximarith_t eval_op_or(uschar **, BOOL, uschar **);
3999
4000
4001 static int_eximarith_t
eval_expr(uschar ** sptr,BOOL decimal,uschar ** error,BOOL endket)4002 eval_expr(uschar **sptr, BOOL decimal, uschar **error, BOOL endket)
4003 {
4004 uschar *s = *sptr;
4005 int_eximarith_t x = eval_op_or(&s, decimal, error);
4006
4007 if (!*error)
4008 if (endket)
4009 if (*s != ')')
4010 *error = US"expecting closing parenthesis";
4011 else
4012 while (isspace(*++s));
4013 else if (*s)
4014 *error = US"expecting operator";
4015 *sptr = s;
4016 return x;
4017 }
4018
4019
4020 static int_eximarith_t
eval_number(uschar ** sptr,BOOL decimal,uschar ** error)4021 eval_number(uschar **sptr, BOOL decimal, uschar **error)
4022 {
4023 int c;
4024 int_eximarith_t n;
4025 uschar *s = *sptr;
4026
4027 if (isdigit((c = Uskip_whitespace(&s))))
4028 {
4029 int count;
4030 (void)sscanf(CS s, (decimal? SC_EXIM_DEC "%n" : SC_EXIM_ARITH "%n"), &n, &count);
4031 s += count;
4032 switch (tolower(*s))
4033 {
4034 default: break;
4035 case 'k': n *= 1024; s++; break;
4036 case 'm': n *= 1024*1024; s++; break;
4037 case 'g': n *= 1024*1024*1024; s++; break;
4038 }
4039 Uskip_whitespace(&s);
4040 }
4041 else if (c == '(')
4042 {
4043 s++;
4044 n = eval_expr(&s, decimal, error, 1);
4045 }
4046 else
4047 {
4048 *error = US"expecting number or opening parenthesis";
4049 n = 0;
4050 }
4051 *sptr = s;
4052 return n;
4053 }
4054
4055
4056 static int_eximarith_t
eval_op_unary(uschar ** sptr,BOOL decimal,uschar ** error)4057 eval_op_unary(uschar **sptr, BOOL decimal, uschar **error)
4058 {
4059 uschar *s = *sptr;
4060 int_eximarith_t x;
4061 Uskip_whitespace(&s);
4062 if (*s == '+' || *s == '-' || *s == '~')
4063 {
4064 int op = *s++;
4065 x = eval_op_unary(&s, decimal, error);
4066 if (op == '-') x = -x;
4067 else if (op == '~') x = ~x;
4068 }
4069 else
4070 x = eval_number(&s, decimal, error);
4071
4072 *sptr = s;
4073 return x;
4074 }
4075
4076
4077 static int_eximarith_t
eval_op_mult(uschar ** sptr,BOOL decimal,uschar ** error)4078 eval_op_mult(uschar **sptr, BOOL decimal, uschar **error)
4079 {
4080 uschar *s = *sptr;
4081 int_eximarith_t x = eval_op_unary(&s, decimal, error);
4082 if (!*error)
4083 {
4084 while (*s == '*' || *s == '/' || *s == '%')
4085 {
4086 int op = *s++;
4087 int_eximarith_t y = eval_op_unary(&s, decimal, error);
4088 if (*error) break;
4089 /* SIGFPE both on div/mod by zero and on INT_MIN / -1, which would give
4090 * a value of INT_MAX+1. Note that INT_MIN * -1 gives INT_MIN for me, which
4091 * is a bug somewhere in [gcc 4.2.1, FreeBSD, amd64]. In fact, -N*-M where
4092 * -N*M is INT_MIN will yield INT_MIN.
4093 * Since we don't support floating point, this is somewhat simpler.
4094 * Ideally, we'd return an error, but since we overflow for all other
4095 * arithmetic, consistency suggests otherwise, but what's the correct value
4096 * to use? There is none.
4097 * The C standard guarantees overflow for unsigned arithmetic but signed
4098 * overflow invokes undefined behaviour; in practice, this is overflow
4099 * except for converting INT_MIN to INT_MAX+1. We also can't guarantee
4100 * that long/longlong larger than int are available, or we could just work
4101 * with larger types. We should consider whether to guarantee 32bit eval
4102 * and 64-bit working variables, with errors returned. For now ...
4103 * So, the only SIGFPEs occur with a non-shrinking div/mod, thus -1; we
4104 * can just let the other invalid results occur otherwise, as they have
4105 * until now. For this one case, we can coerce.
4106 */
4107 if (y == -1 && x == EXIM_ARITH_MIN && op != '*')
4108 {
4109 DEBUG(D_expand)
4110 debug_printf("Integer exception dodging: " PR_EXIM_ARITH "%c-1 coerced to " PR_EXIM_ARITH "\n",
4111 EXIM_ARITH_MIN, op, EXIM_ARITH_MAX);
4112 x = EXIM_ARITH_MAX;
4113 continue;
4114 }
4115 if (op == '*')
4116 x *= y;
4117 else
4118 {
4119 if (y == 0)
4120 {
4121 *error = (op == '/') ? US"divide by zero" : US"modulo by zero";
4122 x = 0;
4123 break;
4124 }
4125 if (op == '/')
4126 x /= y;
4127 else
4128 x %= y;
4129 }
4130 }
4131 }
4132 *sptr = s;
4133 return x;
4134 }
4135
4136
4137 static int_eximarith_t
eval_op_sum(uschar ** sptr,BOOL decimal,uschar ** error)4138 eval_op_sum(uschar **sptr, BOOL decimal, uschar **error)
4139 {
4140 uschar *s = *sptr;
4141 int_eximarith_t x = eval_op_mult(&s, decimal, error);
4142 if (!*error)
4143 {
4144 while (*s == '+' || *s == '-')
4145 {
4146 int op = *s++;
4147 int_eximarith_t y = eval_op_mult(&s, decimal, error);
4148 if (*error) break;
4149 if ( (x >= EXIM_ARITH_MAX/2 && x >= EXIM_ARITH_MAX/2)
4150 || (x <= -(EXIM_ARITH_MAX/2) && y <= -(EXIM_ARITH_MAX/2)))
4151 { /* over-conservative check */
4152 *error = op == '+'
4153 ? US"overflow in sum" : US"overflow in difference";
4154 break;
4155 }
4156 if (op == '+') x += y; else x -= y;
4157 }
4158 }
4159 *sptr = s;
4160 return x;
4161 }
4162
4163
4164 static int_eximarith_t
eval_op_shift(uschar ** sptr,BOOL decimal,uschar ** error)4165 eval_op_shift(uschar **sptr, BOOL decimal, uschar **error)
4166 {
4167 uschar *s = *sptr;
4168 int_eximarith_t x = eval_op_sum(&s, decimal, error);
4169 if (!*error)
4170 {
4171 while ((*s == '<' || *s == '>') && s[1] == s[0])
4172 {
4173 int_eximarith_t y;
4174 int op = *s++;
4175 s++;
4176 y = eval_op_sum(&s, decimal, error);
4177 if (*error) break;
4178 if (op == '<') x <<= y; else x >>= y;
4179 }
4180 }
4181 *sptr = s;
4182 return x;
4183 }
4184
4185
4186 static int_eximarith_t
eval_op_and(uschar ** sptr,BOOL decimal,uschar ** error)4187 eval_op_and(uschar **sptr, BOOL decimal, uschar **error)
4188 {
4189 uschar *s = *sptr;
4190 int_eximarith_t x = eval_op_shift(&s, decimal, error);
4191 if (!*error)
4192 {
4193 while (*s == '&')
4194 {
4195 int_eximarith_t y;
4196 s++;
4197 y = eval_op_shift(&s, decimal, error);
4198 if (*error) break;
4199 x &= y;
4200 }
4201 }
4202 *sptr = s;
4203 return x;
4204 }
4205
4206
4207 static int_eximarith_t
eval_op_xor(uschar ** sptr,BOOL decimal,uschar ** error)4208 eval_op_xor(uschar **sptr, BOOL decimal, uschar **error)
4209 {
4210 uschar *s = *sptr;
4211 int_eximarith_t x = eval_op_and(&s, decimal, error);
4212 if (!*error)
4213 {
4214 while (*s == '^')
4215 {
4216 int_eximarith_t y;
4217 s++;
4218 y = eval_op_and(&s, decimal, error);
4219 if (*error) break;
4220 x ^= y;
4221 }
4222 }
4223 *sptr = s;
4224 return x;
4225 }
4226
4227
4228 static int_eximarith_t
eval_op_or(uschar ** sptr,BOOL decimal,uschar ** error)4229 eval_op_or(uschar **sptr, BOOL decimal, uschar **error)
4230 {
4231 uschar *s = *sptr;
4232 int_eximarith_t x = eval_op_xor(&s, decimal, error);
4233 if (!*error)
4234 {
4235 while (*s == '|')
4236 {
4237 int_eximarith_t y;
4238 s++;
4239 y = eval_op_xor(&s, decimal, error);
4240 if (*error) break;
4241 x |= y;
4242 }
4243 }
4244 *sptr = s;
4245 return x;
4246 }
4247
4248
4249
4250 /************************************************/
4251 /* Comparison operation for sort expansion. We need to avoid
4252 re-expanding the fields being compared, so need a custom routine.
4253
4254 Arguments:
4255 cond_type Comparison operator code
4256 leftarg, rightarg Arguments for comparison
4257
4258 Return true iff (leftarg compare rightarg)
4259 */
4260
4261 static BOOL
sortsbefore(int cond_type,BOOL alpha_cond,const uschar * leftarg,const uschar * rightarg)4262 sortsbefore(int cond_type, BOOL alpha_cond,
4263 const uschar * leftarg, const uschar * rightarg)
4264 {
4265 int_eximarith_t l_num, r_num;
4266
4267 if (!alpha_cond)
4268 {
4269 l_num = expanded_string_integer(leftarg, FALSE);
4270 if (expand_string_message) return FALSE;
4271 r_num = expanded_string_integer(rightarg, FALSE);
4272 if (expand_string_message) return FALSE;
4273
4274 switch (cond_type)
4275 {
4276 case ECOND_NUM_G: return l_num > r_num;
4277 case ECOND_NUM_GE: return l_num >= r_num;
4278 case ECOND_NUM_L: return l_num < r_num;
4279 case ECOND_NUM_LE: return l_num <= r_num;
4280 default: break;
4281 }
4282 }
4283 else
4284 switch (cond_type)
4285 {
4286 case ECOND_STR_LT: return Ustrcmp (leftarg, rightarg) < 0;
4287 case ECOND_STR_LTI: return strcmpic(leftarg, rightarg) < 0;
4288 case ECOND_STR_LE: return Ustrcmp (leftarg, rightarg) <= 0;
4289 case ECOND_STR_LEI: return strcmpic(leftarg, rightarg) <= 0;
4290 case ECOND_STR_GT: return Ustrcmp (leftarg, rightarg) > 0;
4291 case ECOND_STR_GTI: return strcmpic(leftarg, rightarg) > 0;
4292 case ECOND_STR_GE: return Ustrcmp (leftarg, rightarg) >= 0;
4293 case ECOND_STR_GEI: return strcmpic(leftarg, rightarg) >= 0;
4294 default: break;
4295 }
4296 return FALSE; /* should not happen */
4297 }
4298
4299
4300 /* Expand a named list. Return false on failure. */
4301 static gstring *
expand_listnamed(gstring * yield,const uschar * name,const uschar * listtype)4302 expand_listnamed(gstring * yield, const uschar * name, const uschar * listtype)
4303 {
4304 tree_node *t = NULL;
4305 const uschar * list;
4306 int sep = 0;
4307 uschar * item;
4308 uschar * suffix = US"";
4309 BOOL needsep = FALSE;
4310 #define LISTNAMED_BUF_SIZE 256
4311 uschar b[LISTNAMED_BUF_SIZE];
4312 uschar * buffer = b;
4313
4314 if (*name == '+') name++;
4315 if (!listtype) /* no-argument version */
4316 {
4317 if ( !(t = tree_search(addresslist_anchor, name))
4318 && !(t = tree_search(domainlist_anchor, name))
4319 && !(t = tree_search(hostlist_anchor, name)))
4320 t = tree_search(localpartlist_anchor, name);
4321 }
4322 else switch(*listtype) /* specific list-type version */
4323 {
4324 case 'a': t = tree_search(addresslist_anchor, name); suffix = US"_a"; break;
4325 case 'd': t = tree_search(domainlist_anchor, name); suffix = US"_d"; break;
4326 case 'h': t = tree_search(hostlist_anchor, name); suffix = US"_h"; break;
4327 case 'l': t = tree_search(localpartlist_anchor, name); suffix = US"_l"; break;
4328 default:
4329 expand_string_message = US"bad suffix on \"list\" operator";
4330 return yield;
4331 }
4332
4333 if(!t)
4334 {
4335 expand_string_message = string_sprintf("\"%s\" is not a %snamed list",
4336 name, !listtype?""
4337 : *listtype=='a'?"address "
4338 : *listtype=='d'?"domain "
4339 : *listtype=='h'?"host "
4340 : *listtype=='l'?"localpart "
4341 : 0);
4342 return yield;
4343 }
4344
4345 list = ((namedlist_block *)(t->data.ptr))->string;
4346
4347 /* The list could be quite long so we (re)use a buffer for each element
4348 rather than getting each in new memory */
4349
4350 if (is_tainted(list)) buffer = store_get(LISTNAMED_BUF_SIZE, TRUE);
4351 while ((item = string_nextinlist(&list, &sep, buffer, LISTNAMED_BUF_SIZE)))
4352 {
4353 uschar * buf = US" : ";
4354 if (needsep)
4355 yield = string_catn(yield, buf, 3);
4356 else
4357 needsep = TRUE;
4358
4359 if (*item == '+') /* list item is itself a named list */
4360 {
4361 yield = expand_listnamed(yield, item, listtype);
4362 if (expand_string_message)
4363 return yield;
4364 }
4365
4366 else if (sep != ':') /* item from non-colon-sep list, re-quote for colon list-separator */
4367 {
4368 char tok[3];
4369 tok[0] = sep; tok[1] = ':'; tok[2] = 0;
4370
4371 for(char * cp; cp = strpbrk(CCS item, tok); item = US cp)
4372 {
4373 yield = string_catn(yield, item, cp - CS item);
4374 if (*cp++ == ':') /* colon in a non-colon-sep list item, needs doubling */
4375 yield = string_catn(yield, US"::", 2);
4376 else /* sep in item; should already be doubled; emit once */
4377 {
4378 yield = string_catn(yield, US tok, 1);
4379 if (*cp == sep) cp++;
4380 }
4381 }
4382 yield = string_cat(yield, item);
4383 }
4384 else
4385 yield = string_cat(yield, item);
4386 }
4387 return yield;
4388 }
4389
4390
4391
4392 /*************************************************
4393 * Expand string *
4394 *************************************************/
4395
4396 /* Returns either an unchanged string, or the expanded string in stacking pool
4397 store. Interpreted sequences are:
4398
4399 \... normal escaping rules
4400 $name substitutes the variable
4401 ${name} ditto
4402 ${op:string} operates on the expanded string value
4403 ${item{arg1}{arg2}...} expands the args and then does the business
4404 some literal args are not enclosed in {}
4405
4406 There are now far too many operators and item types to make it worth listing
4407 them here in detail any more.
4408
4409 We use an internal routine recursively to handle embedded substrings. The
4410 external function follows. The yield is NULL if the expansion failed, and there
4411 are two cases: if something collapsed syntactically, or if "fail" was given
4412 as the action on a lookup failure. These can be distinguished by looking at the
4413 variable expand_string_forcedfail, which is TRUE in the latter case.
4414
4415 The skipping flag is set true when expanding a substring that isn't actually
4416 going to be used (after "if" or "lookup") and it prevents lookups from
4417 happening lower down.
4418
4419 Store usage: At start, a store block of the length of the input plus 64
4420 is obtained. This is expanded as necessary by string_cat(), which might have to
4421 get a new block, or might be able to expand the original. At the end of the
4422 function we can release any store above that portion of the yield block that
4423 was actually used. In many cases this will be optimal.
4424
4425 However: if the first item in the expansion is a variable name or header name,
4426 we reset the store before processing it; if the result is in fresh store, we
4427 use that without copying. This is helpful for expanding strings like
4428 $message_headers which can get very long.
4429
4430 There's a problem if a ${dlfunc item has side-effects that cause allocation,
4431 since resetting the store at the end of the expansion will free store that was
4432 allocated by the plugin code as well as the slop after the expanded string. So
4433 we skip any resets if ${dlfunc } has been used. The same applies for ${acl }
4434 and, given the acl condition, ${if }. This is an unfortunate consequence of
4435 string expansion becoming too powerful.
4436
4437 Arguments:
4438 string the string to be expanded
4439 ket_ends true if expansion is to stop at }
4440 left if not NULL, a pointer to the first character after the
4441 expansion is placed here (typically used with ket_ends)
4442 skipping TRUE for recursive calls when the value isn't actually going
4443 to be used (to allow for optimisation)
4444 honour_dollar TRUE if $ is to be expanded,
4445 FALSE if it's just another character
4446 resetok_p if not NULL, pointer to flag - write FALSE if unsafe to reset
4447 the store.
4448
4449 Returns: NULL if expansion fails:
4450 expand_string_forcedfail is set TRUE if failure was forced
4451 expand_string_message contains a textual error message
4452 a pointer to the expanded string on success
4453 */
4454
4455 static uschar *
expand_string_internal(const uschar * string,BOOL ket_ends,const uschar ** left,BOOL skipping,BOOL honour_dollar,BOOL * resetok_p)4456 expand_string_internal(const uschar *string, BOOL ket_ends, const uschar **left,
4457 BOOL skipping, BOOL honour_dollar, BOOL *resetok_p)
4458 {
4459 rmark reset_point = store_mark();
4460 gstring * yield = string_get(Ustrlen(string) + 64);
4461 int item_type;
4462 const uschar *s = string;
4463 uschar *save_expand_nstring[EXPAND_MAXN+1];
4464 int save_expand_nlength[EXPAND_MAXN+1];
4465 BOOL resetok = TRUE;
4466
4467 expand_level++;
4468 DEBUG(D_expand)
4469 DEBUG(D_noutf8)
4470 debug_printf_indent("/%s: %s\n",
4471 skipping ? "---scanning" : "considering", string);
4472 else
4473 debug_printf_indent(UTF8_DOWN_RIGHT "%s: %s\n",
4474 skipping
4475 ? UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ "scanning"
4476 : "considering",
4477 string);
4478
4479 f.expand_string_forcedfail = FALSE;
4480 expand_string_message = US"";
4481
4482 { uschar *m;
4483 if ((m = is_tainted2(string, LOG_MAIN|LOG_PANIC, "Tainted string '%s' in expansion", s)))
4484 {
4485 expand_string_message = m;
4486 goto EXPAND_FAILED;
4487 }
4488 }
4489
4490 while (*s)
4491 {
4492 uschar *value;
4493 uschar name[256];
4494
4495 /* \ escapes the next character, which must exist, or else
4496 the expansion fails. There's a special escape, \N, which causes
4497 copying of the subject verbatim up to the next \N. Otherwise,
4498 the escapes are the standard set. */
4499
4500 if (*s == '\\')
4501 {
4502 if (s[1] == 0)
4503 {
4504 expand_string_message = US"\\ at end of string";
4505 goto EXPAND_FAILED;
4506 }
4507
4508 if (s[1] == 'N')
4509 {
4510 const uschar * t = s + 2;
4511 for (s = t; *s != 0; s++) if (*s == '\\' && s[1] == 'N') break;
4512 yield = string_catn(yield, t, s - t);
4513 if (*s != 0) s += 2;
4514 }
4515
4516 else
4517 {
4518 uschar ch[1];
4519 ch[0] = string_interpret_escape(&s);
4520 s++;
4521 yield = string_catn(yield, ch, 1);
4522 }
4523
4524 continue;
4525 }
4526
4527 /*{*/
4528 /* Anything other than $ is just copied verbatim, unless we are
4529 looking for a terminating } character. */
4530
4531 /*{*/
4532 if (ket_ends && *s == '}') break;
4533
4534 if (*s != '$' || !honour_dollar)
4535 {
4536 yield = string_catn(yield, s++, 1);
4537 continue;
4538 }
4539
4540 /* No { after the $ - must be a plain name or a number for string
4541 match variable. There has to be a fudge for variables that are the
4542 names of header fields preceded by "$header_" because header field
4543 names can contain any printing characters except space and colon.
4544 For those that don't like typing this much, "$h_" is a synonym for
4545 "$header_". A non-existent header yields a NULL value; nothing is
4546 inserted. */ /*}*/
4547
4548 if (isalpha((*(++s))))
4549 {
4550 int len;
4551 int newsize = 0;
4552 gstring * g = NULL;
4553 uschar * t;
4554
4555 s = read_name(name, sizeof(name), s, US"_");
4556
4557 /* If this is the first thing to be expanded, release the pre-allocated
4558 buffer. */
4559
4560 if (!yield)
4561 g = store_get(sizeof(gstring), FALSE);
4562 else if (yield->ptr == 0)
4563 {
4564 if (resetok) reset_point = store_reset(reset_point);
4565 yield = NULL;
4566 reset_point = store_mark();
4567 g = store_get(sizeof(gstring), FALSE); /* alloc _before_ calling find_variable() */
4568 }
4569
4570 /* Header */
4571
4572 if ( ( *(t = name) == 'h'
4573 || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
4574 )
4575 && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
4576 )
4577 {
4578 unsigned flags = *name == 'r' ? FH_WANT_RAW
4579 : *name == 'l' ? FH_WANT_RAW|FH_WANT_LIST
4580 : 0;
4581 uschar * charset = *name == 'b' ? NULL : headers_charset;
4582
4583 s = read_header_name(name, sizeof(name), s);
4584 value = find_header(name, &newsize, flags, charset);
4585
4586 /* If we didn't find the header, and the header contains a closing brace
4587 character, this may be a user error where the terminating colon
4588 has been omitted. Set a flag to adjust the error message in this case.
4589 But there is no error here - nothing gets inserted. */
4590
4591 if (!value)
4592 {
4593 if (Ustrchr(name, '}')) malformed_header = TRUE;
4594 continue;
4595 }
4596 }
4597
4598 /* Variable */
4599
4600 else if (!(value = find_variable(name, FALSE, skipping, &newsize)))
4601 {
4602 expand_string_message =
4603 string_sprintf("unknown variable name \"%s\"", name);
4604 check_variable_error_message(name);
4605 goto EXPAND_FAILED;
4606 }
4607
4608 /* If the data is known to be in a new buffer, newsize will be set to the
4609 size of that buffer. If this is the first thing in an expansion string,
4610 yield will be NULL; just point it at the new store instead of copying. Many
4611 expansion strings contain just one reference, so this is a useful
4612 optimization, especially for humungous headers. We need to use a gstring
4613 structure that is not allocated after that new-buffer, else a later store
4614 reset in the middle of the buffer will make it inaccessible. */
4615
4616 len = Ustrlen(value);
4617 if (!yield && newsize != 0)
4618 {
4619 yield = g;
4620 yield->size = newsize;
4621 yield->ptr = len;
4622 yield->s = value;
4623 }
4624 else
4625 yield = string_catn(yield, value, len);
4626
4627 continue;
4628 }
4629
4630 if (isdigit(*s))
4631 {
4632 int n;
4633 s = read_cnumber(&n, s);
4634 if (n >= 0 && n <= expand_nmax)
4635 yield = string_catn(yield, expand_nstring[n], expand_nlength[n]);
4636 continue;
4637 }
4638
4639 /* Otherwise, if there's no '{' after $ it's an error. */ /*}*/
4640
4641 if (*s != '{') /*}*/
4642 {
4643 expand_string_message = US"$ not followed by letter, digit, or {"; /*}*/
4644 goto EXPAND_FAILED;
4645 }
4646
4647 /* After { there can be various things, but they all start with
4648 an initial word, except for a number for a string match variable. */
4649
4650 if (isdigit((*(++s))))
4651 {
4652 int n;
4653 s = read_cnumber(&n, s); /*{*/
4654 if (*s++ != '}')
4655 { /*{*/
4656 expand_string_message = US"} expected after number";
4657 goto EXPAND_FAILED;
4658 }
4659 if (n >= 0 && n <= expand_nmax)
4660 yield = string_catn(yield, expand_nstring[n], expand_nlength[n]);
4661 continue;
4662 }
4663
4664 if (!isalpha(*s))
4665 {
4666 expand_string_message = US"letter or digit expected after ${"; /*}*/
4667 goto EXPAND_FAILED;
4668 }
4669
4670 /* Allow "-" in names to cater for substrings with negative
4671 arguments. Since we are checking for known names after { this is
4672 OK. */
4673
4674 s = read_name(name, sizeof(name), s, US"_-");
4675 item_type = chop_match(name, item_table, nelem(item_table));
4676
4677 switch(item_type)
4678 {
4679 /* Call an ACL from an expansion. We feed data in via $acl_arg1 - $acl_arg9.
4680 If the ACL returns accept or reject we return content set by "message ="
4681 There is currently no limit on recursion; this would have us call
4682 acl_check_internal() directly and get a current level from somewhere.
4683 See also the acl expansion condition ECOND_ACL and the traditional
4684 acl modifier ACLC_ACL.
4685 Assume that the function has side-effects on the store that must be preserved.
4686 */
4687
4688 case EITEM_ACL:
4689 /* ${acl {name} {arg1}{arg2}...} */
4690 {
4691 uschar *sub[10]; /* name + arg1-arg9 (which must match number of acl_arg[]) */
4692 uschar *user_msg;
4693 int rc;
4694
4695 switch(read_subs(sub, nelem(sub), 1, &s, skipping, TRUE, name,
4696 &resetok))
4697 {
4698 case 1: goto EXPAND_FAILED_CURLY;
4699 case 2:
4700 case 3: goto EXPAND_FAILED;
4701 }
4702 if (skipping) continue;
4703
4704 resetok = FALSE;
4705 switch(rc = eval_acl(sub, nelem(sub), &user_msg))
4706 {
4707 case OK:
4708 case FAIL:
4709 DEBUG(D_expand)
4710 debug_printf_indent("acl expansion yield: %s\n", user_msg);
4711 if (user_msg)
4712 yield = string_cat(yield, user_msg);
4713 continue;
4714
4715 case DEFER:
4716 f.expand_string_forcedfail = TRUE;
4717 /*FALLTHROUGH*/
4718 default:
4719 expand_string_message = string_sprintf("%s from acl \"%s\"",
4720 rc_names[rc], sub[0]);
4721 goto EXPAND_FAILED;
4722 }
4723 }
4724
4725 case EITEM_AUTHRESULTS:
4726 /* ${authresults {mysystemname}} */
4727 {
4728 uschar *sub_arg[1];
4729
4730 switch(read_subs(sub_arg, nelem(sub_arg), 1, &s, skipping, TRUE, name,
4731 &resetok))
4732 {
4733 case 1: goto EXPAND_FAILED_CURLY;
4734 case 2:
4735 case 3: goto EXPAND_FAILED;
4736 }
4737
4738 yield = string_append(yield, 3,
4739 US"Authentication-Results: ", sub_arg[0], US"; none");
4740 yield->ptr -= 6;
4741
4742 yield = authres_local(yield, sub_arg[0]);
4743 yield = authres_iprev(yield);
4744 yield = authres_smtpauth(yield);
4745 #ifdef SUPPORT_SPF
4746 yield = authres_spf(yield);
4747 #endif
4748 #ifndef DISABLE_DKIM
4749 yield = authres_dkim(yield);
4750 #endif
4751 #ifdef SUPPORT_DMARC
4752 yield = authres_dmarc(yield);
4753 #endif
4754 #ifdef EXPERIMENTAL_ARC
4755 yield = authres_arc(yield);
4756 #endif
4757 continue;
4758 }
4759
4760 /* Handle conditionals - preserve the values of the numerical expansion
4761 variables in case they get changed by a regular expression match in the
4762 condition. If not, they retain their external settings. At the end
4763 of this "if" section, they get restored to their previous values. */
4764
4765 case EITEM_IF:
4766 {
4767 BOOL cond = FALSE;
4768 const uschar *next_s;
4769 int save_expand_nmax =
4770 save_expand_strings(save_expand_nstring, save_expand_nlength);
4771
4772 Uskip_whitespace(&s);
4773 if (!(next_s = eval_condition(s, &resetok, skipping ? NULL : &cond)))
4774 goto EXPAND_FAILED; /* message already set */
4775
4776 DEBUG(D_expand)
4777 DEBUG(D_noutf8)
4778 {
4779 debug_printf_indent("|--condition: %.*s\n", (int)(next_s - s), s);
4780 debug_printf_indent("|-----result: %s\n", cond ? "true" : "false");
4781 }
4782 else
4783 {
4784 debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
4785 "condition: %.*s\n",
4786 (int)(next_s - s), s);
4787 debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
4788 UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
4789 "result: %s\n",
4790 cond ? "true" : "false");
4791 }
4792
4793 s = next_s;
4794
4795 /* The handling of "yes" and "no" result strings is now in a separate
4796 function that is also used by ${lookup} and ${extract} and ${run}. */
4797
4798 switch(process_yesno(
4799 skipping, /* were previously skipping */
4800 cond, /* success/failure indicator */
4801 lookup_value, /* value to reset for string2 */
4802 &s, /* input pointer */
4803 &yield, /* output pointer */
4804 US"if", /* condition type */
4805 &resetok))
4806 {
4807 case 1: goto EXPAND_FAILED; /* when all is well, the */
4808 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
4809 }
4810
4811 /* Restore external setting of expansion variables for continuation
4812 at this level. */
4813
4814 restore_expand_strings(save_expand_nmax, save_expand_nstring,
4815 save_expand_nlength);
4816 continue;
4817 }
4818
4819 #ifdef SUPPORT_I18N
4820 case EITEM_IMAPFOLDER:
4821 { /* ${imapfolder {name}{sep]{specials}} */
4822 uschar *sub_arg[3];
4823 uschar *encoded;
4824
4825 switch(read_subs(sub_arg, nelem(sub_arg), 1, &s, skipping, TRUE, name,
4826 &resetok))
4827 {
4828 case 1: goto EXPAND_FAILED_CURLY;
4829 case 2:
4830 case 3: goto EXPAND_FAILED;
4831 }
4832
4833 if (!sub_arg[1]) /* One argument */
4834 {
4835 sub_arg[1] = US"/"; /* default separator */
4836 sub_arg[2] = NULL;
4837 }
4838 else if (Ustrlen(sub_arg[1]) != 1)
4839 {
4840 expand_string_message =
4841 string_sprintf(
4842 "IMAP folder separator must be one character, found \"%s\"",
4843 sub_arg[1]);
4844 goto EXPAND_FAILED;
4845 }
4846
4847 if (!skipping)
4848 {
4849 if (!(encoded = imap_utf7_encode(sub_arg[0], headers_charset,
4850 sub_arg[1][0], sub_arg[2], &expand_string_message)))
4851 goto EXPAND_FAILED;
4852 yield = string_cat(yield, encoded);
4853 }
4854 continue;
4855 }
4856 #endif
4857
4858 /* Handle database lookups unless locked out. If "skipping" is TRUE, we are
4859 expanding an internal string that isn't actually going to be used. All we
4860 need to do is check the syntax, so don't do a lookup at all. Preserve the
4861 values of the numerical expansion variables in case they get changed by a
4862 partial lookup. If not, they retain their external settings. At the end
4863 of this "lookup" section, they get restored to their previous values. */
4864
4865 case EITEM_LOOKUP:
4866 {
4867 int stype, partial, affixlen, starflags;
4868 int expand_setup = 0;
4869 int nameptr = 0;
4870 uschar *key, *filename;
4871 const uschar * affix, * opts;
4872 uschar *save_lookup_value = lookup_value;
4873 int save_expand_nmax =
4874 save_expand_strings(save_expand_nstring, save_expand_nlength);
4875
4876 if (expand_forbid & RDO_LOOKUP)
4877 {
4878 expand_string_message = US"lookup expansions are not permitted";
4879 goto EXPAND_FAILED;
4880 }
4881
4882 /* Get the key we are to look up for single-key+file style lookups.
4883 Otherwise set the key NULL pro-tem. */
4884
4885 if (Uskip_whitespace(&s) == '{') /*}*/
4886 {
4887 key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
4888 if (!key) goto EXPAND_FAILED; /*{{*/
4889 if (*s++ != '}')
4890 {
4891 expand_string_message = US"missing '}' after lookup key";
4892 goto EXPAND_FAILED_CURLY;
4893 }
4894 Uskip_whitespace(&s);
4895 }
4896 else key = NULL;
4897
4898 /* Find out the type of database */
4899
4900 if (!isalpha(*s))
4901 {
4902 expand_string_message = US"missing lookup type";
4903 goto EXPAND_FAILED;
4904 }
4905
4906 /* The type is a string that may contain special characters of various
4907 kinds. Allow everything except space or { to appear; the actual content
4908 is checked by search_findtype_partial. */ /*}*/
4909
4910 while (*s && *s != '{' && !isspace(*s)) /*}*/
4911 {
4912 if (nameptr < sizeof(name) - 1) name[nameptr++] = *s;
4913 s++;
4914 }
4915 name[nameptr] = '\0';
4916 Uskip_whitespace(&s);
4917
4918 /* Now check for the individual search type and any partial or default
4919 options. Only those types that are actually in the binary are valid. */
4920
4921 if ((stype = search_findtype_partial(name, &partial, &affix, &affixlen,
4922 &starflags, &opts)) < 0)
4923 {
4924 expand_string_message = search_error_message;
4925 goto EXPAND_FAILED;
4926 }
4927
4928 /* Check that a key was provided for those lookup types that need it,
4929 and was not supplied for those that use the query style. */
4930
4931 if (!mac_islookup(stype, lookup_querystyle|lookup_absfilequery))
4932 {
4933 if (!key)
4934 {
4935 expand_string_message = string_sprintf("missing {key} for single-"
4936 "key \"%s\" lookup", name);
4937 goto EXPAND_FAILED;
4938 }
4939 }
4940 else
4941 {
4942 if (key)
4943 {
4944 expand_string_message = string_sprintf("a single key was given for "
4945 "lookup type \"%s\", which is not a single-key lookup type", name);
4946 goto EXPAND_FAILED;
4947 }
4948 }
4949
4950 /* Get the next string in brackets and expand it. It is the file name for
4951 single-key+file lookups, and the whole query otherwise. In the case of
4952 queries that also require a file name (e.g. sqlite), the file name comes
4953 first. */
4954
4955 if (*s != '{')
4956 {
4957 expand_string_message = US"missing '{' for lookup file-or-query arg";
4958 goto EXPAND_FAILED_CURLY;
4959 }
4960 if (!(filename = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok)))
4961 goto EXPAND_FAILED;
4962 if (*s++ != '}')
4963 {
4964 expand_string_message = US"missing '}' closing lookup file-or-query arg";
4965 goto EXPAND_FAILED_CURLY;
4966 }
4967 Uskip_whitespace(&s);
4968
4969 /* If this isn't a single-key+file lookup, re-arrange the variables
4970 to be appropriate for the search_ functions. For query-style lookups,
4971 there is just a "key", and no file name. For the special query-style +
4972 file types, the query (i.e. "key") starts with a file name. */
4973
4974 if (!key)
4975 key = search_args(stype, name, filename, &filename, opts);
4976
4977 /* If skipping, don't do the next bit - just lookup_value == NULL, as if
4978 the entry was not found. Note that there is no search_close() function.
4979 Files are left open in case of re-use. At suitable places in higher logic,
4980 search_tidyup() is called to tidy all open files. This can save opening
4981 the same file several times. However, files may also get closed when
4982 others are opened, if too many are open at once. The rule is that a
4983 handle should not be used after a second search_open().
4984
4985 Request that a partial search sets up $1 and maybe $2 by passing
4986 expand_setup containing zero. If its value changes, reset expand_nmax,
4987 since new variables will have been set. Note that at the end of this
4988 "lookup" section, the old numeric variables are restored. */
4989
4990 if (skipping)
4991 lookup_value = NULL;
4992 else
4993 {
4994 void *handle = search_open(filename, stype, 0, NULL, NULL);
4995 if (!handle)
4996 {
4997 expand_string_message = search_error_message;
4998 goto EXPAND_FAILED;
4999 }
5000 lookup_value = search_find(handle, filename, key, partial, affix,
5001 affixlen, starflags, &expand_setup, opts);
5002 if (f.search_find_defer)
5003 {
5004 expand_string_message =
5005 string_sprintf("lookup of \"%s\" gave DEFER: %s",
5006 string_printing2(key, SP_TAB), search_error_message);
5007 goto EXPAND_FAILED;
5008 }
5009 if (expand_setup > 0) expand_nmax = expand_setup;
5010 }
5011
5012 /* The handling of "yes" and "no" result strings is now in a separate
5013 function that is also used by ${if} and ${extract}. */
5014
5015 switch(process_yesno(
5016 skipping, /* were previously skipping */
5017 lookup_value != NULL, /* success/failure indicator */
5018 save_lookup_value, /* value to reset for string2 */
5019 &s, /* input pointer */
5020 &yield, /* output pointer */
5021 US"lookup", /* condition type */
5022 &resetok))
5023 {
5024 case 1: goto EXPAND_FAILED; /* when all is well, the */
5025 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
5026 }
5027
5028 /* Restore external setting of expansion variables for carrying on
5029 at this level, and continue. */
5030
5031 restore_expand_strings(save_expand_nmax, save_expand_nstring,
5032 save_expand_nlength);
5033 continue;
5034 }
5035
5036 /* If Perl support is configured, handle calling embedded perl subroutines,
5037 unless locked out at this time. Syntax is ${perl{sub}} or ${perl{sub}{arg}}
5038 or ${perl{sub}{arg1}{arg2}} or up to a maximum of EXIM_PERL_MAX_ARGS
5039 arguments (defined below). */
5040
5041 #define EXIM_PERL_MAX_ARGS 8
5042
5043 case EITEM_PERL:
5044 #ifndef EXIM_PERL
5045 expand_string_message = US"\"${perl\" encountered, but this facility " /*}*/
5046 "is not included in this binary";
5047 goto EXPAND_FAILED;
5048
5049 #else /* EXIM_PERL */
5050 {
5051 uschar *sub_arg[EXIM_PERL_MAX_ARGS + 2];
5052 gstring *new_yield;
5053
5054 if ((expand_forbid & RDO_PERL) != 0)
5055 {
5056 expand_string_message = US"Perl calls are not permitted";
5057 goto EXPAND_FAILED;
5058 }
5059
5060 switch(read_subs(sub_arg, EXIM_PERL_MAX_ARGS + 1, 1, &s, skipping, TRUE,
5061 name, &resetok))
5062 {
5063 case 1: goto EXPAND_FAILED_CURLY;
5064 case 2:
5065 case 3: goto EXPAND_FAILED;
5066 }
5067
5068 /* If skipping, we don't actually do anything */
5069
5070 if (skipping) continue;
5071
5072 /* Start the interpreter if necessary */
5073
5074 if (!opt_perl_started)
5075 {
5076 uschar *initerror;
5077 if (!opt_perl_startup)
5078 {
5079 expand_string_message = US"A setting of perl_startup is needed when "
5080 "using the Perl interpreter";
5081 goto EXPAND_FAILED;
5082 }
5083 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
5084 if ((initerror = init_perl(opt_perl_startup)))
5085 {
5086 expand_string_message =
5087 string_sprintf("error in perl_startup code: %s\n", initerror);
5088 goto EXPAND_FAILED;
5089 }
5090 opt_perl_started = TRUE;
5091 }
5092
5093 /* Call the function */
5094
5095 sub_arg[EXIM_PERL_MAX_ARGS + 1] = NULL;
5096 new_yield = call_perl_cat(yield, &expand_string_message,
5097 sub_arg[0], sub_arg + 1);
5098
5099 /* NULL yield indicates failure; if the message pointer has been set to
5100 NULL, the yield was undef, indicating a forced failure. Otherwise the
5101 message will indicate some kind of Perl error. */
5102
5103 if (!new_yield)
5104 {
5105 if (!expand_string_message)
5106 {
5107 expand_string_message =
5108 string_sprintf("Perl subroutine \"%s\" returned undef to force "
5109 "failure", sub_arg[0]);
5110 f.expand_string_forcedfail = TRUE;
5111 }
5112 goto EXPAND_FAILED;
5113 }
5114
5115 /* Yield succeeded. Ensure forcedfail is unset, just in case it got
5116 set during a callback from Perl. */
5117
5118 f.expand_string_forcedfail = FALSE;
5119 yield = new_yield;
5120 continue;
5121 }
5122 #endif /* EXIM_PERL */
5123
5124 /* Transform email address to "prvs" scheme to use
5125 as BATV-signed return path */
5126
5127 case EITEM_PRVS:
5128 {
5129 uschar *sub_arg[3];
5130 uschar *p,*domain;
5131
5132 switch(read_subs(sub_arg, 3, 2, &s, skipping, TRUE, name, &resetok))
5133 {
5134 case 1: goto EXPAND_FAILED_CURLY;
5135 case 2:
5136 case 3: goto EXPAND_FAILED;
5137 }
5138
5139 /* If skipping, we don't actually do anything */
5140 if (skipping) continue;
5141
5142 /* sub_arg[0] is the address */
5143 if ( !(domain = Ustrrchr(sub_arg[0],'@'))
5144 || domain == sub_arg[0] || Ustrlen(domain) == 1)
5145 {
5146 expand_string_message = US"prvs first argument must be a qualified email address";
5147 goto EXPAND_FAILED;
5148 }
5149
5150 /* Calculate the hash. The third argument must be a single-digit
5151 key number, or unset. */
5152
5153 if ( sub_arg[2]
5154 && (!isdigit(sub_arg[2][0]) || sub_arg[2][1] != 0))
5155 {
5156 expand_string_message = US"prvs third argument must be a single digit";
5157 goto EXPAND_FAILED;
5158 }
5159
5160 p = prvs_hmac_sha1(sub_arg[0], sub_arg[1], sub_arg[2], prvs_daystamp(7));
5161 if (!p)
5162 {
5163 expand_string_message = US"prvs hmac-sha1 conversion failed";
5164 goto EXPAND_FAILED;
5165 }
5166
5167 /* Now separate the domain from the local part */
5168 *domain++ = '\0';
5169
5170 yield = string_catn(yield, US"prvs=", 5);
5171 yield = string_catn(yield, sub_arg[2] ? sub_arg[2] : US"0", 1);
5172 yield = string_catn(yield, prvs_daystamp(7), 3);
5173 yield = string_catn(yield, p, 6);
5174 yield = string_catn(yield, US"=", 1);
5175 yield = string_cat (yield, sub_arg[0]);
5176 yield = string_catn(yield, US"@", 1);
5177 yield = string_cat (yield, domain);
5178
5179 continue;
5180 }
5181
5182 /* Check a prvs-encoded address for validity */
5183
5184 case EITEM_PRVSCHECK:
5185 {
5186 uschar *sub_arg[3];
5187 gstring * g;
5188 const pcre *re;
5189 uschar *p;
5190
5191 /* TF: Ugliness: We want to expand parameter 1 first, then set
5192 up expansion variables that are used in the expansion of
5193 parameter 2. So we clone the string for the first
5194 expansion, where we only expand parameter 1.
5195
5196 PH: Actually, that isn't necessary. The read_subs() function is
5197 designed to work this way for the ${if and ${lookup expansions. I've
5198 tidied the code.
5199 */
5200
5201 /* Reset expansion variables */
5202 prvscheck_result = NULL;
5203 prvscheck_address = NULL;
5204 prvscheck_keynum = NULL;
5205
5206 switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, name, &resetok))
5207 {
5208 case 1: goto EXPAND_FAILED_CURLY;
5209 case 2:
5210 case 3: goto EXPAND_FAILED;
5211 }
5212
5213 re = regex_must_compile(US"^prvs\\=([0-9])([0-9]{3})([A-F0-9]{6})\\=(.+)\\@(.+)$",
5214 TRUE,FALSE);
5215
5216 if (regex_match_and_setup(re,sub_arg[0],0,-1))
5217 {
5218 uschar *local_part = string_copyn(expand_nstring[4],expand_nlength[4]);
5219 uschar *key_num = string_copyn(expand_nstring[1],expand_nlength[1]);
5220 uschar *daystamp = string_copyn(expand_nstring[2],expand_nlength[2]);
5221 uschar *hash = string_copyn(expand_nstring[3],expand_nlength[3]);
5222 uschar *domain = string_copyn(expand_nstring[5],expand_nlength[5]);
5223
5224 DEBUG(D_expand) debug_printf_indent("prvscheck localpart: %s\n", local_part);
5225 DEBUG(D_expand) debug_printf_indent("prvscheck key number: %s\n", key_num);
5226 DEBUG(D_expand) debug_printf_indent("prvscheck daystamp: %s\n", daystamp);
5227 DEBUG(D_expand) debug_printf_indent("prvscheck hash: %s\n", hash);
5228 DEBUG(D_expand) debug_printf_indent("prvscheck domain: %s\n", domain);
5229
5230 /* Set up expansion variables */
5231 g = string_cat (NULL, local_part);
5232 g = string_catn(g, US"@", 1);
5233 g = string_cat (g, domain);
5234 prvscheck_address = string_from_gstring(g);
5235 prvscheck_keynum = string_copy(key_num);
5236
5237 /* Now expand the second argument */
5238 switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, name, &resetok))
5239 {
5240 case 1: goto EXPAND_FAILED_CURLY;
5241 case 2:
5242 case 3: goto EXPAND_FAILED;
5243 }
5244
5245 /* Now we have the key and can check the address. */
5246
5247 p = prvs_hmac_sha1(prvscheck_address, sub_arg[0], prvscheck_keynum,
5248 daystamp);
5249
5250 if (!p)
5251 {
5252 expand_string_message = US"hmac-sha1 conversion failed";
5253 goto EXPAND_FAILED;
5254 }
5255
5256 DEBUG(D_expand) debug_printf_indent("prvscheck: received hash is %s\n", hash);
5257 DEBUG(D_expand) debug_printf_indent("prvscheck: own hash is %s\n", p);
5258
5259 if (Ustrcmp(p,hash) == 0)
5260 {
5261 /* Success, valid BATV address. Now check the expiry date. */
5262 uschar *now = prvs_daystamp(0);
5263 unsigned int inow = 0,iexpire = 1;
5264
5265 (void)sscanf(CS now,"%u",&inow);
5266 (void)sscanf(CS daystamp,"%u",&iexpire);
5267
5268 /* When "iexpire" is < 7, a "flip" has occurred.
5269 Adjust "inow" accordingly. */
5270 if ( (iexpire < 7) && (inow >= 993) ) inow = 0;
5271
5272 if (iexpire >= inow)
5273 {
5274 prvscheck_result = US"1";
5275 DEBUG(D_expand) debug_printf_indent("prvscheck: success, $pvrs_result set to 1\n");
5276 }
5277 else
5278 {
5279 prvscheck_result = NULL;
5280 DEBUG(D_expand) debug_printf_indent("prvscheck: signature expired, $pvrs_result unset\n");
5281 }
5282 }
5283 else
5284 {
5285 prvscheck_result = NULL;
5286 DEBUG(D_expand) debug_printf_indent("prvscheck: hash failure, $pvrs_result unset\n");
5287 }
5288
5289 /* Now expand the final argument. We leave this till now so that
5290 it can include $prvscheck_result. */
5291
5292 switch(read_subs(sub_arg, 1, 0, &s, skipping, TRUE, name, &resetok))
5293 {
5294 case 1: goto EXPAND_FAILED_CURLY;
5295 case 2:
5296 case 3: goto EXPAND_FAILED;
5297 }
5298
5299 yield = string_cat(yield,
5300 !sub_arg[0] || !*sub_arg[0] ? prvscheck_address : sub_arg[0]);
5301
5302 /* Reset the "internal" variables afterwards, because they are in
5303 dynamic store that will be reclaimed if the expansion succeeded. */
5304
5305 prvscheck_address = NULL;
5306 prvscheck_keynum = NULL;
5307 }
5308 else
5309 /* Does not look like a prvs encoded address, return the empty string.
5310 We need to make sure all subs are expanded first, so as to skip over
5311 the entire item. */
5312
5313 switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, name, &resetok))
5314 {
5315 case 1: goto EXPAND_FAILED_CURLY;
5316 case 2:
5317 case 3: goto EXPAND_FAILED;
5318 }
5319
5320 continue;
5321 }
5322
5323 /* Handle "readfile" to insert an entire file */
5324
5325 case EITEM_READFILE:
5326 {
5327 FILE *f;
5328 uschar *sub_arg[2];
5329
5330 if ((expand_forbid & RDO_READFILE) != 0)
5331 {
5332 expand_string_message = US"file insertions are not permitted";
5333 goto EXPAND_FAILED;
5334 }
5335
5336 switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, name, &resetok))
5337 {
5338 case 1: goto EXPAND_FAILED_CURLY;
5339 case 2:
5340 case 3: goto EXPAND_FAILED;
5341 }
5342
5343 /* If skipping, we don't actually do anything */
5344
5345 if (skipping) continue;
5346
5347 /* Open the file and read it */
5348
5349 if (!(f = Ufopen(sub_arg[0], "rb")))
5350 {
5351 expand_string_message = string_open_failed("%s", sub_arg[0]);
5352 goto EXPAND_FAILED;
5353 }
5354
5355 yield = cat_file(f, yield, sub_arg[1]);
5356 (void)fclose(f);
5357 continue;
5358 }
5359
5360 /* Handle "readsocket" to insert data from a socket, either
5361 Inet or Unix domain */
5362
5363 case EITEM_READSOCK:
5364 {
5365 uschar * arg;
5366 uschar * sub_arg[4];
5367
5368 if (expand_forbid & RDO_READSOCK)
5369 {
5370 expand_string_message = US"socket insertions are not permitted";
5371 goto EXPAND_FAILED;
5372 }
5373
5374 /* Read up to 4 arguments, but don't do the end of item check afterwards,
5375 because there may be a string for expansion on failure. */
5376
5377 switch(read_subs(sub_arg, 4, 2, &s, skipping, FALSE, name, &resetok))
5378 {
5379 case 1: goto EXPAND_FAILED_CURLY;
5380 case 2: /* Won't occur: no end check */
5381 case 3: goto EXPAND_FAILED;
5382 }
5383
5384 /* If skipping, we don't actually do anything. Otherwise, arrange to
5385 connect to either an IP or a Unix socket. */
5386
5387 if (!skipping)
5388 {
5389 int stype = search_findtype(US"readsock", 8);
5390 gstring * g = NULL;
5391 void * handle;
5392 int expand_setup = -1;
5393 uschar * s;
5394
5395 /* If the reqstr is empty, flag that and set a dummy */
5396
5397 if (!sub_arg[1][0])
5398 {
5399 g = string_append_listele(g, ',', US"send=no");
5400 sub_arg[1] = US"DUMMY";
5401 }
5402
5403 /* Re-marshall the options */
5404
5405 if (sub_arg[2])
5406 {
5407 const uschar * list = sub_arg[2];
5408 uschar * item;
5409 int sep = 0;
5410
5411 /* First option has no tag and is timeout */
5412 if ((item = string_nextinlist(&list, &sep, NULL, 0)))
5413 g = string_append_listele(g, ',',
5414 string_sprintf("timeout=%s", item));
5415
5416 /* The rest of the options from the expansion */
5417 while ((item = string_nextinlist(&list, &sep, NULL, 0)))
5418 g = string_append_listele(g, ',', item);
5419
5420 /* possibly plus an EOL string. Process with escapes, to protect
5421 from list-processing. The only current user of eol= in search
5422 options is the readsock expansion. */
5423
5424 if (sub_arg[3] && *sub_arg[3])
5425 g = string_append_listele(g, ',',
5426 string_sprintf("eol=%s",
5427 string_printing2(sub_arg[3], SP_TAB|SP_SPACE)));
5428 }
5429
5430 /* Gat a (possibly cached) handle for the connection */
5431
5432 if (!(handle = search_open(sub_arg[0], stype, 0, NULL, NULL)))
5433 {
5434 if (*expand_string_message) goto EXPAND_FAILED;
5435 expand_string_message = search_error_message;
5436 search_error_message = NULL;
5437 goto SOCK_FAIL;
5438 }
5439
5440 /* Get (possibly cached) results for the lookup */
5441 /* sspec: sub_arg[0] req: sub_arg[1] opts: g */
5442
5443 if ((s = search_find(handle, sub_arg[0], sub_arg[1], -1, NULL, 0, 0,
5444 &expand_setup, string_from_gstring(g))))
5445 yield = string_cat(yield, s);
5446 else if (f.search_find_defer)
5447 {
5448 expand_string_message = search_error_message;
5449 search_error_message = NULL;
5450 goto SOCK_FAIL;
5451 }
5452 else
5453 { /* should not happen, at present */
5454 expand_string_message = search_error_message;
5455 search_error_message = NULL;
5456 goto SOCK_FAIL;
5457 }
5458 }
5459
5460 /* The whole thing has worked (or we were skipping). If there is a
5461 failure string following, we need to skip it. */
5462
5463 if (*s == '{')
5464 {
5465 if (!expand_string_internal(s+1, TRUE, &s, TRUE, TRUE, &resetok))
5466 goto EXPAND_FAILED;
5467 if (*s++ != '}')
5468 {
5469 expand_string_message = US"missing '}' closing failstring for readsocket";
5470 goto EXPAND_FAILED_CURLY;
5471 }
5472 Uskip_whitespace(&s);
5473 }
5474
5475 READSOCK_DONE:
5476 if (*s++ != '}')
5477 {
5478 expand_string_message = US"missing '}' closing readsocket";
5479 goto EXPAND_FAILED_CURLY;
5480 }
5481 continue;
5482
5483 /* Come here on failure to create socket, connect socket, write to the
5484 socket, or timeout on reading. If another substring follows, expand and
5485 use it. Otherwise, those conditions give expand errors. */
5486
5487 SOCK_FAIL:
5488 if (*s != '{') goto EXPAND_FAILED;
5489 DEBUG(D_any) debug_printf("%s\n", expand_string_message);
5490 if (!(arg = expand_string_internal(s+1, TRUE, &s, FALSE, TRUE, &resetok)))
5491 goto EXPAND_FAILED;
5492 yield = string_cat(yield, arg);
5493 if (*s++ != '}')
5494 {
5495 expand_string_message = US"missing '}' closing failstring for readsocket";
5496 goto EXPAND_FAILED_CURLY;
5497 }
5498 Uskip_whitespace(&s);
5499 goto READSOCK_DONE;
5500 }
5501
5502 /* Handle "run" to execute a program. */
5503
5504 case EITEM_RUN:
5505 {
5506 FILE *f;
5507 uschar *arg;
5508 const uschar **argv;
5509 pid_t pid;
5510 int fd_in, fd_out;
5511
5512 if ((expand_forbid & RDO_RUN) != 0)
5513 {
5514 expand_string_message = US"running a command is not permitted";
5515 goto EXPAND_FAILED;
5516 }
5517
5518 Uskip_whitespace(&s);
5519 if (*s != '{')
5520 {
5521 expand_string_message = US"missing '{' for command arg of run";
5522 goto EXPAND_FAILED_CURLY;
5523 }
5524 if (!(arg = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok)))
5525 goto EXPAND_FAILED;
5526 Uskip_whitespace(&s);
5527 if (*s++ != '}')
5528 {
5529 expand_string_message = US"missing '}' closing command arg of run";
5530 goto EXPAND_FAILED_CURLY;
5531 }
5532
5533 if (skipping) /* Just pretend it worked when we're skipping */
5534 {
5535 runrc = 0;
5536 lookup_value = NULL;
5537 }
5538 else
5539 {
5540 if (!transport_set_up_command(&argv, /* anchor for arg list */
5541 arg, /* raw command */
5542 FALSE, /* don't expand the arguments */
5543 0, /* not relevant when... */
5544 NULL, /* no transporting address */
5545 US"${run} expansion", /* for error messages */
5546 &expand_string_message)) /* where to put error message */
5547 goto EXPAND_FAILED;
5548
5549 /* Create the child process, making it a group leader. */
5550
5551 if ((pid = child_open(USS argv, NULL, 0077, &fd_in, &fd_out, TRUE,
5552 US"expand-run")) < 0)
5553 {
5554 expand_string_message =
5555 string_sprintf("couldn't create child process: %s", strerror(errno));
5556 goto EXPAND_FAILED;
5557 }
5558
5559 /* Nothing is written to the standard input. */
5560
5561 (void)close(fd_in);
5562
5563 /* Read the pipe to get the command's output into $value (which is kept
5564 in lookup_value). Read during execution, so that if the output exceeds
5565 the OS pipe buffer limit, we don't block forever. Remember to not release
5566 memory just allocated for $value. */
5567
5568 resetok = FALSE;
5569 f = fdopen(fd_out, "rb");
5570 sigalrm_seen = FALSE;
5571 ALARM(60);
5572 lookup_value = string_from_gstring(cat_file(f, NULL, NULL));
5573 ALARM_CLR(0);
5574 (void)fclose(f);
5575
5576 /* Wait for the process to finish, applying the timeout, and inspect its
5577 return code for serious disasters. Simple non-zero returns are passed on.
5578 */
5579
5580 if (sigalrm_seen || (runrc = child_close(pid, 30)) < 0)
5581 {
5582 if (sigalrm_seen || runrc == -256)
5583 {
5584 expand_string_message = US"command timed out";
5585 killpg(pid, SIGKILL); /* Kill the whole process group */
5586 }
5587
5588 else if (runrc == -257)
5589 expand_string_message = string_sprintf("wait() failed: %s",
5590 strerror(errno));
5591
5592 else
5593 expand_string_message = string_sprintf("command killed by signal %d",
5594 -runrc);
5595
5596 goto EXPAND_FAILED;
5597 }
5598 }
5599
5600 /* Process the yes/no strings; $value may be useful in both cases */
5601
5602 switch(process_yesno(
5603 skipping, /* were previously skipping */
5604 runrc == 0, /* success/failure indicator */
5605 lookup_value, /* value to reset for string2 */
5606 &s, /* input pointer */
5607 &yield, /* output pointer */
5608 US"run", /* condition type */
5609 &resetok))
5610 {
5611 case 1: goto EXPAND_FAILED; /* when all is well, the */
5612 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
5613 }
5614
5615 continue;
5616 }
5617
5618 /* Handle character translation for "tr" */
5619
5620 case EITEM_TR:
5621 {
5622 int oldptr = gstring_length(yield);
5623 int o2m;
5624 uschar *sub[3];
5625
5626 switch(read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
5627 {
5628 case 1: goto EXPAND_FAILED_CURLY;
5629 case 2:
5630 case 3: goto EXPAND_FAILED;
5631 }
5632
5633 yield = string_cat(yield, sub[0]);
5634 o2m = Ustrlen(sub[2]) - 1;
5635
5636 if (o2m >= 0) for (; oldptr < yield->ptr; oldptr++)
5637 {
5638 uschar *m = Ustrrchr(sub[1], yield->s[oldptr]);
5639 if (m)
5640 {
5641 int o = m - sub[1];
5642 yield->s[oldptr] = sub[2][(o < o2m)? o : o2m];
5643 }
5644 }
5645
5646 continue;
5647 }
5648
5649 /* Handle "hash", "length", "nhash", and "substr" when they are given with
5650 expanded arguments. */
5651
5652 case EITEM_HASH:
5653 case EITEM_LENGTH:
5654 case EITEM_NHASH:
5655 case EITEM_SUBSTR:
5656 {
5657 int len;
5658 uschar *ret;
5659 int val[2] = { 0, -1 };
5660 uschar *sub[3];
5661
5662 /* "length" takes only 2 arguments whereas the others take 2 or 3.
5663 Ensure that sub[2] is set in the ${length } case. */
5664
5665 sub[2] = NULL;
5666 switch(read_subs(sub, (item_type == EITEM_LENGTH)? 2:3, 2, &s, skipping,
5667 TRUE, name, &resetok))
5668 {
5669 case 1: goto EXPAND_FAILED_CURLY;
5670 case 2:
5671 case 3: goto EXPAND_FAILED;
5672 }
5673
5674 /* Juggle the arguments if there are only two of them: always move the
5675 string to the last position and make ${length{n}{str}} equivalent to
5676 ${substr{0}{n}{str}}. See the defaults for val[] above. */
5677
5678 if (!sub[2])
5679 {
5680 sub[2] = sub[1];
5681 sub[1] = NULL;
5682 if (item_type == EITEM_LENGTH)
5683 {
5684 sub[1] = sub[0];
5685 sub[0] = NULL;
5686 }
5687 }
5688
5689 for (int i = 0; i < 2; i++) if (sub[i])
5690 {
5691 val[i] = (int)Ustrtol(sub[i], &ret, 10);
5692 if (*ret != 0 || (i != 0 && val[i] < 0))
5693 {
5694 expand_string_message = string_sprintf("\"%s\" is not a%s number "
5695 "(in \"%s\" expansion)", sub[i], (i != 0)? " positive" : "", name);
5696 goto EXPAND_FAILED;
5697 }
5698 }
5699
5700 ret =
5701 item_type == EITEM_HASH
5702 ? compute_hash(sub[2], val[0], val[1], &len)
5703 : item_type == EITEM_NHASH
5704 ? compute_nhash(sub[2], val[0], val[1], &len)
5705 : extract_substr(sub[2], val[0], val[1], &len);
5706 if (!ret)
5707 goto EXPAND_FAILED;
5708 yield = string_catn(yield, ret, len);
5709 continue;
5710 }
5711
5712 /* Handle HMAC computation: ${hmac{<algorithm>}{<secret>}{<text>}}
5713 This code originally contributed by Steve Haslam. It currently supports
5714 the use of MD5 and SHA-1 hashes.
5715
5716 We need some workspace that is large enough to handle all the supported
5717 hash types. Use macros to set the sizes rather than be too elaborate. */
5718
5719 #define MAX_HASHLEN 20
5720 #define MAX_HASHBLOCKLEN 64
5721
5722 case EITEM_HMAC:
5723 {
5724 uschar *sub[3];
5725 md5 md5_base;
5726 hctx sha1_ctx;
5727 void *use_base;
5728 int type;
5729 int hashlen; /* Number of octets for the hash algorithm's output */
5730 int hashblocklen; /* Number of octets the hash algorithm processes */
5731 uschar *keyptr, *p;
5732 unsigned int keylen;
5733
5734 uschar keyhash[MAX_HASHLEN];
5735 uschar innerhash[MAX_HASHLEN];
5736 uschar finalhash[MAX_HASHLEN];
5737 uschar finalhash_hex[2*MAX_HASHLEN];
5738 uschar innerkey[MAX_HASHBLOCKLEN];
5739 uschar outerkey[MAX_HASHBLOCKLEN];
5740
5741 switch (read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
5742 {
5743 case 1: goto EXPAND_FAILED_CURLY;
5744 case 2:
5745 case 3: goto EXPAND_FAILED;
5746 }
5747
5748 if (!skipping)
5749 {
5750 if (Ustrcmp(sub[0], "md5") == 0)
5751 {
5752 type = HMAC_MD5;
5753 use_base = &md5_base;
5754 hashlen = 16;
5755 hashblocklen = 64;
5756 }
5757 else if (Ustrcmp(sub[0], "sha1") == 0)
5758 {
5759 type = HMAC_SHA1;
5760 use_base = &sha1_ctx;
5761 hashlen = 20;
5762 hashblocklen = 64;
5763 }
5764 else
5765 {
5766 expand_string_message =
5767 string_sprintf("hmac algorithm \"%s\" is not recognised", sub[0]);
5768 goto EXPAND_FAILED;
5769 }
5770
5771 keyptr = sub[1];
5772 keylen = Ustrlen(keyptr);
5773
5774 /* If the key is longer than the hash block length, then hash the key
5775 first */
5776
5777 if (keylen > hashblocklen)
5778 {
5779 chash_start(type, use_base);
5780 chash_end(type, use_base, keyptr, keylen, keyhash);
5781 keyptr = keyhash;
5782 keylen = hashlen;
5783 }
5784
5785 /* Now make the inner and outer key values */
5786
5787 memset(innerkey, 0x36, hashblocklen);
5788 memset(outerkey, 0x5c, hashblocklen);
5789
5790 for (int i = 0; i < keylen; i++)
5791 {
5792 innerkey[i] ^= keyptr[i];
5793 outerkey[i] ^= keyptr[i];
5794 }
5795
5796 /* Now do the hashes */
5797
5798 chash_start(type, use_base);
5799 chash_mid(type, use_base, innerkey);
5800 chash_end(type, use_base, sub[2], Ustrlen(sub[2]), innerhash);
5801
5802 chash_start(type, use_base);
5803 chash_mid(type, use_base, outerkey);
5804 chash_end(type, use_base, innerhash, hashlen, finalhash);
5805
5806 /* Encode the final hash as a hex string */
5807
5808 p = finalhash_hex;
5809 for (int i = 0; i < hashlen; i++)
5810 {
5811 *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
5812 *p++ = hex_digits[finalhash[i] & 0x0f];
5813 }
5814
5815 DEBUG(D_any) debug_printf("HMAC[%s](%.*s,%s)=%.*s\n",
5816 sub[0], (int)keylen, keyptr, sub[2], hashlen*2, finalhash_hex);
5817
5818 yield = string_catn(yield, finalhash_hex, hashlen*2);
5819 }
5820 continue;
5821 }
5822
5823 /* Handle global substitution for "sg" - like Perl's s/xxx/yyy/g operator.
5824 We have to save the numerical variables and restore them afterwards. */
5825
5826 case EITEM_SG:
5827 {
5828 const pcre *re;
5829 int moffset, moffsetextra, slen;
5830 int roffset;
5831 int emptyopt;
5832 const uschar *rerror;
5833 uschar *subject;
5834 uschar *sub[3];
5835 int save_expand_nmax =
5836 save_expand_strings(save_expand_nstring, save_expand_nlength);
5837
5838 switch(read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
5839 {
5840 case 1: goto EXPAND_FAILED_CURLY;
5841 case 2:
5842 case 3: goto EXPAND_FAILED;
5843 }
5844
5845 /* Compile the regular expression */
5846
5847 if (!(re = pcre_compile(CS sub[1], PCRE_COPT, CCSS &rerror,
5848 &roffset, NULL)))
5849 {
5850 expand_string_message = string_sprintf("regular expression error in "
5851 "\"%s\": %s at offset %d", sub[1], rerror, roffset);
5852 goto EXPAND_FAILED;
5853 }
5854
5855 /* Now run a loop to do the substitutions as often as necessary. It ends
5856 when there are no more matches. Take care over matches of the null string;
5857 do the same thing as Perl does. */
5858
5859 subject = sub[0];
5860 slen = Ustrlen(sub[0]);
5861 moffset = moffsetextra = 0;
5862 emptyopt = 0;
5863
5864 for (;;)
5865 {
5866 int ovector[3*(EXPAND_MAXN+1)];
5867 int n = pcre_exec(re, NULL, CS subject, slen, moffset + moffsetextra,
5868 PCRE_EOPT | emptyopt, ovector, nelem(ovector));
5869 uschar *insert;
5870
5871 /* No match - if we previously set PCRE_NOTEMPTY after a null match, this
5872 is not necessarily the end. We want to repeat the match from one
5873 character further along, but leaving the basic offset the same (for
5874 copying below). We can't be at the end of the string - that was checked
5875 before setting PCRE_NOTEMPTY. If PCRE_NOTEMPTY is not set, we are
5876 finished; copy the remaining string and end the loop. */
5877
5878 if (n < 0)
5879 {
5880 if (emptyopt != 0)
5881 {
5882 moffsetextra = 1;
5883 emptyopt = 0;
5884 continue;
5885 }
5886 yield = string_catn(yield, subject+moffset, slen-moffset);
5887 break;
5888 }
5889
5890 /* Match - set up for expanding the replacement. */
5891
5892 if (n == 0) n = EXPAND_MAXN + 1;
5893 expand_nmax = 0;
5894 for (int nn = 0; nn < n*2; nn += 2)
5895 {
5896 expand_nstring[expand_nmax] = subject + ovector[nn];
5897 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
5898 }
5899 expand_nmax--;
5900
5901 /* Copy the characters before the match, plus the expanded insertion. */
5902
5903 yield = string_catn(yield, subject + moffset, ovector[0] - moffset);
5904 if (!(insert = expand_string(sub[2])))
5905 goto EXPAND_FAILED;
5906 yield = string_cat(yield, insert);
5907
5908 moffset = ovector[1];
5909 moffsetextra = 0;
5910 emptyopt = 0;
5911
5912 /* If we have matched an empty string, first check to see if we are at
5913 the end of the subject. If so, the loop is over. Otherwise, mimic
5914 what Perl's /g options does. This turns out to be rather cunning. First
5915 we set PCRE_NOTEMPTY and PCRE_ANCHORED and try the match a non-empty
5916 string at the same point. If this fails (picked up above) we advance to
5917 the next character. */
5918
5919 if (ovector[0] == ovector[1])
5920 {
5921 if (ovector[0] == slen) break;
5922 emptyopt = PCRE_NOTEMPTY | PCRE_ANCHORED;
5923 }
5924 }
5925
5926 /* All done - restore numerical variables. */
5927
5928 restore_expand_strings(save_expand_nmax, save_expand_nstring,
5929 save_expand_nlength);
5930 continue;
5931 }
5932
5933 /* Handle keyed and numbered substring extraction. If the first argument
5934 consists entirely of digits, then a numerical extraction is assumed. */
5935
5936 case EITEM_EXTRACT:
5937 {
5938 int field_number = 1;
5939 BOOL field_number_set = FALSE;
5940 uschar *save_lookup_value = lookup_value;
5941 uschar *sub[3];
5942 int save_expand_nmax =
5943 save_expand_strings(save_expand_nstring, save_expand_nlength);
5944
5945 /* On reflection the original behaviour of extract-json for a string
5946 result, leaving it quoted, was a mistake. But it was already published,
5947 hence the addition of jsons. In a future major version, make json
5948 work like josons, and withdraw jsons. */
5949
5950 enum {extract_basic, extract_json, extract_jsons} fmt = extract_basic;
5951
5952 /* Check for a format-variant specifier */
5953
5954 if (Uskip_whitespace(&s) != '{') /*}*/
5955 if (Ustrncmp(s, "json", 4) == 0)
5956 if (*(s += 4) == 's')
5957 {fmt = extract_jsons; s++;}
5958 else
5959 fmt = extract_json;
5960
5961 /* While skipping we cannot rely on the data for expansions being
5962 available (eg. $item) hence cannot decide on numeric vs. keyed.
5963 Read a maximum of 5 arguments (including the yes/no) */
5964
5965 if (skipping)
5966 {
5967 for (int j = 5; j > 0 && *s == '{'; j--) /*'}'*/
5968 {
5969 if (!expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok))
5970 goto EXPAND_FAILED; /*'{'*/
5971 if (*s++ != '}')
5972 {
5973 expand_string_message = US"missing '{' for arg of extract";
5974 goto EXPAND_FAILED_CURLY;
5975 }
5976 Uskip_whitespace(&s);
5977 }
5978 if ( Ustrncmp(s, "fail", 4) == 0 /*'{'*/
5979 && (s[4] == '}' || s[4] == ' ' || s[4] == '\t' || !s[4])
5980 )
5981 {
5982 s += 4;
5983 Uskip_whitespace(&s);
5984 } /*'{'*/
5985 if (*s != '}')
5986 {
5987 expand_string_message = US"missing '}' closing extract";
5988 goto EXPAND_FAILED_CURLY;
5989 }
5990 }
5991
5992 else for (int i = 0, j = 2; i < j; i++) /* Read the proper number of arguments */
5993 {
5994 if (Uskip_whitespace(&s) == '{') /*'}'*/
5995 {
5996 if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok)))
5997 goto EXPAND_FAILED; /*'{'*/
5998 if (*s++ != '}')
5999 {
6000 expand_string_message = string_sprintf(
6001 "missing '}' closing arg %d of extract", i+1);
6002 goto EXPAND_FAILED_CURLY;
6003 }
6004
6005 /* After removal of leading and trailing white space, the first
6006 argument must not be empty; if it consists entirely of digits
6007 (optionally preceded by a minus sign), this is a numerical
6008 extraction, and we expect 3 arguments (normal) or 2 (json). */
6009
6010 if (i == 0)
6011 {
6012 int len;
6013 int x = 0;
6014 uschar *p = sub[0];
6015
6016 Uskip_whitespace(&p);
6017 sub[0] = p;
6018
6019 len = Ustrlen(p);
6020 while (len > 0 && isspace(p[len-1])) len--;
6021 p[len] = 0;
6022
6023 if (*p == 0)
6024 {
6025 expand_string_message = US"first argument of \"extract\" must "
6026 "not be empty";
6027 goto EXPAND_FAILED;
6028 }
6029
6030 if (*p == '-')
6031 {
6032 field_number = -1;
6033 p++;
6034 }
6035 while (*p != 0 && isdigit(*p)) x = x * 10 + *p++ - '0';
6036 if (*p == 0)
6037 {
6038 field_number *= x;
6039 if (fmt == extract_basic) j = 3; /* Need 3 args */
6040 field_number_set = TRUE;
6041 }
6042 }
6043 }
6044 else
6045 {
6046 expand_string_message = string_sprintf(
6047 "missing '{' for arg %d of extract", i+1);
6048 goto EXPAND_FAILED_CURLY;
6049 }
6050 }
6051
6052 /* Extract either the numbered or the keyed substring into $value. If
6053 skipping, just pretend the extraction failed. */
6054
6055 if (skipping)
6056 lookup_value = NULL;
6057 else switch (fmt)
6058 {
6059 case extract_basic:
6060 lookup_value = field_number_set
6061 ? expand_gettokened(field_number, sub[1], sub[2])
6062 : expand_getkeyed(sub[0], sub[1]);
6063 break;
6064
6065 case extract_json:
6066 case extract_jsons:
6067 {
6068 uschar * s, * item;
6069 const uschar * list;
6070
6071 /* Array: Bracket-enclosed and comma-separated.
6072 Object: Brace-enclosed, comma-sep list of name:value pairs */
6073
6074 if (!(s = dewrap(sub[1], field_number_set ? US"[]" : US"{}")))
6075 {
6076 expand_string_message =
6077 string_sprintf("%s wrapping %s for extract json",
6078 expand_string_message,
6079 field_number_set ? "array" : "object");
6080 goto EXPAND_FAILED_CURLY;
6081 }
6082
6083 list = s;
6084 if (field_number_set)
6085 {
6086 if (field_number <= 0)
6087 {
6088 expand_string_message = US"first argument of \"extract\" must "
6089 "be greater than zero";
6090 goto EXPAND_FAILED;
6091 }
6092 while (field_number > 0 && (item = json_nextinlist(&list)))
6093 field_number--;
6094 if ((lookup_value = s = item))
6095 {
6096 while (*s) s++;
6097 while (--s >= lookup_value && isspace(*s)) *s = '\0';
6098 }
6099 }
6100 else
6101 {
6102 lookup_value = NULL;
6103 while ((item = json_nextinlist(&list)))
6104 {
6105 /* Item is: string name-sep value. string is quoted.
6106 Dequote the string and compare with the search key. */
6107
6108 if (!(item = dewrap(item, US"\"\"")))
6109 {
6110 expand_string_message =
6111 string_sprintf("%s wrapping string key for extract json",
6112 expand_string_message);
6113 goto EXPAND_FAILED_CURLY;
6114 }
6115 if (Ustrcmp(item, sub[0]) == 0) /*XXX should be a UTF8-compare */
6116 {
6117 s = item + Ustrlen(item) + 1;
6118 if (Uskip_whitespace(&s) != ':')
6119 {
6120 expand_string_message =
6121 US"missing object value-separator for extract json";
6122 goto EXPAND_FAILED_CURLY;
6123 }
6124 s++;
6125 Uskip_whitespace(&s);
6126 lookup_value = s;
6127 break;
6128 }
6129 }
6130 }
6131 }
6132
6133 if ( fmt == extract_jsons
6134 && lookup_value
6135 && !(lookup_value = dewrap(lookup_value, US"\"\"")))
6136 {
6137 expand_string_message =
6138 string_sprintf("%s wrapping string result for extract jsons",
6139 expand_string_message);
6140 goto EXPAND_FAILED_CURLY;
6141 }
6142 break; /* json/s */
6143 }
6144
6145 /* If no string follows, $value gets substituted; otherwise there can
6146 be yes/no strings, as for lookup or if. */
6147
6148 switch(process_yesno(
6149 skipping, /* were previously skipping */
6150 lookup_value != NULL, /* success/failure indicator */
6151 save_lookup_value, /* value to reset for string2 */
6152 &s, /* input pointer */
6153 &yield, /* output pointer */
6154 US"extract", /* condition type */
6155 &resetok))
6156 {
6157 case 1: goto EXPAND_FAILED; /* when all is well, the */
6158 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
6159 }
6160
6161 /* All done - restore numerical variables. */
6162
6163 restore_expand_strings(save_expand_nmax, save_expand_nstring,
6164 save_expand_nlength);
6165
6166 continue;
6167 }
6168
6169 /* return the Nth item from a list */
6170
6171 case EITEM_LISTEXTRACT:
6172 {
6173 int field_number = 1;
6174 uschar *save_lookup_value = lookup_value;
6175 uschar *sub[2];
6176 int save_expand_nmax =
6177 save_expand_strings(save_expand_nstring, save_expand_nlength);
6178
6179 /* Read the field & list arguments */
6180
6181 for (int i = 0; i < 2; i++)
6182 {
6183 if (Uskip_whitespace(&s) != '{') /*'}'*/
6184 {
6185 expand_string_message = string_sprintf(
6186 "missing '{' for arg %d of listextract", i+1);
6187 goto EXPAND_FAILED_CURLY;
6188 }
6189
6190 sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
6191 if (!sub[i]) goto EXPAND_FAILED; /*{*/
6192 if (*s++ != '}')
6193 {
6194 expand_string_message = string_sprintf(
6195 "missing '}' closing arg %d of listextract", i+1);
6196 goto EXPAND_FAILED_CURLY;
6197 }
6198
6199 /* After removal of leading and trailing white space, the first
6200 argument must be numeric and nonempty. */
6201
6202 if (i == 0)
6203 {
6204 int len;
6205 int x = 0;
6206 uschar *p = sub[0];
6207
6208 Uskip_whitespace(&p);
6209 sub[0] = p;
6210
6211 len = Ustrlen(p);
6212 while (len > 0 && isspace(p[len-1])) len--;
6213 p[len] = 0;
6214
6215 if (!*p && !skipping)
6216 {
6217 expand_string_message = US"first argument of \"listextract\" must "
6218 "not be empty";
6219 goto EXPAND_FAILED;
6220 }
6221
6222 if (*p == '-')
6223 {
6224 field_number = -1;
6225 p++;
6226 }
6227 while (*p && isdigit(*p)) x = x * 10 + *p++ - '0';
6228 if (*p)
6229 {
6230 expand_string_message = US"first argument of \"listextract\" must "
6231 "be numeric";
6232 goto EXPAND_FAILED;
6233 }
6234 field_number *= x;
6235 }
6236 }
6237
6238 /* Extract the numbered element into $value. If
6239 skipping, just pretend the extraction failed. */
6240
6241 lookup_value = skipping ? NULL : expand_getlistele(field_number, sub[1]);
6242
6243 /* If no string follows, $value gets substituted; otherwise there can
6244 be yes/no strings, as for lookup or if. */
6245
6246 switch(process_yesno(
6247 skipping, /* were previously skipping */
6248 lookup_value != NULL, /* success/failure indicator */
6249 save_lookup_value, /* value to reset for string2 */
6250 &s, /* input pointer */
6251 &yield, /* output pointer */
6252 US"listextract", /* condition type */
6253 &resetok))
6254 {
6255 case 1: goto EXPAND_FAILED; /* when all is well, the */
6256 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
6257 }
6258
6259 /* All done - restore numerical variables. */
6260
6261 restore_expand_strings(save_expand_nmax, save_expand_nstring,
6262 save_expand_nlength);
6263
6264 continue;
6265 }
6266
6267 case EITEM_LISTQUOTE:
6268 {
6269 uschar * sub[2];
6270 switch(read_subs(sub, 2, 2, &s, skipping, TRUE, name, &resetok))
6271 {
6272 case 1: goto EXPAND_FAILED_CURLY;
6273 case 2:
6274 case 3: goto EXPAND_FAILED;
6275 }
6276 if (*sub[1]) for (uschar sep = *sub[0], c; c = *sub[1]; sub[1]++)
6277 {
6278 if (c == sep) yield = string_catn(yield, sub[1], 1);
6279 yield = string_catn(yield, sub[1], 1);
6280 }
6281 else yield = string_catn(yield, US" ", 1);
6282 continue;
6283 }
6284
6285 #ifndef DISABLE_TLS
6286 case EITEM_CERTEXTRACT:
6287 {
6288 uschar *save_lookup_value = lookup_value;
6289 uschar *sub[2];
6290 int save_expand_nmax =
6291 save_expand_strings(save_expand_nstring, save_expand_nlength);
6292
6293 /* Read the field argument */
6294 if (Uskip_whitespace(&s) != '{') /*}*/
6295 {
6296 expand_string_message = US"missing '{' for field arg of certextract";
6297 goto EXPAND_FAILED_CURLY;
6298 }
6299 sub[0] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
6300 if (!sub[0]) goto EXPAND_FAILED; /*{*/
6301 if (*s++ != '}')
6302 {
6303 expand_string_message = US"missing '}' closing field arg of certextract";
6304 goto EXPAND_FAILED_CURLY;
6305 }
6306 /* strip spaces fore & aft */
6307 {
6308 int len;
6309 uschar *p = sub[0];
6310
6311 Uskip_whitespace(&p);
6312 sub[0] = p;
6313
6314 len = Ustrlen(p);
6315 while (len > 0 && isspace(p[len-1])) len--;
6316 p[len] = 0;
6317 }
6318
6319 /* inspect the cert argument */
6320 if (Uskip_whitespace(&s) != '{') /*}*/
6321 {
6322 expand_string_message = US"missing '{' for cert variable arg of certextract";
6323 goto EXPAND_FAILED_CURLY;
6324 }
6325 if (*++s != '$')
6326 {
6327 expand_string_message = US"second argument of \"certextract\" must "
6328 "be a certificate variable";
6329 goto EXPAND_FAILED;
6330 }
6331 sub[1] = expand_string_internal(s+1, TRUE, &s, skipping, FALSE, &resetok);
6332 if (!sub[1]) goto EXPAND_FAILED; /*{*/
6333 if (*s++ != '}')
6334 {
6335 expand_string_message = US"missing '}' closing cert variable arg of certextract";
6336 goto EXPAND_FAILED_CURLY;
6337 }
6338
6339 if (skipping)
6340 lookup_value = NULL;
6341 else
6342 {
6343 lookup_value = expand_getcertele(sub[0], sub[1]);
6344 if (*expand_string_message) goto EXPAND_FAILED;
6345 }
6346 switch(process_yesno(
6347 skipping, /* were previously skipping */
6348 lookup_value != NULL, /* success/failure indicator */
6349 save_lookup_value, /* value to reset for string2 */
6350 &s, /* input pointer */
6351 &yield, /* output pointer */
6352 US"certextract", /* condition type */
6353 &resetok))
6354 {
6355 case 1: goto EXPAND_FAILED; /* when all is well, the */
6356 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
6357 }
6358
6359 restore_expand_strings(save_expand_nmax, save_expand_nstring,
6360 save_expand_nlength);
6361 continue;
6362 }
6363 #endif /*DISABLE_TLS*/
6364
6365 /* Handle list operations */
6366
6367 case EITEM_FILTER:
6368 case EITEM_MAP:
6369 case EITEM_REDUCE:
6370 {
6371 int sep = 0;
6372 int save_ptr = gstring_length(yield);
6373 uschar outsep[2] = { '\0', '\0' };
6374 const uschar *list, *expr, *temp;
6375 uschar *save_iterate_item = iterate_item;
6376 uschar *save_lookup_value = lookup_value;
6377
6378 Uskip_whitespace(&s);
6379 if (*s++ != '{')
6380 {
6381 expand_string_message =
6382 string_sprintf("missing '{' for first arg of %s", name);
6383 goto EXPAND_FAILED_CURLY;
6384 }
6385
6386 if (!(list = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok)))
6387 goto EXPAND_FAILED;
6388 if (*s++ != '}')
6389 {
6390 expand_string_message =
6391 string_sprintf("missing '}' closing first arg of %s", name);
6392 goto EXPAND_FAILED_CURLY;
6393 }
6394
6395 if (item_type == EITEM_REDUCE)
6396 {
6397 uschar * t;
6398 Uskip_whitespace(&s);
6399 if (*s++ != '{')
6400 {
6401 expand_string_message = US"missing '{' for second arg of reduce";
6402 goto EXPAND_FAILED_CURLY;
6403 }
6404 t = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok);
6405 if (!t) goto EXPAND_FAILED;
6406 lookup_value = t;
6407 if (*s++ != '}')
6408 {
6409 expand_string_message = US"missing '}' closing second arg of reduce";
6410 goto EXPAND_FAILED_CURLY;
6411 }
6412 }
6413
6414 Uskip_whitespace(&s);
6415 if (*s++ != '{')
6416 {
6417 expand_string_message =
6418 string_sprintf("missing '{' for last arg of %s", name);
6419 goto EXPAND_FAILED_CURLY;
6420 }
6421
6422 expr = s;
6423
6424 /* For EITEM_FILTER, call eval_condition once, with result discarded (as
6425 if scanning a "false" part). This allows us to find the end of the
6426 condition, because if the list is empty, we won't actually evaluate the
6427 condition for real. For EITEM_MAP and EITEM_REDUCE, do the same, using
6428 the normal internal expansion function. */
6429
6430 if (item_type != EITEM_FILTER)
6431 temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok);
6432 else
6433 if ((temp = eval_condition(expr, &resetok, NULL))) s = temp;
6434
6435 if (!temp)
6436 {
6437 expand_string_message = string_sprintf("%s inside \"%s\" item",
6438 expand_string_message, name);
6439 goto EXPAND_FAILED;
6440 }
6441
6442 Uskip_whitespace(&s); /*{*/
6443 if (*s++ != '}')
6444 { /*{*/
6445 expand_string_message = string_sprintf("missing } at end of condition "
6446 "or expression inside \"%s\"; could be an unquoted } in the content",
6447 name);
6448 goto EXPAND_FAILED;
6449 }
6450
6451 Uskip_whitespace(&s); /*{*/
6452 if (*s++ != '}')
6453 { /*{*/
6454 expand_string_message = string_sprintf("missing } at end of \"%s\"",
6455 name);
6456 goto EXPAND_FAILED;
6457 }
6458
6459 /* If we are skipping, we can now just move on to the next item. When
6460 processing for real, we perform the iteration. */
6461
6462 if (skipping) continue;
6463 while ((iterate_item = string_nextinlist(&list, &sep, NULL, 0)))
6464 {
6465 *outsep = (uschar)sep; /* Separator as a string */
6466
6467 DEBUG(D_expand) debug_printf_indent("%s: $item = '%s' $value = '%s'\n",
6468 name, iterate_item, lookup_value);
6469
6470 if (item_type == EITEM_FILTER)
6471 {
6472 BOOL condresult;
6473 if (!eval_condition(expr, &resetok, &condresult))
6474 {
6475 iterate_item = save_iterate_item;
6476 lookup_value = save_lookup_value;
6477 expand_string_message = string_sprintf("%s inside \"%s\" condition",
6478 expand_string_message, name);
6479 goto EXPAND_FAILED;
6480 }
6481 DEBUG(D_expand) debug_printf_indent("%s: condition is %s\n", name,
6482 condresult? "true":"false");
6483 if (condresult)
6484 temp = iterate_item; /* TRUE => include this item */
6485 else
6486 continue; /* FALSE => skip this item */
6487 }
6488
6489 /* EITEM_MAP and EITEM_REDUCE */
6490
6491 else
6492 {
6493 uschar * t = expand_string_internal(expr, TRUE, NULL, skipping, TRUE, &resetok);
6494 temp = t;
6495 if (!temp)
6496 {
6497 iterate_item = save_iterate_item;
6498 expand_string_message = string_sprintf("%s inside \"%s\" item",
6499 expand_string_message, name);
6500 goto EXPAND_FAILED;
6501 }
6502 if (item_type == EITEM_REDUCE)
6503 {
6504 lookup_value = t; /* Update the value of $value */
6505 continue; /* and continue the iteration */
6506 }
6507 }
6508
6509 /* We reach here for FILTER if the condition is true, always for MAP,
6510 and never for REDUCE. The value in "temp" is to be added to the output
6511 list that is being created, ensuring that any occurrences of the
6512 separator character are doubled. Unless we are dealing with the first
6513 item of the output list, add in a space if the new item begins with the
6514 separator character, or is an empty string. */
6515
6516 if ( yield && yield->ptr != save_ptr
6517 && (temp[0] == *outsep || temp[0] == 0))
6518 yield = string_catn(yield, US" ", 1);
6519
6520 /* Add the string in "temp" to the output list that we are building,
6521 This is done in chunks by searching for the separator character. */
6522
6523 for (;;)
6524 {
6525 size_t seglen = Ustrcspn(temp, outsep);
6526
6527 yield = string_catn(yield, temp, seglen + 1);
6528
6529 /* If we got to the end of the string we output one character
6530 too many; backup and end the loop. Otherwise arrange to double the
6531 separator. */
6532
6533 if (temp[seglen] == '\0') { yield->ptr--; break; }
6534 yield = string_catn(yield, outsep, 1);
6535 temp += seglen + 1;
6536 }
6537
6538 /* Output a separator after the string: we will remove the redundant
6539 final one at the end. */
6540
6541 yield = string_catn(yield, outsep, 1);
6542 } /* End of iteration over the list loop */
6543
6544 /* REDUCE has generated no output above: output the final value of
6545 $value. */
6546
6547 if (item_type == EITEM_REDUCE)
6548 {
6549 yield = string_cat(yield, lookup_value);
6550 lookup_value = save_lookup_value; /* Restore $value */
6551 }
6552
6553 /* FILTER and MAP generate lists: if they have generated anything, remove
6554 the redundant final separator. Even though an empty item at the end of a
6555 list does not count, this is tidier. */
6556
6557 else if (yield && yield->ptr != save_ptr) yield->ptr--;
6558
6559 /* Restore preserved $item */
6560
6561 iterate_item = save_iterate_item;
6562 continue;
6563 }
6564
6565 case EITEM_SORT:
6566 {
6567 int cond_type;
6568 int sep = 0;
6569 const uschar *srclist, *cmp, *xtract;
6570 uschar * opname, * srcitem;
6571 const uschar *dstlist = NULL, *dstkeylist = NULL;
6572 uschar * tmp;
6573 uschar *save_iterate_item = iterate_item;
6574
6575 Uskip_whitespace(&s);
6576 if (*s++ != '{')
6577 {
6578 expand_string_message = US"missing '{' for list arg of sort";
6579 goto EXPAND_FAILED_CURLY;
6580 }
6581
6582 srclist = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok);
6583 if (!srclist) goto EXPAND_FAILED;
6584 if (*s++ != '}')
6585 {
6586 expand_string_message = US"missing '}' closing list arg of sort";
6587 goto EXPAND_FAILED_CURLY;
6588 }
6589
6590 Uskip_whitespace(&s);
6591 if (*s++ != '{')
6592 {
6593 expand_string_message = US"missing '{' for comparator arg of sort";
6594 goto EXPAND_FAILED_CURLY;
6595 }
6596
6597 cmp = expand_string_internal(s, TRUE, &s, skipping, FALSE, &resetok);
6598 if (!cmp) goto EXPAND_FAILED;
6599 if (*s++ != '}')
6600 {
6601 expand_string_message = US"missing '}' closing comparator arg of sort";
6602 goto EXPAND_FAILED_CURLY;
6603 }
6604
6605 if ((cond_type = identify_operator(&cmp, &opname)) == -1)
6606 {
6607 if (!expand_string_message)
6608 expand_string_message = string_sprintf("unknown condition \"%s\"", s);
6609 goto EXPAND_FAILED;
6610 }
6611 switch(cond_type)
6612 {
6613 case ECOND_NUM_L: case ECOND_NUM_LE:
6614 case ECOND_NUM_G: case ECOND_NUM_GE:
6615 case ECOND_STR_GE: case ECOND_STR_GEI: case ECOND_STR_GT: case ECOND_STR_GTI:
6616 case ECOND_STR_LE: case ECOND_STR_LEI: case ECOND_STR_LT: case ECOND_STR_LTI:
6617 break;
6618
6619 default:
6620 expand_string_message = US"comparator not handled for sort";
6621 goto EXPAND_FAILED;
6622 }
6623
6624 Uskip_whitespace(&s);
6625 if (*s++ != '{')
6626 {
6627 expand_string_message = US"missing '{' for extractor arg of sort";
6628 goto EXPAND_FAILED_CURLY;
6629 }
6630
6631 xtract = s;
6632 if (!(tmp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok)))
6633 goto EXPAND_FAILED;
6634 xtract = string_copyn(xtract, s - xtract);
6635
6636 if (*s++ != '}')
6637 {
6638 expand_string_message = US"missing '}' closing extractor arg of sort";
6639 goto EXPAND_FAILED_CURLY;
6640 }
6641 /*{*/
6642 if (*s++ != '}')
6643 { /*{*/
6644 expand_string_message = US"missing } at end of \"sort\"";
6645 goto EXPAND_FAILED;
6646 }
6647
6648 if (skipping) continue;
6649
6650 while ((srcitem = string_nextinlist(&srclist, &sep, NULL, 0)))
6651 {
6652 uschar * srcfield, * dstitem;
6653 gstring * newlist = NULL;
6654 gstring * newkeylist = NULL;
6655
6656 DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", name, srcitem);
6657
6658 /* extract field for comparisons */
6659 iterate_item = srcitem;
6660 if ( !(srcfield = expand_string_internal(xtract, FALSE, NULL, FALSE,
6661 TRUE, &resetok))
6662 || !*srcfield)
6663 {
6664 expand_string_message = string_sprintf(
6665 "field-extract in sort: \"%s\"", xtract);
6666 goto EXPAND_FAILED;
6667 }
6668
6669 /* Insertion sort */
6670
6671 /* copy output list until new-item < list-item */
6672 while ((dstitem = string_nextinlist(&dstlist, &sep, NULL, 0)))
6673 {
6674 uschar * dstfield;
6675
6676 /* field for comparison */
6677 if (!(dstfield = string_nextinlist(&dstkeylist, &sep, NULL, 0)))
6678 goto sort_mismatch;
6679
6680 /* String-comparator names start with a letter; numeric names do not */
6681
6682 if (sortsbefore(cond_type, isalpha(opname[0]),
6683 srcfield, dstfield))
6684 {
6685 /* New-item sorts before this dst-item. Append new-item,
6686 then dst-item, then remainder of dst list. */
6687
6688 newlist = string_append_listele(newlist, sep, srcitem);
6689 newkeylist = string_append_listele(newkeylist, sep, srcfield);
6690 srcitem = NULL;
6691
6692 newlist = string_append_listele(newlist, sep, dstitem);
6693 newkeylist = string_append_listele(newkeylist, sep, dstfield);
6694
6695 /*XXX why field-at-a-time copy? Why not just dup the rest of the list? */
6696 while ((dstitem = string_nextinlist(&dstlist, &sep, NULL, 0)))
6697 {
6698 if (!(dstfield = string_nextinlist(&dstkeylist, &sep, NULL, 0)))
6699 goto sort_mismatch;
6700 newlist = string_append_listele(newlist, sep, dstitem);
6701 newkeylist = string_append_listele(newkeylist, sep, dstfield);
6702 }
6703
6704 break;
6705 }
6706
6707 newlist = string_append_listele(newlist, sep, dstitem);
6708 newkeylist = string_append_listele(newkeylist, sep, dstfield);
6709 }
6710
6711 /* If we ran out of dstlist without consuming srcitem, append it */
6712 if (srcitem)
6713 {
6714 newlist = string_append_listele(newlist, sep, srcitem);
6715 newkeylist = string_append_listele(newkeylist, sep, srcfield);
6716 }
6717
6718 dstlist = newlist->s;
6719 dstkeylist = newkeylist->s;
6720
6721 DEBUG(D_expand) debug_printf_indent("%s: dstlist = \"%s\"\n", name, dstlist);
6722 DEBUG(D_expand) debug_printf_indent("%s: dstkeylist = \"%s\"\n", name, dstkeylist);
6723 }
6724
6725 if (dstlist)
6726 yield = string_cat(yield, dstlist);
6727
6728 /* Restore preserved $item */
6729 iterate_item = save_iterate_item;
6730 continue;
6731
6732 sort_mismatch:
6733 expand_string_message = US"Internal error in sort (list mismatch)";
6734 goto EXPAND_FAILED;
6735 }
6736
6737
6738 /* If ${dlfunc } support is configured, handle calling dynamically-loaded
6739 functions, unless locked out at this time. Syntax is ${dlfunc{file}{func}}
6740 or ${dlfunc{file}{func}{arg}} or ${dlfunc{file}{func}{arg1}{arg2}} or up to
6741 a maximum of EXPAND_DLFUNC_MAX_ARGS arguments (defined below). */
6742
6743 #define EXPAND_DLFUNC_MAX_ARGS 8
6744
6745 case EITEM_DLFUNC:
6746 #ifndef EXPAND_DLFUNC
6747 expand_string_message = US"\"${dlfunc\" encountered, but this facility " /*}*/
6748 "is not included in this binary";
6749 goto EXPAND_FAILED;
6750
6751 #else /* EXPAND_DLFUNC */
6752 {
6753 tree_node *t;
6754 exim_dlfunc_t *func;
6755 uschar *result;
6756 int status, argc;
6757 uschar *argv[EXPAND_DLFUNC_MAX_ARGS + 3];
6758
6759 if ((expand_forbid & RDO_DLFUNC) != 0)
6760 {
6761 expand_string_message =
6762 US"dynamically-loaded functions are not permitted";
6763 goto EXPAND_FAILED;
6764 }
6765
6766 switch(read_subs(argv, EXPAND_DLFUNC_MAX_ARGS + 2, 2, &s, skipping,
6767 TRUE, name, &resetok))
6768 {
6769 case 1: goto EXPAND_FAILED_CURLY;
6770 case 2:
6771 case 3: goto EXPAND_FAILED;
6772 }
6773
6774 /* If skipping, we don't actually do anything */
6775
6776 if (skipping) continue;
6777
6778 /* Look up the dynamically loaded object handle in the tree. If it isn't
6779 found, dlopen() the file and put the handle in the tree for next time. */
6780
6781 if (!(t = tree_search(dlobj_anchor, argv[0])))
6782 {
6783 void *handle = dlopen(CS argv[0], RTLD_LAZY);
6784 if (!handle)
6785 {
6786 expand_string_message = string_sprintf("dlopen \"%s\" failed: %s",
6787 argv[0], dlerror());
6788 log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
6789 goto EXPAND_FAILED;
6790 }
6791 t = store_get_perm(sizeof(tree_node) + Ustrlen(argv[0]), is_tainted(argv[0]));
6792 Ustrcpy(t->name, argv[0]);
6793 t->data.ptr = handle;
6794 (void)tree_insertnode(&dlobj_anchor, t);
6795 }
6796
6797 /* Having obtained the dynamically loaded object handle, look up the
6798 function pointer. */
6799
6800 if (!(func = (exim_dlfunc_t *)dlsym(t->data.ptr, CS argv[1])))
6801 {
6802 expand_string_message = string_sprintf("dlsym \"%s\" in \"%s\" failed: "
6803 "%s", argv[1], argv[0], dlerror());
6804 log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
6805 goto EXPAND_FAILED;
6806 }
6807
6808 /* Call the function and work out what to do with the result. If it
6809 returns OK, we have a replacement string; if it returns DEFER then
6810 expansion has failed in a non-forced manner; if it returns FAIL then
6811 failure was forced; if it returns ERROR or any other value there's a
6812 problem, so panic slightly. In any case, assume that the function has
6813 side-effects on the store that must be preserved. */
6814
6815 resetok = FALSE;
6816 result = NULL;
6817 for (argc = 0; argv[argc]; argc++);
6818 status = func(&result, argc - 2, &argv[2]);
6819 if(status == OK)
6820 {
6821 if (!result) result = US"";
6822 yield = string_cat(yield, result);
6823 continue;
6824 }
6825 else
6826 {
6827 expand_string_message = result ? result : US"(no message)";
6828 if (status == FAIL_FORCED)
6829 f.expand_string_forcedfail = TRUE;
6830 else if (status != FAIL)
6831 log_write(0, LOG_MAIN|LOG_PANIC, "dlfunc{%s}{%s} failed (%d): %s",
6832 argv[0], argv[1], status, expand_string_message);
6833 goto EXPAND_FAILED;
6834 }
6835 }
6836 #endif /* EXPAND_DLFUNC */
6837
6838 case EITEM_ENV: /* ${env {name} {val_if_found} {val_if_unfound}} */
6839 {
6840 uschar * key;
6841 uschar *save_lookup_value = lookup_value;
6842
6843 if (Uskip_whitespace(&s) != '{') /*}*/
6844 goto EXPAND_FAILED;
6845
6846 key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
6847 if (!key) goto EXPAND_FAILED; /*{*/
6848 if (*s++ != '}')
6849 {
6850 expand_string_message = US"missing '{' for name arg of env";
6851 goto EXPAND_FAILED_CURLY;
6852 }
6853
6854 lookup_value = US getenv(CS key);
6855
6856 switch(process_yesno(
6857 skipping, /* were previously skipping */
6858 lookup_value != NULL, /* success/failure indicator */
6859 save_lookup_value, /* value to reset for string2 */
6860 &s, /* input pointer */
6861 &yield, /* output pointer */
6862 US"env", /* condition type */
6863 &resetok))
6864 {
6865 case 1: goto EXPAND_FAILED; /* when all is well, the */
6866 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
6867 }
6868 continue;
6869 }
6870
6871 #ifdef SUPPORT_SRS
6872 case EITEM_SRS_ENCODE:
6873 /* ${srs_encode {secret} {return_path} {orig_domain}} */
6874 {
6875 uschar * sub[3];
6876 uschar cksum[4];
6877 gstring * g = NULL;
6878 BOOL quoted = FALSE;
6879
6880 switch (read_subs(sub, 3, 3, CUSS &s, skipping, TRUE, name, &resetok))
6881 {
6882 case 1: goto EXPAND_FAILED_CURLY;
6883 case 2:
6884 case 3: goto EXPAND_FAILED;
6885 }
6886
6887 g = string_catn(g, US"SRS0=", 5);
6888
6889 /* ${l_4:${hmac{md5}{SRS_SECRET}{${lc:$return_path}}}}= */
6890 hmac_md5(sub[0], string_copylc(sub[1]), cksum, sizeof(cksum));
6891 g = string_catn(g, cksum, sizeof(cksum));
6892 g = string_catn(g, US"=", 1);
6893
6894 /* ${base32:${eval:$tod_epoch/86400&0x3ff}}= */
6895 {
6896 struct timeval now;
6897 unsigned long i;
6898 gstring * h = NULL;
6899
6900 gettimeofday(&now, NULL);
6901 for (unsigned long i = (now.tv_sec / 86400) & 0x3ff; i; i >>= 5)
6902 h = string_catn(h, &base32_chars[i & 0x1f], 1);
6903 if (h) while (h->ptr > 0)
6904 g = string_catn(g, &h->s[--h->ptr], 1);
6905 }
6906 g = string_catn(g, US"=", 1);
6907
6908 /* ${domain:$return_path}=${local_part:$return_path} */
6909 {
6910 int start, end, domain;
6911 uschar * t = parse_extract_address(sub[1], &expand_string_message,
6912 &start, &end, &domain, FALSE);
6913 uschar * s;
6914
6915 if (!t)
6916 goto EXPAND_FAILED;
6917
6918 if (domain > 0) g = string_cat(g, t + domain);
6919 g = string_catn(g, US"=", 1);
6920
6921 s = domain > 0 ? string_copyn(t, domain - 1) : t;
6922 if ((quoted = Ustrchr(s, '"') != NULL))
6923 {
6924 gstring * h = NULL;
6925 DEBUG(D_expand) debug_printf_indent("auto-quoting local part\n");
6926 while (*s) /* de-quote */
6927 {
6928 while (*s && *s != '"') h = string_catn(h, s++, 1);
6929 if (*s) s++;
6930 while (*s && *s != '"') h = string_catn(h, s++, 1);
6931 if (*s) s++;
6932 }
6933 gstring_release_unused(h);
6934 s = string_from_gstring(h);
6935 }
6936 g = string_cat(g, s);
6937 }
6938
6939 /* Assume that if the original local_part had quotes
6940 it was for good reason */
6941
6942 if (quoted) yield = string_catn(yield, US"\"", 1);
6943 yield = string_catn(yield, g->s, g->ptr);
6944 if (quoted) yield = string_catn(yield, US"\"", 1);
6945
6946 /* @$original_domain */
6947 yield = string_catn(yield, US"@", 1);
6948 yield = string_cat(yield, sub[2]);
6949 continue;
6950 }
6951 #endif /*SUPPORT_SRS*/
6952 } /* EITEM_* switch */
6953
6954 /* Control reaches here if the name is not recognized as one of the more
6955 complicated expansion items. Check for the "operator" syntax (name terminated
6956 by a colon). Some of the operators have arguments, separated by _ from the
6957 name. */
6958
6959 if (*s == ':')
6960 {
6961 int c;
6962 uschar *arg = NULL;
6963 uschar *sub;
6964 #ifndef DISABLE_TLS
6965 var_entry *vp = NULL;
6966 #endif
6967
6968 /* Owing to an historical mis-design, an underscore may be part of the
6969 operator name, or it may introduce arguments. We therefore first scan the
6970 table of names that contain underscores. If there is no match, we cut off
6971 the arguments and then scan the main table. */
6972
6973 if ((c = chop_match(name, op_table_underscore,
6974 nelem(op_table_underscore))) < 0)
6975 {
6976 if ((arg = Ustrchr(name, '_')))
6977 *arg = 0;
6978 if ((c = chop_match(name, op_table_main, nelem(op_table_main))) >= 0)
6979 c += nelem(op_table_underscore);
6980 if (arg) *arg++ = '_'; /* Put back for error messages */
6981 }
6982
6983 /* Deal specially with operators that might take a certificate variable
6984 as we do not want to do the usual expansion. For most, expand the string.*/
6985 switch(c)
6986 {
6987 #ifndef DISABLE_TLS
6988 case EOP_MD5:
6989 case EOP_SHA1:
6990 case EOP_SHA256:
6991 case EOP_BASE64:
6992 if (s[1] == '$')
6993 {
6994 const uschar * s1 = s;
6995 sub = expand_string_internal(s+2, TRUE, &s1, skipping,
6996 FALSE, &resetok);
6997 if (!sub) goto EXPAND_FAILED; /*{*/
6998 if (*s1 != '}')
6999 {
7000 expand_string_message =
7001 string_sprintf("missing '}' closing cert arg of %s", name);
7002 goto EXPAND_FAILED_CURLY;
7003 }
7004 if ((vp = find_var_ent(sub)) && vp->type == vtype_cert)
7005 {
7006 s = s1+1;
7007 break;
7008 }
7009 vp = NULL;
7010 }
7011 /*FALLTHROUGH*/
7012 #endif
7013 default:
7014 sub = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
7015 if (!sub) goto EXPAND_FAILED;
7016 s++;
7017 break;
7018 }
7019
7020 /* If we are skipping, we don't need to perform the operation at all.
7021 This matters for operations like "mask", because the data may not be
7022 in the correct format when skipping. For example, the expression may test
7023 for the existence of $sender_host_address before trying to mask it. For
7024 other operations, doing them may not fail, but it is a waste of time. */
7025
7026 if (skipping && c >= 0) continue;
7027
7028 /* Otherwise, switch on the operator type */
7029
7030 switch(c)
7031 {
7032 case EOP_BASE32:
7033 {
7034 uschar *t;
7035 unsigned long int n = Ustrtoul(sub, &t, 10);
7036 gstring * g = NULL;
7037
7038 if (*t != 0)
7039 {
7040 expand_string_message = string_sprintf("argument for base32 "
7041 "operator is \"%s\", which is not a decimal number", sub);
7042 goto EXPAND_FAILED;
7043 }
7044 for ( ; n; n >>= 5)
7045 g = string_catn(g, &base32_chars[n & 0x1f], 1);
7046
7047 if (g) while (g->ptr > 0) yield = string_catn(yield, &g->s[--g->ptr], 1);
7048 continue;
7049 }
7050
7051 case EOP_BASE32D:
7052 {
7053 uschar *tt = sub;
7054 unsigned long int n = 0;
7055 while (*tt)
7056 {
7057 uschar * t = Ustrchr(base32_chars, *tt++);
7058 if (!t)
7059 {
7060 expand_string_message = string_sprintf("argument for base32d "
7061 "operator is \"%s\", which is not a base 32 number", sub);
7062 goto EXPAND_FAILED;
7063 }
7064 n = n * 32 + (t - base32_chars);
7065 }
7066 yield = string_fmt_append(yield, "%ld", n);
7067 continue;
7068 }
7069
7070 case EOP_BASE62:
7071 {
7072 uschar *t;
7073 unsigned long int n = Ustrtoul(sub, &t, 10);
7074 if (*t != 0)
7075 {
7076 expand_string_message = string_sprintf("argument for base62 "
7077 "operator is \"%s\", which is not a decimal number", sub);
7078 goto EXPAND_FAILED;
7079 }
7080 yield = string_cat(yield, string_base62(n));
7081 continue;
7082 }
7083
7084 /* Note that for Darwin and Cygwin, BASE_62 actually has the value 36 */
7085
7086 case EOP_BASE62D:
7087 {
7088 uschar *tt = sub;
7089 unsigned long int n = 0;
7090 while (*tt != 0)
7091 {
7092 uschar *t = Ustrchr(base62_chars, *tt++);
7093 if (!t)
7094 {
7095 expand_string_message = string_sprintf("argument for base62d "
7096 "operator is \"%s\", which is not a base %d number", sub,
7097 BASE_62);
7098 goto EXPAND_FAILED;
7099 }
7100 n = n * BASE_62 + (t - base62_chars);
7101 }
7102 yield = string_fmt_append(yield, "%ld", n);
7103 continue;
7104 }
7105
7106 case EOP_EXPAND:
7107 {
7108 uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE, &resetok);
7109 if (!expanded)
7110 {
7111 expand_string_message =
7112 string_sprintf("internal expansion of \"%s\" failed: %s", sub,
7113 expand_string_message);
7114 goto EXPAND_FAILED;
7115 }
7116 yield = string_cat(yield, expanded);
7117 continue;
7118 }
7119
7120 case EOP_LC:
7121 {
7122 int count = 0;
7123 uschar *t = sub - 1;
7124 while (*(++t) != 0) { *t = tolower(*t); count++; }
7125 yield = string_catn(yield, sub, count);
7126 continue;
7127 }
7128
7129 case EOP_UC:
7130 {
7131 int count = 0;
7132 uschar *t = sub - 1;
7133 while (*(++t) != 0) { *t = toupper(*t); count++; }
7134 yield = string_catn(yield, sub, count);
7135 continue;
7136 }
7137
7138 case EOP_MD5:
7139 #ifndef DISABLE_TLS
7140 if (vp && *(void **)vp->value)
7141 {
7142 uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
7143 yield = string_cat(yield, cp);
7144 }
7145 else
7146 #endif
7147 {
7148 md5 base;
7149 uschar digest[16];
7150 md5_start(&base);
7151 md5_end(&base, sub, Ustrlen(sub), digest);
7152 for (int j = 0; j < 16; j++)
7153 yield = string_fmt_append(yield, "%02x", digest[j]);
7154 }
7155 continue;
7156
7157 case EOP_SHA1:
7158 #ifndef DISABLE_TLS
7159 if (vp && *(void **)vp->value)
7160 {
7161 uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
7162 yield = string_cat(yield, cp);
7163 }
7164 else
7165 #endif
7166 {
7167 hctx h;
7168 uschar digest[20];
7169 sha1_start(&h);
7170 sha1_end(&h, sub, Ustrlen(sub), digest);
7171 for (int j = 0; j < 20; j++)
7172 yield = string_fmt_append(yield, "%02X", digest[j]);
7173 }
7174 continue;
7175
7176 case EOP_SHA2:
7177 case EOP_SHA256:
7178 #ifdef EXIM_HAVE_SHA2
7179 if (vp && *(void **)vp->value)
7180 if (c == EOP_SHA256)
7181 yield = string_cat(yield, tls_cert_fprt_sha256(*(void **)vp->value));
7182 else
7183 expand_string_message = US"sha2_N not supported with certificates";
7184 else
7185 {
7186 hctx h;
7187 blob b;
7188 hashmethod m = !arg ? HASH_SHA2_256
7189 : Ustrcmp(arg, "256") == 0 ? HASH_SHA2_256
7190 : Ustrcmp(arg, "384") == 0 ? HASH_SHA2_384
7191 : Ustrcmp(arg, "512") == 0 ? HASH_SHA2_512
7192 : HASH_BADTYPE;
7193
7194 if (m == HASH_BADTYPE || !exim_sha_init(&h, m))
7195 {
7196 expand_string_message = US"unrecognised sha2 variant";
7197 goto EXPAND_FAILED;
7198 }
7199
7200 exim_sha_update(&h, sub, Ustrlen(sub));
7201 exim_sha_finish(&h, &b);
7202 while (b.len-- > 0)
7203 yield = string_fmt_append(yield, "%02X", *b.data++);
7204 }
7205 #else
7206 expand_string_message = US"sha256 only supported with TLS";
7207 #endif
7208 continue;
7209
7210 case EOP_SHA3:
7211 #ifdef EXIM_HAVE_SHA3
7212 {
7213 hctx h;
7214 blob b;
7215 hashmethod m = !arg ? HASH_SHA3_256
7216 : Ustrcmp(arg, "224") == 0 ? HASH_SHA3_224
7217 : Ustrcmp(arg, "256") == 0 ? HASH_SHA3_256
7218 : Ustrcmp(arg, "384") == 0 ? HASH_SHA3_384
7219 : Ustrcmp(arg, "512") == 0 ? HASH_SHA3_512
7220 : HASH_BADTYPE;
7221
7222 if (m == HASH_BADTYPE || !exim_sha_init(&h, m))
7223 {
7224 expand_string_message = US"unrecognised sha3 variant";
7225 goto EXPAND_FAILED;
7226 }
7227
7228 exim_sha_update(&h, sub, Ustrlen(sub));
7229 exim_sha_finish(&h, &b);
7230 while (b.len-- > 0)
7231 yield = string_fmt_append(yield, "%02X", *b.data++);
7232 }
7233 continue;
7234 #else
7235 expand_string_message = US"sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +";
7236 goto EXPAND_FAILED;
7237 #endif
7238
7239 /* Convert hex encoding to base64 encoding */
7240
7241 case EOP_HEX2B64:
7242 {
7243 int c = 0;
7244 int b = -1;
7245 uschar *in = sub;
7246 uschar *out = sub;
7247 uschar *enc;
7248
7249 for (enc = sub; *enc; enc++)
7250 {
7251 if (!isxdigit(*enc))
7252 {
7253 expand_string_message = string_sprintf("\"%s\" is not a hex "
7254 "string", sub);
7255 goto EXPAND_FAILED;
7256 }
7257 c++;
7258 }
7259
7260 if ((c & 1) != 0)
7261 {
7262 expand_string_message = string_sprintf("\"%s\" contains an odd "
7263 "number of characters", sub);
7264 goto EXPAND_FAILED;
7265 }
7266
7267 while ((c = *in++) != 0)
7268 {
7269 if (isdigit(c)) c -= '0';
7270 else c = toupper(c) - 'A' + 10;
7271 if (b == -1)
7272 b = c << 4;
7273 else
7274 {
7275 *out++ = b | c;
7276 b = -1;
7277 }
7278 }
7279
7280 enc = b64encode(CUS sub, out - sub);
7281 yield = string_cat(yield, enc);
7282 continue;
7283 }
7284
7285 /* Convert octets outside 0x21..0x7E to \xXX form */
7286
7287 case EOP_HEXQUOTE:
7288 {
7289 uschar *t = sub - 1;
7290 while (*(++t) != 0)
7291 {
7292 if (*t < 0x21 || 0x7E < *t)
7293 yield = string_fmt_append(yield, "\\x%02x", *t);
7294 else
7295 yield = string_catn(yield, t, 1);
7296 }
7297 continue;
7298 }
7299
7300 /* count the number of list elements */
7301
7302 case EOP_LISTCOUNT:
7303 {
7304 int cnt = 0, sep = 0;
7305 uschar * buf = store_get(2, is_tainted(sub));
7306
7307 while (string_nextinlist(CUSS &sub, &sep, buf, 1)) cnt++;
7308 yield = string_fmt_append(yield, "%d", cnt);
7309 continue;
7310 }
7311
7312 /* expand a named list given the name */
7313 /* handles nested named lists; requotes as colon-sep list */
7314
7315 case EOP_LISTNAMED:
7316 expand_string_message = NULL;
7317 yield = expand_listnamed(yield, sub, arg);
7318 if (expand_string_message)
7319 goto EXPAND_FAILED;
7320 continue;
7321
7322 /* quote a list-item for the given list-separator */
7323
7324 /* mask applies a mask to an IP address; for example the result of
7325 ${mask:131.111.10.206/28} is 131.111.10.192/28. */
7326
7327 case EOP_MASK:
7328 {
7329 int count;
7330 uschar *endptr;
7331 int binary[4];
7332 int mask, maskoffset;
7333 int type = string_is_ip_address(sub, &maskoffset);
7334 uschar buffer[64];
7335
7336 if (type == 0)
7337 {
7338 expand_string_message = string_sprintf("\"%s\" is not an IP address",
7339 sub);
7340 goto EXPAND_FAILED;
7341 }
7342
7343 if (maskoffset == 0)
7344 {
7345 expand_string_message = string_sprintf("missing mask value in \"%s\"",
7346 sub);
7347 goto EXPAND_FAILED;
7348 }
7349
7350 mask = Ustrtol(sub + maskoffset + 1, &endptr, 10);
7351
7352 if (*endptr != 0 || mask < 0 || mask > ((type == 4)? 32 : 128))
7353 {
7354 expand_string_message = string_sprintf("mask value too big in \"%s\"",
7355 sub);
7356 goto EXPAND_FAILED;
7357 }
7358
7359 /* Convert the address to binary integer(s) and apply the mask */
7360
7361 sub[maskoffset] = 0;
7362 count = host_aton(sub, binary);
7363 host_mask(count, binary, mask);
7364
7365 /* Convert to masked textual format and add to output. */
7366
7367 yield = string_catn(yield, buffer,
7368 host_nmtoa(count, binary, mask, buffer, '.'));
7369 continue;
7370 }
7371
7372 case EOP_IPV6NORM:
7373 case EOP_IPV6DENORM:
7374 {
7375 int type = string_is_ip_address(sub, NULL);
7376 int binary[4];
7377 uschar buffer[44];
7378
7379 switch (type)
7380 {
7381 case 6:
7382 (void) host_aton(sub, binary);
7383 break;
7384
7385 case 4: /* convert to IPv4-mapped IPv6 */
7386 binary[0] = binary[1] = 0;
7387 binary[2] = 0x0000ffff;
7388 (void) host_aton(sub, binary+3);
7389 break;
7390
7391 case 0:
7392 expand_string_message =
7393 string_sprintf("\"%s\" is not an IP address", sub);
7394 goto EXPAND_FAILED;
7395 }
7396
7397 yield = string_catn(yield, buffer, c == EOP_IPV6NORM
7398 ? ipv6_nmtoa(binary, buffer)
7399 : host_nmtoa(4, binary, -1, buffer, ':')
7400 );
7401 continue;
7402 }
7403
7404 case EOP_ADDRESS:
7405 case EOP_LOCAL_PART:
7406 case EOP_DOMAIN:
7407 {
7408 uschar * error;
7409 int start, end, domain;
7410 uschar * t = parse_extract_address(sub, &error, &start, &end, &domain,
7411 FALSE);
7412 if (t)
7413 if (c != EOP_DOMAIN)
7414 yield = c == EOP_LOCAL_PART && domain > 0
7415 ? string_catn(yield, t, domain - 1)
7416 : string_cat(yield, t);
7417 else if (domain > 0)
7418 yield = string_cat(yield, t + domain);
7419 continue;
7420 }
7421
7422 case EOP_ADDRESSES:
7423 {
7424 uschar outsep[2] = { ':', '\0' };
7425 uschar *address, *error;
7426 int save_ptr = gstring_length(yield);
7427 int start, end, domain; /* Not really used */
7428
7429 if (Uskip_whitespace(&sub) == '>')
7430 if (*outsep = *++sub) ++sub;
7431 else
7432 {
7433 expand_string_message = string_sprintf("output separator "
7434 "missing in expanding ${addresses:%s}", --sub);
7435 goto EXPAND_FAILED;
7436 }
7437 f.parse_allow_group = TRUE;
7438
7439 for (;;)
7440 {
7441 uschar * p = parse_find_address_end(sub, FALSE);
7442 uschar saveend = *p;
7443 *p = '\0';
7444 address = parse_extract_address(sub, &error, &start, &end, &domain,
7445 FALSE);
7446 *p = saveend;
7447
7448 /* Add the address to the output list that we are building. This is
7449 done in chunks by searching for the separator character. At the
7450 start, unless we are dealing with the first address of the output
7451 list, add in a space if the new address begins with the separator
7452 character, or is an empty string. */
7453
7454 if (address)
7455 {
7456 if (yield && yield->ptr != save_ptr && address[0] == *outsep)
7457 yield = string_catn(yield, US" ", 1);
7458
7459 for (;;)
7460 {
7461 size_t seglen = Ustrcspn(address, outsep);
7462 yield = string_catn(yield, address, seglen + 1);
7463
7464 /* If we got to the end of the string we output one character
7465 too many. */
7466
7467 if (address[seglen] == '\0') { yield->ptr--; break; }
7468 yield = string_catn(yield, outsep, 1);
7469 address += seglen + 1;
7470 }
7471
7472 /* Output a separator after the string: we will remove the
7473 redundant final one at the end. */
7474
7475 yield = string_catn(yield, outsep, 1);
7476 }
7477
7478 if (saveend == '\0') break;
7479 sub = p + 1;
7480 }
7481
7482 /* If we have generated anything, remove the redundant final
7483 separator. */
7484
7485 if (yield && yield->ptr != save_ptr) yield->ptr--;
7486 f.parse_allow_group = FALSE;
7487 continue;
7488 }
7489
7490
7491 /* quote puts a string in quotes if it is empty or contains anything
7492 other than alphamerics, underscore, dot, or hyphen.
7493
7494 quote_local_part puts a string in quotes if RFC 2821/2822 requires it to
7495 be quoted in order to be a valid local part.
7496
7497 In both cases, newlines and carriage returns are converted into \n and \r
7498 respectively */
7499
7500 case EOP_QUOTE:
7501 case EOP_QUOTE_LOCAL_PART:
7502 if (!arg)
7503 {
7504 BOOL needs_quote = (!*sub); /* TRUE for empty string */
7505 uschar *t = sub - 1;
7506
7507 if (c == EOP_QUOTE)
7508 while (!needs_quote && *++t)
7509 needs_quote = !isalnum(*t) && !strchr("_-.", *t);
7510
7511 else /* EOP_QUOTE_LOCAL_PART */
7512 while (!needs_quote && *++t)
7513 needs_quote = !isalnum(*t)
7514 && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL
7515 && (*t != '.' || t == sub || !t[1]);
7516
7517 if (needs_quote)
7518 {
7519 yield = string_catn(yield, US"\"", 1);
7520 t = sub - 1;
7521 while (*++t)
7522 if (*t == '\n')
7523 yield = string_catn(yield, US"\\n", 2);
7524 else if (*t == '\r')
7525 yield = string_catn(yield, US"\\r", 2);
7526 else
7527 {
7528 if (*t == '\\' || *t == '"')
7529 yield = string_catn(yield, US"\\", 1);
7530 yield = string_catn(yield, t, 1);
7531 }
7532 yield = string_catn(yield, US"\"", 1);
7533 }
7534 else
7535 yield = string_cat(yield, sub);
7536 continue;
7537 }
7538
7539 /* quote_lookuptype does lookup-specific quoting */
7540
7541 else
7542 {
7543 int n;
7544 uschar *opt = Ustrchr(arg, '_');
7545
7546 if (opt) *opt++ = 0;
7547
7548 if ((n = search_findtype(arg, Ustrlen(arg))) < 0)
7549 {
7550 expand_string_message = search_error_message;
7551 goto EXPAND_FAILED;
7552 }
7553
7554 if (lookup_list[n]->quote)
7555 sub = (lookup_list[n]->quote)(sub, opt);
7556 else if (opt)
7557 sub = NULL;
7558
7559 if (!sub)
7560 {
7561 expand_string_message = string_sprintf(
7562 "\"%s\" unrecognized after \"${quote_%s\"",
7563 opt, arg);
7564 goto EXPAND_FAILED;
7565 }
7566
7567 yield = string_cat(yield, sub);
7568 continue;
7569 }
7570
7571 /* rx quote sticks in \ before any non-alphameric character so that
7572 the insertion works in a regular expression. */
7573
7574 case EOP_RXQUOTE:
7575 {
7576 uschar *t = sub - 1;
7577 while (*(++t) != 0)
7578 {
7579 if (!isalnum(*t))
7580 yield = string_catn(yield, US"\\", 1);
7581 yield = string_catn(yield, t, 1);
7582 }
7583 continue;
7584 }
7585
7586 /* RFC 2047 encodes, assuming headers_charset (default ISO 8859-1) as
7587 prescribed by the RFC, if there are characters that need to be encoded */
7588
7589 case EOP_RFC2047:
7590 yield = string_cat(yield,
7591 parse_quote_2047(sub, Ustrlen(sub), headers_charset,
7592 FALSE));
7593 continue;
7594
7595 /* RFC 2047 decode */
7596
7597 case EOP_RFC2047D:
7598 {
7599 int len;
7600 uschar *error;
7601 uschar *decoded = rfc2047_decode(sub, check_rfc2047_length,
7602 headers_charset, '?', &len, &error);
7603 if (error)
7604 {
7605 expand_string_message = error;
7606 goto EXPAND_FAILED;
7607 }
7608 yield = string_catn(yield, decoded, len);
7609 continue;
7610 }
7611
7612 /* from_utf8 converts UTF-8 to 8859-1, turning non-existent chars into
7613 underscores */
7614
7615 case EOP_FROM_UTF8:
7616 {
7617 uschar * buff = store_get(4, is_tainted(sub));
7618 while (*sub)
7619 {
7620 int c;
7621 GETUTF8INC(c, sub);
7622 if (c > 255) c = '_';
7623 buff[0] = c;
7624 yield = string_catn(yield, buff, 1);
7625 }
7626 continue;
7627 }
7628
7629 /* replace illegal UTF-8 sequences by replacement character */
7630
7631 #define UTF8_REPLACEMENT_CHAR US"?"
7632
7633 case EOP_UTF8CLEAN:
7634 {
7635 int seq_len = 0, index = 0;
7636 int bytes_left = 0;
7637 long codepoint = -1;
7638 int complete;
7639 uschar seq_buff[4]; /* accumulate utf-8 here */
7640
7641 /* Manually track tainting, as we deal in individual chars below */
7642
7643 if (is_tainted(sub))
7644 {
7645 if (yield->s && yield->ptr)
7646 gstring_rebuffer(yield);
7647 else
7648 yield->s = store_get(yield->size = Ustrlen(sub), TRUE);
7649 }
7650
7651 /* Check the UTF-8, byte-by-byte */
7652
7653 while (*sub)
7654 {
7655 complete = 0;
7656 uschar c = *sub++;
7657
7658 if (bytes_left)
7659 {
7660 if ((c & 0xc0) != 0x80)
7661 /* wrong continuation byte; invalidate all bytes */
7662 complete = 1; /* error */
7663 else
7664 {
7665 codepoint = (codepoint << 6) | (c & 0x3f);
7666 seq_buff[index++] = c;
7667 if (--bytes_left == 0) /* codepoint complete */
7668 if(codepoint > 0x10FFFF) /* is it too large? */
7669 complete = -1; /* error (RFC3629 limit) */
7670 else
7671 { /* finished; output utf-8 sequence */
7672 yield = string_catn(yield, seq_buff, seq_len);
7673 index = 0;
7674 }
7675 }
7676 }
7677 else /* no bytes left: new sequence */
7678 {
7679 if(!(c & 0x80)) /* 1-byte sequence, US-ASCII, keep it */
7680 {
7681 yield = string_catn(yield, &c, 1);
7682 continue;
7683 }
7684 if((c & 0xe0) == 0xc0) /* 2-byte sequence */
7685 {
7686 if(c == 0xc0 || c == 0xc1) /* 0xc0 and 0xc1 are illegal */
7687 complete = -1;
7688 else
7689 {
7690 bytes_left = 1;
7691 codepoint = c & 0x1f;
7692 }
7693 }
7694 else if((c & 0xf0) == 0xe0) /* 3-byte sequence */
7695 {
7696 bytes_left = 2;
7697 codepoint = c & 0x0f;
7698 }
7699 else if((c & 0xf8) == 0xf0) /* 4-byte sequence */
7700 {
7701 bytes_left = 3;
7702 codepoint = c & 0x07;
7703 }
7704 else /* invalid or too long (RFC3629 allows only 4 bytes) */
7705 complete = -1;
7706
7707 seq_buff[index++] = c;
7708 seq_len = bytes_left + 1;
7709 } /* if(bytes_left) */
7710
7711 if (complete != 0)
7712 {
7713 bytes_left = index = 0;
7714 yield = string_catn(yield, UTF8_REPLACEMENT_CHAR, 1);
7715 }
7716 if ((complete == 1) && ((c & 0x80) == 0))
7717 /* ASCII character follows incomplete sequence */
7718 yield = string_catn(yield, &c, 1);
7719 }
7720 /* If given a sequence truncated mid-character, we also want to report ?
7721 * Eg, ${length_1:フィル} is one byte, not one character, so we expect
7722 * ${utf8clean:${length_1:フィル}} to yield '?' */
7723 if (bytes_left != 0)
7724 yield = string_catn(yield, UTF8_REPLACEMENT_CHAR, 1);
7725
7726 continue;
7727 }
7728
7729 #ifdef SUPPORT_I18N
7730 case EOP_UTF8_DOMAIN_TO_ALABEL:
7731 {
7732 uschar * error = NULL;
7733 uschar * s = string_domain_utf8_to_alabel(sub, &error);
7734 if (error)
7735 {
7736 expand_string_message = string_sprintf(
7737 "error converting utf8 (%s) to alabel: %s",
7738 string_printing(sub), error);
7739 goto EXPAND_FAILED;
7740 }
7741 yield = string_cat(yield, s);
7742 continue;
7743 }
7744
7745 case EOP_UTF8_DOMAIN_FROM_ALABEL:
7746 {
7747 uschar * error = NULL;
7748 uschar * s = string_domain_alabel_to_utf8(sub, &error);
7749 if (error)
7750 {
7751 expand_string_message = string_sprintf(
7752 "error converting alabel (%s) to utf8: %s",
7753 string_printing(sub), error);
7754 goto EXPAND_FAILED;
7755 }
7756 yield = string_cat(yield, s);
7757 continue;
7758 }
7759
7760 case EOP_UTF8_LOCALPART_TO_ALABEL:
7761 {
7762 uschar * error = NULL;
7763 uschar * s = string_localpart_utf8_to_alabel(sub, &error);
7764 if (error)
7765 {
7766 expand_string_message = string_sprintf(
7767 "error converting utf8 (%s) to alabel: %s",
7768 string_printing(sub), error);
7769 goto EXPAND_FAILED;
7770 }
7771 yield = string_cat(yield, s);
7772 DEBUG(D_expand) debug_printf_indent("yield: '%s'\n", yield->s);
7773 continue;
7774 }
7775
7776 case EOP_UTF8_LOCALPART_FROM_ALABEL:
7777 {
7778 uschar * error = NULL;
7779 uschar * s = string_localpart_alabel_to_utf8(sub, &error);
7780 if (error)
7781 {
7782 expand_string_message = string_sprintf(
7783 "error converting alabel (%s) to utf8: %s",
7784 string_printing(sub), error);
7785 goto EXPAND_FAILED;
7786 }
7787 yield = string_cat(yield, s);
7788 continue;
7789 }
7790 #endif /* EXPERIMENTAL_INTERNATIONAL */
7791
7792 /* escape turns all non-printing characters into escape sequences. */
7793
7794 case EOP_ESCAPE:
7795 {
7796 const uschar * t = string_printing(sub);
7797 yield = string_cat(yield, t);
7798 continue;
7799 }
7800
7801 case EOP_ESCAPE8BIT:
7802 {
7803 uschar c;
7804
7805 for (const uschar * s = sub; (c = *s); s++)
7806 yield = c < 127 && c != '\\'
7807 ? string_catn(yield, s, 1)
7808 : string_fmt_append(yield, "\\%03o", c);
7809 continue;
7810 }
7811
7812 /* Handle numeric expression evaluation */
7813
7814 case EOP_EVAL:
7815 case EOP_EVAL10:
7816 {
7817 uschar *save_sub = sub;
7818 uschar *error = NULL;
7819 int_eximarith_t n = eval_expr(&sub, (c == EOP_EVAL10), &error, FALSE);
7820 if (error)
7821 {
7822 expand_string_message = string_sprintf("error in expression "
7823 "evaluation: %s (after processing \"%.*s\")", error,
7824 (int)(sub-save_sub), save_sub);
7825 goto EXPAND_FAILED;
7826 }
7827 yield = string_fmt_append(yield, PR_EXIM_ARITH, n);
7828 continue;
7829 }
7830
7831 /* Handle time period formatting */
7832
7833 case EOP_TIME_EVAL:
7834 {
7835 int n = readconf_readtime(sub, 0, FALSE);
7836 if (n < 0)
7837 {
7838 expand_string_message = string_sprintf("string \"%s\" is not an "
7839 "Exim time interval in \"%s\" operator", sub, name);
7840 goto EXPAND_FAILED;
7841 }
7842 yield = string_fmt_append(yield, "%d", n);
7843 continue;
7844 }
7845
7846 case EOP_TIME_INTERVAL:
7847 {
7848 int n;
7849 uschar *t = read_number(&n, sub);
7850 if (*t != 0) /* Not A Number*/
7851 {
7852 expand_string_message = string_sprintf("string \"%s\" is not a "
7853 "positive number in \"%s\" operator", sub, name);
7854 goto EXPAND_FAILED;
7855 }
7856 t = readconf_printtime(n);
7857 yield = string_cat(yield, t);
7858 continue;
7859 }
7860
7861 /* Convert string to base64 encoding */
7862
7863 case EOP_STR2B64:
7864 case EOP_BASE64:
7865 {
7866 #ifndef DISABLE_TLS
7867 uschar * s = vp && *(void **)vp->value
7868 ? tls_cert_der_b64(*(void **)vp->value)
7869 : b64encode(CUS sub, Ustrlen(sub));
7870 #else
7871 uschar * s = b64encode(CUS sub, Ustrlen(sub));
7872 #endif
7873 yield = string_cat(yield, s);
7874 continue;
7875 }
7876
7877 case EOP_BASE64D:
7878 {
7879 uschar * s;
7880 int len = b64decode(sub, &s);
7881 if (len < 0)
7882 {
7883 expand_string_message = string_sprintf("string \"%s\" is not "
7884 "well-formed for \"%s\" operator", sub, name);
7885 goto EXPAND_FAILED;
7886 }
7887 yield = string_cat(yield, s);
7888 continue;
7889 }
7890
7891 /* strlen returns the length of the string */
7892
7893 case EOP_STRLEN:
7894 yield = string_fmt_append(yield, "%d", Ustrlen(sub));
7895 continue;
7896
7897 /* length_n or l_n takes just the first n characters or the whole string,
7898 whichever is the shorter;
7899
7900 substr_m_n, and s_m_n take n characters from offset m; negative m take
7901 from the end; l_n is synonymous with s_0_n. If n is omitted in substr it
7902 takes the rest, either to the right or to the left.
7903
7904 hash_n or h_n makes a hash of length n from the string, yielding n
7905 characters from the set a-z; hash_n_m makes a hash of length n, but
7906 uses m characters from the set a-zA-Z0-9.
7907
7908 nhash_n returns a single number between 0 and n-1 (in text form), while
7909 nhash_n_m returns a div/mod hash as two numbers "a/b". The first lies
7910 between 0 and n-1 and the second between 0 and m-1. */
7911
7912 case EOP_LENGTH:
7913 case EOP_L:
7914 case EOP_SUBSTR:
7915 case EOP_S:
7916 case EOP_HASH:
7917 case EOP_H:
7918 case EOP_NHASH:
7919 case EOP_NH:
7920 {
7921 int sign = 1;
7922 int value1 = 0;
7923 int value2 = -1;
7924 int *pn;
7925 int len;
7926 uschar *ret;
7927
7928 if (!arg)
7929 {
7930 expand_string_message = string_sprintf("missing values after %s",
7931 name);
7932 goto EXPAND_FAILED;
7933 }
7934
7935 /* "length" has only one argument, effectively being synonymous with
7936 substr_0_n. */
7937
7938 if (c == EOP_LENGTH || c == EOP_L)
7939 {
7940 pn = &value2;
7941 value2 = 0;
7942 }
7943
7944 /* The others have one or two arguments; for "substr" the first may be
7945 negative. The second being negative means "not supplied". */
7946
7947 else
7948 {
7949 pn = &value1;
7950 if (name[0] == 's' && *arg == '-') { sign = -1; arg++; }
7951 }
7952
7953 /* Read up to two numbers, separated by underscores */
7954
7955 ret = arg;
7956 while (*arg != 0)
7957 {
7958 if (arg != ret && *arg == '_' && pn == &value1)
7959 {
7960 pn = &value2;
7961 value2 = 0;
7962 if (arg[1] != 0) arg++;
7963 }
7964 else if (!isdigit(*arg))
7965 {
7966 expand_string_message =
7967 string_sprintf("non-digit after underscore in \"%s\"", name);
7968 goto EXPAND_FAILED;
7969 }
7970 else *pn = (*pn)*10 + *arg++ - '0';
7971 }
7972 value1 *= sign;
7973
7974 /* Perform the required operation */
7975
7976 ret = c == EOP_HASH || c == EOP_H
7977 ? compute_hash(sub, value1, value2, &len)
7978 : c == EOP_NHASH || c == EOP_NH
7979 ? compute_nhash(sub, value1, value2, &len)
7980 : extract_substr(sub, value1, value2, &len);
7981 if (!ret) goto EXPAND_FAILED;
7982
7983 yield = string_catn(yield, ret, len);
7984 continue;
7985 }
7986
7987 /* Stat a path */
7988
7989 case EOP_STAT:
7990 {
7991 uschar smode[12];
7992 uschar **modetable[3];
7993 mode_t mode;
7994 struct stat st;
7995
7996 if (expand_forbid & RDO_EXISTS)
7997 {
7998 expand_string_message = US"Use of the stat() expansion is not permitted";
7999 goto EXPAND_FAILED;
8000 }
8001
8002 if (stat(CS sub, &st) < 0)
8003 {
8004 expand_string_message = string_sprintf("stat(%s) failed: %s",
8005 sub, strerror(errno));
8006 goto EXPAND_FAILED;
8007 }
8008 mode = st.st_mode;
8009 switch (mode & S_IFMT)
8010 {
8011 case S_IFIFO: smode[0] = 'p'; break;
8012 case S_IFCHR: smode[0] = 'c'; break;
8013 case S_IFDIR: smode[0] = 'd'; break;
8014 case S_IFBLK: smode[0] = 'b'; break;
8015 case S_IFREG: smode[0] = '-'; break;
8016 default: smode[0] = '?'; break;
8017 }
8018
8019 modetable[0] = ((mode & 01000) == 0)? mtable_normal : mtable_sticky;
8020 modetable[1] = ((mode & 02000) == 0)? mtable_normal : mtable_setid;
8021 modetable[2] = ((mode & 04000) == 0)? mtable_normal : mtable_setid;
8022
8023 for (int i = 0; i < 3; i++)
8024 {
8025 memcpy(CS(smode + 7 - i*3), CS(modetable[i][mode & 7]), 3);
8026 mode >>= 3;
8027 }
8028
8029 smode[10] = 0;
8030 yield = string_fmt_append(yield,
8031 "mode=%04lo smode=%s inode=%ld device=%ld links=%ld "
8032 "uid=%ld gid=%ld size=" OFF_T_FMT " atime=%ld mtime=%ld ctime=%ld",
8033 (long)(st.st_mode & 077777), smode, (long)st.st_ino,
8034 (long)st.st_dev, (long)st.st_nlink, (long)st.st_uid,
8035 (long)st.st_gid, st.st_size, (long)st.st_atime,
8036 (long)st.st_mtime, (long)st.st_ctime);
8037 continue;
8038 }
8039
8040 /* vaguely random number less than N */
8041
8042 case EOP_RANDINT:
8043 {
8044 int_eximarith_t max = expanded_string_integer(sub, TRUE);
8045
8046 if (expand_string_message)
8047 goto EXPAND_FAILED;
8048 yield = string_fmt_append(yield, "%d", vaguely_random_number((int)max));
8049 continue;
8050 }
8051
8052 /* Reverse IP, including IPv6 to dotted-nibble */
8053
8054 case EOP_REVERSE_IP:
8055 {
8056 int family, maskptr;
8057 uschar reversed[128];
8058
8059 family = string_is_ip_address(sub, &maskptr);
8060 if (family == 0)
8061 {
8062 expand_string_message = string_sprintf(
8063 "reverse_ip() not given an IP address [%s]", sub);
8064 goto EXPAND_FAILED;
8065 }
8066 invert_address(reversed, sub);
8067 yield = string_cat(yield, reversed);
8068 continue;
8069 }
8070
8071 /* Unknown operator */
8072
8073 default:
8074 expand_string_message =
8075 string_sprintf("unknown expansion operator \"%s\"", name);
8076 goto EXPAND_FAILED;
8077 }
8078 }
8079
8080 /* Handle a plain name. If this is the first thing in the expansion, release
8081 the pre-allocated buffer. If the result data is known to be in a new buffer,
8082 newsize will be set to the size of that buffer, and we can just point at that
8083 store instead of copying. Many expansion strings contain just one reference,
8084 so this is a useful optimization, especially for humungous headers
8085 ($message_headers). */
8086 /*{*/
8087 if (*s++ == '}')
8088 {
8089 int len;
8090 int newsize = 0;
8091 gstring * g = NULL;
8092
8093 if (!yield)
8094 g = store_get(sizeof(gstring), FALSE);
8095 else if (yield->ptr == 0)
8096 {
8097 if (resetok) reset_point = store_reset(reset_point);
8098 yield = NULL;
8099 reset_point = store_mark();
8100 g = store_get(sizeof(gstring), FALSE); /* alloc _before_ calling find_variable() */
8101 }
8102 if (!(value = find_variable(name, FALSE, skipping, &newsize)))
8103 {
8104 expand_string_message =
8105 string_sprintf("unknown variable in \"${%s}\"", name);
8106 check_variable_error_message(name);
8107 goto EXPAND_FAILED;
8108 }
8109 len = Ustrlen(value);
8110 if (!yield && newsize)
8111 {
8112 yield = g;
8113 yield->size = newsize;
8114 yield->ptr = len;
8115 yield->s = value;
8116 }
8117 else
8118 yield = string_catn(yield, value, len);
8119 continue;
8120 }
8121
8122 /* Else there's something wrong */
8123
8124 expand_string_message =
8125 string_sprintf("\"${%s\" is not a known operator (or a } is missing "
8126 "in a variable reference)", name);
8127 goto EXPAND_FAILED;
8128 }
8129
8130 /* If we hit the end of the string when ket_ends is set, there is a missing
8131 terminating brace. */
8132
8133 if (ket_ends && *s == 0)
8134 {
8135 expand_string_message = malformed_header
8136 ? US"missing } at end of string - could be header name not terminated by colon"
8137 : US"missing } at end of string";
8138 goto EXPAND_FAILED;
8139 }
8140
8141 /* Expansion succeeded; yield may still be NULL here if nothing was actually
8142 added to the string. If so, set up an empty string. Add a terminating zero. If
8143 left != NULL, return a pointer to the terminator. */
8144
8145 if (!yield)
8146 yield = string_get(1);
8147 (void) string_from_gstring(yield);
8148 if (left) *left = s;
8149
8150 /* Any stacking store that was used above the final string is no longer needed.
8151 In many cases the final string will be the first one that was got and so there
8152 will be optimal store usage. */
8153
8154 if (resetok) gstring_release_unused(yield);
8155 else if (resetok_p) *resetok_p = FALSE;
8156
8157 DEBUG(D_expand)
8158 {
8159 BOOL tainted = is_tainted(yield->s);
8160 DEBUG(D_noutf8)
8161 {
8162 debug_printf_indent("|--expanding: %.*s\n", (int)(s - string), string);
8163 debug_printf_indent("%sresult: %s\n",
8164 skipping ? "|-----" : "\\_____", yield->s);
8165 if (tainted)
8166 debug_printf_indent("%s \\__(tainted)\n",
8167 skipping ? "| " : " ");
8168 if (skipping)
8169 debug_printf_indent("\\___skipping: result is not used\n");
8170 }
8171 else
8172 {
8173 debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
8174 "expanding: %.*s\n",
8175 (int)(s - string), string);
8176 debug_printf_indent("%s" UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
8177 "result: %s\n",
8178 skipping ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
8179 yield->s);
8180 if (tainted)
8181 debug_printf_indent("%s(tainted)\n",
8182 skipping
8183 ? UTF8_VERT " " : " " UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ);
8184 if (skipping)
8185 debug_printf_indent(UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
8186 "skipping: result is not used\n");
8187 }
8188 }
8189 expand_level--;
8190 return yield->s;
8191
8192 /* This is the failure exit: easiest to program with a goto. We still need
8193 to update the pointer to the terminator, for cases of nested calls with "fail".
8194 */
8195
8196 EXPAND_FAILED_CURLY:
8197 if (malformed_header)
8198 expand_string_message =
8199 US"missing or misplaced { or } - could be header name not terminated by colon";
8200
8201 else if (!expand_string_message || !*expand_string_message)
8202 expand_string_message = US"missing or misplaced { or }";
8203
8204 /* At one point, Exim reset the store to yield (if yield was not NULL), but
8205 that is a bad idea, because expand_string_message is in dynamic store. */
8206
8207 EXPAND_FAILED:
8208 if (left) *left = s;
8209 DEBUG(D_expand)
8210 {
8211 DEBUG(D_noutf8)
8212 {
8213 debug_printf_indent("|failed to expand: %s\n", string);
8214 debug_printf_indent("%serror message: %s\n",
8215 f.expand_string_forcedfail ? "|---" : "\\___", expand_string_message);
8216 if (f.expand_string_forcedfail)
8217 debug_printf_indent("\\failure was forced\n");
8218 }
8219 else
8220 {
8221 debug_printf_indent(UTF8_VERT_RIGHT "failed to expand: %s\n",
8222 string);
8223 debug_printf_indent("%s" UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
8224 "error message: %s\n",
8225 f.expand_string_forcedfail ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
8226 expand_string_message);
8227 if (f.expand_string_forcedfail)
8228 debug_printf_indent(UTF8_UP_RIGHT "failure was forced\n");
8229 }
8230 }
8231 if (resetok_p && !resetok) *resetok_p = FALSE;
8232 expand_level--;
8233 return NULL;
8234 }
8235
8236
8237 /* This is the external function call. Do a quick check for any expansion
8238 metacharacters, and if there are none, just return the input string.
8239
8240 Argument: the string to be expanded
8241 Returns: the expanded string, or NULL if expansion failed; if failure was
8242 due to a lookup deferring, search_find_defer will be TRUE
8243 */
8244
8245 const uschar *
expand_cstring(const uschar * string)8246 expand_cstring(const uschar * string)
8247 {
8248 if (Ustrpbrk(string, "$\\") != NULL)
8249 {
8250 int old_pool = store_pool;
8251 uschar * s;
8252
8253 f.search_find_defer = FALSE;
8254 malformed_header = FALSE;
8255 store_pool = POOL_MAIN;
8256 s = expand_string_internal(string, FALSE, NULL, FALSE, TRUE, NULL);
8257 store_pool = old_pool;
8258 return s;
8259 }
8260 return string;
8261 }
8262
8263
8264 uschar *
expand_string(uschar * string)8265 expand_string(uschar * string)
8266 {
8267 return US expand_cstring(CUS string);
8268 }
8269
8270
8271
8272
8273
8274 /*************************************************
8275 * Expand and copy *
8276 *************************************************/
8277
8278 /* Now and again we want to expand a string and be sure that the result is in a
8279 new bit of store. This function does that.
8280 Since we know it has been copied, the de-const cast is safe.
8281
8282 Argument: the string to be expanded
8283 Returns: the expanded string, always in a new bit of store, or NULL
8284 */
8285
8286 uschar *
expand_string_copy(const uschar * string)8287 expand_string_copy(const uschar *string)
8288 {
8289 const uschar *yield = expand_cstring(string);
8290 if (yield == string) yield = string_copy(string);
8291 return US yield;
8292 }
8293
8294
8295
8296 /*************************************************
8297 * Expand and interpret as an integer *
8298 *************************************************/
8299
8300 /* Expand a string, and convert the result into an integer.
8301
8302 Arguments:
8303 string the string to be expanded
8304 isplus TRUE if a non-negative number is expected
8305
8306 Returns: the integer value, or
8307 -1 for an expansion error ) in both cases, message in
8308 -2 for an integer interpretation error ) expand_string_message
8309 expand_string_message is set NULL for an OK integer
8310 */
8311
8312 int_eximarith_t
expand_string_integer(uschar * string,BOOL isplus)8313 expand_string_integer(uschar *string, BOOL isplus)
8314 {
8315 return expanded_string_integer(expand_string(string), isplus);
8316 }
8317
8318
8319 /*************************************************
8320 * Interpret string as an integer *
8321 *************************************************/
8322
8323 /* Convert a string (that has already been expanded) into an integer.
8324
8325 This function is used inside the expansion code.
8326
8327 Arguments:
8328 s the string to be expanded
8329 isplus TRUE if a non-negative number is expected
8330
8331 Returns: the integer value, or
8332 -1 if string is NULL (which implies an expansion error)
8333 -2 for an integer interpretation error
8334 expand_string_message is set NULL for an OK integer
8335 */
8336
8337 static int_eximarith_t
expanded_string_integer(const uschar * s,BOOL isplus)8338 expanded_string_integer(const uschar *s, BOOL isplus)
8339 {
8340 int_eximarith_t value;
8341 uschar *msg = US"invalid integer \"%s\"";
8342 uschar *endptr;
8343
8344 /* If expansion failed, expand_string_message will be set. */
8345
8346 if (!s) return -1;
8347
8348 /* On an overflow, strtol() returns LONG_MAX or LONG_MIN, and sets errno
8349 to ERANGE. When there isn't an overflow, errno is not changed, at least on some
8350 systems, so we set it zero ourselves. */
8351
8352 errno = 0;
8353 expand_string_message = NULL; /* Indicates no error */
8354
8355 /* Before Exim 4.64, strings consisting entirely of whitespace compared
8356 equal to 0. Unfortunately, people actually relied upon that, so preserve
8357 the behaviour explicitly. Stripping leading whitespace is a harmless
8358 noop change since strtol skips it anyway (provided that there is a number
8359 to find at all). */
8360 if (isspace(*s))
8361 if (Uskip_whitespace(&s) == '\0')
8362 {
8363 DEBUG(D_expand)
8364 debug_printf_indent("treating blank string as number 0\n");
8365 return 0;
8366 }
8367
8368 value = strtoll(CS s, CSS &endptr, 10);
8369
8370 if (endptr == s)
8371 msg = US"integer expected but \"%s\" found";
8372 else if (value < 0 && isplus)
8373 msg = US"non-negative integer expected but \"%s\" found";
8374 else
8375 {
8376 switch (tolower(*endptr))
8377 {
8378 default:
8379 break;
8380 case 'k':
8381 if (value > EXIM_ARITH_MAX/1024 || value < EXIM_ARITH_MIN/1024) errno = ERANGE;
8382 else value *= 1024;
8383 endptr++;
8384 break;
8385 case 'm':
8386 if (value > EXIM_ARITH_MAX/(1024*1024) || value < EXIM_ARITH_MIN/(1024*1024)) errno = ERANGE;
8387 else value *= 1024*1024;
8388 endptr++;
8389 break;
8390 case 'g':
8391 if (value > EXIM_ARITH_MAX/(1024*1024*1024) || value < EXIM_ARITH_MIN/(1024*1024*1024)) errno = ERANGE;
8392 else value *= 1024*1024*1024;
8393 endptr++;
8394 break;
8395 }
8396 if (errno == ERANGE)
8397 msg = US"absolute value of integer \"%s\" is too large (overflow)";
8398 else
8399 if (Uskip_whitespace(&endptr) == 0) return value;
8400 }
8401
8402 expand_string_message = string_sprintf(CS msg, s);
8403 return -2;
8404 }
8405
8406
8407 /* These values are usually fixed boolean values, but they are permitted to be
8408 expanded strings.
8409
8410 Arguments:
8411 addr address being routed
8412 mtype the module type
8413 mname the module name
8414 dbg_opt debug selectors
8415 oname the option name
8416 bvalue the router's boolean value
8417 svalue the router's string value
8418 rvalue where to put the returned value
8419
8420 Returns: OK value placed in rvalue
8421 DEFER expansion failed
8422 */
8423
8424 int
exp_bool(address_item * addr,uschar * mtype,uschar * mname,unsigned dbg_opt,uschar * oname,BOOL bvalue,uschar * svalue,BOOL * rvalue)8425 exp_bool(address_item *addr,
8426 uschar *mtype, uschar *mname, unsigned dbg_opt,
8427 uschar *oname, BOOL bvalue,
8428 uschar *svalue, BOOL *rvalue)
8429 {
8430 uschar *expanded;
8431 if (!svalue) { *rvalue = bvalue; return OK; }
8432
8433 if (!(expanded = expand_string(svalue)))
8434 {
8435 if (f.expand_string_forcedfail)
8436 {
8437 DEBUG(dbg_opt) debug_printf("expansion of \"%s\" forced failure\n", oname);
8438 *rvalue = bvalue;
8439 return OK;
8440 }
8441 addr->message = string_sprintf("failed to expand \"%s\" in %s %s: %s",
8442 oname, mname, mtype, expand_string_message);
8443 DEBUG(dbg_opt) debug_printf("%s\n", addr->message);
8444 return DEFER;
8445 }
8446
8447 DEBUG(dbg_opt) debug_printf("expansion of \"%s\" yields \"%s\"\n", oname,
8448 expanded);
8449
8450 if (strcmpic(expanded, US"true") == 0 || strcmpic(expanded, US"yes") == 0)
8451 *rvalue = TRUE;
8452 else if (strcmpic(expanded, US"false") == 0 || strcmpic(expanded, US"no") == 0)
8453 *rvalue = FALSE;
8454 else
8455 {
8456 addr->message = string_sprintf("\"%s\" is not a valid value for the "
8457 "\"%s\" option in the %s %s", expanded, oname, mname, mtype);
8458 return DEFER;
8459 }
8460
8461 return OK;
8462 }
8463
8464
8465
8466 /* Avoid potentially exposing a password in a string about to be logged */
8467
8468 uschar *
expand_hide_passwords(uschar * s)8469 expand_hide_passwords(uschar * s)
8470 {
8471 return ( ( Ustrstr(s, "failed to expand") != NULL
8472 || Ustrstr(s, "expansion of ") != NULL
8473 )
8474 && ( Ustrstr(s, "mysql") != NULL
8475 || Ustrstr(s, "pgsql") != NULL
8476 || Ustrstr(s, "redis") != NULL
8477 || Ustrstr(s, "sqlite") != NULL
8478 || Ustrstr(s, "ldap:") != NULL
8479 || Ustrstr(s, "ldaps:") != NULL
8480 || Ustrstr(s, "ldapi:") != NULL
8481 || Ustrstr(s, "ldapdn:") != NULL
8482 || Ustrstr(s, "ldapm:") != NULL
8483 ) )
8484 ? US"Temporary internal error" : s;
8485 }
8486
8487
8488 /* Read given named file into big_buffer. Use for keying material etc.
8489 The content will have an ascii NUL appended.
8490
8491 Arguments:
8492 filename as it says
8493
8494 Return: pointer to buffer, or NULL on error.
8495 */
8496
8497 uschar *
expand_file_big_buffer(const uschar * filename)8498 expand_file_big_buffer(const uschar * filename)
8499 {
8500 int fd, off = 0, len;
8501
8502 if ((fd = exim_open2(CS filename, O_RDONLY)) < 0)
8503 {
8504 log_write(0, LOG_MAIN | LOG_PANIC, "unable to open file for reading: %s",
8505 filename);
8506 return NULL;
8507 }
8508
8509 do
8510 {
8511 if ((len = read(fd, big_buffer + off, big_buffer_size - 2 - off)) < 0)
8512 {
8513 (void) close(fd);
8514 log_write(0, LOG_MAIN|LOG_PANIC, "unable to read file: %s", filename);
8515 return NULL;
8516 }
8517 off += len;
8518 }
8519 while (len > 0);
8520
8521 (void) close(fd);
8522 big_buffer[off] = '\0';
8523 return big_buffer;
8524 }
8525
8526
8527
8528 /*************************************************
8529 * Error-checking for testsuite *
8530 *************************************************/
8531 typedef struct {
8532 uschar * region_start;
8533 uschar * region_end;
8534 const uschar *var_name;
8535 const uschar *var_data;
8536 } err_ctx;
8537
8538 static void
assert_variable_notin(uschar * var_name,uschar * var_data,void * ctx)8539 assert_variable_notin(uschar * var_name, uschar * var_data, void * ctx)
8540 {
8541 err_ctx * e = ctx;
8542 if (var_data >= e->region_start && var_data < e->region_end)
8543 {
8544 e->var_name = CUS var_name;
8545 e->var_data = CUS var_data;
8546 }
8547 }
8548
8549 void
assert_no_variables(void * ptr,int len,const char * filename,int linenumber)8550 assert_no_variables(void * ptr, int len, const char * filename, int linenumber)
8551 {
8552 err_ctx e = { .region_start = ptr, .region_end = US ptr + len,
8553 .var_name = NULL, .var_data = NULL };
8554
8555 /* check acl_ variables */
8556 tree_walk(acl_var_c, assert_variable_notin, &e);
8557 tree_walk(acl_var_m, assert_variable_notin, &e);
8558
8559 /* check auth<n> variables */
8560 for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
8561 assert_variable_notin(US"auth<n>", auth_vars[i], &e);
8562
8563 /* check regex<n> variables */
8564 for (int i = 0; i < REGEX_VARS; i++) if (regex_vars[i])
8565 assert_variable_notin(US"regex<n>", regex_vars[i], &e);
8566
8567 /* check known-name variables */
8568 for (var_entry * v = var_table; v < var_table + var_table_size; v++)
8569 if (v->type == vtype_stringptr)
8570 assert_variable_notin(US v->name, *(USS v->value), &e);
8571
8572 /* check dns and address trees */
8573 tree_walk(tree_dns_fails, assert_variable_notin, &e);
8574 tree_walk(tree_duplicates, assert_variable_notin, &e);
8575 tree_walk(tree_nonrecipients, assert_variable_notin, &e);
8576 tree_walk(tree_unusable, assert_variable_notin, &e);
8577
8578 if (e.var_name)
8579 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
8580 "live variable '%s' destroyed by reset_store at %s:%d\n- value '%.64s'",
8581 e.var_name, filename, linenumber, e.var_data);
8582 }
8583
8584
8585
8586 /*************************************************
8587 **************************************************
8588 * Stand-alone test program *
8589 **************************************************
8590 *************************************************/
8591
8592 #ifdef STAND_ALONE
8593
8594
8595 BOOL
regex_match_and_setup(const pcre * re,uschar * subject,int options,int setup)8596 regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
8597 {
8598 int ovector[3*(EXPAND_MAXN+1)];
8599 int n = pcre_exec(re, NULL, subject, Ustrlen(subject), 0, PCRE_EOPT|options,
8600 ovector, nelem(ovector));
8601 BOOL yield = n >= 0;
8602 if (n == 0) n = EXPAND_MAXN + 1;
8603 if (yield)
8604 {
8605 expand_nmax = setup < 0 ? 0 : setup + 1;
8606 for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
8607 {
8608 expand_nstring[expand_nmax] = subject + ovector[nn];
8609 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
8610 }
8611 expand_nmax--;
8612 }
8613 return yield;
8614 }
8615
8616
main(int argc,uschar ** argv)8617 int main(int argc, uschar **argv)
8618 {
8619 uschar buffer[1024];
8620
8621 debug_selector = D_v;
8622 debug_file = stderr;
8623 debug_fd = fileno(debug_file);
8624 big_buffer = malloc(big_buffer_size);
8625 store_init();
8626
8627 for (int i = 1; i < argc; i++)
8628 {
8629 if (argv[i][0] == '+')
8630 {
8631 debug_trace_memory = 2;
8632 argv[i]++;
8633 }
8634 if (isdigit(argv[i][0]))
8635 debug_selector = Ustrtol(argv[i], NULL, 0);
8636 else
8637 if (Ustrspn(argv[i], "abcdefghijklmnopqrtsuvwxyz0123456789-.:/") ==
8638 Ustrlen(argv[i]))
8639 {
8640 #ifdef LOOKUP_LDAP
8641 eldap_default_servers = argv[i];
8642 #endif
8643 #ifdef LOOKUP_MYSQL
8644 mysql_servers = argv[i];
8645 #endif
8646 #ifdef LOOKUP_PGSQL
8647 pgsql_servers = argv[i];
8648 #endif
8649 #ifdef LOOKUP_REDIS
8650 redis_servers = argv[i];
8651 #endif
8652 }
8653 #ifdef EXIM_PERL
8654 else opt_perl_startup = argv[i];
8655 #endif
8656 }
8657
8658 printf("Testing string expansion: debug_level = %d\n\n", debug_level);
8659
8660 expand_nstring[1] = US"string 1....";
8661 expand_nlength[1] = 8;
8662 expand_nmax = 1;
8663
8664 #ifdef EXIM_PERL
8665 if (opt_perl_startup != NULL)
8666 {
8667 uschar *errstr;
8668 printf("Starting Perl interpreter\n");
8669 errstr = init_perl(opt_perl_startup);
8670 if (errstr != NULL)
8671 {
8672 printf("** error in perl_startup code: %s\n", errstr);
8673 return EXIT_FAILURE;
8674 }
8675 }
8676 #endif /* EXIM_PERL */
8677
8678 /* Thie deliberately regards the input as untainted, so that it can be
8679 expanded; only reasonable since this is a test for string-expansions. */
8680
8681 while (fgets(buffer, sizeof(buffer), stdin) != NULL)
8682 {
8683 rmark reset_point = store_mark();
8684 uschar *yield = expand_string(buffer);
8685 if (yield)
8686 printf("%s\n", yield);
8687 else
8688 {
8689 if (f.search_find_defer) printf("search_find deferred\n");
8690 printf("Failed: %s\n", expand_string_message);
8691 if (f.expand_string_forcedfail) printf("Forced failure\n");
8692 printf("\n");
8693 }
8694 store_reset(reset_point);
8695 }
8696
8697 search_tidyup();
8698
8699 return 0;
8700 }
8701
8702 #endif
8703
8704 /* vi: aw ai sw=2
8705 */
8706 /* End of expand.c */
8707