Phil Pennock [Fri, 13 Apr 2018 22:51:23 +0000 (18:51 -0400)]
DKIM downgrade example again; this time debugged
As well as previous commit's `len_3` -> `length_3`, we were missing
braces around the expansion operator, resulting in trying to dereference
an unknown variable `$length_3`, and we were missing the outer braces
from the `or` expansion condition.
We really need a better way to test ACL expansion without a full harness. :(
This bug-fixed version is now running on my system.
Phil Pennock [Thu, 12 Apr 2018 02:04:28 +0000 (22:04 -0400)]
Mention MTA-STS in DANE context; nit fixes
Did an audit of text changed since commit 6aa6fc9c5 to look for issues
which stood out, fixed those. Spelling mistakes, markup issues, minor
grammatical infelicities.
The public/private CA stuff in the DANE text might push people away from
public CAs, but the existence of MTA-STS means that one of those is
probably the best choice. Mention what exim.org does, to provide
slightly firmer guidance without pressure.
List the `dkim_hash` values, `sha512` appears to be new since that text
was last touched.
Phil Pennock [Mon, 9 Apr 2018 21:49:57 +0000 (17:49 -0400)]
bugfix: heimdal interaction, check length
clang noted that taking the address of a struct member will never be 0,
so checking against 0 was wrong. It was a `.length` member. I've
compiled RC4 with this change and deployed it to my box and I can still
authenticate fine.
Jeremy Harris [Sun, 8 Apr 2018 21:45:39 +0000 (22:45 +0100)]
OpenSSL: Revert the disabling of the session-cache. Bug 2255
Session cacheing is never useful, as we use a new context for every TLS startup.
However, removing the support triggers odd behaviour from Outlook Express (only
when there is an IMAP server on the same machine as Exim): an initial connect
from the OE client fails, the immediate retry works.
It compiles with OpenSSL, on Darwin (if restore Darwin OS).
It doesn't crash immediately, but more testing is needed from a place
where port 25 is not just blocked.
Phil Pennock [Fri, 23 Mar 2018 22:34:21 +0000 (18:34 -0400)]
Address jgh notes re OpenSSL
* `/usr/local` is fair, on Linux, but I deliberately picked something
specific to OpenSSL to make the context clear and limit bad
interactions with other locally-installed software.
* `RPATH` and `RUNPATH` are not the same and are deeply twisty in their
interactions.
<https://blog.qt.io/blog/2011/10/28/rpath-and-runpath/> is a decent
summary.
Phil Pennock [Sat, 17 Mar 2018 01:57:14 +0000 (21:57 -0400)]
openssl: use += for LDFLAGS, drop env PC docs
Using `LDFLAGS=` instead of `LDFLAGS+=` will stomp over an earlier
setting of LDFLAGS, and the DMARC support is now further up in
`src/EDITME`, thus likely to get stomped upon.
Rather than continue to document using `PKG_CONFIG_PATH` via env, the
in-Local/Makefile support has been around for a little while now, so go
ahead and make that the only way we suggest here.
Add a mention of _why_ we use both `USE_OPENSSL_PC` and `LDFLAGS`.
(Normally we don't care about leaks in short lived processes we use
during build time. But as -fsanitize=address breaks the build in an
early stage, the leak is fixed now.)
Tomas Hoger [Wed, 7 Mar 2018 10:30:18 +0000 (11:30 +0100)]
Fix dec64table[] OOB read in b64decode()
Possible values for y at this point are 0..255. However, dec64table[]
only has 128 entries and hence valid indexes are 0..127. The values of
y greater than 127 trigger out of bounds read. As dec64table[] is in
the data segment, the OOB access is not detected by tools as valgrind or
ASAN. This adds a check to ensure y is less than or equal to 127, just
like in other cases where dec64table[] is accessed.
Note that removal of the y == 0 condition is not a problem, as
dec64table[0] == 255, so the second part of the condition is true.
Simon Arlott [Sun, 11 Mar 2018 16:25:28 +0000 (16:25 +0000)]
PRDR: append overall DATA acceptance message to delivery log line "C=" item. Bug 2253
It can have useful tracking info from the destination, eg. their message Id.