

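--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -47,6 +47,8 @@ AUTH_SASL_LIB_DEPENDS= libsasl2.so:security/cyrus-sasl2
 BDB_USES=	bdb
 DMARC_LIB_DEPENDS=	libopendmarc.so:mail/opendmarc
 EMBEDDED_PERL_USE=	perl5=run,build
+EMBEDDED_PERL_BUILD_DEPENDS=	p5-File-FcntlLock>0:devel/p5-File-FcntlLock
+EMBEDDED_PERL_RUN_DEPENDS=	p5-File-FcntlLock>0:devel/p5-File-FcntlLock
 EXIMON_USES=	xorg
 EXIMON_USE=	xorg=x11,xaw,xext,xmu,xt
 GNUTLS_LIB_DEPENDS=	libgnutls.so:security/gnutls
@@ -64,32 +66,10 @@ SPF_LIB_DEPENDS= libspf2.so:mail/libspf2
 SQLITE_LIB_DEPENDS=	libicudata.so:devel/icu
 SQLITE_USES=	pkgconfig sqlite
 
-DEBIAN_PATCHES_PREFIX=	${FILESDIR}/debian/75
-EXTRA_PATCHES= \
-		${DEBIAN_PATCHES_PREFIX}_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_05-SPF-fix-memory-accounting-for-error-case.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_08-Fix-regex-n-use-after-free.-Bug-2915.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_09-Fix-non-WITH_CONTENT_SCAN-build.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_22-Fix-daemon-startup.-Bug-2930.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_23-Fix-reccipients-after-run.-.-Bug-2929.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_31-Fix-regext-substring-capture-variables-for-null-matc.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_32-Fix-regex-substring-capture-variables-for-null-match.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_50-Fix-logging-of-max-size-log-line.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch:-p1 \
-		${DEBIAN_PATCHES_PREFIX}_66-Fix-crash-in-expansions.patch:-p1
+#DEBIAN_PATCHES_PREFIX=	${FILESDIR}/debian/75
+#EXTRA_PATCHES= \
+#		${DEBIAN_PATCHES_PREFIX}_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch:-p1 \
+#		${DEBIAN_PATCHES_PREFIX}_05-SPF-fix-memory-accounting-for-error-case.patch:-p1
 
 .include <bsd.port.options.mk>
 
@@ -130,7 +110,7 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-Local-sa-exim.conf
 .endif
 
-EXIM_VERSION=	4.96.2
+EXIM_VERSION=	4.97
 SA_EXIM_VERSION=4.2.1
 EXIM_INSTALL_ARG+=	"-no_chown" "-no_symlink"
 EXTRA_PATCHES+=	`${FIND} ${PATCHDIR} -name '74_*.patch'|${SORT} -h`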
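Review bot: The four commented-out lines added at new lines 69-72 (`#DEBIAN_PATCHES_PREFIX=	${FILESDIR}/debian/75`, `#EXTRA_PATCHES= \` and the two `#		${DEBIAN_PATCHES_PREFIX}_01…`/`_05…` entries) are dead configuration: the files they name under files/debian/75_* are deleted by this same change, so anyone un-commenting them gets a failing patch step, and the truncated list is not even the one that was in use. Since the port's history keeps the old list, I would drop the four lines rather than keep a partial, stale copy; if the intent is to keep a template for a future patch series, a one-line comment saying so (e.g. `# Debian patch series for 4.97 goes here; see files/debian/ in earlier revisions`) would make that explicit. It would also help to state in the commit message that the dropped 75_* fixes (the $regex<n> and dmarc_dns_lookup use-after-free fixes, the daemon-startup fix, the OpenSSL/GnuTLS changes) are presumably part of the 4.97 release — I infer that from the version bump, but nothing on the page shows it, and a reviewer should be able to confirm no fix was silently lost. The EMBEDDED_PERL_BUILD_DEPENDS/EMBEDDED_PERL_RUN_DEPENDS addition at lines 50-51 has no explanation either; a short comment on why p5-File-FcntlLock is now required for the embedded-perl option would help the next maintainer.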
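--- a/mail/exim/distinfo
+++ b/mail/exim/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1697388290
-SHA256 (exim/exim-4.96.2.tar.bz2) = a7b9c247a8dcdf72b37ef4a6db0a744f6d34f65b40ef376265ddeb35610bb432
-SIZE (exim/exim-4.96.2.tar.bz2) = 2047572
+TIMESTAMP = 1699107695
+SHA256 (exim/exim-4.97.tar.bz2) = f0f6141b126a929e431d6ac8af3d6a1e310621ffe1f628b7b0de1e9b05488bfd
+SIZE (exim/exim-4.97.tar.bz2) = 2077471
 SHA256 (exim/sa-exim-4.2.1.tar.gz) = 24d4bf7b0fdddaea11f132981cebb6a86a4ab20ef54111a8ebd481b421c6e2c1
 SIZE (exim/sa-exim-4.2.1.tar.gz) = 68933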
(-)a/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch (-39 lines)
Removed Link Here
1
From e7ec503729970a03d4509921342bc81313976126 Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Tue, 12 Jul 2022 22:14:04 +0100
4
Subject: [PATCH] Fix exit on attempt to rewrite a malformed address.  Bug 2903
5
6
---
7
 src/rewrite.c            |   9 +-
8
 test/confs/0471              |   7 +
9
 test/log/0471                |   5 +
10
 test/scripts/0000-Basic/0471 |   4 +-
11
 test/stderr/0471             | 245 ++++++++++++++++++++++++++++++++++-
12
 6 files changed, 267 insertions(+), 8 deletions(-)
13
14
--- a/src/rewrite.c
15
+++ b/src/rewrite.c
16
@@ -493,19 +493,18 @@
17
   empty address, overlong addres. Sometimes the result matters, sometimes not.
18
   It seems this function is called for *any* header we see. */
19
 
20
   if (!recipient)
21
     {
22
-    /* Handle unparesable addresses in the header. Slightly ugly because a
23
+    /* Log unparesable addresses in the header. Slightly ugly because a
24
     null output from the extract can also result from a header without an
25
-    address, "To: undisclosed recpients:;" being the classic case. */
26
+    address, "To: undisclosed recpients:;" being the classic case. Ignore
27
+    this one and carry on. */
28
 
29
     if ((rewrite_rules || routed_old) && Ustrcmp(errmess, "empty address") != 0)
30
-      {
31
       log_write(0, LOG_MAIN, "rewrite: %s", errmess);
32
-      exim_exit(EXIT_FAILURE);
33
-      }
34
+
35
     loop_reset_point = store_reset(loop_reset_point);
36
     continue;
37
     }
38
 
39
   /* If routed_old is not NULL, this is a rewrite caused by a router,
(-)a/mail/exim/files/debian/75_05-SPF-fix-memory-accounting-for-error-case.patch (-25 lines)
Removed Link Here
1
From 93c722ce0549360af68269f088f4e59ed8fc130e Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Sun, 7 Aug 2022 17:00:27 +0100
4
Subject: [PATCH] SPF: fix memory accounting for error case
5
6
---
7
 src/spf.c | 2 +-
8
 1 file changed, 1 insertion(+), 1 deletion(-)
9
10
diff --git a/src/spf.c b/src/spf.c
11
index db6eea3a8..a8c0f75c4 100644
12
--- a/src/spf.c
13
+++ b/src/spf.c
14
@@ -204,7 +204,7 @@ spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
15
   "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
16
 if (!spf_nxdomain)
17
   {
18
-  free(spf_dns_server);
19
+  store_free(spf_dns_server);
20
   return NULL;
21
   }
22
 
23
-- 
24
2.35.1
25
(-)a/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch (-167 lines)
Removed Link Here
1
From 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Wed, 31 Aug 2022 15:37:40 +0100
4
Subject: [PATCH] Fix $regex<n> use-after-free.  Bug 2915
5
6
---
7
 src/exim.c                  |  4 +---
8
 src/expand.c                |  2 +-
9
 src/functions.h             |  1 +
10
 src/globals.c               |  2 +-
11
 src/regex.c                 | 29 ++++++++++++++++++-----------
12
 src/smtp_in.c               |  2 ++
13
 7 files changed, 55 insertions(+), 17 deletions(-)
14
15
--- a/src/exim.c
16
+++ b/src/exim.c
17
@@ -1999,12 +1999,10 @@
18
 
19
 regex_whitelisted_macro =
20
   regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
21
 #endif
22
 
23
-for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
24
-
25
 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
26
 this seems to be a generally accepted convention, since one finds symbolic
27
 links called "mailq" in standard OS configurations. */
28
 
29
 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
30
@@ -6082,11 +6080,11 @@
31
   callout_address = NULL;
32
   sending_ip_address = NULL;
33
   deliver_localpart_data = deliver_domain_data =
34
   recipient_data = sender_data = NULL;
35
   acl_var_m = NULL;
36
-  for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
37
+  regex_vars_clear();
38
 
39
   store_reset(reset_point);
40
   }
41
 
42
 exim_exit(EXIT_SUCCESS);   /* Never returns */
43
--- a/src/expand.c
44
+++ b/src/expand.c
45
@@ -1871,11 +1871,11 @@
46
   {
47
   tree_node * node = tree_search(router_var, name + 2);
48
   return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
49
   }
50
 
51
-/* Handle $auth<n> variables. */
52
+/* Handle $auth<n>, $regex<n> variables. */
53
 
54
 if (Ustrncmp(name, "auth", 4) == 0)
55
   {
56
   uschar *endptr;
57
   int n = Ustrtoul(name + 4, &endptr, 10);
58
--- a/src/functions.h
59
+++ b/src/functions.h
60
@@ -436,10 +436,11 @@
61
 extern int     regex(const uschar **);
62
 #endif
63
 extern BOOL    regex_match(const pcre2_code *, const uschar *, int, uschar **);
64
 extern BOOL    regex_match_and_setup(const pcre2_code *, const uschar *, int, int);
65
 extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL);
66
+extern void    regex_vars_clear(void);
67
 extern void    retry_add_item(address_item *, uschar *, int);
68
 extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
69
                  uschar **, uschar **);
70
 extern retry_config *retry_find_config(const uschar *, const uschar *, int, int);
71
 extern BOOL    retry_ultimate_address_timeout(uschar *, const uschar *,
72
--- a/src/globals.c
73
+++ b/src/globals.c
74
@@ -1313,11 +1313,11 @@
75
 #ifndef DISABLE_PIPE_CONNECT
76
 const pcre2_code *regex_EARLY_PIPE   = NULL;
77
 #endif
78
 const pcre2_code *regex_ismsgid      = NULL;
79
 const pcre2_code *regex_smtp_code    = NULL;
80
-const uschar *regex_vars[REGEX_VARS];
81
+const uschar *regex_vars[REGEX_VARS] = { 0 };;
82
 #ifdef WHITELIST_D_MACROS
83
 const pcre2_code *regex_whitelisted_macro = NULL;
84
 #endif
85
 #ifdef WITH_CONTENT_SCAN
86
 uschar *regex_match_string     = NULL;
87
--- a/src/regex.c
88
+++ b/src/regex.c
89
@@ -94,22 +94,32 @@
90
   }
91
 pcre2_match_data_free(md);
92
 return FAIL;
93
 }
94
 
95
+
96
+/* reset expansion variables */
97
+void
98
+regex_vars_clear(void)
99
+{
100
+regex_match_string = NULL;
101
+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
102
+}
103
+
104
+
105
+
106
 int
107
-regex(const uschar **listptr)
108
+regex(const uschar ** listptr)
109
 {
110
 unsigned long mbox_size;
111
-FILE *mbox_file;
112
-pcre_list *re_list_head;
113
-uschar *linebuffer;
114
+FILE * mbox_file;
115
+pcre_list * re_list_head;
116
+uschar * linebuffer;
117
 long f_pos = 0;
118
 int ret = FAIL;
119
 
120
-/* reset expansion variable */
121
-regex_match_string = NULL;
122
+regex_vars_clear();
123
 
124
 if (!mime_stream)				/* We are in the DATA ACL */
125
   {
126
   if (!(mbox_file = spool_mbox(&mbox_size, NULL, NULL)))
127
     {						/* error while spooling */
128
@@ -167,18 +177,17 @@
129
 
130
 
131
 int
132
 mime_regex(const uschar **listptr)
133
 {
134
-pcre_list *re_list_head = NULL;
135
-FILE *f;
136
-uschar *mime_subject = NULL;
137
+pcre_list * re_list_head = NULL;
138
+FILE * f;
139
+uschar * mime_subject = NULL;
140
 int mime_subject_len = 0;
141
 int ret;
142
 
143
-/* reset expansion variable */
144
-regex_match_string = NULL;
145
+regex_vars_clear();
146
 
147
 /* precompile our regexes */
148
 if (!(re_list_head = compile(*listptr)))
149
   return FAIL;			/* no regexes -> nothing to do */
150
 
151
--- a/src/smtp_in.c
152
+++ b/src/smtp_in.c
153
@@ -2155,12 +2155,14 @@
154
 prdr_requested = FALSE;
155
 #endif
156
 #ifdef SUPPORT_I18N
157
 message_smtputf8 = FALSE;
158
 #endif
159
+regex_vars_clear();
160
 body_linecount = body_zerocount = 0;
161
 
162
+lookup_value = NULL;				/* Can be set by ACL */
163
 sender_rate = sender_rate_limit = sender_rate_period = NULL;
164
 ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
165
                    /* Note that ratelimiters_conn persists across resets. */
166
 
167
 /* Reset message ACL variables */
(-)a/mail/exim/files/debian/75_09-Fix-non-WITH_CONTENT_SCAN-build.patch (-58 lines)
Removed Link Here
1
From d8ecc7bf97934a1e2244788c610c958cacd740bd Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Wed, 31 Aug 2022 17:03:37 +0100
4
Subject: [PATCH 1/3] Fix non-WITH_CONTENT_SCAN build.
5
6
Broken-by: 4e9ed49f8f
7
---
8
 src/exim.c  | 11 +++++++++++
9
 src/regex.c | 10 ----------
10
 2 files changed, 11 insertions(+), 10 deletions(-)
11
12
--- a/src/exim.c
13
+++ b/src/exim.c
14
@@ -1677,10 +1677,21 @@
15
   if ((s = expand_string(big_buffer))) printf("%s\n", CS s);
16
   else printf("Failed: %s\n", expand_string_message);
17
 }
18
 
19
 
20
+/* reset regex expansion variables */
21
+void
22
+regex_vars_clear(void)
23
+{
24
+regex_match_string = NULL;
25
+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
26
+}
27
+
28
+
29
+
30
+
31
 
32
 /*************************************************
33
 *          Entry point and high-level code       *
34
 *************************************************/
35
 
36
--- a/src/regex.c
37
+++ b/src/regex.c
38
@@ -95,20 +95,10 @@
39
 pcre2_match_data_free(md);
40
 return FAIL;
41
 }
42
 
43
 
44
-/* reset expansion variables */
45
-void
46
-regex_vars_clear(void)
47
-{
48
-regex_match_string = NULL;
49
-for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
50
-}
51
-
52
-
53
-
54
 int
55
 regex(const uschar ** listptr)
56
 {
57
 unsigned long mbox_size;
58
 FILE * mbox_file;
(-)a/mail/exim/files/debian/75_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch (-135 lines)
Removed Link Here
1
From 158dff9936e36a2d31d037d3988b9353458d6471 Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Wed, 31 Aug 2022 17:17:59 +0100
4
Subject: [PATCH 2/3] Fix non-WITH_CONTENT_SCAN build (2)
5
6
Broken-by: d8ecc7bf97
7
---
8
 src/exim.c      | 13 +------------
9
 src/functions.h |  2 +-
10
 src/globals.h   |  2 +-
11
 src/regex.c     | 10 ++++++++++
12
 src/smtp_in.c   |  2 ++
13
 5 files changed, 15 insertions(+), 14 deletions(-)
14
15
--- a/src/exim.c
16
+++ b/src/exim.c
17
@@ -1677,21 +1677,10 @@
18
   if ((s = expand_string(big_buffer))) printf("%s\n", CS s);
19
   else printf("Failed: %s\n", expand_string_message);
20
 }
21
 
22
 
23
-/* reset regex expansion variables */
24
-void
25
-regex_vars_clear(void)
26
-{
27
-regex_match_string = NULL;
28
-for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
29
-}
30
-
31
-
32
-
33
-
34
 
35
 /*************************************************
36
 *          Entry point and high-level code       *
37
 *************************************************/
38
 
39
@@ -6085,17 +6074,17 @@
40
   deliver_domain_orig = NULL;
41
   deliver_host = deliver_host_address = NULL;
42
   dnslist_domain = dnslist_matched = NULL;
43
 #ifdef WITH_CONTENT_SCAN
44
   malware_name = NULL;
45
+  regex_vars_clear();
46
 #endif
47
   callout_address = NULL;
48
   sending_ip_address = NULL;
49
   deliver_localpart_data = deliver_domain_data =
50
   recipient_data = sender_data = NULL;
51
   acl_var_m = NULL;
52
-  regex_vars_clear();
53
 
54
   store_reset(reset_point);
55
   }
56
 
57
 exim_exit(EXIT_SUCCESS);   /* Never returns */
58
--- a/src/functions.h
59
+++ b/src/functions.h
60
@@ -432,15 +432,15 @@
61
 extern BOOL    receive_msg(BOOL);
62
 extern int_eximarith_t receive_statvfs(BOOL, int *);
63
 extern void    receive_swallow_smtp(void);
64
 #ifdef WITH_CONTENT_SCAN
65
 extern int     regex(const uschar **);
66
+extern void    regex_vars_clear(void);
67
 #endif
68
 extern BOOL    regex_match(const pcre2_code *, const uschar *, int, uschar **);
69
 extern BOOL    regex_match_and_setup(const pcre2_code *, const uschar *, int, int);
70
 extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL);
71
-extern void    regex_vars_clear(void);
72
 extern void    retry_add_item(address_item *, uschar *, int);
73
 extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
74
                  uschar **, uschar **);
75
 extern retry_config *retry_find_config(const uschar *, const uschar *, int, int);
76
 extern BOOL    retry_ultimate_address_timeout(uschar *, const uschar *,
77
--- a/src/globals.h
78
+++ b/src/globals.h
79
@@ -895,16 +895,16 @@
80
 #ifndef DISABLE_PIPE_CONNECT
81
 extern const pcre2_code  *regex_EARLY_PIPE;  /* For recognizing PIPE_CONNCT */
82
 #endif
83
 extern const pcre2_code  *regex_ismsgid;     /* Compiled r.e. for message ID */
84
 extern const pcre2_code  *regex_smtp_code;   /* For recognizing SMTP codes */
85
-extern const uschar *regex_vars[];           /* $regexN variables */
86
 #ifdef WHITELIST_D_MACROS
87
 extern const pcre2_code  *regex_whitelisted_macro; /* For -D macro values */
88
 #endif
89
 #ifdef WITH_CONTENT_SCAN
90
 extern uschar *regex_match_string;     /* regex that matched a line (regex ACL condition) */
91
+extern const uschar *regex_vars[];
92
 #endif
93
 extern int     remote_delivery_count;  /* Number of remote addresses */
94
 extern int     remote_max_parallel;    /* Maximum parallel delivery */
95
 extern uschar *remote_sort_domains;    /* Remote domain sorting order */
96
 extern retry_config *retries;          /* Chain of retry config information */
97
--- a/src/regex.c
98
+++ b/src/regex.c
99
@@ -95,10 +95,20 @@
100
 pcre2_match_data_free(md);
101
 return FAIL;
102
 }
103
 
104
 
105
+/* reset expansion variables */
106
+void
107
+regex_vars_clear(void)
108
+{
109
+regex_match_string = NULL;
110
+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
111
+}
112
+
113
+
114
+
115
 int
116
 regex(const uschar ** listptr)
117
 {
118
 unsigned long mbox_size;
119
 FILE * mbox_file;
120
--- a/src/smtp_in.c
121
+++ b/src/smtp_in.c
122
@@ -2155,11 +2155,13 @@
123
 prdr_requested = FALSE;
124
 #endif
125
 #ifdef SUPPORT_I18N
126
 message_smtputf8 = FALSE;
127
 #endif
128
+#ifdef WITH_CONTENT_SCAN
129
 regex_vars_clear();
130
+#endif
131
 body_linecount = body_zerocount = 0;
132
 
133
 lookup_value = NULL;				/* Can be set by ACL */
134
 sender_rate = sender_rate_limit = sender_rate_period = NULL;
135
 ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
(-)a/mail/exim/files/debian/75_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch (-45 lines)
Removed Link Here
1
From 32da6327e434e986a18b75a84f2d8c687ba14619 Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Thu, 1 Sep 2022 15:54:35 +0100
4
Subject: [PATCH 3/3] Fix non-WITH_CONTENT_SCAN build (3)
5
6
Broken-by: d8ecc7bf97
7
---
8
 src/expand.c | 4 ++++
9
 1 file changed, 4 insertions(+)
10
11
diff --git a/src/expand.c b/src/expand.c
12
index 89de56255..831ca2b75 100644
13
--- a/src/expand.c
14
+++ b/src/expand.c
15
@@ -1869,6 +1869,7 @@ if (Ustrncmp(name, "auth", 4) == 0)
16
   if (!*endptr && n != 0 && n <= AUTH_VARS)
17
     return auth_vars[n-1] ? auth_vars[n-1] : US"";
18
   }
19
+#ifdef WITH_CONTENT_SCAN
20
 else if (Ustrncmp(name, "regex", 5) == 0)
21
   {
22
   uschar *endptr;
23
@@ -1876,6 +1877,7 @@ else if (Ustrncmp(name, "regex", 5) == 0)
24
   if (!*endptr && n != 0 && n <= REGEX_VARS)
25
     return regex_vars[n-1] ? regex_vars[n-1] : US"";
26
   }
27
+#endif
28
 
29
 /* For all other variables, search the table */
30
 
31
@@ -8715,9 +8717,11 @@ assert_variable_notin() treats as const, so deconst is safe. */
32
 for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
33
   assert_variable_notin(US"auth<n>", US auth_vars[i], &e);
34
 
35
+#ifdef WITH_CONTENT_SCAN
36
 /* check regex<n> variables. assert_variable_notin() treats as const. */
37
 for (int i = 0; i < REGEX_VARS; i++) if (regex_vars[i])
38
   assert_variable_notin(US"regex<n>", US regex_vars[i], &e);
39
+#endif
40
 
41
 /* check known-name variables */
42
 for (var_entry * v = var_table; v < var_table + var_table_size; v++)
43
-- 
44
2.35.1
45
(-)a/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch (-96 lines)
Removed Link Here
1
From ece23f05d6a430a461a75639197271c23f6858ec Mon Sep 17 00:00:00 2001
2
From: Jasen Betts <jasen@xnet.co.nz>
3
Date: Fri, 30 Sep 2022 13:49:41 +0100
4
Subject: [PATCH] GnuTLS: fix for clients offering no TLS extensions
5
6
---
7
 src/tls-gnu.c                  |  3 ++-
8
 src/tls-openssl.c              | 39 +++++++++++++++---------------
9
 test/confs/2091                    |  1 +
10
 test/log/2091                      |  3 +++
11
 test/scripts/2090-GnuTLS-ALPN/2091 | 19 +++++++++++++++
12
 test/stdout/2091                   | 21 ++++++++++++++++
13
 7 files changed, 68 insertions(+), 21 deletions(-)
14
 create mode 120000 test/confs/2091
15
 create mode 100644 test/log/2091
16
 create mode 100644 test/scripts/2090-GnuTLS-ALPN/2091
17
 create mode 100644 test/stdout/2091
18
19
--- a/src/tls-gnu.c
20
+++ b/src/tls-gnu.c
21
@@ -1130,12 +1130,13 @@
22
 static int
23
 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
24
   unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
25
 {
26
 /* Call fn for each extension seen.  3.6.3 onwards */
27
-return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
28
+int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
29
 			   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
30
+return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc;
31
 }
32
 
33
 
34
 # ifdef notdef_crashes
35
 /* Make a note that we saw a status-response */
36
--- a/src/tls-openssl.c
37
+++ b/src/tls-openssl.c
38
@@ -940,40 +940,39 @@
39
 
40
 Returns:    nothing
41
 */
42
 
43
 static void
44
-info_callback(SSL *s, int where, int ret)
45
+info_callback(SSL * s, int where, int ret)
46
 {
47
 DEBUG(D_tls)
48
   {
49
-  const uschar * str;
50
+  gstring * g = NULL;
51
 
52
-  if (where & SSL_ST_CONNECT)
53
-     str = US"SSL_connect";
54
-  else if (where & SSL_ST_ACCEPT)
55
-     str = US"SSL_accept";
56
-  else
57
-     str = US"SSL info (undefined)";
58
+  if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect");
59
+  if (where & SSL_ST_ACCEPT)  g = string_append_listele(g, ',', US"SSL_accept");
60
+  if (where & SSL_CB_LOOP)    g = string_append_listele(g, ',', US"state_chg");
61
+  if (where & SSL_CB_EXIT)    g = string_append_listele(g, ',', US"hshake_exit");
62
+  if (where & SSL_CB_READ)    g = string_append_listele(g, ',', US"read");
63
+  if (where & SSL_CB_WRITE)   g = string_append_listele(g, ',', US"write");
64
+  if (where & SSL_CB_ALERT)   g = string_append_listele(g, ',', US"alert");
65
+  if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start");
66
+  if (where & SSL_CB_HANDSHAKE_DONE)  g = string_append_listele(g, ',', US"hshake_done");
67
 
68
   if (where & SSL_CB_LOOP)
69
-     debug_printf("%s: %s\n", str, SSL_state_string_long(s));
70
+     debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
71
   else if (where & SSL_CB_ALERT)
72
-    debug_printf("SSL3 alert %s:%s:%s\n",
73
-	  str = where & SSL_CB_READ ? US"read" : US"write",
74
+    debug_printf("SSL %s %s:%s\n", g->s,
75
 	  SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
76
   else if (where & SSL_CB_EXIT)
77
     {
78
-    if (ret == 0)
79
-      debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
80
-    else if (ret < 0)
81
-      debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
82
+    if (ret <= 0)
83
+      debug_printf("SSL %s: %s in %s\n", g->s,
84
+	ret == 0 ? "failed" : "error", SSL_state_string_long(s));
85
     }
86
-  else if (where & SSL_CB_HANDSHAKE_START)
87
-     debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
88
-  else if (where & SSL_CB_HANDSHAKE_DONE)
89
-     debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
90
+  else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE))
91
+     debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
92
   }
93
 }
94
 
95
 #ifdef OPENSSL_HAVE_KEYLOG_CB
96
 static void
(-)a/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch (-71 lines)
Removed Link Here
1
From 1561c5d88b3a23a4348d8e3c1ce28554fcbcfe46 Mon Sep 17 00:00:00 2001
2
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
3
Date: Sat, 15 Oct 2022 19:30:58 +0200
4
Subject: [PATCH 1/2] Fix: Build with libopendmarc 1.4.x (fixes 2728)
5
6
---
7
 src/EDITME            | 7 +++++--
8
 src/config.h.defaults | 1 +
9
 src/dmarc.c           | 7 ++++++-
10
 4 files changed, 15 insertions(+), 3 deletions(-)
11
12
--- a/src/EDITME
13
+++ b/src/EDITME
14
@@ -600,18 +600,21 @@
15
 
16
 # EXPERIMENTAL_DCC=yes
17
 
18
 # Uncomment the following line to add DMARC checking capability, implemented
19
 # using libopendmarc libraries. You must have SPF and DKIM support enabled also.
20
-# Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
21
-# 1.3.2-3 works.  I seems that the OpenDMARC project broke their API.
22
 # SUPPORT_DMARC=yes
23
 # CFLAGS += -I/usr/local/include
24
 # LDFLAGS += -lopendmarc
25
 # Uncomment the following if you need to change the default. You can
26
 # override it at runtime (main config option dmarc_tld_file)
27
 # DMARC_TLD_FILE=/etc/exim/opendmarc.tlds
28
+#
29
+# Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
30
+# 1.3.2-3 works.  It seems that the OpenDMARC project broke their API.
31
+# Use this option if you need to build with an old library (1.3.x)
32
+# DMARC_API=100300
33
 
34
 # Uncomment the following line to add ARC (Authenticated Received Chain)
35
 # support.  You must have SPF and DKIM support enabled also.
36
 # EXPERIMENTAL_ARC=yes
37
 
38
--- a/src/config.h.defaults
39
+++ b/src/config.h.defaults
40
@@ -148,10 +148,11 @@
41
 #define STRING_SPRINTF_BUFFER_SIZE (8192 * 4)
42
 
43
 #define SUPPORT_CRYPTEQ
44
 #define SUPPORT_DANE
45
 #define SUPPORT_DMARC
46
+#define DMARC_API 100400
47
 #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
48
 #define SUPPORT_I18N
49
 #define SUPPORT_I18N_2008
50
 #define SUPPORT_MAILDIR
51
 #define SUPPORT_MAILSTORE
52
--- a/src/dmarc.c
53
+++ b/src/dmarc.c
54
@@ -457,11 +457,16 @@
55
     dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS :
56
 		  vs == PDKIM_VERIFY_FAIL ? DMARC_POLICY_DKIM_OUTCOME_FAIL :
57
 		  vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
58
 		  DMARC_POLICY_DKIM_OUTCOME_NONE;
59
     libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
60
-					       dkim_result, US"");
61
+/* The opendmarc project broke its API in a way we can't detect * easily.
62
+ * The EDITME provides a DMARC_API variable */
63
+#if DMARC_API >= 100400
64
+                                               sig->selector,
65
+#endif
66
+                                               dkim_result, US"");
67
     DEBUG(D_receive)
68
       debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
69
     if (libdm_status != DMARC_PARSE_OKAY)
70
       log_write(0, LOG_MAIN|LOG_PANIC,
71
 		"failure to store dkim (%s) for DMARC: %s",
(-)a/mail/exim/files/debian/75_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch (-39 lines)
Removed Link Here
1
From 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445 Mon Sep 17 00:00:00 2001
2
From: Lorenz Brun <lorenz@brun.one>
3
Date: Fri, 14 Oct 2022 21:02:51 +0200
4
Subject: [PATCH 2/2] DMARC: fix use-after-free in dmarc_dns_lookup
5
6
This fixes a use-after-free in dmarc_dns_lookup where the result
7
of dns_lookup in dnsa is freed before the required data is copied out.
8
9
Fixes: 9258363 ("DNS: explicit alloc/free of workspace")
10
---
11
 src/dmarc.c | 3 ++-
12
 1 file changed, 2 insertions(+), 1 deletion(-)
13
14
diff --git a/src/dmarc.c b/src/dmarc.c
15
index ad0c26c91..53c2752ac 100644
16
--- a/src/dmarc.c
17
+++ b/src/dmarc.c
18
@@ -226,16 +226,17 @@ dns_scan dnss;
19
 int rc = dns_lookup(dnsa, string_sprintf("_dmarc.%s", dom), T_TXT, NULL);
20
 
21
 if (rc == DNS_SUCCEED)
22
   for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
23
        rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
24
     if (rr->type == T_TXT && rr->size > 3)
25
       {
26
+      uschar *record = string_copyn_taint(US rr->data, rr->size, GET_TAINTED);
27
       store_free_dns_answer(dnsa);
28
-      return string_copyn_taint(US rr->data, rr->size, GET_TAINTED);
29
+      return record;
30
       }
31
 store_free_dns_answer(dnsa);
32
 return NULL;
33
 }
34
 
35
 
36
 static int
37
-- 
38
2.35.1
39
(-)a/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch (-50 lines)
Removed Link Here
1
From 221321d2c51b83d1feced80ecd6c2fe33ec5456c Mon Sep 17 00:00:00 2001
2
From: Jeremy Harris <jgh146exb@wizmail.org>
3
Date: Thu, 3 Nov 2022 20:08:25 +0000
4
Subject: [PATCH 1/2] Fix daemon startup.  Bug 2930
5
6
Broken-by: 7d5055276a
7
---
8
 src/daemon.c      | 8 ++++++--
9
 2 files changed, 10 insertions(+), 2 deletions(-)
10
11
--- a/src/daemon.c
12
+++ b/src/daemon.c
13
@@ -1744,19 +1744,23 @@
14
   {
15
   /* If the parent process of this one has pid == 1, we are re-initializing the
16
   daemon as the result of a SIGHUP. In this case, there is no need to do
17
   anything, because the controlling terminal has long gone. Otherwise, fork, in
18
   case current process is a process group leader (see 'man setsid' for an
19
-  explanation) before calling setsid(). */
20
+  explanation) before calling setsid().
21
+  All other forks want daemon_listen cleared. Rather than blow a register, jsut
22
+  restore it here. */
23
 
24
   if (getppid() != 1)
25
     {
26
+    BOOL daemon_listen = f.daemon_listen;
27
     pid_t pid = exim_fork(US"daemon");
28
     if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
29
       "fork() failed when starting daemon: %s", strerror(errno));
30
     if (pid > 0) exit(EXIT_SUCCESS);      /* in parent process, just exit */
31
     (void)setsid();                       /* release controlling terminal */
32
+    f.daemon_listen = daemon_listen;
33
     }
34
   }
35
 
36
 /* We are now in the disconnected, daemon process (unless debugging). Set up
37
 the listening sockets if required. */
38
@@ -2090,11 +2094,11 @@
39
 	      {				/* found; append port to list */
40
 	      for (p = i2->log; *p; ) p++;	/* end of existing string */
41
 	      if (*--p == '}') *p = '\0';	/* drop EOL */
42
 	      while (isdigit(*--p)) ;		/* char before port */
43
 
44
-	      i2->log = *p == ':'		/* no list yet? */
45
+	      i2->log = *p == ':'		/* no list yet?     { */
46
 		? string_sprintf("%.*s{%s,%d}",
47
 		  (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
48
 		: string_sprintf("%s,%d}", i2->log, ipa->port);
49
 	      ipa->log = NULL;
50
 	      break;
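--- a/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 6b331d5834d12bdda21857cd6fffac17038ce3c7 Mon Sep 17 00:00:00 2001
-From: Ruben Jenster <r.jenster@drachenfels.de>
-Date: Thu, 3 Nov 2022 21:38:15 +0000
-Subject: [PATCH 2/2] Fix $reccipients after ${run...}.  Bug 2929
-
-Broken-by: cfe6acff2d
----
- src/transport.c   | 3 ++-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
---- a/src/transport.c
-+++ b/src/transport.c
-@@ -2342,13 +2342,14 @@
-    /* Handle normal expansion string */
- 
-    else
-      {
-      const uschar *expanded_arg;
-+      BOOL enable_dollar_recipients_g = f.enable_dollar_recipients;
-     f.enable_dollar_recipients = allow_dollar_recipients;
-     expanded_arg = expand_cstring(argv[i]);
--      f.enable_dollar_recipients = FALSE;
-+      f.enable_dollar_recipients = enable_dollar_recipients_g;
- 
-     if (!expanded_arg)
-       {
-       uschar *msg = string_sprintf("Expansion of \"%s\" "
-         "from command \"%s\" in %s failed: %s",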
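--- a/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From e63825824cc406c160ccbf2b154c5d81b168604a Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Fri, 11 Nov 2022 00:05:59 +0000
-Subject: [PATCH 1/2] Fix regext substring capture variables for null matches. 
- Bug 2933
-
-broken-by: 59d66fdc13f0
----
- src/exim.c        | 2 ++
- src/malware.c     | 3 +++
- src/regex.c       | 2 +-
- 4 files changed, 11 insertions(+), 1 deletion(-)
-
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -167,10 +167,12 @@
-   for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++)
-     {
-     PCRE2_SIZE len;
-     pcre2_substring_get_bynumber(md, matchnum,
-       (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len);
-+    if (!expand_nstring[expand_nmax])
-+      { expand_nstring[expand_nmax] = US""; len = 0; }
-     expand_nlength[expand_nmax++] = (int)len;
-     }
-   expand_nmax--;
-   }
- else if (res != PCRE2_ERROR_NOMATCH) DEBUG(D_any)
---- a/src/malware.c
-+++ b/src/malware.c
-@@ -323,11 +323,14 @@
- int i = pcre2_match(cre, text, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx);
- PCRE2_UCHAR * substr = NULL;
- PCRE2_SIZE slen;
- 
- if (i >= 2)				/* Got it */
-+  {
-   pcre2_substring_get_bynumber(md, 1, &substr, &slen);
-+  if (!substr) substr = US"";
-+  }
- return US substr;
- }
- 
- static const pcre2_code *
- m_pcre_nextinlist(const uschar ** list, int * sep,
---- a/src/regex.c
-+++ b/src/regex.c
-@@ -84,11 +84,11 @@
-     for (int nn = 1; nn < n; nn++)
-       {
-       PCRE2_UCHAR * cstr;
-       PCRE2_SIZE cslen;
-       pcre2_substring_get_bynumber(md, nn, &cstr, &cslen);
--      regex_vars[nn-1] = CUS cstr;
-+      regex_vars[nn-1] = cstr ? CUS cstr : CUS"";
-       }
- 
-     return OK;
-     }
-   }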
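--- a/mail/exim/files/debian/75_32-Fix-regex-substring-capture-variables-for-null-match.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 7ad1a2b2cc57b5f4bcb59186a9a8abcbed9f4f76 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Fri, 11 Nov 2022 18:22:00 +0000
-Subject: [PATCH 2/2] Fix regex substring capture variables for null matches
- (again).  Bug 2933
-
-Broken-by: 59d66fdc13f0
----
- src/exim.c               | 11 +++++------
- src/malware.c            | 10 +++++-----
- src/regex.c              |  8 ++++----
- test/aux-var-src/0383.F      |  4 ++--
- test/log/0383                |  4 ++--
- test/mail/0383.CALLER        |  8 ++++----
- test/scripts/0000-Basic/0002 |  2 ++
- test/stdout/0002             |  2 ++
- 8 files changed, 26 insertions(+), 23 deletions(-)
-
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -160,20 +160,19 @@
- 			PCRE_EOPT | options, md, pcre_mtc_ctx);
- BOOL yield;
- 
- if ((yield = (res >= 0)))
-   {
-+  PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
-   res = pcre2_get_ovector_count(md);
-   expand_nmax = setup < 0 ? 0 : setup + 1;
-   for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++)
-     {
--    PCRE2_SIZE len;
--    pcre2_substring_get_bynumber(md, matchnum,
--      (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len);
--    if (!expand_nstring[expand_nmax])
--      { expand_nstring[expand_nmax] = US""; len = 0; }
--    expand_nlength[expand_nmax++] = (int)len;
-+    int off = matchnum * 2;
-+    int len = ovec[off + 1] - ovec[off];
-+    expand_nstring[expand_nmax] = string_copyn(subject + ovec[off], len);
-+    expand_nlength[expand_nmax++] = len;
-     }
-   expand_nmax--;
-   }
- else if (res != PCRE2_ERROR_NOMATCH) DEBUG(D_any)
-   {
---- a/src/malware.c
-+++ b/src/malware.c
-@@ -319,19 +319,19 @@
- uschar *
- m_pcre_exec(const pcre2_code * cre, uschar * text)
- {
- pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
- int i = pcre2_match(cre, text, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx);
--PCRE2_UCHAR * substr = NULL;
--PCRE2_SIZE slen;
-+uschar * substr = NULL;
- 
- if (i >= 2)				/* Got it */
-   {
--  pcre2_substring_get_bynumber(md, 1, &substr, &slen);
--  if (!substr) substr = US"";
-+  PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
-+  int len = ovec[3] - ovec[2];
-+  substr = string_copyn(text + ovec[2], len);
-   }
--return US substr;
-+return substr;
- }
- 
- static const pcre2_code *
- m_pcre_nextinlist(const uschar ** list, int * sep,
-  char * listerr, uschar ** errstr)
---- a/src/regex.c
-+++ b/src/regex.c
-@@ -81,14 +81,14 @@
- 	      sizeof(regex_match_string_buffer)-1);
-     regex_match_string = regex_match_string_buffer;
- 
-     for (int nn = 1; nn < n; nn++)
-       {
--      PCRE2_UCHAR * cstr;
--      PCRE2_SIZE cslen;
--      pcre2_substring_get_bynumber(md, nn, &cstr, &cslen);
--      regex_vars[nn-1] = cstr ? CUS cstr : CUS"";
-+      PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
-+      int off = nn * 2;
-+      int len = ovec[off + 1] - ovec[off];
-+      regex_vars[nn-1] = string_copyn(linebuffer + ovec[off], len);
-       }
- 
-     return OK;
-     }
-   }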
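--- a/mail/exim/files/debian/75_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 9ba47886c71d40edc99b026a99edee269d9c9c6f Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Sat, 12 Nov 2022 12:38:22 +0000
-Subject: [PATCH] Fix regex substring capture - commentary.  Bug 2933
-
-Broken-by (corrected): 22ed7a5295f1
----
- src/exim.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/exim.c b/src/exim.c
-index 16c0184e0..625494ce4 100644
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -102,11 +102,13 @@ pcre_gen_mtc_ctx = pcre2_match_context_create(pcre_gen_ctx);
- *   Execute regular expression and set strings   *
- *************************************************/
- 
- /* This function runs a regular expression match, and sets up the pointers to
- the matched substrings.  The matched strings are copied so the lifetime of
--the subject is not a problem.
-+the subject is not a problem.  Matched strings will have the same taint status
-+as the subject string (this is not a de-taint method, and must not be made so
-+given the support for wildcards in REs).
- 
- Arguments:
-   re          the compiled expression
-   subject     the subject string
-   options     additional PCRE options
-@@ -130,10 +132,15 @@ if ((yield = (res >= 0)))
-   PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
-   res = pcre2_get_ovector_count(md);
-   expand_nmax = setup < 0 ? 0 : setup + 1;
-   for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++)
-     {
-+    /* Although PCRE2 has a pcre2_substring_get_bynumber() conveneience, it
-+    seems to return a bad pointer when a capture group had no data, eg. (.*)
-+    matching zero letters.  So use the underlying ovec and hope (!) that the
-+    offsets are sane (including that case).  Should we go further and range-
-+    check each one vs. the subject string length? */
-     int off = matchnum * 2;
-     int len = ovec[off + 1] - ovec[off];
-     expand_nstring[expand_nmax] = string_copyn(subject + ovec[off], len);
-     expand_nlength[expand_nmax++] = len;
-     }
--- 
-2.35.1
-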
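--- a/mail/exim/files/debian/75_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From 7f65a63b60c6ea86db683ac00e221939f3bb1d47 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Tue, 25 Oct 2022 21:26:30 +0100
-Subject: [PATCH 1/2] OpenSSL: when preloading creds do the server certs before
- the OCSP proofs so that the latter can ve verified before loading
-
----
- src/tls-openssl.c | 113 ++++++++++++++++++++++--------------
- 1 file changed, 58 insertions(+), 55 deletions(-)
-
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index 68ad6f15b..fdf0d92b2 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -441,14 +441,16 @@ exim_openssl_state_st state_server = {.is_server = TRUE};
- static int
- setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
-     uschar ** errstr );
- 
- /* Callbacks */
- #ifndef DISABLE_OCSP
- static int tls_server_stapling_cb(SSL *s, void *arg);
-+static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk);
-+static void x509_store_dump_cert_s_names(X509_STORE * store);
- #endif
- 
- 
- 
- /* Daemon-called, before every connection, key create/rotate */
- #ifndef DISABLE_TLS_RESUME
- static void tk_init(void);
-@@ -1307,15 +1309,14 @@ ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
- {
- BIO * bio;
- OCSP_RESPONSE * resp;
- OCSP_BASICRESP * basic_response;
- OCSP_SINGLERESP * single_response;
- ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
- STACK_OF(X509) * sk;
--unsigned long verify_flags;
- int status, reason, i;
- 
- DEBUG(D_tls)
-   debug_printf("tls_ocsp_file (%s)  '%s'\n", is_pem ? "PEM" : "DER", filename);
- 
- if (!filename || !*filename) return;
- 
-@@ -1372,28 +1373,28 @@ if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
- if (!(basic_response = OCSP_response_get1_basic(resp)))
-   {
-   DEBUG(D_tls)
-     debug_printf("OCSP response parse error: unable to extract basic response.\n");
-   goto bad;
-   }
- 
--sk = state->verify_stack;
--verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
-+sk = state->verify_stack;	/* set by setup_certs() / chain_from_pem_file() */
- 
- /* May need to expose ability to adjust those flags?
- OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
- OCSP_TRUSTOTHER OCSP_NOINTERN */
- 
--/* This does a full verify on the OCSP proof before we load it for serving
--up; possibly overkill - just date-checks might be nice enough.
-+/* This does a partial verify (only the signer link, not the whole chain-to-CA)
-+on the OCSP proof before we load it for serving up; possibly overkill -
-+just date-checks might be nice enough.
- 
- OCSP_basic_verify takes a "store" arg, but does not
--use it for the chain verification, which is all we do
--when OCSP_NOVERIFY is set.  The content from the wire
--"basic_response" and a cert-stack "sk" are all that is used.
-+use it for the chain verification, when OCSP_NOVERIFY is set.
-+The content from the wire "basic_response" and a cert-stack "sk" are all
-+that is used.
- 
- We have a stack, loaded in setup_certs() if tls_verify_certificates
- was a file (not a directory, or "system").  It is unfortunate we
- cannot used the connection context store, as that would neatly
- handle the "system" case too, but there seems to be no library
- function for getting a stack from a store.
- [ In OpenSSL 1.1 - ?  X509_STORE_CTX_get0_chain(ctx) ? ]
-@@ -1402,15 +1403,15 @@ SNI handling.
- 
- Separately we might try to replace using OCSP_basic_verify() - which seems to not
- be a public interface into the OpenSSL library (there's no manual entry) -
- But what with?  We also use OCSP_basic_verify in the client stapling callback.
- And there we NEED it; we must verify that status... unless the
- library does it for us anyway?  */
- 
--if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
-+if ((i = OCSP_basic_verify(basic_response, sk, NULL, OCSP_NOVERIFY)) < 0)
-   {
-   DEBUG(D_tls)
-     {
-     ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
-     debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
-     }
-   goto bad;
-@@ -1747,61 +1748,18 @@ if (opt_unset_or_noexpand(tls_eccurve))
-   if (init_ecdh(ctx, &dummy_errstr))
-     state_server.lib_state.ecdh = TRUE;
-   }
- else
-   DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");
- 
- #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
--/* If we can, preload the server-side cert, key and ocsp */
--
--if (  opt_set_and_noexpand(tls_certificate)
--# ifndef DISABLE_OCSP
--   && opt_unset_or_noexpand(tls_ocsp_file)
--#endif
--   && opt_unset_or_noexpand(tls_privatekey))
--  {
--  /* Set watches on the filenames.  The implementation does de-duplication
--  so we can just blindly do them all.  */
--
--  if (  tls_set_watch(tls_certificate, TRUE)
--# ifndef DISABLE_OCSP
--     && tls_set_watch(tls_ocsp_file, TRUE)
--#endif
--     && tls_set_watch(tls_privatekey, TRUE))
--    {
--    state_server.certificate = tls_certificate;
--    state_server.privatekey = tls_privatekey;
--#ifndef DISABLE_OCSP
--    state_server.u_ocsp.server.file = tls_ocsp_file;
--#endif
--
--    DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
--    if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
--      state_server.lib_state.conn_certs = TRUE;
--    }
--  }
--else if (  !tls_certificate && !tls_privatekey
--# ifndef DISABLE_OCSP
--	&& !tls_ocsp_file
--#endif
--   )
--  {		/* Generate & preload a selfsigned cert. No files to watch. */
--  if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
--    {
--    state_server.lib_state.conn_certs = TRUE;
--    lifetime = f.running_in_test_harness ? 2 : 60 * 60;		/* 1 hour */
--    }
--  }
--else
--  DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
--
--
- /* If we can, preload the Authorities for checking client certs against.
- Actual choice to do verify is made (tls_{,try_}verify_hosts)
--at TLS conn startup */
-+at TLS conn startup.
-+Do this before the server ocsp so that its info can verify the ocsp. */
- 
- if (  opt_set_and_noexpand(tls_verify_certificates)
-    && opt_unset_or_noexpand(tls_crl))
-   {
-   /* Watch the default dir also as they are always included */
- 
-   if (  tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
-@@ -1809,18 +1767,63 @@ if (  opt_set_and_noexpand(tls_verify_certificates)
-      && tls_set_watch(tls_crl, FALSE))
-     {
-     DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
- 
-     if (setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, &dummy_errstr)
- 	== OK)
-       state_server.lib_state.cabundle = TRUE;
--    }
-+
-+    /* If we can, preload the server-side cert, key and ocsp */
-+
-+    if (  opt_set_and_noexpand(tls_certificate)
-+# ifndef DISABLE_OCSP
-+       && opt_unset_or_noexpand(tls_ocsp_file)
-+# endif
-+       && opt_unset_or_noexpand(tls_privatekey))
-+      {
-+      /* Set watches on the filenames.  The implementation does de-duplication
-+      so we can just blindly do them all.  */
-+
-+      if (  tls_set_watch(tls_certificate, TRUE)
-+# ifndef DISABLE_OCSP
-+	 && tls_set_watch(tls_ocsp_file, TRUE)
-+# endif
-+	 && tls_set_watch(tls_privatekey, TRUE))
-+	{
-+	state_server.certificate = tls_certificate;
-+	state_server.privatekey = tls_privatekey;
-+#ifndef DISABLE_OCSP
-+	state_server.u_ocsp.server.file = tls_ocsp_file;
-+# endif
-+
-+	DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
-+	if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
-+	  state_server.lib_state.conn_certs = TRUE;
-+	}
-+      }
-+    else if (  !tls_certificate && !tls_privatekey
-+# ifndef DISABLE_OCSP
-+	    && !tls_ocsp_file
-+# endif
-+       )
-+      {		/* Generate & preload a selfsigned cert. No files to watch. */
-+      if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
-+	{
-+	state_server.lib_state.conn_certs = TRUE;
-+	lifetime = f.running_in_test_harness ? 2 : 60 * 60;		/* 1 hour */
-+	}
-+      }
-+    else
-+      DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
-+	}
-   }
- else
-   DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
-+
-+
- #endif	/* EXIM_HAVE_INOTIFY */
- 
- 
- /* If we can, preload the ciphers control string */
- 
- if (opt_set_and_noexpand(tls_require_ciphers))
-   {
--- 
-2.35.1
-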
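--- a/mail/exim/files/debian/75_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From 62b97c2ecf148ee86053d82e5509e4c3a5a20054 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Sat, 29 Oct 2022 22:33:43 +0100
-Subject: [PATCH 2/2] OpenSSL: fix double-expansion of tls_verify_certificates
-
----
- src/tls-openssl.c | 66 +++++++++++++++++++++----------------------
- 1 file changed, 33 insertions(+), 33 deletions(-)
-
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index fdf0d92b2..2e09882d2 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -435,15 +435,15 @@ typedef struct exim_openssl_state {
- /* should figure out a cleanup of API to handle state preserved per
- implementation, for various reasons, which can be void * in the APIs.
- For now, we hack around it. */
- exim_openssl_state_st *client_static_state = NULL;	/*XXX should not use static; multiple concurrent clients! */
- exim_openssl_state_st state_server = {.is_server = TRUE};
- 
- static int
--setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
-+setup_certs(SSL_CTX * sctx, uschar ** certs, uschar * crl, host_item * host,
-     uschar ** errstr );
- 
- /* Callbacks */
- #ifndef DISABLE_OCSP
- static int tls_server_stapling_cb(SSL *s, void *arg);
- static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk);
- static void x509_store_dump_cert_s_names(X509_STORE * store);
-@@ -1762,18 +1762,18 @@ if (  opt_set_and_noexpand(tls_verify_certificates)
-   {
-   /* Watch the default dir also as they are always included */
- 
-   if (  tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
-      && tls_set_watch(tls_verify_certificates, FALSE)
-      && tls_set_watch(tls_crl, FALSE))
-     {
-+    uschar * v_certs = tls_verify_certificates;
-     DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
- 
--    if (setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, &dummy_errstr)
--	== OK)
-+    if (setup_certs(ctx, &v_certs, tls_crl, NULL, &dummy_errstr) == OK)
-       state_server.lib_state.cabundle = TRUE;
- 
-     /* If we can, preload the server-side cert, key and ocsp */
- 
-     if (  opt_set_and_noexpand(tls_certificate)
- # ifndef DISABLE_OCSP
-        && opt_unset_or_noexpand(tls_ocsp_file)
-@@ -1897,18 +1897,19 @@ if (  opt_set_and_noexpand(ob->tls_verify_certificates)
-   {
-   if (  !watch
-      ||    tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
-         && tls_set_watch(ob->tls_verify_certificates, FALSE)
- 	&& tls_set_watch(ob->tls_crl, FALSE)
-      )
-     {
-+    uschar * v_certs = ob->tls_verify_certificates;
-     DEBUG(D_tls)
-       debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
- 
--    if (setup_certs(ctx, ob->tls_verify_certificates,
-+    if (setup_certs(ctx, &v_certs,
- 	  ob->tls_crl, dummy_host, &dummy_errstr) == OK)
-       ob->tls_preload.cabundle = TRUE;
-     }
-   }
- else
-   DEBUG(D_tls)
-       debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
-@@ -2238,22 +2239,20 @@ if (state->u_ocsp.server.file)
-   {
-   SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
-   SSL_CTX_set_tlsext_status_arg(server_sni, state);
-   }
- #endif
- 
-   {
--  uschar * expcerts;
--  if (  !expand_check(tls_verify_certificates, US"tls_verify_certificates",
--		  &expcerts, &dummy_errstr)
--     || (rc = setup_certs(server_sni, expcerts, tls_crl, NULL,
-+  uschar * v_certs = tls_verify_certificates;
-+  if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL,
- 			&dummy_errstr)) != OK)
-     goto bad;
- 
--  if (expcerts && *expcerts)
-+  if (v_certs && *v_certs)
-     setup_cert_verify(server_sni, FALSE, verify_callback_server);
-   }
- 
- /* do this after setup_certs, because this can require the certs for verifying
- OCSP information. */
- if ((rc = tls_expand_session_files(server_sni, state, &dummy_errstr)) != OK)
-   goto bad;
-@@ -3017,32 +3016,33 @@ return TRUE;
- 
- 
- /* Called by both client and server startup; on the server possibly
- repeated after a Server Name Indication.
- 
- Arguments:
-   sctx          SSL_CTX* to initialise
--  certs         certs file, expanded
-+  certs         certs file, returned expanded
-   crl           CRL file or NULL
-   host          NULL in a server; the remote host in a client
-   errstr	error string pointer
- 
- Returns:        OK/DEFER/FAIL
- */
- 
- static int
--setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
-+setup_certs(SSL_CTX * sctx, uschar ** certsp, uschar * crl, host_item * host,
-     uschar ** errstr)
- {
--uschar *expcerts, *expcrl;
-+uschar * expcerts, * expcrl;
- 
--if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
-+if (!expand_check(*certsp, US"tls_verify_certificates", &expcerts, errstr))
-   return DEFER;
- DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
- 
-+*certsp = expcerts;
- if (expcerts && *expcerts)
-   {
-   /* Tell the library to use its compiled-in location for the system default
-   CA bundle. Then add the ones specified in the config, if any. */
- 
-   if (!SSL_CTX_set_default_verify_paths(sctx))
-     return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
-@@ -3330,28 +3330,28 @@ if (verify_check_host(&tls_verify_hosts) == OK)
-   server_verify_optional = FALSE;
- else if (verify_check_host(&tls_try_verify_hosts) == OK)
-   server_verify_optional = TRUE;
- else
-   goto skip_certs;
- 
-  {
--  uschar * expcerts;
--  if (!expand_check(tls_verify_certificates, US"tls_verify_certificates",
--		    &expcerts, errstr))
--    return DEFER;
--  DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
-+  uschar * v_certs = tls_verify_certificates;
- 
-   if (state_server.lib_state.cabundle)
--    { DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n"); }
-+    {
-+    DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n");
-+    setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
-+    }
-   else
--    if ((rc = setup_certs(ctx, expcerts, tls_crl, NULL, errstr)) != OK)
-+    {
-+    if ((rc = setup_certs(ctx, &v_certs, tls_crl, NULL, errstr)) != OK)
-       return rc;
--
--  if (expcerts && *expcerts)
--    setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
-+    if (v_certs && *v_certs)
-+      setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
-+    }
-  }
- skip_certs: ;
- 
- #ifndef DISABLE_TLS_RESUME
- # if OPENSSL_VERSION_NUMBER < 0x30000000L
- SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
- /* despite working, appears to always return failure, so ignoring */
-@@ -3606,28 +3606,28 @@ if (  (  (  !ob->tls_verify_hosts || !ob->tls_verify_hosts
-   client_verify_optional = FALSE;
- else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
-   client_verify_optional = TRUE;
- else
-   return OK;
- 
-  {
--  uschar * expcerts;
--  if (!expand_check(ob->tls_verify_certificates, US"tls_verify_certificates",
--		    &expcerts, errstr))
--    return DEFER;
--  DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
-+  uschar * v_certs = ob->tls_verify_certificates;
- 
-   if (state->lib_state.cabundle)
--    { DEBUG(D_tls) debug_printf("TLS: CA bundle was preloaded\n"); }
-+    {
-+    DEBUG(D_tls) debug_printf("TLS: CA bundle for tpt was preloaded\n");
-+    setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
-+    }
-   else
--    if ((rc = setup_certs(ctx, expcerts, ob->tls_crl, host, errstr)) != OK)
-+    {
-+    if ((rc = setup_certs(ctx, &v_certs, ob->tls_crl, host, errstr)) != OK)
-       return rc;
--
--  if (expcerts && *expcerts)
--    setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
-+    if (v_certs && *v_certs)
-+      setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
-+    }
-  }
- 
- if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
-   {
-   state->verify_cert_hostnames =
- #ifdef SUPPORT_I18N
-     string_domain_utf8_to_alabel(host->certname, NULL);
--- 
-2.35.1
-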
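--- a/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1ed24e36e279c922d3366f6c3144570cc5f54d7a Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 19 Dec 2022 21:09:17 +0000
-Subject: [PATCH] Fix logging of max-size log line
-
-Broken-by: d12746bc15d8
----
- src/log.c                |  7 ++++---
- test/confs/0633              | 21 ++++++++++++++++++++
- test/scripts/0000-Basic/0633 |  9 +++++++++
- test/stderr/0633             | 38 ++++++++++++++++++++++++++++++
- test/stdout/0633             | 15 ++++++++++++++
- 6 files changed, 92 insertions(+), 3 deletions(-)
- create mode 100644 test/confs/0633
- create mode 100644 test/scripts/0000-Basic/0633
- create mode 100644 test/stderr/0633
- create mode 100644 test/stdout/0633
-
---- a/src/log.c
-+++ b/src/log.c
-@@ -803,11 +803,11 @@ Returns:    nothing
- void
- log_write(unsigned int selector, int flags, const char *format, ...)
- {
- int paniclogfd;
- ssize_t written_len;
--gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
-+gstring gs = { .size = LOG_BUFFER_SIZE-2, .ptr = 0, .s = log_buffer };
- gstring * g;
- va_list ap;
- 
- /* If panic_recurseflag is set, we have failed to open the panic log. This is
- the ultimate disaster. First try to write the message to a debug file and/or
-@@ -949,15 +949,14 @@ DEBUG(D_any|D_v)
-     g->ptr = i;
-     g = string_cat(g, US"**** log string overflowed log buffer ****");
-     }
-   va_end(ap);
- 
--  g->size = LOG_BUFFER_SIZE;
-   g = string_catn(g, US"\n", 1);
-   debug_printf("%s", string_from_gstring(g));
- 
--  gs.size = LOG_BUFFER_SIZE-1;	/* Having used the buffer for debug output, */
-+  gs.size = LOG_BUFFER_SIZE-2;	/* Having used the buffer for debug output, */
-   gs.ptr = 0;			/* reset it for the real use. */
-   gs.s = log_buffer;
-   }
- /* If no log file is specified, we are in a mess. */
- 
-@@ -1035,10 +1034,12 @@ if (  flags & LOG_RECIPIENTS
-     if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
-     g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
-     }
-   }
- 
-+/* actual size, now we are placing the newline (and space for NUL) */
-+gs.size = LOG_BUFFER_SIZE;
- g = string_catn(g, US"\n", 1);
- string_from_gstring(g);
- 
- /* Handle loggable errors when running a utility, or when address testing.
- Write to log_stderr unless debugging (when it will already have been written),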
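--- a/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 1d38781da934809e6ce0b8c3718c4b3bccdfe1d2 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 28 Dec 2022 19:39:06 +0000
-Subject: [PATCH] Fix recursion on dns_again_means_nonexist. Bug 2911
-
----
- src/dns.c                | 12 ++++++++
- test/confs/2202              | 18 +++++++++--
- test/scripts/2200-dnsdb/2202 |  8 +++++
- test/stderr/2202             | 58 +++++++++++++++++++++++++++++++++++-
- test/stdout/2202             |  8 +++++
- 6 files changed, 108 insertions(+), 4 deletions(-)
-
---- a/src/dns.c
-+++ b/src/dns.c
-@@ -799,10 +799,11 @@ int
- dns_basic_lookup(dns_answer * dnsa, const uschar * name, int type)
- {
- int rc;
- #ifndef STAND_ALONE
- const uschar * save_domain;
-+static BOOL try_again_recursion = FALSE;
- #endif
- 
- /* DNS lookup failures of any kind are cached in a tree. This is mainly so that
- a timeout on one domain doesn't happen time and time again for messages that
- have many addresses in the same domain. We rely on the resolver and name server
-@@ -903,15 +904,26 @@ if (dnsa->answerlen < 0) switch (h_errno
-     DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
-       name, dns_text_type(type));
- 
-     /* Cut this out for various test programs */
- #ifndef STAND_ALONE
-+    if (try_again_recursion)
-+      {
-+      log_write(0, LOG_MAIN|LOG_PANIC,
-+	"dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
-+	name);
-+      return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
-+      }
-+
-+    try_again_recursion = TRUE;
-     save_domain = deliver_domain;
-     deliver_domain = string_copy(name);  /* set $domain */
-     rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
-       &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
-     deliver_domain = save_domain;
-+    try_again_recursion = FALSE;
-+
-     if (rc != OK)
-       {
-       DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
-       return dns_fail_return(name, type, 0, DNS_AGAIN);
-       }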
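--- a/mail/exim/files/debian/75_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 57d70161718e02927a22d6a3481803b72035ac46 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Sat, 31 Dec 2022 13:37:17 +0000
-Subject: [PATCH] Close server smtp socket explicitly on connect ACL "drop"
-
----
- src/smtp_in.c            | 13 ++++++++
- test/confs/0022              |  2 ++
- test/log/0022                |  2 ++
- test/rejectlog/0022          |  3 ++
- test/scripts/0000-Basic/0022 | 13 ++++++++
- test/stderr/0022             | 60 ++++++++++++++++++------------------
- test/stdout/0022             |  6 ++++
- 7 files changed, 69 insertions(+), 30 deletions(-)
- create mode 100644 test/rejectlog/0022
-
-diff --git a/src/smtp_in.c b/src/smtp_in.c
-index 1cfcc0404..6880e3c09 100644
---- a/src/smtp_in.c
-+++ b/src/smtp_in.c
-@@ -3563,10 +3563,23 @@ log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
- /* Run the not-quit ACL, but without any custom messages. This should not be a
- problem, because we get here only if some other ACL has issued "drop", and
- in that case, *its* custom messages will have been used above. */
- 
- smtp_notquit_exit(US"acl-drop", NULL, NULL);
-+
-+/* An overenthusiastic fail2ban/iptables implimentation has been seen to result
-+in the TCP conn staying open, and retrying, despite this process exiting. A
-+malicious client could possibly do the same, tying up server netowrking
-+resources. Close the socket explicitly to try to avoid that (there's a note in
-+the Linux socket(7) manpage, SO_LINGER para, to the effect that exim() without
-+close() results in the socket always lingering). */
-+
-+(void) poll_one_fd(fileno(smtp_in), POLLIN, 200);
-+DEBUG(D_any) debug_printf_indent("SMTP(close)>>\n");
-+(void) fclose(smtp_in);
-+(void) fclose(smtp_out);
-+
- return 2;
- }
- 
- 
- 
-diff --git a/test/rejectlog/0022 b/test/rejectlog/0022
-new file mode 100644
-index 000000000..68e21fff3
--- 
-2.39.0
-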
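--- a/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch
+++ b/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch
@@ -1,166 +0,0 @@
-From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Sun, 1 Jan 2023 12:18:38 +0000
-Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group.  Bug
- 2954
-
----
- src/tls-openssl.c          | 39 ++++++++++++++----------
- test/confs/2148                | 54 ++++++++++++++++++++++++++++++++++
- test/confs/2149                | 39 +++++++++++++-----------
- test/log/2148                  | 48 ++++++++++++++++++++++++++++++
- test/log/2149                  | 39 ++++++++++++------------
- test/paniclog/{2149 => 2148}   |  0
- test/scripts/2100-OpenSSL/2148 | 50 +++++++++++++++++++++++++++++++
- test/scripts/2100-OpenSSL/2149 | 50 ++++++++++++++++---------------
- test/stderr/2148               |  5 ++++
- test/stderr/2149               |  3 --
- 11 files changed, 250 insertions(+), 81 deletions(-)
- create mode 100644 test/confs/2148
- create mode 100644 test/log/2148
- rename test/paniclog/{2149 => 2148} (100%)
- create mode 100644 test/scripts/2100-OpenSSL/2148
- create mode 100644 test/stderr/2148
-
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -657,16 +657,16 @@ if (dh_bitsize <= tls_dh_max_bits)
-     /* EVP_PKEY_free(pkey);  crashes */
- #endif
-     }
-   else
-     DEBUG(D_tls)
--      debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
-+      debug_printf(" Diffie-Hellman initialized from %s with %d-bit prime\n",
- 	dhexpanded ? dhexpanded : US"default", dh_bitsize);
-   }
- else
-   DEBUG(D_tls)
--    debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
-+    debug_printf(" dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
- 	dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
- 
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- DH_free(dh);
- #endif
-@@ -712,23 +712,31 @@ init_ecdh(SSL_CTX * sctx, uschar ** errs
- #ifdef OPENSSL_NO_ECDH
- return TRUE;
- #else
- 
- uschar * exp_curve;
--int nid;
--BOOL rv;
-+int nid, rc;
- 
- # ifndef EXIM_HAVE_ECDH
- DEBUG(D_tls)
--  debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
-+  debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
- return TRUE;
- # else
- 
- if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
-   return FALSE;
-+
-+/* Is the option deliberately empty? */
-+
- if (!exp_curve || !*exp_curve)
-+  {
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+  DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n");
-+  (void) SSL_CTX_set1_curves(sctx, &nid, 0);
-+#endif
-   return TRUE;
-+  }
- 
- /* "auto" needs to be handled carefully.
-  * OpenSSL <  1.0.2: we do not select anything, but fallback to prime256v1
-  * OpenSSL <  1.1.0: we have to call SSL_CTX_set_ecdh_auto
-  *                   (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
-@@ -737,27 +745,26 @@ if (!exp_curve || !*exp_curve)
-  */
- if (Ustrcmp(exp_curve, "auto") == 0)
-   {
- #if OPENSSL_VERSION_NUMBER < 0x10002000L
-   DEBUG(D_tls) debug_printf(
--    "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
-+    " ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
-   exp_curve = US"prime256v1";
- #else
- # if defined SSL_CTRL_SET_ECDH_AUTO
-   DEBUG(D_tls) debug_printf(
--    "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
-+    " ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
-   SSL_CTX_set_ecdh_auto(sctx, 1);
-   return TRUE;
- # else
-   DEBUG(D_tls) debug_printf(
--    "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n");
-+    " ECDH OpenSSL 1.1.0+: temp key parameter settings: library default selection\n");
-   return TRUE;
- # endif
- #endif
-   }
- 
--DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
- if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
- #   ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
-    && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
- #   endif
-    )
-@@ -777,27 +784,27 @@ if (  (nid = OBJ_sn2nid       (CCS exp_c
-     }
- 
-   /* The "tmp" in the name here refers to setting a temporary key
-   not to the stability of the interface. */
- 
--  if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
-+  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
-     tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
-   else
--    DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
-+    DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
-   EC_KEY_free(ecdh);
-  }
- 
- #else	/* v 3.0.0 + */
- 
--if ((rv = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
-+if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
-   tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
- else
--  DEBUG(D_tls) debug_printf("ECDH: enabled '%s' group\n", exp_curve);
-+  DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve);
- 
- #endif
- 
--return !rv;
-+return !!rc;
- 
- # endif	/*EXIM_HAVE_ECDH*/
- #endif /*OPENSSL_NO_ECDH*/
- }
- 
-@@ -1719,19 +1726,19 @@ state_server.lib_state.lib_ctx = ctx;
- 
- /* Preload DH params and EC curve */
- 
- if (opt_unset_or_noexpand(tls_dhparam))
-   {
--  DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n");
-+  DEBUG(D_tls) debug_printf("TLS: preloading DH params '%s' for server\n", tls_dhparam);
-   if (init_dh(ctx, tls_dhparam, &dummy_errstr))
-     state_server.lib_state.dh = TRUE;
-   }
- else
-   DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n");
- if (opt_unset_or_noexpand(tls_eccurve))
-   {
--  DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n");
-+  DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve '%s' for server\n", tls_eccurve);
-   if (init_ecdh(ctx, &dummy_errstr))
-     state_server.lib_state.ecdh = TRUE;
-   }
- else
-   DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");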
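--- a/mail/exim/files/debian/75_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch
+++ b/mail/exim/files/debian/75_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch
@@ -1,42 +0,0 @@
-From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 2 Jan 2023 15:04:14 +0000
-Subject: [PATCH 1/3] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. 
- Bug 2954
-
-Broken-by: ca4014de81e6
----
- src/tls-openssl.c          |  7 ++++---
- test/log/2149                  | 28 ++++++++++++++--------------
- test/runtest                   |  3 +++
- test/scripts/2100-OpenSSL/2149 | 22 ++++++++++++----------
- 4 files changed, 33 insertions(+), 27 deletions(-)
-
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index 4d0f99ea9..e063d29bd 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -786,8 +786,9 @@ if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
- #   endif
-    )
-   {
--  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
--    NULL, NULL, errstr);
-+  uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
-+  DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
-+  if (errstr) *errstr = s;
-   return FALSE;
-   }
- 
-@@ -803,7 +804,7 @@ if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
-   /* The "tmp" in the name here refers to setting a temporary key
-   not to the stability of the interface. */
- 
--  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
-+  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
-     tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
-   else
-     DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
--- 
-2.39.0
-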
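--- a/mail/exim/files/debian/75_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch
+++ b/mail/exim/files/debian/75_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch
@@ -1,99 +0,0 @@
-From e1aca33756f73c22b00a98d40ce2be8ed94464b1 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Thu, 5 Jan 2023 13:03:37 +0000
-Subject: [PATCH 2/3] OpenSSL: log conns rejected for bad ALPN, with the
- offered value
-
-Unfortunately, no way to do this under GnuTLS
----
- src/match.c       |  1 +
- src/tls-gnu.c     |  9 ++++++++-
- src/tls-openssl.c | 13 +++++++++++--
- test/log/1190         |  2 ++
- test/runtest          |  3 +++
- 5 files changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/src/match.c b/src/match.c
-index 91a49c0f0..07070362d 100644
---- a/src/match.c
-+++ b/src/match.c
-@@ -968,6 +968,7 @@ Arguments:
-   s              string to search for
-   listptr        ptr to ptr to colon separated list of patterns, or NULL
-   sep            a separator value for the list (see string_nextinlist())
-+		 or zero for auto
-   anchorptr      ptr to tree for named items, or NULL if no named items
-   cache_bits     ptr to cache_bits for ditto, or NULL if not caching
-   type           MCL_DOMAIN when matching a domain list
-diff --git a/src/tls-gnu.c b/src/tls-gnu.c
-index 729fb5879..b47fabf1d 100644
---- a/src/tls-gnu.c
-+++ b/src/tls-gnu.c
-@@ -1119,21 +1119,28 @@ switch (tls_id)
-     /* The format of "data" here doesn't seem to be documented, but appears
-     to be a 2-byte field with a (redundant, given the "size" arg) total length
-     then a sequence of one-byte size then string (not nul-term) names.  The
--    latter is as described in OpenSSL documentation. */
-+    latter is as described in OpenSSL documentation.
-+    Note that we do not get called for a match_fail, making it hard to log
-+    a single bad ALPN being offered (the common case). */
-+    {
-+    gstring * g = NULL;
- 
-     DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size);
-     for (const uschar * s = data+2; s-data < size-1; s += *s + 1)
-       {
-       server_seen_alpn++;
-+      g = string_append_listele_n(g, ':', s+1, *s);
-       DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1);
-       }
-     DEBUG(D_tls) debug_printf("\n");
-     if (server_seen_alpn > 1)
-       {
-+      log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g));
-       DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n");
-       return GNUTLS_E_NO_APPLICATION_PROTOCOL;
-       }
-     break;
-+    }
- #endif
-   }
- return 0;
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index e063d29bd..513ba0d3a 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -2324,6 +2324,8 @@ static int
- tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
-   const uschar * in, unsigned int inlen, void * arg)
- {
-+gstring * g = NULL;
-+
- server_seen_alpn = TRUE;
- DEBUG(D_tls)
-   {
-@@ -2354,12 +2356,19 @@ if (  inlen > 1		/* at least one name */
-       }
-   }
- 
--/* More than one name from clilent, or name did not match our list. */
-+/* More than one name from client, or name did not match our list. */
- 
- /* This will be fatal to the TLS conn; would be nice to kill TCP also.
- Maybe as an option in future; for now leave control to the config (must-tls). */
- 
--DEBUG(D_tls) debug_printf("TLS ALPN rejected\n");
-+for (int pos = 0, siz; pos < inlen; pos += siz+1)
-+  {
-+  siz = in[pos];
-+  if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
-+  g = string_append_listele_n(g, ':', in + pos + 1, siz);
-+  }
-+log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g));
-+gstring_release_unused(g);
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- #endif	/* EXIM_HAVE_ALPN */
--- 
-2.39.0
-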
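--- a/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch
+++ b/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch
@@ -1,78 +0,0 @@
-From 30520c8f87fcf660ed99a2344cae7f9787f7bc89 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Thu, 5 Jan 2023 18:39:51 +0000
-Subject: [PATCH 3/3] DANE: do not check dns_again_means_nonexist for TLSA
- results of TRY_AGAIN
-
----
- src/dns.c             | 35 ++++++++++++++++++++++-------------
- doc/doc-docbook/spec.xfpt |  7 ++++++-
- 3 files changed, 32 insertions(+), 14 deletions(-)
-
---- a/src/dns.c
-+++ b/src/dns.c
-@@ -904,25 +904,34 @@ if (dnsa->answerlen < 0) switch (h_errno
-     DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
-       name, dns_text_type(type));
- 
-     /* Cut this out for various test programs */
- #ifndef STAND_ALONE
--    if (try_again_recursion)
-+    /* Permitting dns_again_means nonexist for TLSA lookups breaks the
-+    doewngrade resistance of dane, so avoid for those. */
-+
-+    if (type == T_TLSA)
-+      rc = FAIL;
-+    else
-       {
--      log_write(0, LOG_MAIN|LOG_PANIC,
--	"dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
--	name);
--      return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
--      }
-+      if (try_again_recursion)
-+	{
-+	log_write(0, LOG_MAIN|LOG_PANIC,
-+	  "dns_again_means_nonexist recursion seen for %s"
-+	  " (assuming nonexist)", name);
-+	return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
-+			      DNS_NOMATCH);
-+	}
- 
--    try_again_recursion = TRUE;
--    save_domain = deliver_domain;
--    deliver_domain = string_copy(name);  /* set $domain */
--    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
--      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
--    deliver_domain = save_domain;
--    try_again_recursion = FALSE;
-+      try_again_recursion = TRUE;
-+      save_domain = deliver_domain;
-+      deliver_domain = string_copy(name);  /* set $domain */
-+      rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
-+	&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
-+      deliver_domain = save_domain;
-+      try_again_recursion = FALSE;
-+      }
- 
-     if (rc != OK)
-       {
-       DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
-       return dns_fail_return(name, type, 0, DNS_AGAIN);
---- a/doc/spec.txt
-+++ b/doc/spec.txt
-@@ -14246,11 +14246,13 @@ dns_again_means_nonexist, it is treated
- should be used with care. You can make it apply to reverse lookups by a setting
- such as this:
- 
- dns_again_means_nonexist = *.in-addr.arpa
- 
--This option applies to all DNS lookups that Exim does. It also applies when the
-+This option applies to all DNS lookups that Exim does, except for TLSA lookups
-+(where knowing about such failures +is security-relevant). It also applies
-+when the
- gethostbyname() or getipnodebyname() functions give temporary errors, since
- these are most likely to be caused by DNS lookup problems. The dnslookup router
- has some options of its own for controlling what happens when lookups for MX or
- SRV records give temporary errors. These more specific options are applied
- after this global option.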
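--- a/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch
+++ b/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch
@@ -1,66 +0,0 @@
-From 70069b65a39a7ba73a36fbd95371ff03cde1eb23 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Thu, 2 Feb 2023 20:00:35 +0000
-Subject: [PATCH] Fix crash in expansions
-
-Broken-by: 1058096b8c53
----
- src/expand.c      | 9 +++++----
- test/stderr/0630      | 1 +
- 3 files changed, 10 insertions(+), 4 deletions(-)
-
---- a/src/expand.c
-+++ b/src/expand.c
-@@ -4652,11 +4652,11 @@ while (*s)
-       yield = string_catn(yield, value, len);
- 
-     continue;
-     }
- 
--  if (isdigit(*s))
-+  if (isdigit(*s))		/* A $<n> variable */
-     {
-     int n;
-     s = read_cnumber(&n, s);
-     if (n >= 0 && n <= expand_nmax)
-       yield = string_catn(yield, expand_nstring[n], expand_nlength[n]);
-@@ -7060,10 +7060,11 @@ NOT_ITEM: ;
-       if (arg) *arg++ = '_';		/* Put back for error messages */
-       }
- 
-     /* Deal specially with operators that might take a certificate variable
-     as we do not want to do the usual expansion. For most, expand the string.*/
-+
-     switch(c)
-       {
- #ifndef DISABLE_TLS
-       case EOP_MD5:
-       case EOP_SHA1:
-@@ -7107,11 +7108,11 @@ NOT_ITEM: ;
- 
-     /* Otherwise, switch on the operator type.  After handling go back
-     to the main loop top. */
- 
-      {
--     int start = yield->ptr;
-+     unsigned expansion_start = gstring_length(yield);
-      switch(c)
-       {
-       case EOP_BASE32:
- 	{
- 	uschar *t;
-@@ -8168,12 +8169,12 @@ NOT_ITEM: ;
- 	  goto EXPAND_FAILED;
- 	}	/* EOP_* switch */
- 
-        DEBUG(D_expand)
- 	{
--	const uschar * s = yield->s + start;
--	int i = yield->ptr - start;
-+	const uschar * s = yield->s + expansion_start;
-+	int i = gstring_length(yield) - expansion_start;
- 	BOOL tainted = is_tainted(s);
- 
- 	DEBUG(D_noutf8)
- 	  {
- 	  debug_printf_indent("|-----op-res: %.*s\n", i, s);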
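--- a/mail/exim/pkg-plist
+++ b/mail/exim/pkg-plist
@@ -5,7 +5,9 @@
 %%EXIM%%sbin/exim_dbmbuild
 %%EXIM%%sbin/exim_dumpdb
 %%EXIM%%sbin/exim_fixdb
+%%EXIM%%sbin/exim_id_update
 %%EXIM%%sbin/exim_lock
+%%EXIM%%sbin/exim_msgdate
 %%EXIM%%sbin/exim_tidydb
 %%EXIM%%sbin/exicyclog
 %%EXIM%%sbin/exigrep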
