author | Ivan Stakhov <50211739+left-try@users.noreply.github.com> | 2024-10-19 18:23:18 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-19 18:23:18 +0300 |
commit | 7ca76b8768adcdd1205b7bc8c7000be3bbc281fe (patch) | |
tree | c273e6772e14b585306930976852508356805d0f /src | |
parent | 3d02f65dcb90ae02ab840df8495f71655bd4cbbc (diff) | |
parent | c9b804517d25168ed4c03c70fcc808d38b86e785 (diff) | |
Merge branch 'rspamd:master' into master
Diffstat (limited to 'src')
-rw-r--r-- | src/CMakeLists.txt | 4 | ||||
-rw-r--r-- | src/client/CMakeLists.txt | 4 | ||||
-rw-r--r-- | src/client/rspamdclient.c | 1 | ||||
-rw-r--r-- | src/libcryptobox/cryptobox.c | 19 | ||||
-rw-r--r-- | src/libcryptobox/cryptobox.h | 3 | ||||
-rw-r--r-- | src/libserver/dkim.c | 53 | ||||
-rw-r--r-- | src/libserver/protocol.c | 481 | ||||
-rw-r--r-- | src/libserver/protocol_internal.h | 2 | ||||
-rw-r--r-- | src/libserver/ssl_util.c | 19 | ||||
-rw-r--r-- | src/libserver/task.c | 6 | ||||
-rw-r--r-- | src/libserver/worker_util.c | 3 | ||||
-rw-r--r-- | src/libstat/stat_internal.h | 10 | ||||
-rw-r--r-- | src/libstat/stat_process.c | 3 | ||||
-rw-r--r-- | src/lua/lua_http.c | 3 | ||||
-rw-r--r-- | src/ragel/smtp_base.rl | 1 | ||||
-rw-r--r-- | src/rspamadm/CMakeLists.txt | 4 | ||||
-rw-r--r-- | src/rspamd.c | 2 | ||||
-rw-r--r-- | src/rspamd_proxy.c | 3 |
18 files changed, 343 insertions, 278 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 173917703..f7fdcef7b 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -235,9 +235,9 @@ ADD_EXECUTABLE(rspamd ${RSPAMDSRC} ${CMAKE_CURRENT_BINARY_DIR}/workers.c ${CMAKE ADD_BACKWARD(rspamd) SET_TARGET_PROPERTIES(rspamd PROPERTIES LINKER_LANGUAGE CXX) SET_TARGET_PROPERTIES(rspamd-server PROPERTIES LINKER_LANGUAGE CXX) -IF(NOT DEBIAN_BUILD) +IF(NOT NO_TARGET_VERSIONS) SET_TARGET_PROPERTIES(rspamd PROPERTIES VERSION ${RSPAMD_VERSION}) -ENDIF(NOT DEBIAN_BUILD) +ENDIF() #TARGET_LINK_LIBRARIES(rspamd ${RSPAMD_REQUIRED_LIBRARIES}) TARGET_LINK_LIBRARIES(rspamd rspamd-server) diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt index edf3cc1c4..543fc629c 100644 --- a/src/client/CMakeLists.txt +++ b/src/client/CMakeLists.txt @@ -9,8 +9,8 @@ SET_TARGET_PROPERTIES(rspamc PROPERTIES COMPILE_FLAGS "-I${CMAKE_SOURCE_DIR}/lib TARGET_LINK_LIBRARIES(rspamc rspamd-server) SET_TARGET_PROPERTIES(rspamc PROPERTIES LINKER_LANGUAGE CXX) -IF(NOT DEBIAN_BUILD) +IF(NOT NO_TARGET_VERSIONS) SET_TARGET_PROPERTIES(rspamc PROPERTIES VERSION ${RSPAMD_VERSION}) -ENDIF(NOT DEBIAN_BUILD) +ENDIF() INSTALL(TARGETS rspamc RUNTIME DESTINATION bin) diff --git a/src/client/rspamdclient.c b/src/client/rspamdclient.c index bcb3cf67c..d07b24332 100644 --- a/src/client/rspamdclient.c +++ b/src/client/rspamdclient.c @@ -441,6 +441,7 @@ rspamd_client_command(struct rspamd_client_connection *conn, if (compressed) { rspamd_http_message_add_header(req->msg, COMPRESSION_HEADER, "zstd"); + rspamd_http_message_add_header(req->msg, CONTENT_ENCODING_HEADER, "zstd"); if (dict_id != 0) { char dict_str[32]; diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c index a976653df..190d0e4a3 100644 --- a/src/libcryptobox/cryptobox.c +++ b/src/libcryptobox/cryptobox.c @@ -40,6 +40,7 @@ #include <openssl/opensslv.h> #include <openssl/evp.h> #include <openssl/rsa.h> +#include <openssl/err.h> #endif #include <signal.h> 
@@ -456,9 +457,10 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid, gsize siglen, const unsigned char *digest, gsize dlen, - EVP_PKEY *pub_key) + EVP_PKEY *pub_key, + GError **err) { - bool ret = false; + bool ret = false, r; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pub_key, NULL); g_assert(pctx != NULL); @@ -467,7 +469,18 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid, g_assert(EVP_PKEY_verify_init(pctx) == 1); g_assert(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) == 1); - g_assert(EVP_PKEY_CTX_set_signature_md(pctx, md) == 1); + + if ((r = EVP_PKEY_CTX_set_signature_md(pctx, md)) <= 0) { + g_set_error(err, g_quark_from_static_string("OpenSSL"), + r, + "cannot set digest %s for RSA verification (%s returned from OpenSSL), try use `update-crypto-policies --set LEGACY` on RH", + EVP_MD_name(md), + ERR_lib_error_string(ERR_get_error())); + EVP_PKEY_CTX_free(pctx); + EVP_MD_CTX_free(mdctx); + + return false; + } ret = (EVP_PKEY_verify(pctx, sig, siglen, digest, dlen) == 1); diff --git a/src/libcryptobox/cryptobox.h b/src/libcryptobox/cryptobox.h index afe9c4f9a..8d1f5669e 100644 --- a/src/libcryptobox/cryptobox.h +++ b/src/libcryptobox/cryptobox.h @@ -238,7 +238,8 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid, gsize siglen, const unsigned char *digest, gsize dlen, - EVP_PKEY *pub_key); + EVP_PKEY *pub_key, + GError **err); #endif /** diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c index a76ed31ab..0f51c66c0 100644 --- a/src/libserver/dkim.c +++ b/src/libserver/dkim.c 
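Review bot: In rspamd_cryptobox_verify_evp_rsa the new `r` is declared as `bool` (`bool ret = false, r;`), so the int returned by EVP_PKEY_CTX_set_signature_md is collapsed to 0 or 1 before the `<= 0` comparison. A negative return therefore becomes `true` and skips the new error branch, and execution presumably continues into EVP_PKEY_verify without the digest having been set; the GError code passed as `r` can also only ever be 0. Declare it on its own line as `int r;`. ERR_lib_error_string names the library rather than the cause and may return NULL, so `ERR_reason_error_string(ERR_peek_last_error())` with a fallback string would make the message more useful. `md` and `mdctx` are set up outside the hunk, so the added `EVP_MD_CTX_free(mdctx)` cannot be checked from here.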
@@ -2871,25 +2871,48 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx, nid = NID_sha1; } switch (key->type) { - case RSPAMD_DKIM_KEY_RSA: + case RSPAMD_DKIM_KEY_RSA: { + GError *err = NULL; + if (!rspamd_cryptobox_verify_evp_rsa(nid, ctx->b, ctx->blen, raw_digest, dlen, - key->specific.key_ssl.key_evp)) { - msg_debug_dkim("headers rsa verify failed"); - ERR_clear_error(); - res->rcode = DKIM_REJECT; - res->fail_reason = "headers rsa verify failed"; + key->specific.key_ssl.key_evp, &err)) { - msg_info_dkim( - "%s: headers RSA verification failure; " - "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s", - rspamd_dkim_type_to_string(ctx->common.type), - (int) (body_end - body_start), ctx->common.body_canonicalised, - ctx->common.headers_canonicalised, - ctx->domain, ctx->selector, - RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key), - ctx->dkim_header); + if (err == NULL) { + msg_debug_dkim("headers rsa verify failed"); + ERR_clear_error(); + res->rcode = DKIM_REJECT; + res->fail_reason = "headers rsa verify failed"; + + msg_info_dkim( + "%s: headers RSA verification failure; " + "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s", + rspamd_dkim_type_to_string(ctx->common.type), + (int) (body_end - body_start), ctx->common.body_canonicalised, + ctx->common.headers_canonicalised, + ctx->domain, ctx->selector, + RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key), + ctx->dkim_header); + } + else { + res->rcode = DKIM_PERM_ERROR; + res->fail_reason = "openssl internal error"; + msg_err_dkim("internal OpenSSL error: %s", err->message); + msg_info_dkim( + "%s: headers RSA verification failure due to OpenSSL internal error; " + "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s", + rspamd_dkim_type_to_string(ctx->common.type), + (int) (body_end - body_start), ctx->common.body_canonicalised, + ctx->common.headers_canonicalised, + ctx->domain, ctx->selector, + RSPAMD_DKIM_KEY_ID_LEN, 
rspamd_dkim_key_id(key), + ctx->dkim_header); + + ERR_clear_error(); + g_error_free(err); + } } break; + } case RSPAMD_DKIM_KEY_ECDSA: if (rspamd_cryptobox_verify_evp_ecdsa(nid, ctx->b, ctx->blen, raw_digest, dlen, key->specific.key_ssl.key_evp) != 1) { diff --git a/src/libserver/protocol.c b/src/libserver/protocol.c index a86111ff2..7d007370b 100644 --- a/src/libserver/protocol.c +++ b/src/libserver/protocol.c 
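Review bot: The new `else` branch in the RSA case of rspamd_dkim_check reports a local OpenSSL failure as `DKIM_PERM_ERROR`, which is a verdict about the signature rather than about this host, and nothing in the code records why a permanent error was chosen over a temporary one. A comment above the branch such as `/* err != NULL: verification could not be performed locally (e.g. digest rejected by OpenSSL), not a bad signature */` would make the distinction explicit for whoever tunes scoring later. The two `msg_info_dkim` calls repeat the same nine-argument format string; a single call that takes the reason as an extra `%s` would keep them from drifting apart. The function body starts and ends outside the hunk.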
@@ -490,271 +490,271 @@ rspamd_protocol_handle_headers(struct rspamd_task *task, hv_tok->len = h->value.len; switch (*hn_tok->begin) { - case 'd': - case 'D': - IF_HEADER(DELIVER_TO_HEADER) - { - task->deliver_to = rspamd_protocol_escape_braces(task, hv_tok); - msg_debug_protocol("read deliver-to header, value: %s", - task->deliver_to); - } - else - { - msg_debug_protocol("wrong header: %T", hn_tok); - } - break; - case 'h': - case 'H': - IF_HEADER(HELO_HEADER) - { - task->helo = rspamd_mempool_ftokdup(task->task_pool, hv_tok); - msg_debug_protocol("read helo header, value: %s", task->helo); - } - IF_HEADER(HOSTNAME_HEADER) - { - task->hostname = rspamd_mempool_ftokdup(task->task_pool, - hv_tok); - msg_debug_protocol("read hostname header, value: %s", task->hostname); - } - break; - case 'f': - case 'F': - IF_HEADER(FROM_HEADER) - { - if (hv_tok->len == 0) { - /* Replace '' with '<>' to fix parsing issue */ - RSPAMD_FTOK_ASSIGN(hv_tok, "<>"); + case 'd': + case 'D': + IF_HEADER(DELIVER_TO_HEADER) + { + task->deliver_to = rspamd_protocol_escape_braces(task, hv_tok); + msg_debug_protocol("read deliver-to header, value: %s", + task->deliver_to); } - task->from_envelope = rspamd_email_address_from_smtp( - hv_tok->begin, - hv_tok->len); - msg_debug_protocol("read from header, value: %T", hv_tok); - - if (!task->from_envelope) { - msg_err_protocol("bad from header: '%T'", hv_tok); - task->flags |= RSPAMD_TASK_FLAG_BROKEN_HEADERS; + else + { + msg_debug_protocol("wrong header: %T", hn_tok); } - } - IF_HEADER(FILENAME_HEADER) - { - task->msg.fpath = rspamd_mempool_ftokdup(task->task_pool, - hv_tok); - msg_debug_protocol("read filename header, value: %s", task->msg.fpath); - } - IF_HEADER(FLAGS_HEADER) - { - msg_debug_protocol("read flags header, value: %T", hv_tok); - rspamd_protocol_process_flags(task, hv_tok); - } - break; - case 'q': - case 'Q': - IF_HEADER(QUEUE_ID_HEADER) - { - task->queue_id = rspamd_mempool_ftokdup(task->task_pool, - hv_tok); - 
msg_debug_protocol("read queue_id header, value: %s", task->queue_id); - } - else - { - msg_debug_protocol("wrong header: %T", hn_tok); - } - break; - case 'r': - case 'R': - IF_HEADER(RCPT_HEADER) - { - rspamd_protocol_process_recipients(task, hv_tok); - msg_debug_protocol("read rcpt header, value: %T", hv_tok); - } - IF_HEADER(RAW_DATA_HEADER) - { - srch.begin = "yes"; - srch.len = 3; - - msg_debug_protocol("read raw data header, value: %T", hv_tok); + break; + case 'h': + case 'H': + IF_HEADER(HELO_HEADER) + { + task->helo = rspamd_mempool_ftokdup(task->task_pool, hv_tok); + msg_debug_protocol("read helo header, value: %s", task->helo); + } + IF_HEADER(HOSTNAME_HEADER) + { + task->hostname = rspamd_mempool_ftokdup(task->task_pool, + hv_tok); + msg_debug_protocol("read hostname header, value: %s", task->hostname); + } + break; + case 'f': + case 'F': + IF_HEADER(FROM_HEADER) + { + if (hv_tok->len == 0) { + /* Replace '' with '<>' to fix parsing issue */ + RSPAMD_FTOK_ASSIGN(hv_tok, "<>"); + } + task->from_envelope = rspamd_email_address_from_smtp( + hv_tok->begin, + hv_tok->len); + msg_debug_protocol("read from header, value: %T", hv_tok); - if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { - task->flags &= ~RSPAMD_TASK_FLAG_MIME; - msg_debug_protocol("disable mime parsing"); + if (!task->from_envelope) { + msg_err_protocol("bad from header: '%T'", hv_tok); + task->flags |= RSPAMD_TASK_FLAG_BROKEN_HEADERS; + } } - } - break; - case 'i': - case 'I': - IF_HEADER(IP_ADDR_HEADER) - { - if (!rspamd_parse_inet_address(&task->from_addr, - hv_tok->begin, hv_tok->len, - RSPAMD_INET_ADDRESS_PARSE_DEFAULT)) { - msg_err_protocol("bad ip header: '%T'", hv_tok); + IF_HEADER(FILENAME_HEADER) + { + task->msg.fpath = rspamd_mempool_ftokdup(task->task_pool, + hv_tok); + msg_debug_protocol("read filename header, value: %s", task->msg.fpath); } - else { - msg_debug_protocol("read IP header, value: %T", hv_tok); - has_ip = TRUE; + IF_HEADER(FLAGS_HEADER) + { + msg_debug_protocol("read 
flags header, value: %T", hv_tok); + rspamd_protocol_process_flags(task, hv_tok); } - } - else - { - msg_debug_protocol("wrong header: %T", hn_tok); - } - break; - case 'p': - case 'P': - IF_HEADER(PASS_HEADER) - { - srch.begin = "all"; - srch.len = 3; + break; + case 'q': + case 'Q': + IF_HEADER(QUEUE_ID_HEADER) + { + task->queue_id = rspamd_mempool_ftokdup(task->task_pool, + hv_tok); + msg_debug_protocol("read queue_id header, value: %s", task->queue_id); + } + else + { + msg_debug_protocol("wrong header: %T", hn_tok); + } + break; + case 'r': + case 'R': + IF_HEADER(RCPT_HEADER) + { + rspamd_protocol_process_recipients(task, hv_tok); + msg_debug_protocol("read rcpt header, value: %T", hv_tok); + } + IF_HEADER(RAW_DATA_HEADER) + { + srch.begin = "yes"; + srch.len = 3; - msg_debug_protocol("read pass header, value: %T", hv_tok); + msg_debug_protocol("read raw data header, value: %T", hv_tok); - if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { - task->flags |= RSPAMD_TASK_FLAG_PASS_ALL; - msg_debug_protocol("pass all filters"); + if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { + task->flags &= ~RSPAMD_TASK_FLAG_MIME; + msg_debug_protocol("disable mime parsing"); + } } - } - IF_HEADER(PROFILE_HEADER) - { - msg_debug_protocol("read profile header, value: %T", hv_tok); - task->flags |= RSPAMD_TASK_FLAG_PROFILE; - } - break; - case 's': - case 'S': - IF_HEADER(SETTINGS_ID_HEADER) - { - msg_debug_protocol("read settings-id header, value: %T", hv_tok); - task->settings_elt = rspamd_config_find_settings_name_ref( - task->cfg, hv_tok->begin, hv_tok->len); - - if (task->settings_elt == NULL) { - GString *known_ids = g_string_new(NULL); - struct rspamd_config_settings_elt *cur; - - DL_FOREACH(task->cfg->setting_ids, cur) - { - rspamd_printf_gstring(known_ids, "%s(%ud);", - cur->name, cur->id); + break; + case 'i': + case 'I': + IF_HEADER(IP_ADDR_HEADER) + { + if (!rspamd_parse_inet_address(&task->from_addr, + hv_tok->begin, hv_tok->len, + RSPAMD_INET_ADDRESS_PARSE_DEFAULT)) { + 
msg_err_protocol("bad ip header: '%T'", hv_tok); + } + else { + msg_debug_protocol("read IP header, value: %T", hv_tok); + has_ip = TRUE; } + } + else + { + msg_debug_protocol("wrong header: %T", hn_tok); + } + break; + case 'p': + case 'P': + IF_HEADER(PASS_HEADER) + { + srch.begin = "all"; + srch.len = 3; + + msg_debug_protocol("read pass header, value: %T", hv_tok); + + if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { + task->flags |= RSPAMD_TASK_FLAG_PASS_ALL; + msg_debug_protocol("pass all filters"); + } + } + IF_HEADER(PROFILE_HEADER) + { + msg_debug_protocol("read profile header, value: %T", hv_tok); + task->flags |= RSPAMD_TASK_FLAG_PROFILE; + } + break; + case 's': + case 'S': + IF_HEADER(SETTINGS_ID_HEADER) + { + msg_debug_protocol("read settings-id header, value: %T", hv_tok); + task->settings_elt = rspamd_config_find_settings_name_ref( + task->cfg, hv_tok->begin, hv_tok->len); + + if (task->settings_elt == NULL) { + GString *known_ids = g_string_new(NULL); + struct rspamd_config_settings_elt *cur; + + DL_FOREACH(task->cfg->setting_ids, cur) + { + rspamd_printf_gstring(known_ids, "%s(%ud);", + cur->name, cur->id); + } - msg_warn_protocol("unknown settings id: %T(%d); known_ids: %v", - hv_tok, - rspamd_config_name_to_id(hv_tok->begin, hv_tok->len), - known_ids); + msg_warn_protocol("unknown settings id: %T(%d); known_ids: %v", + hv_tok, + rspamd_config_name_to_id(hv_tok->begin, hv_tok->len), + known_ids); - g_string_free(known_ids, TRUE); + g_string_free(known_ids, TRUE); + } + else { + msg_debug_protocol("applied settings id %T -> %ud", hv_tok, + task->settings_elt->id); + } } - else { - msg_debug_protocol("applied settings id %T -> %ud", hv_tok, - task->settings_elt->id); + IF_HEADER(SETTINGS_HEADER) + { + msg_debug_protocol("read settings header, value: %T", hv_tok); + seen_settings_header = TRUE; } - } - IF_HEADER(SETTINGS_HEADER) - { - msg_debug_protocol("read settings header, value: %T", hv_tok); - seen_settings_header = TRUE; - } - break; - case 'u': 
- case 'U': - IF_HEADER(USER_HEADER) - { - /* + break; + case 'u': + case 'U': + IF_HEADER(USER_HEADER) + { + /* * We must ignore User header in case of spamc, as SA has * different meaning of this header */ - msg_debug_protocol("read user header, value: %T", hv_tok); - if (!RSPAMD_TASK_IS_SPAMC(task)) { - task->auth_user = rspamd_mempool_ftokdup(task->task_pool, - hv_tok); - } - else { - msg_info_protocol("ignore user header: legacy SA protocol"); + msg_debug_protocol("read user header, value: %T", hv_tok); + if (!RSPAMD_TASK_IS_SPAMC(task)) { + task->auth_user = rspamd_mempool_ftokdup(task->task_pool, + hv_tok); + } + else { + msg_info_protocol("ignore user header: legacy SA protocol"); + } } - } - IF_HEADER(URLS_HEADER) - { - msg_debug_protocol("read urls header, value: %T", hv_tok); + IF_HEADER(URLS_HEADER) + { + msg_debug_protocol("read urls header, value: %T", hv_tok); - srch.begin = "extended"; - srch.len = 8; + srch.begin = "extended"; + srch.len = 8; - if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { - task->protocol_flags |= RSPAMD_TASK_PROTOCOL_FLAG_EXT_URLS; - msg_debug_protocol("extended urls information"); - } - - /* TODO: add more formats there */ - } - IF_HEADER(USER_AGENT_HEADER) - { - msg_debug_protocol("read user-agent header, value: %T", hv_tok); + if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { + task->protocol_flags |= RSPAMD_TASK_PROTOCOL_FLAG_EXT_URLS; + msg_debug_protocol("extended urls information"); + } - if (hv_tok->len == 6 && - rspamd_lc_cmp(hv_tok->begin, "rspamc", 6) == 0) { - task->protocol_flags |= RSPAMD_TASK_PROTOCOL_FLAG_LOCAL_CLIENT; + /* TODO: add more formats there */ } - } - break; - case 'l': - case 'L': - IF_HEADER(NO_LOG_HEADER) - { - msg_debug_protocol("read log header, value: %T", hv_tok); - srch.begin = "no"; - srch.len = 2; + IF_HEADER(USER_AGENT_HEADER) + { + msg_debug_protocol("read user-agent header, value: %T", hv_tok); - if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { - task->flags |= RSPAMD_TASK_FLAG_NO_LOG; + if 
(hv_tok->len == 6 && + rspamd_lc_cmp(hv_tok->begin, "rspamc", 6) == 0) { + task->protocol_flags |= RSPAMD_TASK_PROTOCOL_FLAG_LOCAL_CLIENT; + } } - } - IF_HEADER(LOG_TAG_HEADER) - { - msg_debug_protocol("read log-tag header, value: %T", hv_tok); - /* Ensure that a tag is valid */ - if (rspamd_fast_utf8_validate(hv_tok->begin, hv_tok->len) == 0) { - memcpy(task->task_pool->tag.uid, hv_tok->begin, - MIN(hv_tok->len, sizeof(task->task_pool->tag.uid))); + break; + case 'l': + case 'L': + IF_HEADER(NO_LOG_HEADER) + { + msg_debug_protocol("read log header, value: %T", hv_tok); + srch.begin = "no"; + srch.len = 2; + + if (rspamd_ftok_casecmp(hv_tok, &srch) == 0) { + task->flags |= RSPAMD_TASK_FLAG_NO_LOG; + } } - } - break; - case 'm': - case 'M': - IF_HEADER(MTA_TAG_HEADER) - { - char *mta_tag; - mta_tag = rspamd_mempool_ftokdup(task->task_pool, hv_tok); - rspamd_mempool_set_variable(task->task_pool, - RSPAMD_MEMPOOL_MTA_TAG, - mta_tag, NULL); - msg_debug_protocol("read MTA-Tag header, value: %s", mta_tag); - } - IF_HEADER(MTA_NAME_HEADER) - { - char *mta_name; - mta_name = rspamd_mempool_ftokdup(task->task_pool, hv_tok); - rspamd_mempool_set_variable(task->task_pool, - RSPAMD_MEMPOOL_MTA_NAME, - mta_name, NULL); - msg_debug_protocol("read MTA-Name header, value: %s", mta_name); - } - IF_HEADER(MILTER_HEADER) - { - task->protocol_flags |= RSPAMD_TASK_PROTOCOL_FLAG_MILTER; - msg_debug_protocol("read Milter header, value: %T", hv_tok); - } - break; - case 't': - case 'T': - IF_HEADER(TLS_CIPHER_HEADER) - { - task->flags |= RSPAMD_TASK_FLAG_SSL; - msg_debug_protocol("read TLS cipher header, value: %T", hv_tok); - } - break; - default: - msg_debug_protocol("generic header: %T", hn_tok); - break; + IF_HEADER(LOG_TAG_HEADER) + { + msg_debug_protocol("read log-tag header, value: %T", hv_tok); + /* Ensure that a tag is valid */ + if (rspamd_fast_utf8_validate(hv_tok->begin, hv_tok->len) == 0) { + memcpy(task->task_pool->tag.uid, hv_tok->begin, + MIN(hv_tok->len, 
sizeof(task->task_pool->tag.uid))); + } + } + break; + case 'm': + case 'M': + IF_HEADER(MTA_TAG_HEADER) + { + char *mta_tag; + mta_tag = rspamd_mempool_ftokdup(task->task_pool, hv_tok); + rspamd_mempool_set_variable(task->task_pool, + RSPAMD_MEMPOOL_MTA_TAG, + mta_tag, NULL); + msg_debug_protocol("read MTA-Tag header, value: %s", mta_tag); + } + IF_HEADER(MTA_NAME_HEADER) + { + char *mta_name; + mta_name = rspamd_mempool_ftokdup(task->task_pool, hv_tok); + rspamd_mempool_set_variable(task->task_pool, + RSPAMD_MEMPOOL_MTA_NAME, + mta_name, NULL); + msg_debug_protocol("read MTA-Name header, value: %s", mta_name); + } + IF_HEADER(MILTER_HEADER) + { + task->protocol_flags |= RSPAMD_TASK_PROTOCOL_FLAG_MILTER; + msg_debug_protocol("read Milter header, value: %T", hv_tok); + } + break; + case 't': + case 'T': + IF_HEADER(TLS_CIPHER_HEADER) + { + task->flags |= RSPAMD_TASK_FLAG_SSL; + msg_debug_protocol("read TLS cipher header, value: %T", hv_tok); + } + break; + default: + msg_debug_protocol("generic header: %T", hn_tok); + break; } rspamd_task_add_request_header (task, hn_tok, hv_tok); @@ -1716,6 +1716,7 @@ void rspamd_protocol_http_reply(struct rspamd_http_message *msg, rspamd_fstring_free(reply); rspamd_http_message_set_body_from_fstring_steal(msg, compressed_reply); rspamd_http_message_add_header(msg, COMPRESSION_HEADER, "zstd"); + rspamd_http_message_add_header(msg, CONTENT_ENCODING_HEADER, "zstd"); if (task->cfg->libs_ctx->out_dict && task->cfg->libs_ctx->out_dict->id != 0) { diff --git a/src/libserver/protocol_internal.h b/src/libserver/protocol_internal.h index 11f21430e..5582908c2 100644 --- a/src/libserver/protocol_internal.h +++ b/src/libserver/protocol_internal.h @@ -93,6 +93,8 @@ extern "C" { #define RAW_DATA_HEADER "Raw" #define COMPRESSION_HEADER "Compression" #define MESSAGE_OFFSET_HEADER "Message-Offset" +#define CONTENT_ENCODING_HEADER "Content-Encoding" +#define ACCEPT_ENCODING_HEADER "Accept-Enconding" #ifdef __cplusplus } 
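Review bot: In protocol_internal.h the new `ACCEPT_ENCODING_HEADER` is defined as `"Accept-Enconding"`, which is misspelled, so any lookup or emission through this macro will never match the standard header name. The line should read `#define ACCEPT_ENCODING_HEADER "Accept-Encoding"`. No use of the macro is visible in this diff, so the typo appears to be latent for now.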
diff --git a/src/libserver/ssl_util.c b/src/libserver/ssl_util.c index b739961a8..c0443ecd9 100644 --- a/src/libserver/ssl_util.c +++ b/src/libserver/ssl_util.c @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -1054,6 +1054,9 @@ gpointer rspamd_init_ssl_ctx_noverify(void) return ssl_ctx_noverify; } +#if defined(RSPAMD_LEGACY_SSL_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x30000000L +#include <openssl/provider.h> +#endif void rspamd_openssl_maybe_init(void) { @@ -1075,6 +1078,16 @@ void rspamd_openssl_maybe_init(void) #else OPENSSL_init_ssl(0, NULL); #endif +#if defined(RSPAMD_LEGACY_SSL_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x30000000L + if (OSSL_PROVIDER_load(NULL, "legacy") == NULL) { + msg_err("cannot load legacy OpenSSL provider: %s", ERR_lib_error_string(ERR_get_error())); + ERR_clear_error(); + } + if (OSSL_PROVIDER_load(NULL, "default") == NULL) { + msg_err("cannot load default OpenSSL provider: %s", ERR_lib_error_string(ERR_get_error())); + ERR_clear_error(); + } +#endif #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) OPENSSL_config(NULL); diff --git a/src/libserver/task.c b/src/libserver/task.c index 833046470..bd1e07549 100644 --- a/src/libserver/task.c +++ b/src/libserver/task.c 
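Review bot: In rspamd_openssl_maybe_init a failure to load the `default` provider is only logged, although OpenSSL 3 stops activating the default provider implicitly once any provider has been loaded explicitly. A process where `legacy` loads and `default` does not would be left with only the legacy algorithms, so the `default` load should come first and its failure should be treated as fatal rather than followed by `ERR_clear_error()` and a normal return. ERR_lib_error_string returns the library name and may be NULL; `ERR_reason_error_string` with a fallback string is the safer argument for `%s`. A comment such as `/* legacy provider re-enables obsolete algorithms for the default library context; opt-in via RSPAMD_LEGACY_SSL_PROVIDER only */` would record the trade-off at the call site.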
@@ -519,7 +519,11 @@ rspamd_task_load_message(struct rspamd_task *task, debug_task("got input of length %z", task->msg.len); /* Check compression */ - tok = rspamd_task_get_request_header(task, "compression"); + tok = rspamd_task_get_request_header(task, COMPRESSION_HEADER); + + if (!tok) { + tok = rspamd_task_get_request_header(task, CONTENT_ENCODING_HEADER); + } if (tok) { /* Need to uncompress */ diff --git a/src/libserver/worker_util.c b/src/libserver/worker_util.c index 383d89c14..75836573f 100644 --- a/src/libserver/worker_util.c +++ b/src/libserver/worker_util.c @@ -57,6 +57,7 @@ #include "contrib/libev/ev.h" #include "libstat/stat_api.h" +#include "libserver/protocol_internal.h" struct rspamd_worker *rspamd_current_worker = NULL; @@ -600,7 +601,7 @@ rspamd_controller_maybe_compress(struct rspamd_http_connection_entry *entry, { if (entry->support_gzip) { if (rspamd_fstring_gzip(&buf)) { - rspamd_http_message_add_header(msg, "Content-Encoding", "gzip"); + rspamd_http_message_add_header(msg, CONTENT_ENCODING_HEADER, "gzip"); } } diff --git a/src/libstat/stat_internal.h b/src/libstat/stat_internal.h index 96d67cbf6..663c39df5 100644 --- a/src/libstat/stat_internal.h +++ b/src/libstat/stat_internal.h @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, 
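Review bot: The fallback in rspamd_task_load_message makes the mere presence of `Content-Encoding` select the decompression path, and the code under `if (tok)` is outside the hunk, so it cannot be confirmed here that the header value is checked before the body is treated as zstd. If it is not, a request carrying another encoding such as `gzip` would be fed to the zstd decoder; the value should be compared against `zstd` before the "Need to uncompress" branch is entered. The precedence also deserves a comment next to the second lookup, for example `/* Compression takes precedence; Content-Encoding is consulted only when it is absent */`.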
@@ -41,8 +41,8 @@ struct rspamd_classifier { GArray *statfiles_ids; /* int */ struct rspamd_stat_cache *cache; gpointer cachecf; - gulong spam_learns; - gulong ham_learns; + guint64 spam_learns; + guint64 ham_learns; int autolearn_cbref; struct rspamd_classifier_config *cfg; struct rspamd_stat_classifier *subrs; diff --git a/src/libstat/stat_process.c b/src/libstat/stat_process.c index 5db3af6ce..17caf4cc6 100644 --- a/src/libstat/stat_process.c +++ b/src/libstat/stat_process.c @@ -1017,6 +1017,9 @@ rspamd_stat_check_autolearn(struct rspamd_task *task) cl = g_ptr_array_index(st_ctx->classifiers, i); ret = FALSE; + rspamd_mempool_set_variable(task->task_pool, RSPAMD_MEMPOOL_HAM_LEARNS, (void *) &cl->ham_learns, NULL); + rspamd_mempool_set_variable(task->task_pool, RSPAMD_MEMPOOL_SPAM_LEARNS, (void *) &cl->spam_learns, NULL); + if (cl->cfg->opts) { obj = ucl_object_lookup(cl->cfg->opts, "autolearn"); diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c index 8ba612c1b..904f1cbbf 100644 --- a/src/lua/lua_http.c +++ b/src/lua/lua_http.c @@ -21,6 +21,7 @@ #include "unix-std.h" #include "zlib.h" #include "utlist.h" +#include "libserver/protocol_internal.h" /*** * @module rspamd_http @@ -1107,7 +1108,7 @@ lua_http_request(lua_State *L) if (body) { if (gzip) { if (rspamd_fstring_gzip(&body)) { - rspamd_http_message_add_header(msg, "Content-Encoding", "gzip"); + rspamd_http_message_add_header(msg, CONTENT_ENCODING_HEADER, "gzip"); } } diff --git a/src/ragel/smtp_base.rl b/src/ragel/smtp_base.rl index eefc430d5..952c3a5c3 100644 --- a/src/ragel/smtp_base.rl +++ b/src/ragel/smtp_base.rl @@ -1,5 +1,6 @@ %%{ machine smtp_base; + alphtype unsigned char; # Base SMTP definitions # Dependencies: none diff --git a/src/rspamadm/CMakeLists.txt b/src/rspamadm/CMakeLists.txt index 5e88ec8dd..2f32a95f5 100644 --- a/src/rspamadm/CMakeLists.txt +++ b/src/rspamadm/CMakeLists.txt 
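Review bot: The two `rspamd_mempool_set_variable` calls added to rspamd_stat_check_autolearn sit inside the loop over `st_ctx->classifiers`, so with more than one classifier each iteration replaces the previous pointer and readers presumably see only the last classifier's counters. They also store the addresses of `cl->ham_learns` and `cl->spam_learns` with a NULL destructor, which means the task pool holds pointers into the classifier that are valid only as long as the classifier outlives the task. A comment should state that lifetime assumption and that consumers must read the value as `guint64 *`, matching the type change in stat_internal.h; copying the values into pool-allocated storage would remove the aliasing altogether. The function continues outside the hunk.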
@@ -22,9 +22,9 @@ ENDIF() ADD_EXECUTABLE(rspamadm ${RSPAMADMSRC}) TARGET_LINK_LIBRARIES(rspamadm rspamd-server) -IF (NOT DEBIAN_BUILD) +IF (NOT NO_TARGET_VERSIONS) SET_TARGET_PROPERTIES(rspamadm PROPERTIES VERSION ${RSPAMD_VERSION}) -ENDIF (NOT DEBIAN_BUILD) +ENDIF () SET_TARGET_PROPERTIES(rspamadm PROPERTIES LINKER_LANGUAGE CXX) ADD_BACKWARD(rspamadm) diff --git a/src/rspamd.c b/src/rspamd.c index b6c361cb2..6c204e266 100644 --- a/src/rspamd.c +++ b/src/rspamd.c @@ -1326,7 +1326,7 @@ version(struct rspamd_main *rspamd_main) #ifndef __has_feature #define __has_feature(x) 0 #endif -#if (defined(__has_feature) && __has_feature(address_sanitizer)) || defined(ADDRESS_SANITIZER) +#if (defined(__has_feature) && __has_feature(address_sanitizer)) || defined(ADDRESS_SANITIZER) || defined(__SANITIZE_ADDRESS__) rspamd_printf("ASAN enabled: TRUE\n"); #else rspamd_printf("ASAN enabled: FALSE\n"); diff --git a/src/rspamd_proxy.c b/src/rspamd_proxy.c index dbdd2e5a7..e2a866178 100644 --- a/src/rspamd_proxy.c +++ b/src/rspamd_proxy.c @@ -38,6 +38,7 @@ #include "libmime/lang_detection.h" #include <math.h> +#include <string.h> #ifdef HAVE_NETINET_TCP_H #include <netinet/tcp.h> /* for TCP_NODELAY */ @@ -2205,7 +2206,7 @@ proxy_client_finish_handler(struct rspamd_http_connection *conn, rspamd_http_message_remove_header(msg, "Connection"); rspamd_http_message_remove_header(msg, "Key"); rspamd_http_message_add_header_len(msg, LOG_TAG_HEADER, session->pool->tag.uid, - sizeof(session->pool->tag.uid)); + strnlen(session->pool->tag.uid, sizeof(session->pool->tag.uid))); proxy_open_mirror_connections(session); rspamd_http_connection_reset(session->client_conn); |