pdkim_ctx *dkim_verify_ctx = NULL;
pdkim_signature *dkim_signatures = NULL;
pdkim_signature *dkim_cur_sig = NULL;
-static BOOL dkim_collect_error = FALSE;
+static const uschar * dkim_collect_error = NULL;
static int
dkim_exim_query_dns_txt(char *name, char *answer)
uschar len = rr->data[rr_offset++];
snprintf(answer + answer_offset,
PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
- "%.*s", (int)len, (char *) (rr->data + rr_offset));
+ "%.*s", (int)len, CS (rr->data + rr_offset));
rr_offset += len;
answer_offset += len;
if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
dkim_collect_input = !!dkim_verify_ctx;
-dkim_collect_error = FALSE;
+dkim_collect_error = NULL;
/* Start feed up with any cached data */
receive_get_cache();
store_pool = POOL_PERM;
if ( dkim_collect_input
- && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK)
+ && (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK)
{
+ dkim_collect_error = pdkim_errstr(rc);
log_write(0, LOG_MAIN,
- "DKIM: validation error: %.100s", pdkim_errstr(rc));
- dkim_collect_error = TRUE;
+ "DKIM: validation error: %.100s", dkim_collect_error);
dkim_collect_input = FALSE;
}
store_pool = dkim_verify_oldpool;
dkim_exim_verify_finish(void)
{
pdkim_signature * sig = NULL;
-int dkim_signers_size = 0;
-int dkim_signers_ptr = 0;
-int rc;
+int dkim_signers_size = 0, dkim_signers_ptr = 0, rc;
+const uschar * errstr;
store_pool = POOL_PERM;
if (dkim_collect_error)
{
log_write(0, LOG_MAIN,
- "DKIM: Error while running this message through validation,"
- " disabling signature verification.");
+ "DKIM: Error during validation, disabling signature verification: %.100s",
+ dkim_collect_error);
dkim_disable_verify = TRUE;
goto out;
}
/* Finish DKIM operation and fetch link to signatures chain */
-if ((rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures)) != PDKIM_OK)
+rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
+if (rc != PDKIM_OK)
{
- log_write(0, LOG_MAIN,
- "DKIM: validation error: %.100s", pdkim_errstr(rc));
+ log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
+ errstr ? ": " : "", errstr ? errstr : US"");
goto out;
}
: sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
string_sprintf(" b=%d",
(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
- if ((s= sig->identity)) string_append(logmsg, &size, &ptr, 2, " i=", s);
- if (sig->created > 0) string_append(logmsg, &size, &ptr, 1,
+ if ((s= sig->identity)) logmsg = string_append(logmsg, &size, &ptr, 2, " i=", s);
+ if (sig->created > 0) logmsg = string_append(logmsg, &size, &ptr, 1,
string_sprintf(" t=%lu", sig->created));
- if (sig->expires > 0) string_append(logmsg, &size, &ptr, 1,
+ if (sig->expires > 0) logmsg = string_append(logmsg, &size, &ptr, 1,
string_sprintf(" x=%lu", sig->expires));
- if (sig->bodylength > -1) string_append(logmsg, &size, &ptr, 1,
+ if (sig->bodylength > -1) logmsg = string_append(logmsg, &size, &ptr, 1,
string_sprintf(" l=%lu", sig->bodylength));
switch (sig->verify_status)
/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
if (sig->domain)
- dkim_signers = string_append_listele(dkim_signers, ':', sig->domain);
+ dkim_signers = string_append_listele(dkim_signers, &dkim_signers_size,
+ &dkim_signers_ptr, ':', sig->domain);
if (sig->identity)
- dkim_signers = string_append_listele(dkim_signers, ':', sig->identity);
+ dkim_signers = string_append_listele(dkim_signers, &dkim_signers_size,
+ &dkim_signers_ptr, ':', sig->identity);
/* Process next signature */
}
}
+/* Generate signatures for the given file, returning a string.
+If a prefix is given, prepend it to the file for the calculations.
+*/
+
uschar *
-dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim)
+dkim_exim_sign(int fd, off_t off, uschar * prefix,
+ struct ob_dkim * dkim, const uschar ** errstr)
{
const uschar * dkim_domain;
int sep = 0;
uschar *seen_items = NULL;
int seen_items_size = 0;
int seen_items_offset = 0;
-uschar itembuf[256];
uschar *dkim_canon_expanded;
uschar *dkim_sign_headers_expanded;
uschar *dkim_private_key_expanded;
int pdkim_canon;
int pdkim_rc;
int sread;
-char buf[4096];
+uschar buf[4096];
int save_errno = 0;
int old_pool = store_pool;
/* Set $dkim_domain expansion variable to each unique domain in list. */
-while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
- itembuf, sizeof(itembuf))))
+while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0)))
{
- if (!dkim_signing_domain || dkim_signing_domain[0] == '\0')
+ if (dkim_signing_domain[0] == '\0')
continue;
/* Only sign once for each domain, no matter how often it
if (dkim_private_key_expanded[0] == '/')
{
- int privkey_fd = 0;
+ int privkey_fd, off = 0, len;
/* Looks like a filename, load the private key. */
goto bad;
}
- if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
+ do
{
- log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
- dkim_private_key_expanded);
- goto bad;
+ if ((len = read(privkey_fd, big_buffer + off, big_buffer_size - 2 - off)) < 0)
+ {
+ (void) close(privkey_fd);
+ log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
+ dkim_private_key_expanded);
+ goto bad;
+ }
+ off += len;
}
+ while (len > 0);
(void) close(privkey_fd);
+ big_buffer[off] = '\0';
dkim_private_key_expanded = big_buffer;
}
- ctx = pdkim_init_sign(CS dkim_signing_domain,
+ if (!(ctx = pdkim_init_sign(CS dkim_signing_domain,
CS dkim_signing_selector,
CS dkim_private_key_expanded,
PDKIM_ALGO_RSA_SHA256,
dkim->dot_stuffed,
- &dkim_exim_query_dns_txt
- );
+ &dkim_exim_query_dns_txt,
+ errstr
+ )))
+ goto bad;
dkim_private_key_expanded[0] = '\0';
pdkim_set_optional(ctx,
CS dkim_sign_headers_expanded,
pdkim_canon,
pdkim_canon, -1, 0, 0);
- lseek(dkim_fd, 0, SEEK_SET);
+ if (prefix)
+ pdkim_feed(ctx, prefix, Ustrlen(prefix));
- while ((sread = read(dkim_fd, &buf, sizeof(buf))) > 0)
- if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK)
- goto pk_bad;
+ if (lseek(fd, off, SEEK_SET) < 0)
+ sread = -1;
+ else
+ while ((sread = read(fd, &buf, sizeof(buf))) > 0)
+ if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK)
+ goto pk_bad;
/* Handle failed read above. */
if (sread == -1)
goto bad;
}
- if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
+ if ((pdkim_rc = pdkim_feed_finish(ctx, &signature, errstr)) != PDKIM_OK)
goto pk_bad;
sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,