DKIM: support multiple hash methods

[exim.git] / src / src / dkim.c

diff --git a/src/src/dkim.c b/src/src/dkim.c
index 33e7bc84cdc134d89111f7d4ece0e8d9d4c41bb6..2b7f55ae8596ea680f767a2a65a0a046987991fd 100644 (file)
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -20,6 +20,12 @@ pdkim_signature *dkim_signatures = NULL;
 pdkim_signature *dkim_cur_sig = NULL;
 static const uschar * dkim_collect_error = NULL;
 
+
+
+/*XXX the caller only uses the first record if we return multiple.
+Could we hand back an allocated string?
+*/
+
 static int
 dkim_exim_query_dns_txt(char *name, char *answer)
 {
@@ -48,7 +54,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
       uschar len = rr->data[rr_offset++];
       snprintf(answer + answer_offset,
                PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
-               "%.*s", (int)len, (char *) (rr->data + rr_offset));
+               "%.*s", (int)len, CS  (rr->data + rr_offset));
       rr_offset += len;
       answer_offset += len;
       if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
@@ -104,7 +110,7 @@ int rc;
 
 store_pool = POOL_PERM;
 if (  dkim_collect_input
-   && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK)
+   && (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK)
   {
   dkim_collect_error = pdkim_errstr(rc);
   log_write(0, LOG_MAIN,
@@ -164,9 +170,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
   logmsg = string_append(logmsg, &size, &ptr, 7, 
        " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
        "/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-       " a=", sig->algo == PDKIM_ALGO_RSA_SHA256
-               ? "rsa-sha256"
-               : sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
+       " a=", dkim_sig_to_a_tag(sig),
        string_sprintf(" b=%d",
                        (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
   if ((s= sig->identity)) logmsg = string_append(logmsg, &size, &ptr, 2, " i=", s);
@@ -338,12 +342,7 @@ if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig)
 switch (what)
   {
   case DKIM_ALGO:
-    switch (dkim_cur_sig->algo)
-      {
-      case PDKIM_ALGO_RSA_SHA1:        return US"rsa-sha1";
-      case PDKIM_ALGO_RSA_SHA256:
-      default:                 return US"rsa-sha256";
-      }
+    return dkim_sig_to_a_tag(dkim_cur_sig);
 
   case DKIM_BODYLENGTH:
     return dkim_cur_sig->bodylength >= 0
@@ -466,6 +465,7 @@ int seen_items_offset = 0;
 uschar *dkim_canon_expanded;
 uschar *dkim_sign_headers_expanded;
 uschar *dkim_private_key_expanded;
+uschar *dkim_hash_expanded;
 pdkim_ctx *ctx = NULL;
 uschar *rc = NULL;
 uschar *sigbuf = NULL;
@@ -475,7 +475,7 @@ pdkim_signature *signature;
 int pdkim_canon;
 int pdkim_rc;
 int sread;
-char buf[4096];
+uschar buf[4096];
 int save_errno = 0;
 int old_pool = store_pool;
 
@@ -608,10 +608,20 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0)))
     dkim_private_key_expanded = big_buffer;
     }
 
-  if (!(ctx = pdkim_init_sign(CS dkim_signing_domain,
-                       CS dkim_signing_selector,
-                       CS dkim_private_key_expanded,
-                       PDKIM_ALGO_RSA_SHA256,
+  if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash)))
+    {
+    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
+              "dkim_hash: %s", expand_string_message);
+    goto bad;
+    }
+
+/*XXX so we currently nail signing to RSA + given hash.
+Need to extract algo from privkey and check for disallowed combos. */
+
+  if (!(ctx = pdkim_init_sign(dkim_signing_domain,
+                       dkim_signing_selector,
+                       dkim_private_key_expanded,
+                       dkim_hash_expanded,
                        dkim->dot_stuffed,
                        &dkim_exim_query_dns_txt,
                        errstr