X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/41468ba140a1678e7491534fa3cddded53e1e6d2..a5ffa9b475a426bc73366db01f7cc92a3811bc3a:/src/src/dkim.c diff --git a/src/src/dkim.c b/src/src/dkim.c index 2873eda53..b9dbce68d 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -18,7 +18,7 @@ int dkim_verify_oldpool; pdkim_ctx *dkim_verify_ctx = NULL; pdkim_signature *dkim_signatures = NULL; pdkim_signature *dkim_cur_sig = NULL; -static BOOL dkim_collect_error = FALSE; +static const uschar * dkim_collect_error = NULL; static int dkim_exim_query_dns_txt(char *name, char *answer) @@ -88,7 +88,7 @@ if (dkim_verify_ctx) dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing); dkim_collect_input = !!dkim_verify_ctx; -dkim_collect_error = FALSE; +dkim_collect_error = NULL; /* Start feed up with any cached data */ receive_get_cache(); @@ -106,9 +106,9 @@ store_pool = POOL_PERM; if ( dkim_collect_input && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK) { + dkim_collect_error = pdkim_errstr(rc); log_write(0, LOG_MAIN, - "DKIM: validation error: %.100s", pdkim_errstr(rc)); - dkim_collect_error = TRUE; + "DKIM: validation error: %.100s", dkim_collect_error); dkim_collect_input = FALSE; } store_pool = dkim_verify_oldpool; @@ -119,9 +119,8 @@ void dkim_exim_verify_finish(void) { pdkim_signature * sig = NULL; -int dkim_signers_size = 0; -int dkim_signers_ptr = 0; -int rc; +int dkim_signers_size = 0, dkim_signers_ptr = 0, rc; +const uschar * errstr; store_pool = POOL_PERM; @@ -133,8 +132,8 @@ dkim_signatures = NULL; if (dkim_collect_error) { log_write(0, LOG_MAIN, - "DKIM: Error while running this message through validation," - " disabling signature verification."); + "DKIM: Error during validation, disabling signature verification: %.100s", + dkim_collect_error); dkim_disable_verify = TRUE; goto out; } @@ -143,10 +142,11 @@ dkim_collect_input = FALSE; /* Finish DKIM operation and fetch link to signatures chain */ -if ((rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures)) != PDKIM_OK) +rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr); +if (rc != PDKIM_OK) { - log_write(0, LOG_MAIN, - "DKIM: validation error: %.100s", pdkim_errstr(rc)); + log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc), + errstr ? ": " : "", errstr ? errstr : US""); goto out; } @@ -448,15 +448,19 @@ switch (what) } +/* Generate signatures for the given file, returning a string. +If a prefix is given, prepend it to the file for the calculations. +*/ + uschar * -dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim) +dkim_exim_sign(int fd, off_t off, uschar * prefix, + struct ob_dkim * dkim, const uschar ** errstr) { const uschar * dkim_domain; int sep = 0; uschar *seen_items = NULL; int seen_items_size = 0; int seen_items_offset = 0; -uschar itembuf[256]; uschar *dkim_canon_expanded; uschar *dkim_sign_headers_expanded; uschar *dkim_private_key_expanded; @@ -485,10 +489,9 @@ if (!(dkim_domain = expand_cstring(dkim->dkim_domain))) /* Set $dkim_domain expansion variable to each unique domain in list. */ -while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, - itembuf, sizeof(itembuf)))) +while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0))) { - if (!dkim_signing_domain || dkim_signing_domain[0] == '\0') + if (dkim_signing_domain[0] == '\0') continue; /* Only sign once for each domain, no matter how often it @@ -571,7 +574,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, if (dkim_private_key_expanded[0] == '/') { - int privkey_fd = 0; + int privkey_fd, off = 0, len; /* Looks like a filename, load the private key. */ @@ -585,24 +588,33 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, goto bad; } - if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0) + do { - log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s", - dkim_private_key_expanded); - goto bad; + if ((len = read(privkey_fd, big_buffer + off, big_buffer_size - 2 - off)) < 0) + { + (void) close(privkey_fd); + log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s", + dkim_private_key_expanded); + goto bad; + } + off += len; } + while (len > 0); (void) close(privkey_fd); + big_buffer[off] = '\0'; dkim_private_key_expanded = big_buffer; } - ctx = pdkim_init_sign(CS dkim_signing_domain, + if (!(ctx = pdkim_init_sign(CS dkim_signing_domain, CS dkim_signing_selector, CS dkim_private_key_expanded, PDKIM_ALGO_RSA_SHA256, dkim->dot_stuffed, - &dkim_exim_query_dns_txt - ); + &dkim_exim_query_dns_txt, + errstr + ))) + goto bad; dkim_private_key_expanded[0] = '\0'; pdkim_set_optional(ctx, CS dkim_sign_headers_expanded, @@ -610,11 +622,15 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, pdkim_canon, pdkim_canon, -1, 0, 0); - lseek(dkim_fd, 0, SEEK_SET); + if (prefix) + pdkim_feed(ctx, prefix, Ustrlen(prefix)); - while ((sread = read(dkim_fd, &buf, sizeof(buf))) > 0) - if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK) - goto pk_bad; + if (lseek(fd, off, SEEK_SET) < 0) + sread = -1; + else + while ((sread = read(fd, &buf, sizeof(buf))) > 0) + if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK) + goto pk_bad; /* Handle failed read above. */ if (sread == -1) @@ -624,7 +640,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, goto bad; } - if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK) + if ((pdkim_rc = pdkim_feed_finish(ctx, &signature, errstr)) != PDKIM_OK) goto pk_bad; sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,