X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/59d9803955886f56f67e3ceff5632b704e4c5548..d73e45df63ef6602fa32bd3e196d20735a0b69b5:/src/src/dkim.c diff --git a/src/src/dkim.c b/src/src/dkim.c index f51021443..2b7f55ae8 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -20,6 +20,12 @@ pdkim_signature *dkim_signatures = NULL; pdkim_signature *dkim_cur_sig = NULL; static const uschar * dkim_collect_error = NULL; + + +/*XXX the caller only uses the first record if we return multiple. +Could we hand back an allocated string? +*/ + static int dkim_exim_query_dns_txt(char *name, char *answer) { @@ -48,7 +54,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); uschar len = rr->data[rr_offset++]; snprintf(answer + answer_offset, PDKIM_DNS_TXT_MAX_RECLEN - answer_offset, - "%.*s", (int)len, (char *) (rr->data + rr_offset)); + "%.*s", (int)len, CS (rr->data + rr_offset)); rr_offset += len; answer_offset += len; if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) @@ -104,7 +110,7 @@ int rc; store_pool = POOL_PERM; if ( dkim_collect_input - && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK) + && (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK) { dkim_collect_error = pdkim_errstr(rc); log_write(0, LOG_MAIN, @@ -164,17 +170,15 @@ for (sig = dkim_signatures; sig; sig = sig->next) logmsg = string_append(logmsg, &size, &ptr, 7, " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed", "/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed", - " a=", sig->algo == PDKIM_ALGO_RSA_SHA256 - ? "rsa-sha256" - : sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err", + " a=", dkim_sig_to_a_tag(sig), string_sprintf(" b=%d", (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0)); - if ((s= sig->identity)) string_append(logmsg, &size, &ptr, 2, " i=", s); - if (sig->created > 0) string_append(logmsg, &size, &ptr, 1, + if ((s= sig->identity)) logmsg = string_append(logmsg, &size, &ptr, 2, " i=", s); + if (sig->created > 0) logmsg = string_append(logmsg, &size, &ptr, 1, string_sprintf(" t=%lu", sig->created)); - if (sig->expires > 0) string_append(logmsg, &size, &ptr, 1, + if (sig->expires > 0) logmsg = string_append(logmsg, &size, &ptr, 1, string_sprintf(" x=%lu", sig->expires)); - if (sig->bodylength > -1) string_append(logmsg, &size, &ptr, 1, + if (sig->bodylength > -1) logmsg = string_append(logmsg, &size, &ptr, 1, string_sprintf(" l=%lu", sig->bodylength)); switch (sig->verify_status) @@ -251,10 +255,12 @@ for (sig = dkim_signatures; sig; sig = sig->next) /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */ if (sig->domain) - dkim_signers = string_append_listele(dkim_signers, ':', sig->domain); + dkim_signers = string_append_listele(dkim_signers, &dkim_signers_size, + &dkim_signers_ptr, ':', sig->domain); if (sig->identity) - dkim_signers = string_append_listele(dkim_signers, ':', sig->identity); + dkim_signers = string_append_listele(dkim_signers, &dkim_signers_size, + &dkim_signers_ptr, ':', sig->identity); /* Process next signature */ } @@ -336,12 +342,7 @@ if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig) switch (what) { case DKIM_ALGO: - switch (dkim_cur_sig->algo) - { - case PDKIM_ALGO_RSA_SHA1: return US"rsa-sha1"; - case PDKIM_ALGO_RSA_SHA256: - default: return US"rsa-sha256"; - } + return dkim_sig_to_a_tag(dkim_cur_sig); case DKIM_BODYLENGTH: return dkim_cur_sig->bodylength >= 0 @@ -448,18 +449,23 @@ switch (what) } +/* Generate signatures for the given file, returning a string. +If a prefix is given, prepend it to the file for the calculations. +*/ + uschar * -dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim, const uschar ** errstr) +dkim_exim_sign(int fd, off_t off, uschar * prefix, + struct ob_dkim * dkim, const uschar ** errstr) { const uschar * dkim_domain; int sep = 0; uschar *seen_items = NULL; int seen_items_size = 0; int seen_items_offset = 0; -uschar itembuf[256]; uschar *dkim_canon_expanded; uschar *dkim_sign_headers_expanded; uschar *dkim_private_key_expanded; +uschar *dkim_hash_expanded; pdkim_ctx *ctx = NULL; uschar *rc = NULL; uschar *sigbuf = NULL; @@ -469,7 +475,7 @@ pdkim_signature *signature; int pdkim_canon; int pdkim_rc; int sread; -char buf[4096]; +uschar buf[4096]; int save_errno = 0; int old_pool = store_pool; @@ -485,10 +491,9 @@ if (!(dkim_domain = expand_cstring(dkim->dkim_domain))) /* Set $dkim_domain expansion variable to each unique domain in list. */ -while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, - itembuf, sizeof(itembuf)))) +while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0))) { - if (!dkim_signing_domain || dkim_signing_domain[0] == '\0') + if (dkim_signing_domain[0] == '\0') continue; /* Only sign once for each domain, no matter how often it @@ -603,10 +608,20 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, dkim_private_key_expanded = big_buffer; } - if (!(ctx = pdkim_init_sign(CS dkim_signing_domain, - CS dkim_signing_selector, - CS dkim_private_key_expanded, - PDKIM_ALGO_RSA_SHA256, + if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash))) + { + log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand " + "dkim_hash: %s", expand_string_message); + goto bad; + } + +/*XXX so we currently nail signing to RSA + given hash. +Need to extract algo from privkey and check for disallowed combos. */ + + if (!(ctx = pdkim_init_sign(dkim_signing_domain, + dkim_signing_selector, + dkim_private_key_expanded, + dkim_hash_expanded, dkim->dot_stuffed, &dkim_exim_query_dns_txt, errstr @@ -619,11 +634,15 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, pdkim_canon, pdkim_canon, -1, 0, 0); - lseek(dkim_fd, 0, SEEK_SET); + if (prefix) + pdkim_feed(ctx, prefix, Ustrlen(prefix)); - while ((sread = read(dkim_fd, &buf, sizeof(buf))) > 0) - if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK) - goto pk_bad; + if (lseek(fd, off, SEEK_SET) < 0) + sread = -1; + else + while ((sread = read(fd, &buf, sizeof(buf))) > 0) + if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK) + goto pk_bad; /* Handle failed read above. */ if (sread == -1)