#include "rsa.h"
#define PDKIM_SIGNATURE_VERSION "1"
-#define PDKIM_PUB_RECORD_VERSION "DKIM1"
+#define PDKIM_PUB_RECORD_VERSION US "DKIM1"
#define PDKIM_MAX_HEADER_LEN 65536
#define PDKIM_MAX_HEADERS 512
/* -------------------------------------------------------------------------- */
struct pdkim_stringlist {
- char *value;
- int tag;
- void *next;
-};
-
-#define PDKIM_STR_ALLOC_FRAG 256
-struct pdkim_str {
- char *str;
- unsigned int len;
- unsigned int allocated;
+ uschar * value;
+ int tag;
+ void * next;
};
/* -------------------------------------------------------------------------- */
/* A bunch of list constants */
-const char *pdkim_querymethods[] = {
- "dns/txt",
+const uschar * pdkim_querymethods[] = {
+ US"dns/txt",
NULL
};
-const char *pdkim_algos[] = {
- "rsa-sha256",
- "rsa-sha1",
+const uschar * pdkim_algos[] = {
+ US"rsa-sha256",
+ US"rsa-sha1",
NULL
};
-const char *pdkim_canons[] = {
- "simple",
- "relaxed",
+const uschar * pdkim_canons[] = {
+ US"simple",
+ US"relaxed",
NULL
};
-const char *pdkim_hashes[] = {
- "sha256",
- "sha1",
+const uschar * pdkim_hashes[] = {
+ US"sha256",
+ US"sha1",
NULL
};
-const char *pdkim_keytypes[] = {
- "rsa",
+const uschar * pdkim_keytypes[] = {
+ US"rsa",
NULL
};
typedef struct pdkim_combined_canon_entry {
- const char *str;
+ const uschar * str;
int canon_headers;
int canon_body;
} pdkim_combined_canon_entry;
pdkim_combined_canon_entry pdkim_combined_canons[] = {
- { "simple/simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
- { "simple/relaxed", PDKIM_CANON_SIMPLE, PDKIM_CANON_RELAXED },
- { "relaxed/simple", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
- { "relaxed/relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_RELAXED },
- { "simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
- { "relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
- { NULL, 0, 0 }
+ { US"simple/simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
+ { US"simple/relaxed", PDKIM_CANON_SIMPLE, PDKIM_CANON_RELAXED },
+ { US"relaxed/simple", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
+ { US"relaxed/relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_RELAXED },
+ { US"simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
+ { US"relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
+ { NULL, 0, 0 }
};
const char *
pdkim_verify_status_str(int status)
{
- switch(status) {
- case PDKIM_VERIFY_NONE: return "PDKIM_VERIFY_NONE";
- case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
- case PDKIM_VERIFY_FAIL: return "PDKIM_VERIFY_FAIL";
- case PDKIM_VERIFY_PASS: return "PDKIM_VERIFY_PASS";
- default: return "PDKIM_VERIFY_UNKNOWN";
+switch(status)
+ {
+ case PDKIM_VERIFY_NONE: return "PDKIM_VERIFY_NONE";
+ case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
+ case PDKIM_VERIFY_FAIL: return "PDKIM_VERIFY_FAIL";
+ case PDKIM_VERIFY_PASS: return "PDKIM_VERIFY_PASS";
+ default: return "PDKIM_VERIFY_UNKNOWN";
}
}
const char *
pdkim_verify_ext_status_str(int ext_status)
{
- switch(ext_status) {
- case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
- case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
- case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
- case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
- case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
- case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
- default: return "PDKIM_VERIFY_UNKNOWN";
+switch(ext_status)
+ {
+ case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
+ case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
+ case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
+ case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
+ case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
+ case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
+ case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR";
+ case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION";
+ default: return "PDKIM_VERIFY_UNKNOWN";
+ }
+}
+
+const char *
+pdkim_errstr(int status)
+{
+switch(status)
+ {
+ case PDKIM_OK: return "OK";
+ case PDKIM_FAIL: return "FAIL";
+ case PDKIM_ERR_RSA_PRIVKEY: return "RSA_PRIVKEY";
+ case PDKIM_ERR_RSA_SIGNING: return "RSA SIGNING";
+ case PDKIM_ERR_LONG_LINE: return "RSA_LONG_LINE";
+ case PDKIM_ERR_BUFFER_TOO_SMALL: return "BUFFER_TOO_SMALL";
+ case PDKIM_SIGN_PRIVKEY_WRAP: return "PRIVKEY_WRAP";
+ case PDKIM_SIGN_PRIVKEY_B64D: return "PRIVKEY_B64D";
+ default: return "(unknown)";
}
}
/* -------------------------------------------------------------------------- */
/* Print debugging functions */
static void
-pdkim_quoteprint(const char *data, int len)
+pdkim_quoteprint(const uschar *data, int len)
{
int i;
-const unsigned char *p = (const unsigned char *)data;
-
for (i = 0; i < len; i++)
{
- const int c = p[i];
+ const int c = data[i];
switch (c)
{
case ' ' : debug_printf("{SP}"); break;
}
static void
-pdkim_hexprint(const char *data, int len)
+pdkim_hexprint(const uschar *data, int len)
{
int i;
-const unsigned char *p = (const unsigned char *)data;
-
-for (i = 0 ; i < len; i++)
- debug_printf("%02x", p[i]);
+for (i = 0 ; i < len; i++) debug_printf("%02x", data[i]);
debug_printf("\n");
}
-/* SSS probably want to keep the "stringlist" notion */
-
static pdkim_stringlist *
-pdkim_prepend_stringlist(pdkim_stringlist *base, char *str)
+pdkim_prepend_stringlist(pdkim_stringlist * base, const uschar * str)
{
-pdkim_stringlist *new_entry = malloc(sizeof(pdkim_stringlist));
+pdkim_stringlist * new_entry = store_get(sizeof(pdkim_stringlist));
-if (!new_entry) return NULL;
memset(new_entry, 0, sizeof(pdkim_stringlist));
-if (!(new_entry->value = strdup(str))) return NULL;
+new_entry->value = string_copy(str);
if (base) new_entry->next = base;
return new_entry;
}
-/* -------------------------------------------------------------------------- */
-/* A small "growing string" implementation to escape malloc/realloc hell */
-/* String package: should be replaced by Exim standard ones */
-/* SSS Ustrcpy */
-
-static pdkim_str *
-pdkim_strnew (const char *cstr)
-{
-unsigned int len = cstr ? strlen(cstr) : 0;
-pdkim_str *p = malloc(sizeof(pdkim_str));
-
-if (!p) return NULL;
-memset(p, 0, sizeof(pdkim_str));
-if (!(p->str = malloc(len+1)))
- {
- free(p);
- return NULL;
- }
-p->allocated = len+1;
-p->len = len;
-if (cstr)
- strcpy(p->str, cstr);
-else
- p->str[p->len] = '\0';
-return p;
-}
-
-
-/*SSS Ustrncat */
-
-static char *
-pdkim_strncat(pdkim_str *str, const char *data, int len)
-{
-if ((str->allocated - str->len) < (len+1))
- {
- /* Extend the buffer */
- int num_frags = ((len+1)/PDKIM_STR_ALLOC_FRAG)+1;
- char *n = realloc(str->str,
- (str->allocated+(num_frags*PDKIM_STR_ALLOC_FRAG)));
- if (n == NULL) return NULL;
- str->str = n;
- str->allocated += (num_frags*PDKIM_STR_ALLOC_FRAG);
- }
-strncpy(&(str->str[str->len]), data, len);
-str->len += len;
-str->str[str->len] = '\0';
-return str->str;
-}
-
-
-/* SSS Ustrcat */
-
-static char *
-pdkim_strcat(pdkim_str *str, const char *cstr)
-{
-return pdkim_strncat(str, cstr, strlen(cstr));
-}
-
-
/* Trim whitespace fore & aft */
-static char *
-pdkim_strtrim(pdkim_str *str)
+static void
+pdkim_strtrim(uschar * str)
{
-char *p = str->str;
-char *q = str->str;
+uschar * p = str;
+uschar * q = str;
while (*p == '\t' || *p == ' ') p++; /* skip whitespace */
while (*p) {*q = *p; q++; p++;} /* dump the leading whitespace */
*q = '\0';
-while (q != str->str && ( (*q == '\0') || (*q == '\t') || (*q == ' ') ) )
+while (q != str && ( (*q == '\0') || (*q == '\t') || (*q == ' ') ) )
{ /* dump trailing whitespace */
*q = '\0';
q--;
}
-str->len = strlen(str->str);
-return str->str;
}
-static char *
-pdkim_strclear(pdkim_str *str)
-{
-str->str[0] = '\0';
-str->len = 0;
-return str->str;
-}
-
-
-
-static void
-pdkim_strfree(pdkim_str *str)
-{
-if (!str) return;
-if (str->str) free(str->str);
-free(str);
-}
-
-
-static void
-pdkim_stringlist_free(pdkim_stringlist * e)
-{
-while(e)
- {
- pdkim_stringlist * c = e;
- if (e->value) free(e->value);
- e = e->next;
- free(c);
- }
-}
-
-
-
-/* -------------------------------------------------------------------------- */
-
-static void
-pdkim_free_pubkey(pdkim_pubkey *pub)
-{
-if (pub)
- {
- if (pub->version ) free(pub->version);
- if (pub->granularity) free(pub->granularity);
- if (pub->hashes ) free(pub->hashes);
- if (pub->keytype ) free(pub->keytype);
- if (pub->srvtype ) free(pub->srvtype);
- if (pub->notes ) free(pub->notes);
- free(pub);
- }
-}
-
-
-/* -------------------------------------------------------------------------- */
-
-static void
-pdkim_free_sig(pdkim_signature *sig)
-{
-if (sig)
- {
- pdkim_signature *next = (pdkim_signature *)sig->next;
-
- pdkim_stringlist_free(sig->headers);
- if (sig->selector ) free(sig->selector);
- if (sig->domain ) free(sig->domain);
- if (sig->identity ) free(sig->identity);
- if (sig->copiedheaders ) free(sig->copiedheaders);
- if (sig->rsa_privkey ) free(sig->rsa_privkey);
- if (sig->sign_headers ) free(sig->sign_headers);
- if (sig->signature_header) free(sig->signature_header);
-
- if (sig->pubkey) pdkim_free_pubkey(sig->pubkey);
-
- free(sig);
- if (next) pdkim_free_sig(next);
- }
-}
-
-
/* -------------------------------------------------------------------------- */
DLLEXPORT void
pdkim_free_ctx(pdkim_ctx *ctx)
{
-if (ctx)
- {
- pdkim_stringlist_free(ctx->headers);
- pdkim_free_sig(ctx->sig);
- pdkim_strfree(ctx->cur_header);
- free(ctx);
- }
}
/*XXX might be safer done using a pdkim_stringlist for "tick" */
static int
-header_name_match(const char * header, char * tick)
+header_name_match(const uschar * header, uschar * tick)
{
-char *hname;
-char *lcopy;
-char *p;
-char *q;
-int rc = PDKIM_FAIL;
-
-/* Get header name */
-char *hcolon = strchr(header, ':');
+uschar * hname;
+uschar * lcopy;
+uschar * p;
+uschar * q;
+uschar * hcolon = Ustrchr(header, ':'); /* Get header name */
-if (!hcolon) return rc; /* This isn't a header */
+if (!hcolon)
+ return PDKIM_FAIL; /* This isn't a header */
-if (!(hname = malloc((hcolon-header)+1)))
- return PDKIM_ERR_OOM;
-memset(hname, 0, (hcolon-header)+1);
-strncpy(hname, header, (hcolon-header));
+/* if we had strncmpic() we wouldn't need this copy */
+hname = string_copyn(header, hcolon-header);
/* Copy tick-off list locally, so we can punch zeroes into it */
-if (!(lcopy = strdup(tick)))
- {
- free(hname);
- return PDKIM_ERR_OOM;
- }
-p = lcopy;
-q = strchr(p, ':');
-while (q)
+p = lcopy = string_copy(tick);
+
+for (q = Ustrchr(p, ':'); q; q = Ustrchr(p, ':'))
{
*q = '\0';
-
- if (strcasecmp(p, hname) == 0)
- {
- rc = PDKIM_OK;
- /* Invalidate header name instance in tick-off list */
- tick[p-lcopy] = '_';
- goto BAIL;
- }
+ if (strcmpic(p, hname) == 0)
+ goto found;
p = q+1;
- q = strchr(p, ':');
}
-if (strcasecmp(p, hname) == 0)
- {
- rc = PDKIM_OK;
+if (strcmpic(p, hname) == 0)
+ goto found;
+
+return PDKIM_FAIL;
+
+found:
/* Invalidate header name instance in tick-off list */
tick[p-lcopy] = '_';
- }
-
-BAIL:
-free(hname);
-free(lcopy);
-return rc;
+ return PDKIM_OK;
}
/* -------------------------------------------------------------------------- */
-/* Performs "relaxed" canonicalization of a header. The returned pointer needs
- to be free()d. */
+/* Performs "relaxed" canonicalization of a header. */
-static char *
-pdkim_relax_header (char *header, int crlf)
+static uschar *
+pdkim_relax_header(const uschar * header, int crlf)
{
BOOL past_field_name = FALSE;
BOOL seen_wsp = FALSE;
-char *p;
-char *q;
-char *relaxed = malloc(strlen(header)+3);
+const uschar * p;
+uschar * relaxed = store_get(Ustrlen(header)+3);
+uschar * q = relaxed;
-if (!relaxed) return NULL;
-
-q = relaxed;
-for (p = header; *p != '\0'; p++)
+for (p = header; *p; p++)
{
- int c = *p;
+ uschar c = *p;
/* Ignore CR & LF */
if (c == '\r' || c == '\n')
continue;
}
if (q > relaxed && q[-1] == ' ') q--; /* Squash eventual trailing SP */
-*q = '\0';
-if (crlf) strcat(relaxed, "\r\n");
+if (crlf) { *q++ = '\r'; *q++ = '\n'; }
+*q = '\0';
return relaxed;
}
/* -------------------------------------------------------------------------- */
#define PDKIM_QP_ERROR_DECODE -1
-static char *
-pdkim_decode_qp_char(char *qp_p, int *c)
+static uschar *
+pdkim_decode_qp_char(uschar *qp_p, int *c)
{
-char *initial_pos = qp_p;
+uschar *initial_pos = qp_p;
/* Advance one char */
qp_p++;
/* -------------------------------------------------------------------------- */
-static char *
-pdkim_decode_qp(char *str)
+static uschar *
+pdkim_decode_qp(uschar * str)
{
int nchar = 0;
-char *q;
-char *p = str;
-char *n = malloc(strlen(p)+1);
-
-if (!n) return NULL;
+uschar * q;
+uschar * p = str;
+uschar * n = store_get(Ustrlen(str)+1);
*n = '\0';
q = n;
-while (*p != '\0')
+while (*p)
{
if (*p == '=')
{
pdkim_decode_base64(uschar *str, blob * b)
{
int dlen;
-char *res;
dlen = b64decode(str, &b->data);
if (dlen < 0) b->data = NULL;
b->len = dlen;
}
-/* -------------------------------------------------------------------------- */
-
-static char *
+static uschar *
pdkim_encode_base64(blob * b)
{
-char * ret;
-int old_pool = store_pool;
-
-store_pool = POOL_PERM;
-ret = CS b64encode(b->data, b->len);
-store_pool = old_pool;
-return ret;
+return b64encode(b->data, b->len);
}
#define PDKIM_HDR_VALUE 2
static pdkim_signature *
-pdkim_parse_sig_header(pdkim_ctx *ctx, char *raw_hdr)
+pdkim_parse_sig_header(pdkim_ctx *ctx, uschar * raw_hdr)
{
pdkim_signature *sig ;
-char *p, *q;
-pdkim_str *cur_tag = NULL;
-pdkim_str *cur_val = NULL;
+uschar *p, *q;
+uschar * cur_tag = NULL; int ts = 0, tl = 0;
+uschar * cur_val = NULL; int vs = 0, vl = 0;
BOOL past_hname = FALSE;
BOOL in_b_val = FALSE;
int where = PDKIM_HDR_LIMBO;
int i;
-int old_pool = store_pool;
-
-/* There is a store-reset between header & body reception
-so cannot use the main pool. Any allocs done by Exim
-memory-handling must use the perm pool. */
-
-store_pool = POOL_PERM;
-if (!(sig = malloc(sizeof(pdkim_signature)))) return NULL;
+sig = store_get(sizeof(pdkim_signature));
memset(sig, 0, sizeof(pdkim_signature));
sig->bodylength = -1;
-if (!(sig->rawsig_no_b_val = malloc(strlen(raw_hdr)+1)))
- {
- free(sig);
- return NULL;
- }
+/* Set so invalid/missing data error display is accurate */
+sig->algo = -1;
+sig->version = 0;
-q = sig->rawsig_no_b_val;
+q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1);
for (p = raw_hdr; ; p++)
{
if (where == PDKIM_HDR_TAG)
{
- if (!cur_tag)
- cur_tag = pdkim_strnew(NULL);
-
if (c >= 'a' && c <= 'z')
- pdkim_strncat(cur_tag, p, 1);
+ cur_tag = string_catn(cur_tag, &ts, &tl, p, 1);
if (c == '=')
{
- if (strcmp(cur_tag->str, "b") == 0)
+ cur_tag[tl] = '\0';
+ if (Ustrcmp(cur_tag, "b") == 0)
{
- *q = '='; q++;
+ *q++ = '=';
in_b_val = TRUE;
}
where = PDKIM_HDR_VALUE;
if (where == PDKIM_HDR_VALUE)
{
- if (!cur_val)
- cur_val = pdkim_strnew(NULL);
-
if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
goto NEXT_CHAR;
if (c == ';' || c == '\0')
{
- if (cur_tag->len > 0)
+ if (tl && vl)
{
+ cur_val[vl] = '\0';
pdkim_strtrim(cur_val);
- DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->str, cur_val->str);
+ DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag, cur_val);
- switch (cur_tag->str[0])
+ switch (*cur_tag)
{
case 'b':
- if (cur_tag->str[1] == 'h')
- pdkim_decode_base64(US cur_val->str, &sig->bodyhash);
+ if (cur_tag[1] == 'h')
+ pdkim_decode_base64(cur_val, &sig->bodyhash);
else
- pdkim_decode_base64(US cur_val->str, &sig->sigdata);
+ pdkim_decode_base64(cur_val, &sig->sigdata);
break;
case 'v':
/* We only support version 1, and that is currently the
only version there is. */
- if (strcmp(cur_val->str, PDKIM_SIGNATURE_VERSION) == 0)
- sig->version = 1;
+ sig->version =
+ Ustrcmp(cur_val, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
break;
case 'a':
for (i = 0; pdkim_algos[i]; i++)
- if (strcmp(cur_val->str, pdkim_algos[i]) == 0)
+ if (Ustrcmp(cur_val, pdkim_algos[i]) == 0)
{
sig->algo = i;
break;
break;
case 'c':
for (i = 0; pdkim_combined_canons[i].str; i++)
- if (strcmp(cur_val->str, pdkim_combined_canons[i].str) == 0)
+ if (Ustrcmp(cur_val, pdkim_combined_canons[i].str) == 0)
{
sig->canon_headers = pdkim_combined_canons[i].canon_headers;
sig->canon_body = pdkim_combined_canons[i].canon_body;
break;
case 'q':
for (i = 0; pdkim_querymethods[i]; i++)
- if (strcmp(cur_val->str, pdkim_querymethods[i]) == 0)
+ if (Ustrcmp(cur_val, pdkim_querymethods[i]) == 0)
{
sig->querymethod = i;
break;
}
break;
case 's':
- sig->selector = strdup(cur_val->str); break;
+ sig->selector = string_copy(cur_val); break;
case 'd':
- sig->domain = strdup(cur_val->str); break;
+ sig->domain = string_copy(cur_val); break;
case 'i':
- sig->identity = pdkim_decode_qp(cur_val->str); break;
+ sig->identity = pdkim_decode_qp(cur_val); break;
case 't':
- sig->created = strtoul(cur_val->str, NULL, 10); break;
+ sig->created = strtoul(CS cur_val, NULL, 10); break;
case 'x':
- sig->expires = strtoul(cur_val->str, NULL, 10); break;
+ sig->expires = strtoul(CS cur_val, NULL, 10); break;
case 'l':
- sig->bodylength = strtol(cur_val->str, NULL, 10); break;
+ sig->bodylength = strtol(CS cur_val, NULL, 10); break;
case 'h':
- sig->headernames = string_copy(cur_val->str); break;
+ sig->headernames = string_copy(cur_val); break;
case 'z':
- sig->copiedheaders = pdkim_decode_qp(cur_val->str); break;
+ sig->copiedheaders = pdkim_decode_qp(cur_val); break;
default:
DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
break;
}
}
- pdkim_strclear(cur_tag);
- pdkim_strclear(cur_val);
+ tl = 0;
+ vl = 0;
in_b_val = FALSE;
where = PDKIM_HDR_LIMBO;
}
else
- pdkim_strncat(cur_val, p, 1);
+ cur_val = string_catn(cur_val, &vs, &vl, p, 1);
}
NEXT_CHAR:
*q++ = c;
}
-store_pool = old_pool;
-
-/* Make sure the most important bits are there. */
-if (!(sig->domain && (*(sig->domain) != '\0') &&
- sig->selector && (*(sig->selector) != '\0') &&
- sig->headernames && (*(sig->headernames) != '\0') &&
- sig->version))
- {
- pdkim_free_sig(sig);
- return NULL;
- }
-
*q = '\0';
/* Chomp raw header. The final newline must not be added to the signature. */
-q--;
-while (q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n'))
- *q = '\0'; q--; /*XXX questionable code layout; possible bug */
+while (--q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n'))
+ *q = '\0';
DEBUG(D_acl)
{
debug_printf(
"PDKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
- pdkim_quoteprint(sig->rawsig_no_b_val, strlen(sig->rawsig_no_b_val));
+ pdkim_quoteprint(US sig->rawsig_no_b_val, Ustrlen(sig->rawsig_no_b_val));
debug_printf(
- "PDKIM >> Sig size: %4d bits\n", sig->sigdata.len*8);
+ "PDKIM >> Sig size: %4u bits\n", (unsigned) sig->sigdata.len*8);
debug_printf(
"PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
}
-exim_sha_init(&sig->body_hash, sig->algo == PDKIM_ALGO_RSA_SHA1);
+exim_sha_init(&sig->body_hash, sig->algo == PDKIM_ALGO_RSA_SHA1 ? HASH_SHA1 : HASH_SHA256);
return sig;
}
/* -------------------------------------------------------------------------- */
static pdkim_pubkey *
-pdkim_parse_pubkey_record(pdkim_ctx *ctx, char *raw_record)
+pdkim_parse_pubkey_record(pdkim_ctx *ctx, const uschar *raw_record)
{
pdkim_pubkey *pub;
-char *p;
-pdkim_str *cur_tag = NULL;
-pdkim_str *cur_val = NULL;
+const uschar *p;
+uschar * cur_tag = NULL; int ts = 0, tl = 0;
+uschar * cur_val = NULL; int vs = 0, vl = 0;
int where = PDKIM_HDR_LIMBO;
-if (!(pub = malloc(sizeof(pdkim_pubkey)))) return NULL;
+pub = store_get(sizeof(pdkim_pubkey));
memset(pub, 0, sizeof(pdkim_pubkey));
for (p = raw_record; ; p++)
- {
- char c = *p;
-
- /* Ignore FWS */
- if (c == '\r' || c == '\n')
- goto NEXT_CHAR;
-
- if (where == PDKIM_HDR_LIMBO)
- {
- /* In limbo, just wait for a tag-char to appear */
- if (!(c >= 'a' && c <= 'z'))
- goto NEXT_CHAR;
-
- where = PDKIM_HDR_TAG;
- }
-
- if (where == PDKIM_HDR_TAG)
{
- if (!cur_tag)
- cur_tag = pdkim_strnew(NULL);
+ uschar c = *p;
- if (c >= 'a' && c <= 'z')
- pdkim_strncat(cur_tag, p, 1);
-
- if (c == '=')
+ /* Ignore FWS */
+ if (c != '\r' && c != '\n') switch (where)
{
- where = PDKIM_HDR_VALUE;
- goto NEXT_CHAR;
- }
- }
+ case PDKIM_HDR_LIMBO: /* In limbo, just wait for a tag-char to appear */
+ if (!(c >= 'a' && c <= 'z'))
+ break;
+ where = PDKIM_HDR_TAG;
+ /*FALLTHROUGH*/
- if (where == PDKIM_HDR_VALUE)
- {
- if (!cur_val)
- cur_val = pdkim_strnew(NULL);
+ case PDKIM_HDR_TAG:
+ if (c >= 'a' && c <= 'z')
+ cur_tag = string_catn(cur_tag, &ts, &tl, p, 1);
- if (c == '\r' || c == '\n')
- goto NEXT_CHAR;
-
- if (c == ';' || c == '\0')
- {
- if (cur_tag->len > 0)
- {
- pdkim_strtrim(cur_val);
- DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->str, cur_val->str);
+ if (c == '=')
+ {
+ cur_tag[tl] = '\0';
+ where = PDKIM_HDR_VALUE;
+ }
+ break;
- switch (cur_tag->str[0])
+ case PDKIM_HDR_VALUE:
+ if (c == ';' || c == '\0')
{
- case 'v':
- /* This tag isn't evaluated because:
- - We only support version DKIM1.
- - Which is the default for this value (set below)
- - Other versions are currently not specified. */
- break;
- case 'h':
- pub->hashes = strdup(cur_val->str); break;
- case 'g':
- pub->granularity = strdup(cur_val->str); break;
- case 'n':
- pub->notes = pdkim_decode_qp(cur_val->str); break;
- case 'p':
- pdkim_decode_base64(US cur_val->str, &pub->key);
- break;
- case 'k':
- pub->hashes = strdup(cur_val->str); break;
- case 's':
- pub->srvtype = strdup(cur_val->str); break;
- case 't':
- if (strchr(cur_val->str, 'y') != NULL) pub->testing = 1;
- if (strchr(cur_val->str, 's') != NULL) pub->no_subdomaining = 1;
- break;
- default:
- DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
- break;
+ if (tl && vl)
+ {
+ cur_val[vl] = '\0';
+ pdkim_strtrim(cur_val);
+ DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag, cur_val);
+
+ switch (cur_tag[0])
+ {
+ case 'v':
+ pub->version = string_copy(cur_val); break;
+ case 'h':
+ case 'k':
+/* This field appears to never be used. Also, unclear why
+a 'k' (key-type_ would go in this field name. There is a field
+"keytype", also never used.
+ pub->hashes = string_copy(cur_val);
+*/
+ break;
+ case 'g':
+ pub->granularity = string_copy(cur_val); break;
+ case 'n':
+ pub->notes = pdkim_decode_qp(cur_val); break;
+ case 'p':
+ pdkim_decode_base64(US cur_val, &pub->key); break;
+ case 's':
+ pub->srvtype = string_copy(cur_val); break;
+ case 't':
+ if (Ustrchr(cur_val, 'y') != NULL) pub->testing = 1;
+ if (Ustrchr(cur_val, 's') != NULL) pub->no_subdomaining = 1;
+ break;
+ default:
+ DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
+ break;
+ }
+ }
+ tl = 0;
+ vl = 0;
+ where = PDKIM_HDR_LIMBO;
}
- }
- pdkim_strclear(cur_tag);
- pdkim_strclear(cur_val);
- where = PDKIM_HDR_LIMBO;
+ else
+ cur_val = string_catn(cur_val, &vs, &vl, p, 1);
+ break;
}
- else
- pdkim_strncat(cur_val, p, 1);
- }
-NEXT_CHAR:
- if (c == '\0') break;
- }
+ if (c == '\0') break;
+ }
/* Set fallback defaults */
-if (!pub->version ) pub->version = strdup(PDKIM_PUB_RECORD_VERSION);
-if (!pub->granularity) pub->granularity = strdup("*");
-if (!pub->keytype ) pub->keytype = strdup("rsa");
-if (!pub->srvtype ) pub->srvtype = strdup("*");
+if (!pub->version ) pub->version = string_copy(PDKIM_PUB_RECORD_VERSION);
+else if (Ustrcmp(pub->version, PDKIM_PUB_RECORD_VERSION) != 0) return NULL;
+
+if (!pub->granularity) pub->granularity = string_copy(US"*");
+/*
+if (!pub->keytype ) pub->keytype = string_copy(US"rsa");
+*/
+if (!pub->srvtype ) pub->srvtype = string_copy(US"*");
/* p= is required */
if (pub->key.data)
return pub;
-pdkim_free_pubkey(pub);
return NULL;
}
{
pdkim_signature *sig = ctx->sig;
/* Cache relaxed version of data */
-char *relaxed_data = NULL;
-int relaxed_len = 0;
+uschar *relaxed_data = NULL;
+int relaxed_len = 0;
/* Traverse all signatures, updating their hashes. */
while (sig)
{
/* Defaults to simple canon (no further treatment necessary) */
- const char *canon_data = data;
- int canon_len = len;
+ const uschar *canon_data = CUS data;
+ int canon_len = len;
if (sig->canon_body == PDKIM_CANON_RELAXED)
{
const char *p;
int q = 0;
- if (!(relaxed_data = malloc(len+1)))
- return PDKIM_ERR_OOM;
+ /* We want to be able to free this else we allocate
+ for the entire message which could be many MB. Since
+ we don't know what allocations the SHA routines might
+ do, not safe to use store_get()/store_reset(). */
+
+ relaxed_data = store_malloc(len+1);
for (p = data; *p; p++)
{
if (canon_len > 0)
{
- exim_sha_update(&sig->body_hash, canon_data, canon_len);
+ exim_sha_update(&sig->body_hash, CUS canon_data, canon_len);
sig->signed_body_bytes += canon_len;
DEBUG(D_acl) pdkim_quoteprint(canon_data, canon_len);
}
sig = sig->next;
}
-if (relaxed_data) free(relaxed_data);
+if (relaxed_data) store_free(relaxed_data);
return PDKIM_OK;
}
/* -------------------------------------------------------------------------- */
-static int
+static void
pdkim_finish_bodyhash(pdkim_ctx *ctx)
{
pdkim_signature *sig;
DEBUG(D_acl)
{
debug_printf("PDKIM [%s] Body bytes hashed: %lu\n"
- "PDKIM [%s] bh computed: ",
+ "PDKIM [%s] Body hash computed: ",
sig->domain, sig->signed_body_bytes, sig->domain);
- pdkim_hexprint(CS bh.data, bh.len);
+ pdkim_hexprint(CUS bh.data, bh.len);
}
/* SIGNING -------------------------------------------------------------- */
- if (ctx->mode == PDKIM_MODE_SIGN)
+ if (ctx->flags & PDKIM_MODE_SIGN)
{
sig->bodyhash = bh;
{
DEBUG(D_acl)
{
- debug_printf("PDKIM [%s] bh signature: ", sig->domain);
+ debug_printf("PDKIM [%s] Body hash signature from headers: ", sig->domain);
pdkim_hexprint(sig->bodyhash.data,
exim_sha_hashlen(&sig->body_hash));
debug_printf("PDKIM [%s] Body hash did NOT verify\n", sig->domain);
}
}
}
+}
+
+
+
+static int
+pdkim_body_complete(pdkim_ctx * ctx)
+{
+pdkim_signature * sig = ctx->sig; /*XXX assumes only one sig */
+/* In simple body mode, if any empty lines were buffered,
+replace with one. rfc 4871 3.4.3 */
+/*XXX checking the signed-body-bytes is a gross hack; I think
+it indicates that all linebreaks should be buffered, including
+the one terminating a text line */
+
+if ( sig && sig->canon_body == PDKIM_CANON_SIMPLE
+ && sig->signed_body_bytes == 0
+ && ctx->num_buffered_crlf > 0
+ )
+ pdkim_update_bodyhash(ctx, "\r\n", 2);
+
+ctx->flags |= PDKIM_SEEN_EOD;
+ctx->linebuf_offset = 0;
return PDKIM_OK;
}
/* -------------------------------------------------------------------------- */
-/* Callback from pdkim_feed below for processing complete body lines */
+/* Call from pdkim_feed below for processing complete body lines */
static int
pdkim_bodyline_complete(pdkim_ctx *ctx)
pdkim_signature *sig = ctx->sig; /*XXX assumes only one sig */
/* Ignore extra data if we've seen the end-of-data marker */
-if (ctx->seen_eod) goto BAIL;
+if (ctx->flags & PDKIM_SEEN_EOD) goto BAIL;
/* We've always got one extra byte to stuff a zero ... */
ctx->linebuf[ctx->linebuf_offset] = '\0';
/* Terminate on EOD marker */
-if (memcmp(p, ".\r\n", 3) == 0)
+if (ctx->flags & PDKIM_DOT_TERM)
{
- /* In simple body mode, if any empty lines were buffered,
- replace with one. rfc 4871 3.4.3 */
- /*XXX checking the signed-body-bytes is a gross hack; I think
- it indicates that all linebreaks should be buffered, including
- the one terminating a text line */
- if ( sig && sig->canon_body == PDKIM_CANON_SIMPLE
- && sig->signed_body_bytes == 0
- && ctx->num_buffered_crlf > 0
- )
- pdkim_update_bodyhash(ctx, "\r\n", 2);
+ if ( memcmp(p, ".\r\n", 3) == 0)
+ return pdkim_body_complete(ctx);
- ctx->seen_eod = TRUE;
- goto BAIL;
- }
-/* Unstuff dots */
-if (memcmp(p, "..", 2) == 0)
- {
- p++;
- n--;
+ /* Unstuff dots */
+ if (memcmp(p, "..", 2) == 0)
+ {
+ p++;
+ n--;
+ }
}
/* Empty lines need to be buffered until we find a non-empty line */
pdkim_header_complete(pdkim_ctx *ctx)
{
/* Special case: The last header can have an extra \r appended */
-if ( (ctx->cur_header->len > 1) &&
- (ctx->cur_header->str[(ctx->cur_header->len)-1] == '\r') )
- {
- ctx->cur_header->str[(ctx->cur_header->len)-1] = '\0';
- ctx->cur_header->len--;
- }
+if ( (ctx->cur_header_len > 1) &&
+ (ctx->cur_header[(ctx->cur_header_len)-1] == '\r') )
+ --ctx->cur_header_len;
+ctx->cur_header[ctx->cur_header_len] = '\0';
ctx->num_headers++;
if (ctx->num_headers > PDKIM_MAX_HEADERS) goto BAIL;
/* SIGNING -------------------------------------------------------------- */
-if (ctx->mode == PDKIM_MODE_SIGN)
+if (ctx->flags & PDKIM_MODE_SIGN)
{
pdkim_signature *sig;
for (sig = ctx->sig; sig; sig = sig->next) /* Traverse all signatures */
- {
- pdkim_stringlist *list;
/* Add header to the signed headers list (in reverse order) */
- if (!(list = pdkim_prepend_stringlist(sig->headers,
- ctx->cur_header->str)))
- return PDKIM_ERR_OOM;
- sig->headers = list;
- }
+ sig->headers = pdkim_prepend_stringlist(sig->headers,
+ ctx->cur_header);
}
/* VERIFICATION ----------------------------------------------------------- */
/* DKIM-Signature: headers are added to the verification list */
-if (ctx->mode == PDKIM_MODE_VERIFY)
+else
{
- if (strncasecmp(ctx->cur_header->str,
+ if (strncasecmp(CCS ctx->cur_header,
DKIM_SIGNATURE_HEADERNAME,
- strlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
+ Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
{
pdkim_signature *new_sig;
DEBUG(D_acl) debug_printf(
"PDKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
- if ((new_sig = pdkim_parse_sig_header(ctx, ctx->cur_header->str)))
+ if ((new_sig = pdkim_parse_sig_header(ctx, ctx->cur_header)))
{
pdkim_signature *last_sig = ctx->sig;
if (!last_sig)
/* every other header is stored for signature verification */
else
- {
- pdkim_stringlist *list;
-
- if (!(list = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->str)))
- return PDKIM_ERR_OOM;
- ctx->headers = list;
- }
+ ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header);
}
BAIL:
-pdkim_strclear(ctx->cur_header); /* Re-use existing pdkim_str */
+*ctx->cur_header = '\0';
+ctx->cur_header_len = 0; /* leave buffer for reuse */
return PDKIM_OK;
}
#define HEADER_BUFFER_FRAG_SIZE 256
DLLEXPORT int
-pdkim_feed (pdkim_ctx *ctx, char *data, int len)
+pdkim_feed(pdkim_ctx *ctx, char *data, int len)
{
int p;
-for (p = 0; p<len; p++)
+/* Alternate EOD signal, used in non-dotstuffing mode */
+if (!data)
+ pdkim_body_complete(ctx);
+
+else for (p = 0; p<len; p++)
{
- char c = data[p];
+ uschar c = data[p];
- if (ctx->past_headers)
+ if (ctx->flags & PDKIM_PAST_HDRS)
{
/* Processing body byte */
ctx->linebuf[ctx->linebuf_offset++] = c;
{
if (c == '\n')
{
- if (ctx->seen_lf)
+ if (ctx->flags & PDKIM_SEEN_LF)
{
int rc = pdkim_header_complete(ctx); /* Seen last header line */
if (rc != PDKIM_OK) return rc;
- ctx->past_headers = TRUE;
- ctx->seen_lf = 0;
+ ctx->flags = ctx->flags & ~PDKIM_SEEN_LF | PDKIM_PAST_HDRS;
DEBUG(D_acl) debug_printf(
"PDKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>\n");
continue;
}
else
- ctx->seen_lf = TRUE;
+ ctx->flags |= PDKIM_SEEN_LF;
}
- else if (ctx->seen_lf)
+ else if (ctx->flags & PDKIM_SEEN_LF)
{
if (!(c == '\t' || c == ' '))
{
int rc = pdkim_header_complete(ctx); /* End of header */
if (rc != PDKIM_OK) return rc;
}
- ctx->seen_lf = FALSE;
+ ctx->flags &= ~PDKIM_SEEN_LF;
}
}
- if (!ctx->cur_header)
- if (!(ctx->cur_header = pdkim_strnew(NULL)))
- return PDKIM_ERR_OOM;
-
- if (ctx->cur_header->len < PDKIM_MAX_HEADER_LEN)
- if (!pdkim_strncat(ctx->cur_header, &data[p], 1))
- return PDKIM_ERR_OOM;
+ if (ctx->cur_header_len < PDKIM_MAX_HEADER_LEN)
+ ctx->cur_header = string_catn(ctx->cur_header, &ctx->cur_header_size,
+ &ctx->cur_header_len, CUS &data[p], 1);
}
}
return PDKIM_OK;
}
+
+
+/* Extend a grwong header with a continuation-linebreak */
+static uschar *
+pdkim_hdr_cont(uschar * str, int * size, int * ptr, int * col)
+{
+*col = 1;
+return string_catn(str, size, ptr, US"\r\n\t", 3);
+}
+
+
+
/*
* RFC 5322 specifies that header line length SHOULD be no more than 78
* lets make it so!
* pdkim_headcat
- * returns char*
+ *
+ * returns uschar * (not nul-terminated)
*
* col: this int holds and receives column number (octets since last '\n')
* str: partial string to append to
+ * size: current buffer size for str
+ * ptr: current tail-pointer for str
* pad: padding, split line or space after before or after eg: ";"
* intro: - must join to payload eg "h=", usually the tag name
* payload: eg base64 data - long data can be split arbitrarily.
* names longer than 78, or bogus col. Input is assumed to be free of line breaks.
*/
-static char *
-pdkim_headcat(int *col, pdkim_str *str, const char * pad,
- const char *intro, const char *payload)
+static uschar *
+pdkim_headcat(int * col, uschar * str, int * size, int * ptr,
+ const uschar * pad, const uschar * intro, const uschar * payload)
{
size_t l;
if (pad)
{
- l = strlen(pad);
+ l = Ustrlen(pad);
if (*col + l > 78)
- {
- pdkim_strcat(str, "\r\n\t");
- *col = 1;
- }
- pdkim_strncat(str, pad, l);
+ str = pdkim_hdr_cont(str, size, ptr, col);
+ str = string_catn(str, size, ptr, pad, l);
*col += l;
}
-l = (pad?1:0) + (intro?strlen(intro):0);
+l = (pad?1:0) + (intro?Ustrlen(intro):0);
if (*col + l > 78)
{ /*can't fit intro - start a new line to make room.*/
- pdkim_strcat(str, "\r\n\t");
- *col = 1;
- l = intro?strlen(intro):0;
+ str = pdkim_hdr_cont(str, size, ptr, col);
+ l = intro?Ustrlen(intro):0;
}
-l += payload ? strlen(payload):0 ;
+l += payload ? Ustrlen(payload):0 ;
while (l>77)
{ /* this fragment will not fit on a single line */
if (pad)
{
- pdkim_strcat(str, " ");
+ str = string_catn(str, size, ptr, US" ", 1);
*col += 1;
pad = NULL; /* only want this once */
l--;
if (intro)
{
- size_t sl = strlen(intro);
+ size_t sl = Ustrlen(intro);
- pdkim_strncat(str, intro, sl);
+ str = string_catn(str, size, ptr, intro, sl);
*col += sl;
l -= sl;
intro = NULL; /* only want this once */
if (payload)
{
- size_t sl = strlen(payload);
+ size_t sl = Ustrlen(payload);
size_t chomp = *col+sl < 77 ? sl : 78-*col;
- pdkim_strncat(str, payload, chomp);
+ str = string_catn(str, size, ptr, payload, chomp);
*col += chomp;
payload += chomp;
l -= chomp-1;
}
/* the while precondition tells us it didn't fit. */
- pdkim_strcat(str, "\r\n\t");
- *col = 1;
+ str = pdkim_hdr_cont(str, size, ptr, col);
}
if (*col + l > 78)
{
- pdkim_strcat(str, "\r\n\t");
- *col = 1;
+ str = pdkim_hdr_cont(str, size, ptr, col);
pad = NULL;
}
if (pad)
{
- pdkim_strcat(str, " ");
+ str = string_catn(str, size, ptr, US" ", 1);
*col += 1;
pad = NULL;
}
if (intro)
{
- size_t sl = strlen(intro);
+ size_t sl = Ustrlen(intro);
- pdkim_strncat(str, intro, sl);
+ str = string_catn(str, size, ptr, intro, sl);
*col += sl;
l -= sl;
intro = NULL;
if (payload)
{
- size_t sl = strlen(payload);
+ size_t sl = Ustrlen(payload);
- pdkim_strncat(str, payload, sl);
+ str = string_catn(str, size, ptr, payload, sl);
*col += sl;
}
-return str->str;
+return str;
}
/* -------------------------------------------------------------------------- */
-static char *
+static uschar *
pdkim_create_header(pdkim_signature *sig, BOOL final)
{
-char *rc = NULL;
-char *base64_bh = NULL;
-char *base64_b = NULL;
+uschar * base64_bh;
+uschar * base64_b;
int col = 0;
-pdkim_str *hdr;
-pdkim_str *canon_all;
-
-if (!(hdr = pdkim_strnew("DKIM-Signature: v="PDKIM_SIGNATURE_VERSION)))
- return NULL;
+uschar * hdr; int hdr_size = 0, hdr_len = 0;
+uschar * canon_all; int can_size = 0, can_len = 0;
-if (!(canon_all = pdkim_strnew(pdkim_canons[sig->canon_headers])))
- goto BAIL;
-
-if (!(base64_bh = pdkim_encode_base64(&sig->bodyhash)))
- goto BAIL;
+canon_all = string_cat (NULL, &can_size, &can_len,
+ pdkim_canons[sig->canon_headers]);
+canon_all = string_catn(canon_all, &can_size, &can_len, US"/", 1);
+canon_all = string_cat (canon_all, &can_size, &can_len,
+ pdkim_canons[sig->canon_body]);
+canon_all[can_len] = '\0';
-col = strlen(hdr->str);
+hdr = string_cat(NULL, &hdr_size, &hdr_len,
+ US"DKIM-Signature: v="PDKIM_SIGNATURE_VERSION);
+col = hdr_len;
/* Required and static bits */
-if ( pdkim_headcat(&col, hdr, ";", "a=", pdkim_algos[sig->algo])
- && pdkim_headcat(&col, hdr, ";", "q=", pdkim_querymethods[sig->querymethod])
- && pdkim_strcat(canon_all, "/")
- && pdkim_strcat(canon_all, pdkim_canons[sig->canon_body])
- && pdkim_headcat(&col, hdr, ";", "c=", canon_all->str)
- && pdkim_headcat(&col, hdr, ";", "d=", sig->domain)
- && pdkim_headcat(&col, hdr, ";", "s=", sig->selector)
- )
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"a=",
+ pdkim_algos[sig->algo]);
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"q=",
+ pdkim_querymethods[sig->querymethod]);
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"c=",
+ canon_all);
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"d=",
+ sig->domain);
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"s=",
+ sig->selector);
+
+/* list of header names can be split between items. */
{
- /* list of header names can be split between items. */
- {
- char *n = CS string_copy(sig->headernames);
- char *f = n;
- char *i = "h=";
- char *s = ";";
+ uschar * n = string_copy(sig->headernames);
+ uschar * i = US"h=";
+ uschar * s = US";";
- if (!n) goto BAIL;
- while (*n)
- {
- char *c = strchr(n, ':');
+ while (*n)
+ {
+ uschar * c = Ustrchr(n, ':');
- if (c) *c ='\0';
+ if (c) *c ='\0';
- if (!i)
- if (!pdkim_headcat(&col, hdr, NULL, NULL, ":"))
- {
- goto BAIL;
- }
+ if (!i)
+ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, NULL, NULL, US":");
- if (!pdkim_headcat(&col, hdr, s, i, n))
- {
- goto BAIL;
- }
+ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, s, i, n);
- if (!c)
- break;
+ if (!c)
+ break;
- n = c+1;
- s = NULL;
- i = NULL;
- }
+ n = c+1;
+ s = NULL;
+ i = NULL;
}
+ }
- if(!pdkim_headcat(&col, hdr, ";", "bh=", base64_bh))
- goto BAIL;
+base64_bh = pdkim_encode_base64(&sig->bodyhash);
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"bh=", base64_bh);
- /* Optional bits */
- if (sig->identity)
- if(!pdkim_headcat(&col, hdr, ";", "i=", sig->identity))
- goto BAIL;
+/* Optional bits */
+if (sig->identity)
+ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"i=", sig->identity);
- if (sig->created > 0)
- {
- char minibuf[20];
+if (sig->created > 0)
+ {
+ uschar minibuf[20];
- snprintf(minibuf, 20, "%lu", sig->created);
- if(!pdkim_headcat(&col, hdr, ";", "t=", minibuf))
- goto BAIL;
+ snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->created);
+ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"t=", minibuf);
+}
+
+if (sig->expires > 0)
+ {
+ uschar minibuf[20];
+
+ snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->expires);
+ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"x=", minibuf);
}
- if (sig->expires > 0)
- {
- char minibuf[20];
+if (sig->bodylength >= 0)
+ {
+ uschar minibuf[20];
- snprintf(minibuf, 20, "%lu", sig->expires);
- if(!pdkim_headcat(&col, hdr, ";", "x=", minibuf))
- goto BAIL;
- }
+ snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->bodylength);
+ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"l=", minibuf);
+ }
- if (sig->bodylength >= 0)
- {
- char minibuf[20];
+/* Preliminary or final version? */
+base64_b = final ? pdkim_encode_base64(&sig->sigdata) : US"";
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"b=", base64_b);
- snprintf(minibuf, 20, "%lu", sig->bodylength);
- if(!pdkim_headcat(&col, hdr, ";", "l=", minibuf))
- goto BAIL;
- }
+/* add trailing semicolon: I'm not sure if this is actually needed */
+hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, NULL, US";", US"");
- /* Preliminary or final version? */
- if (final)
- {
- if (!(base64_b = pdkim_encode_base64(&sig->sigdata)))
- goto BAIL;
- if (!pdkim_headcat(&col, hdr, ";", "b=", base64_b))
- goto BAIL;
+hdr[hdr_len] = '\0';
+return hdr;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+static pdkim_pubkey *
+pdkim_key_from_dns(pdkim_ctx * ctx, pdkim_signature * sig, ev_ctx * vctx)
+{
+uschar * dns_txt_name, * dns_txt_reply;
+pdkim_pubkey * p;
+const uschar * errstr;
+
+/* Fetch public key for signing domain, from DNS */
+
+dns_txt_name = string_sprintf("%s._domainkey.%s.", sig->selector, sig->domain);
+
+dns_txt_reply = store_get(PDKIM_DNS_TXT_MAX_RECLEN);
+memset(dns_txt_reply, 0, PDKIM_DNS_TXT_MAX_RECLEN);
+
+if ( ctx->dns_txt_callback(CS dns_txt_name, CS dns_txt_reply) != PDKIM_OK
+ || dns_txt_reply[0] == '\0'
+ )
+ {
+ sig->verify_status = PDKIM_VERIFY_INVALID;
+ sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
+ return NULL;
}
- else
- if(!pdkim_headcat(&col, hdr, ";", "b=", ""))
- goto BAIL;
- /* add trailing semicolon: I'm not sure if this is actually needed */
- if (!pdkim_headcat(&col, hdr, NULL, ";", ""))
- goto BAIL;
+DEBUG(D_acl)
+ {
+ debug_printf(
+ "PDKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
+ " Raw record: ");
+ pdkim_quoteprint(CUS dns_txt_reply, Ustrlen(dns_txt_reply));
}
-rc = strdup(hdr->str);
+if ( !(p = pdkim_parse_pubkey_record(ctx, CUS dns_txt_reply))
+ || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
+ )
+ {
+ sig->verify_status = PDKIM_VERIFY_INVALID;
+ sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
-BAIL:
-pdkim_strfree(hdr);
-if (canon_all) pdkim_strfree(canon_all);
-return rc;
+ DEBUG(D_acl)
+ {
+ if (p)
+ debug_printf(" Invalid public key service type '%s'\n", p->srvtype);
+ else
+ debug_printf(" Error while parsing public key record\n");
+ debug_printf(
+ "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+ }
+ return NULL;
+ }
+
+DEBUG(D_acl) debug_printf(
+ "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+/* Import public key */
+if ((errstr = exim_rsa_verify_init(&p->key, vctx)))
+ {
+ DEBUG(D_acl) debug_printf("verify_init: %s\n", errstr);
+ sig->verify_status = PDKIM_VERIFY_INVALID;
+ sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
+ return NULL;
+ }
+
+return p;
}
pdkim_feed_finish(pdkim_ctx *ctx, pdkim_signature **return_signatures)
{
pdkim_signature *sig = ctx->sig;
-pdkim_str *headernames = NULL; /* Collected signed header names */
/* Check if we must still flush a (partial) header. If that is the
case, the message has no body, and we must compute a body hash
out of '<CR><LF>' */
-if (ctx->cur_header && ctx->cur_header->len)
+if (ctx->cur_header && ctx->cur_header_len)
{
int rc = pdkim_header_complete(ctx);
if (rc != PDKIM_OK) return rc;
"PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
/* Build (and/or evaluate) body hash */
-if (pdkim_finish_bodyhash(ctx) != PDKIM_OK)
- return PDKIM_ERR_OOM;
-
-/* SIGNING -------------------------------------------------------------- */
-if (ctx->mode == PDKIM_MODE_SIGN)
- if (!(headernames = pdkim_strnew(NULL)))
- return PDKIM_ERR_OOM;
-/* ---------------------------------------------------------------------- */
+pdkim_finish_bodyhash(ctx);
while (sig)
{
BOOL is_sha1 = sig->algo == PDKIM_ALGO_RSA_SHA1;
hctx hhash_ctx;
- char * sig_hdr;
+ uschar * sig_hdr = US"";
blob hhash;
blob hdata;
int hdata_alloc = 0;
hdata.data = NULL;
hdata.len = 0;
- exim_sha_init(&hhash_ctx, is_sha1);
+ exim_sha_init(&hhash_ctx, is_sha1 ? HASH_SHA1 : HASH_SHA256);
DEBUG(D_acl) debug_printf(
- "PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>\n");
+ "PDKIM >> Header data for hash, canonicalized, in sequence >>>>>>>>>>>>>>\n");
/* SIGNING ---------------------------------------------------------------- */
/* When signing, walk through our header list and add them to the hash. As we
Then append to that list any remaining header names for which there was no
header to sign. */
- if (ctx->mode == PDKIM_MODE_SIGN)
+ if (ctx->flags & PDKIM_MODE_SIGN)
{
+ uschar * headernames = NULL; /* Collected signed header names */
+ int hs = 0, hl = 0;
pdkim_stringlist *p;
const uschar * l;
uschar * s;
/* Collect header names (Note: colon presence is guaranteed here) */
uschar * q = Ustrchr(p->value, ':');
- if (!(pdkim_strncat(headernames, p->value,
- (q - US p->value) + (p->next ? 1 : 0))))
- return PDKIM_ERR_OOM;
+ headernames = string_catn(headernames, &hs, &hl,
+ p->value, (q - US p->value) + (p->next ? 1 : 0));
rh = sig->canon_headers == PDKIM_CANON_RELAXED
- ? US pdkim_relax_header(p->value, 1) /* cook header for relaxed canon */
- : string_copy(p->value); /* just copy it for simple canon */
- if (!rh)
- return PDKIM_ERR_OOM;
+ ? pdkim_relax_header(p->value, 1) /* cook header for relaxed canon */
+ : string_copy(CUS p->value); /* just copy it for simple canon */
/* Feed header to the hash algorithm */
- exim_sha_update(&hhash_ctx, rh, strlen(rh));
+ exim_sha_update(&hhash_ctx, CUS rh, Ustrlen(rh));
/* Remember headers block for signing (when the library cannot do incremental) */
(void) exim_rsa_data_append(&hdata, &hdata_alloc, rh);
DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
}
- l = US sig->sign_headers;
+ l = sig->sign_headers;
while((s = string_nextinlist(&l, &sep, NULL, 0)))
if (*s != '_')
{ /*SSS string_append_listele() */
- if (headernames->len > 0 && headernames->str[headernames->len-1] != ':')
- if (!(pdkim_strncat(headernames, ":", 1)))
- return PDKIM_ERR_OOM;
- if (!(pdkim_strncat(headernames, CS s, Ustrlen(s))))
- return PDKIM_ERR_OOM;
+ if (hl > 0 && headernames[hl-1] != ':')
+ headernames = string_catn(headernames, &hs, &hl, US":", 1);
+
+ headernames = string_cat(headernames, &hs, &hl, s);
}
+ headernames[hl] = '\0';
+
+ /* Copy headernames to signature struct */
+ sig->headernames = headernames;
+
+ /* Create signature header with b= omitted */
+ sig_hdr = pdkim_create_header(sig, FALSE);
}
/* VERIFICATION ----------------------------------------------------------- */
add the headers to the hash in that order. */
else
{
- uschar * b = string_copy(sig->headernames);
- uschar * p = b;
+ uschar * p = sig->headernames;
uschar * q;
pdkim_stringlist * hdrs;
- if (!b) return PDKIM_ERR_OOM;
-
- /* clear tags */
- for (hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
- hdrs->tag = 0;
-
- while(1)
+ if (p)
{
- if ((q = Ustrchr(p, ':')))
- *q = '\0';
-
-/*XXX walk the list of headers in same order as received. */
+ /* clear tags */
for (hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
- if ( hdrs->tag == 0
- && strncasecmp(hdrs->value, CS p, Ustrlen(p)) == 0
- && (hdrs->value)[Ustrlen(p)] == ':'
- )
- {
- uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
- ? US pdkim_relax_header(hdrs->value, 1) /* cook header for relaxed canon */
- : string_copy(hdrs->value); /* just copy it for simple canon */
- if (!rh)
- return PDKIM_ERR_OOM;
+ hdrs->tag = 0;
- /* Feed header to the hash algorithm */
- exim_sha_update(&hhash_ctx, rh, strlen(rh));
+ p = string_copy(p);
+ while(1)
+ {
+ if ((q = Ustrchr(p, ':')))
+ *q = '\0';
+
+ /*XXX walk the list of headers in same order as received. */
+ for (hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
+ if ( hdrs->tag == 0
+ && strncasecmp(CCS hdrs->value, CCS p, Ustrlen(p)) == 0
+ && (hdrs->value)[Ustrlen(p)] == ':'
+ )
+ {
+ /* cook header for relaxed canon, or just copy it for simple */
+
+ uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
+ ? pdkim_relax_header(hdrs->value, 1)
+ : string_copy(CUS hdrs->value);
+
+ /* Feed header to the hash algorithm */
+ exim_sha_update(&hhash_ctx, CUS rh, Ustrlen(rh));
+
+ DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
+ hdrs->tag = 1;
+ break;
+ }
- DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
- hdrs->tag = 1;
- break;
- }
+ if (!q) break;
+ p = q+1;
+ }
- if (!q) break;
- p = q+1;
+ sig_hdr = string_copy(sig->rawsig_no_b_val);
}
}
DEBUG(D_acl) debug_printf(
"PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
- /* SIGNING ---------------------------------------------------------------- */
- if (ctx->mode == PDKIM_MODE_SIGN)
- {
- /* Copy headernames to signature struct */
- sig->headernames = string_copy(US headernames->str);
- pdkim_strfree(headernames);
-
- /* Create signature header with b= omitted */
- sig_hdr = pdkim_create_header(sig, FALSE);
- }
-
- /* VERIFICATION ----------------------------------------------------------- */
- else
- sig_hdr = strdup(sig->rawsig_no_b_val);
- /* ------------------------------------------------------------------------ */
-
- if (!sig_hdr)
- return PDKIM_ERR_OOM;
-
/* Relax header if necessary */
if (sig->canon_headers == PDKIM_CANON_RELAXED)
- {
- char *relaxed_hdr = pdkim_relax_header(sig_hdr, 0);
-
- free(sig_hdr);
- if (!relaxed_hdr)
- return PDKIM_ERR_OOM;
- sig_hdr = relaxed_hdr;
- }
+ sig_hdr = pdkim_relax_header(sig_hdr, 0);
DEBUG(D_acl)
{
debug_printf(
"PDKIM >> Signed DKIM-Signature header, canonicalized >>>>>>>>>>>>>>>>>\n");
- pdkim_quoteprint(sig_hdr, strlen(sig_hdr));
+ pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
debug_printf(
"PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
}
/* Finalize header hash */
- exim_sha_update(&hhash_ctx, sig_hdr, strlen(sig_hdr));
+ exim_sha_update(&hhash_ctx, CUS sig_hdr, Ustrlen(sig_hdr));
exim_sha_finish(&hhash_ctx, &hhash);
DEBUG(D_acl)
{
- debug_printf("PDKIM [%s] hh computed: ", sig->domain);
+ debug_printf("PDKIM [%s] Header hash computed: ", sig->domain);
pdkim_hexprint(hhash.data, hhash.len);
}
/* Remember headers block for signing (when the library cannot do incremental) */
- if (ctx->mode == PDKIM_MODE_SIGN)
- (void) exim_rsa_data_append(&hdata, &hdata_alloc, sig_hdr);
-
- free(sig_hdr);
+ if (ctx->flags & PDKIM_MODE_SIGN)
+ (void) exim_rsa_data_append(&hdata, &hdata_alloc, US sig_hdr);
/* SIGNING ---------------------------------------------------------------- */
- if (ctx->mode == PDKIM_MODE_SIGN)
+ if (ctx->flags & PDKIM_MODE_SIGN)
{
es_ctx sctx;
const uschar * errstr;
/* Import private key */
- if ((errstr = exim_rsa_signing_init(sig->rsa_privkey, &sctx)))
+ if ((errstr = exim_rsa_signing_init(US sig->rsa_privkey, &sctx)))
{
DEBUG(D_acl) debug_printf("signing_init: %s\n", errstr);
return PDKIM_ERR_RSA_PRIVKEY;
pdkim_hexprint(sig->sigdata.data, sig->sigdata.len);
}
- if (!(sig->signature_header = pdkim_create_header(sig, TRUE)))
- return PDKIM_ERR_OOM;
+ sig->signature_header = pdkim_create_header(sig, TRUE);
}
/* VERIFICATION ----------------------------------------------------------- */
{
ev_ctx vctx;
const uschar * errstr;
-
- char *dns_txt_name, *dns_txt_reply;
-
- /* Fetch public key for signing domain, from DNS */
-
- if (!(dns_txt_name = malloc(PDKIM_DNS_TXT_MAX_NAMELEN)))
- return PDKIM_ERR_OOM;
-
- if (!(dns_txt_reply = malloc(PDKIM_DNS_TXT_MAX_RECLEN)))
+ pdkim_pubkey * p;
+
+ /* Make sure we have all required signature tags */
+ if (!( sig->domain && *sig->domain
+ && sig->selector && *sig->selector
+ && sig->headernames && *sig->headernames
+ && sig->bodyhash.data
+ && sig->sigdata.data
+ && sig->algo > -1
+ && sig->version
+ ) )
{
- free(dns_txt_name);
- return PDKIM_ERR_OOM;
- }
-
- memset(dns_txt_reply, 0, PDKIM_DNS_TXT_MAX_RECLEN);
- memset(dns_txt_name , 0, PDKIM_DNS_TXT_MAX_NAMELEN);
-
- if (snprintf(dns_txt_name, PDKIM_DNS_TXT_MAX_NAMELEN,
- "%s._domainkey.%s.",
- sig->selector, sig->domain) >= PDKIM_DNS_TXT_MAX_NAMELEN)
- {
- sig->verify_status = PDKIM_VERIFY_INVALID;
- sig->verify_ext_status = PDKIM_VERIFY_INVALID_BUFFER_SIZE;
- goto NEXT_VERIFY;
- }
+ sig->verify_status = PDKIM_VERIFY_INVALID;
+ sig->verify_ext_status = PDKIM_VERIFY_INVALID_SIGNATURE_ERROR;
- if ( ctx->dns_txt_callback(dns_txt_name, dns_txt_reply) != PDKIM_OK
- || dns_txt_reply[0] == '\0')
- {
- sig->verify_status = PDKIM_VERIFY_INVALID;
- sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
+ DEBUG(D_acl) debug_printf(
+ " Error in DKIM-Signature header: tags missing or invalid\n"
+ "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
goto NEXT_VERIFY;
}
- DEBUG(D_acl)
- {
- debug_printf(
- "PDKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
- " Raw record: ");
- pdkim_quoteprint(dns_txt_reply, strlen(dns_txt_reply));
- }
-
- if (!(sig->pubkey = pdkim_parse_pubkey_record(ctx, dns_txt_reply)))
+ /* Make sure sig uses supported DKIM version (only v1) */
+ if (sig->version != 1)
{
- sig->verify_status = PDKIM_VERIFY_INVALID;
- sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
+ sig->verify_status = PDKIM_VERIFY_INVALID;
+ sig->verify_ext_status = PDKIM_VERIFY_INVALID_DKIM_VERSION;
DEBUG(D_acl) debug_printf(
- " Error while parsing public key record\n"
- "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+ " Error in DKIM-Signature header: unsupported DKIM version\n"
+ "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
goto NEXT_VERIFY;
}
- DEBUG(D_acl) debug_printf(
- "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
-
- /* Import public key */
- if ((errstr = exim_rsa_verify_init(&sig->pubkey->key, &vctx)))
- {
- DEBUG(D_acl) debug_printf("verify_init: %s\n", errstr);
- sig->verify_status = PDKIM_VERIFY_INVALID;
- sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
+ if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx)))
goto NEXT_VERIFY;
- }
/* Check the signature */
if ((errstr = exim_rsa_verify(&vctx, is_sha1, &hhash, &sig->sigdata)))
}
- /* We have a winner! (if bodydhash was correct earlier) */
+ /* We have a winner! (if bodyhash was correct earlier) */
if (sig->verify_status == PDKIM_VERIFY_NONE)
sig->verify_status = PDKIM_VERIFY_PASS;
else
debug_printf("\n");
}
-
- free(dns_txt_name);
- free(dns_txt_reply);
}
sig = sig->next;
/* -------------------------------------------------------------------------- */
DLLEXPORT pdkim_ctx *
-pdkim_init_verify(int(*dns_txt_callback)(char *, char *))
+pdkim_init_verify(int(*dns_txt_callback)(char *, char *), BOOL dot_stuffing)
{
-pdkim_ctx *ctx = malloc(sizeof(pdkim_ctx));
+pdkim_ctx * ctx;
-if (!ctx)
- return NULL;
+ctx = store_get(sizeof(pdkim_ctx));
memset(ctx, 0, sizeof(pdkim_ctx));
-if (!(ctx->linebuf = malloc(PDKIM_MAX_BODY_LINE_LEN)))
- {
- free(ctx);
- return NULL;
- }
-
-ctx->mode = PDKIM_MODE_VERIFY;
+if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM;
+ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN);
ctx->dns_txt_callback = dns_txt_callback;
return ctx;
/* -------------------------------------------------------------------------- */
DLLEXPORT pdkim_ctx *
-pdkim_init_sign(char *domain, char *selector, char *rsa_privkey, int algo)
+pdkim_init_sign(char * domain, char * selector, char * rsa_privkey, int algo,
+ BOOL dot_stuffed, int(*dns_txt_callback)(char *, char *))
{
-pdkim_ctx *ctx;
-pdkim_signature *sig;
+pdkim_ctx * ctx;
+pdkim_signature * sig;
if (!domain || !selector || !rsa_privkey)
return NULL;
-if (!(ctx = malloc(sizeof(pdkim_ctx))))
- return NULL;
+ctx = store_get(sizeof(pdkim_ctx) + PDKIM_MAX_BODY_LINE_LEN + sizeof(pdkim_signature));
memset(ctx, 0, sizeof(pdkim_ctx));
-if (!(ctx->linebuf = malloc(PDKIM_MAX_BODY_LINE_LEN)))
- {
- free(ctx);
- return NULL;
- }
+ctx->flags = dot_stuffed ? PDKIM_MODE_SIGN | PDKIM_DOT_TERM : PDKIM_MODE_SIGN;
+ctx->linebuf = CS (ctx+1);
-if (!(sig = malloc(sizeof(pdkim_signature))))
- {
- free(ctx->linebuf);
- free(ctx);
- return NULL;
- }
+DEBUG(D_acl) ctx->dns_txt_callback = dns_txt_callback;
+
+sig = (pdkim_signature *)(ctx->linebuf + PDKIM_MAX_BODY_LINE_LEN);
memset(sig, 0, sizeof(pdkim_signature));
sig->bodylength = -1;
-
-ctx->mode = PDKIM_MODE_SIGN;
ctx->sig = sig;
-sig->domain = strdup(domain);
-sig->selector = strdup(selector);
-sig->rsa_privkey = strdup(rsa_privkey);
+sig->domain = string_copy(US domain);
+sig->selector = string_copy(US selector);
+sig->rsa_privkey = string_copy(US rsa_privkey);
sig->algo = algo;
-if (!sig->domain || !sig->selector || !sig->rsa_privkey)
- goto BAIL;
+exim_sha_init(&sig->body_hash, algo == PDKIM_ALGO_RSA_SHA1 ? HASH_SHA1 : HASH_SHA256);
-exim_sha_init(&sig->body_hash, algo == PDKIM_ALGO_RSA_SHA1);
-return ctx;
+DEBUG(D_acl)
+ {
+ pdkim_signature s = *sig;
+ ev_ctx vctx;
-BAIL:
- pdkim_free_ctx(ctx);
- return NULL;
+ debug_printf("PDKIM (checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+ if (!pdkim_key_from_dns(ctx, &s, &vctx))
+ debug_printf("WARNING: bad dkim key in dns\n");
+ debug_printf("PDKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+ }
+
+return ctx;
}
pdkim_signature * sig = ctx->sig;
if (identity)
- if (!(sig->identity = strdup(identity)))
- return PDKIM_ERR_OOM;
+ sig->identity = string_copy(US identity);
-if (!(sig->sign_headers = strdup(sign_headers
- ? sign_headers : PDKIM_DEFAULT_SIGN_HEADERS)))
- return PDKIM_ERR_OOM;
+sig->sign_headers = string_copy(sign_headers
+ ? US sign_headers : US PDKIM_DEFAULT_SIGN_HEADERS);
sig->canon_headers = canon_headers;
sig->canon_body = canon_body;