1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
|
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
/* Copyright (c) The Exim Maintainers 2020 - 2022 */
/* Copyright (c) University of Cambridge, 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* Code for DKIM support. Other DKIM relevant code is in
receive.c, transport.c and transports/smtp.c */
#include "exim.h"
#ifndef DISABLE_DKIM
# include "pdkim/pdkim.h"
# ifdef MACRO_PREDEF
# include "macro_predef.h"
void
params_dkim(void)
{
builtin_macro_create_var(US"_DKIM_SIGN_HEADERS", US PDKIM_DEFAULT_SIGN_HEADERS);
builtin_macro_create_var(US"_DKIM_OVERSIGN_HEADERS", US PDKIM_OVERSIGN_HEADERS);
}
# else /*!MACRO_PREDEF*/
pdkim_ctx dkim_sign_ctx;
int dkim_verify_oldpool;
pdkim_ctx *dkim_verify_ctx = NULL;
pdkim_signature *dkim_cur_sig = NULL;
static const uschar * dkim_collect_error = NULL;
#define DKIM_MAX_SIGNATURES 20
/* Look up the DKIM record in DNS for the given hostname.
Will use the first found if there are multiple.
The return string is tainted, having come from off-site.
*/
uschar *
dkim_exim_query_dns_txt(const uschar * name)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
rmark reset_point = store_mark();
gstring * g = string_get_tainted(256, GET_TAINTED);
lookup_dnssec_authenticated = NULL;
if (dns_lookup(dnsa, name, T_TXT, NULL) != DNS_SUCCEED)
goto bad;
/* Search for TXT record */
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
rr;
rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
if (rr->type == T_TXT)
{ /* Copy record content to the answer buffer */
for (int rr_offset = 0; rr_offset < rr->size; )
{
uschar len = rr->data[rr_offset++];
g = string_catn(g, US(rr->data + rr_offset), len);
if (g->ptr >= PDKIM_DNS_TXT_MAX_RECLEN)
goto bad;
rr_offset += len;
}
/* Check if this looks like a DKIM record */
if (Ustrncmp(g->s, "v=", 2) != 0 || strncasecmp(CS g->s, "v=dkim", 6) == 0)
{
store_free_dns_answer(dnsa);
gstring_release_unused(g);
return string_from_gstring(g);
}
g->ptr = 0; /* overwrite previous record */
}
bad:
store_reset(reset_point);
store_free_dns_answer(dnsa);
return NULL; /*XXX better error detail? logging? */
}
void
dkim_exim_init(void)
{
if (f.dkim_init_done) return;
f.dkim_init_done = TRUE;
pdkim_init();
}
void
dkim_exim_verify_init(BOOL dot_stuffing)
{
dkim_exim_init();
/* There is a store-reset between header & body reception for the main pool
(actually, after every header line) so cannot use that as we need the data we
store per-header, during header processing, at the end of body reception
for evaluating the signature. Any allocs done for dkim verify
memory-handling must use a different pool. We use a separate one that we
can reset per message. */
dkim_verify_oldpool = store_pool;
store_pool = POOL_MESSAGE;
/* Free previous context if there is one */
if (dkim_verify_ctx)
pdkim_free_ctx(dkim_verify_ctx);
/* Create new context */
dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0;
dkim_collect_error = NULL;
/* Start feed up with any cached data, but limited to message data */
receive_get_cache(chunking_state == CHUNKING_LAST
? chunking_data_left : GETC_BUFFER_UNLIMITED);
store_pool = dkim_verify_oldpool;
}
/* Submit a chunk of data for verification input.
Only use the data when the feed is activated. */
void
dkim_exim_verify_feed(uschar * data, int len)
{
int rc;
store_pool = POOL_MESSAGE;
if ( dkim_collect_input
&& (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK)
{
dkim_collect_error = pdkim_errstr(rc);
log_write(0, LOG_MAIN,
"DKIM: validation error: %.100s", dkim_collect_error);
dkim_collect_input = 0;
}
store_pool = dkim_verify_oldpool;
}
/* Log the result for the given signature */
static void
dkim_exim_verify_log_sig(pdkim_signature * sig)
{
gstring * logmsg;
uschar * s;
if (!sig) return;
/* Remember the domain for the first pass result */
if ( !dkim_verify_overall
&& dkim_verify_status
? Ustrcmp(dkim_verify_status, US"pass") == 0
: sig->verify_status == PDKIM_VERIFY_PASS
)
dkim_verify_overall = string_copy(sig->domain);
/* Rewrite the sig result if the ACL overrode it. This is only
needed because the DMARC code (sigh) peeks at the dkim sigs.
Mark the sig for this having been done. */
if ( dkim_verify_status
&& ( dkim_verify_status != dkim_exim_expand_query(DKIM_VERIFY_STATUS)
|| dkim_verify_reason != dkim_exim_expand_query(DKIM_VERIFY_REASON)
) )
{ /* overridden by ACL */
sig->verify_ext_status = -1;
if (Ustrcmp(dkim_verify_status, US"fail") == 0)
sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_FAIL;
else if (Ustrcmp(dkim_verify_status, US"invalid") == 0)
sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_INVALID;
else if (Ustrcmp(dkim_verify_status, US"none") == 0)
sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_NONE;
else if (Ustrcmp(dkim_verify_status, US"pass") == 0)
sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_PASS;
else
sig->verify_status = -1;
}
if (!LOGGING(dkim_verbose)) return;
logmsg = string_catn(NULL, US"DKIM: ", 6);
if (!(s = sig->domain)) s = US"<UNSET>";
logmsg = string_append(logmsg, 2, "d=", s);
if (!(s = sig->selector)) s = US"<UNSET>";
logmsg = string_append(logmsg, 2, " s=", s);
logmsg = string_fmt_append(logmsg, " c=%s/%s a=%s b=" SIZE_T_FMT,
sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
dkim_sig_to_a_tag(sig),
(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : (size_t)0);
if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
if (sig->created > 0) logmsg = string_fmt_append(logmsg, " t=%lu",
sig->created);
if (sig->expires > 0) logmsg = string_fmt_append(logmsg, " x=%lu",
sig->expires);
if (sig->bodylength > -1) logmsg = string_fmt_append(logmsg, " l=%lu",
sig->bodylength);
if (sig->verify_status & PDKIM_VERIFY_POLICY)
logmsg = string_append(logmsg, 5,
US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
else
switch (sig->verify_status)
{
case PDKIM_VERIFY_NONE:
logmsg = string_cat(logmsg, US" [not verified]");
break;
case PDKIM_VERIFY_INVALID:
logmsg = string_cat(logmsg, US" [invalid - ");
switch (sig->verify_ext_status)
{
case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
logmsg = string_cat(logmsg,
US"public key record (currently?) unavailable]");
break;
case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
logmsg = string_cat(logmsg, US"overlong public key record]");
break;
case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
logmsg = string_cat(logmsg, US"syntax error in public key record]");
break;
case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
logmsg = string_cat(logmsg, US"signature tag missing or invalid]");
break;
case PDKIM_VERIFY_INVALID_DKIM_VERSION:
logmsg = string_cat(logmsg, US"unsupported DKIM version]");
break;
default:
logmsg = string_cat(logmsg, US"unspecified problem]");
}
break;
case PDKIM_VERIFY_FAIL:
logmsg = string_cat(logmsg, US" [verification failed - ");
switch (sig->verify_ext_status)
{
case PDKIM_VERIFY_FAIL_BODY:
logmsg = string_cat(logmsg,
US"body hash mismatch (body probably modified in transit)]");
break;
case PDKIM_VERIFY_FAIL_MESSAGE:
logmsg = string_cat(logmsg,
US"signature did not verify "
"(headers probably modified in transit)]");
break;
case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE:
logmsg = string_cat(logmsg,
US"signature invalid (key too short)]");
break;
default:
logmsg = string_cat(logmsg, US"unspecified reason]");
}
break;
case PDKIM_VERIFY_PASS:
logmsg = string_cat(logmsg, US" [verification succeeded]");
break;
}
log_write(0, LOG_MAIN, "%s", string_from_gstring(logmsg));
return;
}
/* Log a line for each signature */
void
dkim_exim_verify_log_all(void)
{
for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
dkim_exim_verify_log_sig(sig);
}
void
dkim_exim_verify_finish(void)
{
int rc;
gstring * g = NULL;
const uschar * errstr = NULL;
store_pool = POOL_MESSAGE;
/* Delete eventual previous signature chain */
dkim_signers = NULL;
dkim_signatures = NULL;
if (dkim_collect_error)
{
log_write(0, LOG_MAIN,
"DKIM: Error during validation, disabling signature verification: %.100s",
dkim_collect_error);
f.dkim_disable_verify = TRUE;
goto out;
}
dkim_collect_input = 0;
/* Finish DKIM operation and fetch link to signatures chain */
rc = pdkim_feed_finish(dkim_verify_ctx, (pdkim_signature **)&dkim_signatures,
&errstr);
if (rc != PDKIM_OK && errstr)
log_write(0, LOG_MAIN, "DKIM: validation error: %s", errstr);
/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
{
if (sig->domain) g = string_append_listele(g, ':', sig->domain);
if (sig->identity) g = string_append_listele(g, ':', sig->identity);
}
if (g) dkim_signers = g->s;
out:
store_pool = dkim_verify_oldpool;
}
/* Args as per dkim_exim_acl_run() below */
static int
dkim_acl_call(uschar * id, gstring ** res_ptr,
uschar ** user_msgptr, uschar ** log_msgptr)
{
int rc;
DEBUG(D_receive)
debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n", id);
rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, user_msgptr, log_msgptr);
dkim_exim_verify_log_sig(dkim_cur_sig);
*res_ptr = string_append_listele(*res_ptr, ':', dkim_verify_status);
return rc;
}
/* For the given identity, run the DKIM ACL once for each matching signature.
Arguments
id Identity to look for in dkim signatures
res_ptr ptr to growable string-list of status results,
appended to per ACL run
user_msgptr where to put a user error (for SMTP response)
log_msgptr where to put a logging message (not for SMTP response)
Returns: OK access is granted by an ACCEPT verb
DISCARD access is granted by a DISCARD verb
FAIL access is denied
FAIL_DROP access is denied; drop the connection
DEFER can't tell at the moment
ERROR disaster
*/
int
dkim_exim_acl_run(uschar * id, gstring ** res_ptr,
uschar ** user_msgptr, uschar ** log_msgptr)
{
uschar * cmp_val;
int rc = -1;
dkim_verify_status = US"none";
dkim_verify_reason = US"";
dkim_cur_signer = id;
if (f.dkim_disable_verify || !id || !dkim_verify_ctx)
return OK;
/* Find signatures to run ACL on */
for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
&& strcmpic(cmp_val, id) == 0
)
{
/* The "dkim_domain" and "dkim_selector" expansion variables have
related globals, since they are used in the signing code too.
Instead of inventing separate names for verification, we set
them here. This is easy since a domain and selector is guaranteed
to be in a signature. The other dkim_* expansion items are
dynamically fetched from dkim_cur_sig at expansion time (see
dkim_exim_expand_query() below). */
dkim_cur_sig = sig;
dkim_signing_domain = US sig->domain;
dkim_signing_selector = US sig->selector;
dkim_key_length = sig->keybits;
/* These two return static strings, so we can compare the addr
later to see if the ACL overwrote them. Check that when logging */
dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK)
return rc;
}
if (rc != -1)
return rc;
/* No matching sig found. Call ACL once anyway. */
dkim_cur_sig = NULL;
return dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr);
}
static uschar *
dkim_exim_expand_defaults(int what)
{
switch (what)
{
case DKIM_ALGO: return US"";
case DKIM_BODYLENGTH: return US"9999999999999";
case DKIM_CANON_BODY: return US"";
case DKIM_CANON_HEADERS: return US"";
case DKIM_COPIEDHEADERS: return US"";
case DKIM_CREATED: return US"0";
case DKIM_EXPIRES: return US"9999999999999";
case DKIM_HEADERNAMES: return US"";
case DKIM_IDENTITY: return US"";
case DKIM_KEY_GRANULARITY: return US"*";
case DKIM_KEY_SRVTYPE: return US"*";
case DKIM_KEY_NOTES: return US"";
case DKIM_KEY_TESTING: return US"0";
case DKIM_NOSUBDOMAINS: return US"0";
case DKIM_VERIFY_STATUS: return US"none";
case DKIM_VERIFY_REASON: return US"";
default: return US"";
}
}
uschar *
dkim_exim_expand_query(int what)
{
if (!dkim_verify_ctx || f.dkim_disable_verify || !dkim_cur_sig)
return dkim_exim_expand_defaults(what);
switch (what)
{
case DKIM_ALGO:
return dkim_sig_to_a_tag(dkim_cur_sig);
case DKIM_BODYLENGTH:
return dkim_cur_sig->bodylength >= 0
? string_sprintf("%ld", dkim_cur_sig->bodylength)
: dkim_exim_expand_defaults(what);
case DKIM_CANON_BODY:
switch (dkim_cur_sig->canon_body)
{
case PDKIM_CANON_RELAXED: return US"relaxed";
case PDKIM_CANON_SIMPLE:
default: return US"simple";
}
case DKIM_CANON_HEADERS:
switch (dkim_cur_sig->canon_headers)
{
case PDKIM_CANON_RELAXED: return US"relaxed";
case PDKIM_CANON_SIMPLE:
default: return US"simple";
}
case DKIM_COPIEDHEADERS:
return dkim_cur_sig->copiedheaders
? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
case DKIM_CREATED:
return dkim_cur_sig->created > 0
? string_sprintf("%lu", dkim_cur_sig->created)
: dkim_exim_expand_defaults(what);
case DKIM_EXPIRES:
return dkim_cur_sig->expires > 0
? string_sprintf("%lu", dkim_cur_sig->expires)
: dkim_exim_expand_defaults(what);
case DKIM_HEADERNAMES:
return dkim_cur_sig->headernames
? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
case DKIM_IDENTITY:
return dkim_cur_sig->identity
? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
case DKIM_KEY_GRANULARITY:
return dkim_cur_sig->pubkey
? dkim_cur_sig->pubkey->granularity
? US dkim_cur_sig->pubkey->granularity
: dkim_exim_expand_defaults(what)
: dkim_exim_expand_defaults(what);
case DKIM_KEY_SRVTYPE:
return dkim_cur_sig->pubkey
? dkim_cur_sig->pubkey->srvtype
? US dkim_cur_sig->pubkey->srvtype
: dkim_exim_expand_defaults(what)
: dkim_exim_expand_defaults(what);
case DKIM_KEY_NOTES:
return dkim_cur_sig->pubkey
? dkim_cur_sig->pubkey->notes
? US dkim_cur_sig->pubkey->notes
: dkim_exim_expand_defaults(what)
: dkim_exim_expand_defaults(what);
case DKIM_KEY_TESTING:
return dkim_cur_sig->pubkey
? dkim_cur_sig->pubkey->testing
? US"1"
: dkim_exim_expand_defaults(what)
: dkim_exim_expand_defaults(what);
case DKIM_NOSUBDOMAINS:
return dkim_cur_sig->pubkey
? dkim_cur_sig->pubkey->no_subdomaining
? US"1"
: dkim_exim_expand_defaults(what)
: dkim_exim_expand_defaults(what);
case DKIM_VERIFY_STATUS:
switch (dkim_cur_sig->verify_status)
{
case PDKIM_VERIFY_INVALID: return US"invalid";
case PDKIM_VERIFY_FAIL: return US"fail";
case PDKIM_VERIFY_PASS: return US"pass";
case PDKIM_VERIFY_NONE:
default: return US"none";
}
case DKIM_VERIFY_REASON:
switch (dkim_cur_sig->verify_ext_status)
{
case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
return US"pubkey_unavailable";
case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return US"pubkey_der_syntax";
case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: return US"pubkey_too_short";
case PDKIM_VERIFY_FAIL_BODY: return US"bodyhash_mismatch";
case PDKIM_VERIFY_FAIL_MESSAGE: return US"signature_incorrect";
}
default:
return US"";
}
}
void
dkim_exim_sign_init(void)
{
int old_pool = store_pool;
dkim_exim_init();
store_pool = POOL_MAIN;
pdkim_init_context(&dkim_sign_ctx, FALSE, &dkim_exim_query_dns_txt);
store_pool = old_pool;
}
/* Generate signatures for the given file.
If a prefix is given, prepend it to the file for the calculations.
Return:
NULL: error; error string written
string: signature header(s), or a zero-length string (not an error)
*/
gstring *
dkim_exim_sign(int fd, off_t off, uschar * prefix,
struct ob_dkim * dkim, const uschar ** errstr)
{
const uschar * dkim_domain = NULL;
int sep = 0;
gstring * seen_doms = NULL;
pdkim_signature * sig;
gstring * sigbuf;
int pdkim_rc;
int sread;
uschar buf[4096];
int save_errno = 0;
int old_pool = store_pool;
uschar * errwhen;
const uschar * s;
if (dkim->dot_stuffed)
dkim_sign_ctx.flags |= PDKIM_DOT_TERM;
store_pool = POOL_MAIN;
if ((s = dkim->dkim_domain) && !(dkim_domain = expand_cstring(s)))
/* expansion error, do not send message. */
{ errwhen = US"dkim_domain"; goto expand_bad; }
/* Set $dkim_domain expansion variable to each unique domain in list. */
if (dkim_domain)
while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0)))
{
const uschar * dkim_sel;
int sel_sep = 0;
if (dkim_signing_domain[0] == '\0')
continue;
/* Only sign once for each domain, no matter how often it
appears in the expanded list. */
dkim_signing_domain = string_copylc(dkim_signing_domain);
if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
continue;
seen_doms = string_append_listele(seen_doms, ':', dkim_signing_domain);
/* Set $dkim_selector expansion variable to each selector in list,
for this domain. */
if (!(dkim_sel = expand_string(dkim->dkim_selector)))
{ errwhen = US"dkim_selector"; goto expand_bad; }
while ((dkim_signing_selector = string_nextinlist(&dkim_sel, &sel_sep,
NULL, 0)))
{
uschar * dkim_canon_expanded;
int pdkim_canon;
uschar * dkim_sign_headers_expanded = NULL;
uschar * dkim_private_key_expanded;
uschar * dkim_hash_expanded;
uschar * dkim_identity_expanded = NULL;
uschar * dkim_timestamps_expanded = NULL;
unsigned long tval = 0, xval = 0;
/* Get canonicalization to use */
dkim_canon_expanded = dkim->dkim_canon
? expand_string(dkim->dkim_canon) : US"relaxed";
if (!dkim_canon_expanded) /* expansion error, do not send message. */
{ errwhen = US"dkim_canon"; goto expand_bad; }
if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
pdkim_canon = PDKIM_CANON_RELAXED;
else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
pdkim_canon = PDKIM_CANON_SIMPLE;
else
{
log_write(0, LOG_MAIN,
"DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
dkim_canon_expanded);
pdkim_canon = PDKIM_CANON_RELAXED;
}
if ( dkim->dkim_sign_headers
&& !(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
{ errwhen = US"dkim_sign_header"; goto expand_bad; }
/* else pass NULL, which means default header list */
/* Get private key to use. */
if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
{ errwhen = US"dkim_private_key"; goto expand_bad; }
if ( Ustrlen(dkim_private_key_expanded) == 0
|| Ustrcmp(dkim_private_key_expanded, "0") == 0
|| Ustrcmp(dkim_private_key_expanded, "false") == 0
)
continue; /* don't sign, but no error */
if ( dkim_private_key_expanded[0] == '/'
&& !(dkim_private_key_expanded =
expand_file_big_buffer(dkim_private_key_expanded)))
goto bad;
if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash)))
{ errwhen = US"dkim_hash"; goto expand_bad; }
if (dkim->dkim_identity)
if (!(dkim_identity_expanded = expand_string(dkim->dkim_identity)))
{ errwhen = US"dkim_identity"; goto expand_bad; }
else if (!*dkim_identity_expanded)
dkim_identity_expanded = NULL;
if (dkim->dkim_timestamps)
if (!(dkim_timestamps_expanded = expand_string(dkim->dkim_timestamps)))
{ errwhen = US"dkim_timestamps"; goto expand_bad; }
else
xval = (tval = (unsigned long) time(NULL))
+ strtoul(CCS dkim_timestamps_expanded, NULL, 10);
if (!(sig = pdkim_init_sign(&dkim_sign_ctx, dkim_signing_domain,
dkim_signing_selector,
dkim_private_key_expanded,
dkim_hash_expanded,
errstr
)))
goto bad;
dkim_private_key_expanded[0] = '\0';
pdkim_set_optional(sig,
CS dkim_sign_headers_expanded,
CS dkim_identity_expanded,
pdkim_canon,
pdkim_canon, -1, tval, xval);
if (!pdkim_set_sig_bodyhash(&dkim_sign_ctx, sig))
goto bad;
if (!dkim_sign_ctx.sig) /* link sig to context chain */
dkim_sign_ctx.sig = sig;
else
{
pdkim_signature * n = dkim_sign_ctx.sig;
while (n->next) n = n->next;
n->next = sig;
}
}
}
/* We may need to carry on with the data-feed even if there are no DKIM sigs to
produce, if some other package (eg. ARC) is signing. */
if (!dkim_sign_ctx.sig && !dkim->force_bodyhash)
{
DEBUG(D_transport) debug_printf("DKIM: no viable signatures to use\n");
sigbuf = string_get(1); /* return a zero-len string */
}
else
{
if (prefix && (pdkim_rc = pdkim_feed(&dkim_sign_ctx, prefix, Ustrlen(prefix))) != PDKIM_OK)
goto pk_bad;
if (lseek(fd, off, SEEK_SET) < 0)
sread = -1;
else
while ((sread = read(fd, &buf, sizeof(buf))) > 0)
if ((pdkim_rc = pdkim_feed(&dkim_sign_ctx, buf, sread)) != PDKIM_OK)
goto pk_bad;
/* Handle failed read above. */
if (sread == -1)
{
debug_printf("DKIM: Error reading -K file.\n");
save_errno = errno;
goto bad;
}
/* Build string of headers, one per signature */
if ((pdkim_rc = pdkim_feed_finish(&dkim_sign_ctx, &sig, errstr)) != PDKIM_OK)
goto pk_bad;
if (!sig)
{
DEBUG(D_transport) debug_printf("DKIM: no signatures to use\n");
sigbuf = string_get(1); /* return a zero-len string */
}
else for (sigbuf = NULL; sig; sig = sig->next)
sigbuf = string_append(sigbuf, 2, US sig->signature_header, US"\r\n");
}
CLEANUP:
(void) string_from_gstring(sigbuf);
store_pool = old_pool;
errno = save_errno;
return sigbuf;
pk_bad:
log_write(0, LOG_MAIN|LOG_PANIC,
"DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
bad:
sigbuf = NULL;
goto CLEANUP;
expand_bad:
*errstr = string_sprintf("failed to expand %s: %s",
errwhen, expand_string_message);
log_write(0, LOG_MAIN | LOG_PANIC, "%s", *errstr);
goto bad;
}
gstring *
authres_dkim(gstring * g)
{
int start = 0; /* compiler quietening */
DEBUG(D_acl) start = g->ptr;
for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
{
g = string_catn(g, US";\n\tdkim=", 8);
if (sig->verify_status & PDKIM_VERIFY_POLICY)
g = string_append(g, 5,
US"policy (", dkim_verify_status, US" - ", dkim_verify_reason, US")");
else switch(sig->verify_status)
{
case PDKIM_VERIFY_NONE: g = string_cat(g, US"none"); break;
case PDKIM_VERIFY_INVALID:
switch (sig->verify_ext_status)
{
case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
g = string_cat(g, US"tmperror (pubkey unavailable)\n\t\t"); break;
case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
g = string_cat(g, US"permerror (overlong public key record)\n\t\t"); break;
case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
g = string_cat(g, US"neutral (public key record import problem)\n\t\t");
break;
case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
g = string_cat(g, US"neutral (signature tag missing or invalid)\n\t\t");
break;
case PDKIM_VERIFY_INVALID_DKIM_VERSION:
g = string_cat(g, US"neutral (unsupported DKIM version)\n\t\t");
break;
default:
g = string_cat(g, US"permerror (unspecified problem)\n\t\t"); break;
}
break;
case PDKIM_VERIFY_FAIL:
switch (sig->verify_ext_status)
{
case PDKIM_VERIFY_FAIL_BODY:
g = string_cat(g,
US"fail (body hash mismatch; body probably modified in transit)\n\t\t");
break;
case PDKIM_VERIFY_FAIL_MESSAGE:
g = string_cat(g,
US"fail (signature did not verify; headers probably modified in transit)\n\t\t");
break;
case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: /* should this really be "polcy"? */
g = string_fmt_append(g, "fail (public key too short: %u bits)\n\t\t", sig->keybits);
break;
default:
g = string_cat(g, US"fail (unspecified reason)\n\t\t");
break;
}
break;
case PDKIM_VERIFY_PASS: g = string_cat(g, US"pass"); break;
default: g = string_cat(g, US"permerror"); break;
}
if (sig->domain) g = string_append(g, 2, US" header.d=", sig->domain);
if (sig->identity) g = string_append(g, 2, US" header.i=", sig->identity);
if (sig->selector) g = string_append(g, 2, US" header.s=", sig->selector);
g = string_append(g, 2, US" header.a=", dkim_sig_to_a_tag(sig));
}
DEBUG(D_acl)
if (g->ptr == start)
debug_printf("DKIM: no authres\n");
else
debug_printf("DKIM: authres '%.*s'\n", g->ptr - start - 3, g->s + start + 3);
return g;
}
# endif /*!MACRO_PREDEF*/
#endif /*!DISABLE_DKIM*/
|
