1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge, 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Code for DKIM support. Other DKIM relevant code is in
9 receive.c, transport.c and transports/smtp.c */
15 # include "pdkim/pdkim.h"
18 # include "macro_predef.h"
23 builtin_macro_create_var(US"_DKIM_SIGN_HEADERS", US PDKIM_DEFAULT_SIGN_HEADERS);
25 # else /*!MACRO_PREDEF*/
29 pdkim_ctx dkim_sign_ctx;
31 int dkim_verify_oldpool;
32 pdkim_ctx *dkim_verify_ctx = NULL;
33 pdkim_signature *dkim_cur_sig = NULL;
34 static const uschar * dkim_collect_error = NULL;
36 #define DKIM_MAX_SIGNATURES 20
40 /*XXX the caller only uses the first record if we return multiple.
44 dkim_exim_query_dns_txt(uschar * name)
46 /*XXX need to always alloc the dnsa, from tainted mem.
47 Then, we hope, the answers will be tainted */
51 rmark reset_point = store_mark();
54 lookup_dnssec_authenticated = NULL;
55 if (dns_lookup(&dnsa, name, T_TXT, NULL) != DNS_SUCCEED)
56 return NULL; /*XXX better error detail? logging? */
58 /* Search for TXT record */
60 for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
62 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
63 if (rr->type == T_TXT)
67 /* Copy record content to the answer buffer */
69 while (rr_offset < rr->size)
71 uschar len = rr->data[rr_offset++];
73 g = string_catn(g, US(rr->data + rr_offset), len);
74 if (g->ptr >= PDKIM_DNS_TXT_MAX_RECLEN)
80 /* check if this looks like a DKIM record */
81 if (Ustrncmp(g->s, "v=", 2) != 0 || strncasecmp(CS g->s, "v=dkim", 6) == 0)
83 gstring_release_unused(g);
84 return string_from_gstring(g);
87 if (g) g->ptr = 0; /* overwrite previous record */
91 store_reset(reset_point);
92 return NULL; /*XXX better error detail? logging? */
105 dkim_exim_verify_init(BOOL dot_stuffing)
107 /* There is a store-reset between header & body reception
108 so cannot use the main pool. Any allocs done by Exim
109 memory-handling must use the perm pool. */
111 dkim_verify_oldpool = store_pool;
112 store_pool = POOL_PERM;
114 /* Free previous context if there is one */
117 pdkim_free_ctx(dkim_verify_ctx);
119 /* Create new context */
121 dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
122 dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0;
123 dkim_collect_error = NULL;
125 /* Start feed up with any cached data */
128 store_pool = dkim_verify_oldpool;
133 dkim_exim_verify_feed(uschar * data, int len)
137 store_pool = POOL_PERM;
138 if ( dkim_collect_input
139 && (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK)
141 dkim_collect_error = pdkim_errstr(rc);
142 log_write(0, LOG_MAIN,
143 "DKIM: validation error: %.100s", dkim_collect_error);
144 dkim_collect_input = 0;
146 store_pool = dkim_verify_oldpool;
150 /* Log the result for the given signature */
152 dkim_exim_verify_log_sig(pdkim_signature * sig)
159 /* Remember the domain for the first pass result */
161 if ( !dkim_verify_overall
162 && dkim_verify_status
163 ? Ustrcmp(dkim_verify_status, US"pass") == 0
164 : sig->verify_status == PDKIM_VERIFY_PASS
166 dkim_verify_overall = string_copy(sig->domain);
168 /* Rewrite the sig result if the ACL overrode it. This is only
169 needed because the DMARC code (sigh) peeks at the dkim sigs.
170 Mark the sig for this having been done. */
172 if ( dkim_verify_status
173 && ( dkim_verify_status != dkim_exim_expand_query(DKIM_VERIFY_STATUS)
174 || dkim_verify_reason != dkim_exim_expand_query(DKIM_VERIFY_REASON)
176 { /* overridden by ACL */
177 sig->verify_ext_status = -1;
178 if (Ustrcmp(dkim_verify_status, US"fail") == 0)
179 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_FAIL;
180 else if (Ustrcmp(dkim_verify_status, US"invalid") == 0)
181 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_INVALID;
182 else if (Ustrcmp(dkim_verify_status, US"none") == 0)
183 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_NONE;
184 else if (Ustrcmp(dkim_verify_status, US"pass") == 0)
185 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_PASS;
187 sig->verify_status = -1;
190 if (!LOGGING(dkim_verbose)) return;
193 logmsg = string_catn(NULL, US"DKIM: ", 6);
194 if (!(s = sig->domain)) s = US"<UNSET>";
195 logmsg = string_append(logmsg, 2, "d=", s);
196 if (!(s = sig->selector)) s = US"<UNSET>";
197 logmsg = string_append(logmsg, 2, " s=", s);
198 logmsg = string_fmt_append(logmsg, " c=%s/%s a=%s b=" SIZE_T_FMT,
199 sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
200 sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
201 dkim_sig_to_a_tag(sig),
202 (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : (size_t)0);
203 if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
204 if (sig->created > 0) logmsg = string_fmt_append(logmsg, " t=%lu",
206 if (sig->expires > 0) logmsg = string_fmt_append(logmsg, " x=%lu",
208 if (sig->bodylength > -1) logmsg = string_fmt_append(logmsg, " l=%lu",
211 if (sig->verify_status & PDKIM_VERIFY_POLICY)
212 logmsg = string_append(logmsg, 5,
213 US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
215 switch (sig->verify_status)
217 case PDKIM_VERIFY_NONE:
218 logmsg = string_cat(logmsg, US" [not verified]");
221 case PDKIM_VERIFY_INVALID:
222 logmsg = string_cat(logmsg, US" [invalid - ");
223 switch (sig->verify_ext_status)
225 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
226 logmsg = string_cat(logmsg,
227 US"public key record (currently?) unavailable]");
230 case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
231 logmsg = string_cat(logmsg, US"overlong public key record]");
234 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
235 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
236 logmsg = string_cat(logmsg, US"syntax error in public key record]");
239 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
240 logmsg = string_cat(logmsg, US"signature tag missing or invalid]");
243 case PDKIM_VERIFY_INVALID_DKIM_VERSION:
244 logmsg = string_cat(logmsg, US"unsupported DKIM version]");
248 logmsg = string_cat(logmsg, US"unspecified problem]");
252 case PDKIM_VERIFY_FAIL:
253 logmsg = string_cat(logmsg, US" [verification failed - ");
254 switch (sig->verify_ext_status)
256 case PDKIM_VERIFY_FAIL_BODY:
257 logmsg = string_cat(logmsg,
258 US"body hash mismatch (body probably modified in transit)]");
261 case PDKIM_VERIFY_FAIL_MESSAGE:
262 logmsg = string_cat(logmsg,
263 US"signature did not verify "
264 "(headers probably modified in transit)]");
268 logmsg = string_cat(logmsg, US"unspecified reason]");
272 case PDKIM_VERIFY_PASS:
273 logmsg = string_cat(logmsg, US" [verification succeeded]");
277 log_write(0, LOG_MAIN, "%s", string_from_gstring(logmsg));
282 /* Log a line for each signature */
284 dkim_exim_verify_log_all(void)
286 for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
287 dkim_exim_verify_log_sig(sig);
292 dkim_exim_verify_finish(void)
296 const uschar * errstr = NULL;
298 store_pool = POOL_PERM;
300 /* Delete eventual previous signature chain */
303 dkim_signatures = NULL;
305 if (dkim_collect_error)
307 log_write(0, LOG_MAIN,
308 "DKIM: Error during validation, disabling signature verification: %.100s",
310 f.dkim_disable_verify = TRUE;
314 dkim_collect_input = 0;
316 /* Finish DKIM operation and fetch link to signatures chain */
318 rc = pdkim_feed_finish(dkim_verify_ctx, (pdkim_signature **)&dkim_signatures,
320 if (rc != PDKIM_OK && errstr)
321 log_write(0, LOG_MAIN, "DKIM: validation error: %s", errstr);
323 /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
325 for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
327 if (sig->domain) g = string_append_listele(g, ':', sig->domain);
328 if (sig->identity) g = string_append_listele(g, ':', sig->identity);
331 if (g) dkim_signers = g->s;
334 store_pool = dkim_verify_oldpool;
339 /* Args as per dkim_exim_acl_run() below */
341 dkim_acl_call(uschar * id, gstring ** res_ptr,
342 uschar ** user_msgptr, uschar ** log_msgptr)
346 debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n", id);
348 rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, user_msgptr, log_msgptr);
349 dkim_exim_verify_log_sig(dkim_cur_sig);
350 *res_ptr = string_append_listele(*res_ptr, ':', dkim_verify_status);
356 /* For the given identity, run the DKIM ACL once for each matching signature.
359 id Identity to look for in dkim signatures
360 res_ptr ptr to growable string-list of status results,
361 appended to per ACL run
362 user_msgptr where to put a user error (for SMTP response)
363 log_msgptr where to put a logging message (not for SMTP response)
365 Returns: OK access is granted by an ACCEPT verb
366 DISCARD access is granted by a DISCARD verb
367 FAIL access is denied
368 FAIL_DROP access is denied; drop the connection
369 DEFER can't tell at the moment
374 dkim_exim_acl_run(uschar * id, gstring ** res_ptr,
375 uschar ** user_msgptr, uschar ** log_msgptr)
380 dkim_verify_status = US"none";
381 dkim_verify_reason = US"";
382 dkim_cur_signer = id;
384 if (f.dkim_disable_verify || !id || !dkim_verify_ctx)
387 /* Find signatures to run ACL on */
389 for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
390 if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
391 && strcmpic(cmp_val, id) == 0
394 /* The "dkim_domain" and "dkim_selector" expansion variables have
395 related globals, since they are used in the signing code too.
396 Instead of inventing separate names for verification, we set
397 them here. This is easy since a domain and selector is guaranteed
398 to be in a signature. The other dkim_* expansion items are
399 dynamically fetched from dkim_cur_sig at expansion time (see
400 dkim_exim_expand_query() below). */
403 dkim_signing_domain = US sig->domain;
404 dkim_signing_selector = US sig->selector;
405 dkim_key_length = sig->sighash.len * 8;
407 /* These two return static strings, so we can compare the addr
408 later to see if the ACL overwrote them. Check that when logging */
410 dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
411 dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
413 if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK)
420 /* No matching sig found. Call ACL once anyway. */
423 return dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr);
428 dkim_exim_expand_defaults(int what)
432 case DKIM_ALGO: return US"";
433 case DKIM_BODYLENGTH: return US"9999999999999";
434 case DKIM_CANON_BODY: return US"";
435 case DKIM_CANON_HEADERS: return US"";
436 case DKIM_COPIEDHEADERS: return US"";
437 case DKIM_CREATED: return US"0";
438 case DKIM_EXPIRES: return US"9999999999999";
439 case DKIM_HEADERNAMES: return US"";
440 case DKIM_IDENTITY: return US"";
441 case DKIM_KEY_GRANULARITY: return US"*";
442 case DKIM_KEY_SRVTYPE: return US"*";
443 case DKIM_KEY_NOTES: return US"";
444 case DKIM_KEY_TESTING: return US"0";
445 case DKIM_NOSUBDOMAINS: return US"0";
446 case DKIM_VERIFY_STATUS: return US"none";
447 case DKIM_VERIFY_REASON: return US"";
448 default: return US"";
454 dkim_exim_expand_query(int what)
456 if (!dkim_verify_ctx || f.dkim_disable_verify || !dkim_cur_sig)
457 return dkim_exim_expand_defaults(what);
462 return dkim_sig_to_a_tag(dkim_cur_sig);
464 case DKIM_BODYLENGTH:
465 return dkim_cur_sig->bodylength >= 0
466 ? string_sprintf("%ld", dkim_cur_sig->bodylength)
467 : dkim_exim_expand_defaults(what);
469 case DKIM_CANON_BODY:
470 switch (dkim_cur_sig->canon_body)
472 case PDKIM_CANON_RELAXED: return US"relaxed";
473 case PDKIM_CANON_SIMPLE:
474 default: return US"simple";
477 case DKIM_CANON_HEADERS:
478 switch (dkim_cur_sig->canon_headers)
480 case PDKIM_CANON_RELAXED: return US"relaxed";
481 case PDKIM_CANON_SIMPLE:
482 default: return US"simple";
485 case DKIM_COPIEDHEADERS:
486 return dkim_cur_sig->copiedheaders
487 ? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
490 return dkim_cur_sig->created > 0
491 ? string_sprintf("%lu", dkim_cur_sig->created)
492 : dkim_exim_expand_defaults(what);
495 return dkim_cur_sig->expires > 0
496 ? string_sprintf("%lu", dkim_cur_sig->expires)
497 : dkim_exim_expand_defaults(what);
499 case DKIM_HEADERNAMES:
500 return dkim_cur_sig->headernames
501 ? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
504 return dkim_cur_sig->identity
505 ? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
507 case DKIM_KEY_GRANULARITY:
508 return dkim_cur_sig->pubkey
509 ? dkim_cur_sig->pubkey->granularity
510 ? US dkim_cur_sig->pubkey->granularity
511 : dkim_exim_expand_defaults(what)
512 : dkim_exim_expand_defaults(what);
514 case DKIM_KEY_SRVTYPE:
515 return dkim_cur_sig->pubkey
516 ? dkim_cur_sig->pubkey->srvtype
517 ? US dkim_cur_sig->pubkey->srvtype
518 : dkim_exim_expand_defaults(what)
519 : dkim_exim_expand_defaults(what);
522 return dkim_cur_sig->pubkey
523 ? dkim_cur_sig->pubkey->notes
524 ? US dkim_cur_sig->pubkey->notes
525 : dkim_exim_expand_defaults(what)
526 : dkim_exim_expand_defaults(what);
528 case DKIM_KEY_TESTING:
529 return dkim_cur_sig->pubkey
530 ? dkim_cur_sig->pubkey->testing
532 : dkim_exim_expand_defaults(what)
533 : dkim_exim_expand_defaults(what);
535 case DKIM_NOSUBDOMAINS:
536 return dkim_cur_sig->pubkey
537 ? dkim_cur_sig->pubkey->no_subdomaining
539 : dkim_exim_expand_defaults(what)
540 : dkim_exim_expand_defaults(what);
542 case DKIM_VERIFY_STATUS:
543 switch (dkim_cur_sig->verify_status)
545 case PDKIM_VERIFY_INVALID: return US"invalid";
546 case PDKIM_VERIFY_FAIL: return US"fail";
547 case PDKIM_VERIFY_PASS: return US"pass";
548 case PDKIM_VERIFY_NONE:
549 default: return US"none";
552 case DKIM_VERIFY_REASON:
553 switch (dkim_cur_sig->verify_ext_status)
555 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
556 return US"pubkey_unavailable";
557 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
558 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return US"pubkey_der_syntax";
559 case PDKIM_VERIFY_FAIL_BODY: return US"bodyhash_mismatch";
560 case PDKIM_VERIFY_FAIL_MESSAGE: return US"signature_incorrect";
570 dkim_exim_sign_init(void)
572 int old_pool = store_pool;
573 store_pool = POOL_MAIN;
574 pdkim_init_context(&dkim_sign_ctx, FALSE, &dkim_exim_query_dns_txt);
575 store_pool = old_pool;
579 /* Generate signatures for the given file.
580 If a prefix is given, prepend it to the file for the calculations.
583 NULL: error; error string written
584 string: signature header(s), or a zero-length string (not an error)
588 dkim_exim_sign(int fd, off_t off, uschar * prefix,
589 struct ob_dkim * dkim, const uschar ** errstr)
591 const uschar * dkim_domain = NULL;
593 gstring * seen_doms = NULL;
594 pdkim_signature * sig;
600 int old_pool = store_pool;
604 if (dkim->dot_stuffed)
605 dkim_sign_ctx.flags |= PDKIM_DOT_TERM;
607 store_pool = POOL_MAIN;
609 if ((s = dkim->dkim_domain) && !(dkim_domain = expand_cstring(s)))
610 /* expansion error, do not send message. */
611 { errwhen = US"dkim_domain"; goto expand_bad; }
613 /* Set $dkim_domain expansion variable to each unique domain in list. */
616 while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0)))
618 const uschar * dkim_sel;
621 if (dkim_signing_domain[0] == '\0')
624 /* Only sign once for each domain, no matter how often it
625 appears in the expanded list. */
627 dkim_signing_domain = string_copylc(dkim_signing_domain);
628 if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
629 0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
632 seen_doms = string_append_listele(seen_doms, ':', dkim_signing_domain);
634 /* Set $dkim_selector expansion variable to each selector in list,
637 if (!(dkim_sel = expand_string(dkim->dkim_selector)))
638 { errwhen = US"dkim_selector"; goto expand_bad; }
640 while ((dkim_signing_selector = string_nextinlist(&dkim_sel, &sel_sep,
643 uschar * dkim_canon_expanded;
645 uschar * dkim_sign_headers_expanded = NULL;
646 uschar * dkim_private_key_expanded;
647 uschar * dkim_hash_expanded;
648 uschar * dkim_identity_expanded = NULL;
649 uschar * dkim_timestamps_expanded = NULL;
650 unsigned long tval = 0, xval = 0;
652 /* Get canonicalization to use */
654 dkim_canon_expanded = dkim->dkim_canon
655 ? expand_string(dkim->dkim_canon) : US"relaxed";
656 if (!dkim_canon_expanded) /* expansion error, do not send message. */
657 { errwhen = US"dkim_canon"; goto expand_bad; }
659 if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
660 pdkim_canon = PDKIM_CANON_RELAXED;
661 else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
662 pdkim_canon = PDKIM_CANON_SIMPLE;
665 log_write(0, LOG_MAIN,
666 "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
667 dkim_canon_expanded);
668 pdkim_canon = PDKIM_CANON_RELAXED;
671 if ( dkim->dkim_sign_headers
672 && !(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
673 { errwhen = US"dkim_sign_header"; goto expand_bad; }
674 /* else pass NULL, which means default header list */
676 /* Get private key to use. */
678 if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
679 { errwhen = US"dkim_private_key"; goto expand_bad; }
681 if ( Ustrlen(dkim_private_key_expanded) == 0
682 || Ustrcmp(dkim_private_key_expanded, "0") == 0
683 || Ustrcmp(dkim_private_key_expanded, "false") == 0
685 continue; /* don't sign, but no error */
687 if ( dkim_private_key_expanded[0] == '/'
688 && !(dkim_private_key_expanded =
689 expand_file_big_buffer(dkim_private_key_expanded)))
692 if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash)))
693 { errwhen = US"dkim_hash"; goto expand_bad; }
695 if (dkim->dkim_identity)
696 if (!(dkim_identity_expanded = expand_string(dkim->dkim_identity)))
697 { errwhen = US"dkim_identity"; goto expand_bad; }
698 else if (!*dkim_identity_expanded)
699 dkim_identity_expanded = NULL;
701 if (dkim->dkim_timestamps)
702 if (!(dkim_timestamps_expanded = expand_string(dkim->dkim_timestamps)))
703 { errwhen = US"dkim_timestamps"; goto expand_bad; }
705 xval = (tval = (unsigned long) time(NULL))
706 + strtoul(CCS dkim_timestamps_expanded, NULL, 10);
708 if (!(sig = pdkim_init_sign(&dkim_sign_ctx, dkim_signing_domain,
709 dkim_signing_selector,
710 dkim_private_key_expanded,
715 dkim_private_key_expanded[0] = '\0';
717 pdkim_set_optional(sig,
718 CS dkim_sign_headers_expanded,
719 CS dkim_identity_expanded,
721 pdkim_canon, -1, tval, xval);
723 if (!pdkim_set_sig_bodyhash(&dkim_sign_ctx, sig))
726 if (!dkim_sign_ctx.sig) /* link sig to context chain */
727 dkim_sign_ctx.sig = sig;
730 pdkim_signature * n = dkim_sign_ctx.sig;
731 while (n->next) n = n->next;
737 /* We may need to carry on with the data-feed even if there are no DKIM sigs to
738 produce, if some other package (eg. ARC) is signing. */
740 if (!dkim_sign_ctx.sig && !dkim->force_bodyhash)
742 DEBUG(D_transport) debug_printf("DKIM: no viable signatures to use\n");
743 sigbuf = string_get(1); /* return a zero-len string */
747 if (prefix && (pdkim_rc = pdkim_feed(&dkim_sign_ctx, prefix, Ustrlen(prefix))) != PDKIM_OK)
750 if (lseek(fd, off, SEEK_SET) < 0)
753 while ((sread = read(fd, &buf, sizeof(buf))) > 0)
754 if ((pdkim_rc = pdkim_feed(&dkim_sign_ctx, buf, sread)) != PDKIM_OK)
757 /* Handle failed read above. */
760 debug_printf("DKIM: Error reading -K file.\n");
765 /* Build string of headers, one per signature */
767 if ((pdkim_rc = pdkim_feed_finish(&dkim_sign_ctx, &sig, errstr)) != PDKIM_OK)
772 DEBUG(D_transport) debug_printf("DKIM: no signatures to use\n");
773 sigbuf = string_get(1); /* return a zero-len string */
775 else for (sigbuf = NULL; sig; sig = sig->next)
776 sigbuf = string_append(sigbuf, 2, US sig->signature_header, US"\r\n");
780 (void) string_from_gstring(sigbuf);
781 store_pool = old_pool;
786 log_write(0, LOG_MAIN|LOG_PANIC,
787 "DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
793 *errstr = string_sprintf("failed to expand %s: %s",
794 errwhen, expand_string_message);
795 log_write(0, LOG_MAIN | LOG_PANIC, "%s", *errstr);
803 authres_dkim(gstring * g)
805 int start = 0; /* compiler quietening */
807 DEBUG(D_acl) start = g->ptr;
809 for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
811 g = string_catn(g, US";\n\tdkim=", 8);
813 if (sig->verify_status & PDKIM_VERIFY_POLICY)
814 g = string_append(g, 5,
815 US"policy (", dkim_verify_status, US" - ", dkim_verify_reason, US")");
816 else switch(sig->verify_status)
818 case PDKIM_VERIFY_NONE: g = string_cat(g, US"none"); break;
819 case PDKIM_VERIFY_INVALID:
820 switch (sig->verify_ext_status)
822 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
823 g = string_cat(g, US"tmperror (pubkey unavailable)\n\t\t"); break;
824 case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
825 g = string_cat(g, US"permerror (overlong public key record)\n\t\t"); break;
826 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
827 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
828 g = string_cat(g, US"neutral (public key record import problem)\n\t\t");
830 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
831 g = string_cat(g, US"neutral (signature tag missing or invalid)\n\t\t");
833 case PDKIM_VERIFY_INVALID_DKIM_VERSION:
834 g = string_cat(g, US"neutral (unsupported DKIM version)\n\t\t");
837 g = string_cat(g, US"permerror (unspecified problem)\n\t\t"); break;
840 case PDKIM_VERIFY_FAIL:
841 switch (sig->verify_ext_status)
843 case PDKIM_VERIFY_FAIL_BODY:
845 US"fail (body hash mismatch; body probably modified in transit)\n\t\t");
847 case PDKIM_VERIFY_FAIL_MESSAGE:
849 US"fail (signature did not verify; headers probably modified in transit)\n\t\t");
852 g = string_cat(g, US"fail (unspecified reason)\n\t\t");
856 case PDKIM_VERIFY_PASS: g = string_cat(g, US"pass"); break;
857 default: g = string_cat(g, US"permerror"); break;
859 if (sig->domain) g = string_append(g, 2, US" header.d=", sig->domain);
860 if (sig->identity) g = string_append(g, 2, US" header.i=", sig->identity);
861 if (sig->selector) g = string_append(g, 2, US" header.s=", sig->selector);
862 g = string_append(g, 2, US" header.a=", dkim_sig_to_a_tag(sig));
867 debug_printf("DKIM: no authres\n");
869 debug_printf("DKIM: authres '%.*s'\n", g->ptr - start - 3, g->s + start + 3);
874 # endif /*!MACRO_PREDEF*/
875 #endif /*!DISABLE_DKIM*/