X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fdkim.c;h=3fa11c80075b8a23b4d25892fe5f5045b807b31c;hb=7495ef81389e682f08d57d40df1b7e852d4cdcc8;hp=a09ec7ecae62d60c9a35dc4eb1d5427aa619d9a0;hpb=584e96c65f12aca9414450b656504af6e3f7a399;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/src/src/dkim.c b/src/src/dkim.c
index a09ec7eca..3fa11c800 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -28,7 +28,7 @@ dns_record *rr;
 
 lookup_dnssec_authenticated = NULL;
 if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
-  return PDKIM_FAIL;
+  return PDKIM_FAIL;	/*XXX better error detail?  logging? */
 
 /* Search for TXT record */
 
@@ -51,12 +51,12 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
       rr_offset += len;
       answer_offset += len;
       if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
-	return PDKIM_FAIL;
+	return PDKIM_FAIL;	/*XXX better error detail?  logging? */
       }
     return PDKIM_OK;
     }
 
-return PDKIM_FAIL;
+return PDKIM_FAIL;	/*XXX better error detail?  logging? */
 }
 
 
@@ -69,7 +69,7 @@ pdkim_init();
 
 
 void
-dkim_exim_verify_init(void)
+dkim_exim_verify_init(BOOL dot_stuffing)
 {
 /* There is a store-reset between header & body reception
 so cannot use the main pool. Any allocs done by Exim
@@ -85,7 +85,7 @@ if (dkim_verify_ctx)
 
 /* Create new context */
 
-dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt);
+dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
 dkim_collect_input = !!dkim_verify_ctx;
 
 /* Start feed up with any cached data */
@@ -98,10 +98,16 @@ store_pool = dkim_verify_oldpool;
 void
 dkim_exim_verify_feed(uschar * data, int len)
 {
+int rc;
+
 store_pool = POOL_PERM;
 if (  dkim_collect_input
-   && pdkim_feed(dkim_verify_ctx, (char *)data, len) != PDKIM_OK)
+   && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK)
+  {
+  log_write(0, LOG_MAIN,
+	     "DKIM: validation error: %.100s", pdkim_errstr(rc));
   dkim_collect_input = FALSE;
+  }
 store_pool = dkim_verify_oldpool;
 }
 
@@ -113,6 +119,7 @@ pdkim_signature *sig = NULL;
 int dkim_signers_size = 0;
 int dkim_signers_ptr = 0;
 dkim_signers = NULL;
+int rc;
 
 store_pool = POOL_PERM;
 
@@ -137,8 +144,12 @@ dkim_collect_input = FALSE;
 
 /* Finish DKIM operation and fetch link to signatures chain */
 
-if (pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures) != PDKIM_OK)
+if ((rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures)) != PDKIM_OK)
+  {
+  log_write(0, LOG_MAIN,
+	     "DKIM: validation error: %.100s", pdkim_errstr(rc));
   goto out;
+  }
 
 for (sig = dkim_signatures; sig; sig = sig->next)
   {
@@ -449,10 +460,9 @@ switch (what)
 
 
 uschar *
-dkim_exim_sign(int dkim_fd, uschar * dkim_private_key,
-		const uschar * dkim_domain, uschar * dkim_selector,
-		uschar * dkim_canon, uschar * dkim_sign_headers)
+dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim)
 {
+const uschar * dkim_domain;
 int sep = 0;
 uschar *seen_items = NULL;
 int seen_items_size = 0;
@@ -476,13 +486,12 @@ int old_pool = store_pool;
 
 store_pool = POOL_MAIN;
 
-if (!(dkim_domain = expand_cstring(dkim_domain)))
+if (!(dkim_domain = expand_cstring(dkim->dkim_domain)))
   {
   /* expansion error, do not send message. */
   log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
 	     "dkim_domain: %s", expand_string_message);
-  rc = NULL;
-  goto CLEANUP;
+  goto bad;
   }
 
 /* Set $dkim_domain expansion variable to each unique domain in list. */
@@ -515,24 +524,23 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
 
   /* Set up $dkim_selector expansion variable. */
 
-  if (!(dkim_signing_selector = expand_string(dkim_selector)))
+  if (!(dkim_signing_selector = expand_string(dkim->dkim_selector)))
     {
     log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
 	       "dkim_selector: %s", expand_string_message);
-    rc = NULL;
-    goto CLEANUP;
+    goto bad;
     }
 
   /* Get canonicalization to use */
 
-  dkim_canon_expanded = dkim_canon ? expand_string(dkim_canon) : US"relaxed";
+  dkim_canon_expanded = dkim->dkim_canon
+    ? expand_string(dkim->dkim_canon) : US"relaxed";
   if (!dkim_canon_expanded)
     {
     /* expansion error, do not send message. */
     log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
 	       "dkim_canon: %s", expand_string_message);
-    rc = NULL;
-    goto CLEANUP;
+    goto bad;
     }
 
   if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
@@ -548,24 +556,22 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
     }
 
   dkim_sign_headers_expanded = NULL;
-  if (dkim_sign_headers)
-    if (!(dkim_sign_headers_expanded = expand_string(dkim_sign_headers)))
+  if (dkim->dkim_sign_headers)
+    if (!(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
       {
       log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
 		 "dkim_sign_headers: %s", expand_string_message);
-      rc = NULL;
-      goto CLEANUP;
+      goto bad;
       }
     			/* else pass NULL, which means default header list */
 
   /* Get private key to use. */
 
-  if (!(dkim_private_key_expanded = expand_string(dkim_private_key)))
+  if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
     {
     log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
 	       "dkim_private_key: %s", expand_string_message);
-    rc = NULL;
-    goto CLEANUP;
+    goto bad;
     }
 
   if (  Ustrlen(dkim_private_key_expanded) == 0
@@ -581,62 +587,53 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
     /* Looks like a filename, load the private key. */
 
     memset(big_buffer, 0, big_buffer_size);
-    privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY);
-    if (privkey_fd < 0)
+
+    if ((privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY)) < 0)
       {
       log_write(0, LOG_MAIN | LOG_PANIC, "unable to open "
 		 "private key file for reading: %s",
 		 dkim_private_key_expanded);
-      rc = NULL;
-      goto CLEANUP;
+      goto bad;
       }
 
     if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
       {
       log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
 		 dkim_private_key_expanded);
-      rc = NULL;
-      goto CLEANUP;
+      goto bad;
       }
 
     (void) close(privkey_fd);
     dkim_private_key_expanded = big_buffer;
     }
 
-  ctx = pdkim_init_sign( (char *) dkim_signing_domain,
-			 (char *) dkim_signing_selector,
-			 (char *) dkim_private_key_expanded,
-			 PDKIM_ALGO_RSA_SHA256);
+  ctx = pdkim_init_sign( CS dkim_signing_domain,
+			 CS dkim_signing_selector,
+			 CS dkim_private_key_expanded,
+			 PDKIM_ALGO_RSA_SHA256,
+			 dkim->dot_stuffed);
   pdkim_set_optional(ctx,
-		      (char *) dkim_sign_headers_expanded,
+		      CS dkim_sign_headers_expanded,
 		      NULL,
 		      pdkim_canon,
 		      pdkim_canon, -1, 0, 0);
 
   lseek(dkim_fd, 0, SEEK_SET);
 
-  while ((sread = read(dkim_fd, &buf, 4096)) > 0)
-    if (pdkim_feed(ctx, buf, sread) != PDKIM_OK)
-      {
-      rc = NULL;
-      goto CLEANUP;
-      }
+  while ((sread = read(dkim_fd, &buf, sizeof(buf))) > 0)
+    if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK)
+      goto pk_bad;
 
   /* Handle failed read above. */
   if (sread == -1)
     {
     debug_printf("DKIM: Error reading -K file.\n");
     save_errno = errno;
-    rc = NULL;
-    goto CLEANUP;
+    goto bad;
     }
 
   if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
-    {
-    log_write(0, LOG_MAIN|LOG_PANIC, "DKIM: signing failed (RC %d)", pdkim_rc);
-    rc = NULL;
-    goto CLEANUP;
-    }
+    goto pk_bad;
 
   sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
 			  US signature->signature_header, US"\r\n");
@@ -654,11 +651,18 @@ else
   rc = US"";
 
 CLEANUP:
-if (ctx)
-  pdkim_free_ctx(ctx);
-store_pool = old_pool;
-errno = save_errno;
-return rc;
+  if (ctx)
+    pdkim_free_ctx(ctx);
+  store_pool = old_pool;
+  errno = save_errno;
+  return rc;
+
+pk_bad:
+  log_write(0, LOG_MAIN|LOG_PANIC,
+	       	"DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
+bad:
+  rc = NULL;
+  goto CLEANUP;
 }
 
 #endif