X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fdkim.c;h=4d1822e2e12a09dede66e02876db68cefd325fdb;hb=624f33dfeab938e907251e3cc3062aa45353384f;hp=d223f9e62e2d0d545c7a34926d3677460806e0f0;hpb=b4757e3611c457affce455100c7c7c43784ccfea;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/dkim.c b/src/src/dkim.c index d223f9e62..4d1822e2e 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -33,6 +33,8 @@ pdkim_ctx *dkim_verify_ctx = NULL; pdkim_signature *dkim_cur_sig = NULL; static const uschar * dkim_collect_error = NULL; +#define DKIM_MAX_SIGNATURES 20 + /*XXX the caller only uses the first record if we return multiple. @@ -114,7 +116,7 @@ if (dkim_verify_ctx) /* Create new context */ dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing); -dkim_collect_input = !!dkim_verify_ctx; +dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0; dkim_collect_error = NULL; /* Start feed up with any cached data */ @@ -136,7 +138,7 @@ if ( dkim_collect_input dkim_collect_error = pdkim_errstr(rc); log_write(0, LOG_MAIN, "DKIM: validation error: %.100s", dkim_collect_error); - dkim_collect_input = FALSE; + dkim_collect_input = 0; } store_pool = dkim_verify_oldpool; } @@ -304,11 +306,11 @@ if (dkim_collect_error) log_write(0, LOG_MAIN, "DKIM: Error during validation, disabling signature verification: %.100s", dkim_collect_error); - dkim_disable_verify = TRUE; + f.dkim_disable_verify = TRUE; goto out; } -dkim_collect_input = FALSE; +dkim_collect_input = 0; /* Finish DKIM operation and fetch link to signatures chain */ @@ -379,7 +381,7 @@ dkim_verify_status = US"none"; dkim_verify_reason = US""; dkim_cur_signer = id; -if (dkim_disable_verify || !id || !dkim_verify_ctx) +if (f.dkim_disable_verify || !id || !dkim_verify_ctx) return OK; /* Find signatures to run ACL on */ @@ -451,7 +453,7 @@ switch (what) uschar * dkim_exim_expand_query(int what) { -if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig) +if (!dkim_verify_ctx || f.dkim_disable_verify || !dkim_cur_sig) return dkim_exim_expand_defaults(what); switch (what) @@ -643,6 +645,8 @@ if (dkim_domain) uschar * dkim_private_key_expanded; uschar * dkim_hash_expanded; uschar * dkim_identity_expanded = NULL; + uschar * dkim_timestamps_expanded = NULL; + unsigned long tval = 0, xval = 0; /* Get canonicalization to use */ @@ -693,6 +697,13 @@ if (dkim_domain) else if (!*dkim_identity_expanded) dkim_identity_expanded = NULL; + if (dkim->dkim_timestamps) + if (!(dkim_timestamps_expanded = expand_string(dkim->dkim_timestamps))) + { errwhen = US"dkim_timestamps"; goto expand_bad; } + else + xval = (tval = (unsigned long) time(NULL)) + + strtoul(CCS dkim_timestamps_expanded, NULL, 10); + if (!(sig = pdkim_init_sign(&dkim_sign_ctx, dkim_signing_domain, dkim_signing_selector, dkim_private_key_expanded, @@ -706,7 +717,7 @@ if (dkim_domain) CS dkim_sign_headers_expanded, CS dkim_identity_expanded, pdkim_canon, - pdkim_canon, -1, 0, 0); + pdkim_canon, -1, tval, xval); if (!pdkim_set_sig_bodyhash(&dkim_sign_ctx, sig)) goto bad; @@ -813,7 +824,7 @@ for (sig = dkim_signatures; sig; sig = sig->next) g = string_cat(g, US"permerror (overlong public key record)\n\t\t"); break; case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: - g = string_cat(g, US"neutral (syntax error in public key record)\n\t\t"); + g = string_cat(g, US"neutral (public key record import problem)\n\t\t"); break; case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: g = string_cat(g, US"neutral (signature tag missing or invalid)\n\t\t");