X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fpdkim%2Fpdkim.c;h=0ad4d12d8171288b0d085bcea8b386e8add4d1f3;hb=873db3a8000c99e3f0d0a62bb9f70672e1268047;hp=79e7c633d7f895d473cd171ba05109191ec00bed;hpb=042e558f346b01902dd414206a047fa47b686f0b;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index 79e7c633d..0ad4d12d8 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c @@ -2,7 +2,7 @@ * PDKIM - a RFC4871 (DKIM) implementation * * Copyright (C) 2009 - 2016 Tom Kistner - * Copyright (C) 2016 - 2018 Jeremy Harris + * Copyright (C) 2016 - 2020 Jeremy Harris * * http://duncanthrax.net/pdkim/ * @@ -181,6 +181,7 @@ switch(ext_status) case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE"; case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD"; case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT"; + case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: return "PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE"; case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR"; case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION"; default: return "PDKIM_VERIFY_UNKNOWN"; @@ -638,12 +639,12 @@ while (--q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n')) DEBUG(D_acl) { debug_printf( - "PDKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); + "DKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); pdkim_quoteprint(US sig->rawsig_no_b_val, Ustrlen(sig->rawsig_no_b_val)); debug_printf( - "PDKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8); + "DKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8); debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); } if (!pdkim_set_sig_bodyhash(ctx, sig)) @@ -719,9 +720,11 @@ return NULL; If we have to relax the data for this sig, return our copy of it. */ static blob * -pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, blob * orig_data, blob * relaxed_data) +pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob const * orig_data, blob * relaxed_data) { -blob * canon_data = orig_data; +const blob const * canon_data = orig_data; +size_t left; + /* Defaults to simple canon (no further treatment necessary) */ if (b->canon_method == PDKIM_CANON_RELAXED) @@ -766,16 +769,17 @@ if (b->canon_method == PDKIM_CANON_RELAXED) } /* Make sure we don't exceed the to-be-signed body length */ +left = canon_data->len; if ( b->bodylength >= 0 - && b->signed_body_bytes + (unsigned long)canon_data->len > b->bodylength + && b->signed_body_bytes + left > b->bodylength ) - canon_data->len = b->bodylength - b->signed_body_bytes; + left = b->bodylength - b->signed_body_bytes; -if (canon_data->len > 0) +if (left > 0) { - exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, canon_data->len); - b->signed_body_bytes += canon_data->len; - DEBUG(D_acl) pdkim_quoteprint(canon_data->data, canon_data->len); + exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, left); + b->signed_body_bytes += left; + DEBUG(D_acl) pdkim_quoteprint(canon_data->data, left); } return relaxed_data; @@ -789,7 +793,7 @@ pdkim_finish_bodyhash(pdkim_ctx * ctx) { for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next) /* Finish hashes */ { - DEBUG(D_acl) debug_printf("PDKIM: finish bodyhash %d/%d/%ld len %ld\n", + DEBUG(D_acl) debug_printf("DKIM: finish bodyhash %d/%d/%ld len %ld\n", b->hashtype, b->canon_method, b->bodylength, b->signed_body_bytes); exim_sha_finish(&b->body_hash_ctx, &b->bh); } @@ -801,8 +805,8 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) DEBUG(D_acl) { - debug_printf("PDKIM [%s] Body bytes (%s) hashed: %lu\n" - "PDKIM [%s] Body %s computed: ", + debug_printf("DKIM [%s] Body bytes (%s) hashed: %lu\n" + "DKIM [%s] Body %s computed: ", sig->domain, pdkim_canons[b->canon_method], b->signed_body_bytes, sig->domain, pdkim_hashes[b->hashtype].dkim_hashname); pdkim_hexprint(CUS b->bh.data, b->bh.len); @@ -824,15 +828,15 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) if ( sig->bodyhash.data && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0) { - DEBUG(D_acl) debug_printf("PDKIM [%s] Body hash compared OK\n", sig->domain); + DEBUG(D_acl) debug_printf("DKIM [%s] Body hash compared OK\n", sig->domain); } else { DEBUG(D_acl) { - debug_printf("PDKIM [%s] Body hash signature from headers: ", sig->domain); + debug_printf("DKIM [%s] Body hash signature from headers: ", sig->domain); pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len); - debug_printf("PDKIM [%s] Body hash did NOT verify\n", sig->domain); + debug_printf("DKIM [%s] Body hash did NOT verify\n", sig->domain); } sig->verify_status = PDKIM_VERIFY_FAIL; sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY; @@ -976,7 +980,7 @@ else #ifdef notdef DEBUG(D_acl) { - debug_printf("PDKIM >> raw hdr: "); + debug_printf("DKIM >> raw hdr: "); pdkim_quoteprint(CUS ctx->cur_header->s, ctx->cur_header->ptr); } #endif @@ -990,7 +994,7 @@ else fail verification of it later. */ DEBUG(D_acl) debug_printf( - "PDKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); + "DKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); sig = pdkim_parse_sig_header(ctx, ctx->cur_header->s); @@ -1002,7 +1006,7 @@ else last_sig->next = sig; } - if (--dkim_collect_input == 0) + if (dkim_collect_input && --dkim_collect_input == 0) { ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s); ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0'; @@ -1075,7 +1079,7 @@ else for (int p = 0; p < len; p++) ctx->flags = (ctx->flags & ~(PDKIM_SEEN_LF|PDKIM_SEEN_CR)) | PDKIM_PAST_HDRS; DEBUG(D_acl) debug_printf( - "PDKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); + "DKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); continue; } else @@ -1110,14 +1114,14 @@ return string_catn(str, US"\r\n\t", 3); /* * RFC 5322 specifies that header line length SHOULD be no more than 78 - * lets make it so! * pdkim_headcat * - * returns uschar * (not nul-terminated) + * Returns gstring (not nul-terminated) appending to one supplied * * col: this int holds and receives column number (octets since last '\n') * str: partial string to append to - * pad: padding, split line or space after before or after eg: ";" + * pad: padding, split line or space after before or after eg: ";". + * Only the initial charater is used. * intro: - must join to payload eg "h=", usually the tag name * payload: eg base64 data - long data can be split arbitrarily. * @@ -1126,7 +1130,7 @@ return string_catn(str, US"\r\n\t", 3); * pairs and inside long values. it also always spaces or breaks after the * "pad" * - * no guarantees are made for output given out-of range input. like tag + * No guarantees are made for output given out-of range input. like tag * names longer than 78, or bogus col. Input is assumed to be free of line breaks. */ @@ -1134,92 +1138,64 @@ static gstring * pdkim_headcat(int * col, gstring * str, const uschar * pad, const uschar * intro, const uschar * payload) { -size_t l; - -if (pad) - { - l = Ustrlen(pad); - if (*col + l > 78) - str = pdkim_hdr_cont(str, col); - str = string_catn(str, pad, l); - *col += l; - } - -l = (pad?1:0) + (intro?Ustrlen(intro):0); - -if (*col + l > 78) - { /*can't fit intro - start a new line to make room.*/ - str = pdkim_hdr_cont(str, col); - l = intro?Ustrlen(intro):0; - } - -l += payload ? Ustrlen(payload):0 ; - -while (l>77) - { /* this fragment will not fit on a single line */ - if (pad) - { - str = string_catn(str, US" ", 1); - *col += 1; - pad = NULL; /* only want this once */ - l--; - } - - if (intro) - { - size_t sl = Ustrlen(intro); +int len, chomp, padded = 0; - str = string_catn(str, intro, sl); - *col += sl; - l -= sl; - intro = NULL; /* only want this once */ - } +/* If we can fit at least the pad at the end of current line, do it now. +Otherwise, wrap if there is a pad. */ - if (payload) +if (pad) + if (*col + 1 <= 78) { - size_t sl = Ustrlen(payload); - size_t chomp = *col+sl < 77 ? sl : 78-*col; - - str = string_catn(str, payload, chomp); - *col += chomp; - payload += chomp; - l -= chomp-1; + str = string_catn(str, pad, 1); + (*col)++; + pad = NULL; + padded = 1; } + else + str = pdkim_hdr_cont(str, col); - /* the while precondition tells us it didn't fit. */ - str = pdkim_hdr_cont(str, col); - } +/* Special case: if the whole addition does not fit at the end of the current +line, but could fit on a new line, wrap to give it its full, dedicated line. */ -if (*col + l > 78) +len = (pad ? 2 : padded) + + (intro ? Ustrlen(intro) : 0) + + (payload ? Ustrlen(payload) : 0); +if (len <= 77 && *col+len > 78) { str = pdkim_hdr_cont(str, col); - pad = NULL; + padded = 0; } +/* Either we already dealt with the pad or we know there is room */ + if (pad) { + str = string_catn(str, pad, 1); str = string_catn(str, US" ", 1); - *col += 1; - pad = NULL; + *col += 2; } - -if (intro) +else if (padded && *col < 78) { - size_t sl = Ustrlen(intro); - - str = string_catn(str, intro, sl); - *col += sl; - l -= sl; - intro = NULL; + str = string_catn(str, US" ", 1); + (*col)++; } -if (payload) - { - size_t sl = Ustrlen(payload); +/* Call recursively with intro as payload: it gets the same, special treatment +(that is, not split if < 78). */ - str = string_catn(str, payload, sl); - *col += sl; - } +if (intro) + str = pdkim_headcat(col, str, NULL, NULL, intro); + +if (payload) + for (len = Ustrlen(payload); len; len -= chomp) + { + if (*col >= 78) + str = pdkim_hdr_cont(str, col); + chomp = *col+len > 78 ? 78 - *col : len; + str = string_catn(str, payload, chomp); + *col += chomp; + payload += chomp; + } return str; } @@ -1351,7 +1327,8 @@ check_bare_ed25519_pubkey(pdkim_pubkey * p) int excess = p->key.len - 32; if (excess > 0) { - DEBUG(D_acl) debug_printf("PDKIM: unexpected pubkey len %lu\n", p->key.len); + DEBUG(D_acl) + debug_printf("DKIM: unexpected pubkey len %lu\n", (unsigned long) p->key.len); p->key.data += excess; p->key.len = 32; } } @@ -1380,7 +1357,7 @@ if ( !(dns_txt_reply = ctx->dns_txt_callback(dns_txt_name)) DEBUG(D_acl) { debug_printf( - "PDKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n" + "DKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n" " %s\n" " Raw record: ", dns_txt_name); @@ -1401,13 +1378,13 @@ if ( !(p = pdkim_parse_pubkey_record(CUS dns_txt_reply)) else debug_printf(" Error while parsing public key record\n"); debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); } return NULL; } DEBUG(D_acl) debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); /* Import public key */ @@ -1430,7 +1407,7 @@ if (sig->keytype == KEYTYPE_ED25519) if ((*errstr = exim_dkim_verify_init(&p->key, sig->keytype == KEYTYPE_ED25519 ? KEYFMT_ED25519_BARE : KEYFMT_DER, - vctx))) + vctx, &sig->keybits))) { DEBUG(D_acl) debug_printf("verify_init: %s\n", *errstr); sig->verify_status = PDKIM_VERIFY_INVALID; @@ -1457,7 +1434,7 @@ int sep; if (!siglist) return NULL; /* first select in order of hashtypes */ -DEBUG(D_acl) debug_printf("PDKIM: dkim_verify_hashes '%s'\n", dkim_verify_hashes); +DEBUG(D_acl) debug_printf("DKIM: dkim_verify_hashes '%s'\n", dkim_verify_hashes); for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield; ele = string_nextinlist(&prefs, &sep, NULL, 0); ) { @@ -1475,7 +1452,7 @@ for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield; /* then in order of keytypes */ siglist = yield; -DEBUG(D_acl) debug_printf("PDKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes); +DEBUG(D_acl) debug_printf("DKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes); for (prefs = dkim_verify_keytypes, sep = 0, yield = NULL, ss = &yield; ele = string_nextinlist(&prefs, &sep, NULL, 0); ) { @@ -1523,7 +1500,7 @@ if (ctx->cur_header && ctx->cur_header->ptr > 0) } else DEBUG(D_acl) debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); /* Build (and/or evaluate) body hash. Do this even if no DKIM sigs, in case we have a hash to do for ARC. */ @@ -1537,7 +1514,7 @@ if (!(ctx->flags & PDKIM_MODE_SIGN)) if (!ctx->sig) { - DEBUG(D_acl) debug_printf("PDKIM: no signatures\n"); + DEBUG(D_acl) debug_printf("DKIM: no signatures\n"); *return_signatures = NULL; return PDKIM_OK; } @@ -1554,7 +1531,7 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) && sig->verify_status == PDKIM_VERIFY_FAIL) { DEBUG(D_acl) - debug_printf("PDKIM: [%s] abandoning this signature\n", sig->domain); + debug_printf("DKIM: [%s] abandoning this signature\n", sig->domain); continue; } @@ -1569,7 +1546,7 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) do this hash incrementally. We don't need the hash we're calculating here for the GnuTLS and OpenSSL cases of RSA signing, since those library routines can do hash-and-sign. - + Some time in the future we could easily avoid doing the hash here for those cases (which will be common for a long while. We could also change from the current copy-all-the-headers-into-one-block, then call the hash-and-sign @@ -1582,18 +1559,18 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod)) { log_write(0, LOG_MAIN|LOG_PANIC, - "PDKIM: hash setup error, possibly nonhandled hashtype"); + "DKIM: hash setup error, possibly nonhandled hashtype"); break; } if (ctx->flags & PDKIM_MODE_SIGN) DEBUG(D_acl) debug_printf( - "PDKIM >> Headers to be signed: >>>>>>>>>>>>\n" + "DKIM >> Headers to be signed: >>>>>>>>>>>>\n" " %s\n", sig->sign_headers); DEBUG(D_acl) debug_printf( - "PDKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n", + "DKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n", pdkim_canons[sig->canon_headers]); @@ -1711,15 +1688,15 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) } DEBUG(D_acl) debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); DEBUG(D_acl) { debug_printf( - "PDKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n"); + "DKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n"); pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr)); debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); } /* Relax header if necessary */ @@ -1728,11 +1705,11 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) DEBUG(D_acl) { - debug_printf("PDKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n", + debug_printf("DKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n", pdkim_canons[sig->canon_headers]); pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr)); debug_printf( - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); } /* Finalize header hash */ @@ -1741,7 +1718,7 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) DEBUG(D_acl) { - debug_printf("PDKIM [%s] Header %s computed: ", + debug_printf("DKIM [%s] Header %s computed: ", sig->domain, pdkim_hashes[sig->hashtype].dkim_hashname); pdkim_hexprint(hhash.data, hhash.len); } @@ -1781,7 +1758,7 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) DEBUG(D_acl) { - debug_printf( "PDKIM [%s] b computed: ", sig->domain); + debug_printf( "DKIM [%s] b computed: ", sig->domain); pdkim_hexprint(sig->sighash.data, sig->sighash.len); } @@ -1810,7 +1787,7 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) DEBUG(D_acl) debug_printf( " Error in DKIM-Signature header: tags missing or invalid (%s)\n" - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n", + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n", !(sig->domain && *sig->domain) ? "d=" : !(sig->selector && *sig->selector) ? "s=" : !(sig->headernames && *sig->headernames) ? "h=" @@ -1821,7 +1798,7 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) ); goto NEXT_VERIFY; } - + /* Make sure sig uses supported DKIM version (only v1) */ if (sig->version != 1) { @@ -1830,19 +1807,19 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) DEBUG(D_acl) debug_printf( " Error in DKIM-Signature header: unsupported DKIM version\n" - "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); goto NEXT_VERIFY; } DEBUG(D_acl) { - debug_printf( "PDKIM [%s] b from mail: ", sig->domain); + debug_printf( "DKIM [%s] b from mail: ", sig->domain); pdkim_hexprint(sig->sighash.data, sig->sighash.len); } if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx, err))) { - log_write(0, LOG_MAIN, "PDKIM: %s%s %s%s [failed key import]", + log_write(0, LOG_MAIN, "DKIM: %s%s %s%s [failed key import]", sig->domain ? "d=" : "", sig->domain ? sig->domain : US"", sig->selector ? "s=" : "", sig->selector ? sig->selector : US""); goto NEXT_VERIFY; @@ -1886,6 +1863,19 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) sig->verify_ext_status = PDKIM_VERIFY_FAIL_MESSAGE; goto NEXT_VERIFY; } + if (*dkim_verify_min_keysizes) + { + unsigned minbits; + uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype], + dkim_verify_min_keysizes); + if (ss && (minbits = atoi(CS ss)) > sig->keybits) + { + DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n", + pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes); + sig->verify_status = PDKIM_VERIFY_FAIL; + sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE; + } + } /* We have a winner! (if bodyhash was correct earlier) */ @@ -1900,7 +1890,7 @@ NEXT_VERIFY: DEBUG(D_acl) { - debug_printf("PDKIM [%s] %s signature status: %s", + debug_printf("DKIM [%s] %s signature status: %s", sig->domain, dkim_sig_to_a_tag(sig), pdkim_verify_status_str(sig->verify_status)); if (sig->verify_ext_status > 0) @@ -1935,6 +1925,7 @@ if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM; /* The line-buffer is for message data, hence tainted */ ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, TRUE); ctx->dns_txt_callback = dns_txt_callback; +ctx->cur_header = string_get_tainted(36, TRUE); return ctx; } @@ -1971,7 +1962,7 @@ for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++) if (hashtype >= nelem(pdkim_hashes)) { log_write(0, LOG_MAIN|LOG_PANIC, - "PDKIM: unrecognised hashname '%s'", hashname); + "DKIM: unrecognised hashname '%s'", hashname); return NULL; } @@ -1980,10 +1971,10 @@ DEBUG(D_acl) pdkim_signature s = *sig; ev_ctx vctx; - debug_printf("PDKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); + debug_printf("DKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); if (!pdkim_key_from_dns(ctx, &s, &vctx, errstr)) debug_printf("WARNING: bad dkim key in dns\n"); - debug_printf("PDKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); + debug_printf("DKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n"); } return sig; } @@ -2029,17 +2020,19 @@ pdkim_set_bodyhash(pdkim_ctx * ctx, int hashtype, int canon_method, { pdkim_bodyhash * b; +if (hashtype == -1 || canon_method == -1) return NULL; + for (b = ctx->bodyhash; b; b = b->next) if ( hashtype == b->hashtype && canon_method == b->canon_method && bodylength == b->bodylength) { - DEBUG(D_receive) debug_printf("PDKIM: using existing bodyhash %d/%d/%ld\n", + DEBUG(D_receive) debug_printf("DKIM: using existing bodyhash %d/%d/%ld\n", hashtype, canon_method, bodylength); return b; } -DEBUG(D_receive) debug_printf("PDKIM: new bodyhash %d/%d/%ld\n", +DEBUG(D_receive) debug_printf("DKIM: new bodyhash %d/%d/%ld\n", hashtype, canon_method, bodylength); b = store_get(sizeof(pdkim_bodyhash), FALSE); b->next = ctx->bodyhash; @@ -2050,7 +2043,7 @@ if (!exim_sha_init(&b->body_hash_ctx, /*XXX hash method: extend for sha512 */ pdkim_hashes[hashtype].exim_hashmethod)) { DEBUG(D_acl) - debug_printf("PDKIM: hash init error, possibly nonhandled hashtype\n"); + debug_printf("DKIM: hash init error, possibly nonhandled hashtype\n"); return NULL; } b->signed_body_bytes = 0;