[exim.git] / src / src / dkim.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge, 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */

/* Code for DKIM support. Other DKIM relevant code is in
   receive.c, transport.c and transports/smtp.c */

#include "exim.h"

#ifndef DISABLE_DKIM

#include "pdkim/pdkim.h"

pdkim_ctx *dkim_verify_ctx = NULL;
pdkim_signature *dkim_signatures = NULL;
pdkim_signature *dkim_cur_sig = NULL;

static int
dkim_exim_query_dns_txt(char *name, char *answer)
{
dns_answer dnsa;
dns_scan dnss;
dns_record *rr;

lookup_dnssec_authenticated = NULL;
if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
  return PDKIM_FAIL;

/* Search for TXT record */

for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
     rr;
     rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
  if (rr->type == T_TXT)
    {
    int rr_offset = 0;
    int answer_offset = 0;

    /* Copy record content to the answer buffer */

    while (rr_offset < rr->size)
      {
      uschar len = rr->data[rr_offset++];
      snprintf(answer + answer_offset,
		PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
		"%.*s", (int)len, (char *) (rr->data + rr_offset));
      rr_offset += len;
      answer_offset += len;
      if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
	return PDKIM_FAIL;
      }
    return PDKIM_OK;
    }

return PDKIM_FAIL;
}


void
dkim_exim_verify_init(void)
{
/* Free previous context if there is one */

if (dkim_verify_ctx)
  pdkim_free_ctx(dkim_verify_ctx);

/* Create new context */

dkim_verify_ctx = pdkim_init_verify(PDKIM_INPUT_SMTP, &dkim_exim_query_dns_txt);
dkim_collect_input = !!dkim_verify_ctx;
#ifdef PDKIM_DEBUG
if (dkim_collect_input)
  pdkim_set_debug_stream(dkim_verify_ctx, debug_file);
#endif
}


void
dkim_exim_verify_feed(uschar * data, int len)
{
if (  dkim_collect_input
   && pdkim_feed(dkim_verify_ctx, (char *)data, len) != PDKIM_OK)
  dkim_collect_input = FALSE;
}


void
dkim_exim_verify_finish(void)
{
pdkim_signature *sig = NULL;
int dkim_signers_size = 0;
int dkim_signers_ptr = 0;
dkim_signers = NULL;

/* Delete eventual previous signature chain */

dkim_signatures = NULL;

/* If we have arrived here with dkim_collect_input == FALSE, it
means there was a processing error somewhere along the way.
Log the incident and disable futher verification. */

if (!dkim_collect_input)
  {
  log_write(0, LOG_MAIN,
	     "DKIM: Error while running this message through validation,"
	     " disabling signature verification.");
  dkim_disable_verify = TRUE;
  return;
  }

dkim_collect_input = FALSE;

/* Finish DKIM operation and fetch link to signatures chain */

if (pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures) != PDKIM_OK)
  return;

for (sig = dkim_signatures; sig; sig = sig->next)
  {
  int size = 0;
  int ptr = 0;

  /* Log a line for each signature */

  uschar *logmsg = string_append(NULL, &size, &ptr, 5,
	string_sprintf("d=%s s=%s c=%s/%s a=%s ",
	      sig->domain,
	      sig->selector,
	      sig->canon_headers == PDKIM_CANON_SIMPLE ?  "simple" : "relaxed",
	      sig->canon_body == PDKIM_CANON_SIMPLE ?  "simple" : "relaxed",
	      sig->algo == PDKIM_ALGO_RSA_SHA256 ?  "rsa-sha256" : "rsa-sha1"),

	sig->identity ? string_sprintf("i=%s ", sig->identity) : US"",
	sig->created > 0 ? string_sprintf("t=%lu ", sig->created) : US"",
	sig->expires > 0 ? string_sprintf("x=%lu ", sig->expires) : US"",
	sig->bodylength > -1 ? string_sprintf("l=%lu ", sig->bodylength) : US""
	);

  switch (sig->verify_status)
    {
    case PDKIM_VERIFY_NONE:
      logmsg = string_append(logmsg, &size, &ptr, 1, "[not verified]");
      break;

    case PDKIM_VERIFY_INVALID:
      logmsg = string_append(logmsg, &size, &ptr, 1, "[invalid - ");
      switch (sig->verify_ext_status)
	{
	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		        "public key record (currently?) unavailable]");
	  break;

	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
			"overlong public key record]");
	  break;

	case PDKIM_VERIFY_INVALID_PUBKEY_PARSING:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "syntax error in public key record]");
	  break;

	default:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
			"unspecified problem]");
	}
      break;

    case PDKIM_VERIFY_FAIL:
      logmsg =
	string_append(logmsg, &size, &ptr, 1, "[verification failed - ");
      switch (sig->verify_ext_status)
	{
	case PDKIM_VERIFY_FAIL_BODY:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "body hash mismatch (body probably modified in transit)]");
	  break;

	case PDKIM_VERIFY_FAIL_MESSAGE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "signature did not verify (headers probably modified in transit)]");
	break;

	default:
	  logmsg = string_append(logmsg, &size, &ptr, 1, "unspecified reason]");
	}
      break;

    case PDKIM_VERIFY_PASS:
      logmsg =
	string_append(logmsg, &size, &ptr, 1, "[verification succeeded]");
      break;
    }

  logmsg[ptr] = '\0';
  log_write(0, LOG_MAIN, "DKIM: %s", logmsg);

  /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */

  dkim_signers = string_append(dkim_signers,
				&dkim_signers_size,
				&dkim_signers_ptr, 2, sig->domain, ":");

  if (sig->identity)
    dkim_signers = string_append(dkim_signers,
				  &dkim_signers_size,
				  &dkim_signers_ptr, 2, sig->identity, ":");

  /* Process next signature */
  }

/* NULL-terminate and chop the last colon from the domain list */

if (dkim_signers)
  {
  dkim_signers[dkim_signers_ptr] = '\0';
  if (Ustrlen(dkim_signers) > 0)
  dkim_signers[Ustrlen(dkim_signers) - 1] = '\0';
  }
}


void
dkim_exim_acl_setup(uschar * id)
{
pdkim_signature * sig;
uschar * cmp_val;

dkim_cur_sig = NULL;
dkim_cur_signer = id;

if (dkim_disable_verify || !id || !dkim_verify_ctx)
  return;

/* Find signature to run ACL on */

for (sig = dkim_signatures; sig; sig = sig->next)
  if (  (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
     && strcmpic(cmp_val, id) == 0
     )
    {
    dkim_cur_sig = sig;

    /* The "dkim_domain" and "dkim_selector" expansion variables have
       related globals, since they are used in the signing code too.
       Instead of inventing separate names for verification, we set
       them here. This is easy since a domain and selector is guaranteed
       to be in a signature. The other dkim_* expansion items are
       dynamically fetched from dkim_cur_sig at expansion time (see
       function below). */

    dkim_signing_domain = US sig->domain;
    dkim_signing_selector = US sig->selector;
    return;
    }
}


static uschar *
dkim_exim_expand_defaults(int what)
{
switch (what)
  {
  case DKIM_ALGO:		return US"";
  case DKIM_BODYLENGTH:		return US"9999999999999";
  case DKIM_CANON_BODY:		return US"";
  case DKIM_CANON_HEADERS:	return US"";
  case DKIM_COPIEDHEADERS:	return US"";
  case DKIM_CREATED:		return US"0";
  case DKIM_EXPIRES:		return US"9999999999999";
  case DKIM_HEADERNAMES:	return US"";
  case DKIM_IDENTITY:		return US"";
  case DKIM_KEY_GRANULARITY:	return US"*";
  case DKIM_KEY_SRVTYPE:	return US"*";
  case DKIM_KEY_NOTES:		return US"";
  case DKIM_KEY_TESTING:	return US"0";
  case DKIM_NOSUBDOMAINS:	return US"0";
  case DKIM_VERIFY_STATUS:	return US"none";
  case DKIM_VERIFY_REASON:	return US"";
  default:			return US"";
  }
}


uschar *
dkim_exim_expand_query(int what)
{
if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig)
  return dkim_exim_expand_defaults(what);

switch (what)
  {
  case DKIM_ALGO:
    switch (dkim_cur_sig->algo)
      {
      case PDKIM_ALGO_RSA_SHA1:	return US"rsa-sha1";
      case PDKIM_ALGO_RSA_SHA256:
      default:			return US"rsa-sha256";
      }

  case DKIM_BODYLENGTH:
    return dkim_cur_sig->bodylength >= 0
      ? string_sprintf(OFF_T_FMT, (LONGLONG_T) dkim_cur_sig->bodylength)
      : dkim_exim_expand_defaults(what);

  case DKIM_CANON_BODY:
    switch (dkim_cur_sig->canon_body)
      {
      case PDKIM_CANON_RELAXED:	return US"relaxed";
      case PDKIM_CANON_SIMPLE:
      default:			return US"simple";
      }

  case DKIM_CANON_HEADERS:
  switch (dkim_cur_sig->canon_headers)
    {
    case PDKIM_CANON_RELAXED:	return US"relaxed";
    case PDKIM_CANON_SIMPLE:
    default:			return US"simple";
    }

  case DKIM_COPIEDHEADERS:
    return dkim_cur_sig->copiedheaders
      ? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);

  case DKIM_CREATED:
    return dkim_cur_sig->created > 0
      ? string_sprintf("%llu", dkim_cur_sig->created)
      : dkim_exim_expand_defaults(what);

  case DKIM_EXPIRES:
    return dkim_cur_sig->expires > 0
      ? string_sprintf("%llu", dkim_cur_sig->expires)
      : dkim_exim_expand_defaults(what);

  case DKIM_HEADERNAMES:
    return dkim_cur_sig->headernames
      ?  US dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);

  case DKIM_IDENTITY:
    return dkim_cur_sig->identity
      ? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);

  case DKIM_KEY_GRANULARITY:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->granularity
      ? US dkim_cur_sig->pubkey->granularity
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_SRVTYPE:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->srvtype
      ? US dkim_cur_sig->pubkey->srvtype
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_NOTES:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->notes
      ? US dkim_cur_sig->pubkey->notes
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_TESTING:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->testing
      ? US"1"
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_NOSUBDOMAINS:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->no_subdomaining
      ? US"1"
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_VERIFY_STATUS:
    switch (dkim_cur_sig->verify_status)
      {
      case PDKIM_VERIFY_INVALID:	return US"invalid";
      case PDKIM_VERIFY_FAIL:		return US"fail";
      case PDKIM_VERIFY_PASS:		return US"pass";
      case PDKIM_VERIFY_NONE:
      default:				return US"none";
      }

  case DKIM_VERIFY_REASON:
    switch (dkim_cur_sig->verify_ext_status)
      {
      case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
						return US"pubkey_unavailable";
      case PDKIM_VERIFY_INVALID_PUBKEY_PARSING:	return US"pubkey_syntax";
      case PDKIM_VERIFY_FAIL_BODY:		return US"bodyhash_mismatch";
      case PDKIM_VERIFY_FAIL_MESSAGE:		return US"signature_incorrect";
      }

  default:
    return US"";
  }
}


uschar *
dkim_exim_sign(int dkim_fd, uschar * dkim_private_key,
		const uschar * dkim_domain, uschar * dkim_selector,
		uschar * dkim_canon, uschar * dkim_sign_headers)
{
int sep = 0;
uschar *seen_items = NULL;
int seen_items_size = 0;
int seen_items_offset = 0;
uschar itembuf[256];
uschar *dkim_canon_expanded;
uschar *dkim_sign_headers_expanded;
uschar *dkim_private_key_expanded;
pdkim_ctx *ctx = NULL;
uschar *rc = NULL;
uschar *sigbuf = NULL;
int sigsize = 0;
int sigptr = 0;
pdkim_signature *signature;
int pdkim_canon;
int pdkim_rc;
int sread;
char buf[4096];
int save_errno = 0;
int old_pool = store_pool;

store_pool = POOL_MAIN;

if (!(dkim_domain = expand_cstring(dkim_domain)))
  {
  /* expansion error, do not send message. */
  log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	     "dkim_domain: %s", expand_string_message);
  rc = NULL;
  goto CLEANUP;
  }

/* Set $dkim_domain expansion variable to each unique domain in list. */

while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
				   itembuf, sizeof(itembuf))))
  {
  if (!dkim_signing_domain || dkim_signing_domain[0] == '\0')
    continue;

  /* Only sign once for each domain, no matter how often it
  appears in the expanded list. */

  if (seen_items)
    {
    const uschar *seen_items_list = seen_items;
    if (match_isinlist(dkim_signing_domain,
			&seen_items_list, 0, NULL, NULL, MCL_STRING, TRUE,
			NULL) == OK)
      continue;

    seen_items =
      string_append(seen_items, &seen_items_size, &seen_items_offset, 1, ":");
    }

  seen_items =
    string_append(seen_items, &seen_items_size, &seen_items_offset, 1,
		 dkim_signing_domain);
  seen_items[seen_items_offset] = '\0';

  /* Set up $dkim_selector expansion variable. */

  if (!(dkim_signing_selector = expand_string(dkim_selector)))
    {
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_selector: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
    }

  /* Get canonicalization to use */

  dkim_canon_expanded = dkim_canon ? expand_string(dkim_canon) : US"relaxed";
  if (!dkim_canon_expanded)
    {
    /* expansion error, do not send message. */
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_canon: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
    }

  if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
    pdkim_canon = PDKIM_CANON_RELAXED;
  else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
    pdkim_canon = PDKIM_CANON_SIMPLE;
  else
    {
    log_write(0, LOG_MAIN,
	       "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
	       dkim_canon_expanded);
    pdkim_canon = PDKIM_CANON_RELAXED;
    }

  dkim_sign_headers_expanded = NULL;
  if (dkim_sign_headers)
    if (!(dkim_sign_headers_expanded = expand_string(dkim_sign_headers)))
      {
      log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
		 "dkim_sign_headers: %s", expand_string_message);
      rc = NULL;
      goto CLEANUP;
      }
    			/* else pass NULL, which means default header list */

  /* Get private key to use. */

  if (!(dkim_private_key_expanded = expand_string(dkim_private_key)))
    {
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_private_key: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
    }

  if (  Ustrlen(dkim_private_key_expanded) == 0
     || Ustrcmp(dkim_private_key_expanded, "0") == 0
     || Ustrcmp(dkim_private_key_expanded, "false") == 0
     )
    continue;		/* don't sign, but no error */

  if (dkim_private_key_expanded[0] == '/')
    {
    int privkey_fd = 0;

    /* Looks like a filename, load the private key. */

    memset(big_buffer, 0, big_buffer_size);
    privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY);
    if (privkey_fd < 0)
      {
      log_write(0, LOG_MAIN | LOG_PANIC, "unable to open "
		 "private key file for reading: %s",
		 dkim_private_key_expanded);
      rc = NULL;
      goto CLEANUP;
      }

    if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
      {
      log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
		 dkim_private_key_expanded);
      rc = NULL;
      goto CLEANUP;
      }

    (void) close(privkey_fd);
    dkim_private_key_expanded = big_buffer;
    }

  ctx = pdkim_init_sign(PDKIM_INPUT_SMTP,
			 (char *) dkim_signing_domain,
			 (char *) dkim_signing_selector,
			 (char *) dkim_private_key_expanded);
#ifdef PDKIM_DEBUG
  pdkim_set_debug_stream(ctx, debug_file);
#endif
  pdkim_set_optional(ctx,
		      (char *) dkim_sign_headers_expanded,
		      NULL,
		      pdkim_canon,
		      pdkim_canon, -1, PDKIM_ALGO_RSA_SHA256, 0, 0);

  lseek(dkim_fd, 0, SEEK_SET);

  while ((sread = read(dkim_fd, &buf, 4096)) > 0)
    if (pdkim_feed(ctx, buf, sread) != PDKIM_OK)
      {
      rc = NULL;
      goto CLEANUP;
      }

  /* Handle failed read above. */
  if (sread == -1)
    {
    debug_printf("DKIM: Error reading -K file.\n");
    save_errno = errno;
    rc = NULL;
    goto CLEANUP;
    }

  if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
    {
    log_write(0, LOG_MAIN|LOG_PANIC, "DKIM: signing failed (RC %d)", pdkim_rc);
    rc = NULL;
    goto CLEANUP;
    }

  sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
			  US signature->signature_header, US"\r\n");

  pdkim_free_ctx(ctx);
  ctx = NULL;
  }

if (sigbuf)
  {
  sigbuf[sigptr] = '\0';
  rc = sigbuf;
  }
else
  rc = US"";

CLEANUP:
if (ctx)
  pdkim_free_ctx(ctx);
store_pool = old_pool;
errno = save_errno;
return rc;
}

#endif
Commit	Line	Data
80a47a2c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
3386088d	5	/* Copyright (c) University of Cambridge, 1995 - 2015 */
80a47a2c TK	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Code for DKIM support. Other DKIM relevant code is in
	9	receive.c, transport.c and transports/smtp.c */
	10
	11	#include "exim.h"
	12
	13	#ifndef DISABLE_DKIM
	14
	15	#include "pdkim/pdkim.h"
	16
1cfe5c1c	17	pdkim_ctx *dkim_verify_ctx = NULL;
80a47a2c	18	pdkim_signature *dkim_signatures = NULL;
1cfe5c1c	19	pdkim_signature *dkim_cur_sig = NULL;
80a47a2c	20
1cfe5c1c JH	21	static int
	22	dkim_exim_query_dns_txt(char name, char answer)
	23	{
	24	dns_answer dnsa;
	25	dns_scan dnss;
	26	dns_record *rr;
80a47a2c	27
1cfe5c1c JH	28	lookup_dnssec_authenticated = NULL;
	29	if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
	30	return PDKIM_FAIL;
80a47a2c	31
1cfe5c1c	32	/* Search for TXT record */
80a47a2c	33
1cfe5c1c JH	34	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	35	rr;
	36	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
	37	if (rr->type == T_TXT)
	38	{
80a47a2c TK	39	int rr_offset = 0;
80a47a2c TK	40	int answer_offset = 0;
1cfe5c1c JH	41
	42	/* Copy record content to the answer buffer */
	43
	44	while (rr_offset < rr->size)
	45	{
	46	uschar len = rr->data[rr_offset++];
	47	snprintf(answer + answer_offset,
	48	PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
	49	"%.s", (int)len, (char ) (rr->data + rr_offset));
	50	rr_offset += len;
	51	answer_offset += len;
	52	if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
	53	return PDKIM_FAIL;
4263f395	54	}
1cfe5c1c	55	return PDKIM_OK;
80a47a2c	56	}
80a47a2c	57
1cfe5c1c	58	return PDKIM_FAIL;
80a47a2c TK	59	}
	60
	61
1cfe5c1c JH	62	void
	63	dkim_exim_verify_init(void)
	64	{
	65	/* Free previous context if there is one */
80a47a2c	66
1cfe5c1c JH	67	if (dkim_verify_ctx)
1cfe5c1c JH	68	pdkim_free_ctx(dkim_verify_ctx);
80a47a2c	69
1cfe5c1c	70	/* Create new context */
80a47a2c	71
1cfe5c1c	72	dkim_verify_ctx = pdkim_init_verify(PDKIM_INPUT_SMTP, &dkim_exim_query_dns_txt);
3b957582 JB	73	dkim_collect_input = !!dkim_verify_ctx;
	74	#ifdef PDKIM_DEBUG
	75	if (dkim_collect_input)
1cfe5c1c	76	pdkim_set_debug_stream(dkim_verify_ctx, debug_file);
3b957582	77	#endif
80a47a2c TK	78	}
	79
	80
1cfe5c1c JH	81	void
	82	dkim_exim_verify_feed(uschar * data, int len)
	83	{
	84	if ( dkim_collect_input
	85	&& pdkim_feed(dkim_verify_ctx, (char *)data, len) != PDKIM_OK)
	86	dkim_collect_input = FALSE;
80a47a2c TK	87	}
	88
	89
1cfe5c1c JH	90	void
	91	dkim_exim_verify_finish(void)
	92	{
	93	pdkim_signature *sig = NULL;
	94	int dkim_signers_size = 0;
	95	int dkim_signers_ptr = 0;
	96	dkim_signers = NULL;
	97
	98	/* Delete eventual previous signature chain */
	99
	100	dkim_signatures = NULL;
	101
	102	/* If we have arrived here with dkim_collect_input == FALSE, it
	103	means there was a processing error somewhere along the way.
	104	Log the incident and disable futher verification. */
	105
	106	if (!dkim_collect_input)
	107	{
	108	log_write(0, LOG_MAIN,
	109	"DKIM: Error while running this message through validation,"
	110	" disabling signature verification.");
	111	dkim_disable_verify = TRUE;
	112	return;
	113	}
80a47a2c	114
1cfe5c1c	115	dkim_collect_input = FALSE;
80a47a2c	116
1cfe5c1c	117	/* Finish DKIM operation and fetch link to signatures chain */
80a47a2c	118
1cfe5c1c JH	119	if (pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures) != PDKIM_OK)
	120	return;
	121
	122	for (sig = dkim_signatures; sig; sig = sig->next)
	123	{
	124	int size = 0;
	125	int ptr = 0;
	126
	127	/* Log a line for each signature */
	128
	129	uschar *logmsg = string_append(NULL, &size, &ptr, 5,
	130	string_sprintf("d=%s s=%s c=%s/%s a=%s ",
	131	sig->domain,
	132	sig->selector,
	133	sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	134	sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	135	sig->algo == PDKIM_ALGO_RSA_SHA256 ? "rsa-sha256" : "rsa-sha1"),
	136
	137	sig->identity ? string_sprintf("i=%s ", sig->identity) : US"",
	138	sig->created > 0 ? string_sprintf("t=%lu ", sig->created) : US"",
	139	sig->expires > 0 ? string_sprintf("x=%lu ", sig->expires) : US"",
	140	sig->bodylength > -1 ? string_sprintf("l=%lu ", sig->bodylength) : US""
	141	);
	142
	143	switch (sig->verify_status)
	144	{
	145	case PDKIM_VERIFY_NONE:
	146	logmsg = string_append(logmsg, &size, &ptr, 1, "[not verified]");
80a47a2c	147	break;
1cfe5c1c JH	148
	149	case PDKIM_VERIFY_INVALID:
	150	logmsg = string_append(logmsg, &size, &ptr, 1, "[invalid - ");
	151	switch (sig->verify_ext_status)
	152	{
	153	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	154	logmsg = string_append(logmsg, &size, &ptr, 1,
	155	"public key record (currently?) unavailable]");
	156	break;
	157
	158	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
	159	logmsg = string_append(logmsg, &size, &ptr, 1,
	160	"overlong public key record]");
	161	break;
	162
	163	case PDKIM_VERIFY_INVALID_PUBKEY_PARSING:
	164	logmsg = string_append(logmsg, &size, &ptr, 1,
	165	"syntax error in public key record]");
	166	break;
	167
	168	default:
	169	logmsg = string_append(logmsg, &size, &ptr, 1,
	170	"unspecified problem]");
	171	}
80a47a2c	172	break;
1cfe5c1c JH	173
	174	case PDKIM_VERIFY_FAIL:
	175	logmsg =
	176	string_append(logmsg, &size, &ptr, 1, "[verification failed - ");
	177	switch (sig->verify_ext_status)
	178	{
	179	case PDKIM_VERIFY_FAIL_BODY:
	180	logmsg = string_append(logmsg, &size, &ptr, 1,
	181	"body hash mismatch (body probably modified in transit)]");
	182	break;
	183
	184	case PDKIM_VERIFY_FAIL_MESSAGE:
	185	logmsg = string_append(logmsg, &size, &ptr, 1,
	186	"signature did not verify (headers probably modified in transit)]");
	187	break;
	188
	189	default:
	190	logmsg = string_append(logmsg, &size, &ptr, 1, "unspecified reason]");
	191	}
80a47a2c	192	break;
1cfe5c1c JH	193
	194	case PDKIM_VERIFY_PASS:
	195	logmsg =
	196	string_append(logmsg, &size, &ptr, 1, "[verification succeeded]");
80a47a2c TK	197	break;
	198	}
	199
1cfe5c1c JH	200	logmsg[ptr] = '\0';
1cfe5c1c JH	201	log_write(0, LOG_MAIN, "DKIM: %s", logmsg);
80a47a2c	202
1cfe5c1c JH	203	/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
	204
	205	dkim_signers = string_append(dkim_signers,
	206	&dkim_signers_size,
	207	&dkim_signers_ptr, 2, sig->domain, ":");
	208
	209	if (sig->identity)
9e5d6b55	210	dkim_signers = string_append(dkim_signers,
1cfe5c1c JH	211	&dkim_signers_size,
1cfe5c1c JH	212	&dkim_signers_ptr, 2, sig->identity, ":");
80a47a2c	213
1cfe5c1c	214	/* Process next signature */
80a47a2c TK	215	}
80a47a2c TK	216
1cfe5c1c JH	217	/* NULL-terminate and chop the last colon from the domain list */
	218
	219	if (dkim_signers)
	220	{
	221	dkim_signers[dkim_signers_ptr] = '\0';
	222	if (Ustrlen(dkim_signers) > 0)
	223	dkim_signers[Ustrlen(dkim_signers) - 1] = '\0';
0d2b278d	224	}
80a47a2c TK	225	}
	226
	227
1cfe5c1c JH	228	void
	229	dkim_exim_acl_setup(uschar * id)
	230	{
	231	pdkim_signature * sig;
	232	uschar * cmp_val;
	233
1cfe5c1c JH	234	dkim_cur_sig = NULL;
	235	dkim_cur_signer = id;
	236
	237	if (dkim_disable_verify \|\| !id \|\| !dkim_verify_ctx)
	238	return;
	239
	240	/* Find signature to run ACL on */
	241
	242	for (sig = dkim_signatures; sig; sig = sig->next)
	243	if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
	244	&& strcmpic(cmp_val, id) == 0
	245	)
	246	{
	247	dkim_cur_sig = sig;
	248
	249	/* The "dkim_domain" and "dkim_selector" expansion variables have
	250	related globals, since they are used in the signing code too.
	251	Instead of inventing separate names for verification, we set
	252	them here. This is easy since a domain and selector is guaranteed
	253	to be in a signature. The other dkim_* expansion items are
	254	dynamically fetched from dkim_cur_sig at expansion time (see
	255	function below). */
	256
	257	dkim_signing_domain = US sig->domain;
	258	dkim_signing_selector = US sig->selector;
	259	return;
80a47a2c	260	}
80a47a2c TK	261	}
	262
	263
1cfe5c1c JH	264	static uschar *
	265	dkim_exim_expand_defaults(int what)
	266	{
	267	switch (what)
	268	{
	269	case DKIM_ALGO: return US"";
	270	case DKIM_BODYLENGTH: return US"9999999999999";
	271	case DKIM_CANON_BODY: return US"";
	272	case DKIM_CANON_HEADERS: return US"";
	273	case DKIM_COPIEDHEADERS: return US"";
	274	case DKIM_CREATED: return US"0";
	275	case DKIM_EXPIRES: return US"9999999999999";
	276	case DKIM_HEADERNAMES: return US"";
	277	case DKIM_IDENTITY: return US"";
	278	case DKIM_KEY_GRANULARITY: return US"*";
	279	case DKIM_KEY_SRVTYPE: return US"*";
	280	case DKIM_KEY_NOTES: return US"";
	281	case DKIM_KEY_TESTING: return US"0";
	282	case DKIM_NOSUBDOMAINS: return US"0";
	283	case DKIM_VERIFY_STATUS: return US"none";
	284	case DKIM_VERIFY_REASON: return US"";
	285	default: return US"";
	286	}
	287	}
80a47a2c	288
80a47a2c	289
1cfe5c1c JH	290	uschar *
	291	dkim_exim_expand_query(int what)
	292	{
	293	if (!dkim_verify_ctx \|\| dkim_disable_verify \|\| !dkim_cur_sig)
	294	return dkim_exim_expand_defaults(what);
	295
	296	switch (what)
	297	{
	298	case DKIM_ALGO:
	299	switch (dkim_cur_sig->algo)
	300	{
	301	case PDKIM_ALGO_RSA_SHA1: return US"rsa-sha1";
	302	case PDKIM_ALGO_RSA_SHA256:
	303	default: return US"rsa-sha256";
da5dfc3a	304	}
1cfe5c1c JH	305
	306	case DKIM_BODYLENGTH:
	307	return dkim_cur_sig->bodylength >= 0
	308	? string_sprintf(OFF_T_FMT, (LONGLONG_T) dkim_cur_sig->bodylength)
	309	: dkim_exim_expand_defaults(what);
	310
	311	case DKIM_CANON_BODY:
	312	switch (dkim_cur_sig->canon_body)
	313	{
	314	case PDKIM_CANON_RELAXED: return US"relaxed";
	315	case PDKIM_CANON_SIMPLE:
	316	default: return US"simple";
80a47a2c	317	}
1cfe5c1c JH	318
	319	case DKIM_CANON_HEADERS:
	320	switch (dkim_cur_sig->canon_headers)
	321	{
	322	case PDKIM_CANON_RELAXED: return US"relaxed";
	323	case PDKIM_CANON_SIMPLE:
	324	default: return US"simple";
	325	}
	326
	327	case DKIM_COPIEDHEADERS:
	328	return dkim_cur_sig->copiedheaders
	329	? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
	330
	331	case DKIM_CREATED:
	332	return dkim_cur_sig->created > 0
	333	? string_sprintf("%llu", dkim_cur_sig->created)
	334	: dkim_exim_expand_defaults(what);
	335
	336	case DKIM_EXPIRES:
	337	return dkim_cur_sig->expires > 0
	338	? string_sprintf("%llu", dkim_cur_sig->expires)
	339	: dkim_exim_expand_defaults(what);
	340
	341	case DKIM_HEADERNAMES:
	342	return dkim_cur_sig->headernames
	343	? US dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
	344
	345	case DKIM_IDENTITY:
	346	return dkim_cur_sig->identity
	347	? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
	348
	349	case DKIM_KEY_GRANULARITY:
	350	return dkim_cur_sig->pubkey
	351	? dkim_cur_sig->pubkey->granularity
	352	? US dkim_cur_sig->pubkey->granularity
	353	: dkim_exim_expand_defaults(what)
	354	: dkim_exim_expand_defaults(what);
	355
	356	case DKIM_KEY_SRVTYPE:
	357	return dkim_cur_sig->pubkey
	358	? dkim_cur_sig->pubkey->srvtype
	359	? US dkim_cur_sig->pubkey->srvtype
	360	: dkim_exim_expand_defaults(what)
	361	: dkim_exim_expand_defaults(what);
	362
	363	case DKIM_KEY_NOTES:
	364	return dkim_cur_sig->pubkey
	365	? dkim_cur_sig->pubkey->notes
	366	? US dkim_cur_sig->pubkey->notes
	367	: dkim_exim_expand_defaults(what)
	368	: dkim_exim_expand_defaults(what);
	369
	370	case DKIM_KEY_TESTING:
	371	return dkim_cur_sig->pubkey
	372	? dkim_cur_sig->pubkey->testing
	373	? US"1"
	374	: dkim_exim_expand_defaults(what)
	375	: dkim_exim_expand_defaults(what);
	376
	377	case DKIM_NOSUBDOMAINS:
	378	return dkim_cur_sig->pubkey
	379	? dkim_cur_sig->pubkey->no_subdomaining
	380	? US"1"
	381	: dkim_exim_expand_defaults(what)
382	: dkim_exim_expand_defaults(what);
383
384	case DKIM_VERIFY_STATUS:
385	switch (dkim_cur_sig->verify_status)
386	{
387	case PDKIM_VERIFY_INVALID: return US"invalid";
388	case PDKIM_VERIFY_FAIL: return US"fail";
389	case PDKIM_VERIFY_PASS: return US"pass";
390	case PDKIM_VERIFY_NONE:
391	default: return US"none";
80a47a2c	392	}
80a47a2c	393
1cfe5c1c JH	394	case DKIM_VERIFY_REASON:
	395	switch (dkim_cur_sig->verify_ext_status)
	396	{
	397	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	398	return US"pubkey_unavailable";
	399	case PDKIM_VERIFY_INVALID_PUBKEY_PARSING: return US"pubkey_syntax";
	400	case PDKIM_VERIFY_FAIL_BODY: return US"bodyhash_mismatch";
	401	case PDKIM_VERIFY_FAIL_MESSAGE: return US"signature_incorrect";
	402	}
80a47a2c	403
1cfe5c1c JH	404	default:
1cfe5c1c JH	405	return US"";
80a47a2c TK	406	}
	407	}
	408
	409
55414b25	410	uschar *
1cfe5c1c JH	411	dkim_exim_sign(int dkim_fd, uschar * dkim_private_key,
	412	const uschar * dkim_domain, uschar * dkim_selector,
	413	uschar * dkim_canon, uschar * dkim_sign_headers)
55414b25	414	{
1cfe5c1c JH	415	int sep = 0;
	416	uschar *seen_items = NULL;
	417	int seen_items_size = 0;
	418	int seen_items_offset = 0;
	419	uschar itembuf[256];
	420	uschar *dkim_canon_expanded;
	421	uschar *dkim_sign_headers_expanded;
	422	uschar *dkim_private_key_expanded;
	423	pdkim_ctx *ctx = NULL;
	424	uschar *rc = NULL;
	425	uschar *sigbuf = NULL;
	426	int sigsize = 0;
	427	int sigptr = 0;
	428	pdkim_signature *signature;
	429	int pdkim_canon;
	430	int pdkim_rc;
	431	int sread;
	432	char buf[4096];
	433	int save_errno = 0;
	434	int old_pool = store_pool;
	435
	436	store_pool = POOL_MAIN;
	437
	438	if (!(dkim_domain = expand_cstring(dkim_domain)))
	439	{
	440	/* expansion error, do not send message. */
	441	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	442	"dkim_domain: %s", expand_string_message);
	443	rc = NULL;
	444	goto CLEANUP;
	445	}
	446
	447	/* Set $dkim_domain expansion variable to each unique domain in list. */
	448
	449	while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
	450	itembuf, sizeof(itembuf))))
	451	{
	452	if (!dkim_signing_domain \|\| dkim_signing_domain[0] == '\0')
	453	continue;
	454
	455	/* Only sign once for each domain, no matter how often it
	456	appears in the expanded list. */
	457
	458	if (seen_items)
	459	{
	460	const uschar *seen_items_list = seen_items;
	461	if (match_isinlist(dkim_signing_domain,
	462	&seen_items_list, 0, NULL, NULL, MCL_STRING, TRUE,
	463	NULL) == OK)
	464	continue;
	465
	466	seen_items =
	467	string_append(seen_items, &seen_items_size, &seen_items_offset, 1, ":");
	468	}
	469
	470	seen_items =
	471	string_append(seen_items, &seen_items_size, &seen_items_offset, 1,
	472	dkim_signing_domain);
	473	seen_items[seen_items_offset] = '\0';
	474
	475	/* Set up $dkim_selector expansion variable. */
	476
	477	if (!(dkim_signing_selector = expand_string(dkim_selector)))
	478	{
479	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
480	"dkim_selector: %s", expand_string_message);
481	rc = NULL;
482	goto CLEANUP;
483	}
484
485	/* Get canonicalization to use */
486
487	dkim_canon_expanded = dkim_canon ? expand_string(dkim_canon) : US"relaxed";
488	if (!dkim_canon_expanded)
489	{
80a47a2c	490	/* expansion error, do not send message. */
1cfe5c1c JH	491	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
1cfe5c1c JH	492	"dkim_canon: %s", expand_string_message);
80a47a2c TK	493	rc = NULL;
80a47a2c TK	494	goto CLEANUP;
1cfe5c1c	495	}
80a47a2c	496
1cfe5c1c JH	497	if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
	498	pdkim_canon = PDKIM_CANON_RELAXED;
	499	else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
	500	pdkim_canon = PDKIM_CANON_SIMPLE;
	501	else
	502	{
	503	log_write(0, LOG_MAIN,
	504	"DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
	505	dkim_canon_expanded);
	506	pdkim_canon = PDKIM_CANON_RELAXED;
a8e1eeba	507	}
1cfe5c1c JH	508
	509	dkim_sign_headers_expanded = NULL;
	510	if (dkim_sign_headers)
	511	if (!(dkim_sign_headers_expanded = expand_string(dkim_sign_headers)))
	512	{
	513	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	514	"dkim_sign_headers: %s", expand_string_message);
a8e1eeba MH	515	rc = NULL;
a8e1eeba MH	516	goto CLEANUP;
1cfe5c1c JH	517	}
	518	/* else pass NULL, which means default header list */
	519
	520	/* Get private key to use. */
	521
	522	if (!(dkim_private_key_expanded = expand_string(dkim_private_key)))
	523	{
	524	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	525	"dkim_private_key: %s", expand_string_message);
	526	rc = NULL;
	527	goto CLEANUP;
a8e1eeba	528	}
80a47a2c	529
1cfe5c1c JH	530	if ( Ustrlen(dkim_private_key_expanded) == 0
	531	\|\| Ustrcmp(dkim_private_key_expanded, "0") == 0
	532	\|\| Ustrcmp(dkim_private_key_expanded, "false") == 0
	533	)
	534	continue; /* don't sign, but no error */
	535
	536	if (dkim_private_key_expanded[0] == '/')
	537	{
	538	int privkey_fd = 0;
	539
	540	/* Looks like a filename, load the private key. */
	541
	542	memset(big_buffer, 0, big_buffer_size);
	543	privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY);
	544	if (privkey_fd < 0)
	545	{
	546	log_write(0, LOG_MAIN \| LOG_PANIC, "unable to open "
	547	"private key file for reading: %s",
	548	dkim_private_key_expanded);
80a47a2c TK	549	rc = NULL;
80a47a2c TK	550	goto CLEANUP;
db4d0902	551	}
80a47a2c	552
1cfe5c1c JH	553	if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
	554	{
	555	log_write(0, LOG_MAIN\|LOG_PANIC, "unable to read private key file: %s",
	556	dkim_private_key_expanded);
cf745305 TK	557	rc = NULL;
cf745305 TK	558	goto CLEANUP;
1ac6b2e7	559	}
80a47a2c	560
1cfe5c1c JH	561	(void) close(privkey_fd);
1cfe5c1c JH	562	dkim_private_key_expanded = big_buffer;
a8e1eeba	563	}
1cfe5c1c JH	564
	565	ctx = pdkim_init_sign(PDKIM_INPUT_SMTP,
	566	(char *) dkim_signing_domain,
	567	(char *) dkim_signing_selector,
	568	(char *) dkim_private_key_expanded);
3b957582	569	#ifdef PDKIM_DEBUG
1cfe5c1c	570	pdkim_set_debug_stream(ctx, debug_file);
3b957582	571	#endif
1cfe5c1c JH	572	pdkim_set_optional(ctx,
	573	(char *) dkim_sign_headers_expanded,
	574	NULL,
	575	pdkim_canon,
	576	pdkim_canon, -1, PDKIM_ALGO_RSA_SHA256, 0, 0);
	577
	578	lseek(dkim_fd, 0, SEEK_SET);
	579
	580	while ((sread = read(dkim_fd, &buf, 4096)) > 0)
	581	if (pdkim_feed(ctx, buf, sread) != PDKIM_OK)
	582	{
80a47a2c TK	583	rc = NULL;
80a47a2c TK	584	goto CLEANUP;
1cfe5c1c JH	585	}
	586
	587	/* Handle failed read above. */
	588	if (sread == -1)
	589	{
	590	debug_printf("DKIM: Error reading -K file.\n");
	591	save_errno = errno;
	592	rc = NULL;
	593	goto CLEANUP;
80a47a2c	594	}
80a47a2c	595
1cfe5c1c JH	596	if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
	597	{
	598	log_write(0, LOG_MAIN\|LOG_PANIC, "DKIM: signing failed (RC %d)", pdkim_rc);
	599	rc = NULL;
	600	goto CLEANUP;
a8e1eeba	601	}
80a47a2c	602
1cfe5c1c JH	603	sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
1cfe5c1c JH	604	US signature->signature_header, US"\r\n");
80a47a2c	605
1cfe5c1c JH	606	pdkim_free_ctx(ctx);
1cfe5c1c JH	607	ctx = NULL;
80a47a2c	608	}
a8e1eeba	609
1cfe5c1c JH	610	if (sigbuf)
	611	{
	612	sigbuf[sigptr] = '\0';
	613	rc = sigbuf;
	614	}
	615	else
	616	rc = US"";
	617
	618	CLEANUP:
	619	if (ctx)
	620	pdkim_free_ctx(ctx);
	621	store_pool = old_pool;
	622	errno = save_errno;
	623	return rc;
93f2d376	624	}
80a47a2c TK	625
80a47a2c TK	626	#endif