[exim.git] / src / src / dkim.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge, 1995 - 2017 */
/* See the file NOTICE for conditions of use and distribution. */

/* Code for DKIM support. Other DKIM relevant code is in
   receive.c, transport.c and transports/smtp.c */

#include "exim.h"

#ifndef DISABLE_DKIM

#include "pdkim/pdkim.h"

int dkim_verify_oldpool;
pdkim_ctx *dkim_verify_ctx = NULL;
pdkim_signature *dkim_signatures = NULL;
pdkim_signature *dkim_cur_sig = NULL;
static const uschar * dkim_collect_error = NULL;

static int
dkim_exim_query_dns_txt(char *name, char *answer)
{
dns_answer dnsa;
dns_scan dnss;
dns_record *rr;

lookup_dnssec_authenticated = NULL;
if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
  return PDKIM_FAIL;	/*XXX better error detail?  logging? */

/* Search for TXT record */

for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
     rr;
     rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
  if (rr->type == T_TXT)
    {
    int rr_offset = 0;
    int answer_offset = 0;

    /* Copy record content to the answer buffer */

    while (rr_offset < rr->size)
      {
      uschar len = rr->data[rr_offset++];
      snprintf(answer + answer_offset,
		PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
		"%.*s", (int)len, (char *) (rr->data + rr_offset));
      rr_offset += len;
      answer_offset += len;
      if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
	return PDKIM_FAIL;	/*XXX better error detail?  logging? */
      }
    return PDKIM_OK;
    }

return PDKIM_FAIL;	/*XXX better error detail?  logging? */
}


void
dkim_exim_init(void)
{
pdkim_init();
}


void
dkim_exim_verify_init(BOOL dot_stuffing)
{
/* There is a store-reset between header & body reception
so cannot use the main pool. Any allocs done by Exim
memory-handling must use the perm pool. */

dkim_verify_oldpool = store_pool;
store_pool = POOL_PERM;

/* Free previous context if there is one */

if (dkim_verify_ctx)
  pdkim_free_ctx(dkim_verify_ctx);

/* Create new context */

dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
dkim_collect_input = !!dkim_verify_ctx;
dkim_collect_error = NULL;

/* Start feed up with any cached data */
receive_get_cache();

store_pool = dkim_verify_oldpool;
}


void
dkim_exim_verify_feed(uschar * data, int len)
{
int rc;

store_pool = POOL_PERM;
if (  dkim_collect_input
   && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK)
  {
  dkim_collect_error = pdkim_errstr(rc);
  log_write(0, LOG_MAIN,
	     "DKIM: validation error: %.100s", dkim_collect_error);
  dkim_collect_input = FALSE;
  }
store_pool = dkim_verify_oldpool;
}


void
dkim_exim_verify_finish(void)
{
pdkim_signature * sig = NULL;
int dkim_signers_size = 0, dkim_signers_ptr = 0, rc;
const uschar * errstr;

store_pool = POOL_PERM;

/* Delete eventual previous signature chain */

dkim_signers = NULL;
dkim_signatures = NULL;

if (dkim_collect_error)
  {
  log_write(0, LOG_MAIN,
      "DKIM: Error during validation, disabling signature verification: %.100s",
      dkim_collect_error);
  dkim_disable_verify = TRUE;
  goto out;
  }

dkim_collect_input = FALSE;

/* Finish DKIM operation and fetch link to signatures chain */

rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
if (rc != PDKIM_OK)
  {
  log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
	    errstr ? ": " : "", errstr ? errstr : US"");
  goto out;
  }

for (sig = dkim_signatures; sig; sig = sig->next)
  {
  int size = 0, ptr = 0;
  uschar * logmsg = NULL, * s;

  /* Log a line for each signature */

  if (!(s = sig->domain)) s = US"<UNSET>";
  logmsg = string_append(logmsg, &size, &ptr, 2, "d=", s);
  if (!(s = sig->selector)) s = US"<UNSET>";
  logmsg = string_append(logmsg, &size, &ptr, 2, " s=", s);
  logmsg = string_append(logmsg, &size, &ptr, 7, 
	" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	"/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	" a=", sig->algo == PDKIM_ALGO_RSA_SHA256
		? "rsa-sha256"
		: sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
	string_sprintf(" b=%d",
			(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
  if ((s= sig->identity)) string_append(logmsg, &size, &ptr, 2, " i=", s);
  if (sig->created > 0) string_append(logmsg, &size, &ptr, 1,
				      string_sprintf(" t=%lu", sig->created));
  if (sig->expires > 0) string_append(logmsg, &size, &ptr, 1,
				      string_sprintf(" x=%lu", sig->expires));
  if (sig->bodylength > -1) string_append(logmsg, &size, &ptr, 1,
				      string_sprintf(" l=%lu", sig->bodylength));

  switch (sig->verify_status)
    {
    case PDKIM_VERIFY_NONE:
      logmsg = string_append(logmsg, &size, &ptr, 1, " [not verified]");
      break;

    case PDKIM_VERIFY_INVALID:
      logmsg = string_append(logmsg, &size, &ptr, 1, " [invalid - ");
      switch (sig->verify_ext_status)
	{
	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		        "public key record (currently?) unavailable]");
	  break;

	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
			"overlong public key record]");
	  break;

	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "syntax error in public key record]");
	  break;

        case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
          logmsg = string_append(logmsg, &size, &ptr, 1,
                       "signature tag missing or invalid]");
          break;

        case PDKIM_VERIFY_INVALID_DKIM_VERSION:
          logmsg = string_append(logmsg, &size, &ptr, 1,
                       "unsupported DKIM version]");
          break;

	default:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
			"unspecified problem]");
	}
      break;

    case PDKIM_VERIFY_FAIL:
      logmsg =
	string_append(logmsg, &size, &ptr, 1, " [verification failed - ");
      switch (sig->verify_ext_status)
	{
	case PDKIM_VERIFY_FAIL_BODY:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "body hash mismatch (body probably modified in transit)]");
	  break;

	case PDKIM_VERIFY_FAIL_MESSAGE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "signature did not verify (headers probably modified in transit)]");
	break;

	default:
	  logmsg = string_append(logmsg, &size, &ptr, 1, "unspecified reason]");
	}
      break;

    case PDKIM_VERIFY_PASS:
      logmsg =
	string_append(logmsg, &size, &ptr, 1, " [verification succeeded]");
      break;
    }

  logmsg[ptr] = '\0';
  log_write(0, LOG_MAIN, "DKIM: %s", logmsg);

  /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */

  if (sig->domain)
    dkim_signers = string_append_listele(dkim_signers, ':', sig->domain);

  if (sig->identity)
    dkim_signers = string_append_listele(dkim_signers, ':', sig->identity);

  /* Process next signature */
  }

out:
store_pool = dkim_verify_oldpool;
}


void
dkim_exim_acl_setup(uschar * id)
{
pdkim_signature * sig;
uschar * cmp_val;

dkim_cur_sig = NULL;
dkim_cur_signer = id;

if (dkim_disable_verify || !id || !dkim_verify_ctx)
  return;

/* Find signature to run ACL on */

for (sig = dkim_signatures; sig; sig = sig->next)
  if (  (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
     && strcmpic(cmp_val, id) == 0
     )
    {
    dkim_cur_sig = sig;

    /* The "dkim_domain" and "dkim_selector" expansion variables have
       related globals, since they are used in the signing code too.
       Instead of inventing separate names for verification, we set
       them here. This is easy since a domain and selector is guaranteed
       to be in a signature. The other dkim_* expansion items are
       dynamically fetched from dkim_cur_sig at expansion time (see
       function below). */

    dkim_signing_domain = US sig->domain;
    dkim_signing_selector = US sig->selector;
    dkim_key_length = sig->sighash.len * 8;
    return;
    }
}


static uschar *
dkim_exim_expand_defaults(int what)
{
switch (what)
  {
  case DKIM_ALGO:		return US"";
  case DKIM_BODYLENGTH:		return US"9999999999999";
  case DKIM_CANON_BODY:		return US"";
  case DKIM_CANON_HEADERS:	return US"";
  case DKIM_COPIEDHEADERS:	return US"";
  case DKIM_CREATED:		return US"0";
  case DKIM_EXPIRES:		return US"9999999999999";
  case DKIM_HEADERNAMES:	return US"";
  case DKIM_IDENTITY:		return US"";
  case DKIM_KEY_GRANULARITY:	return US"*";
  case DKIM_KEY_SRVTYPE:	return US"*";
  case DKIM_KEY_NOTES:		return US"";
  case DKIM_KEY_TESTING:	return US"0";
  case DKIM_NOSUBDOMAINS:	return US"0";
  case DKIM_VERIFY_STATUS:	return US"none";
  case DKIM_VERIFY_REASON:	return US"";
  default:			return US"";
  }
}


uschar *
dkim_exim_expand_query(int what)
{
if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig)
  return dkim_exim_expand_defaults(what);

switch (what)
  {
  case DKIM_ALGO:
    switch (dkim_cur_sig->algo)
      {
      case PDKIM_ALGO_RSA_SHA1:	return US"rsa-sha1";
      case PDKIM_ALGO_RSA_SHA256:
      default:			return US"rsa-sha256";
      }

  case DKIM_BODYLENGTH:
    return dkim_cur_sig->bodylength >= 0
      ? string_sprintf(OFF_T_FMT, (LONGLONG_T) dkim_cur_sig->bodylength)
      : dkim_exim_expand_defaults(what);

  case DKIM_CANON_BODY:
    switch (dkim_cur_sig->canon_body)
      {
      case PDKIM_CANON_RELAXED:	return US"relaxed";
      case PDKIM_CANON_SIMPLE:
      default:			return US"simple";
      }

  case DKIM_CANON_HEADERS:
  switch (dkim_cur_sig->canon_headers)
    {
    case PDKIM_CANON_RELAXED:	return US"relaxed";
    case PDKIM_CANON_SIMPLE:
    default:			return US"simple";
    }

  case DKIM_COPIEDHEADERS:
    return dkim_cur_sig->copiedheaders
      ? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);

  case DKIM_CREATED:
    return dkim_cur_sig->created > 0
      ? string_sprintf("%llu", dkim_cur_sig->created)
      : dkim_exim_expand_defaults(what);

  case DKIM_EXPIRES:
    return dkim_cur_sig->expires > 0
      ? string_sprintf("%llu", dkim_cur_sig->expires)
      : dkim_exim_expand_defaults(what);

  case DKIM_HEADERNAMES:
    return dkim_cur_sig->headernames
      ? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);

  case DKIM_IDENTITY:
    return dkim_cur_sig->identity
      ? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);

  case DKIM_KEY_GRANULARITY:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->granularity
      ? US dkim_cur_sig->pubkey->granularity
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_SRVTYPE:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->srvtype
      ? US dkim_cur_sig->pubkey->srvtype
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_NOTES:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->notes
      ? US dkim_cur_sig->pubkey->notes
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_TESTING:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->testing
      ? US"1"
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_NOSUBDOMAINS:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->no_subdomaining
      ? US"1"
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_VERIFY_STATUS:
    switch (dkim_cur_sig->verify_status)
      {
      case PDKIM_VERIFY_INVALID:	return US"invalid";
      case PDKIM_VERIFY_FAIL:		return US"fail";
      case PDKIM_VERIFY_PASS:		return US"pass";
      case PDKIM_VERIFY_NONE:
      default:				return US"none";
      }

  case DKIM_VERIFY_REASON:
    switch (dkim_cur_sig->verify_ext_status)
      {
      case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
						return US"pubkey_unavailable";
      case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
      case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:	return US"pubkey_der_syntax";
      case PDKIM_VERIFY_FAIL_BODY:		return US"bodyhash_mismatch";
      case PDKIM_VERIFY_FAIL_MESSAGE:		return US"signature_incorrect";
      }

  default:
    return US"";
  }
}


uschar *
dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim, const uschar ** errstr)
{
const uschar * dkim_domain;
int sep = 0;
uschar *seen_items = NULL;
int seen_items_size = 0;
int seen_items_offset = 0;
uschar itembuf[256];
uschar *dkim_canon_expanded;
uschar *dkim_sign_headers_expanded;
uschar *dkim_private_key_expanded;
pdkim_ctx *ctx = NULL;
uschar *rc = NULL;
uschar *sigbuf = NULL;
int sigsize = 0;
int sigptr = 0;
pdkim_signature *signature;
int pdkim_canon;
int pdkim_rc;
int sread;
char buf[4096];
int save_errno = 0;
int old_pool = store_pool;

store_pool = POOL_MAIN;

if (!(dkim_domain = expand_cstring(dkim->dkim_domain)))
  {
  /* expansion error, do not send message. */
  log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	     "dkim_domain: %s", expand_string_message);
  goto bad;
  }

/* Set $dkim_domain expansion variable to each unique domain in list. */

while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
				   itembuf, sizeof(itembuf))))
  {
  if (!dkim_signing_domain || dkim_signing_domain[0] == '\0')
    continue;

  /* Only sign once for each domain, no matter how often it
  appears in the expanded list. */

  if (seen_items)
    {
    const uschar *seen_items_list = seen_items;
    if (match_isinlist(dkim_signing_domain,
			&seen_items_list, 0, NULL, NULL, MCL_STRING, TRUE,
			NULL) == OK)
      continue;

    seen_items =
      string_append(seen_items, &seen_items_size, &seen_items_offset, 1, ":");
    }

  seen_items =
    string_append(seen_items, &seen_items_size, &seen_items_offset, 1,
		 dkim_signing_domain);
  seen_items[seen_items_offset] = '\0';

  /* Set up $dkim_selector expansion variable. */

  if (!(dkim_signing_selector = expand_string(dkim->dkim_selector)))
    {
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_selector: %s", expand_string_message);
    goto bad;
    }

  /* Get canonicalization to use */

  dkim_canon_expanded = dkim->dkim_canon
    ? expand_string(dkim->dkim_canon) : US"relaxed";
  if (!dkim_canon_expanded)
    {
    /* expansion error, do not send message. */
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_canon: %s", expand_string_message);
    goto bad;
    }

  if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
    pdkim_canon = PDKIM_CANON_RELAXED;
  else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
    pdkim_canon = PDKIM_CANON_SIMPLE;
  else
    {
    log_write(0, LOG_MAIN,
	       "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
	       dkim_canon_expanded);
    pdkim_canon = PDKIM_CANON_RELAXED;
    }

  dkim_sign_headers_expanded = NULL;
  if (dkim->dkim_sign_headers)
    if (!(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
      {
      log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
		 "dkim_sign_headers: %s", expand_string_message);
      goto bad;
      }
    			/* else pass NULL, which means default header list */

  /* Get private key to use. */

  if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
    {
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_private_key: %s", expand_string_message);
    goto bad;
    }

  if (  Ustrlen(dkim_private_key_expanded) == 0
     || Ustrcmp(dkim_private_key_expanded, "0") == 0
     || Ustrcmp(dkim_private_key_expanded, "false") == 0
     )
    continue;		/* don't sign, but no error */

  if (dkim_private_key_expanded[0] == '/')
    {
    int privkey_fd, off = 0, len;

    /* Looks like a filename, load the private key. */

    memset(big_buffer, 0, big_buffer_size);

    if ((privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY)) < 0)
      {
      log_write(0, LOG_MAIN | LOG_PANIC, "unable to open "
		 "private key file for reading: %s",
		 dkim_private_key_expanded);
      goto bad;
      }

    do
      {
      if ((len = read(privkey_fd, big_buffer + off, big_buffer_size - 2 - off)) < 0)
	{
	(void) close(privkey_fd);
	log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
		   dkim_private_key_expanded);
	goto bad;
	}
      off += len;
      }
    while (len > 0);

    (void) close(privkey_fd);
    big_buffer[off] = '\0';
    dkim_private_key_expanded = big_buffer;
    }

  if (!(ctx = pdkim_init_sign(CS dkim_signing_domain,
			CS dkim_signing_selector,
			CS dkim_private_key_expanded,
			PDKIM_ALGO_RSA_SHA256,
			dkim->dot_stuffed,
			&dkim_exim_query_dns_txt,
			errstr
			)))
    goto bad;
  dkim_private_key_expanded[0] = '\0';
  pdkim_set_optional(ctx,
		      CS dkim_sign_headers_expanded,
		      NULL,
		      pdkim_canon,
		      pdkim_canon, -1, 0, 0);

  lseek(dkim_fd, 0, SEEK_SET);

  while ((sread = read(dkim_fd, &buf, sizeof(buf))) > 0)
    if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK)
      goto pk_bad;

  /* Handle failed read above. */
  if (sread == -1)
    {
    debug_printf("DKIM: Error reading -K file.\n");
    save_errno = errno;
    goto bad;
    }

  if ((pdkim_rc = pdkim_feed_finish(ctx, &signature, errstr)) != PDKIM_OK)
    goto pk_bad;

  sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
			  US signature->signature_header, US"\r\n");

  pdkim_free_ctx(ctx);
  ctx = NULL;
  }

if (sigbuf)
  {
  sigbuf[sigptr] = '\0';
  rc = sigbuf;
  }
else
  rc = US"";

CLEANUP:
  if (ctx)
    pdkim_free_ctx(ctx);
  store_pool = old_pool;
  errno = save_errno;
  return rc;

pk_bad:
  log_write(0, LOG_MAIN|LOG_PANIC,
	       	"DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
bad:
  rc = NULL;
  goto CLEANUP;
}

#endif
Commit	Line	Data
80a47a2c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
d4e5e70b	5	/* Copyright (c) University of Cambridge, 1995 - 2017 */
80a47a2c TK	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Code for DKIM support. Other DKIM relevant code is in
	9	receive.c, transport.c and transports/smtp.c */
	10
	11	#include "exim.h"
	12
	13	#ifndef DISABLE_DKIM
	14
	15	#include "pdkim/pdkim.h"
	16
ca9cb170	17	int dkim_verify_oldpool;
1cfe5c1c	18	pdkim_ctx *dkim_verify_ctx = NULL;
80a47a2c	19	pdkim_signature *dkim_signatures = NULL;
1cfe5c1c	20	pdkim_signature *dkim_cur_sig = NULL;
b9df1829	21	static const uschar * dkim_collect_error = NULL;
80a47a2c	22
1cfe5c1c JH	23	static int
	24	dkim_exim_query_dns_txt(char name, char answer)
	25	{
	26	dns_answer dnsa;
	27	dns_scan dnss;
	28	dns_record *rr;
80a47a2c	29
1cfe5c1c JH	30	lookup_dnssec_authenticated = NULL;
1cfe5c1c JH	31	if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
f7302073	32	return PDKIM_FAIL; /XXX better error detail? logging? /
80a47a2c	33
1cfe5c1c	34	/* Search for TXT record */
80a47a2c	35
1cfe5c1c JH	36	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	37	rr;
	38	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
	39	if (rr->type == T_TXT)
	40	{
80a47a2c TK	41	int rr_offset = 0;
80a47a2c TK	42	int answer_offset = 0;
1cfe5c1c JH	43
	44	/* Copy record content to the answer buffer */
	45
	46	while (rr_offset < rr->size)
	47	{
	48	uschar len = rr->data[rr_offset++];
	49	snprintf(answer + answer_offset,
	50	PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
	51	"%.s", (int)len, (char ) (rr->data + rr_offset));
	52	rr_offset += len;
	53	answer_offset += len;
	54	if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
f7302073	55	return PDKIM_FAIL; /XXX better error detail? logging? /
4263f395	56	}
1cfe5c1c	57	return PDKIM_OK;
80a47a2c	58	}
80a47a2c	59
f7302073	60	return PDKIM_FAIL; /XXX better error detail? logging? /
80a47a2c TK	61	}
	62
	63
2592e6c0 JH	64	void
	65	dkim_exim_init(void)
	66	{
	67	pdkim_init();
	68	}
	69
	70
ca9cb170	71
1cfe5c1c	72	void
e983e85a	73	dkim_exim_verify_init(BOOL dot_stuffing)
1cfe5c1c	74	{
ca9cb170 JH	75	/* There is a store-reset between header & body reception
	76	so cannot use the main pool. Any allocs done by Exim
	77	memory-handling must use the perm pool. */
	78
	79	dkim_verify_oldpool = store_pool;
	80	store_pool = POOL_PERM;
	81
1cfe5c1c	82	/* Free previous context if there is one */
80a47a2c	83
1cfe5c1c JH	84	if (dkim_verify_ctx)
1cfe5c1c JH	85	pdkim_free_ctx(dkim_verify_ctx);
80a47a2c	86
1cfe5c1c	87	/* Create new context */
80a47a2c	88
e983e85a	89	dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
3b957582	90	dkim_collect_input = !!dkim_verify_ctx;
b9df1829	91	dkim_collect_error = NULL;
ca9cb170	92
584e96c6 JH	93	/* Start feed up with any cached data */
	94	receive_get_cache();
	95
ca9cb170	96	store_pool = dkim_verify_oldpool;
80a47a2c TK	97	}
	98
	99
1cfe5c1c JH	100	void
	101	dkim_exim_verify_feed(uschar * data, int len)
	102	{
f7302073 JH	103	int rc;
f7302073 JH	104
ca9cb170	105	store_pool = POOL_PERM;
1cfe5c1c	106	if ( dkim_collect_input
e983e85a	107	&& (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK)
f7302073	108	{
b9df1829	109	dkim_collect_error = pdkim_errstr(rc);
f7302073	110	log_write(0, LOG_MAIN,
b9df1829	111	"DKIM: validation error: %.100s", dkim_collect_error);
1cfe5c1c	112	dkim_collect_input = FALSE;
f7302073	113	}
ca9cb170	114	store_pool = dkim_verify_oldpool;
80a47a2c TK	115	}
	116
	117
1cfe5c1c JH	118	void
	119	dkim_exim_verify_finish(void)
	120	{
41468ba1	121	pdkim_signature * sig = NULL;
b9df1829 JH	122	int dkim_signers_size = 0, dkim_signers_ptr = 0, rc;
b9df1829 JH	123	const uschar * errstr;
1cfe5c1c	124
ca9cb170 JH	125	store_pool = POOL_PERM;
ca9cb170 JH	126
1cfe5c1c JH	127	/* Delete eventual previous signature chain */
1cfe5c1c JH	128
41468ba1	129	dkim_signers = NULL;
1cfe5c1c JH	130	dkim_signatures = NULL;
1cfe5c1c JH	131
bd8fbe36	132	if (dkim_collect_error)
1cfe5c1c JH	133	{
1cfe5c1c JH	134	log_write(0, LOG_MAIN,
b9df1829 JH	135	"DKIM: Error during validation, disabling signature verification: %.100s",
b9df1829 JH	136	dkim_collect_error);
1cfe5c1c	137	dkim_disable_verify = TRUE;
ca9cb170	138	goto out;
1cfe5c1c	139	}
80a47a2c	140
1cfe5c1c	141	dkim_collect_input = FALSE;
80a47a2c	142
1cfe5c1c	143	/* Finish DKIM operation and fetch link to signatures chain */
80a47a2c	144
b9df1829 JH	145	rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
b9df1829 JH	146	if (rc != PDKIM_OK)
f7302073	147	{
b9df1829 JH	148	log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
b9df1829 JH	149	errstr ? ": " : "", errstr ? errstr : US"");
ca9cb170	150	goto out;
f7302073	151	}
1cfe5c1c JH	152
	153	for (sig = dkim_signatures; sig; sig = sig->next)
	154	{
41468ba1 JH	155	int size = 0, ptr = 0;
41468ba1 JH	156	uschar * logmsg = NULL, * s;
1cfe5c1c JH	157
	158	/* Log a line for each signature */
	159
41468ba1 JH	160	if (!(s = sig->domain)) s = US"<UNSET>";
	161	logmsg = string_append(logmsg, &size, &ptr, 2, "d=", s);
	162	if (!(s = sig->selector)) s = US"<UNSET>";
	163	logmsg = string_append(logmsg, &size, &ptr, 2, " s=", s);
	164	logmsg = string_append(logmsg, &size, &ptr, 7,
	165	" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	166	"/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	167	" a=", sig->algo == PDKIM_ALGO_RSA_SHA256
	168	? "rsa-sha256"
	169	: sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
	170	string_sprintf(" b=%d",
	171	(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
	172	if ((s= sig->identity)) string_append(logmsg, &size, &ptr, 2, " i=", s);
	173	if (sig->created > 0) string_append(logmsg, &size, &ptr, 1,
	174	string_sprintf(" t=%lu", sig->created));
	175	if (sig->expires > 0) string_append(logmsg, &size, &ptr, 1,
	176	string_sprintf(" x=%lu", sig->expires));
	177	if (sig->bodylength > -1) string_append(logmsg, &size, &ptr, 1,
	178	string_sprintf(" l=%lu", sig->bodylength));
1cfe5c1c JH	179
	180	switch (sig->verify_status)
	181	{
	182	case PDKIM_VERIFY_NONE:
41468ba1	183	logmsg = string_append(logmsg, &size, &ptr, 1, " [not verified]");
80a47a2c	184	break;
1cfe5c1c JH	185
1cfe5c1c JH	186	case PDKIM_VERIFY_INVALID:
41468ba1	187	logmsg = string_append(logmsg, &size, &ptr, 1, " [invalid - ");
1cfe5c1c JH	188	switch (sig->verify_ext_status)
	189	{
	190	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	191	logmsg = string_append(logmsg, &size, &ptr, 1,
	192	"public key record (currently?) unavailable]");
	193	break;
	194
	195	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
	196	logmsg = string_append(logmsg, &size, &ptr, 1,
	197	"overlong public key record]");
	198	break;
	199
df3def24 JH	200	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
df3def24 JH	201	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
1cfe5c1c JH	202	logmsg = string_append(logmsg, &size, &ptr, 1,
	203	"syntax error in public key record]");
	204	break;
07eeb4df	205
	206	case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
	207	logmsg = string_append(logmsg, &size, &ptr, 1,
	208	"signature tag missing or invalid]");
	209	break;
	210
	211	case PDKIM_VERIFY_INVALID_DKIM_VERSION:
	212	logmsg = string_append(logmsg, &size, &ptr, 1,
	213	"unsupported DKIM version]");
	214	break;
1cfe5c1c JH	215
	216	default:
	217	logmsg = string_append(logmsg, &size, &ptr, 1,
	218	"unspecified problem]");
	219	}
80a47a2c	220	break;
1cfe5c1c JH	221
	222	case PDKIM_VERIFY_FAIL:
	223	logmsg =
41468ba1	224	string_append(logmsg, &size, &ptr, 1, " [verification failed - ");
1cfe5c1c JH	225	switch (sig->verify_ext_status)
	226	{
	227	case PDKIM_VERIFY_FAIL_BODY:
	228	logmsg = string_append(logmsg, &size, &ptr, 1,
	229	"body hash mismatch (body probably modified in transit)]");
	230	break;
	231
	232	case PDKIM_VERIFY_FAIL_MESSAGE:
	233	logmsg = string_append(logmsg, &size, &ptr, 1,
	234	"signature did not verify (headers probably modified in transit)]");
	235	break;
	236
	237	default:
	238	logmsg = string_append(logmsg, &size, &ptr, 1, "unspecified reason]");
	239	}
80a47a2c	240	break;
1cfe5c1c JH	241
	242	case PDKIM_VERIFY_PASS:
	243	logmsg =
41468ba1	244	string_append(logmsg, &size, &ptr, 1, " [verification succeeded]");
80a47a2c TK	245	break;
	246	}
	247
1cfe5c1c JH	248	logmsg[ptr] = '\0';
1cfe5c1c JH	249	log_write(0, LOG_MAIN, "DKIM: %s", logmsg);
80a47a2c	250
1cfe5c1c JH	251	/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
1cfe5c1c JH	252
41468ba1 JH	253	if (sig->domain)
41468ba1 JH	254	dkim_signers = string_append_listele(dkim_signers, ':', sig->domain);
1cfe5c1c JH	255
1cfe5c1c JH	256	if (sig->identity)
41468ba1	257	dkim_signers = string_append_listele(dkim_signers, ':', sig->identity);
80a47a2c	258
1cfe5c1c	259	/* Process next signature */
80a47a2c TK	260	}
80a47a2c TK	261
ca9cb170 JH	262	out:
ca9cb170 JH	263	store_pool = dkim_verify_oldpool;
80a47a2c TK	264	}
	265
	266
1cfe5c1c JH	267	void
	268	dkim_exim_acl_setup(uschar * id)
	269	{
	270	pdkim_signature * sig;
	271	uschar * cmp_val;
	272
1cfe5c1c JH	273	dkim_cur_sig = NULL;
	274	dkim_cur_signer = id;
	275
	276	if (dkim_disable_verify \|\| !id \|\| !dkim_verify_ctx)
	277	return;
	278
	279	/* Find signature to run ACL on */
	280
	281	for (sig = dkim_signatures; sig; sig = sig->next)
	282	if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
	283	&& strcmpic(cmp_val, id) == 0
	284	)
	285	{
	286	dkim_cur_sig = sig;
	287
	288	/* The "dkim_domain" and "dkim_selector" expansion variables have
	289	related globals, since they are used in the signing code too.
	290	Instead of inventing separate names for verification, we set
	291	them here. This is easy since a domain and selector is guaranteed
	292	to be in a signature. The other dkim_* expansion items are
	293	dynamically fetched from dkim_cur_sig at expansion time (see
	294	function below). */
	295
	296	dkim_signing_domain = US sig->domain;
	297	dkim_signing_selector = US sig->selector;
dcd03763	298	dkim_key_length = sig->sighash.len * 8;
1cfe5c1c	299	return;
80a47a2c	300	}
80a47a2c TK	301	}
	302
	303
1cfe5c1c JH	304	static uschar *
	305	dkim_exim_expand_defaults(int what)
	306	{
	307	switch (what)
	308	{
	309	case DKIM_ALGO: return US"";
	310	case DKIM_BODYLENGTH: return US"9999999999999";
	311	case DKIM_CANON_BODY: return US"";
	312	case DKIM_CANON_HEADERS: return US"";
	313	case DKIM_COPIEDHEADERS: return US"";
	314	case DKIM_CREATED: return US"0";
	315	case DKIM_EXPIRES: return US"9999999999999";
	316	case DKIM_HEADERNAMES: return US"";
	317	case DKIM_IDENTITY: return US"";
	318	case DKIM_KEY_GRANULARITY: return US"*";
	319	case DKIM_KEY_SRVTYPE: return US"*";
	320	case DKIM_KEY_NOTES: return US"";
	321	case DKIM_KEY_TESTING: return US"0";
	322	case DKIM_NOSUBDOMAINS: return US"0";
	323	case DKIM_VERIFY_STATUS: return US"none";
	324	case DKIM_VERIFY_REASON: return US"";
	325	default: return US"";
	326	}
	327	}
80a47a2c	328
80a47a2c	329
1cfe5c1c JH	330	uschar *
	331	dkim_exim_expand_query(int what)
	332	{
	333	if (!dkim_verify_ctx \|\| dkim_disable_verify \|\| !dkim_cur_sig)
	334	return dkim_exim_expand_defaults(what);
	335
	336	switch (what)
	337	{
	338	case DKIM_ALGO:
	339	switch (dkim_cur_sig->algo)
	340	{
	341	case PDKIM_ALGO_RSA_SHA1: return US"rsa-sha1";
	342	case PDKIM_ALGO_RSA_SHA256:
	343	default: return US"rsa-sha256";
da5dfc3a	344	}
1cfe5c1c JH	345
	346	case DKIM_BODYLENGTH:
	347	return dkim_cur_sig->bodylength >= 0
	348	? string_sprintf(OFF_T_FMT, (LONGLONG_T) dkim_cur_sig->bodylength)
	349	: dkim_exim_expand_defaults(what);
	350
	351	case DKIM_CANON_BODY:
	352	switch (dkim_cur_sig->canon_body)
	353	{
	354	case PDKIM_CANON_RELAXED: return US"relaxed";
	355	case PDKIM_CANON_SIMPLE:
	356	default: return US"simple";
80a47a2c	357	}
1cfe5c1c JH	358
	359	case DKIM_CANON_HEADERS:
	360	switch (dkim_cur_sig->canon_headers)
	361	{
	362	case PDKIM_CANON_RELAXED: return US"relaxed";
	363	case PDKIM_CANON_SIMPLE:
	364	default: return US"simple";
	365	}
	366
	367	case DKIM_COPIEDHEADERS:
	368	return dkim_cur_sig->copiedheaders
	369	? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
	370
	371	case DKIM_CREATED:
	372	return dkim_cur_sig->created > 0
	373	? string_sprintf("%llu", dkim_cur_sig->created)
	374	: dkim_exim_expand_defaults(what);
	375
	376	case DKIM_EXPIRES:
	377	return dkim_cur_sig->expires > 0
	378	? string_sprintf("%llu", dkim_cur_sig->expires)
	379	: dkim_exim_expand_defaults(what);
	380
	381	case DKIM_HEADERNAMES:
	382	return dkim_cur_sig->headernames
2592e6c0	383	? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
1cfe5c1c JH	384
	385	case DKIM_IDENTITY:
	386	return dkim_cur_sig->identity
	387	? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
	388
	389	case DKIM_KEY_GRANULARITY:
	390	return dkim_cur_sig->pubkey
	391	? dkim_cur_sig->pubkey->granularity
	392	? US dkim_cur_sig->pubkey->granularity
	393	: dkim_exim_expand_defaults(what)
	394	: dkim_exim_expand_defaults(what);
	395
	396	case DKIM_KEY_SRVTYPE:
	397	return dkim_cur_sig->pubkey
	398	? dkim_cur_sig->pubkey->srvtype
	399	? US dkim_cur_sig->pubkey->srvtype
	400	: dkim_exim_expand_defaults(what)
	401	: dkim_exim_expand_defaults(what);
	402
	403	case DKIM_KEY_NOTES:
	404	return dkim_cur_sig->pubkey
	405	? dkim_cur_sig->pubkey->notes
	406	? US dkim_cur_sig->pubkey->notes
	407	: dkim_exim_expand_defaults(what)
	408	: dkim_exim_expand_defaults(what);
	409
	410	case DKIM_KEY_TESTING:
	411	return dkim_cur_sig->pubkey
	412	? dkim_cur_sig->pubkey->testing
	413	? US"1"
	414	: dkim_exim_expand_defaults(what)
	415	: dkim_exim_expand_defaults(what);
	416
	417	case DKIM_NOSUBDOMAINS:
	418	return dkim_cur_sig->pubkey
	419	? dkim_cur_sig->pubkey->no_subdomaining
	420	? US"1"
	421	: dkim_exim_expand_defaults(what)
	422	: dkim_exim_expand_defaults(what);
	423
	424	case DKIM_VERIFY_STATUS:
	425	switch (dkim_cur_sig->verify_status)
	426	{
	427	case PDKIM_VERIFY_INVALID: return US"invalid";
	428	case PDKIM_VERIFY_FAIL: return US"fail";
	429	case PDKIM_VERIFY_PASS: return US"pass";
	430	case PDKIM_VERIFY_NONE:
	431	default: return US"none";
80a47a2c	432	}
80a47a2c	433
1cfe5c1c JH	434	case DKIM_VERIFY_REASON:
	435	switch (dkim_cur_sig->verify_ext_status)
	436	{
	437	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	438	return US"pubkey_unavailable";
df3def24 JH	439	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
df3def24 JH	440	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return US"pubkey_der_syntax";
1cfe5c1c JH	441	case PDKIM_VERIFY_FAIL_BODY: return US"bodyhash_mismatch";
	442	case PDKIM_VERIFY_FAIL_MESSAGE: return US"signature_incorrect";
	443	}
80a47a2c	444
1cfe5c1c JH	445	default:
1cfe5c1c JH	446	return US"";
80a47a2c TK	447	}
	448	}
	449
	450
55414b25	451	uschar *
b9df1829	452	dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim, const uschar ** errstr)
55414b25	453	{
e983e85a	454	const uschar * dkim_domain;
1cfe5c1c JH	455	int sep = 0;
	456	uschar *seen_items = NULL;
	457	int seen_items_size = 0;
	458	int seen_items_offset = 0;
	459	uschar itembuf[256];
	460	uschar *dkim_canon_expanded;
	461	uschar *dkim_sign_headers_expanded;
	462	uschar *dkim_private_key_expanded;
	463	pdkim_ctx *ctx = NULL;
	464	uschar *rc = NULL;
	465	uschar *sigbuf = NULL;
	466	int sigsize = 0;
	467	int sigptr = 0;
	468	pdkim_signature *signature;
	469	int pdkim_canon;
	470	int pdkim_rc;
	471	int sread;
	472	char buf[4096];
	473	int save_errno = 0;
	474	int old_pool = store_pool;
	475
	476	store_pool = POOL_MAIN;
	477
e983e85a	478	if (!(dkim_domain = expand_cstring(dkim->dkim_domain)))
1cfe5c1c JH	479	{
	480	/* expansion error, do not send message. */
	481	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	482	"dkim_domain: %s", expand_string_message);
f7302073	483	goto bad;
1cfe5c1c JH	484	}
	485
	486	/* Set $dkim_domain expansion variable to each unique domain in list. */
	487
	488	while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
	489	itembuf, sizeof(itembuf))))
	490	{
	491	if (!dkim_signing_domain \|\| dkim_signing_domain[0] == '\0')
	492	continue;
	493
	494	/* Only sign once for each domain, no matter how often it
	495	appears in the expanded list. */
	496
	497	if (seen_items)
	498	{
	499	const uschar *seen_items_list = seen_items;
	500	if (match_isinlist(dkim_signing_domain,
	501	&seen_items_list, 0, NULL, NULL, MCL_STRING, TRUE,
	502	NULL) == OK)
	503	continue;
	504
	505	seen_items =
	506	string_append(seen_items, &seen_items_size, &seen_items_offset, 1, ":");
	507	}
	508
	509	seen_items =
	510	string_append(seen_items, &seen_items_size, &seen_items_offset, 1,
	511	dkim_signing_domain);
	512	seen_items[seen_items_offset] = '\0';
	513
	514	/* Set up $dkim_selector expansion variable. */
	515
e983e85a	516	if (!(dkim_signing_selector = expand_string(dkim->dkim_selector)))
1cfe5c1c JH	517	{
	518	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	519	"dkim_selector: %s", expand_string_message);
f7302073	520	goto bad;
1cfe5c1c JH	521	}
	522
	523	/* Get canonicalization to use */
	524
e983e85a JH	525	dkim_canon_expanded = dkim->dkim_canon
e983e85a JH	526	? expand_string(dkim->dkim_canon) : US"relaxed";
1cfe5c1c JH	527	if (!dkim_canon_expanded)
1cfe5c1c JH	528	{
80a47a2c	529	/* expansion error, do not send message. */
1cfe5c1c JH	530	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
1cfe5c1c JH	531	"dkim_canon: %s", expand_string_message);
f7302073	532	goto bad;
1cfe5c1c	533	}
80a47a2c	534
1cfe5c1c JH	535	if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
	536	pdkim_canon = PDKIM_CANON_RELAXED;
	537	else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
	538	pdkim_canon = PDKIM_CANON_SIMPLE;
	539	else
	540	{
	541	log_write(0, LOG_MAIN,
	542	"DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
	543	dkim_canon_expanded);
	544	pdkim_canon = PDKIM_CANON_RELAXED;
a8e1eeba	545	}
1cfe5c1c JH	546
1cfe5c1c JH	547	dkim_sign_headers_expanded = NULL;
e983e85a JH	548	if (dkim->dkim_sign_headers)
e983e85a JH	549	if (!(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
1cfe5c1c JH	550	{
	551	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	552	"dkim_sign_headers: %s", expand_string_message);
f7302073	553	goto bad;
1cfe5c1c JH	554	}
	555	/* else pass NULL, which means default header list */
	556
	557	/* Get private key to use. */
	558
e983e85a	559	if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
1cfe5c1c JH	560	{
	561	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	562	"dkim_private_key: %s", expand_string_message);
f7302073	563	goto bad;
a8e1eeba	564	}
80a47a2c	565
1cfe5c1c JH	566	if ( Ustrlen(dkim_private_key_expanded) == 0
	567	\|\| Ustrcmp(dkim_private_key_expanded, "0") == 0
	568	\|\| Ustrcmp(dkim_private_key_expanded, "false") == 0
	569	)
	570	continue; /* don't sign, but no error */
	571
	572	if (dkim_private_key_expanded[0] == '/')
	573	{
59d98039	574	int privkey_fd, off = 0, len;
1cfe5c1c JH	575
	576	/* Looks like a filename, load the private key. */
	577
	578	memset(big_buffer, 0, big_buffer_size);
e983e85a JH	579
e983e85a JH	580	if ((privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY)) < 0)
1cfe5c1c JH	581	{
	582	log_write(0, LOG_MAIN \| LOG_PANIC, "unable to open "
	583	"private key file for reading: %s",
	584	dkim_private_key_expanded);
f7302073	585	goto bad;
db4d0902	586	}
80a47a2c	587
59d98039	588	do
1cfe5c1c	589	{
59d98039 JH	590	if ((len = read(privkey_fd, big_buffer + off, big_buffer_size - 2 - off)) < 0)
	591	{
	592	(void) close(privkey_fd);
	593	log_write(0, LOG_MAIN\|LOG_PANIC, "unable to read private key file: %s",
	594	dkim_private_key_expanded);
	595	goto bad;
	596	}
	597	off += len;
1ac6b2e7	598	}
59d98039	599	while (len > 0);
80a47a2c	600
1cfe5c1c	601	(void) close(privkey_fd);
59d98039	602	big_buffer[off] = '\0';
1cfe5c1c	603	dkim_private_key_expanded = big_buffer;
a8e1eeba	604	}
1cfe5c1c	605
b9df1829	606	if (!(ctx = pdkim_init_sign(CS dkim_signing_domain,
cd1a5fe0 JH	607	CS dkim_signing_selector,
	608	CS dkim_private_key_expanded,
	609	PDKIM_ALGO_RSA_SHA256,
	610	dkim->dot_stuffed,
b9df1829 JH	611	&dkim_exim_query_dns_txt,
	612	errstr
	613	)))
	614	goto bad;
87cb4a16	615	dkim_private_key_expanded[0] = '\0';
1cfe5c1c	616	pdkim_set_optional(ctx,
e983e85a	617	CS dkim_sign_headers_expanded,
1cfe5c1c JH	618	NULL,
1cfe5c1c JH	619	pdkim_canon,
f444c2c7	620	pdkim_canon, -1, 0, 0);
1cfe5c1c JH	621
	622	lseek(dkim_fd, 0, SEEK_SET);
	623
e983e85a	624	while ((sread = read(dkim_fd, &buf, sizeof(buf))) > 0)
f7302073 JH	625	if ((pdkim_rc = pdkim_feed(ctx, buf, sread)) != PDKIM_OK)
f7302073 JH	626	goto pk_bad;
1cfe5c1c JH	627
	628	/* Handle failed read above. */
	629	if (sread == -1)
	630	{
	631	debug_printf("DKIM: Error reading -K file.\n");
	632	save_errno = errno;
f7302073	633	goto bad;
80a47a2c	634	}
80a47a2c	635
b9df1829	636	if ((pdkim_rc = pdkim_feed_finish(ctx, &signature, errstr)) != PDKIM_OK)
f7302073	637	goto pk_bad;
80a47a2c	638
1cfe5c1c JH	639	sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
1cfe5c1c JH	640	US signature->signature_header, US"\r\n");
80a47a2c	641
1cfe5c1c JH	642	pdkim_free_ctx(ctx);
1cfe5c1c JH	643	ctx = NULL;
80a47a2c	644	}
a8e1eeba	645
1cfe5c1c JH	646	if (sigbuf)
	647	{
	648	sigbuf[sigptr] = '\0';
	649	rc = sigbuf;
	650	}
	651	else
	652	rc = US"";
	653
	654	CLEANUP:
f7302073 JH	655	if (ctx)
	656	pdkim_free_ctx(ctx);
	657	store_pool = old_pool;
	658	errno = save_errno;
	659	return rc;
	660
	661	pk_bad:
	662	log_write(0, LOG_MAIN\|LOG_PANIC,
	663	"DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
	664	bad:
	665	rc = NULL;
	666	goto CLEANUP;
93f2d376	667	}
80a47a2c TK	668
80a47a2c TK	669	#endif