X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;ds=sidebyside;f=src%2Fsrc%2Fdkim.c;h=f510214439b23605335945a27a40911ade2da981;hb=59d9803955886f56f67e3ceff5632b704e4c5548;hp=a2574c15b7e9b59e80a72b723642ff0ef35208d3;hpb=cd1a5fe0ed22087c6afbe585ab0206c2a4a267aa;p=exim.git

diff --git a/src/src/dkim.c b/src/src/dkim.c
index a2574c15b..f51021443 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -2,7 +2,7 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge, 1995 - 2016 */
+/* Copyright (c) University of Cambridge, 1995 - 2017 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Code for DKIM support. Other DKIM relevant code is in
@@ -18,6 +18,7 @@ int dkim_verify_oldpool;
 pdkim_ctx *dkim_verify_ctx = NULL;
 pdkim_signature *dkim_signatures = NULL;
 pdkim_signature *dkim_cur_sig = NULL;
+static const uschar * dkim_collect_error = NULL;
 
 static int
 dkim_exim_query_dns_txt(char *name, char *answer)
@@ -87,6 +88,7 @@ if (dkim_verify_ctx)
 
 dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
 dkim_collect_input = !!dkim_verify_ctx;
+dkim_collect_error = NULL;
 
 /* Start feed up with any cached data */
 receive_get_cache();
@@ -104,8 +106,9 @@ store_pool = POOL_PERM;
 if (  dkim_collect_input
    && (rc = pdkim_feed(dkim_verify_ctx, CS data, len)) != PDKIM_OK)
   {
+  dkim_collect_error = pdkim_errstr(rc);
   log_write(0, LOG_MAIN,
-	     "DKIM: validation error: %.100s", pdkim_errstr(rc));
+	     "DKIM: validation error: %.100s", dkim_collect_error);
   dkim_collect_input = FALSE;
   }
 store_pool = dkim_verify_oldpool;
@@ -115,27 +118,22 @@ store_pool = dkim_verify_oldpool;
 void
 dkim_exim_verify_finish(void)
 {
-pdkim_signature *sig = NULL;
-int dkim_signers_size = 0;
-int dkim_signers_ptr = 0;
-dkim_signers = NULL;
-int rc;
+pdkim_signature * sig = NULL;
+int dkim_signers_size = 0, dkim_signers_ptr = 0, rc;
+const uschar * errstr;
 
 store_pool = POOL_PERM;
 
 /* Delete eventual previous signature chain */
 
+dkim_signers = NULL;
 dkim_signatures = NULL;
 
-/* If we have arrived here with dkim_collect_input == FALSE, it
-means there was a processing error somewhere along the way.
-Log the incident and disable futher verification. */
-
-if (!dkim_collect_input)
+if (dkim_collect_error)
   {
   log_write(0, LOG_MAIN,
-	     "DKIM: Error while running this message through validation,"
-	     " disabling signature verification.");
+      "DKIM: Error during validation, disabling signature verification: %.100s",
+      dkim_collect_error);
   dkim_disable_verify = TRUE;
   goto out;
   }
@@ -144,46 +142,49 @@ dkim_collect_input = FALSE;
 
 /* Finish DKIM operation and fetch link to signatures chain */
 
-if ((rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures)) != PDKIM_OK)
+rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
+if (rc != PDKIM_OK)
   {
-  log_write(0, LOG_MAIN,
-	     "DKIM: validation error: %.100s", pdkim_errstr(rc));
+  log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
+	    errstr ? ": " : "", errstr ? errstr : US"");
   goto out;
   }
 
 for (sig = dkim_signatures; sig; sig = sig->next)
   {
-  int size = 0;
-  int ptr = 0;
+  int size = 0, ptr = 0;
+  uschar * logmsg = NULL, * s;
 
   /* Log a line for each signature */
 
-  uschar *logmsg = string_append(NULL, &size, &ptr, 5,
-	string_sprintf("d=%s s=%s c=%s/%s a=%s b=%d ",
-	      sig->domain,
-	      sig->selector,
-	      sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-	      sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-	      sig->algo == PDKIM_ALGO_RSA_SHA256
-	      ? "rsa-sha256"
-	      : sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
-	      (int)sig->sigdata.len > -1 ? sig->sigdata.len * 8 : 0
-	      ),
-
-	sig->identity ? string_sprintf("i=%s ", sig->identity) : US"",
-	sig->created > 0 ? string_sprintf("t=%lu ", sig->created) : US"",
-	sig->expires > 0 ? string_sprintf("x=%lu ", sig->expires) : US"",
-	sig->bodylength > -1 ? string_sprintf("l=%lu ", sig->bodylength) : US""
-	);
+  if (!(s = sig->domain)) s = US"<UNSET>";
+  logmsg = string_append(logmsg, &size, &ptr, 2, "d=", s);
+  if (!(s = sig->selector)) s = US"<UNSET>";
+  logmsg = string_append(logmsg, &size, &ptr, 2, " s=", s);
+  logmsg = string_append(logmsg, &size, &ptr, 7, 
+	" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+	"/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+	" a=", sig->algo == PDKIM_ALGO_RSA_SHA256
+		? "rsa-sha256"
+		: sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
+	string_sprintf(" b=%d",
+			(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
+  if ((s= sig->identity)) string_append(logmsg, &size, &ptr, 2, " i=", s);
+  if (sig->created > 0) string_append(logmsg, &size, &ptr, 1,
+				      string_sprintf(" t=%lu", sig->created));
+  if (sig->expires > 0) string_append(logmsg, &size, &ptr, 1,
+				      string_sprintf(" x=%lu", sig->expires));
+  if (sig->bodylength > -1) string_append(logmsg, &size, &ptr, 1,
+				      string_sprintf(" l=%lu", sig->bodylength));
 
   switch (sig->verify_status)
     {
     case PDKIM_VERIFY_NONE:
-      logmsg = string_append(logmsg, &size, &ptr, 1, "[not verified]");
+      logmsg = string_append(logmsg, &size, &ptr, 1, " [not verified]");
       break;
 
     case PDKIM_VERIFY_INVALID:
-      logmsg = string_append(logmsg, &size, &ptr, 1, "[invalid - ");
+      logmsg = string_append(logmsg, &size, &ptr, 1, " [invalid - ");
       switch (sig->verify_ext_status)
 	{
 	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
@@ -220,7 +221,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 
     case PDKIM_VERIFY_FAIL:
       logmsg =
-	string_append(logmsg, &size, &ptr, 1, "[verification failed - ");
+	string_append(logmsg, &size, &ptr, 1, " [verification failed - ");
       switch (sig->verify_ext_status)
 	{
 	case PDKIM_VERIFY_FAIL_BODY:
@@ -240,7 +241,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 
     case PDKIM_VERIFY_PASS:
       logmsg =
-	string_append(logmsg, &size, &ptr, 1, "[verification succeeded]");
+	string_append(logmsg, &size, &ptr, 1, " [verification succeeded]");
       break;
     }
 
@@ -249,27 +250,15 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 
   /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
 
-  dkim_signers = string_append(dkim_signers,
-				&dkim_signers_size,
-				&dkim_signers_ptr, 2, sig->domain, ":");
+  if (sig->domain)
+    dkim_signers = string_append_listele(dkim_signers, ':', sig->domain);
 
   if (sig->identity)
-    dkim_signers = string_append(dkim_signers,
-				  &dkim_signers_size,
-				  &dkim_signers_ptr, 2, sig->identity, ":");
+    dkim_signers = string_append_listele(dkim_signers, ':', sig->identity);
 
   /* Process next signature */
   }
 
-/* NULL-terminate and chop the last colon from the domain list */
-
-if (dkim_signers)
-  {
-  dkim_signers[dkim_signers_ptr] = '\0';
-  if (Ustrlen(dkim_signers) > 0)
-  dkim_signers[Ustrlen(dkim_signers) - 1] = '\0';
-  }
-
 out:
 store_pool = dkim_verify_oldpool;
 }
@@ -306,7 +295,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
 
     dkim_signing_domain = US sig->domain;
     dkim_signing_selector = US sig->selector;
-    dkim_key_length = sig->sigdata.len * 8;
+    dkim_key_length = sig->sighash.len * 8;
     return;
     }
 }
@@ -460,7 +449,7 @@ switch (what)
 
 
 uschar *
-dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim)
+dkim_exim_sign(int dkim_fd, struct ob_dkim * dkim, const uschar ** errstr)
 {
 const uschar * dkim_domain;
 int sep = 0;
@@ -582,7 +571,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
 
   if (dkim_private_key_expanded[0] == '/')
     {
-    int privkey_fd = 0;
+    int privkey_fd, off = 0, len;
 
     /* Looks like a filename, load the private key. */
 
@@ -596,24 +585,33 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
       goto bad;
       }
 
-    if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
+    do
       {
-      log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
-		 dkim_private_key_expanded);
-      goto bad;
+      if ((len = read(privkey_fd, big_buffer + off, big_buffer_size - 2 - off)) < 0)
+	{
+	(void) close(privkey_fd);
+	log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
+		   dkim_private_key_expanded);
+	goto bad;
+	}
+      off += len;
       }
+    while (len > 0);
 
     (void) close(privkey_fd);
+    big_buffer[off] = '\0';
     dkim_private_key_expanded = big_buffer;
     }
 
-  ctx = pdkim_init_sign(CS dkim_signing_domain,
+  if (!(ctx = pdkim_init_sign(CS dkim_signing_domain,
 			CS dkim_signing_selector,
 			CS dkim_private_key_expanded,
 			PDKIM_ALGO_RSA_SHA256,
 			dkim->dot_stuffed,
-			&dkim_exim_query_dns_txt
-			);
+			&dkim_exim_query_dns_txt,
+			errstr
+			)))
+    goto bad;
   dkim_private_key_expanded[0] = '\0';
   pdkim_set_optional(ctx,
 		      CS dkim_sign_headers_expanded,
@@ -635,7 +633,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
     goto bad;
     }
 
-  if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
+  if ((pdkim_rc = pdkim_feed_finish(ctx, &signature, errstr)) != PDKIM_OK)
     goto pk_bad;
 
   sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,