X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fdkim.c;h=031372720c4e950d57594349453209e3656624e9;hb=d34c22b8288153f147af068d4c14ed8fcc8b9692;hp=a0becd45be9d64ab1a6b51c81e919a27c75d0229;hpb=db3f7b6972f3b003c0413b78afcfbe295ffe0b97;p=exim.git diff --git a/src/src/dkim.c b/src/src/dkim.c index a0becd45b..031372720 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -21,6 +21,7 @@ void params_dkim(void) { builtin_macro_create_var(US"_DKIM_SIGN_HEADERS", US PDKIM_DEFAULT_SIGN_HEADERS); +builtin_macro_create_var(US"_DKIM_OVERSIGN_HEADERS", US PDKIM_OVERSIGN_HEADERS); } # else /*!MACRO_PREDEF*/ @@ -37,25 +38,28 @@ static const uschar * dkim_collect_error = NULL; -/*XXX the caller only uses the first record if we return multiple. +/* Look up the DKIM record in DNS for the given hostname. +Will use the first found if there are multiple. +The return string is tainted, having come from off-site. */ uschar * -dkim_exim_query_dns_txt(uschar * name) +dkim_exim_query_dns_txt(const uschar * name) { -dns_answer dnsa; +dns_answer * dnsa = store_get_dns_answer(); dns_scan dnss; +rmark reset_point = store_mark(); gstring * g = NULL; lookup_dnssec_authenticated = NULL; -if (dns_lookup(&dnsa, name, T_TXT, NULL) != DNS_SUCCEED) +if (dns_lookup(dnsa, name, T_TXT, NULL) != DNS_SUCCEED) return NULL; /*XXX better error detail? logging? */ /* Search for TXT record */ -for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); +for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; - rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TXT) { int rr_offset = 0; @@ -76,7 +80,7 @@ for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); /* check if this looks like a DKIM record */ if (Ustrncmp(g->s, "v=", 2) != 0 || strncasecmp(CS g->s, "v=dkim", 6) == 0) { - gstring_reset_unused(g); + gstring_release_unused(g); return string_from_gstring(g); } @@ -84,7 +88,7 @@ for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); } bad: -if (g) store_reset(g); +store_reset(reset_point); return NULL; /*XXX better error detail? logging? */ } @@ -92,6 +96,8 @@ return NULL; /*XXX better error detail? logging? */ void dkim_exim_init(void) { +if (f.dkim_init_done) return; +f.dkim_init_done = TRUE; pdkim_init(); } @@ -100,6 +106,8 @@ pdkim_init(); void dkim_exim_verify_init(BOOL dot_stuffing) { +dkim_exim_init(); + /* There is a store-reset between header & body reception so cannot use the main pool. Any allocs done by Exim memory-handling must use the perm pool. */ @@ -566,6 +574,8 @@ void dkim_exim_sign_init(void) { int old_pool = store_pool; + +dkim_exim_init(); store_pool = POOL_MAIN; pdkim_init_context(&dkim_sign_ctx, FALSE, &dkim_exim_query_dns_txt); store_pool = old_pool; @@ -620,6 +630,7 @@ if (dkim_domain) /* Only sign once for each domain, no matter how often it appears in the expanded list. */ + dkim_signing_domain = string_copylc(dkim_signing_domain); if (match_isinlist(dkim_signing_domain, CUSS &seen_doms, 0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK) continue; @@ -779,14 +790,15 @@ CLEANUP: pk_bad: log_write(0, LOG_MAIN|LOG_PANIC, - "DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc)); + "DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc)); bad: sigbuf = NULL; goto CLEANUP; expand_bad: - log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand %s: %s", - errwhen, expand_string_message); + *errstr = string_sprintf("failed to expand %s: %s", + errwhen, expand_string_message); + log_write(0, LOG_MAIN | LOG_PANIC, "%s", *errstr); goto bad; }