From 0b8f4f1a0c68bd48a98fb033039bac7d88182b6f Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 7 Jan 2018 15:03:25 +0000 Subject: [PATCH] DKIM: permit dkim_private_key to override dkim_strict on signing. Bug 2220 --- doc/doc-docbook/spec.xfpt | 7 ++++--- src/src/dkim.c | 19 ++++++++++++++----- test/confs/4520 | 3 +++ test/log/4520 | 8 ++++++++ test/scripts/4500-DKIM/4520 | 7 +++++++ test/stderr/4507 | 4 +++- 6 files changed, 39 insertions(+), 9 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index aa6da73d3..b6d283b95 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -38579,7 +38579,8 @@ The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn is put into the &%$dkim_domain%& expansion variable while expanding the remaining signing options. -If it is empty after expansion, DKIM signing is not done. +If it is empty after expansion, DKIM signing is not done, +and no error will result even if &%dkim_strict%& is set. .option dkim_selector smtp string list&!! unset This sets the key selector string. @@ -38587,7 +38588,8 @@ After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion variable &%$dkim_selector%& which may be used in the &%dkim_private_key%& option along with &%$dkim_domain%&. -If the option is empty after expansion, DKIM signing is not done for this domain. +If the option is empty after expansion, DKIM signing is not done for this domain, +and no error will result even if &%dkim_strict%& is set. .option dkim_private_key smtp string&!! unset This sets the private key to use. @@ -38604,7 +38606,6 @@ be "0", "false" or the empty string, in which case the message will not be signed. This case will not result in an error, even if &%dkim_strict%& is set. .endlist -If the option is empty after expansion, DKIM signing is not done. .option dkim_hash smtp string&!! sha256 Can be set alternatively to &"sha1"& to use an alternate hash diff --git a/src/src/dkim.c b/src/src/dkim.c index 746a7a6b7..8c03d48ce 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -540,8 +540,12 @@ switch (what) } -/* Generate signatures for the given file, returning a string. +/* Generate signatures for the given file. If a prefix is given, prepend it to the file for the calculations. + +Return: + NULL: error; error string written + string: signature header(s), or a zero-length string (not an error) */ gstring * @@ -711,9 +715,15 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0))) } } } +if (!ctx.sig) + { + DEBUG(D_transport) debug_printf("DKIM: no viable signatures to use\n"); + sigbuf = string_get(1); /* return a zero-len string */ + goto CLEANUP; + } -if (prefix) - pdkim_feed(&ctx, prefix, Ustrlen(prefix)); +if (prefix && (pdkim_feed(&ctx, prefix, Ustrlen(prefix))) != PDKIM_OK) + goto pk_bad; if (lseek(fd, off, SEEK_SET) < 0) sread = -1; @@ -738,9 +748,8 @@ if ((pdkim_rc = pdkim_feed_finish(&ctx, &sig, errstr)) != PDKIM_OK) for (sigbuf = NULL; sig; sig = sig->next) sigbuf = string_append(sigbuf, 2, US sig->signature_header, US"\r\n"); -(void) string_from_gstring(sigbuf); - CLEANUP: + (void) string_from_gstring(sigbuf); store_pool = old_pool; errno = save_errno; return sigbuf; diff --git a/test/confs/4520 b/test/confs/4520 index 8515d050d..9092c74dc 100644 --- a/test/confs/4520 +++ b/test/confs/4520 @@ -62,5 +62,8 @@ send_to_server: .ifdef VALUE dkim_hash = VALUE .endif +.ifdef STRICT + dkim_strict = STRICT +.endif # End diff --git a/test/log/4520 b/test/log/4520 index 4a6502bb6..593cd6692 100644 --- a/test/log/4520 +++ b/test/log/4520 @@ -22,6 +22,9 @@ 1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbL-0005vi-00 => d@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbM-0005vi-00" 1999-03-02 09:44:33 10HmbL-0005vi-00 Completed +1999-03-02 09:44:33 10HmbN-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbN-0005vi-00 => a@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbO-0005vi-00" +1999-03-02 09:44:33 10HmbN-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 @@ -83,3 +86,8 @@ 1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbL-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: R=server_dump 1999-03-02 09:44:33 10HmbM-0005vi-00 Completed +1999-03-02 09:44:33 rcpt acl: macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive +1999-03-02 09:44:33 10HmbO-0005vi-00 data acl: dkim status +1999-03-02 09:44:33 10HmbO-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbN-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbO-0005vi-00 => :blackhole: R=server_dump +1999-03-02 09:44:33 10HmbO-0005vi-00 Completed diff --git a/test/scripts/4500-DKIM/4520 b/test/scripts/4500-DKIM/4520 index 1bc4c6030..406db39a5 100644 --- a/test/scripts/4500-DKIM/4520 +++ b/test/scripts/4500-DKIM/4520 @@ -62,6 +62,13 @@ content exim -d-all+acl -DOPT=From -DSELECTOR=sel_bad -odf d@test.ex From: nobody@example.com +content +**** +# +# check that an empty dkim_privatekey overrides dkim_strict +exim -DOPT=From -DSTRICT=true -DSELECTOR=none -odf a@test.ex +From: nobody@example.com + content **** # diff --git a/test/stderr/4507 b/test/stderr/4507 index 56fe4e977..8a4dd6bff 100644 --- a/test/stderr/4507 +++ b/test/stderr/4507 @@ -14,10 +14,12 @@ >>> end of inline ACL: ACCEPT >>> host in ignore_fromline_hosts? no (option unset) >>> using ACL "check_dkim" ->>> processing "accept" +>>> processing "warn" >>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length >>> = signer: test.ex bits: 1024 LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024 +>>> warn: condition test succeeded in ACL "check_dkim" +>>> processing "accept" >>> accept: condition test succeeded in ACL "check_dkim" >>> end of ACL "check_dkim": ACCEPT LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded] -- 2.25.1