projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
DKIM: support timestamp and expiry tags in signing. Bug 2260
[exim.git] / src / src / dkim.c
CommitLineData
80a47a2c
TK		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge, 1995 - 2018 */
80a47a2c
TK		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for DKIM support. Other DKIM relevant code is in
9 receive.c, transport.c and transports/smtp.c */
10
11#include "exim.h"
12
13#ifndef DISABLE_DKIM
14
970424a5
JH		 15# include "pdkim/pdkim.h"
16
17# ifdef MACRO_PREDEF
5f69a529 18# include "macro_predef.h"
970424a5
JH		 19
20void
a2701501 21params_dkim(void)
970424a5
JH		 22{
23builtin_macro_create_var(US"_DKIM_SIGN_HEADERS", US PDKIM_DEFAULT_SIGN_HEADERS);
24}
25# else /*!MACRO_PREDEF*/
26
27
28
617d3932 29pdkim_ctx dkim_sign_ctx;
80a47a2c 30
ca9cb170 31int dkim_verify_oldpool;
1cfe5c1c 32pdkim_ctx *dkim_verify_ctx = NULL;
1cfe5c1c 33pdkim_signature *dkim_cur_sig = NULL;
b9df1829 34static const uschar * dkim_collect_error = NULL;
80a47a2c 35
64b67b65
JH		 36#define DKIM_MAX_SIGNATURES 20
37
d73e45df
JH		 38
39
40/*XXX the caller only uses the first record if we return multiple.
d73e45df
JH		 41*/
42
617d3932
JH		 43uschar *
44dkim_exim_query_dns_txt(uschar * name)
1cfe5c1c
JH		 45{
46dns_answer dnsa;
47dns_scan dnss;
48dns_record *rr;
1eedc10f 49gstring * g = NULL;
80a47a2c 50
1cfe5c1c 51lookup_dnssec_authenticated = NULL;
617d3932 52if (dns_lookup(&dnsa, name, T_TXT, NULL) != DNS_SUCCEED)
1eedc10f 53 return NULL; /*XXX better error detail? logging? */
80a47a2c 54
1cfe5c1c 55/* Search for TXT record */
80a47a2c 56
1cfe5c1c
JH		 57for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
58 rr;
59 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
60 if (rr->type == T_TXT)
61 {
80a47a2c 62 int rr_offset = 0;
1cfe5c1c
JH		 63
64 /* Copy record content to the answer buffer */
65
66 while (rr_offset < rr->size)
67 {
68 uschar len = rr->data[rr_offset++];
1eedc10f
JH		 69
70 g = string_catn(g, US(rr->data + rr_offset), len);
71 if (g->ptr >= PDKIM_DNS_TXT_MAX_RECLEN)
72 goto bad;
73
1cfe5c1c 74 rr_offset += len;
4263f395 75 }
dd33c4e6
HSHR		 76
77 /* check if this looks like a DKIM record */
d011368a 78 if (Ustrncmp(g->s, "v=", 2) != 0 || strncasecmp(CS g->s, "v=dkim", 6) == 0)
1eedc10f 79 {
617d3932 80 gstring_reset_unused(g);
1eedc10f
JH		 81 return string_from_gstring(g);
82 }
83
84 if (g) g->ptr = 0; /* overwrite previous record */
80a47a2c 85 }
80a47a2c 86
1eedc10f
JH		 87bad:
88if (g) store_reset(g);
89return NULL; /*XXX better error detail? logging? */
80a47a2c
TK		 90}
91
92
2592e6c0
JH		 93void
94dkim_exim_init(void)
95{
96pdkim_init();
97}
98
99
ca9cb170 100
1cfe5c1c 101void
e983e85a 102dkim_exim_verify_init(BOOL dot_stuffing)
1cfe5c1c 103{
ca9cb170
JH		 104/* There is a store-reset between header & body reception
105so cannot use the main pool. Any allocs done by Exim
106memory-handling must use the perm pool. */
107
108dkim_verify_oldpool = store_pool;
109store_pool = POOL_PERM;
110
1cfe5c1c 111/* Free previous context if there is one */
80a47a2c 112
1cfe5c1c
JH		 113if (dkim_verify_ctx)
114 pdkim_free_ctx(dkim_verify_ctx);
80a47a2c 115
1cfe5c1c 116/* Create new context */
80a47a2c 117
e983e85a 118dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
64b67b65 119dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0;
b9df1829 120dkim_collect_error = NULL;
ca9cb170 121
584e96c6
JH		 122/* Start feed up with any cached data */
123receive_get_cache();
124
ca9cb170 125store_pool = dkim_verify_oldpool;
80a47a2c
TK		 126}
127
128
1cfe5c1c
JH		 129void
130dkim_exim_verify_feed(uschar * data, int len)
131{
f7302073
JH		 132int rc;
133
ca9cb170 134store_pool = POOL_PERM;
1cfe5c1c 135if ( dkim_collect_input
ef698bf6 136 && (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK)
f7302073 137 {
b9df1829 138 dkim_collect_error = pdkim_errstr(rc);
f7302073 139 log_write(0, LOG_MAIN,
b9df1829 140 "DKIM: validation error: %.100s", dkim_collect_error);
64b67b65 141 dkim_collect_input = 0;
f7302073 142 }
ca9cb170 143store_pool = dkim_verify_oldpool;
80a47a2c
TK		 144}
145
146
a79d8834
JH		 147/* Log the result for the given signature */
148static void
149dkim_exim_verify_log_sig(pdkim_signature * sig)
1cfe5c1c 150{
cc55f420 151gstring * logmsg;
a79d8834
JH		 152uschar * s;
153
cc55f420
JH		 154if (!sig) return;
155
6678c382 156/* Remember the domain for the first pass result */
dfbcb5ac 157
2c47372f
JH		 158if ( !dkim_verify_overall
159 && dkim_verify_status
160 ? Ustrcmp(dkim_verify_status, US"pass") == 0
161 : sig->verify_status == PDKIM_VERIFY_PASS
162 )
163 dkim_verify_overall = string_copy(sig->domain);
164
6678c382
JH		 165/* Rewrite the sig result if the ACL overrode it. This is only
166needed because the DMARC code (sigh) peeks at the dkim sigs.
167Mark the sig for this having been done. */
168
169if ( dkim_verify_status
170 && ( dkim_verify_status != dkim_exim_expand_query(DKIM_VERIFY_STATUS)
171 || dkim_verify_reason != dkim_exim_expand_query(DKIM_VERIFY_REASON)
172 ) )
173 { /* overridden by ACL */
174 sig->verify_ext_status = -1;
175 if (Ustrcmp(dkim_verify_status, US"fail") == 0)
176 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_FAIL;
177 else if (Ustrcmp(dkim_verify_status, US"invalid") == 0)
178 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_INVALID;
179 else if (Ustrcmp(dkim_verify_status, US"none") == 0)
180 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_NONE;
181 else if (Ustrcmp(dkim_verify_status, US"pass") == 0)
182 sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_PASS;
183 else
184 sig->verify_status = -1;
185 }
186
2c47372f
JH		 187if (!LOGGING(dkim_verbose)) return;
188
6678c382 189
aaaa94ea 190logmsg = string_catn(NULL, US"DKIM: ", 6);
a79d8834
JH		 191if (!(s = sig->domain)) s = US"<UNSET>";
192logmsg = string_append(logmsg, 2, "d=", s);
193if (!(s = sig->selector)) s = US"<UNSET>";
194logmsg = string_append(logmsg, 2, " s=", s);
dd33c4e6 195logmsg = string_append(logmsg, 7,
dfbcb5ac
JH		 196 " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
197 "/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
198 " a=", dkim_sig_to_a_tag(sig),
a79d8834
JH		 199string_sprintf(" b=" SIZE_T_FMT,
200 (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
201if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
202if (sig->created > 0) logmsg = string_cat(logmsg,
203 string_sprintf(" t=%lu", sig->created));
204if (sig->expires > 0) logmsg = string_cat(logmsg,
205 string_sprintf(" x=%lu", sig->expires));
206if (sig->bodylength > -1) logmsg = string_cat(logmsg,
207 string_sprintf(" l=%lu", sig->bodylength));
208
dfbcb5ac
JH		 209if (sig->verify_status & PDKIM_VERIFY_POLICY)
210 logmsg = string_append(logmsg, 5,
211 US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
212else
1cfe5c1c
JH		 213 switch (sig->verify_status)
214 {
215 case PDKIM_VERIFY_NONE:
aaaa94ea 216 logmsg = string_cat(logmsg, US" [not verified]");
80a47a2c 217 break;
1cfe5c1c
JH		 218
219 case PDKIM_VERIFY_INVALID:
aaaa94ea 220 logmsg = string_cat(logmsg, US" [invalid - ");
1cfe5c1c
JH		 221 switch (sig->verify_ext_status)
222 {
223 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
acec9514 224 logmsg = string_cat(logmsg,
aaaa94ea 225 US"public key record (currently?) unavailable]");
1cfe5c1c
JH		 226 break;
227
228 case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
aaaa94ea 229 logmsg = string_cat(logmsg, US"overlong public key record]");
1cfe5c1c
JH		 230 break;
231
df3def24
JH		 232 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
233 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
aaaa94ea 234 logmsg = string_cat(logmsg, US"syntax error in public key record]");
1cfe5c1c 235 break;
07eeb4df 236
a79d8834 237 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
aaaa94ea 238 logmsg = string_cat(logmsg, US"signature tag missing or invalid]");
a79d8834 239 break;
07eeb4df 240
a79d8834 241 case PDKIM_VERIFY_INVALID_DKIM_VERSION:
aaaa94ea 242 logmsg = string_cat(logmsg, US"unsupported DKIM version]");
a79d8834 243 break;
1cfe5c1c
JH		 244
245 default:
aaaa94ea 246 logmsg = string_cat(logmsg, US"unspecified problem]");
1cfe5c1c 247 }
80a47a2c 248 break;
1cfe5c1c
JH		 249
250 case PDKIM_VERIFY_FAIL:
aaaa94ea 251 logmsg = string_cat(logmsg, US" [verification failed - ");
1cfe5c1c
JH		 252 switch (sig->verify_ext_status)
253 {
254 case PDKIM_VERIFY_FAIL_BODY:
acec9514 255 logmsg = string_cat(logmsg,
aaaa94ea 256 US"body hash mismatch (body probably modified in transit)]");
1cfe5c1c
JH		 257 break;
258
259 case PDKIM_VERIFY_FAIL_MESSAGE:
acec9514 260 logmsg = string_cat(logmsg,
aaaa94ea
JH		 261 US"signature did not verify "
262 "(headers probably modified in transit)]");
dfbcb5ac 263 break;
1cfe5c1c
JH		 264
265 default:
aaaa94ea 266 logmsg = string_cat(logmsg, US"unspecified reason]");
1cfe5c1c 267 }
80a47a2c 268 break;
1cfe5c1c
JH		 269
270 case PDKIM_VERIFY_PASS:
aaaa94ea 271 logmsg = string_cat(logmsg, US" [verification succeeded]");
80a47a2c
TK		 272 break;
273 }
a79d8834 274
aaaa94ea 275log_write(0, LOG_MAIN, "%s", string_from_gstring(logmsg));
a79d8834
JH		 276return;
277}
278
80a47a2c 279
a79d8834
JH		 280/* Log a line for each signature */
281void
282dkim_exim_verify_log_all(void)
283{
284pdkim_signature * sig;
285for (sig = dkim_signatures; sig; sig = sig->next) dkim_exim_verify_log_sig(sig);
286}
1cfe5c1c 287
80a47a2c 288
a79d8834
JH		 289void
290dkim_exim_verify_finish(void)
291{
292pdkim_signature * sig;
293int rc;
294gstring * g = NULL;
286b9d5f 295const uschar * errstr = NULL;
a79d8834
JH		 296
297store_pool = POOL_PERM;
298
299/* Delete eventual previous signature chain */
300
301dkim_signers = NULL;
302dkim_signatures = NULL;
303
304if (dkim_collect_error)
305 {
306 log_write(0, LOG_MAIN,
307 "DKIM: Error during validation, disabling signature verification: %.100s",
308 dkim_collect_error);
309 dkim_disable_verify = TRUE;
310 goto out;
311 }
312
64b67b65 313dkim_collect_input = 0;
a79d8834
JH		 314
315/* Finish DKIM operation and fetch link to signatures chain */
316
b4757e36
JH		 317rc = pdkim_feed_finish(dkim_verify_ctx, (pdkim_signature **)&dkim_signatures,
318 &errstr);
286b9d5f
JH		 319if (rc != PDKIM_OK && errstr)
320 log_write(0, LOG_MAIN, "DKIM: validation error: %s", errstr);
a79d8834
JH		 321
322/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
323
324for (sig = dkim_signatures; sig; sig = sig->next)
325 {
326 if (sig->domain) g = string_append_listele(g, ':', sig->domain);
327 if (sig->identity) g = string_append_listele(g, ':', sig->identity);
80a47a2c
TK		 328 }
329
acec9514
JH		 330if (g) dkim_signers = g->s;
331
ca9cb170
JH		 332out:
333store_pool = dkim_verify_oldpool;
80a47a2c
TK		 334}
335
336
18067c75
JH		 337
338/* Args as per dkim_exim_acl_run() below */
339static int
340dkim_acl_call(uschar * id, gstring ** res_ptr,
341 uschar ** user_msgptr, uschar ** log_msgptr)
342{
343int rc;
344DEBUG(D_receive)
345 debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n", id);
346
347rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, user_msgptr, log_msgptr);
348dkim_exim_verify_log_sig(dkim_cur_sig);
349*res_ptr = string_append_listele(*res_ptr, ':', dkim_verify_status);
350return rc;
351}
352
353
354
355/* For the given identity, run the DKIM ACL once for each matching signature.
356
357Arguments
358 id Identity to look for in dkim signatures
359 res_ptr ptr to growable string-list of status results,
360 appended to per ACL run
361 user_msgptr where to put a user error (for SMTP response)
362 log_msgptr where to put a logging message (not for SMTP response)
363
364Returns: OK access is granted by an ACCEPT verb
365 DISCARD access is granted by a DISCARD verb
366 FAIL access is denied
367 FAIL_DROP access is denied; drop the connection
368 DEFER can't tell at the moment
369 ERROR disaster
370*/
371
372int
373dkim_exim_acl_run(uschar * id, gstring ** res_ptr,
374 uschar ** user_msgptr, uschar ** log_msgptr)
1cfe5c1c
JH		 375{
376pdkim_signature * sig;
377uschar * cmp_val;
18067c75 378int rc = -1;
1cfe5c1c 379
cc55f420
JH		 380dkim_verify_status = US"none";
381dkim_verify_reason = US"";
1cfe5c1c
JH		 382dkim_cur_signer = id;
383
384if (dkim_disable_verify || !id || !dkim_verify_ctx)
18067c75 385 return OK;
1cfe5c1c 386
18067c75 387/* Find signatures to run ACL on */
1cfe5c1c
JH		 388
389for (sig = dkim_signatures; sig; sig = sig->next)
390 if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
391 && strcmpic(cmp_val, id) == 0
392 )
393 {
1cfe5c1c 394 /* The "dkim_domain" and "dkim_selector" expansion variables have
18067c75
JH		 395 related globals, since they are used in the signing code too.
396 Instead of inventing separate names for verification, we set
397 them here. This is easy since a domain and selector is guaranteed
398 to be in a signature. The other dkim_* expansion items are
399 dynamically fetched from dkim_cur_sig at expansion time (see
b4757e36 400 dkim_exim_expand_query() below). */
1cfe5c1c 401
18067c75 402 dkim_cur_sig = sig;
1cfe5c1c
JH		 403 dkim_signing_domain = US sig->domain;
404 dkim_signing_selector = US sig->selector;
dcd03763 405 dkim_key_length = sig->sighash.len * 8;
a79d8834
JH		 406
407 /* These two return static strings, so we can compare the addr
408 later to see if the ACL overwrote them. Check that when logging */
409
410 dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
411 dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
dd33c4e6 412
18067c75
JH		 413 if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK)
414 return rc;
80a47a2c 415 }
18067c75
JH		 416
417if (rc != -1)
418 return rc;
419
420/* No matching sig found. Call ACL once anyway. */
421
422dkim_cur_sig = NULL;
423return dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr);
80a47a2c
TK		 424}
425
426
1cfe5c1c
JH		 427static uschar *
428dkim_exim_expand_defaults(int what)
429{
430switch (what)
431 {
432 case DKIM_ALGO: return US"";
433 case DKIM_BODYLENGTH: return US"9999999999999";
434 case DKIM_CANON_BODY: return US"";
435 case DKIM_CANON_HEADERS: return US"";
436 case DKIM_COPIEDHEADERS: return US"";
437 case DKIM_CREATED: return US"0";
438 case DKIM_EXPIRES: return US"9999999999999";
439 case DKIM_HEADERNAMES: return US"";
440 case DKIM_IDENTITY: return US"";
441 case DKIM_KEY_GRANULARITY: return US"*";
442 case DKIM_KEY_SRVTYPE: return US"*";
443 case DKIM_KEY_NOTES: return US"";
444 case DKIM_KEY_TESTING: return US"0";
445 case DKIM_NOSUBDOMAINS: return US"0";
446 case DKIM_VERIFY_STATUS: return US"none";
447 case DKIM_VERIFY_REASON: return US"";
448 default: return US"";
449 }
450}
80a47a2c 451
80a47a2c 452
1cfe5c1c
JH		 453uschar *
454dkim_exim_expand_query(int what)
455{
456if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig)
457 return dkim_exim_expand_defaults(what);
458
459switch (what)
460 {
461 case DKIM_ALGO:
d73e45df 462 return dkim_sig_to_a_tag(dkim_cur_sig);
1cfe5c1c
JH		 463
464 case DKIM_BODYLENGTH:
465 return dkim_cur_sig->bodylength >= 0
bb07bcd3 466 ? string_sprintf("%ld", dkim_cur_sig->bodylength)
1cfe5c1c
JH		 467 : dkim_exim_expand_defaults(what);
468
469 case DKIM_CANON_BODY:
470 switch (dkim_cur_sig->canon_body)
471 {
472 case PDKIM_CANON_RELAXED: return US"relaxed";
473 case PDKIM_CANON_SIMPLE:
474 default: return US"simple";
80a47a2c 475 }
1cfe5c1c
JH		 476
477 case DKIM_CANON_HEADERS:
a79d8834
JH		 478 switch (dkim_cur_sig->canon_headers)
479 {
480 case PDKIM_CANON_RELAXED: return US"relaxed";
481 case PDKIM_CANON_SIMPLE:
482 default: return US"simple";
483 }
1cfe5c1c
JH		 484
485 case DKIM_COPIEDHEADERS:
486 return dkim_cur_sig->copiedheaders
487 ? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
488
489 case DKIM_CREATED:
490 return dkim_cur_sig->created > 0
bb07bcd3 491 ? string_sprintf("%lu", dkim_cur_sig->created)
1cfe5c1c
JH		 492 : dkim_exim_expand_defaults(what);
493
494 case DKIM_EXPIRES:
495 return dkim_cur_sig->expires > 0
bb07bcd3 496 ? string_sprintf("%lu", dkim_cur_sig->expires)
1cfe5c1c
JH		 497 : dkim_exim_expand_defaults(what);
498
499 case DKIM_HEADERNAMES:
500 return dkim_cur_sig->headernames
2592e6c0 501 ? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
1cfe5c1c
JH		 502
503 case DKIM_IDENTITY:
504 return dkim_cur_sig->identity
505 ? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
506
507 case DKIM_KEY_GRANULARITY:
508 return dkim_cur_sig->pubkey
509 ? dkim_cur_sig->pubkey->granularity
510 ? US dkim_cur_sig->pubkey->granularity
511 : dkim_exim_expand_defaults(what)
512 : dkim_exim_expand_defaults(what);
513
514 case DKIM_KEY_SRVTYPE:
515 return dkim_cur_sig->pubkey
516 ? dkim_cur_sig->pubkey->srvtype
517 ? US dkim_cur_sig->pubkey->srvtype
518 : dkim_exim_expand_defaults(what)
519 : dkim_exim_expand_defaults(what);
520
521 case DKIM_KEY_NOTES:
522 return dkim_cur_sig->pubkey
523 ? dkim_cur_sig->pubkey->notes
524 ? US dkim_cur_sig->pubkey->notes
525 : dkim_exim_expand_defaults(what)
526 : dkim_exim_expand_defaults(what);
527
528 case DKIM_KEY_TESTING:
529 return dkim_cur_sig->pubkey
530 ? dkim_cur_sig->pubkey->testing
531 ? US"1"
532 : dkim_exim_expand_defaults(what)
533 : dkim_exim_expand_defaults(what);
534
535 case DKIM_NOSUBDOMAINS:
536 return dkim_cur_sig->pubkey
537 ? dkim_cur_sig->pubkey->no_subdomaining
538 ? US"1"
539 : dkim_exim_expand_defaults(what)
540 : dkim_exim_expand_defaults(what);
541
542 case DKIM_VERIFY_STATUS:
543 switch (dkim_cur_sig->verify_status)
544 {
545 case PDKIM_VERIFY_INVALID: return US"invalid";
546 case PDKIM_VERIFY_FAIL: return US"fail";
547 case PDKIM_VERIFY_PASS: return US"pass";
548 case PDKIM_VERIFY_NONE:
549 default: return US"none";
80a47a2c 550 }
80a47a2c 551
1cfe5c1c
JH		 552 case DKIM_VERIFY_REASON:
553 switch (dkim_cur_sig->verify_ext_status)
554 {
555 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
556 return US"pubkey_unavailable";
df3def24
JH		 557 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
558 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return US"pubkey_der_syntax";
1cfe5c1c
JH		 559 case PDKIM_VERIFY_FAIL_BODY: return US"bodyhash_mismatch";
560 case PDKIM_VERIFY_FAIL_MESSAGE: return US"signature_incorrect";
561 }
80a47a2c 562
1cfe5c1c
JH		 563 default:
564 return US"";
80a47a2c
TK		 565 }
566}
567
568
617d3932
JH		 569void
570dkim_exim_sign_init(void)
571{
572int old_pool = store_pool;
573store_pool = POOL_MAIN;
574pdkim_init_context(&dkim_sign_ctx, FALSE, &dkim_exim_query_dns_txt);
575store_pool = old_pool;
576}
577
578
0b8f4f1a 579/* Generate signatures for the given file.
42055a33 580If a prefix is given, prepend it to the file for the calculations.
0b8f4f1a
JH		 581
582Return:
583 NULL: error; error string written
584 string: signature header(s), or a zero-length string (not an error)
42055a33
JH		 585*/
586
acec9514 587gstring *
42055a33
JH		 588dkim_exim_sign(int fd, off_t off, uschar * prefix,
589 struct ob_dkim * dkim, const uschar ** errstr)
55414b25 590{
617d3932 591const uschar * dkim_domain = NULL;
1cfe5c1c 592int sep = 0;
acec9514 593gstring * seen_doms = NULL;
9e70917d 594pdkim_signature * sig;
acec9514 595gstring * sigbuf;
1cfe5c1c
JH		 596int pdkim_rc;
597int sread;
ef698bf6 598uschar buf[4096];
1cfe5c1c
JH		 599int save_errno = 0;
600int old_pool = store_pool;
7c6ec81b 601uschar * errwhen;
617d3932 602const uschar * s;
1cfe5c1c 603
617d3932
JH		 604if (dkim->dot_stuffed)
605 dkim_sign_ctx.flags |= PDKIM_DOT_TERM;
1cfe5c1c 606
617d3932 607store_pool = POOL_MAIN;
9e70917d 608
617d3932 609if ((s = dkim->dkim_domain) && !(dkim_domain = expand_cstring(s)))
1cfe5c1c 610 /* expansion error, do not send message. */
7c6ec81b 611 { errwhen = US"dkim_domain"; goto expand_bad; }
1cfe5c1c
JH		 612
613/* Set $dkim_domain expansion variable to each unique domain in list. */
614
617d3932
JH		 615if (dkim_domain)
616 while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0)))
1cfe5c1c 617 {
9e70917d
JH		 618 const uschar * dkim_sel;
619 int sel_sep = 0;
620
42055a33 621 if (dkim_signing_domain[0] == '\0')
1cfe5c1c
JH		 622 continue;
623
624 /* Only sign once for each domain, no matter how often it
625 appears in the expanded list. */
626
9e70917d
JH		 627 if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
628 0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
629 continue;
1cfe5c1c 630
acec9514 631 seen_doms = string_append_listele(seen_doms, ':', dkim_signing_domain);
1cfe5c1c 632
9e70917d
JH		 633 /* Set $dkim_selector expansion variable to each selector in list,
634 for this domain. */
1cfe5c1c 635
9e70917d 636 if (!(dkim_sel = expand_string(dkim->dkim_selector)))
7c6ec81b 637 { errwhen = US"dkim_selector"; goto expand_bad; }
1cfe5c1c 638
9e70917d
JH		 639 while ((dkim_signing_selector = string_nextinlist(&dkim_sel, &sel_sep,
640 NULL, 0)))
1cfe5c1c 641 {
9e70917d
JH		 642 uschar * dkim_canon_expanded;
643 int pdkim_canon;
644 uschar * dkim_sign_headers_expanded = NULL;
645 uschar * dkim_private_key_expanded;
646 uschar * dkim_hash_expanded;
7c6ec81b 647 uschar * dkim_identity_expanded = NULL;
2bc0f45e
JH		 648 uschar * dkim_timestamps_expanded = NULL;
649 unsigned long tval = 0, xval = 0;
80a47a2c 650
9e70917d 651 /* Get canonicalization to use */
1cfe5c1c 652
9e70917d
JH		 653 dkim_canon_expanded = dkim->dkim_canon
654 ? expand_string(dkim->dkim_canon) : US"relaxed";
7c6ec81b
JH		 655 if (!dkim_canon_expanded) /* expansion error, do not send message. */
656 { errwhen = US"dkim_canon"; goto expand_bad; }
1cfe5c1c 657
9e70917d
JH		 658 if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
659 pdkim_canon = PDKIM_CANON_RELAXED;
660 else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
661 pdkim_canon = PDKIM_CANON_SIMPLE;
662 else
663 {
664 log_write(0, LOG_MAIN,
665 "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
666 dkim_canon_expanded);
667 pdkim_canon = PDKIM_CANON_RELAXED;
668 }
1cfe5c1c 669
7c6ec81b
JH		 670 if ( dkim->dkim_sign_headers
671 && !(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
672 { errwhen = US"dkim_sign_header"; goto expand_bad; }
673 /* else pass NULL, which means default header list */
1cfe5c1c 674
9e70917d 675 /* Get private key to use. */
e983e85a 676
9e70917d 677 if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
7c6ec81b 678 { errwhen = US"dkim_private_key"; goto expand_bad; }
80a47a2c 679
9e70917d
JH		 680 if ( Ustrlen(dkim_private_key_expanded) == 0
681 || Ustrcmp(dkim_private_key_expanded, "0") == 0
682 || Ustrcmp(dkim_private_key_expanded, "false") == 0
683 )
684 continue; /* don't sign, but no error */
685
617d3932
JH		 686 if ( dkim_private_key_expanded[0] == '/'
687 && !(dkim_private_key_expanded =
688 expand_file_big_buffer(dkim_private_key_expanded)))
689 goto bad;
80a47a2c 690
9e70917d 691 if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash)))
7c6ec81b
JH		 692 { errwhen = US"dkim_hash"; goto expand_bad; }
693
694 if (dkim->dkim_identity)
695 if (!(dkim_identity_expanded = expand_string(dkim->dkim_identity)))
696 { errwhen = US"dkim_identity"; goto expand_bad; }
697 else if (!*dkim_identity_expanded)
698 dkim_identity_expanded = NULL;
1cfe5c1c 699
2bc0f45e
JH		 700 if (dkim->dkim_timestamps)
701 if (!(dkim_timestamps_expanded = expand_string(dkim->dkim_timestamps)))
702 { errwhen = US"dkim_timestamps"; goto expand_bad; }
703 else
704 xval = (tval = (unsigned long) time(NULL))
705 + strtoul(dkim_timestamps_expanded, NULL, 10);
706
617d3932 707 if (!(sig = pdkim_init_sign(&dkim_sign_ctx, dkim_signing_domain,
9e70917d
JH		 708 dkim_signing_selector,
709 dkim_private_key_expanded,
710 dkim_hash_expanded,
711 errstr
712 )))
713 goto bad;
714 dkim_private_key_expanded[0] = '\0';
715
716 pdkim_set_optional(sig,
717 CS dkim_sign_headers_expanded,
27fd1318 718 CS dkim_identity_expanded,
9e70917d 719 pdkim_canon,
2bc0f45e 720 pdkim_canon, -1, tval, xval);
9e70917d 721
617d3932 722 if (!pdkim_set_sig_bodyhash(&dkim_sign_ctx, sig))
cf1cce5e
JH		 723 goto bad;
724
617d3932
JH		 725 if (!dkim_sign_ctx.sig) /* link sig to context chain */
726 dkim_sign_ctx.sig = sig;
9e70917d
JH		 727 else
728 {
617d3932 729 pdkim_signature * n = dkim_sign_ctx.sig;
9e70917d
JH		 730 while (n->next) n = n->next;
731 n->next = sig;
732 }
80a47a2c 733 }
9e70917d 734 }
617d3932
JH		 735
736/* We may need to carry on with the data-feed even if there are no DKIM sigs to
737produce, if some other package (eg. ARC) is signing. */
738
739if (!dkim_sign_ctx.sig && !dkim->force_bodyhash)
0b8f4f1a
JH		 740 {
741 DEBUG(D_transport) debug_printf("DKIM: no viable signatures to use\n");
742 sigbuf = string_get(1); /* return a zero-len string */
0b8f4f1a 743 }
9e70917d 744else
9e70917d 745 {
617d3932
JH		 746 if (prefix && (pdkim_rc = pdkim_feed(&dkim_sign_ctx, prefix, Ustrlen(prefix))) != PDKIM_OK)
747 goto pk_bad;
a8e1eeba 748
617d3932
JH		 749 if (lseek(fd, off, SEEK_SET) < 0)
750 sread = -1;
751 else
752 while ((sread = read(fd, &buf, sizeof(buf))) > 0)
753 if ((pdkim_rc = pdkim_feed(&dkim_sign_ctx, buf, sread)) != PDKIM_OK)
754 goto pk_bad;
9e70917d 755
617d3932
JH		 756 /* Handle failed read above. */
757 if (sread == -1)
758 {
759 debug_printf("DKIM: Error reading -K file.\n");
760 save_errno = errno;
761 goto bad;
762 }
763
764 /* Build string of headers, one per signature */
9e70917d 765
617d3932
JH		 766 if ((pdkim_rc = pdkim_feed_finish(&dkim_sign_ctx, &sig, errstr)) != PDKIM_OK)
767 goto pk_bad;
768
769 if (!sig)
770 {
771 DEBUG(D_transport) debug_printf("DKIM: no signatures to use\n");
772 sigbuf = string_get(1); /* return a zero-len string */
773 }
774 else for (sigbuf = NULL; sig; sig = sig->next)
775 sigbuf = string_append(sigbuf, 2, US sig->signature_header, US"\r\n");
776 }
9e70917d 777
1cfe5c1c 778CLEANUP:
0b8f4f1a 779 (void) string_from_gstring(sigbuf);
f7302073
JH		 780 store_pool = old_pool;
781 errno = save_errno;
9e70917d 782 return sigbuf;
f7302073
JH		 783
784pk_bad:
785 log_write(0, LOG_MAIN|LOG_PANIC,
786 "DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
787bad:
9e70917d 788 sigbuf = NULL;
f7302073 789 goto CLEANUP;
7c6ec81b
JH		 790
791expand_bad:
792 log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand %s: %s",
793 errwhen, expand_string_message);
794 goto bad;
93f2d376 795}
80a47a2c 796
dfbcb5ac
JH		 797
798
799
800gstring *
801authres_dkim(gstring * g)
802{
803pdkim_signature * sig;
0ae2cff6 804int start = 0; /* compiler quietening */
617d3932
JH		 805
806DEBUG(D_acl) start = g->ptr;
dfbcb5ac
JH		 807
808for (sig = dkim_signatures; sig; sig = sig->next)
809 {
e34f8ca2 810 g = string_catn(g, US";\n\tdkim=", 8);
dfbcb5ac
JH		 811
812 if (sig->verify_status & PDKIM_VERIFY_POLICY)
813 g = string_append(g, 5,
814 US"policy (", dkim_verify_status, US" - ", dkim_verify_reason, US")");
815 else switch(sig->verify_status)
816 {
817 case PDKIM_VERIFY_NONE: g = string_cat(g, US"none"); break;
818 case PDKIM_VERIFY_INVALID:
819 switch (sig->verify_ext_status)
820 {
821 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
617d3932 822 g = string_cat(g, US"tmperror (pubkey unavailable)\n\t\t"); break;
dfbcb5ac 823 case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
617d3932 824 g = string_cat(g, US"permerror (overlong public key record)\n\t\t"); break;
dfbcb5ac
JH		 825 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
826 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
0e8aed8a 827 g = string_cat(g, US"neutral (public key record import problem)\n\t\t");
dfbcb5ac
JH		 828 break;
829 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
617d3932 830 g = string_cat(g, US"neutral (signature tag missing or invalid)\n\t\t");
dfbcb5ac
JH		 831 break;
832 case PDKIM_VERIFY_INVALID_DKIM_VERSION:
617d3932 833 g = string_cat(g, US"neutral (unsupported DKIM version)\n\t\t");
dfbcb5ac
JH		 834 break;
835 default:
617d3932 836 g = string_cat(g, US"permerror (unspecified problem)\n\t\t"); break;
dfbcb5ac
JH		 837 }
838 break;
839 case PDKIM_VERIFY_FAIL:
840 switch (sig->verify_ext_status)
841 {
842 case PDKIM_VERIFY_FAIL_BODY:
843 g = string_cat(g,
617d3932 844 US"fail (body hash mismatch; body probably modified in transit)\n\t\t");
dfbcb5ac
JH		 845 break;
846 case PDKIM_VERIFY_FAIL_MESSAGE:
847 g = string_cat(g,
617d3932 848 US"fail (signature did not verify; headers probably modified in transit)\n\t\t");
dfbcb5ac
JH		 849 break;
850 default:
617d3932 851 g = string_cat(g, US"fail (unspecified reason)\n\t\t");
dfbcb5ac
JH		 852 break;
853 }
854 break;
855 case PDKIM_VERIFY_PASS: g = string_cat(g, US"pass"); break;
856 default: g = string_cat(g, US"permerror"); break;
857 }
858 if (sig->domain) g = string_append(g, 2, US" header.d=", sig->domain);
859 if (sig->identity) g = string_append(g, 2, US" header.i=", sig->identity);
860 if (sig->selector) g = string_append(g, 2, US" header.s=", sig->selector);
861 g = string_append(g, 2, US" header.a=", dkim_sig_to_a_tag(sig));
862 }
617d3932
JH		 863
864DEBUG(D_acl)
865 if (g->ptr == start)
866 debug_printf("DKIM: no authres\n");
867 else
868 debug_printf("DKIM: authres '%.*s'\n", g->ptr - start - 3, g->s + start + 3);
dfbcb5ac
JH		 869return g;
870}
871
872
970424a5
JH		 873# endif /*!MACRO_PREDEF*/
874#endif /*!DISABLE_DKIM*/
Unnamed repository; edit this file 'description' to name the repository.