[exim.git] / src / src / dkim.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge, 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */

/* Code for DKIM support. Other DKIM relevant code is in
   receive.c, transport.c and transports/smtp.c */

#include "exim.h"

#ifndef DISABLE_DKIM

#include "pdkim/pdkim.h"

int dkim_verify_oldpool;
pdkim_ctx *dkim_verify_ctx = NULL;
pdkim_signature *dkim_signatures = NULL;
pdkim_signature *dkim_cur_sig = NULL;

static int
dkim_exim_query_dns_txt(char *name, char *answer)
{
dns_answer dnsa;
dns_scan dnss;
dns_record *rr;

lookup_dnssec_authenticated = NULL;
if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
  return PDKIM_FAIL;

/* Search for TXT record */

for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
     rr;
     rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
  if (rr->type == T_TXT)
    {
    int rr_offset = 0;
    int answer_offset = 0;

    /* Copy record content to the answer buffer */

    while (rr_offset < rr->size)
      {
      uschar len = rr->data[rr_offset++];
      snprintf(answer + answer_offset,
		PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
		"%.*s", (int)len, (char *) (rr->data + rr_offset));
      rr_offset += len;
      answer_offset += len;
      if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
	return PDKIM_FAIL;
      }
    return PDKIM_OK;
    }

return PDKIM_FAIL;
}


void
dkim_exim_init(void)
{
pdkim_init();
}


void
dkim_exim_verify_init(void)
{
/* There is a store-reset between header & body reception
so cannot use the main pool. Any allocs done by Exim
memory-handling must use the perm pool. */

dkim_verify_oldpool = store_pool;
store_pool = POOL_PERM;

/* Free previous context if there is one */

if (dkim_verify_ctx)
  pdkim_free_ctx(dkim_verify_ctx);

/* Create new context */

dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt);
dkim_collect_input = !!dkim_verify_ctx;

/* Start feed up with any cached data */
receive_get_cache();

store_pool = dkim_verify_oldpool;
}


void
dkim_exim_verify_feed(uschar * data, int len)
{
store_pool = POOL_PERM;
if (  dkim_collect_input
   && pdkim_feed(dkim_verify_ctx, (char *)data, len) != PDKIM_OK)
  dkim_collect_input = FALSE;
store_pool = dkim_verify_oldpool;
}


void
dkim_exim_verify_finish(void)
{
pdkim_signature *sig = NULL;
int dkim_signers_size = 0;
int dkim_signers_ptr = 0;
dkim_signers = NULL;

store_pool = POOL_PERM;

/* Delete eventual previous signature chain */

dkim_signatures = NULL;

/* If we have arrived here with dkim_collect_input == FALSE, it
means there was a processing error somewhere along the way.
Log the incident and disable futher verification. */

if (!dkim_collect_input)
  {
  log_write(0, LOG_MAIN,
	     "DKIM: Error while running this message through validation,"
	     " disabling signature verification.");
  dkim_disable_verify = TRUE;
  goto out;
  }

dkim_collect_input = FALSE;

/* Finish DKIM operation and fetch link to signatures chain */

if (pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures) != PDKIM_OK)
  goto out;

for (sig = dkim_signatures; sig; sig = sig->next)
  {
  int size = 0;
  int ptr = 0;

  /* Log a line for each signature */

  uschar *logmsg = string_append(NULL, &size, &ptr, 5,
	string_sprintf("d=%s s=%s c=%s/%s a=%s b=%d ",
	      sig->domain,
	      sig->selector,
	      sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	      sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	      sig->algo == PDKIM_ALGO_RSA_SHA256
	      ? "rsa-sha256"
	      : sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
	      (int)sig->sigdata.len > -1 ? sig->sigdata.len * 8 : 0
	      ),

	sig->identity ? string_sprintf("i=%s ", sig->identity) : US"",
	sig->created > 0 ? string_sprintf("t=%lu ", sig->created) : US"",
	sig->expires > 0 ? string_sprintf("x=%lu ", sig->expires) : US"",
	sig->bodylength > -1 ? string_sprintf("l=%lu ", sig->bodylength) : US""
	);

  switch (sig->verify_status)
    {
    case PDKIM_VERIFY_NONE:
      logmsg = string_append(logmsg, &size, &ptr, 1, "[not verified]");
      break;

    case PDKIM_VERIFY_INVALID:
      logmsg = string_append(logmsg, &size, &ptr, 1, "[invalid - ");
      switch (sig->verify_ext_status)
	{
	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		        "public key record (currently?) unavailable]");
	  break;

	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
			"overlong public key record]");
	  break;

	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "syntax error in public key record]");
	  break;

        case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
          logmsg = string_append(logmsg, &size, &ptr, 1,
                       "signature tag missing or invalid]");
          break;

        case PDKIM_VERIFY_INVALID_DKIM_VERSION:
          logmsg = string_append(logmsg, &size, &ptr, 1,
                       "unsupported DKIM version]");
          break;

	default:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
			"unspecified problem]");
	}
      break;

    case PDKIM_VERIFY_FAIL:
      logmsg =
	string_append(logmsg, &size, &ptr, 1, "[verification failed - ");
      switch (sig->verify_ext_status)
	{
	case PDKIM_VERIFY_FAIL_BODY:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "body hash mismatch (body probably modified in transit)]");
	  break;

	case PDKIM_VERIFY_FAIL_MESSAGE:
	  logmsg = string_append(logmsg, &size, &ptr, 1,
		       "signature did not verify (headers probably modified in transit)]");
	break;

	default:
	  logmsg = string_append(logmsg, &size, &ptr, 1, "unspecified reason]");
	}
      break;

    case PDKIM_VERIFY_PASS:
      logmsg =
	string_append(logmsg, &size, &ptr, 1, "[verification succeeded]");
      break;
    }

  logmsg[ptr] = '\0';
  log_write(0, LOG_MAIN, "DKIM: %s", logmsg);

  /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */

  dkim_signers = string_append(dkim_signers,
				&dkim_signers_size,
				&dkim_signers_ptr, 2, sig->domain, ":");

  if (sig->identity)
    dkim_signers = string_append(dkim_signers,
				  &dkim_signers_size,
				  &dkim_signers_ptr, 2, sig->identity, ":");

  /* Process next signature */
  }

/* NULL-terminate and chop the last colon from the domain list */

if (dkim_signers)
  {
  dkim_signers[dkim_signers_ptr] = '\0';
  if (Ustrlen(dkim_signers) > 0)
  dkim_signers[Ustrlen(dkim_signers) - 1] = '\0';
  }

out:
store_pool = dkim_verify_oldpool;
}


void
dkim_exim_acl_setup(uschar * id)
{
pdkim_signature * sig;
uschar * cmp_val;

dkim_cur_sig = NULL;
dkim_cur_signer = id;

if (dkim_disable_verify || !id || !dkim_verify_ctx)
  return;

/* Find signature to run ACL on */

for (sig = dkim_signatures; sig; sig = sig->next)
  if (  (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
     && strcmpic(cmp_val, id) == 0
     )
    {
    dkim_cur_sig = sig;

    /* The "dkim_domain" and "dkim_selector" expansion variables have
       related globals, since they are used in the signing code too.
       Instead of inventing separate names for verification, we set
       them here. This is easy since a domain and selector is guaranteed
       to be in a signature. The other dkim_* expansion items are
       dynamically fetched from dkim_cur_sig at expansion time (see
       function below). */

    dkim_signing_domain = US sig->domain;
    dkim_signing_selector = US sig->selector;
    dkim_key_length = sig->sigdata.len * 8;
    return;
    }
}


static uschar *
dkim_exim_expand_defaults(int what)
{
switch (what)
  {
  case DKIM_ALGO:		return US"";
  case DKIM_BODYLENGTH:		return US"9999999999999";
  case DKIM_CANON_BODY:		return US"";
  case DKIM_CANON_HEADERS:	return US"";
  case DKIM_COPIEDHEADERS:	return US"";
  case DKIM_CREATED:		return US"0";
  case DKIM_EXPIRES:		return US"9999999999999";
  case DKIM_HEADERNAMES:	return US"";
  case DKIM_IDENTITY:		return US"";
  case DKIM_KEY_GRANULARITY:	return US"*";
  case DKIM_KEY_SRVTYPE:	return US"*";
  case DKIM_KEY_NOTES:		return US"";
  case DKIM_KEY_TESTING:	return US"0";
  case DKIM_NOSUBDOMAINS:	return US"0";
  case DKIM_VERIFY_STATUS:	return US"none";
  case DKIM_VERIFY_REASON:	return US"";
  default:			return US"";
  }
}


uschar *
dkim_exim_expand_query(int what)
{
if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig)
  return dkim_exim_expand_defaults(what);

switch (what)
  {
  case DKIM_ALGO:
    switch (dkim_cur_sig->algo)
      {
      case PDKIM_ALGO_RSA_SHA1:	return US"rsa-sha1";
      case PDKIM_ALGO_RSA_SHA256:
      default:			return US"rsa-sha256";
      }

  case DKIM_BODYLENGTH:
    return dkim_cur_sig->bodylength >= 0
      ? string_sprintf(OFF_T_FMT, (LONGLONG_T) dkim_cur_sig->bodylength)
      : dkim_exim_expand_defaults(what);

  case DKIM_CANON_BODY:
    switch (dkim_cur_sig->canon_body)
      {
      case PDKIM_CANON_RELAXED:	return US"relaxed";
      case PDKIM_CANON_SIMPLE:
      default:			return US"simple";
      }

  case DKIM_CANON_HEADERS:
  switch (dkim_cur_sig->canon_headers)
    {
    case PDKIM_CANON_RELAXED:	return US"relaxed";
    case PDKIM_CANON_SIMPLE:
    default:			return US"simple";
    }

  case DKIM_COPIEDHEADERS:
    return dkim_cur_sig->copiedheaders
      ? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);

  case DKIM_CREATED:
    return dkim_cur_sig->created > 0
      ? string_sprintf("%llu", dkim_cur_sig->created)
      : dkim_exim_expand_defaults(what);

  case DKIM_EXPIRES:
    return dkim_cur_sig->expires > 0
      ? string_sprintf("%llu", dkim_cur_sig->expires)
      : dkim_exim_expand_defaults(what);

  case DKIM_HEADERNAMES:
    return dkim_cur_sig->headernames
      ? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);

  case DKIM_IDENTITY:
    return dkim_cur_sig->identity
      ? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);

  case DKIM_KEY_GRANULARITY:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->granularity
      ? US dkim_cur_sig->pubkey->granularity
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_SRVTYPE:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->srvtype
      ? US dkim_cur_sig->pubkey->srvtype
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_NOTES:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->notes
      ? US dkim_cur_sig->pubkey->notes
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_KEY_TESTING:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->testing
      ? US"1"
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_NOSUBDOMAINS:
    return dkim_cur_sig->pubkey
      ? dkim_cur_sig->pubkey->no_subdomaining
      ? US"1"
      : dkim_exim_expand_defaults(what)
      : dkim_exim_expand_defaults(what);

  case DKIM_VERIFY_STATUS:
    switch (dkim_cur_sig->verify_status)
      {
      case PDKIM_VERIFY_INVALID:	return US"invalid";
      case PDKIM_VERIFY_FAIL:		return US"fail";
      case PDKIM_VERIFY_PASS:		return US"pass";
      case PDKIM_VERIFY_NONE:
      default:				return US"none";
      }

  case DKIM_VERIFY_REASON:
    switch (dkim_cur_sig->verify_ext_status)
      {
      case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
						return US"pubkey_unavailable";
      case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
      case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:	return US"pubkey_der_syntax";
      case PDKIM_VERIFY_FAIL_BODY:		return US"bodyhash_mismatch";
      case PDKIM_VERIFY_FAIL_MESSAGE:		return US"signature_incorrect";
      }

  default:
    return US"";
  }
}


uschar *
dkim_exim_sign(int dkim_fd, uschar * dkim_private_key,
		const uschar * dkim_domain, uschar * dkim_selector,
		uschar * dkim_canon, uschar * dkim_sign_headers)
{
int sep = 0;
uschar *seen_items = NULL;
int seen_items_size = 0;
int seen_items_offset = 0;
uschar itembuf[256];
uschar *dkim_canon_expanded;
uschar *dkim_sign_headers_expanded;
uschar *dkim_private_key_expanded;
pdkim_ctx *ctx = NULL;
uschar *rc = NULL;
uschar *sigbuf = NULL;
int sigsize = 0;
int sigptr = 0;
pdkim_signature *signature;
int pdkim_canon;
int pdkim_rc;
int sread;
char buf[4096];
int save_errno = 0;
int old_pool = store_pool;

store_pool = POOL_MAIN;

if (!(dkim_domain = expand_cstring(dkim_domain)))
  {
  /* expansion error, do not send message. */
  log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	     "dkim_domain: %s", expand_string_message);
  rc = NULL;
  goto CLEANUP;
  }

/* Set $dkim_domain expansion variable to each unique domain in list. */

while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
				   itembuf, sizeof(itembuf))))
  {
  if (!dkim_signing_domain || dkim_signing_domain[0] == '\0')
    continue;

  /* Only sign once for each domain, no matter how often it
  appears in the expanded list. */

  if (seen_items)
    {
    const uschar *seen_items_list = seen_items;
    if (match_isinlist(dkim_signing_domain,
			&seen_items_list, 0, NULL, NULL, MCL_STRING, TRUE,
			NULL) == OK)
      continue;

    seen_items =
      string_append(seen_items, &seen_items_size, &seen_items_offset, 1, ":");
    }

  seen_items =
    string_append(seen_items, &seen_items_size, &seen_items_offset, 1,
		 dkim_signing_domain);
  seen_items[seen_items_offset] = '\0';

  /* Set up $dkim_selector expansion variable. */

  if (!(dkim_signing_selector = expand_string(dkim_selector)))
    {
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_selector: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
    }

  /* Get canonicalization to use */

  dkim_canon_expanded = dkim_canon ? expand_string(dkim_canon) : US"relaxed";
  if (!dkim_canon_expanded)
    {
    /* expansion error, do not send message. */
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_canon: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
    }

  if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
    pdkim_canon = PDKIM_CANON_RELAXED;
  else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
    pdkim_canon = PDKIM_CANON_SIMPLE;
  else
    {
    log_write(0, LOG_MAIN,
	       "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
	       dkim_canon_expanded);
    pdkim_canon = PDKIM_CANON_RELAXED;
    }

  dkim_sign_headers_expanded = NULL;
  if (dkim_sign_headers)
    if (!(dkim_sign_headers_expanded = expand_string(dkim_sign_headers)))
      {
      log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
		 "dkim_sign_headers: %s", expand_string_message);
      rc = NULL;
      goto CLEANUP;
      }
    			/* else pass NULL, which means default header list */

  /* Get private key to use. */

  if (!(dkim_private_key_expanded = expand_string(dkim_private_key)))
    {
    log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand "
	       "dkim_private_key: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
    }

  if (  Ustrlen(dkim_private_key_expanded) == 0
     || Ustrcmp(dkim_private_key_expanded, "0") == 0
     || Ustrcmp(dkim_private_key_expanded, "false") == 0
     )
    continue;		/* don't sign, but no error */

  if (dkim_private_key_expanded[0] == '/')
    {
    int privkey_fd = 0;

    /* Looks like a filename, load the private key. */

    memset(big_buffer, 0, big_buffer_size);
    privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY);
    if (privkey_fd < 0)
      {
      log_write(0, LOG_MAIN | LOG_PANIC, "unable to open "
		 "private key file for reading: %s",
		 dkim_private_key_expanded);
      rc = NULL;
      goto CLEANUP;
      }

    if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
      {
      log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
		 dkim_private_key_expanded);
      rc = NULL;
      goto CLEANUP;
      }

    (void) close(privkey_fd);
    dkim_private_key_expanded = big_buffer;
    }

  ctx = pdkim_init_sign( (char *) dkim_signing_domain,
			 (char *) dkim_signing_selector,
			 (char *) dkim_private_key_expanded,
			 PDKIM_ALGO_RSA_SHA256);
  pdkim_set_optional(ctx,
		      (char *) dkim_sign_headers_expanded,
		      NULL,
		      pdkim_canon,
		      pdkim_canon, -1, 0, 0);

  lseek(dkim_fd, 0, SEEK_SET);

  while ((sread = read(dkim_fd, &buf, 4096)) > 0)
    if (pdkim_feed(ctx, buf, sread) != PDKIM_OK)
      {
      rc = NULL;
      goto CLEANUP;
      }

  /* Handle failed read above. */
  if (sread == -1)
    {
    debug_printf("DKIM: Error reading -K file.\n");
    save_errno = errno;
    rc = NULL;
    goto CLEANUP;
    }

  if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
    {
    log_write(0, LOG_MAIN|LOG_PANIC, "DKIM: signing failed (RC %d)", pdkim_rc);
    rc = NULL;
    goto CLEANUP;
    }

  sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
			  US signature->signature_header, US"\r\n");

  pdkim_free_ctx(ctx);
  ctx = NULL;
  }

if (sigbuf)
  {
  sigbuf[sigptr] = '\0';
  rc = sigbuf;
  }
else
  rc = US"";

CLEANUP:
if (ctx)
  pdkim_free_ctx(ctx);
store_pool = old_pool;
errno = save_errno;
return rc;
}

#endif
Commit	Line	Data
80a47a2c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
80fea873	5	/* Copyright (c) University of Cambridge, 1995 - 2016 */
80a47a2c TK	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Code for DKIM support. Other DKIM relevant code is in
	9	receive.c, transport.c and transports/smtp.c */
	10
	11	#include "exim.h"
	12
	13	#ifndef DISABLE_DKIM
	14
	15	#include "pdkim/pdkim.h"
	16
ca9cb170	17	int dkim_verify_oldpool;
1cfe5c1c	18	pdkim_ctx *dkim_verify_ctx = NULL;
80a47a2c	19	pdkim_signature *dkim_signatures = NULL;
1cfe5c1c	20	pdkim_signature *dkim_cur_sig = NULL;
80a47a2c	21
1cfe5c1c JH	22	static int
	23	dkim_exim_query_dns_txt(char name, char answer)
	24	{
	25	dns_answer dnsa;
	26	dns_scan dnss;
	27	dns_record *rr;
80a47a2c	28
1cfe5c1c JH	29	lookup_dnssec_authenticated = NULL;
	30	if (dns_lookup(&dnsa, US name, T_TXT, NULL) != DNS_SUCCEED)
	31	return PDKIM_FAIL;
80a47a2c	32
1cfe5c1c	33	/* Search for TXT record */
80a47a2c	34
1cfe5c1c JH	35	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	36	rr;
	37	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
	38	if (rr->type == T_TXT)
	39	{
80a47a2c TK	40	int rr_offset = 0;
80a47a2c TK	41	int answer_offset = 0;
1cfe5c1c JH	42
	43	/* Copy record content to the answer buffer */
	44
	45	while (rr_offset < rr->size)
	46	{
	47	uschar len = rr->data[rr_offset++];
	48	snprintf(answer + answer_offset,
	49	PDKIM_DNS_TXT_MAX_RECLEN - answer_offset,
	50	"%.s", (int)len, (char ) (rr->data + rr_offset));
	51	rr_offset += len;
	52	answer_offset += len;
	53	if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)
	54	return PDKIM_FAIL;
4263f395	55	}
1cfe5c1c	56	return PDKIM_OK;
80a47a2c	57	}
80a47a2c	58
1cfe5c1c	59	return PDKIM_FAIL;
80a47a2c TK	60	}
	61
	62
2592e6c0 JH	63	void
	64	dkim_exim_init(void)
	65	{
	66	pdkim_init();
	67	}
	68
	69
ca9cb170	70
1cfe5c1c JH	71	void
	72	dkim_exim_verify_init(void)
	73	{
ca9cb170 JH	74	/* There is a store-reset between header & body reception
	75	so cannot use the main pool. Any allocs done by Exim
	76	memory-handling must use the perm pool. */
	77
	78	dkim_verify_oldpool = store_pool;
	79	store_pool = POOL_PERM;
	80
1cfe5c1c	81	/* Free previous context if there is one */
80a47a2c	82
1cfe5c1c JH	83	if (dkim_verify_ctx)
1cfe5c1c JH	84	pdkim_free_ctx(dkim_verify_ctx);
80a47a2c	85
1cfe5c1c	86	/* Create new context */
80a47a2c	87
0d04a285	88	dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt);
3b957582	89	dkim_collect_input = !!dkim_verify_ctx;
ca9cb170	90
584e96c6 JH	91	/* Start feed up with any cached data */
	92	receive_get_cache();
	93
ca9cb170	94	store_pool = dkim_verify_oldpool;
80a47a2c TK	95	}
	96
	97
1cfe5c1c JH	98	void
	99	dkim_exim_verify_feed(uschar * data, int len)
	100	{
ca9cb170	101	store_pool = POOL_PERM;
1cfe5c1c JH	102	if ( dkim_collect_input
	103	&& pdkim_feed(dkim_verify_ctx, (char *)data, len) != PDKIM_OK)
	104	dkim_collect_input = FALSE;
ca9cb170	105	store_pool = dkim_verify_oldpool;
80a47a2c TK	106	}
	107
	108
1cfe5c1c JH	109	void
	110	dkim_exim_verify_finish(void)
	111	{
	112	pdkim_signature *sig = NULL;
	113	int dkim_signers_size = 0;
	114	int dkim_signers_ptr = 0;
	115	dkim_signers = NULL;
	116
ca9cb170 JH	117	store_pool = POOL_PERM;
ca9cb170 JH	118
1cfe5c1c JH	119	/* Delete eventual previous signature chain */
	120
	121	dkim_signatures = NULL;
	122
	123	/* If we have arrived here with dkim_collect_input == FALSE, it
	124	means there was a processing error somewhere along the way.
	125	Log the incident and disable futher verification. */
	126
	127	if (!dkim_collect_input)
	128	{
	129	log_write(0, LOG_MAIN,
	130	"DKIM: Error while running this message through validation,"
	131	" disabling signature verification.");
	132	dkim_disable_verify = TRUE;
ca9cb170	133	goto out;
1cfe5c1c	134	}
80a47a2c	135
1cfe5c1c	136	dkim_collect_input = FALSE;
80a47a2c	137
1cfe5c1c	138	/* Finish DKIM operation and fetch link to signatures chain */
80a47a2c	139
1cfe5c1c	140	if (pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures) != PDKIM_OK)
ca9cb170	141	goto out;
1cfe5c1c JH	142
	143	for (sig = dkim_signatures; sig; sig = sig->next)
	144	{
	145	int size = 0;
	146	int ptr = 0;
	147
	148	/* Log a line for each signature */
	149
	150	uschar *logmsg = string_append(NULL, &size, &ptr, 5,
abe1010c	151	string_sprintf("d=%s s=%s c=%s/%s a=%s b=%d ",
1cfe5c1c JH	152	sig->domain,
1cfe5c1c JH	153	sig->selector,
07eeb4df	154	sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	155	sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
	156	sig->algo == PDKIM_ALGO_RSA_SHA256
	157	? "rsa-sha256"
	158	: sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err",
	159	(int)sig->sigdata.len > -1 ? sig->sigdata.len * 8 : 0
abe1010c	160	),
1cfe5c1c JH	161
	162	sig->identity ? string_sprintf("i=%s ", sig->identity) : US"",
	163	sig->created > 0 ? string_sprintf("t=%lu ", sig->created) : US"",
	164	sig->expires > 0 ? string_sprintf("x=%lu ", sig->expires) : US"",
	165	sig->bodylength > -1 ? string_sprintf("l=%lu ", sig->bodylength) : US""
	166	);
	167
	168	switch (sig->verify_status)
	169	{
	170	case PDKIM_VERIFY_NONE:
	171	logmsg = string_append(logmsg, &size, &ptr, 1, "[not verified]");
80a47a2c	172	break;
1cfe5c1c JH	173
	174	case PDKIM_VERIFY_INVALID:
	175	logmsg = string_append(logmsg, &size, &ptr, 1, "[invalid - ");
	176	switch (sig->verify_ext_status)
	177	{
	178	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	179	logmsg = string_append(logmsg, &size, &ptr, 1,
	180	"public key record (currently?) unavailable]");
	181	break;
	182
	183	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
	184	logmsg = string_append(logmsg, &size, &ptr, 1,
	185	"overlong public key record]");
	186	break;
	187
df3def24 JH	188	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
df3def24 JH	189	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
1cfe5c1c JH	190	logmsg = string_append(logmsg, &size, &ptr, 1,
	191	"syntax error in public key record]");
	192	break;
07eeb4df	193
	194	case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
	195	logmsg = string_append(logmsg, &size, &ptr, 1,
	196	"signature tag missing or invalid]");
	197	break;
	198
	199	case PDKIM_VERIFY_INVALID_DKIM_VERSION:
	200	logmsg = string_append(logmsg, &size, &ptr, 1,
	201	"unsupported DKIM version]");
	202	break;
1cfe5c1c JH	203
	204	default:
	205	logmsg = string_append(logmsg, &size, &ptr, 1,
	206	"unspecified problem]");
	207	}
80a47a2c	208	break;
1cfe5c1c JH	209
	210	case PDKIM_VERIFY_FAIL:
	211	logmsg =
	212	string_append(logmsg, &size, &ptr, 1, "[verification failed - ");
	213	switch (sig->verify_ext_status)
	214	{
	215	case PDKIM_VERIFY_FAIL_BODY:
	216	logmsg = string_append(logmsg, &size, &ptr, 1,
	217	"body hash mismatch (body probably modified in transit)]");
	218	break;
	219
	220	case PDKIM_VERIFY_FAIL_MESSAGE:
	221	logmsg = string_append(logmsg, &size, &ptr, 1,
	222	"signature did not verify (headers probably modified in transit)]");
	223	break;
	224
	225	default:
	226	logmsg = string_append(logmsg, &size, &ptr, 1, "unspecified reason]");
	227	}
80a47a2c	228	break;
1cfe5c1c JH	229
	230	case PDKIM_VERIFY_PASS:
	231	logmsg =
	232	string_append(logmsg, &size, &ptr, 1, "[verification succeeded]");
80a47a2c TK	233	break;
	234	}
	235
1cfe5c1c JH	236	logmsg[ptr] = '\0';
1cfe5c1c JH	237	log_write(0, LOG_MAIN, "DKIM: %s", logmsg);
80a47a2c	238
1cfe5c1c JH	239	/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
	240
	241	dkim_signers = string_append(dkim_signers,
	242	&dkim_signers_size,
	243	&dkim_signers_ptr, 2, sig->domain, ":");
	244
	245	if (sig->identity)
9e5d6b55	246	dkim_signers = string_append(dkim_signers,
1cfe5c1c JH	247	&dkim_signers_size,
1cfe5c1c JH	248	&dkim_signers_ptr, 2, sig->identity, ":");
80a47a2c	249
1cfe5c1c	250	/* Process next signature */
80a47a2c TK	251	}
80a47a2c TK	252
1cfe5c1c JH	253	/* NULL-terminate and chop the last colon from the domain list */
	254
	255	if (dkim_signers)
	256	{
	257	dkim_signers[dkim_signers_ptr] = '\0';
	258	if (Ustrlen(dkim_signers) > 0)
	259	dkim_signers[Ustrlen(dkim_signers) - 1] = '\0';
0d2b278d	260	}
ca9cb170 JH	261
	262	out:
	263	store_pool = dkim_verify_oldpool;
80a47a2c TK	264	}
	265
	266
1cfe5c1c JH	267	void
	268	dkim_exim_acl_setup(uschar * id)
	269	{
	270	pdkim_signature * sig;
	271	uschar * cmp_val;
	272
1cfe5c1c JH	273	dkim_cur_sig = NULL;
	274	dkim_cur_signer = id;
	275
	276	if (dkim_disable_verify \|\| !id \|\| !dkim_verify_ctx)
	277	return;
	278
	279	/* Find signature to run ACL on */
	280
	281	for (sig = dkim_signatures; sig; sig = sig->next)
	282	if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
	283	&& strcmpic(cmp_val, id) == 0
	284	)
	285	{
	286	dkim_cur_sig = sig;
	287
	288	/* The "dkim_domain" and "dkim_selector" expansion variables have
	289	related globals, since they are used in the signing code too.
	290	Instead of inventing separate names for verification, we set
	291	them here. This is easy since a domain and selector is guaranteed
	292	to be in a signature. The other dkim_* expansion items are
	293	dynamically fetched from dkim_cur_sig at expansion time (see
	294	function below). */
	295
	296	dkim_signing_domain = US sig->domain;
	297	dkim_signing_selector = US sig->selector;
2592e6c0	298	dkim_key_length = sig->sigdata.len * 8;
1cfe5c1c	299	return;
80a47a2c	300	}
80a47a2c TK	301	}
	302
	303
1cfe5c1c JH	304	static uschar *
	305	dkim_exim_expand_defaults(int what)
	306	{
	307	switch (what)
	308	{
	309	case DKIM_ALGO: return US"";
	310	case DKIM_BODYLENGTH: return US"9999999999999";
	311	case DKIM_CANON_BODY: return US"";
	312	case DKIM_CANON_HEADERS: return US"";
	313	case DKIM_COPIEDHEADERS: return US"";
	314	case DKIM_CREATED: return US"0";
	315	case DKIM_EXPIRES: return US"9999999999999";
	316	case DKIM_HEADERNAMES: return US"";
	317	case DKIM_IDENTITY: return US"";
	318	case DKIM_KEY_GRANULARITY: return US"*";
	319	case DKIM_KEY_SRVTYPE: return US"*";
	320	case DKIM_KEY_NOTES: return US"";
	321	case DKIM_KEY_TESTING: return US"0";
	322	case DKIM_NOSUBDOMAINS: return US"0";
	323	case DKIM_VERIFY_STATUS: return US"none";
	324	case DKIM_VERIFY_REASON: return US"";
	325	default: return US"";
	326	}
	327	}
80a47a2c	328
80a47a2c	329
1cfe5c1c JH	330	uschar *
	331	dkim_exim_expand_query(int what)
	332	{
	333	if (!dkim_verify_ctx \|\| dkim_disable_verify \|\| !dkim_cur_sig)
	334	return dkim_exim_expand_defaults(what);
	335
	336	switch (what)
	337	{
	338	case DKIM_ALGO:
	339	switch (dkim_cur_sig->algo)
	340	{
	341	case PDKIM_ALGO_RSA_SHA1: return US"rsa-sha1";
	342	case PDKIM_ALGO_RSA_SHA256:
	343	default: return US"rsa-sha256";
da5dfc3a	344	}
1cfe5c1c JH	345
	346	case DKIM_BODYLENGTH:
	347	return dkim_cur_sig->bodylength >= 0
	348	? string_sprintf(OFF_T_FMT, (LONGLONG_T) dkim_cur_sig->bodylength)
	349	: dkim_exim_expand_defaults(what);
	350
	351	case DKIM_CANON_BODY:
	352	switch (dkim_cur_sig->canon_body)
	353	{
	354	case PDKIM_CANON_RELAXED: return US"relaxed";
	355	case PDKIM_CANON_SIMPLE:
	356	default: return US"simple";
80a47a2c	357	}
1cfe5c1c JH	358
	359	case DKIM_CANON_HEADERS:
	360	switch (dkim_cur_sig->canon_headers)
	361	{
	362	case PDKIM_CANON_RELAXED: return US"relaxed";
	363	case PDKIM_CANON_SIMPLE:
	364	default: return US"simple";
	365	}
	366
	367	case DKIM_COPIEDHEADERS:
	368	return dkim_cur_sig->copiedheaders
	369	? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
	370
	371	case DKIM_CREATED:
	372	return dkim_cur_sig->created > 0
	373	? string_sprintf("%llu", dkim_cur_sig->created)
	374	: dkim_exim_expand_defaults(what);
	375
	376	case DKIM_EXPIRES:
	377	return dkim_cur_sig->expires > 0
	378	? string_sprintf("%llu", dkim_cur_sig->expires)
	379	: dkim_exim_expand_defaults(what);
	380
	381	case DKIM_HEADERNAMES:
	382	return dkim_cur_sig->headernames
2592e6c0	383	? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
1cfe5c1c JH	384
	385	case DKIM_IDENTITY:
	386	return dkim_cur_sig->identity
	387	? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
	388
	389	case DKIM_KEY_GRANULARITY:
	390	return dkim_cur_sig->pubkey
	391	? dkim_cur_sig->pubkey->granularity
	392	? US dkim_cur_sig->pubkey->granularity
	393	: dkim_exim_expand_defaults(what)
	394	: dkim_exim_expand_defaults(what);
	395
	396	case DKIM_KEY_SRVTYPE:
	397	return dkim_cur_sig->pubkey
	398	? dkim_cur_sig->pubkey->srvtype
	399	? US dkim_cur_sig->pubkey->srvtype
	400	: dkim_exim_expand_defaults(what)
	401	: dkim_exim_expand_defaults(what);
	402
	403	case DKIM_KEY_NOTES:
	404	return dkim_cur_sig->pubkey
	405	? dkim_cur_sig->pubkey->notes
	406	? US dkim_cur_sig->pubkey->notes
	407	: dkim_exim_expand_defaults(what)
	408	: dkim_exim_expand_defaults(what);
	409
	410	case DKIM_KEY_TESTING:
	411	return dkim_cur_sig->pubkey
	412	? dkim_cur_sig->pubkey->testing
	413	? US"1"
	414	: dkim_exim_expand_defaults(what)
	415	: dkim_exim_expand_defaults(what);
	416
	417	case DKIM_NOSUBDOMAINS:
	418	return dkim_cur_sig->pubkey
	419	? dkim_cur_sig->pubkey->no_subdomaining
	420	? US"1"
	421	: dkim_exim_expand_defaults(what)
	422	: dkim_exim_expand_defaults(what);
	423
	424	case DKIM_VERIFY_STATUS:
	425	switch (dkim_cur_sig->verify_status)
	426	{
	427	case PDKIM_VERIFY_INVALID: return US"invalid";
	428	case PDKIM_VERIFY_FAIL: return US"fail";
	429	case PDKIM_VERIFY_PASS: return US"pass";
	430	case PDKIM_VERIFY_NONE:
	431	default: return US"none";
80a47a2c	432	}
80a47a2c	433
1cfe5c1c JH	434	case DKIM_VERIFY_REASON:
	435	switch (dkim_cur_sig->verify_ext_status)
	436	{
	437	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
	438	return US"pubkey_unavailable";
df3def24 JH	439	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
df3def24 JH	440	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return US"pubkey_der_syntax";
1cfe5c1c JH	441	case PDKIM_VERIFY_FAIL_BODY: return US"bodyhash_mismatch";
	442	case PDKIM_VERIFY_FAIL_MESSAGE: return US"signature_incorrect";
	443	}
80a47a2c	444
1cfe5c1c JH	445	default:
1cfe5c1c JH	446	return US"";
80a47a2c TK	447	}
	448	}
	449
	450
55414b25	451	uschar *
1cfe5c1c JH	452	dkim_exim_sign(int dkim_fd, uschar * dkim_private_key,
	453	const uschar * dkim_domain, uschar * dkim_selector,
	454	uschar * dkim_canon, uschar * dkim_sign_headers)
55414b25	455	{
1cfe5c1c JH	456	int sep = 0;
	457	uschar *seen_items = NULL;
	458	int seen_items_size = 0;
	459	int seen_items_offset = 0;
	460	uschar itembuf[256];
	461	uschar *dkim_canon_expanded;
	462	uschar *dkim_sign_headers_expanded;
	463	uschar *dkim_private_key_expanded;
	464	pdkim_ctx *ctx = NULL;
	465	uschar *rc = NULL;
	466	uschar *sigbuf = NULL;
	467	int sigsize = 0;
	468	int sigptr = 0;
	469	pdkim_signature *signature;
	470	int pdkim_canon;
	471	int pdkim_rc;
	472	int sread;
	473	char buf[4096];
	474	int save_errno = 0;
	475	int old_pool = store_pool;
	476
	477	store_pool = POOL_MAIN;
	478
	479	if (!(dkim_domain = expand_cstring(dkim_domain)))
	480	{
	481	/* expansion error, do not send message. */
	482	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	483	"dkim_domain: %s", expand_string_message);
	484	rc = NULL;
	485	goto CLEANUP;
	486	}
	487
	488	/* Set $dkim_domain expansion variable to each unique domain in list. */
	489
	490	while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
	491	itembuf, sizeof(itembuf))))
	492	{
	493	if (!dkim_signing_domain \|\| dkim_signing_domain[0] == '\0')
	494	continue;
	495
	496	/* Only sign once for each domain, no matter how often it
	497	appears in the expanded list. */
	498
	499	if (seen_items)
	500	{
	501	const uschar *seen_items_list = seen_items;
	502	if (match_isinlist(dkim_signing_domain,
	503	&seen_items_list, 0, NULL, NULL, MCL_STRING, TRUE,
	504	NULL) == OK)
	505	continue;
	506
	507	seen_items =
	508	string_append(seen_items, &seen_items_size, &seen_items_offset, 1, ":");
	509	}
	510
	511	seen_items =
	512	string_append(seen_items, &seen_items_size, &seen_items_offset, 1,
	513	dkim_signing_domain);
	514	seen_items[seen_items_offset] = '\0';
	515
	516	/* Set up $dkim_selector expansion variable. */
	517
	518	if (!(dkim_signing_selector = expand_string(dkim_selector)))
	519	{
520	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
521	"dkim_selector: %s", expand_string_message);
522	rc = NULL;
523	goto CLEANUP;
524	}
525
526	/* Get canonicalization to use */
527
528	dkim_canon_expanded = dkim_canon ? expand_string(dkim_canon) : US"relaxed";
529	if (!dkim_canon_expanded)
530	{
80a47a2c	531	/* expansion error, do not send message. */
1cfe5c1c JH	532	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
1cfe5c1c JH	533	"dkim_canon: %s", expand_string_message);
80a47a2c TK	534	rc = NULL;
80a47a2c TK	535	goto CLEANUP;
1cfe5c1c	536	}
80a47a2c	537
1cfe5c1c JH	538	if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
	539	pdkim_canon = PDKIM_CANON_RELAXED;
	540	else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
	541	pdkim_canon = PDKIM_CANON_SIMPLE;
	542	else
	543	{
	544	log_write(0, LOG_MAIN,
	545	"DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
	546	dkim_canon_expanded);
	547	pdkim_canon = PDKIM_CANON_RELAXED;
a8e1eeba	548	}
1cfe5c1c JH	549
	550	dkim_sign_headers_expanded = NULL;
	551	if (dkim_sign_headers)
	552	if (!(dkim_sign_headers_expanded = expand_string(dkim_sign_headers)))
	553	{
	554	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	555	"dkim_sign_headers: %s", expand_string_message);
a8e1eeba MH	556	rc = NULL;
a8e1eeba MH	557	goto CLEANUP;
1cfe5c1c JH	558	}
	559	/* else pass NULL, which means default header list */
	560
	561	/* Get private key to use. */
	562
	563	if (!(dkim_private_key_expanded = expand_string(dkim_private_key)))
	564	{
	565	log_write(0, LOG_MAIN \| LOG_PANIC, "failed to expand "
	566	"dkim_private_key: %s", expand_string_message);
	567	rc = NULL;
	568	goto CLEANUP;
a8e1eeba	569	}
80a47a2c	570
1cfe5c1c JH	571	if ( Ustrlen(dkim_private_key_expanded) == 0
	572	\|\| Ustrcmp(dkim_private_key_expanded, "0") == 0
	573	\|\| Ustrcmp(dkim_private_key_expanded, "false") == 0
	574	)
	575	continue; /* don't sign, but no error */
	576
	577	if (dkim_private_key_expanded[0] == '/')
	578	{
	579	int privkey_fd = 0;
	580
	581	/* Looks like a filename, load the private key. */
	582
	583	memset(big_buffer, 0, big_buffer_size);
	584	privkey_fd = open(CS dkim_private_key_expanded, O_RDONLY);
	585	if (privkey_fd < 0)
	586	{
	587	log_write(0, LOG_MAIN \| LOG_PANIC, "unable to open "
	588	"private key file for reading: %s",
	589	dkim_private_key_expanded);
80a47a2c TK	590	rc = NULL;
80a47a2c TK	591	goto CLEANUP;
db4d0902	592	}
80a47a2c	593
1cfe5c1c JH	594	if (read(privkey_fd, big_buffer, big_buffer_size - 2) < 0)
	595	{
	596	log_write(0, LOG_MAIN\|LOG_PANIC, "unable to read private key file: %s",
	597	dkim_private_key_expanded);
cf745305 TK	598	rc = NULL;
cf745305 TK	599	goto CLEANUP;
1ac6b2e7	600	}
80a47a2c	601
1cfe5c1c JH	602	(void) close(privkey_fd);
1cfe5c1c JH	603	dkim_private_key_expanded = big_buffer;
a8e1eeba	604	}
1cfe5c1c	605
0d04a285	606	ctx = pdkim_init_sign( (char *) dkim_signing_domain,
1cfe5c1c	607	(char *) dkim_signing_selector,
f444c2c7 JH	608	(char *) dkim_private_key_expanded,
f444c2c7 JH	609	PDKIM_ALGO_RSA_SHA256);
1cfe5c1c JH	610	pdkim_set_optional(ctx,
	611	(char *) dkim_sign_headers_expanded,
	612	NULL,
	613	pdkim_canon,
f444c2c7	614	pdkim_canon, -1, 0, 0);
1cfe5c1c JH	615
	616	lseek(dkim_fd, 0, SEEK_SET);
	617
	618	while ((sread = read(dkim_fd, &buf, 4096)) > 0)
	619	if (pdkim_feed(ctx, buf, sread) != PDKIM_OK)
	620	{
80a47a2c TK	621	rc = NULL;
80a47a2c TK	622	goto CLEANUP;
1cfe5c1c JH	623	}
	624
	625	/* Handle failed read above. */
	626	if (sread == -1)
	627	{
	628	debug_printf("DKIM: Error reading -K file.\n");
	629	save_errno = errno;
	630	rc = NULL;
	631	goto CLEANUP;
80a47a2c	632	}
80a47a2c	633
1cfe5c1c JH	634	if ((pdkim_rc = pdkim_feed_finish(ctx, &signature)) != PDKIM_OK)
	635	{
	636	log_write(0, LOG_MAIN\|LOG_PANIC, "DKIM: signing failed (RC %d)", pdkim_rc);
	637	rc = NULL;
	638	goto CLEANUP;
a8e1eeba	639	}
80a47a2c	640
1cfe5c1c JH	641	sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
1cfe5c1c JH	642	US signature->signature_header, US"\r\n");
80a47a2c	643
1cfe5c1c JH	644	pdkim_free_ctx(ctx);
1cfe5c1c JH	645	ctx = NULL;
80a47a2c	646	}
a8e1eeba	647
1cfe5c1c JH	648	if (sigbuf)
	649	{
	650	sigbuf[sigptr] = '\0';
	651	rc = sigbuf;
	652	}
	653	else
	654	rc = US"";
	655
	656	CLEANUP:
	657	if (ctx)
	658	pdkim_free_ctx(ctx);
	659	store_pool = old_pool;
	660	errno = save_errno;
	661	return rc;
93f2d376	662	}
80a47a2c TK	663
80a47a2c TK	664	#endif