From: Jeremy Harris Date: Sat, 7 Apr 2018 19:58:14 +0000 (+0100) Subject: Clear more globals between messages X-Git-Tag: exim-4.92-RC1~216^2~1 X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=50891fa36050cd6e1ff902bc0cf3b82ad4399417 Clear more globals between messages --- diff --git a/src/src/dkim.c b/src/src/dkim.c index 043fcc6dc..e26ae7bbd 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -30,7 +30,6 @@ pdkim_ctx dkim_sign_ctx; int dkim_verify_oldpool; pdkim_ctx *dkim_verify_ctx = NULL; -pdkim_signature *dkim_signatures = NULL; pdkim_signature *dkim_cur_sig = NULL; static const uschar * dkim_collect_error = NULL; @@ -313,7 +312,8 @@ dkim_collect_input = FALSE; /* Finish DKIM operation and fetch link to signatures chain */ -rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr); +rc = pdkim_feed_finish(dkim_verify_ctx, (pdkim_signature **)&dkim_signatures, + &errstr); if (rc != PDKIM_OK && errstr) log_write(0, LOG_MAIN, "DKIM: validation error: %s", errstr); @@ -395,7 +395,7 @@ for (sig = dkim_signatures; sig; sig = sig->next) them here. This is easy since a domain and selector is guaranteed to be in a signature. The other dkim_* expansion items are dynamically fetched from dkim_cur_sig at expansion time (see - function below). */ + dkim_exim_expand_query() below). */ dkim_cur_sig = sig; dkim_signing_domain = US sig->domain; diff --git a/src/src/dmarc.c b/src/src/dmarc.c index 0032afe87..eb4d63620 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -28,7 +28,6 @@ OPENDMARC_STATUS_T libdm_status, action, dmarc_policy; OPENDMARC_STATUS_T da, sa, action; BOOL dmarc_abort = FALSE; uschar *dmarc_pass_fail = US"skipped"; -extern pdkim_signature *dkim_signatures; header_line *from_header = NULL; extern SPF_response_t *spf_response; int dmarc_spf_ares_result = 0; @@ -217,7 +216,7 @@ dmarc_process() int sr, origin; /* used in SPF section */ int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */ int tmp_ans, c; -pdkim_signature *sig = NULL; +pdkim_signature * sig = dkim_signatures; BOOL has_dmarc_record = TRUE; u_char **ruf; /* forensic report addressees, if called for */ @@ -238,27 +237,27 @@ if (!from_header || dmarc_abort) dmarc_abort = TRUE; else { - uschar * errormsg; - int dummy, domain; - uschar * p; - uschar saveend; - - parse_allow_group = TRUE; - p = parse_find_address_end(from_header->text, FALSE); - saveend = *p; *p = '\0'; - if ((header_from_sender = parse_extract_address(from_header->text, &errormsg, - &dummy, &dummy, &domain, FALSE))) - header_from_sender += domain; - *p = saveend; - - /* The opendmarc library extracts the domain from the email address, but - * only try to store it if it's not empty. Otherwise, skip out of DMARC. */ - if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0)) - dmarc_abort = TRUE; - libdm_status = dmarc_abort ? - DMARC_PARSE_OKAY : - opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender); - if (libdm_status != DMARC_PARSE_OKAY) + uschar * errormsg; + int dummy, domain; + uschar * p; + uschar saveend; + + parse_allow_group = TRUE; + p = parse_find_address_end(from_header->text, FALSE); + saveend = *p; *p = '\0'; + if ((header_from_sender = parse_extract_address(from_header->text, &errormsg, + &dummy, &dummy, &domain, FALSE))) + header_from_sender += domain; + *p = saveend; + + /* The opendmarc library extracts the domain from the email address, but + * only try to store it if it's not empty. Otherwise, skip out of DMARC. */ + if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0)) + dmarc_abort = TRUE; + libdm_status = dmarc_abort + ? DMARC_PARSE_OKAY + : opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender); + if (libdm_status != DMARC_PARSE_OKAY) { log_write(0, LOG_MAIN|LOG_PANIC, "failure to store header From: in DMARC: %s, header was '%s'", @@ -271,6 +270,8 @@ else * instead do this in the ACLs. */ if (!dmarc_abort && !sender_host_authenticated) { + uschar * dmarc_domain; + /* Use the envelope sender domain for this part of DMARC */ spf_sender_domain = expand_string(US"$sender_address_domain"); if (!spf_response) @@ -325,11 +326,11 @@ if (!dmarc_abort && !sender_host_authenticated) /* Now we cycle through the dkim signature results and put into * the opendmarc context, further building the DMARC reply. */ - sig = dkim_signatures; dkim_history_buffer = US""; while (sig) { int dkim_result, dkim_ares_result, vs, ves; + vs = sig->verify_status & ~PDKIM_VERIFY_POLICY; ves = sig->verify_ext_status; dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS : @@ -398,9 +399,9 @@ if (!dmarc_abort && !sender_host_authenticated) } /* Can't use exim's string manipulation functions so allocate memory - * for libopendmarc using its max hostname length definition. */ + for libopendmarc using its max hostname length definition. */ - uschar *dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); + dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain, DMARC_MAXHOSTNAMELEN-1); dmarc_used_domain = string_copy(dmarc_domain); @@ -411,8 +412,7 @@ if (!dmarc_abort && !sender_host_authenticated) "failure to read domainname used for DMARC lookup: %s", opendmarc_policy_status_to_str(libdm_status)); - libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx); - dmarc_policy = libdm_status; + dmarc_policy = libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx); switch(libdm_status) { case DMARC_POLICY_ABSENT: /* No DMARC record found */ @@ -464,7 +464,7 @@ if (!dmarc_abort && !sender_host_authenticated) log_write(0, LOG_MAIN|LOG_PANIC, "failure to read DMARC alignment: %s", opendmarc_policy_status_to_str(libdm_status)); - if (has_dmarc_record == TRUE) + if (has_dmarc_record) { log_write(0, LOG_MAIN, "DMARC results: spf_domain=%s dmarc_domain=%s " "spf_align=%s dkim_align=%s enforcement='%s'", @@ -483,9 +483,9 @@ if (!dmarc_abort && !sender_host_authenticated) dmarc_ar_header = dmarc_auth_results_header(from_header, NULL); /* shut down libopendmarc */ -if ( dmarc_pctx != NULL ) +if (dmarc_pctx) (void) opendmarc_policy_connect_shutdown(dmarc_pctx); -if ( dmarc_disable_verify == FALSE ) +if (!dmarc_disable_verify) (void) opendmarc_policy_library_shutdown(&dmarc_ctx); return OK; diff --git a/src/src/globals.c b/src/src/globals.c index 705b1dd0c..16a5ab42e 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -672,6 +672,7 @@ BOOL dkim_collect_input = FALSE; uschar *dkim_cur_signer = NULL; BOOL dkim_disable_verify = FALSE; int dkim_key_length = 0; +void *dkim_signatures = NULL; uschar *dkim_signers = NULL; uschar *dkim_signing_domain = NULL; uschar *dkim_signing_selector = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index dbc706037..7e3b69260 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -395,6 +395,7 @@ extern BOOL dkim_collect_input; /* Runtime flag that tracks wether SMTP i extern uschar *dkim_cur_signer; /* Expansion variable, holds the current "signer" domain or identity during a acl_smtp_dkim run */ extern BOOL dkim_disable_verify; /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */ extern int dkim_key_length; /* Expansion variable, length of signing key in bits */ +extern void *dkim_signatures; /* Actually a (pdkim_signature *) but most files do not need to know */ extern uschar *dkim_signers; /* Expansion variable, holds colon-separated list of domains and identities that have signed a message */ extern uschar *dkim_signing_domain; /* Expansion variable, domain used for signing a message. */ extern uschar *dkim_signing_selector; /* Expansion variable, selector used for signing a message. */ diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 823fcd27d..2881dd959 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2040,9 +2040,16 @@ bmi_verdicts = NULL; #endif dnslist_domain = dnslist_matched = NULL; #ifndef DISABLE_DKIM -dkim_cur_signer = dkim_signers = NULL; +dkim_cur_signer = dkim_signers = +dkim_signing_domain = dkim_signing_selector = dkim_signatures = NULL; dkim_disable_verify = dkim_collect_input = FALSE; #endif +#ifdef EXPERIMENTAL_DMARC +dmarc_has_been_checked = dmarc_disable_verify = dmarc_enable_forensic = FALSE; +dmarc_ar_header = dmarc_domain_policy = dmarc_forensic_sender = +dmarc_history_file = dmarc_status = dmarc_status_text = dmarc_tld_file = +dmarc_used_domain = NULL; +#endif dsn_ret = 0; dsn_envid = NULL; deliver_host = deliver_host_address = NULL; /* Can be set by ACL */