Ejemplo n.º 1
0
void
dkim_exim_verify_init(void)
{
/* Free previous context if there is one */

if (dkim_verify_ctx)
  pdkim_free_ctx(dkim_verify_ctx);

/* Create new context */

dkim_verify_ctx = pdkim_init_verify(PDKIM_INPUT_SMTP, &dkim_exim_query_dns_txt);

if ((dkim_collect_input = !!dkim_verify_ctx))
  pdkim_set_debug_stream(dkim_verify_ctx, debug_file);
}
Ejemplo n.º 2
0
uschar *dkim_exim_sign(int dkim_fd,
                       uschar *dkim_private_key,
                       uschar *dkim_domain,
                       uschar *dkim_selector,
                       uschar *dkim_canon,
                       uschar *dkim_sign_headers) {
  int sep = 0;
  uschar *seen_items = NULL;
  int seen_items_size = 0;
  int seen_items_offset = 0;
  uschar itembuf[256];
  uschar *dkim_canon_expanded;
  uschar *dkim_sign_headers_expanded;
  uschar *dkim_private_key_expanded;
  pdkim_ctx *ctx = NULL;
  uschar *rc = NULL;
  uschar *sigbuf = NULL;
  int sigsize = 0;
  int sigptr = 0;
  pdkim_signature *signature;
  int pdkim_canon;
  int pdkim_rc;
  int sread;
  char buf[4096];
  int save_errno = 0;
  int old_pool = store_pool;

  store_pool = POOL_MAIN;

  dkim_domain = expand_string(dkim_domain);
  if (dkim_domain == NULL) {
    /* expansion error, do not send message. */
    log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
          "dkim_domain: %s", expand_string_message);
    rc = NULL;
    goto CLEANUP;
  }

  /* Set $dkim_domain expansion variable to each unique domain in list. */
  while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
                                                  itembuf,
                                                  sizeof(itembuf))) != NULL) {
    if (!dkim_signing_domain || (dkim_signing_domain[0] == '\0')) continue;
    /* Only sign once for each domain, no matter how often it
       appears in the expanded list. */
    if (seen_items != NULL) {
      uschar *seen_items_list = seen_items;
      if (match_isinlist(dkim_signing_domain,
                         &seen_items_list,0,NULL,NULL,MCL_STRING,TRUE,NULL) == OK)
        continue;
      seen_items = string_append(seen_items,&seen_items_size,&seen_items_offset,1,":");
    }
    seen_items = string_append(seen_items,&seen_items_size,&seen_items_offset,1,dkim_signing_domain);
    seen_items[seen_items_offset] = '\0';

    /* Set up $dkim_selector expansion variable. */
    dkim_signing_selector = expand_string(dkim_selector);
    if (dkim_signing_selector == NULL) {
      log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
                "dkim_selector: %s", expand_string_message);
      rc = NULL;
      goto CLEANUP;
    }

    /* Get canonicalization to use */
    dkim_canon_expanded = expand_string(dkim_canon?dkim_canon:US"relaxed");
    if (dkim_canon_expanded == NULL) {
      /* expansion error, do not send message. */
      log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
                "dkim_canon: %s", expand_string_message);
      rc = NULL;
      goto CLEANUP;
    }
    if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
      pdkim_canon = PDKIM_CANON_RELAXED;
    else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
      pdkim_canon = PDKIM_CANON_SIMPLE;
    else {
      log_write(0, LOG_MAIN, "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",dkim_canon_expanded);
      pdkim_canon = PDKIM_CANON_RELAXED;
    }

    if (dkim_sign_headers) {
      dkim_sign_headers_expanded = expand_string(dkim_sign_headers);
      if (dkim_sign_headers_expanded == NULL) {
        log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
                  "dkim_sign_headers: %s", expand_string_message);
        rc = NULL;
        goto CLEANUP;
      }
    }
    else {
      /* pass NULL, which means default header list */
      dkim_sign_headers_expanded = NULL;
    }

    /* Get private key to use. */
    dkim_private_key_expanded = expand_string(dkim_private_key);
    if (dkim_private_key_expanded == NULL) {
      log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
                "dkim_private_key: %s", expand_string_message);
      rc = NULL;
      goto CLEANUP;
    }
    if ( (Ustrlen(dkim_private_key_expanded) == 0) ||
         (Ustrcmp(dkim_private_key_expanded,"0") == 0) ||
         (Ustrcmp(dkim_private_key_expanded,"false") == 0) ) {
      /* don't sign, but no error */
      continue;
    }

    if (dkim_private_key_expanded[0] == '/') {
      int privkey_fd = 0;
      /* Looks like a filename, load the private key. */
      memset(big_buffer,0,big_buffer_size);
      privkey_fd = open(CS dkim_private_key_expanded,O_RDONLY);
      if (privkey_fd < 0) {
        log_write(0, LOG_MAIN|LOG_PANIC, "unable to open "
                  "private key file for reading: %s", dkim_private_key_expanded);
        rc = NULL;
        goto CLEANUP;
      }
      if (read(privkey_fd,big_buffer,(big_buffer_size-2)) < 0) {
        log_write(0, LOG_MAIN|LOG_PANIC, "unable to read private key file: %s",
	  dkim_private_key_expanded);
        rc = NULL;
        goto CLEANUP;
      }
      (void)close(privkey_fd);
      dkim_private_key_expanded = big_buffer;
    }

    ctx = pdkim_init_sign(PDKIM_INPUT_SMTP,
                          (char *)dkim_signing_domain,
                          (char *)dkim_signing_selector,
                          (char *)dkim_private_key_expanded
                         );

    pdkim_set_debug_stream(ctx,debug_file);

    pdkim_set_optional(ctx,
                       (char *)dkim_sign_headers_expanded,
                       NULL,
                       pdkim_canon,
                       pdkim_canon,
                       -1,
                       PDKIM_ALGO_RSA_SHA256,
                       0,
                       0);

    lseek(dkim_fd, 0, SEEK_SET);
    while((sread = read(dkim_fd,&buf,4096)) > 0) {
      if (pdkim_feed(ctx,buf,sread) != PDKIM_OK) {
        rc = NULL;
        goto CLEANUP;
      }
    }
    /* Handle failed read above. */
    if (sread == -1) {
      debug_printf("DKIM: Error reading -K file.\n");
      save_errno = errno;
      rc = NULL;
      goto CLEANUP;
    }

    pdkim_rc = pdkim_feed_finish(ctx,&signature);
    if (pdkim_rc != PDKIM_OK) {
      log_write(0, LOG_MAIN|LOG_PANIC, "DKIM: signing failed (RC %d)", pdkim_rc);
      rc = NULL;
      goto CLEANUP;
    }

    sigbuf = string_append(sigbuf, &sigsize, &sigptr, 2,
                           US signature->signature_header,
                           US"\r\n");

    pdkim_free_ctx(ctx);
    ctx = NULL;
  }

  if (sigbuf != NULL) {
    sigbuf[sigptr] = '\0';
    rc = sigbuf;
  } else
    rc = US"";

  CLEANUP:
  if (ctx != NULL)
    pdkim_free_ctx(ctx);
  store_pool = old_pool;
  errno = save_errno;
  return rc;
}
Ejemplo n.º 3
0
int main(int argc, char *argv[]) {
  FILE *debug;
  int i;

  pdkim_ctx       *ctx;
  pdkim_signature *signature;

  /* pdkim_ctx *pdkim_init_sign(int mode,
   *                            char *domain,
   *                            char *selector,
   *                            char *rsa_privkey)
   *
   * Initialize context for signing.
   *
   *    int mode
   *      PDKIM_INPUT_NORMAL or PDKIM_INPUT_SMTP. When SMTP
   *      input is used, the lib will deflate double-dots at
   *      the start of atline to a single dot, and it will
   *      stop processing input when a line with and single
   *      dot is received (Excess input will simply be ignored).
   *
   *    char *domain
   *      The domain to sign as. This value will land in the
   *      d= tag of the signature.
   *
   *    char *selector
   *      The selector string to use. This value will land in
   *      the s= tag of the signature.
   *
   *    char *rsa_privkey
   *      The private RSA key, in ASCII armor. It MUST NOT be
   *      encrypted.
   *
   * Returns: A pointer to a freshly allocated pdkim_ctx
   *          context.
   */
  ctx = pdkim_init_sign(PDKIM_INPUT_NORMAL,  /* Input type */
                        DOMAIN,              /* Domain   */
                        SELECTOR,            /* Selector */
                        RSA_PRIVKEY          /* Private RSA key */
                       );

  /* void pdkim_set_debug_stream(pdkim_ctx *ctx,
   *                             FILE *debug)
   *
   * Set up debugging stream.
   *
   * When PDKIM was compiled with DEBUG defined (which is the
   * recommended default), you can set up a stream where it
   * sends debug output to. In this example, we simply use
   * STDERR (fd 2) for that purpose. If you don't set a debug
   * stream, no debug output is generated.
   */
  debug = fdopen(2,"a");
  pdkim_set_debug_stream(ctx,debug);

  /* int pdkim_set_optional(pdkim_ctx *ctx,
   *                        char *sign_headers,
   *                        char *identity,
   *                        int canon_headers,
   *                        int canon_body,
   *                        long bodylength,
   *                        int algo,
   *                        unsigned long created,
   *                        unsigned long expires)
   *
   * OPTIONAL: Set additional optional signing options. If you do
   * not use this function, sensible defaults (see below) are used.
   * Any strings you pass in are dup'ed, so you can safely release
   * your copy even before calling pdkim_free() on your context.
   *
   *    char *sign_headers (default NULL)
   *      Colon-separated list of header names. Headers with
   *      a name matching the list will be included in the
   *      signature. When this is NULL, the list of headers
   *      recommended in RFC4781 will be used.
   *
   *    char *identity (default NULL)
   *      An identity string as described in RFC4781. It will
   *      be put into the i= tag of the signature.
   *
   *    int canon_headers (default PDKIM_CANON_SIMPLE)
   *      Canonicalization algorithm to use for headers. One
   *      of PDKIM_CANON_SIMPLE or PDKIM_CANON_RELAXED.
   *
   *    int canon_body (default PDKIM_CANON_SIMPLE)
   *      Canonicalization algorithm to use for the body. One
   *      of PDKIM_CANON_SIMPLE or PDKIM_CANON_RELAXED.
   *
   *    long bodylength (default -1)
   *      Amount of canonicalized body bytes to include in
   *      the body hash calculation. A value of 0 means that
   *      the body is not included in the signature. A value
   *      of -1 (the default) means that there is no limit.
   *
   *    int algo (default PDKIM_ALGO_RSA_SHA256)
   *      One of PDKIM_ALGO_RSA_SHA256 or PDKIM_ALGO_RSA_SHA1.
   *
   *    unsigned long created (default 0)
   *      Seconds since the epoch, describing when the signature
   *      was created. This is copied to the t= tag of the
   *      signature. Setting a value of 0 (the default) omits
   *      the tag from the signature.
   *
   *    unsigned long expires (default 0)
   *      Seconds since the epoch, describing when the signature
   *      expires. This is copied to the x= tag of the
   *      signature. Setting a value of 0 (the default) omits
   *      the tag from the signature.
   *
   *  Returns: 0 (PDKIM_OK) for success or a PDKIM_ERR_* constant
   */
  pdkim_set_optional(ctx, NULL, NULL,
                     PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE,
                     -1, PDKIM_ALGO_RSA_SHA256, 0, 0);

  /* int pdkim_feed(pdkim_ctx *ctx,
   *                char *data,
   *                int data_len)
   *
   * (Repeatedly) feed data to the signing algorithm. The message
   * data MUST use CRLF line endings (like SMTP uses on the
   * wire). The data chunks do not need to be a "line" - you
   * can split chunks at arbitrary locations.
   *
   *    char *data
   *      Pointer to data to feed. Please note that despite
   *      the example given below, this is not necessarily a
   *      C string.
   *
   *    int data_len
   *      Length of data being fed, in bytes.
   *
   * Returns: 0 (PDKIM_OK) for success or a PDKIM_ERR_* constant
   */
  i = 0;
  while (test_message[i] != NULL) {
    if (pdkim_feed(ctx,
                   test_message[i],
                   strlen(test_message[i])) != PDKIM_OK) {
      printf("pdkim_feed() error\n");
      goto BAIL;
    }
    i++;
  }

  /* int pdkim_feed_finish(pdkim_ctx *ctx,
   *                       pdkim_signature **signature,
   *
   * Signal end-of-message and retrieve the signature block.
   *
   *    pdkim_signature **signature
   *      Pass in a pointer to a pdkim_signature pointer.
   *      If the function returns PDKIM_OK, it will be set
   *      up to point to a freshly allocated pdkim_signature
   *      block. See pdkim.h for documentation on what that
   *      block contains. Hint: Most implementations will
   *      simply want to retrieve a ready-to-use
   *      DKIM-Signature header, which can be found in
   *      *signature->signature_header. See the code below.
   *
   * Returns: 0 (PDKIM_OK) for success or a PDKIM_ERR_* constant
   */
  if (pdkim_feed_finish(ctx,&signature) == PDKIM_OK) {

    /* Print signature to STDOUT, followed by the original
     * message. We can then pipe the output directly to
     * test_verify.c.
     */
    printf(signature->signature_header);
    printf("\r\n");

    i = 0;
    while (test_message[i] != NULL) {
      printf(test_message[i]);
      i++;
    }

  }

  BAIL:
  /* void pdkim_free_ctx(pdkim_ctx *ctx)
   *
   *  Free all allocated memory blocks referenced from
   *  the context, as well as the context itself.
   */
  pdkim_free_ctx(ctx);

  fclose(debug);
}