DomainKeys signature have a greater chance of being useful (i.e.
successfully verifying when they should) if they include the "h" tag,
which lists the header fields included in the signature. This patch
should accomplish that. It also fixes what looks like an error: The
call to dk_getsig() claimed that the buffer is 8192 bytes, when in
fact it's only 1024. (I don't think it's counted in bits.)
diff -urNad exim4-4.62~/src/dk.c exim4-4.62/src/dk.c
--- exim4-4.62.orig/src/dk.c
+++ exim4-4.62/src/dk.c
@@ -239,6 +239,8 @@
uschar *dk_selector,
uschar *dk_canon) {
uschar *rc = NULL;
+ uschar *headers = NULL;
+ int headers_len;
int dk_canon_int = DK_CANON_SIMPLE;
char c;
int seen_lf = 0;
@@ -398,7 +400,7 @@
}
/* Get the signature. */
- dk_internal_status = dk_getsig(dk_context, dk_private_key, sig, 8192);
+ dk_internal_status = dk_getsig(dk_context, dk_private_key, sig, 1024);
/* Check for unuseable key */
if (dk_internal_status != DK_STAT_OK) {
@@ -407,13 +409,17 @@
goto CLEANUP;
}
- rc = store_get(1024);
+ headers_len = dk_headers(dk_context, NULL);
+ rc = store_get(1024+256+headers_len);
+ headers = store_malloc(headers_len);
+ dk_headers(dk_context, headers);
/* Build DomainKey-Signature header to return. */
- (void)string_format(rc, 1024, "DomainKey-Signature: a=rsa-sha1; q=dns; c=%s;\r\n"
- "\ts=%s; d=%s;\r\n"
- "\tb=%s;\r\n", dk_canon, dk_selector, dk_domain, sig);
+ (void)string_format(rc, 1024+256+headers_len, "DomainKey-Signature: a=rsa-sha1; q=dns; c=%s; s=%s; d=%s;\r\n"
+ "\th=%s;\r\n"
+ "\tb=%s;\r\n", dk_canon, dk_selector, dk_domain, headers, sig);
- log_write(0, LOG_MAIN, "DK: message signed using a=rsa-sha1; q=dns; c=%s; s=%s; d=%s;", dk_canon, dk_selector, dk_domain);
+ log_write(0, LOG_MAIN, "DK: message signed using a=rsa-sha1; q=dns; c=%s; s=%s; d=%s; h=%s;", dk_canon, dk_selector, dk_domain, headers);
+ store_free(headers);
CLEANUP:
if (dk_context != NULL) {
--
Magnus Holmgren holmgren@???
(No Cc of list mail needed, thanks)