[exim-cvs] cvs commit: exim/exim-src/src acl.c dkim.c dkim.h…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Tom Kistner
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] cvs commit: exim/exim-src/src acl.c dkim.c dkim.h globals.c globals.h readconf.c receive.c smtp_in.c spool_in.c tls-gnu.c tls-openssl.c exim/exim-src/src/pdkim pdkim.c pdkim.h
tom 2009/05/20 15:30:15 BST

  Modified files:        (Branch: DEVEL_PDKIM)
    exim-src/src         acl.c dkim.c dkim.h globals.c globals.h 
                         readconf.c receive.c smtp_in.c spool_in.c 
                         tls-gnu.c tls-openssl.c 
    exim-src/src/pdkim   pdkim.c pdkim.h 
  Log:
  More DKIM wip. I now have a plan, and we are slowly getting there ...


  Revision  Changes    Path
  1.82.2.2  +4 -4      exim/exim-src/src/acl.c
  1.1.2.12  +30 -25    exim/exim-src/src/dkim.c
  1.1.2.4   +6 -6      exim/exim-src/src/dkim.h
  1.81.2.4  +3 -2      exim/exim-src/src/globals.c
  1.62.2.3  +3 -2      exim/exim-src/src/globals.h
  1.1.2.16  +65 -27    exim/exim-src/src/pdkim/pdkim.c
  1.1.2.12  +1 -1      exim/exim-src/src/pdkim/pdkim.h
  1.35.2.1  +3 -0      exim/exim-src/src/readconf.c
  1.45.2.3  +2 -4      exim/exim-src/src/receive.c
  1.63.2.3  +3 -3      exim/exim-src/src/smtp_in.c
  1.23.2.3  +2 -2      exim/exim-src/src/spool_in.c
  1.20.2.2  +1 -1      exim/exim-src/src/tls-gnu.c
  1.13.2.2  +1 -1      exim/exim-src/src/tls-openssl.c


  Index: acl.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/acl.c,v
  retrieving revision 1.82.2.1
  retrieving revision 1.82.2.2
  diff -u -r1.82.2.1 -r1.82.2.2
  --- acl.c    24 Feb 2009 15:57:55 -0000    1.82.2.1
  +++ acl.c    20 May 2009 14:30:14 -0000    1.82.2.2
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/acl.c,v 1.82.2.1 2009/02/24 15:57:55 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/acl.c,v 1.82.2.2 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -197,7 +197,7 @@
     US"bmi_run",
     #endif
     #ifndef DISABLE_DKIM
  -  US"dkim_verify",
  +  US"dkim_disable_verify",
     #endif
     US"error",
     US"caseful_local_part",
  @@ -493,7 +493,7 @@
     #endif


     #ifndef DISABLE_DKIM
  -  (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|      /* dkim_verify */
  +  (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|      /* dkim_disable_verify */
       (1<<ACL_WHERE_NOTSMTP_START),
     #endif


  @@ -574,7 +574,7 @@
     { US"bmi_run",                 CONTROL_BMI_RUN, FALSE },
   #endif
   #ifndef DISABLE_DKIM
  -  { US"dkim_verify",             CONTROL_DKIM_VERIFY, FALSE },
  +  { US"dkim_disable_verify",     CONTROL_DKIM_VERIFY, FALSE },
   #endif
     { US"caseful_local_part",      CONTROL_CASEFUL_LOCAL_PART, FALSE },
     { US"caselower_local_part",    CONTROL_CASELOWER_LOCAL_PART, FALSE },
  @@ -2556,7 +2556,7 @@


         #ifndef DISABLE_DKIM
         case CONTROL_DKIM_VERIFY:
  -      dkim_do_verify = 1;
  +      dkim_disable_verify = TRUE;
         break;
         #endif



  Index: dkim.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/Attic/dkim.c,v
  retrieving revision 1.1.2.11
  retrieving revision 1.1.2.12
  diff -u -r1.1.2.11 -r1.1.2.12
  --- dkim.c    19 May 2009 09:49:14 -0000    1.1.2.11
  +++ dkim.c    20 May 2009 14:30:14 -0000    1.1.2.12
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/dkim.c,v 1.1.2.11 2009/05/19 09:49:14 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/dkim.c,v 1.1.2.12 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -24,7 +24,7 @@
     dns_scan   dnss;
     dns_record *rr;


- if (dns_lookup(&dnsa, (uschar *)name, T_TXT, NULL) != DNS_SUCCEED) return 1;
+ if (dns_lookup(&dnsa, (uschar *)name, T_TXT, NULL) != DNS_SUCCEED) return PDKIM_FAIL;

     /* Search for TXT record */
     for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
  @@ -45,13 +45,13 @@
         answer_offset+=len;
       }
     }
  -  else return 1;
  +  else return PDKIM_FAIL;


     return PDKIM_OK;
   }



-int dkim_exim_verify_init(void) {
+void dkim_exim_verify_init(void) {

     /* Free previous context if there is one */
     if (dkim_verify_ctx) pdkim_free_ctx(dkim_verify_ctx);
  @@ -62,37 +62,47 @@
                                        );


     if (dkim_verify_ctx != NULL) {
  -    dkim_collect_input = 1;
  +    dkim_collect_input = TRUE;
       pdkim_set_debug_stream(dkim_verify_ctx,debug_file);
  -    return 1;
  -  }
  -  else {
  -    dkim_collect_input = 0;
  -    return 0;
     }
  +  else dkim_collect_input = FALSE;
  +
   }



  -int dkim_exim_verify_feed(uschar *data, int len) {
  -  if (pdkim_feed(dkim_verify_ctx,
  +void dkim_exim_verify_feed(uschar *data, int len) {
  +  if (dkim_collect_input &&
  +      pdkim_feed(dkim_verify_ctx,
                    (char *)data,
  -                 len) != PDKIM_OK) return 0;
  -  return 1;
  +                 len) != PDKIM_OK) dkim_collect_input = FALSE;
   }



  -int dkim_exim_verify_finish(void) {
  +void dkim_exim_verify_finish(void) {
  +
  +  /* Delete eventual previous signature chain */
     dkim_signatures = NULL;
  -  dkim_collect_input = 0;
  -  if (pdkim_feed_finish(dkim_verify_ctx,&dkim_signatures) != PDKIM_OK) return 0;


  +  /* If we have arrived here with dkim_collect_input == FALSE, it
  +     means there was a processing error somewhere along the way.
  +     Log the incident and disable futher verification. */
  +  if (!dkim_collect_input) {
  +    log_write(0, LOG_MAIN|LOG_PANIC, "DKIM: Error while running this message through validation, disabling signature verification.");
  +    dkim_disable_verify = TRUE;
  +    return;
  +  }
  +  dkim_collect_input = FALSE;
  +
  +  /* Finish DKIM operation and fetch link to signatures chain */
  +  if (pdkim_feed_finish(dkim_verify_ctx,&dkim_signatures) != PDKIM_OK) return;
  +
  +  /* Log a line for each signature */
     while (dkim_signatures != NULL) {
       int size = 0;
       int ptr = 0;
       uschar *logmsg = string_append(NULL, &size, &ptr, 5,


  -      string_sprintf( "DKIM: v=%u d=%s s=%s c=%s/%s a=%s ",
  -                      dkim_signatures->version,
  +      string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
                         dkim_signatures->domain,
                         dkim_signatures->selector,
                         (dkim_signatures->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
  @@ -163,21 +173,16 @@
       logmsg[ptr] = '\0';
       log_write(0, LOG_MAIN, (char *)logmsg);


  -    /* Try next signature */
  +    /* Log next signature */
       dkim_signatures = dkim_signatures->next;
     }
  -
  -  return dkim_signatures?1:0;
   }



  -int dkim_exim_verify_result(uschar *domain, uschar **result, uschar **error) {
  -
  +void dkim_exim_verify_result(uschar *domain, uschar **result, uschar **error) {
     if (dkim_verify_ctx) {


     }
  -
  -  return OK;
   }




  Index: dkim.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/Attic/dkim.h,v
  retrieving revision 1.1.2.3
  retrieving revision 1.1.2.4
  diff -u -r1.1.2.3 -r1.1.2.4
  --- dkim.h    9 Apr 2009 13:57:21 -0000    1.1.2.3
  +++ dkim.h    20 May 2009 14:30:14 -0000    1.1.2.4
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/dkim.h,v 1.1.2.3 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/dkim.h,v 1.1.2.4 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -14,9 +14,9 @@
                          uschar *,
                          uschar *);


  -int dkim_exim_verify_init(void);
  -int dkim_exim_verify_feed(uschar *, int);
  -int dkim_exim_verify_finish(void);
  -int dkim_exim_verify_result(uschar *,
  -                            uschar **,
  -                            uschar **);
  +void dkim_exim_verify_init(void);
  +void dkim_exim_verify_feed(uschar *, int);
  +void dkim_exim_verify_finish(void);
  +void dkim_exim_verify_result(uschar *,
  +                             uschar **,
  +                             uschar **);


  Index: globals.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/globals.c,v
  retrieving revision 1.81.2.3
  retrieving revision 1.81.2.4
  diff -u -r1.81.2.3 -r1.81.2.4
  --- globals.c    9 Apr 2009 14:00:51 -0000    1.81.2.3
  +++ globals.c    20 May 2009 14:30:14 -0000    1.81.2.4
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/globals.c,v 1.81.2.3 2009/04/09 14:00:51 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/globals.c,v 1.81.2.4 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -529,8 +529,9 @@
   #ifndef DISABLE_DKIM
   uschar *dkim_signing_domain      = NULL;
   uschar *dkim_signing_selector    = NULL;
  -int     dkim_do_verify           = 0;
  -int     dkim_collect_input       = 0;
  +uschar *dkim_verify_domains      = US"@dkim_signed";
  +BOOL    dkim_collect_input       = FALSE;
  +BOOL    dkim_disable_verify      = FALSE;
   #endif


uschar *dns_again_means_nonexist = NULL;

  Index: globals.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/globals.h,v
  retrieving revision 1.62.2.2
  retrieving revision 1.62.2.3
  diff -u -r1.62.2.2 -r1.62.2.3
  --- globals.h    9 Apr 2009 13:57:21 -0000    1.62.2.2
  +++ globals.h    20 May 2009 14:30:14 -0000    1.62.2.3
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/globals.h,v 1.62.2.2 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/globals.h,v 1.62.2.3 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -298,8 +298,9 @@
   #ifndef DISABLE_DKIM
   extern uschar *dkim_signing_domain;      /* Domain used for signing a message. */
   extern uschar *dkim_signing_selector;    /* Selector used for signing a message. */
  -extern int     dkim_do_verify;           /* DKIM verification switch. Set with ACL control statement. */
  -extern int     dkim_collect_input;       /* Set during message reception, when SMTP input is to be fed to the validator. */
  +extern uschar *dkim_verify_domains;      /* Colon-separated list of domains for each of which we call the DKIM ACL */
  +extern BOOL    dkim_collect_input;       /* Runtime flag that tracks wether SMTP input is fed to DKIM validation */
  +extern BOOL    dkim_disable_verify;      /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */
   #endif


extern uschar *dns_again_means_nonexist; /* Domains that are badly set up */

  Index: readconf.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/readconf.c,v
  retrieving revision 1.35
  retrieving revision 1.35.2.1
  diff -u -r1.35 -r1.35.2.1
  --- readconf.c    12 Feb 2008 12:52:51 -0000    1.35
  +++ readconf.c    20 May 2009 14:30:14 -0000    1.35.2.1
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/readconf.c,v 1.35 2008/02/12 12:52:51 nm4 Exp $ */
  +/* $Cambridge: exim/exim-src/src/readconf.c,v 1.35.2.1 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -205,6 +205,9 @@
     { "disable_fsync",            opt_bool,        &disable_fsync },
   #endif
     { "disable_ipv6",             opt_bool,        &disable_ipv6 },
  +#ifndef DISABLE_DKIM
  +  { "dkim_verify_domains",      opt_stringptr,   &dkim_verify_domains },
  +#endif
     { "dns_again_means_nonexist", opt_stringptr,   &dns_again_means_nonexist },
     { "dns_check_names_pattern",  opt_stringptr,   &check_dns_names_pattern },
     { "dns_csa_search_limit",     opt_int,         &dns_csa_search_limit },


  Index: receive.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/receive.c,v
  retrieving revision 1.45.2.2
  retrieving revision 1.45.2.3
  diff -u -r1.45.2.2 -r1.45.2.3
  --- receive.c    9 Apr 2009 13:57:21 -0000    1.45.2.2
  +++ receive.c    20 May 2009 14:30:14 -0000    1.45.2.3
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/receive.c,v 1.45.2.2 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/receive.c,v 1.45.2.3 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -1386,11 +1386,9 @@


#ifndef DISABLE_DKIM
/* Call into DKIM to set up the context. */
-if (smtp_input && dkim_do_verify) dkim_do_verify = dkim_exim_verify_init();
-else dkim_do_verify = 0;
+if (smtp_input && !smtp_batched_input && !dkim_disable_verify) dkim_exim_verify_init();
#endif

  -
   /* Remember the time of reception. Exim uses time+pid for uniqueness of message
   ids, and fractions of a second are required. See the comments that precede the
   message id creation below. */
  @@ -2971,7 +2969,7 @@
       {


   #ifndef DISABLE_DKIM
  -    if (dkim_do_verify) dkim_do_verify = dkim_exim_verify_finish();
  +    if (!dkim_disable_verify) dkim_exim_verify_finish();
   #endif


#ifdef WITH_CONTENT_SCAN

  Index: smtp_in.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/smtp_in.c,v
  retrieving revision 1.63.2.2
  retrieving revision 1.63.2.3
  diff -u -r1.63.2.2 -r1.63.2.3
  --- smtp_in.c    9 Apr 2009 13:57:21 -0000    1.63.2.2
  +++ smtp_in.c    20 May 2009 14:30:14 -0000    1.63.2.3
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/smtp_in.c,v 1.63.2.2 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/smtp_in.c,v 1.63.2.3 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -265,7 +265,7 @@
       return EOF;
       }
   #ifndef DISABLE_DKIM
  -  if (dkim_collect_input) dkim_collect_input = dkim_exim_verify_feed(smtp_inbuffer, rc);
  +  dkim_exim_verify_feed(smtp_inbuffer, rc);
   #endif
     smtp_inend = smtp_inbuffer + rc;
     smtp_inptr = smtp_inbuffer;
  @@ -1041,8 +1041,8 @@
   bmi_verdicts = NULL;
   #endif
   #ifndef DISABLE_DKIM
  -dkim_do_verify = 0;
  -dkim_collect_input = 0;
  +dkim_disable_verify = FALSE;
  +dkim_collect_input = FALSE;
   #endif
   #ifdef EXPERIMENTAL_SPF
   spf_header_comment = NULL;


  Index: spool_in.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/spool_in.c,v
  retrieving revision 1.23.2.2
  retrieving revision 1.23.2.3
  diff -u -r1.23.2.2 -r1.23.2.3
  --- spool_in.c    9 Apr 2009 13:57:21 -0000    1.23.2.2
  +++ spool_in.c    20 May 2009 14:30:14 -0000    1.23.2.3
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/spool_in.c,v 1.23.2.2 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/spool_in.c,v 1.23.2.3 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -279,8 +279,8 @@
   #endif


#ifndef DISABLE_DKIM
-dkim_do_verify = 0;
-dkim_collect_input = 0;
+dkim_disable_verify = FALSE;
+dkim_collect_input = FALSE;
#endif

#ifdef SUPPORT_TLS

  Index: tls-gnu.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/tls-gnu.c,v
  retrieving revision 1.20.2.1
  retrieving revision 1.20.2.2
  diff -u -r1.20.2.1 -r1.20.2.2
  --- tls-gnu.c    9 Apr 2009 13:57:21 -0000    1.20.2.1
  +++ tls-gnu.c    20 May 2009 14:30:14 -0000    1.20.2.2
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.20.2.1 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.20.2.2 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -1173,7 +1173,7 @@
       return EOF;
       }
   #ifndef DISABLE_DKIM
  -  if (dkim_collect_input) dkim_collect_input = dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
  +  dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
   #endif
     ssl_xfer_buffer_hwm = inbytes;
     ssl_xfer_buffer_lwm = 0;


  Index: tls-openssl.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/tls-openssl.c,v
  retrieving revision 1.13.2.1
  retrieving revision 1.13.2.2
  diff -u -r1.13.2.1 -r1.13.2.2
  --- tls-openssl.c    9 Apr 2009 13:57:21 -0000    1.13.2.1
  +++ tls-openssl.c    20 May 2009 14:30:14 -0000    1.13.2.2
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.13.2.1 2009/04/09 13:57:21 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.13.2.2 2009/05/20 14:30:14 tom Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -888,7 +888,7 @@
       return EOF;
       }
   #ifndef DISABLE_DKIM
  -  if (dkim_collect_input) dkim_collect_input = dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
  +  dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
   #endif
     ssl_xfer_buffer_hwm = inbytes;
     ssl_xfer_buffer_lwm = 0;


  Index: pdkim.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/pdkim/Attic/pdkim.c,v
  retrieving revision 1.1.2.15
  retrieving revision 1.1.2.16
  diff -u -r1.1.2.15 -r1.1.2.16
  --- pdkim.c    19 May 2009 09:49:14 -0000    1.1.2.15
  +++ pdkim.c    20 May 2009 14:30:15 -0000    1.1.2.16
  @@ -20,7 +20,7 @@
    *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    */


-/* $Cambridge: exim/exim-src/src/pdkim/pdkim.c,v 1.1.2.15 2009/05/19 09:49:14 tom Exp $ */
+/* $Cambridge: exim/exim-src/src/pdkim/pdkim.c,v 1.1.2.16 2009/05/20 14:30:15 tom Exp $ */

   #include <stdlib.h>
   #include <stdio.h>
  @@ -1286,7 +1286,6 @@
     while (sig != NULL) {
       sha1_context sha1_headers;
       sha2_context sha2_headers;
  -    pdkim_stringlist *p = sig->headers;
       char *sig_hdr;
       char headerhash[32];


  @@ -1301,37 +1300,77 @@
                 "PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>\n");
       #endif


  -    while (p != NULL) {
  -      char *rh;
  -
  -      /* SIGNING -------------------------------------------------------------- */
  -      if (ctx->mode == PDKIM_MODE_SIGN) {
  +    /* SIGNING ---------------------------------------------------------------- */
  +    /* When signing, walk through our header list and add them to the hash. As we
  +       go, construct a list of the header's names to use for the h= parameter. */
  +    if (ctx->mode == PDKIM_MODE_SIGN) {
  +      pdkim_stringlist *p = sig->headers;
  +      while (p != NULL) {
  +        char *rh = NULL;
           /* Collect header names (Note: colon presence is guaranteed here) */
           char *q = strchr(p->value,':');
           if (pdkim_strncat(headernames, p->value,
                             (q-(p->value))+((p->next==NULL)?0:1)) == NULL)
             return PDKIM_ERR_OOM;
  -      }
  -      /* ---------------------------------------------------------------------- */


  -      if (sig->canon_headers == PDKIM_CANON_RELAXED)
  -        rh = pdkim_relax_header(p->value,1); /* cook header for relaxed canon */
  -      else
  -        rh = strdup(p->value);               /* just copy it for simple canon */
  +        if (sig->canon_headers == PDKIM_CANON_RELAXED)
  +          rh = pdkim_relax_header(p->value,1); /* cook header for relaxed canon */
  +        else
  +          rh = strdup(p->value);               /* just copy it for simple canon */


  -      if (rh == NULL) return PDKIM_ERR_OOM;
  +        if (rh == NULL) return PDKIM_ERR_OOM;


  -      /* Feed header to the hash algorithm */
  -      if (sig->algo == PDKIM_ALGO_RSA_SHA1)
  -        sha1_update(&(sha1_headers),(unsigned char *)rh,strlen(rh));
  -      else
  -        sha2_update(&(sha2_headers),(unsigned char *)rh,strlen(rh));
  -      #ifdef PDKIM_DEBUG
  -      if (ctx->debug_stream)
  -        pdkim_quoteprint(ctx->debug_stream, rh, strlen(rh), 1);
  -      #endif
  -      free(rh);
  -      p = p->next;
  +        /* Feed header to the hash algorithm */
  +        if (sig->algo == PDKIM_ALGO_RSA_SHA1)
  +          sha1_update(&(sha1_headers),(unsigned char *)rh,strlen(rh));
  +        else
  +          sha2_update(&(sha2_headers),(unsigned char *)rh,strlen(rh));
  +        #ifdef PDKIM_DEBUG
  +        if (ctx->debug_stream)
  +          pdkim_quoteprint(ctx->debug_stream, rh, strlen(rh), 1);
  +        #endif
  +        free(rh);
  +        p = p->next;
  +      }
  +    }
  +    /* VERIFICATION ----------------------------------------------------------- */
  +    /* When verifying, walk through the header name list in the h= parameter and
  +       add the headers to the hash in that order. */
  +    else {
  +      char *b = strdup(sig->headernames);
  +      char *p = b;
  +      char *q = NULL;
  +      if (b == NULL) return PDKIM_ERR_OOM;
  +
  +      while(1) {
  +        pdkim_stringlist *hdrs = sig->headers;
  +        q = strchr(p,':');
  +        if (q != NULL) *q = '\0';
  +        while (hdrs != NULL) {
  +          if (strncasecmp(hdrs->value,p,strlen(p)) == 0) {
  +            char *rh = NULL;
  +            if (sig->canon_headers == PDKIM_CANON_RELAXED)
  +              rh = pdkim_relax_header(hdrs->value,1); /* cook header for relaxed canon */
  +            else
  +              rh = strdup(hdrs->value);               /* just copy it for simple canon */
  +            if (rh == NULL) return PDKIM_ERR_OOM;
  +            /* Feed header to the hash algorithm */
  +            if (sig->algo == PDKIM_ALGO_RSA_SHA1)
  +              sha1_update(&(sha1_headers),(unsigned char *)rh,strlen(rh));
  +            else
  +              sha2_update(&(sha2_headers),(unsigned char *)rh,strlen(rh));
  +            #ifdef PDKIM_DEBUG
  +            if (ctx->debug_stream)
  +              pdkim_quoteprint(ctx->debug_stream, rh, strlen(rh), 1);
  +            #endif
  +            free(rh);
  +          }
  +          hdrs = hdrs->next;
  +        }
  +        if (q == NULL) break;
  +        p = q+1;
  +      }
  +      free(b);
       }


       #ifdef PDKIM_DEBUG
  @@ -1340,7 +1379,6 @@
                 "PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
       #endif


  -
       /* SIGNING ---------------------------------------------------------------- */
       if (ctx->mode == PDKIM_MODE_SIGN) {
         /* Copy headernames to signature struct */


  Index: pdkim.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/pdkim/Attic/pdkim.h,v
  retrieving revision 1.1.2.11
  retrieving revision 1.1.2.12
  diff -u -r1.1.2.11 -r1.1.2.12
  --- pdkim.h    30 Apr 2009 15:25:39 -0000    1.1.2.11
  +++ pdkim.h    20 May 2009 14:30:15 -0000    1.1.2.12
  @@ -20,7 +20,7 @@
    *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    */


-/* $Cambridge: exim/exim-src/src/pdkim/pdkim.h,v 1.1.2.11 2009/04/30 15:25:39 tom Exp $ */
+/* $Cambridge: exim/exim-src/src/pdkim/pdkim.h,v 1.1.2.12 2009/05/20 14:30:15 tom Exp $ */

   /* -------------------------------------------------------------------------- */
   /* Debugging. This can also be enabled/disabled at run-time. I recommend to
  @@ -242,7 +242,7 @@
     /* Verification specific -------------------------------------------- */
     char *hnames_check;    /* Tick-off header list that we use to keep
                               track of header names that we have already
  -                            added to the signature                      */
  +                            added to the signature candidates.          */
     char *rawsig_no_b_val; /* Original signature header w/o b= tag value. */
   } pdkim_signature;