Re: [exim-dev] [exim] Using ADSP?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Michael Haardt
Date:  
À: exim-dev
Sujet: Re: [exim-dev] [exim] Using ADSP?
Let's move this to exim-dev.

> > It does not look like I can add multiple signatures, though, because
> > dkim_domain is not a list that sets $dkim_domain to each element,
> > expanding dkim_selector and dkim_private_key using that value and acting
> > upon it. Any other way?
>
> Sorry, signing with several sigs concurrently is not supported (at least
> not without looping the message through several processes). I know
> you're quite the versatile guy, so if you want to take a shot at an
> implementation ... go ahead :)


The patch below sketches my suggestion in terms of code (neither tested
not finished). I broke indentation for a readable patch, the whole
block inside the loop should be indented of course. The transport option
dkim_domain should be renamed to dkim_add_signers, because that's what
it does. It may be a good idea not to add signatures already existing
in the mail, e.g. by initialising the seen_items code. Should that be
configurable?

What I meant to implement is a loop through all signers, much like
verification works. For each signer, available in $dkim_domain, the
other dkim transport options are expanded and if there is a $dkim_key
afterwards, the mail is signed using those values.

Any opinions are welcome.

Michael
----------------------------------------------------------------------
--- ./src/dkim.c.orig    2010-01-27 11:05:45.000000000 +0100
+++ ./src/dkim.c    2010-01-27 14:20:34.000000000 +0100
@@ -387,6 +387,14 @@
                        uschar *dkim_selector,
                        uschar *dkim_canon,
                        uschar *dkim_sign_headers) {
+  int sep = 0;
+  uschar *seen_items = NULL;
+  int seen_items_size = 0;
+  int seen_items_offset = 0;
+  uschar itembuf[256];
+  uschar *dkim_canon_expanded;
+  uschar *dkim_sign_headers_expanded;
+  uschar *dkim_private_key_expanded;
   pdkim_ctx *ctx = NULL;
   uschar *rc = NULL;
   pdkim_signature *signature;
@@ -405,42 +413,54 @@
     rc = NULL;
     goto CLEANUP;
   }
-  /* Set up $dkim_domain expansion variable. */
-  dkim_signing_domain = dkim_domain;


-  /* Get selector to use. */
-  dkim_selector = expand_string(dkim_selector);
-  if (dkim_selector == NULL) {
+  /* Set $dkim_domain expansion variable to each unique domain in list. */
+  while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
+                                                  itembuf,
+                                                  sizeof(itembuf))) != NULL) {
+    if (!dkim_signing_domain || (dkim_signing_domain[0] == '\0')) continue;
+    /* Only sign once for each domain, no matter how often it
+       appears in the expanded list. */
+    if (seen_items != NULL) {
+      uschar *seen_items_list = seen_items;
+      if (match_isinlist(dkim_signing_domain,
+                         &seen_items_list,0,NULL,NULL,MCL_STRING,TRUE,NULL) == OK)
+        continue;
+      seen_items = string_append(seen_items,&seen_items_size,&seen_items_offset,1,":");
+    }
+    seen_items = string_append(seen_items,&seen_items_size,&seen_items_offset,1,dkim_signing_domain);
+    seen_items[seen_items_offset] = '\0';
+
+  /* Set up $dkim_selector expansion variable. */
+  dkim_signing_selector = expand_string(dkim_selector);
+  if (dkim_signing_selector == NULL) {
     log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
       "dkim_selector: %s", expand_string_message);
     rc = NULL;
     goto CLEANUP;
   }
-  /* Set up $dkim_selector expansion variable. */
-  dkim_signing_selector = dkim_selector;


   /* Get canonicalization to use */
-  dkim_canon = expand_string(dkim_canon?dkim_canon:US"relaxed");
-  if (dkim_canon == NULL) {
+  dkim_canon_expanded = expand_string(dkim_canon?dkim_canon:US"relaxed");
+  if (dkim_canon_expanded == NULL) {
     /* expansion error, do not send message. */
     log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
           "dkim_canon: %s", expand_string_message);
     rc = NULL;
     goto CLEANUP;
   }
-  if (Ustrcmp(dkim_canon, "relaxed") == 0)
+  if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
     pdkim_canon = PDKIM_CANON_RELAXED;
-  else if (Ustrcmp(dkim_canon, "simple") == 0)
+  else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
     pdkim_canon = PDKIM_CANON_SIMPLE;
   else {
-    log_write(0, LOG_MAIN, "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",dkim_canon);
+    log_write(0, LOG_MAIN, "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",dkim_canon_expanded);
     pdkim_canon = PDKIM_CANON_RELAXED;
   }


-  /* Expand signing headers once */
   if (dkim_sign_headers != NULL) {
-    dkim_sign_headers = expand_string(dkim_sign_headers);
-    if (dkim_sign_headers == NULL) {
+    dkim_sign_headers_expanded = expand_string(dkim_sign_headers);
+    if (dkim_sign_headers_expanded == NULL) {
       log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
         "dkim_sign_headers: %s", expand_string_message);
       rc = NULL;
@@ -449,47 +469,49 @@
   }


   /* Get private key to use. */
-  dkim_private_key = expand_string(dkim_private_key);
-  if (dkim_private_key == NULL) {
+  dkim_private_key_expanded = expand_string(dkim_private_key);
+  if (dkim_private_key_expanded == NULL) {
     log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
       "dkim_private_key: %s", expand_string_message);
     rc = NULL;
     goto CLEANUP;
   }
-  if ( (Ustrlen(dkim_private_key) == 0) ||
-       (Ustrcmp(dkim_private_key,"0") == 0) ||
-       (Ustrcmp(dkim_private_key,"false") == 0) ) {
+  if ( (Ustrlen(dkim_private_key_expanded) == 0) ||
+       (Ustrcmp(dkim_private_key_expanded,"0") == 0) ||
+       (Ustrcmp(dkim_private_key_expanded,"false") == 0) ) {
     /* don't sign, but no error */
     rc = US"";
     goto CLEANUP;
   }


-  if (dkim_private_key[0] == '/') {
+
+
+  if (dkim_private_key_expanded[0] == '/') {
     int privkey_fd = 0;
     /* Looks like a filename, load the private key. */
     memset(big_buffer,0,big_buffer_size);
-    privkey_fd = open(CS dkim_private_key,O_RDONLY);
+    privkey_fd = open(CS dkim_private_key_expanded,O_RDONLY);
     if (privkey_fd < 0) {
       log_write(0, LOG_MAIN|LOG_PANIC, "unable to open "
-        "private key file for reading: %s", dkim_private_key);
+        "private key file for reading: %s", dkim_private_key_expanded);
       rc = NULL;
       goto CLEANUP;
     }
     (void)read(privkey_fd,big_buffer,(big_buffer_size-2));
     (void)close(privkey_fd);
-    dkim_private_key = big_buffer;
+    dkim_private_key_expanded = big_buffer;
   }


   ctx = pdkim_init_sign(PDKIM_INPUT_SMTP,
                         (char *)dkim_signing_domain,
                         (char *)dkim_signing_selector,
-                        (char *)dkim_private_key
+                        (char *)dkim_private_key_expanded
                        );


pdkim_set_debug_stream(ctx,debug_file);

   pdkim_set_optional(ctx,
-                     (char *)dkim_sign_headers,
+                     (char *)dkim_sign_headers_expanded,
                      NULL,
                      pdkim_canon,
                      pdkim_canon,
@@ -522,6 +544,11 @@
   Ustrcpy(rc,US signature->signature_header);
   Ustrcat(rc,US"\r\n");


+  pdkim_free_ctx(ctx);
+  ctx = NULL;
+
+  }
+
   CLEANUP:
   if (ctx != NULL) {
     pdkim_free_ctx(ctx);