[exim-cvs] Fix dkim_verify_signers option. Bug 2366

Gitweb: https://git.exim.org/exim.git/commitdiff/ae63862ba6f6ee0c17ec865cc6cf0eebb3ca2389

Commit:     ae63862ba6f6ee0c17ec865cc6cf0eebb3ca2389
Parent:     3f9700ab53b9f4fa4a2667957afb249f5639da9d
Author:     Mad Alex <alex.exim@???>
AuthorDate: Wed Jan 30 13:57:36 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Jan 30 13:59:52 2019 +0000

    Fix dkim_verify_signers option.  Bug 2366
    Testsuite coverage by jgh.

    Broken-by: d342446f29
---
 doc/doc-txt/ChangeLog       |   3 +
 src/src/smtp_in.c           |   1 -
 test/confs/4508             |  33 ++++++++++
 test/confs/4520             |   2 +-
 test/log/4508               |  25 ++++++++
 test/scripts/4500-DKIM/4508 | 149 ++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 211 insertions(+), 2 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e2dd71b..7da07ad 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -191,6 +191,9 @@ JH/41 Fix the loop reading a message header line to check for integer overflow,
       and more-often against header_maxsize.  Previously a crafted message could
       induce a crash of the recive process; now the message is cleanly rejected.

+JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option.  It had
+      been totally disabled for all of 4.91.  Discovery and fix by "Mad Alex".
+

 Exim version 4.91
 -----------------
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index af2cdb2..86f87ea 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2084,7 +2084,6 @@ f.dkim_disable_verify = FALSE;
 dkim_collect_input = 0;
 dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL;
 dkim_key_length = 0;
-dkim_verify_signers = US"$dkim_signers";
 #endif
 #ifdef EXPERIMENTAL_DMARC
 f.dmarc_has_been_checked = f.dmarc_disable_verify = f.dmarc_enable_forensic = FALSE;
diff --git a/test/confs/4508 b/test/confs/4508
new file mode 100644
index 0000000..dae4a8a
--- /dev/null
+++ b/test/confs/4508
@@ -0,0 +1,33 @@
+# Exim test configuration 4508
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+acl_smtp_dkim = check_dkim
+acl_smtp_data = check_data
+
+log_selector = +dkim_verbose
+dkim_verify_signers = DYNAMIC_OPTION
+
+queue_only
+queue_run_in_order
+
+# ----- ACL ---------
+
+begin acl
+
+check_dkim:
+  accept
+    logwrite = DKIM: acl called - signer: $dkim_cur_signer bits: $dkim_key_length
+
+check_data:
+  accept logwrite = overall \$dkim_verify_status: $dkim_verify_status
+     logwrite = ${authresults {$primary_hostname}}
+
+# End
diff --git a/test/confs/4520 b/test/confs/4520
index 8976923..1a8e34f 100644
--- a/test/confs/4520
+++ b/test/confs/4520
@@ -14,7 +14,7 @@ acl_smtp_rcpt = accept logwrite = rcpt acl: macro: _DKIM_SIGN_HEADERS
 acl_smtp_dkim = accept logwrite = dkim_acl: signer: $dkim_cur_signer bits: $dkim_key_length h=$dkim_headernames
 acl_smtp_data = accept logwrite = data acl: dkim status $dkim_verify_status

-dkim_verify_signers = $dkim_signers : FAKE
+dkim_verify_signers = $dkim_signers

DDIR=DIR/aux-fixed/dkim

diff --git a/test/log/4508 b/test/log/4508
new file mode 100644
index 0000000..4a031f2
--- /dev/null
+++ b/test/log/4508
@@ -0,0 +1,25 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: acl called - signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaX-0005vi-00 overall $dkim_verify_status: pass
+1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 overall $dkim_verify_status: 
+1999-03-02 09:44:33 10HmaY-0005vi-00 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: acl called - signer: nothere.example.com bits: 0
+1999-03-02 09:44:33 10HmaZ-0005vi-00 overall $dkim_verify_status: none
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: acl called - signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: acl called - signer: different.example.com bits: 1024
+1999-03-02 09:44:33 10HmbA-0005vi-00 overall $dkim_verify_status: pass:none
+1999-03-02 09:44:33 10HmbA-0005vi-00 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
diff --git a/test/scripts/4500-DKIM/4508 b/test/scripts/4500-DKIM/4508
new file mode 100644
index 0000000..b9eaabe
--- /dev/null
+++ b/test/scripts/4500-DKIM/4508
@@ -0,0 +1,149 @@
+# DKIM verify, dkim_verify_signers option
+#
+exim -DSERVER=server -DDYNAMIC_OPTION='$dkim_signers' -bd -oX PORT_D
+****
+#
+# Same as default. This should pass.
+#  - sha256, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \
+#            --method=simple/simple < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@???>
+??? 250
+RCPT TO:<a@???>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+    :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+    6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+    Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+    +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@???
+To: bakawolf@???
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@???>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
+exim -DSERVER=server -DDYNAMIC_OPTION='' -bd -oX PORT_D
+****
+# Empty.  Should avoid calling dkim ACL.
+#  - sha256, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \
+#            --method=simple/simple < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@???>
+??? 250
+RCPT TO:<a@???>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+    :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+    6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+    Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+    +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@???
+To: bakawolf@???
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@???>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
+exim -DSERVER=server -DDYNAMIC_OPTION='nothere.example.com' -bd -oX PORT_D
+****
+# Different domain.  Should fail DKIM verify.
+#  - sha256, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \
+#            --method=simple/simple < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@???>
+??? 250
+RCPT TO:<a@???>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+    :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+    6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+    Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+    +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@???
+To: bakawolf@???
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@???>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
+exim -DSERVER=server -DDYNAMIC_OPTION='test.ex : different.example.com' -bd -oX PORT_D
+****
+# Mixed set.  Should get one DKIM verify pass.
+#  - sha256, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --algorithm=rsa-sha256 \
+#            --method=simple/simple < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@???>
+??? 250
+RCPT TO:<a@???>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+    :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+    6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+    Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+    +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@???
+To: bakawolf@???
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@???>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
+no_stdout_check
+no_msglog_check