The consistency check of SigningTable and KeyTable on config load does not work properly #229

Open
futatuki opened this issue Oct 7, 2024 · 0 comments

futatuki commented Oct 7, 2024

If SigningTable and KeyTable are specified in the config file and the dataset type of SigningTable is capable of the db walk operation, the opendkim milter performs a consistency check when loading the config file: for each entry in SigningTable, it checks whether the keyname specified by the entry exists in KeyTable.

However, while retrieving a SigningTable entry, it does not check the error status of dkimf_db_walk().

OpenDKIM/opendkim/opendkim.c

Lines 8348 to 8349 in 835834e

```c
while (dkimf_db_walk(conf->conf_signtabledb, first,
                     NULL, NULL, dbd, 2) == 0)
```

So if there exists a bogus entry in SigningTable that causes an error, the check finishes without error here, and the rest of the records in SigningTable are not checked.

Also, although the second field of the values in SigningTable should be optional, the consistency check above does not handle this.

OpenDKIM/opendkim/opendkim.c

Lines 8341 to 8349 in 835834e

```c
dbd[0].dbdata_buffer = keyname;
dbd[0].dbdata_buflen = sizeof keyname - 1;
dbd[0].dbdata_flags = 0;
dbd[1].dbdata_buffer = signer;
dbd[1].dbdata_buflen = sizeof signer - 1;
dbd[1].dbdata_flags = 0;
while (dkimf_db_walk(conf->conf_signtabledb, first,
                     NULL, NULL, dbd, 2) == 0)
```

E.g., a flat-file SigningTable like the one below would not be checked at all:

```
foo.example.org		default._domainkey.foo.example.org
[email protected]	bar.default._domainkey.foo.example.org:[email protected]
baz.example.com		default._domainkey.baz.example.com:@baz.example.com
```
futatuki added a commit to futatuki/OpenDKIM that referenced this issue Oct 7, 2024
…e229-fix-signingtable-verification

Fix issue trusteddomainproject#229: fix db handling on verification of SigningTable
in dkimf_config_load

- check error on calling dkimf_db_walk()
- fix request parameter for "signer" field in SigningTable

trusteddomainproject#230
trusteddomainproject#229
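
The failure mode reported in this issue, as an added example that is not part of the issue or the OpenDKIM source: a walk loop that treats every non-zero status as end of data accepts a table containing a bogus entry and never looks at the entries after it. `toy_walk()`, its assumed return convention (0 = record, 1 = end of data, -1 = error) and the sample tables are hypothetical stand-ins, not `dkimf_db_walk()` itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed SigningTable values, "keyname[:signer]"; the empty second
 * value stands in for a bogus entry the walk fails on. */
static const char *const rows[] = {
    "default._domainkey.foo.example.org",
    "",
    "missing._domainkey.baz.example.com:@baz.example.com",
};
/* Constructed KeyTable: the only key name that exists. */
static const char known_key[] = "default._domainkey.foo.example.org";

/* Hypothetical walk (assumed convention): 0 = record, 1 = end, -1 = error. */
static int toy_walk(size_t *pos, char *keyname, size_t len)
{
    if (*pos >= sizeof rows / sizeof rows[0])
        return 1;
    const char *row = rows[(*pos)++];
    size_t n = strcspn(row, ":");       /* the ":signer" part is optional */
    if (n == 0 || n >= len)
        return -1;                      /* bogus or oversized key name */
    memcpy(keyname, row, n);
    keyname[n] = '\0';
    return 0;
}

/* Returns 0 if the table passes, -1 on a missing key, -2 on a walk error.
 * With check_status == 0 the loop behaves like the one quoted in the issue. */
int check_signingtable(int check_status, size_t *seen)
{
    char keyname[256];
    size_t pos = 0;
    int status;
    *seen = 0;
    while ((status = toy_walk(&pos, keyname, sizeof keyname)) == 0) {
        (*seen)++;
        if (strcmp(keyname, known_key) != 0)
            return -1;
    }
    return (check_status && status == -1) ? -2 : 0;
}

int main(void)
{
    size_t n;
    printf("status ignored: %d\n", check_signingtable(0, &n));
    printf("status checked: %d\n", check_signingtable(1, &n));
    return 0;
}
```

In both runs only the first entry is examined; the difference is that the checked loop reports the failure instead of passing a table whose third entry names a key that does not exist.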