From 9aa364f66fd792a201e15ccb43f811cad74bc956 Mon Sep 17 00:00:00 2001 From: Ivan Remen Date: Tue, 9 Aug 2016 05:49:05 -0400 Subject: [PATCH] DKIM: if one of signatures are correct for dkim domain, then use it, not the first one --- src/src/dkim.c | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/src/src/dkim.c b/src/src/dkim.c index 3fa11c8007..b968e1b5b5 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -279,6 +279,7 @@ void dkim_exim_acl_setup(uschar * id) { pdkim_signature * sig; +pdkim_signature *candidate_sig = NULL; uschar * cmp_val; dkim_cur_sig = NULL; @@ -295,20 +296,28 @@ for (sig = dkim_signatures; sig; sig = sig->next) ) { dkim_cur_sig = sig; - - /* The "dkim_domain" and "dkim_selector" expansion variables have - related globals, since they are used in the signing code too. - Instead of inventing separate names for verification, we set - them here. This is easy since a domain and selector is guaranteed - to be in a signature. The other dkim_* expansion items are - dynamically fetched from dkim_cur_sig at expansion time (see - function below). */ - - dkim_signing_domain = US sig->domain; - dkim_signing_selector = US sig->selector; - dkim_key_length = sig->sigdata.len * 8; - return; + if (!candidate_sig) candidate_sig = sig; + if (sig->verify_status == PDKIM_VERIFY_PASS) + { + candidate_sig = sig; + break; + } } + + if (candidate_sig) + { + /* The "dkim_domain" and "dkim_selector" expansion variables have + related globals, since they are used in the signing code too. + Instead of inventing separate names for verification, we set + them here. This is easy since a domain and selector is guaranteed + to be in a signature. The other dkim_* expansion items are + dynamically fetched from dkim_cur_sig at expansion time (see + function below). */ + + dkim_signing_domain = US candidate_sig->domain; + dkim_signing_selector = US candidate_sig->selector; + dkim_key_length = candidate_sig->sigdata.len * 8; + } }
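Review bot: In the second hunk `dkim_cur_sig = sig;` still runs on every matching iteration, so when no matching signature has `PDKIM_VERIFY_PASS` it is left on the last match while `candidate_sig` stays on the first. `dkim_signing_domain`, `dkim_signing_selector` and `dkim_key_length` are then taken from one signature, while (per the comment kept in this hunk) the other dkim_* expansions are read from `dkim_cur_sig`, so an ACL can pair one signature's selector and key length with another's verify status. Drop the assignment inside the loop and set it once after selection, `dkim_cur_sig = candidate_sig;` inside the `if (candidate_sig)` block, so that every expansion describes the same signature. The loop's match condition begins outside the hunk, so whether several signatures can match one id in practice is inferred from the commit subject rather than visible here.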