Fixed DKIM

Defuzzified patches and fixed some whitespaces

exim-4.88-DKIM-fix.patch

@@ -0,0 +1,630 @@
+diff --git a/src/auths/get_data.c b/src/auths/get_data.c
+index f839a01..11bc581 100644
+--- a/src/auths/get_data.c
++++ b/src/auths/get_data.c
+@@ -31,7 +31,7 @@ auth_get_data(uschar **aptr, uschar *challenge, int challen)
+ int c;
+ int p = 0;
+ smtp_printf("334 %s\r\n", b64encode(challenge, challen));
+-while ((c = receive_getc()) != '\n' && c != EOF)
++while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
+   {
+   if (p >= big_buffer_size - 1) return BAD64;
+   big_buffer[p++] = c;
+diff --git a/src/auths/get_no64_data.c b/src/auths/get_no64_data.c
+index d3ffe08..71e7139 100644
+--- a/src/auths/get_no64_data.c
++++ b/src/auths/get_no64_data.c
+@@ -32,7 +32,7 @@ auth_get_no64_data(uschar **aptr, uschar *challenge)
+ int c;
+ int p = 0;
+ smtp_printf("334 %s\r\n", challenge);
+-while ((c = receive_getc()) != '\n' && c != EOF)
++while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
+   {
+   if (p >= big_buffer_size - 1) return BAD64;
+   big_buffer[p++] = c;
+diff --git a/src/dkim.c b/src/dkim.c
+index 70c9547..445d246 100644
+--- a/src/dkim.c
++++ b/src/dkim.c
+@@ -18,6 +18,7 @@ int dkim_verify_oldpool;
+ pdkim_ctx *dkim_verify_ctx = NULL;
+ pdkim_signature *dkim_signatures = NULL;
+ pdkim_signature *dkim_cur_sig = NULL;
++static BOOL dkim_collect_error = FALSE;
+ 
+ static int
+ dkim_exim_query_dns_txt(char *name, char *answer)
+@@ -87,6 +88,7 @@ if (dkim_verify_ctx)
+ 
+ dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
+ dkim_collect_input = !!dkim_verify_ctx;
++dkim_collect_error = FALSE;
+ 
+ /* Start feed up with any cached data */
+ receive_get_cache();
+@@ -106,6 +108,7 @@ if (  dkim_collect_input
+   {
+   log_write(0, LOG_MAIN,
+ 	     "DKIM: validation error: %.100s", pdkim_errstr(rc));
++  dkim_collect_error = TRUE;
+   dkim_collect_input = FALSE;
+   }
+ store_pool = dkim_verify_oldpool;
+@@ -127,11 +130,7 @@ store_pool = POOL_PERM;
+ 
+ dkim_signatures = NULL;
+ 
+-/* If we have arrived here with dkim_collect_input == FALSE, it
+-means there was a processing error somewhere along the way.
+-Log the incident and disable futher verification. */
+-
+-if (!dkim_collect_input)
++if (dkim_collect_error)
+   {
+   log_write(0, LOG_MAIN,
+ 	     "DKIM: Error while running this message through validation,"
+diff --git a/src/functions.h b/src/functions.h
+index 04d9410..9c60090 100644
+--- a/src/functions.h
++++ b/src/functions.h
+@@ -55,7 +55,7 @@ extern int     tls_export_cert(uschar *, size_t, void *);
+ extern int     tls_feof(void);
+ extern int     tls_ferror(void);
+ extern void    tls_free_cert(void **);
+-extern int     tls_getc(void);
++extern int     tls_getc(unsigned);
+ extern void    tls_get_cache(void);
+ extern int     tls_import_cert(const uschar *, void **);
+ extern int     tls_read(BOOL, uschar *, size_t);
+@@ -101,7 +101,7 @@ extern int     auth_xtextdecode(uschar *, uschar **);
+ 
+ extern uschar *b64encode(uschar *, int);
+ extern int     b64decode(uschar *, uschar **);
+-extern int     bdat_getc(void);
++extern int     bdat_getc(unsigned);
+ extern void    bits_clear(unsigned int *, size_t, int *);
+ extern void    bits_set(unsigned int *, size_t, int *);
+ 
+@@ -395,7 +395,7 @@ extern uschar *smtp_get_connection_info(void);
+ extern BOOL    smtp_get_interface(uschar *, int, address_item *,
+                  uschar **, uschar *);
+ extern BOOL    smtp_get_port(uschar *, address_item *, int *, uschar *);
+-extern int     smtp_getc(void);
++extern int     smtp_getc(unsigned);
+ extern void    smtp_get_cache(void);
+ extern int     smtp_handle_acl_fail(int, int, uschar *, uschar *);
+ extern void    smtp_log_no_mail(void);
+@@ -421,7 +421,7 @@ extern int     spool_open_datafile(uschar *);
+ extern int     spool_open_temp(uschar *);
+ extern int     spool_read_header(uschar *, BOOL, BOOL);
+ extern int     spool_write_header(uschar *, int, uschar **);
+-extern int     stdin_getc(void);
++extern int     stdin_getc(unsigned);
+ extern int     stdin_feof(void);
+ extern int     stdin_ferror(void);
+ extern int     stdin_ungetc(int);
+diff --git a/src/globals.c b/src/globals.c
+index c722059..649335f 100644
+--- a/src/globals.c
++++ b/src/globals.c
+@@ -187,9 +187,9 @@ incoming TCP/IP. The defaults use stdin. We never need these for any
+ stand-alone tests. */
+ 
+ #ifndef STAND_ALONE
+-int (*lwr_receive_getc)(void)  = stdin_getc;
++int (*lwr_receive_getc)(unsigned) = stdin_getc;
+ int (*lwr_receive_ungetc)(int) = stdin_ungetc;
+-int (*receive_getc)(void)      = stdin_getc;
++int (*receive_getc)(unsigned)  = stdin_getc;
+ void (*receive_get_cache)(void)= NULL;
+ int (*receive_ungetc)(int)     = stdin_ungetc;
+ int (*receive_feof)(void)      = stdin_feof;
+diff --git a/src/globals.h b/src/globals.h
+index e3dd507..344f8ef 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -141,9 +141,9 @@ extern uschar  *dsn_advertise_hosts;   /* host for which TLS is advertised */
+ /* Input-reading functions for messages, so we can use special ones for
+ incoming TCP/IP. */
+ 
+-extern int (*lwr_receive_getc)(void);
++extern int (*lwr_receive_getc)(unsigned);
+ extern int (*lwr_receive_ungetc)(int);
+-extern int (*receive_getc)(void);
++extern int (*receive_getc)(unsigned);
+ extern void (*receive_get_cache)(void);
+ extern int (*receive_ungetc)(int);
+ extern int (*receive_feof)(void);
+diff --git a/src/macros.h b/src/macros.h
+index 1b7cf4a..c8957d8 100644
+--- a/src/macros.h
++++ b/src/macros.h
+@@ -968,5 +968,9 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE };
+ #define PEER_OFFERED_SIZE	BIT(6)
+ #define PEER_OFFERED_CHUNKING	BIT(7)
+ 
++/* Argument for *_getc */
++
++#define GETC_BUFFER_UNLIMITED	UINT_MAX
++
+ 
+ /* End of macros.h */
+diff --git a/src/pdkim/pdkim.c b/src/pdkim/pdkim.c
+index 7bfcdf4..bcc3f09 100644
+--- a/src/pdkim/pdkim.c
++++ b/src/pdkim/pdkim.c
+@@ -962,6 +962,11 @@ if (ctx->flags & PDKIM_MODE_SIGN)
+ /* DKIM-Signature: headers are added to the verification list */
+ else
+   {
++  DEBUG(D_acl)
++    {
++    debug_printf("PDKIM >> raw hdr: ");
++    pdkim_quoteprint(CUS ctx->cur_header, Ustrlen(ctx->cur_header));
++    }
+   if (strncasecmp(CCS ctx->cur_header,
+ 		  DKIM_SIGNATURE_HEADERNAME,
+ 		  Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
+diff --git a/src/receive.c b/src/receive.c
+index e535876..9155cf1 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -37,7 +37,7 @@ the file. (When SMTP input is occurring, different functions are used by
+ changing the pointer variables.) */
+ 
+ int
+-stdin_getc(void)
++stdin_getc(unsigned lim)
+ {
+ return getc(stdin);
+ }
+@@ -626,7 +626,7 @@ if (!dot_ends)
+   {
+   register int last_ch = '\n';
+ 
+-  for (; (ch = (receive_getc)()) != EOF; last_ch = ch)
++  for (; (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; last_ch = ch)
+     {
+     if (ch == 0) body_zerocount++;
+     if (last_ch == '\r' && ch != '\n')
+@@ -668,7 +668,7 @@ if (!dot_ends)
+ 
+ ch_state = 1;
+ 
+-while ((ch = (receive_getc)()) != EOF)
++while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
+   {
+   if (ch == 0) body_zerocount++;
+   switch (ch_state)
+@@ -786,7 +786,7 @@ int ch_state = 0;
+ int ch;
+ int linelength = 0;
+ 
+-while ((ch = (receive_getc)()) != EOF)
++while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
+   {
+   if (ch == 0) body_zerocount++;
+   switch (ch_state)
+@@ -913,7 +913,7 @@ read_message_bdat_smtp(FILE *fout)
+ int ch;
+ int linelength = 0;
+ 
+-for (;;) switch (ch = bdat_getc())
++for (;;) switch (ch = bdat_getc(GETC_BUFFER_UNLIMITED))
+   {
+   case EOF: return END_EOF;
+   case EOD: return END_DOT;
+@@ -1682,7 +1682,7 @@ next->text. */
+ 
+ for (;;)
+   {
+-  int ch = (receive_getc)();
++  int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+ 
+   /* If we hit EOF on a SMTP connection, it's an error, since incoming
+   SMTP must have a correct "." terminator. */
+@@ -1761,10 +1761,10 @@ for (;;)
+ 
+   if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+     {
+-    ch = (receive_getc)();
++    ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (ch == '\r')
+       {
+-      ch = (receive_getc)();
++      ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+       if (ch != '\n')
+         {
+         receive_ungetc(ch);
+@@ -1795,7 +1795,7 @@ for (;;)
+ 
+   if (ch == '\r')
+     {
+-    ch = (receive_getc)();
++    ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (ch == '\n')
+       {
+       if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
+@@ -1890,7 +1890,7 @@ for (;;)
+ 
+   if (ch != EOF)
+     {
+-    int nextch = (receive_getc)();
++    int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (nextch == ' ' || nextch == '\t')
+       {
+       next->text[ptr++] = nextch;
+@@ -4024,7 +4024,7 @@ if (smtp_input && sender_host_address != NULL && !sender_host_notsocket &&
+ 
+   if (select(fileno(smtp_in) + 1, &select_check, NULL, NULL, &tv) != 0)
+     {
+-    int c = (receive_getc)();
++    int c = (receive_getc)(GETC_BUFFER_UNLIMITED);
+     if (c != EOF) (receive_ungetc)(c); else
+       {
+       smtp_notquit_exit(US"connection-lost", NULL, NULL);
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index 1484861..82900d9 100644
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -44,11 +44,11 @@ The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
+ we need room to handle large base64-encoded AUTHs for GSSAPI.
+ */
+ 
+-#define smtp_cmd_buffer_size  16384
++#define SMTP_CMD_BUFFER_SIZE  16384
+ 
+ /* Size of buffer for reading SMTP incoming packets */
+ 
+-#define in_buffer_size  8192
++#define IN_BUFFER_SIZE  8192
+ 
+ /* Structure for SMTP command list */
+ 
+@@ -301,7 +301,7 @@ static int     smtp_had_error;
+ 
+ /* forward declarations */
+ int bdat_ungetc(int ch);
+-static int smtp_read_command(BOOL check_sync);
++static int smtp_read_command(BOOL check_sync, unsigned buffer_lim);
+ static int synprot_error(int type, int code, uschar *data, uschar *errmess);
+ static void smtp_quit_handler(uschar **, uschar **);
+ static void smtp_rset_handler(void);
+@@ -315,12 +315,12 @@ it flushes the output, and refills the buffer, with a timeout. The signal
+ handler is set appropriately by the calling function. This function is not used
+ after a connection has negotated itself into an TLS/SSL state.
+ 
+-Arguments:  none
++Arguments:  lim		Maximum amount to read/buffer
+ Returns:    the next character or EOF
+ */
+ 
+ int
+-smtp_getc(void)
++smtp_getc(unsigned lim)
+ {
+ if (smtp_inptr >= smtp_inend)
+   {
+@@ -328,7 +328,10 @@ if (smtp_inptr >= smtp_inend)
+   if (!smtp_out) return EOF;
+   fflush(smtp_out);
+   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+-  rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
++
++  /* Limit amount read, so non-message data is not fed to DKIM */
++
++  rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE, lim));
+   save_errno = errno;
+   alarm(0);
+   if (rc <= 0)
+@@ -376,23 +379,26 @@ to handle the BDAT command/response.
+ Placed here due to the correlation with the above smtp_getc(), which it wraps,
+ and also by the need to do smtp command/response handling.
+ 
+-Arguments:  none
++Arguments:  lim		(ignored)
+ Returns:    the next character or ERR, EOD or EOF
+ */
+ 
+ int
+-bdat_getc(void)
++bdat_getc(unsigned lim)
+ {
+ uschar * user_msg = NULL;
+ uschar * log_msg;
+ 
+ for(;;)
+   {
+-  if (chunking_data_left-- > 0)
+-    return lwr_receive_getc();
++  if (chunking_data_left > 0)
++    return lwr_receive_getc(chunking_data_left--);
+ 
+   receive_getc = lwr_receive_getc;
+   receive_ungetc = lwr_receive_ungetc;
++#ifndef DISABLE_DKIM
++  dkim_collect_input = FALSE;
++#endif
+ 
+   /* If not the last, ack the received chunk.  The last response is delayed
+   until after the data ACL decides on it */
+@@ -405,21 +411,22 @@ for(;;)
+     return EOD;
+     }
+ 
+-  chunking_state = CHUNKING_OFFERED;
+   smtp_printf("250 %u byte chunk received\r\n", chunking_datasize);
++  chunking_state = CHUNKING_OFFERED;
++  DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
+ 
+   /* Expect another BDAT cmd from input. RFC 3030 says nothing about
+   QUIT, RSET or NOOP but handling them seems obvious */
+ 
+ next_cmd:
+-  switch(smtp_read_command(TRUE))
++  switch(smtp_read_command(TRUE, 1))
+     {
+     default:
+       (void) synprot_error(L_smtp_protocol_error, 503, NULL,
+ 	US"only BDAT permissible after non-LAST BDAT");
+ 
+   repeat_until_rset:
+-      switch(smtp_read_command(TRUE))
++      switch(smtp_read_command(TRUE, 1))
+ 	{
+ 	case QUIT_CMD:	smtp_quit_handler(&user_msg, &log_msg);	/*FALLTHROUGH */
+ 	case EOF_CMD:	return EOF;
+@@ -458,6 +465,8 @@ next_cmd:
+       chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
+ 	? CHUNKING_LAST : CHUNKING_ACTIVE;
+       chunking_data_left = chunking_datasize;
++      DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
++				    (int)chunking_state, chunking_data_left);
+ 
+       if (chunking_datasize == 0)
+ 	if (chunking_state == CHUNKING_LAST)
+@@ -471,6 +480,9 @@ next_cmd:
+ 
+       receive_getc = bdat_getc;
+       receive_ungetc = bdat_ungetc;
++#ifndef DISABLE_DKIM
++      dkim_collect_input = TRUE;
++#endif
+       break;	/* to top of main loop */
+       }
+     }
+@@ -480,15 +492,18 @@ next_cmd:
+ static void
+ bdat_flush_data(void)
+ {
+-while (chunking_data_left-- > 0)
+-  if (lwr_receive_getc() < 0)
++while (chunking_data_left > 0)
++  if (lwr_receive_getc(chunking_data_left--) < 0)
+     break;
+ 
+ receive_getc = lwr_receive_getc;
+ receive_ungetc = lwr_receive_ungetc;
+ 
+ if (chunking_state != CHUNKING_LAST)
++  {
+   chunking_state = CHUNKING_OFFERED;
++  DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
++  }
+ }
+ 
+ 
+@@ -1126,13 +1141,14 @@ signal handler that closes down the session on a timeout. Control does not
+ return when it runs.
+ 
+ Arguments:
+-  check_sync   if TRUE, check synchronization rules if global option is TRUE
++  check_sync	if TRUE, check synchronization rules if global option is TRUE
++  buffer_lim	maximum to buffer in lower layer
+ 
+ Returns:       a code identifying the command (enumerated above)
+ */
+ 
+ static int
+-smtp_read_command(BOOL check_sync)
++smtp_read_command(BOOL check_sync, unsigned buffer_lim)
+ {
+ int c;
+ int ptr = 0;
+@@ -1141,9 +1157,9 @@ BOOL hadnull = FALSE;
+ 
+ os_non_restarting_signal(SIGALRM, command_timeout_handler);
+ 
+-while ((c = (receive_getc)()) != '\n' && c != EOF)
++while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
+   {
+-  if (ptr >= smtp_cmd_buffer_size)
++  if (ptr >= SMTP_CMD_BUFFER_SIZE)
+     {
+     os_non_restarting_signal(SIGALRM, sigalrm_handler);
+     return OTHER_CMD;
+@@ -1301,7 +1317,7 @@ tzero.tv_usec = 0;
+ rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
+ 
+ if (rc <= 0) return TRUE;     /* Not ready to read */
+-rc = smtp_getc();
++rc = smtp_getc(GETC_BUFFER_UNLIMITED);
+ if (rc < 0) return TRUE;      /* End of file or error */
+ 
+ smtp_ungetc(rc);
+@@ -1337,7 +1353,7 @@ if (smtp_in == NULL || smtp_batched_input) return;
+ receive_swallow_smtp();
+ smtp_printf("421 %s\r\n", message);
+ 
+-for (;;) switch(smtp_read_command(FALSE))
++for (;;) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+   {
+   case EOF_CMD:
+   return;
+@@ -1781,7 +1797,7 @@ while (done <= 0)
+   uschar *recipient = NULL;
+   int start, end, sender_domain, recipient_domain;
+ 
+-  switch(smtp_read_command(FALSE))
++  switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+     {
+     /* The HELO/EHLO commands set sender_address_helo if they have
+     valid data; otherwise they are ignored, except that they do
+@@ -2040,12 +2056,12 @@ acl_var_c = NULL;
+ 
+ /* Allow for trailing 0 in the command and data buffers. */
+ 
+-if (!(smtp_cmd_buffer = US malloc(2*smtp_cmd_buffer_size + 2)))
++if (!(smtp_cmd_buffer = US malloc(2*SMTP_CMD_BUFFER_SIZE + 2)))
+   log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+     "malloc() failed for SMTP command buffer");
+ 
+ smtp_cmd_buffer[0] = 0;
+-smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
++smtp_data_buffer = smtp_cmd_buffer + SMTP_CMD_BUFFER_SIZE + 1;
+ 
+ /* For batched input, the protocol setting can be overridden from the
+ command line by a trusted caller. */
+@@ -2065,7 +2081,7 @@ else
+ /* Set up the buffer for inputting using direct read() calls, and arrange to
+ call the local functions instead of the standard C ones. */
+ 
+-if (!(smtp_inbuffer = (uschar *)malloc(in_buffer_size)))
++if (!(smtp_inbuffer = (uschar *)malloc(IN_BUFFER_SIZE)))
+   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
+ 
+ receive_getc = smtp_getc;
+@@ -3550,7 +3566,7 @@ while (done <= 0)
+ 	    US &off, sizeof(off));
+ #endif
+ 
+-  switch(smtp_read_command(TRUE))
++  switch(smtp_read_command(TRUE, GETC_BUFFER_UNLIMITED))
+     {
+     /* The AUTH command is not permitted to occur inside a transaction, and may
+     occur successfully only once per connection. Actually, that isn't quite
+@@ -4750,14 +4766,14 @@ while (done <= 0)
+       chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
+ 	? CHUNKING_LAST : CHUNKING_ACTIVE;
+       chunking_data_left = chunking_datasize;
++      DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
++				    (int)chunking_state, chunking_data_left);
+ 
+       lwr_receive_getc = receive_getc;
+       lwr_receive_ungetc = receive_ungetc;
+       receive_getc = bdat_getc;
+       receive_ungetc = bdat_ungetc;
+ 
+-      DEBUG(D_any)
+-        debug_printf("chunking state %d\n", (int)chunking_state);
+       goto DATA_BDAT;
+       }
+ 
+@@ -4973,7 +4989,7 @@ while (done <= 0)
+     It seems safest to just wipe away the content rather than leave it as a
+     target to jump to. */
+ 
+-    memset(smtp_inbuffer, 0, in_buffer_size);
++    memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
+ 
+     /* Attempt to start up a TLS session, and if successful, discard all
+     knowledge that was obtained previously. At least, that's what the RFC says,
+@@ -5027,7 +5043,7 @@ while (done <= 0)
+     set, but we must still reject all incoming commands. */
+ 
+     DEBUG(D_tls) debug_printf("TLS failed to start\n");
+-    while (done <= 0) switch(smtp_read_command(FALSE))
++    while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+       {
+       case EOF_CMD:
+ 	log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
+@@ -5315,8 +5331,8 @@ while (done <= 0)
+ 
+     case BADSYN_CMD:
+     SYNC_FAILURE:
+-    if (smtp_inend >= smtp_inbuffer + in_buffer_size)
+-      smtp_inend = smtp_inbuffer + in_buffer_size - 1;
++    if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
++      smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
+     c = smtp_inend - smtp_inptr;
+     if (c > 150) c = 150;
+     smtp_inptr[c] = 0;
+diff --git a/src/tls-gnu.c b/src/tls-gnu.c
+index 10bfaca..181dde4 100644
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -2158,12 +2158,12 @@ Only used by the server-side TLS.
+ 
+ This feeds DKIM and should be used for all message-body reads.
+ 
+-Arguments:  none
++Arguments:  lim		Maximum amount to read/bufffer
+ Returns:    the next character or EOF
+ */
+ 
+ int
+-tls_getc(void)
++tls_getc(unsigned lim)
+ {
+ exim_gnutls_state_st *state = &state_server;
+ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
+@@ -2175,7 +2175,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
+ 
+   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+   inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
+-    ssl_xfer_buffer_size);
++    MIN(ssl_xfer_buffer_size, lim));
+   alarm(0);
+ 
+   /* Timeouts do not get this far; see command_timeout_handler().
+@@ -2213,7 +2213,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
+     state->tlsp->peercert = NULL;
+     state->tlsp->peerdn = NULL;
+ 
+-    return smtp_getc();
++    return smtp_getc(lim);
+     }
+ 
+   /* Handle genuine errors */
+diff --git a/src/tls-openssl.c b/src/tls-openssl.c
+index d9426ac..0ac7d03 100644
+--- a/src/tls-openssl.c
++++ b/src/tls-openssl.c
+@@ -2360,14 +2360,14 @@ return OK;
+ /* This gets the next byte from the TLS input buffer. If the buffer is empty,
+ it refills the buffer via the SSL reading function.
+ 
+-Arguments:  none
++Arguments:  lim		Maximum amount to read/buffer
+ Returns:    the next character or EOF
+ 
+ Only used by the server-side TLS.
+ */
+ 
+ int
+-tls_getc(void)
++tls_getc(unsigned lim)
+ {
+ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
+   {
+@@ -2378,7 +2378,8 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
+     ssl_xfer_buffer, ssl_xfer_buffer_size);
+ 
+   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+-  inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
++  inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
++		    MIN(ssl_xfer_buffer_size, lim));
+   error = SSL_get_error(server_ssl, inbytes);
+   alarm(0);
+ 
+@@ -2405,7 +2406,7 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
+     tls_in.peerdn = NULL;
+     tls_in.sni = NULL;
+ 
+-    return smtp_getc();
++    return smtp_getc(lim);
+     }
+ 
+   /* Handle genuine errors */

exim-4.88-allow-filter.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index e4ca5b9..d1ce2f1 100644
+index 1e3c63f..0e7854c 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -722,7 +722,7 @@ userforward:
+@@ -724,7 +724,7 @@ userforward:
  # local_part_suffix = +* : -*
  # local_part_suffix_optional
    file = $home/.forward

exim-4.88-cyrus.patch

@@ -1,12 +1,12 @@
 diff --git a/src/configure.default b/src/configure.default
-index 12ed1e0..0af6fb8 100644
+index 8b6162b..d588898 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -763,6 +763,16 @@ address_reply:
+@@ -765,6 +765,16 @@ address_reply:
    driver = autoreply
  
  
-+# This transport is used to deliver local mail to cyrus IMAP server via UNIX 
++# This transport is used to deliver local mail to cyrus IMAP server via UNIX
 +# socket. You'll need to configure the 'localuser' router above to use it.
 +#
 +#lmtp_delivery:

exim-4.88-dlopen-localscan.patch

@@ -1,8 +1,8 @@
 diff --git a/src/EDITME b/src/EDITME
-index bbb7527..df3dcc8 100644
+index 5a08197..3921db6 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -784,6 +784,20 @@ TLS_LIBS=-lssl -lcrypto
+@@ -792,6 +792,20 @@ TLS_LIBS=-lssl -lcrypto
  
  
  #------------------------------------------------------------------------------
@@ -24,7 +24,7 @@ index bbb7527..df3dcc8 100644
  # documentation. Other forms are available separately. If you want to install
  # the documentation in "info" format, first fetch the Texinfo documentation
 diff --git a/src/config.h.defaults b/src/config.h.defaults
-index 266c268..6a4a1f8 100644
+index bafdc1b..c6ba256 100644
 --- a/src/config.h.defaults
 +++ b/src/config.h.defaults
 @@ -28,6 +28,8 @@ it's a default value. */
@@ -37,10 +37,10 @@ index 266c268..6a4a1f8 100644
  
  #define CONFIGURE_FILE
 diff --git a/src/globals.c b/src/globals.c
-index ec2685b..f8375bf 100644
+index f83d850..c722059 100644
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -171,6 +171,10 @@ uschar *tls_verify_hosts       = NULL;
+@@ -167,6 +167,10 @@ uschar *tls_verify_hosts       = NULL;
  uschar *tls_advertise_hosts    = NULL;
  #endif
  
@@ -52,10 +52,10 @@ index ec2685b..f8375bf 100644
  /* Per Recipient Data Response variables */
  BOOL    prdr_enable            = FALSE;
 diff --git a/src/globals.h b/src/globals.h
-index 57a5695..0a60902 100644
+index b3747a8..e3dd507 100644
 --- a/src/globals.h
 +++ b/src/globals.h
-@@ -129,6 +129,11 @@ extern uschar *tls_try_verify_hosts;   /* Optional client verification */
+@@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts;   /* Optional client verification */
  extern uschar *tls_verify_certificates;/* Path for certificates to check */
  extern uschar *tls_verify_hosts;       /* Mandatory client verification */
  #endif
@@ -251,10 +251,10 @@ index 3500047..8599172 100644
 +
  /* End of local_scan.c */
 diff --git a/src/readconf.c b/src/readconf.c
-index 5ca6a84..f1ec503 100644
+index b2a3c73..6f2efa0 100644
 --- a/src/readconf.c
 +++ b/src/readconf.c
-@@ -317,6 +317,9 @@ static optionlist optionlist_config[] = {
+@@ -314,6 +314,9 @@ static optionlist optionlist_config[] = {
    { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
    { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
    { "local_interfaces",         opt_stringptr,   &local_interfaces },

exim-4.88-greylist-conf.patch

@@ -1,5 +1,5 @@
 diff --git a/src/configure.default b/src/configure.default
-index 1f10008..40b3bb2 100644
+index 921c53b..a92c954 100644
 --- a/src/configure.default
 +++ b/src/configure.default
 @@ -107,6 +107,7 @@ hostlist   relay_from_hosts = localhost
@@ -72,7 +72,7 @@ index 1f10008..40b3bb2 100644
    # At this point, the address has passed all the checks that have been
    # configured, so we accept it unconditionally.
  
-@@ -544,6 +577,12 @@ acl_check_data:
+@@ -546,6 +579,12 @@ acl_check_data:
    # deny    condition  = ${if !def:h_Message-ID: {1}}
    #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
    #                      Most messages without it are spam, so your mail has been rejected.
@@ -85,7 +85,7 @@ index 1f10008..40b3bb2 100644
  
    # Deny if the message contains a virus. Before enabling this check, you
    # must install a virus scanner and set the av_scanner option above.
-@@ -578,8 +617,30 @@ acl_check_data:
+@@ -580,8 +619,30 @@ acl_check_data:
    #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
    #  	    	        $spam_report
  

exim-4.88-pamconfig.patch

@@ -1,5 +1,5 @@
 diff --git a/src/configure.default b/src/configure.default
-index 0af6fb8..531435b 100644
+index d588898..61bdae8 100644
 --- a/src/configure.default
 +++ b/src/configure.default
 @@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
@@ -43,7 +43,7 @@ index 0af6fb8..531435b 100644
 +# Kerberos rather than only local users, then you possibly also want
 +# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
 +# too. Once a user is authenticated, the acl_check_rcpt ACL then
-+# allows them to relay through the system. 
++# allows them to relay through the system.
 +#
 +# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
 +#
@@ -58,7 +58,7 @@ index 0af6fb8..531435b 100644
  
  # The settings below cause Exim to make RFC 1413 (ident) callbacks
  # for all incoming SMTP calls. You can limit the hosts to which these
-@@ -842,7 +860,7 @@ begin authenticators
+@@ -844,7 +862,7 @@ begin authenticators
  #  driver                     = plaintext
  #  server_set_id              = $auth2
  #  server_prompts             = :
@@ -67,7 +67,7 @@ index 0af6fb8..531435b 100644
  #  server_advertise_condition = ${if def:tls_in_cipher }
  
  # LOGIN authentication has traditional prompts and responses. There is no
-@@ -854,7 +872,7 @@ begin authenticators
+@@ -856,7 +874,7 @@ begin authenticators
  #  driver                     = plaintext
  #  server_set_id              = $auth1
  #  server_prompts             = <| Username: | Password:

exim-4.88-procmail.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 374c51d..e4ca5b9 100644
+index ecc3d6e..1e3c63f 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -730,6 +730,12 @@ userforward:
+@@ -732,6 +732,12 @@ userforward:
    pipe_transport = address_pipe
    reply_transport = address_reply
  
@@ -15,7 +15,7 @@ index 374c51d..e4ca5b9 100644
  
  # This router matches local user mailboxes. If the router fails, the error
  # message is "Unknown user".
-@@ -771,6 +777,16 @@ remote_smtp:
+@@ -773,6 +779,16 @@ remote_smtp:
    driver = smtp
    message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  

exim-4.88-rhl.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 3c8cf97..12ed1e0 100644
+index 985f1d0..8b6162b 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -628,7 +628,7 @@ system_aliases:
+@@ -630,7 +630,7 @@ system_aliases:
    driver = redirect
    allow_fail
    allow_defer
@@ -11,7 +11,7 @@ index 3c8cf97..12ed1e0 100644
  # user = exim
    file_transport = address_file
    pipe_transport = address_pipe
-@@ -729,8 +729,8 @@ local_delivery:
+@@ -731,8 +731,8 @@ local_delivery:
    delivery_date_add
    envelope_to_add
    return_path_add

exim-4.88-smarthost-config.patch

@@ -1,8 +1,8 @@
 diff --git a/src/configure.default b/src/configure.default
-index 40b3bb2..9acae90 100644
+index a92c954..13599ae 100644
 --- a/src/configure.default
 +++ b/src/configure.default
-@@ -838,6 +838,15 @@ remote_smtp:
+@@ -840,6 +840,15 @@ remote_smtp:
    driver = smtp
    message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  
@@ -18,7 +18,7 @@ index 40b3bb2..9acae90 100644
  # This transport invokes procmail to deliver mail
  procmail:
    driver = pipe
-@@ -946,6 +955,21 @@ begin rewrite
+@@ -948,6 +957,21 @@ begin rewrite
  #                   AUTHENTICATION CONFIGURATION                     #
  ######################################################################
  
@@ -40,7 +40,7 @@ index 40b3bb2..9acae90 100644
  # The following authenticators support plaintext username/password
  # authentication using the standard PLAIN mechanism and the traditional
  # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -961,7 +985,7 @@ begin rewrite
+@@ -963,7 +987,7 @@ begin rewrite
  # The default RCPT ACL checks for successful authentication, and will accept
  # messages from authenticated users from anywhere on the Internet.
  

exim.spec

@@ -14,7 +14,7 @@
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.88
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@@ -46,22 +46,25 @@ Source24: exim.service
 Source25: exim-gen-cert
 Source26: clamd.exim.service
 
-Patch4: exim-4.87-rhl.patch
+Patch4: exim-4.88-rhl.patch
 Patch6: exim-4.88-config.patch
 Patch8: exim-4.82-libdir.patch
-Patch12: exim-4.87-cyrus.patch
-Patch13: exim-4.87-pamconfig.patch
+Patch12: exim-4.88-cyrus.patch
+Patch13: exim-4.88-pamconfig.patch
 Patch14: exim-4.87-spamdconf.patch
-Patch18: exim-4.87-dlopen-localscan.patch
-Patch19: exim-4.87-procmail.patch
-Patch20: exim-4.87-allow-filter.patch
+Patch18: exim-4.88-dlopen-localscan.patch
+Patch19: exim-4.88-procmail.patch
+Patch20: exim-4.88-allow-filter.patch
 Patch21: exim-4.87-localhost-is-local.patch
-Patch22: exim-4.87-greylist-conf.patch
-Patch23: exim-4.87-smarthost-config.patch
+Patch22: exim-4.88-greylist-conf.patch
+Patch23: exim-4.88-smarthost-config.patch
 Patch25: exim-4.87-dynlookup-config.patch
 # Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
 Patch26: exim-4.85-pic.patch
 Patch27: exim-4.87-environment.patch
+# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2016
+# Upsream patch: https://git.exim.org/exim.git/patch/bd8fbe3606d80e5a3fc02fe71b521146c6938448
+Patch28: exim-4.88-DKIM-fix.patch
 
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@@ -208,6 +211,7 @@ greylisting unconditional.
 %patch25 -p1 -b .dynconfig
 %patch26 -p1 -b .fpic
 %patch27 -p1 -b .environment
+%patch28 -p1 -b .DKIM-fix
 
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -588,6 +592,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 
 %changelog
+* Mon Jan 23 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.88-3
+- Fixed DKIM
+- Defuzzified patches and fixed some whitespaces
+
 * Sat Jan 14 2017 Ville Skyttä <ville.skytta@iki.fi> - 4.88-2
 - Move tmpfiles.d config to %%{_tmpfilesdir}
 - Install license files as %%license