Re-merge update of pull request trusteddomainproject#228 from r-a-z-v…

…-a-n/CheckSigningTable

Add command line option to override CheckSigningTable setting on
config file.

trusteddomainproject#228

opendkim/opendkim.8.in

@@ -7,6 +7,7 @@
 [\-A]
 [\-b modes]
 [\-c canon]
+[\-G|\-g]
 [\-d domain[,...]]
 [\-D]
 [\-e name]
@@ -283,8 +284,17 @@ forks and exits immediately, leaving the service running in the background.
 This flag suppresses that behaviour so that it runs in the foreground.
 .TP
 .I \-g
-Skip checking the SigningTable for any missing keys in the KeyTable.  This 
-is the same as setting CheckSigningTable=no in opendkim.conf(5).
+Skip walking the SigningTable for any missing keys in the KeyTable.
+This overrides the config option CheckSigningTable in
+.I opendkim.conf(5).
+.TP
+.I \-G
+Walk the SigningTable for any missing keys in the KeyTable on
+loading config file.  This overrides config option CheckSigningTable in
+.I opendkim.conf(5).
+In conjunction with
+.I \-n
+option described below, you can perform the check only.
 .TP
 .I \-F time
 Specifies a fixed time to use when generating signatures.  Ignored unless

opendkim/opendkim.c

@@ -137,7 +137,7 @@
 #endif /* _FFR_REPUTATION */
 
 /* macros */
-#define CMDLINEOPTS	"Ab:c:d:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
+#define CMDLINEOPTS	"Ab:c:d:De:fF:Ggk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
 
 #ifndef MIN
 # define MIN(x,y)	((x) < (y) ? (x) : (y))
@@ -248,7 +248,7 @@ struct dkimf_config
 	_Bool		conf_noheaderb;		/* suppress "header.b" */
 	_Bool		conf_singleauthres;	/* single Auth-Results */
 	_Bool		conf_safekeys;		/* check key permissions */
-	_Bool		conf_checksigningtable; /* skip checking keys on startup */
+	_Bool		conf_checksigningtable; /* check keys on dkimf_config_load */
 #ifdef _FFR_RESIGN
 	_Bool		conf_resignall;		/* resign unverified mail */
 #endif /* _FFR_RESIGN */
@@ -735,6 +735,8 @@ _Bool reload;					/* reload requested */
 _Bool no_i_whine;				/* noted ${i} is undefined */
 _Bool testmode;					/* test mode */
 _Bool allowdeprecated;				/* allow deprecated config values */
+_Bool init_checksigningtable;			/* initializing value for CheckSigningTable */
+_Bool use_cf_checksigningtable;			/* use CheckSigningTable on config file? */
 #ifdef QUERY_CACHE
 _Bool querycache;				/* local query cache */
 #endif /* QUERY_CACHE */
@@ -5893,7 +5895,7 @@ dkimf_config_new(void)
 	new->conf_atpshash = dkimf_atpshash[0].str;
 #endif /* _FFR_ATPS */
 	new->conf_selectcanonhdr = SELECTCANONHDR;
-	new->conf_checksigningtable = TRUE;
+	new->conf_checksigningtable = init_checksigningtable;
 
 	memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling);
 
@@ -6211,10 +6213,12 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 		                  sizeof conf->conf_softstart);
 #endif /* (USE_LDAP || USE_ODBX) */
 
-		(void) config_get(data, "CheckSigningTable",
-		                  &conf->conf_checksigningtable,
-		                  sizeof conf->conf_checksigningtable);
-
+		if (use_cf_checksigningtable)
+		{
+			(void) config_get(data, "CheckSigningTable",
+			                  &conf->conf_checksigningtable,
+			                  sizeof conf->conf_checksigningtable);
+		}
 		(void) config_get(data, "DNSConnect",
 		                  &conf->conf_dnsconnect,
 		                  sizeof conf->conf_dnsconnect);
@@ -15529,6 +15533,7 @@ usage(void)
 	                "\t-A          \tauto-restart\n"
 	                "\t-b modes    \tselect operating modes\n"
 	                "\t-c canon    \tcanonicalization to use when signing\n"
+	                "\t-G          \tforce walk SigningTable when loading config\n"
 	                "\t-d domlist  \tdomains to sign\n"
 	                "\t-D          \talso sign subdomains\n"
 	                "\t-e name     \textract configuration value and exit\n"
@@ -15627,6 +15632,8 @@ main(int argc, char **argv)
 #endif /* POPAUTH */
 	no_i_whine = TRUE;
 	conffile = NULL;
+	init_checksigningtable = TRUE;
+	use_cf_checksigningtable = TRUE;
 
 	memset(myhostname, '\0', sizeof myhostname);
 	(void) gethostname(myhostname, sizeof myhostname);
@@ -15715,9 +15722,16 @@ main(int argc, char **argv)
 			break;
 
 		  case 'g':
+			use_cf_checksigningtable = FALSE;
+			init_checksigningtable = FALSE;
 			curconf->conf_checksigningtable = FALSE;
 			break;
 
+		  case 'G':
+			use_cf_checksigningtable = FALSE;
+			init_checksigningtable = TRUE;
+			curconf->conf_checksigningtable = TRUE;
+			break;
 
 		  case 'k':
 			if (optarg == NULL || *optarg == '\0')

opendkim/opendkim.conf.5.in

@@ -181,8 +181,8 @@ is not also set.
 
 .TP
 .I CheckSigningTable (Boolean)
-If set to yes, it walks the SigningTable on boot when it loads the config
-file to check for missing keys in KeyTable.  The default is yes.
+If set to yes, it walks the SigningTable when loading the config file
+to check for missing keys in KeyTable.  The default is yes.
 
 .TP
 .I ClockDrift (integer)