add CheckSigningTable config option

opendkim/opendkim-config.h

@@ -44,6 +44,7 @@ struct configdef dkimf_config[] =
 	{ "Canonicalization",		CONFIG_TYPE_STRING,	FALSE },
 	{ "CaptureUnknownErrors",	CONFIG_TYPE_BOOLEAN,	FALSE },
 	{ "ChangeRootDirectory",	CONFIG_TYPE_STRING,	FALSE },
+	{ "CheckSigningTable",		CONFIG_TYPE_BOOLEAN,	FALSE },
 	{ "ClockDrift",			CONFIG_TYPE_INTEGER,	FALSE },
 #ifdef _FFR_CONDITIONAL
 	{ "ConditionalSignatures",	CONFIG_TYPE_STRING,	FALSE },

opendkim/opendkim.8.in

@@ -7,6 +7,7 @@
 [\-A]
 [\-b modes]
 [\-c canon]
+[\-G|\-g]
 [\-d domain[,...]]
 [\-D]
 [\-e name]
@@ -282,6 +283,19 @@ Normally
 forks and exits immediately, leaving the service running in the background.
 This flag suppresses that behaviour so that it runs in the foreground.
 .TP
+.I \-g
+Skip walking the SigningTable for any missing keys in the KeyTable.
+This overrides the config option CheckSigningTable in
+.I opendkim.conf(5).
+.TP
+.I \-G
+Walk the SigningTable for any missing keys in the KeyTable on
+loading config file.  This overrides config option CheckSigningTable in
+.I opendkim.conf(5).
+In conjunction with
+.I \-n
+option described below, you can perform the check only.
+.TP
 .I \-F time
 Specifies a fixed time to use when generating signatures.  Ignored unless
 also used in conjunction with

opendkim/opendkim.c

@@ -137,7 +137,7 @@
 #endif /* _FFR_REPUTATION */
 
 /* macros */
-#define CMDLINEOPTS	"Ab:c:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
+#define CMDLINEOPTS	"Ab:c:d:De:fF:Ggk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
 
 #ifndef MIN
 # define MIN(x,y)	((x) < (y) ? (x) : (y))
@@ -248,6 +248,7 @@ struct dkimf_config
 	_Bool		conf_noheaderb;		/* suppress "header.b" */
 	_Bool		conf_singleauthres;	/* single Auth-Results */
 	_Bool		conf_safekeys;		/* check key permissions */
+	_Bool		conf_checksigningtable; /* check keys on dkimf_config_load */
 #ifdef _FFR_RESIGN
 	_Bool		conf_resignall;		/* resign unverified mail */
 #endif /* _FFR_RESIGN */
@@ -749,6 +750,8 @@ _Bool reload;					/* reload requested */
 _Bool no_i_whine;				/* noted ${i} is undefined */
 _Bool testmode;					/* test mode */
 _Bool allowdeprecated;				/* allow deprecated config values */
+_Bool init_checksigningtable;			/* initializing value for CheckSigningTable */
+_Bool use_cf_checksigningtable;			/* use CheckSigningTable on config file? */
 #ifdef QUERY_CACHE
 _Bool querycache;				/* local query cache */
 #endif /* QUERY_CACHE */
@@ -5882,6 +5885,7 @@ dkimf_config_new(void)
 	new->conf_atpshash = dkimf_atpshash[0].str;
 #endif /* _FFR_ATPS */
 	new->conf_selectcanonhdr = SELECTCANONHDR;
+	new->conf_checksigningtable = init_checksigningtable;
 
 	memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling);
 
@@ -6199,6 +6203,12 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 		                  sizeof conf->conf_softstart);
 #endif /* (USE_LDAP || USE_ODBX) */
 
+		if (use_cf_checksigningtable)
+		{
+			(void) config_get(data, "CheckSigningTable",
+			                  &conf->conf_checksigningtable,
+			                  sizeof conf->conf_checksigningtable);
+		}
 		(void) config_get(data, "DNSConnect",
 		                  &conf->conf_dnsconnect,
 		                  sizeof conf->conf_dnsconnect);
@@ -8323,7 +8333,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
 		**  missing KeyTable entries.
 		*/
 
-		if (conf->conf_signtabledb != NULL)
+		if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE)
 		{
 			_Bool first = TRUE;
 			_Bool found;
@@ -15469,6 +15479,8 @@ usage(void)
 	                "\t-e name     \textract configuration value and exit\n"
 	                "\t-f          \tdon't fork-and-exit\n"
 	                "\t-F time     \tfixed timestamp to use when signing (test mode only)\n"
+	                "\t-g          \tdo not walk SigningTable when loading config\n"
+	                "\t-G          \tforce walk SigningTable when loading config\n"
 	                "\t-k keyfile  \tlocation of secret key file\n"
 	                "\t-l          \tlog activity to system log\n"
 	                "\t-L limit    \tsignature limit requirements\n"
@@ -15557,6 +15569,8 @@ main(int argc, char **argv)
 #endif /* POPAUTH */
 	no_i_whine = TRUE;
 	conffile = NULL;
+	init_checksigningtable = TRUE;
+	use_cf_checksigningtable = TRUE;
 
 	memset(myhostname, '\0', sizeof myhostname);
 	(void) gethostname(myhostname, sizeof myhostname);
@@ -15644,6 +15658,18 @@ main(int argc, char **argv)
 			}
 			break;
 
+		  case 'g':
+			use_cf_checksigningtable = FALSE;
+			init_checksigningtable = FALSE;
+			curconf->conf_checksigningtable = FALSE;
+			break;
+
+		  case 'G':
+			use_cf_checksigningtable = FALSE;
+			init_checksigningtable = TRUE;
+			curconf->conf_checksigningtable = TRUE;
+			break;
+
 		  case 'k':
 			if (optarg == NULL || *optarg == '\0')
 				return usage();

opendkim/opendkim.conf.5.in

@@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if
 .I UserID
 is not also set.
 
+.TP
+.I CheckSigningTable (Boolean)
+If set to yes, it walks the SigningTable when loading the config file
+to check for missing keys in KeyTable.  The default is yes.
+
 .TP
 .I ClockDrift (integer)
 Sets the tolerance in seconds to be applied when determining whether a

opendkim/opendkim.conf.sample

@@ -129,6 +129,15 @@
 
 # Canonicalization	simple/simple
 
+##  CheckSigningTable  { yes | no }
+##  	default "yes"
+##
+##  If set, the SigningTable will be checked for missing keys in
+##  KeyTable when loading the config. This can take a longer time with 
+##  larger databases. Requires opendbx.
+
+# CheckSigningTable		yes
+
 ##  ClockDrift n
 ##  	default 300
 ##