upas/dkim: seal the signed header fields

"Signers MAY claim to have signed header fields that do not exist
...
A header field name need only be listed once more
than the actual number of that header field in a message
at the time of signing in order to prevent any further additions."

https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 742fd9b6fa574793f709fa69b791196438ad1ee8 c24531318db27a706d0af70f69ae7f524ba1754a
--- a/sys/src/cmd/upas/dkim/dkim.c
+++ b/sys/src/cmd/upas/dkim/dkim.c
@@ -33,6 +33,18 @@
 	return e - p;
 }		
 
+void
+addallhdrs(char **hs)
+{
+	char **p;
+
+	for(p = signhdr; *p; p++){
+		if((*hs = realloc(*hs, strlen(*hs) + strlen(*p) + 1)) == nil)
+			sysfatal("realloc: %r");
+		strcat(*hs, *p);
+	}
+}
+
 int
 usehdr(char *ln, char **hs)
 {
@@ -165,6 +177,7 @@
 		}
 		append(&hdr, &nhdr, &hdrsz, ln, n);
 	}
+	addallhdrs(&hdrset); /* https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields */
 
 	sb = nil;
 	ntail = 0;