/*
* PDKIM - a RFC4871 (DKIM) implementation
*
- * Copyright (c) The Exim Maintainers 2021 - 2022
- * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
+ * Copyright (c) The Exim Maintainers 2021 - 2023
* Copyright (C) 2016 - 2020 Jeremy Harris <jgh@exim.org>
+ * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
+ * SPDX-License-Identifier: GPL-2.0-or-later
*
* http://duncanthrax.net/pdkim/
*
void
pdkim_decode_base64(const uschar * str, blob * b)
{
-int dlen = b64decode(str, &b->data);
+int dlen = b64decode(str, &b->data, str);
if (dlen < 0) b->data = NULL;
b->len = dlen;
}
}
if (where == PDKIM_HDR_TAG)
- {
- if (c >= 'a' && c <= 'z')
- cur_tag = string_catn(cur_tag, p, 1);
-
if (c == '=')
{
if (Ustrcmp(string_from_gstring(cur_tag), "b") == 0)
where = PDKIM_HDR_VALUE;
goto NEXT_CHAR;
}
- }
+ else if (!isspace(c))
+ cur_tag = string_catn(cur_tag, p, 1);
if (where == PDKIM_HDR_VALUE)
{
switch (cur_tag->s[1])
{
case '\0': pdkim_decode_base64(cur_val->s, &sig->sighash); break;
- case 'h': if (cur_tag->ptr == 2)
- pdkim_decode_base64(cur_val->s, &sig->bodyhash);
+ case 'h': if (cur_tag->ptr != 2) goto bad_tag;
+ pdkim_decode_base64(cur_val->s, &sig->bodyhash);
break;
- default: break;
+ default: goto bad_tag;
}
break;
case 'v': /* version */
/* We only support version 1, and that is currently the
only version there is. */
sig->version =
- Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
+ Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
break;
case 'a': /* algorithm */
{
if (Ustrcmp(elem, pdkim_hashes[i].dkim_hashname) == 0)
{ sig->hashtype = i; break; }
}
+ break;
case 'c': /* canonicalization */
pdkim_cstring_to_canons(cur_val->s, 0,
case 'q': /* Query method (for pubkey)*/
for (int i = 0; pdkim_querymethods[i]; i++)
if (Ustrcmp(cur_val->s, pdkim_querymethods[i]) == 0)
- {
+ {
sig->querymethod = i; /* we never actually use this */
break;
}
break;
case 's': /* Selector */
- sig->selector = string_copyn(cur_val->s, cur_val->ptr); break;
+ sig->selector = string_copy_from_gstring(cur_val); break;
case 'd': /* SDID */
- sig->domain = string_copyn(cur_val->s, cur_val->ptr); break;
+ sig->domain = string_copy_from_gstring(cur_val); break;
case 'i': /* AUID */
sig->identity = pdkim_decode_qp(cur_val->s); break;
case 't': /* Timestamp */
case 'l': /* Body length count */
sig->bodylength = strtol(CS cur_val->s, NULL, 10); break;
case 'h': /* signed header fields */
- sig->headernames = string_copyn(cur_val->s, cur_val->ptr); break;
+ sig->headernames = string_copy_from_gstring(cur_val); break;
case 'z': /* Copied headfields */
sig->copiedheaders = pdkim_decode_qp(cur_val->s); break;
/*XXX draft-ietf-dcrup-dkim-crypto-05 would need 'p' tag support
for rsafp signatures. But later discussion is dropping those. */
default:
- DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
- break;
+ goto bad_tag;
}
}
+ else
+bad_tag: DEBUG(D_acl) debug_printf(" Unknown tag encountered: %Y\n", cur_tag);
+
cur_tag = cur_val = NULL;
in_b_val = FALSE;
where = PDKIM_HDR_LIMBO;
/* -------------------------------------------------------------------------- */
pdkim_pubkey *
-pdkim_parse_pubkey_record(const uschar *raw_record)
+pdkim_parse_pubkey_record(const uschar * raw_record)
{
-const uschar * ele;
-int sep = ';';
-pdkim_pubkey * pub;
+pdkim_pubkey * pub = store_get(sizeof(pdkim_pubkey), GET_TAINTED);
-pub = store_get(sizeof(pdkim_pubkey), GET_TAINTED);
memset(pub, 0, sizeof(pdkim_pubkey));
-while ((ele = string_nextinlist(&raw_record, &sep, NULL, 0)))
+for (const uschar * ele = raw_record, * tspec, * end, * val; *ele; ele = end)
{
- const uschar * val;
+ Uskip_whitespace(&ele);
+ end = US strchrnul(CS ele, ';');
+ tspec = string_copyn(ele, end - ele);
+ if (*end) end++; /* skip the ; */
- if ((val = Ustrchr(ele, '=')))
+ if ((val = Ustrchr(tspec, '=')))
{
- int taglen = val++ - ele;
+ int taglen = val++ - tspec;
+
+ DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, tspec, val);
+ while (taglen > 1 && isspace(tspec[taglen-1]))
+ taglen--; /* Ignore whitespace before = */
+ Uskip_whitespace(&val); /* Ignore whitespace after = */
+ if (isspace(val[ Ustrlen(val)-1 ]))
+ { /* Ignore whitespace after value */
+ gstring * g = string_cat(NULL, val);
+ while (isspace(gstring_last_char(g)))
+ gstring_trim(g, 1);
+ val = string_from_gstring(g);
+ }
- DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, ele, val);
- switch (ele[0])
+ if (taglen == 1) switch (tspec[0])
{
case 'v': pub->version = val; break;
case 'h': pub->hashes = val; break;
case 't': if (Ustrchr(val, 'y')) pub->testing = 1;
if (Ustrchr(val, 's')) pub->no_subdomaining = 1;
break;
- default: DEBUG(D_acl) debug_printf(" Unknown tag encountered\n"); break;
+ default: goto bad_tag;
}
+ else
+bad_tag:
+ DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
}
}
static int
pdkim_header_complete(pdkim_ctx * ctx)
{
-if ( (ctx->cur_header->ptr > 1) &&
- (ctx->cur_header->s[ctx->cur_header->ptr-1] == '\r') )
- --ctx->cur_header->ptr;
+if (ctx->cur_header->ptr > 1)
+ gstring_trim_trailing(ctx->cur_header, '\r');
(void) string_from_gstring(ctx->cur_header);
#ifdef EXPERIMENTAL_ARC
if (*dkim_verify_min_keysizes)
{
unsigned minbits;
- uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
+ const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
dkim_verify_min_keysizes);
- if (ss && (minbits = atoi(CS ss)) > sig->keybits)
+ if (ss && (minbits = atoi(CCS ss)) > sig->keybits)
{
DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n",
pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);