1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4 /* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018 - 2020
6 Copyright (c) The Exim Maintainers 2021 - 2022
8 SPDX-License-Identifier: GPL-2.0-or-later
12 #if defined EXPERIMENTAL_ARC
13 # if defined DISABLE_DKIM
14 # error DKIM must also be enabled for ARC
17 # include "functions.h"
18 # include "pdkim/pdkim.h"
19 # include "pdkim/signing.h"
21 extern pdkim_ctx * dkim_verify_ctx;
22 extern pdkim_ctx dkim_sign_ctx;
24 #define ARC_SIGN_OPT_TSTAMP BIT(0)
25 #define ARC_SIGN_OPT_EXPIRE BIT(1)
27 #define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
29 /******************************************************************************/
31 typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
37 typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
41 /* identified tag contents */
54 /* tag content sub-portions */
61 /* modified copy of b= field in line */
65 typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
78 typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
83 #define ARC_HDR_AAR US"ARC-Authentication-Results:"
84 #define ARC_HDRLEN_AAR 27
85 #define ARC_HDR_AMS US"ARC-Message-Signature:"
86 #define ARC_HDRLEN_AMS 22
87 #define ARC_HDR_AS US"ARC-Seal:"
88 #define ARC_HDRLEN_AS 9
89 #define HDR_AR US"Authentication-Results:"
94 static hdr_rlist * headers_rlist;
95 static arc_ctx arc_sign_ctx = { NULL };
96 static arc_ctx arc_verify_ctx = { NULL };
99 /******************************************************************************/
102 /* Get the instance number from the header.
105 arc_instance_from_hdr(const arc_line * al)
107 const uschar * s = al->i.data;
108 if (!s || !al->i.len) return 0;
109 return (unsigned) atoi(CCS s);
117 while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
122 /* Locate instance struct on chain, inserting a new one if
123 needed. The chain is in increasing-instance-number order
124 by the "next" link, and we have a "prev" link also.
128 arc_find_set(arc_ctx * ctx, unsigned i)
130 arc_set ** pas, * as, * next, * prev;
132 for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
135 if (as->instance > i) break;
136 if (as->instance == i)
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
145 DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146 *pas = as = store_get(sizeof(arc_set), GET_UNTAINTED);
147 memset(as, 0, sizeof(arc_set));
154 ctx->arcset_chain_last = as;
160 /* Insert a tag content into the line structure.
161 Note this is a reference to existing data, not a copy.
162 Check for already-seen tag.
163 The string-pointer is on the '=' for entry. Update it past the
164 content (to the ;) on return;
168 arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
172 blob * b = (blob *)(US al + loff);
175 /* [FWS] tag-value [FWS] */
177 if (b->data) return US"fail";
178 s = skip_fws(s); /* FWS */
181 while ((c = *s) && c != ';') { len++; s++; }
183 while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
190 /* Inspect a header line, noting known tag fields.
191 Check for duplicates. */
194 arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
196 uschar * s = h->text + off;
197 uschar * r = NULL; /* compiler-quietening */
204 al->rawsig_no_b_val.data = store_get(h->slen + 1, GET_TAINTED);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
210 /* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
222 s = skip_fws(s); /* FWS */
224 /* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
226 s = skip_fws(s); /* FWS */
229 if (!instance_only || tagchar == 'i') switch (tagchar)
231 case 'a': /* a= AMS algorithm */
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
236 /* substructure: algo-hash (eg. rsa-sha256) */
238 t = al->a_algo.data = al->a.data;
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
242 if (*t++ != '-') return US"no '-' in 'a' value";
244 al->a_hash.len = al->a.len - i - 1;
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 if (!g) return US"no b= value";
264 al->b.len = len_string_from_gstring(g, &al->b.data);
265 gstring_release_unused(g);
268 case 'h': /* bh= AMS body hash */
269 s = skip_fws(++s); /* FWS */
270 if (*s != '=') return US"no bh value";
271 if (al->bh.data) return US"already bh data";
273 /* The bodyhash can have FWS inserted in the content;
274 make a stripped copy */
276 while ((c = *++s) && c != ';')
277 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
278 g = string_catn(g, s, 1);
279 if (!g) return US"no bh= value";
280 al->bh.len = len_string_from_gstring(g, &al->bh.data);
281 gstring_release_unused(g);
291 case '=': /* c= AMS canonicalisation */
292 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
294 /* substructure: head/body (eg. relaxed/simple)) */
296 t = al->c_head.data = al->c.data;
298 if (!*t++ || ++i > al->a.len) break;
300 if (*t++ == '/') /* /body is optional */
303 al->c_body.len = al->c.len - i - 1;
307 al->c_body.data = US"simple";
311 case 'v': /* cv= AS validity */
312 if (*++s != '=') return US"cv tag val";
313 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
319 case 'd': /* d= AMS domain */
320 if (*s != '=') return US"d tag val";
321 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
323 case 'h': /* h= AMS headers */
324 if (*s != '=') return US"h tag val";
325 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
327 case 'i': /* i= ARC set instance */
328 if (*s != '=') return US"i tag val";
329 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
330 if (instance_only) goto done;
332 case 'l': /* l= bodylength */
333 if (*s != '=') return US"l tag val";
334 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
336 case 's': /* s= AMS selector */
337 if (*s != '=') return US"s tag val";
338 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
342 while ((c = *s) && c != ';') s++;
343 if (c) s++; /* ; after tag-spec */
345 /* for all but the b= tag, copy the field including FWS. For the b=,
346 drop the tag content. */
351 size_t n = bstart - fieldstart;
352 memcpy(r, fieldstart, n); /* FWS "b=" */
354 al->rawsig_no_b_val.len += n;
356 memcpy(r, bend, n); /* FWS ";" */
358 al->rawsig_no_b_val.len += n;
362 size_t n = s - fieldstart;
363 memcpy(r, fieldstart, n);
365 al->rawsig_no_b_val.len += n;
373 /* debug_printf("%s: finshed\n", __FUNCTION__); */
378 /* Insert one header line in the correct set of the chain,
379 adding instances as needed and checking for duplicate lines.
383 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
384 BOOL instance_only, arc_line ** alp_ret)
388 arc_line * al = store_get(sizeof(arc_line), GET_UNTAINTED), ** alp;
391 memset(al, 0, sizeof(arc_line));
393 if ((e = arc_parse_line(al, h, off, instance_only)))
395 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
396 return US"line parse";
398 if (!(i = arc_instance_from_hdr(al))) return US"instance find";
399 if (i > 50) return US"overlarge instance number";
400 if (!(as = arc_find_set(ctx, i))) return US"set find";
401 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
404 if (alp_ret) *alp_ret = al;
411 static const uschar *
412 arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
416 /*debug_printf("consider hdr '%s'\n", h->text);*/
417 if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
423 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
425 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
427 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
430 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
431 return US"inserting AAR";
434 else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
442 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
444 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
446 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
447 instance_only, &ams)))
449 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
450 return US"inserting AMS";
456 ams->c_head.data = US"simple"; ams->c_head.len = 6;
457 ams->c_body = ams->c_head;
460 else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
466 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
468 debug_printf("ARC: found AS: %.*s\n", len, h->text);
470 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
471 instance_only, NULL)))
473 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
474 return US"inserting AS";
482 /* Gather the chain of arc sets from the headers.
483 Check for duplicates while that is done. Also build the
484 reverse-order headers list;
486 Return: ARC state if determined, eg. by lack of any ARC chain.
489 static const uschar *
490 arc_vfy_collect_hdrs(arc_ctx * ctx)
493 hdr_rlist * r = NULL, * rprev = NULL;
496 DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
497 for (h = header_list; h; h = h->next)
499 r = store_get(sizeof(hdr_rlist), GET_UNTAINTED);
505 if ((e = arc_try_header(ctx, h, FALSE)))
507 arc_state_reason = string_sprintf("collecting headers: %s", e);
513 if (!ctx->arcset_chain) return US"none";
519 arc_cv_match(arc_line * al, const uschar * s)
521 return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
524 /******************************************************************************/
526 /* Return the hash of headers from the message that the AMS claims it
531 arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
533 const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
537 BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
538 int hashtype = pdkim_hashname_to_hashtype(
539 ams->a_hash.data, ams->a_hash.len);
545 || !exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
548 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
552 /* For each headername in the list from the AMS (walking in order)
553 walk the message headers in reverse order, adding to the hash any
554 found for the first time. For that last point, maintain used-marks
555 on the list of message headers. */
557 DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
559 for (r = headers_rlist; r; r = r->prev)
561 while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
562 for (r = headers_rlist; r; r = r->prev)
564 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
567 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
570 DEBUG(D_acl) pdkim_quoteprint(s, len);
571 exim_sha_update_string(&hhash_ctx, s);
576 /* Finally add in the signature header (with the b= tag stripped); no CRLF */
578 s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
580 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
581 DEBUG(D_acl) pdkim_quoteprint(s, len);
582 exim_sha_update(&hhash_ctx, s, len);
584 exim_sha_finish(&hhash_ctx, hhash);
586 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
593 static pdkim_pubkey *
594 arc_line_to_pubkey(arc_line * al)
599 if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
600 (int)al->s.len, al->s.data, (int)al->d.len, al->d.data))))
602 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
606 if ( !(p = pdkim_parse_pubkey_record(dns_txt))
607 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
610 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
614 /* If the pubkey limits use to specified hashes, reject unusable
615 signatures. XXX should we have looked for multiple dns records? */
619 const uschar * list = p->hashes, * ele;
622 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
623 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
626 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
627 p->hashes, (int)al->a.len, al->a.data);
637 static pdkim_bodyhash *
638 arc_ams_setup_vfy_bodyhash(arc_line * ams)
640 int canon_head = -1, canon_body = -1;
643 if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
644 pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
645 bodylen = ams->l.data
646 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
648 return pdkim_set_bodyhash(dkim_verify_ctx,
649 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
656 /* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
657 and without a DKIM v= tag.
660 static const uschar *
661 arc_ams_verify(arc_ctx * ctx, arc_set * as)
663 arc_line * ams = as->hdr_ams;
670 const uschar * errstr;
672 as->ams_verify_done = US"in-progress";
674 /* Check the AMS has all the required tags:
678 "d=" domain (for key lookup)
679 "h=" headers (included in signature)
680 "s=" key-selector (for key lookup)
682 if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
683 || !ams->h.data || !ams->s.data)
685 as->ams_verify_done = arc_state_reason = US"required tag missing";
690 /* The bodyhash should have been created earlier, and the dkim code should
691 have managed calculating it during message input. Find the reference to it. */
693 if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
695 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
701 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
702 " Body %.*s computed: ",
703 as->instance, b->signed_body_bytes,
704 (int)ams->a_hash.len, ams->a_hash.data);
705 pdkim_hexprint(CUS b->bh.data, b->bh.len);
708 /* We know the bh-tag blob is of a nul-term string, so safe as a string */
711 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
712 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
717 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
718 pdkim_hexprint(sighash.data, sighash.len);
719 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
721 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
724 DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
726 /* Get the public key from DNS */
728 if (!(p = arc_line_to_pubkey(ams)))
729 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
731 /* We know the b-tag blob is of a nul-term string, so safe as a string */
732 pdkim_decode_base64(ams->b.data, &sighash);
734 arc_get_verify_hhash(ctx, ams, &hhash);
736 /* Setup the interface to the signing library */
738 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx, NULL)))
740 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
741 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
745 hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
748 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify bad a_hash\n", as->instance);
749 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
752 if ((errstr = exim_dkim_verify(&vctx,
753 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
755 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
756 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
759 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
760 as->ams_verify_passed = TRUE;
766 /* Check the sets are instance-continuous and that all
767 members are present. Check that no arc_seals are "fail".
768 Set the highest instance number global.
769 Verify the latest AMS.
772 arc_headers_check(arc_ctx * ctx)
776 BOOL ams_fail_found = FALSE;
778 if (!(as = ctx->arcset_chain_last))
781 for(inst = as->instance; as; as = as->prev, inst--)
783 if (as->instance != inst)
784 arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
786 else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
787 arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
788 else if (arc_cv_match(as->hdr_as, US"fail"))
789 arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
793 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
797 /* Evaluate the oldest-pass AMS validation while we're here.
798 It does not affect the AS chain validation but is reported as
802 if (arc_ams_verify(ctx, as))
803 ams_fail_found = TRUE;
805 arc_oldest_pass = inst;
806 arc_state_reason = NULL;
810 arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
811 DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
815 arc_received = ctx->arcset_chain_last;
816 arc_received_instance = arc_received->instance;
818 /* We can skip the latest-AMS validation, if we already did it. */
820 as = ctx->arcset_chain_last;
821 if (!as->ams_verify_passed)
823 if (as->ams_verify_done)
825 arc_state_reason = as->ams_verify_done;
828 if (!!arc_ams_verify(ctx, as))
835 /******************************************************************************/
836 static const uschar *
837 arc_seal_verify(arc_ctx * ctx, arc_set * as)
839 arc_line * hdr_as = as->hdr_as;
847 const uschar * errstr;
849 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
851 1. If the value of the "cv" tag on that seal is "fail", the
852 chain state is "fail" and the algorithm stops here. (This
853 step SHOULD be skipped if the earlier step (2.1) was
856 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
857 == "none" && i != 1)) then the chain state is "fail" and the
858 algorithm stops here (note that the ordering of the logic is
859 structured for short-circuit evaluation).
862 if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
863 || arc_cv_match(hdr_as, US"none") && as->instance != 1
866 arc_state_reason = US"seal cv state";
871 3. Initialize a hash function corresponding to the "a" tag of
875 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
878 || !exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
881 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
882 arc_state_reason = US"seal hash setup error";
887 4. Compute the canonicalized form of the ARC header fields, in
888 the order described in Section 5.4.2, using the "relaxed"
889 header canonicalization defined in Section 3.4.2 of
890 [RFC6376]. Pass the canonicalized result to the hash
893 Headers are CRLF-separated, but the last one is not crlf-terminated.
896 DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
897 for (as2 = ctx->arcset_chain;
898 as2 && as2->instance <= as->instance;
906 if (!(s = al->relaxed))
907 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
908 al->complete->slen, TRUE);
910 DEBUG(D_acl) pdkim_quoteprint(s, len);
911 exim_sha_update(&hhash_ctx, s, len);
914 if (!(s = al->relaxed))
915 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
916 al->complete->slen, TRUE);
918 DEBUG(D_acl) pdkim_quoteprint(s, len);
919 exim_sha_update(&hhash_ctx, s, len);
922 if (as2->instance == as->instance)
923 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
924 al->rawsig_no_b_val.len, FALSE);
925 else if (!(s = al->relaxed))
926 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
927 al->complete->slen, TRUE);
929 DEBUG(D_acl) pdkim_quoteprint(s, len);
930 exim_sha_update(&hhash_ctx, s, len);
934 5. Retrieve the final digest from the hash function.
937 exim_sha_finish(&hhash_ctx, &hhash_computed);
940 debug_printf("ARC i=%d AS Header %.*s computed: ",
941 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
942 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
947 6. Retrieve the public key identified by the "s" and "d" tags in
948 the ARC-Seal, as described in Section 4.1.6.
951 if (!(p = arc_line_to_pubkey(hdr_as)))
952 return US"pubkey problem";
955 7. Determine whether the signature portion ("b" tag) of the ARC-
956 Seal and the digest computed above are valid according to the
957 public key. (See also Section Section 8.4 for failure case
960 8. If the signature is not valid, the chain state is "fail" and
961 the algorithm stops here.
964 /* We know the b-tag blob is of a nul-term string, so safe as a string */
965 pdkim_decode_base64(hdr_as->b.data, &sighash);
967 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx, NULL)))
969 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
973 if ((errstr = exim_dkim_verify(&vctx,
974 pdkim_hashes[hashtype].exim_hashmethod,
975 &hhash_computed, &sighash)))
978 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
979 arc_state_reason = US"seal sigverify error";
983 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
988 static const uschar *
989 arc_verify_seals(arc_ctx * ctx)
991 arc_set * as = ctx->arcset_chain_last;
996 for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
998 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
1001 /******************************************************************************/
1003 /* Do ARC verification. Called from DATA ACL, on a verify = arc
1004 condition. No arguments; we are checking globals.
1006 Return: The ARC state, or NULL on error.
1010 acl_verify_arc(void)
1014 memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1016 if (!dkim_verify_ctx)
1018 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1022 /* AS evaluation, per
1023 https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1025 /* 1. Collect all ARC sets currently on the message. If there were
1026 none, the ARC state is "none" and the algorithm stops here.
1029 if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1032 /* 2. If the form of any ARC set is invalid (e.g., does not contain
1033 exactly one of each of the three ARC-specific header fields),
1034 then the chain state is "fail" and the algorithm stops here.
1036 1. To avoid the overhead of unnecessary computation and delay
1037 from crypto and DNS operations, the cv value for all ARC-
1038 Seal(s) MAY be checked at this point. If any of the values
1039 are "fail", then the overall state of the chain is "fail" and
1040 the algorithm stops here.
1042 3. Conduct verification of the ARC-Message-Signature header field
1043 bearing the highest instance number. If this verification fails,
1044 then the chain state is "fail" and the algorithm stops here.
1047 if ((res = arc_headers_check(&arc_verify_ctx)))
1050 /* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1053 1. If the value of the "cv" tag on that seal is "fail", the
1054 chain state is "fail" and the algorithm stops here. (This
1055 step SHOULD be skipped if the earlier step (2.1) was
1058 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1059 == "none" && i != 1)) then the chain state is "fail" and the
1060 algorithm stops here (note that the ordering of the logic is
1061 structured for short-circuit evaluation).
1063 3. Initialize a hash function corresponding to the "a" tag of
1066 4. Compute the canonicalized form of the ARC header fields, in
1067 the order described in Section 5.4.2, using the "relaxed"
1068 header canonicalization defined in Section 3.4.2 of
1069 [RFC6376]. Pass the canonicalized result to the hash
1072 5. Retrieve the final digest from the hash function.
1074 6. Retrieve the public key identified by the "s" and "d" tags in
1075 the ARC-Seal, as described in Section 4.1.6.
1077 7. Determine whether the signature portion ("b" tag) of the ARC-
1078 Seal and the digest computed above are valid according to the
1079 public key. (See also Section Section 8.4 for failure case
1082 8. If the signature is not valid, the chain state is "fail" and
1083 the algorithm stops here.
1085 5. If all seals pass validation, then the chain state is "pass", and
1086 the algorithm is complete.
1089 if ((res = arc_verify_seals(&arc_verify_ctx)))
1098 /******************************************************************************/
1100 /* Prepend the header to the rlist */
1103 arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1105 hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line), GET_UNTAINTED);
1106 header_line * h = r->h = (header_line *)(r+1);
1119 /* Walk the given headers strings identifying each header, and construct
1120 a reverse-order list.
1124 arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1127 hdr_rlist * rheaders = NULL;
1129 s = sigheaders ? sigheaders->s : NULL;
1132 const uschar * s2 = s;
1134 /* This works for either NL or CRLF lines; also nul-termination */
1136 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1137 s2++; /* move past end of line */
1139 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1147 /* Return the A-R content, without identity, with line-ending and
1151 arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1154 int ilen = Ustrlen(identity);
1157 for(h = headers; h; h = h->next)
1159 uschar * s = h->text, c;
1162 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1163 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1165 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1166 s++, len--; /* FWS */
1167 if (Ustrncmp(s, identity, ilen) != 0) continue;
1168 s += ilen; len -= ilen; /* identity */
1169 if (len <= 0) continue;
1170 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1172 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1173 s++, len--; /* FWS */
1174 if (len <= 0) continue;
1184 /* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1187 arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1188 const uschar * identity, int instance, blob * ar)
1190 int aar_off = gstring_length(g);
1192 store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line), GET_UNTAINTED);
1193 arc_line * al = (arc_line *)(as+1);
1194 header_line * h = (header_line *)(al+1);
1196 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1197 g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
1198 g = string_catn(g, US ar->data, ar->len);
1200 h->slen = g->ptr - aar_off;
1201 h->text = g->s + aar_off;
1204 as->prev = ctx->arcset_chain_last;
1205 as->instance = instance;
1208 ctx->arcset_chain = as;
1210 ctx->arcset_chain_last->next = as;
1211 ctx->arcset_chain_last = as;
1213 DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1220 arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1221 blob * sig, const uschar * why)
1223 hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1224 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1227 const uschar * errstr;
1232 debug_printf("ARC: %s header data for signing:\n", why);
1233 pdkim_quoteprint(hdata->s, hdata->ptr);
1235 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1236 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1237 exim_sha_finish(&hhash_ctx, &hhash);
1238 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1241 if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1244 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1245 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1246 exim_sha_finish(&hhash_ctx, &hhash);
1250 hhash.data = hdata->s;
1251 hhash.len = hdata->ptr;
1254 if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1255 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1257 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1259 debug_printf("private key, or private-key file content, was: '%s'\n",
1269 arc_sign_append_sig(gstring * g, blob * sig)
1271 /*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1272 sig->data = pdkim_encode_base64(sig);
1273 sig->len = Ustrlen(sig->data);
1276 int len = MIN(sig->len, 74);
1277 g = string_catn(g, sig->data, len);
1278 if ((sig->len -= len) == 0) break;
1280 g = string_catn(g, US"\r\n\t ", 5);
1282 g = string_catn(g, US";\r\n", 3);
1283 gstring_release_unused(g);
1284 string_from_gstring(g);
1289 /* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1292 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1293 const uschar * identity, const uschar * selector, blob * bodyhash,
1294 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1297 gstring * hdata = NULL;
1299 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1302 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), GET_UNTAINTED);
1303 header_line * h = (header_line *)(al+1);
1305 /* debug_printf("%s\n", __FUNCTION__); */
1307 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1309 ams_off = gstring_length(g);
1310 g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
1311 ARC_HDR_AMS, instance, identity, selector); /*XXX hardwired a= */
1312 if (options & ARC_SIGN_OPT_TSTAMP)
1313 g = string_fmt_append(g, "; t=%lu", (u_long)now);
1314 if (options & ARC_SIGN_OPT_EXPIRE)
1315 g = string_fmt_append(g, "; x=%lu", (u_long)expire);
1316 g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
1317 pdkim_encode_base64(bodyhash));
1319 for(col = 3; rheaders; rheaders = rheaders->prev)
1321 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1322 uschar * name, * htext = rheaders->h->text;
1325 /* Spot headers of interest */
1327 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1329 int len = Ustrlen(name);
1330 if (strncasecmp(CCS htext, CCS name, len) == 0)
1332 /* If too long, fold line in h= field */
1334 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1336 /* Add name to h= list */
1338 g = string_catn(g, name, len);
1339 g = string_catn(g, US":", 1);
1342 /* Accumulate header for hashing/signing */
1344 hdata = string_cat(hdata,
1345 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1351 /* Lose the last colon from the h= list */
1353 gstring_trim_trailing(g, ':');
1355 g = string_catn(g, US";\r\n\tb=;", 7);
1357 /* Include the pseudo-header in the accumulation */
1359 s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1360 hdata = string_cat(hdata, s);
1362 /* Calculate the signature from the accumulation */
1363 /*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1365 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1368 /* Lose the trailing semicolon from the psuedo-header, and append the signature
1369 (folded over lines) and termination to complete it. */
1372 g = arc_sign_append_sig(g, &sig);
1374 h->slen = g->ptr - ams_off;
1375 h->text = g->s + ams_off;
1377 ctx->arcset_chain_last->hdr_ams = al;
1379 DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1385 /* Look for an arc= result in an A-R header blob. We know that its data
1386 happens to be a NUL-term string. */
1389 arc_ar_cv_status(blob * ar)
1391 const uschar * resinfo = ar->data;
1393 uschar * methodspec, * s;
1395 while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1396 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1399 for (s = methodspec += 4;
1400 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1401 return string_copyn(methodspec, s - methodspec);
1408 /* Build the AS header and prepend it */
1411 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1412 int instance, const uschar * identity, const uschar * selector, blob * ar,
1413 const uschar * privkey, unsigned options)
1416 uschar * status = arc_ar_cv_status(ar);
1417 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), GET_UNTAINTED);
1418 header_line * h = (header_line *)(al+1);
1419 uschar * badline_str;
1421 gstring * hdata = NULL;
1422 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1428 - no h= tag; implicit coverage
1429 - arc status from A-R
1431 - coverage is just the new ARC set
1432 including self (but with an empty b= in self)
1434 - all ARC set headers, set-number order, aar then ams then as,
1435 including self (but with an empty b= in self)
1437 DEBUG(D_transport) debug_printf("ARC: building AS for status '%s'\n", status);
1439 /* Construct the AS except for the signature */
1441 arcset = string_append(NULL, 9,
1443 US" i=", string_sprintf("%d", instance),
1445 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1446 US"; s=", selector); /*XXX same as AMS */
1447 if (options & ARC_SIGN_OPT_TSTAMP)
1448 arcset = string_append(arcset, 2,
1449 US"; t=", string_sprintf("%lu", (u_long)now));
1450 arcset = string_cat(arcset,
1453 h->slen = arcset->ptr;
1454 h->text = arcset->s;
1456 ctx->arcset_chain_last->hdr_as = al;
1458 /* For any but "fail" chain-verify status, walk the entire chain in order by
1459 instance. For fail, only the new arc-set. Accumulate the elements walked. */
1461 for (arc_set * as = Ustrcmp(status, US"fail") == 0
1462 ? ctx->arcset_chain_last : ctx->arcset_chain;
1466 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1467 is required per standard. */
1469 badline_str = US"aar";
1470 if (!(l = as->hdr_aar)) goto badline;
1472 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1473 badline_str = US"ams";
1474 if (!(l = as->hdr_ams)) goto badline;
1476 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1477 badline_str = US"as";
1478 if (!(l = as->hdr_as)) goto badline;
1480 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1483 /* Calculate the signature from the accumulation */
1485 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1488 /* Lose the trailing semicolon */
1490 arcset = arc_sign_append_sig(arcset, &sig);
1491 DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1493 /* Finally, append the AMS and AAR to the new AS */
1495 return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1499 debug_printf("ARC: while building AS, missing %s in chain\n", badline_str);
1504 /**************************************/
1506 /* Return pointer to pdkim_bodyhash for given hash method, creating new
1511 arc_ams_setup_sign_bodyhash(void)
1513 int canon_head, canon_body;
1515 DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1516 pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1517 return pdkim_set_bodyhash(&dkim_sign_ctx,
1518 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1528 memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1529 headers_rlist = NULL;
1534 /* A "normal" header line, identified by DKIM processing. These arrive before
1535 the call to arc_sign(), which carries any newly-created DKIM headers - and
1536 those go textually before the normal ones in the message.
1538 We have to take the feed from DKIM as, in the transport-filter case, the
1539 headers are not in memory at the time of the call to arc_sign().
1541 Take a copy of the header and construct a reverse-order list.
1542 Also parse ARC-chain headers and build the chain struct, retaining pointers
1546 static const uschar *
1547 arc_header_sign_feed(gstring * g)
1549 uschar * s = string_copy_from_gstring(g);
1550 headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1551 return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1556 /* Per RFCs 6376, 7489 the only allowed chars in either an ADMD id
1557 or a selector are ALPHA/DIGGIT/'-'/'.'
1559 Check, to help catch misconfigurations such as a missing selector
1560 element in the arc_sign list.
1564 arc_valid_id(const uschar * s)
1566 for (uschar c; c = *s++; )
1567 if (!isalnum(c) && c != '-' && c != '.') return FALSE;
1573 /* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1574 The dkim_exim_sign() function has already been called, so will have hashed the
1575 message body for us so long as we requested a hash previously.
1578 signspec Three-element colon-sep list: identity, selector, privkey.
1579 Optional fourth element: comma-sep list of options.
1581 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1585 Set of headers to prepend to the message, including the supplied sigheaders
1586 but not the plainheaders.
1590 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1592 const uschar * identity, * selector, * privkey, * opts, * s;
1593 unsigned options = 0;
1595 header_line * headers;
1596 hdr_rlist * rheaders;
1604 /* Parse the signing specification */
1606 if (!(identity = string_nextinlist(&signspec, &sep, NULL, 0)) || !*identity)
1607 { s = US"identity"; goto bad_arg_ret; }
1608 if (!(selector = string_nextinlist(&signspec, &sep, NULL, 0)) || !*selector)
1609 { s = US"selector"; goto bad_arg_ret; }
1610 if (!(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1611 { s = US"privkey"; goto bad_arg_ret; }
1612 if (!arc_valid_id(identity))
1613 { s = US"identity"; goto bad_arg_ret; }
1614 if (!arc_valid_id(selector))
1615 { s = US"selector"; goto bad_arg_ret; }
1616 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1617 goto ret_sigheaders;
1619 if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1622 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1623 if (Ustrcmp(s, "timestamps") == 0)
1625 options |= ARC_SIGN_OPT_TSTAMP;
1626 if (!now) now = time(NULL);
1628 else if (Ustrncmp(s, "expire", 6) == 0)
1630 options |= ARC_SIGN_OPT_EXPIRE;
1631 if (*(s += 6) == '=')
1634 if (!(expire = (time_t)atoi(CS ++s)))
1635 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1636 if (!now) now = time(NULL);
1640 expire = (time_t)atol(CS s);
1643 if (!now) now = time(NULL);
1644 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1649 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1651 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1652 Then scan the list for an A-R header. */
1654 string_from_gstring(sigheaders);
1655 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1658 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1662 /* Finally, build a normal-order headers list */
1663 /*XXX only needed for hunt-the-AR? */
1664 /*XXX also, we really should be accepting any number of ADMD-matching ARs */
1666 header_line * hnext = NULL;
1667 for (rheaders = headers_rlist; rheaders;
1668 hnext = rheaders->h, rheaders = rheaders->prev)
1669 rheaders->h->next = hnext;
1673 if (!(arc_sign_find_ar(headers, identity, &ar)))
1675 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1676 goto ret_sigheaders;
1679 /* We previously built the data-struct for the existing ARC chain, if any, using a headers
1680 feed from the DKIM module. Use that to give the instance number for the ARC set we are
1684 if (arc_sign_ctx.arcset_chain_last)
1685 debug_printf("ARC: existing chain highest instance: %d\n",
1686 arc_sign_ctx.arcset_chain_last->instance);
1688 debug_printf("ARC: no existing chain\n");
1690 instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1694 - copy the A-R; prepend i= & identity
1697 g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1701 - Looks fairly like a DKIM sig
1702 - Cover all DKIM sig headers as well as the usuals
1705 - we must have requested a suitable bodyhash previously
1708 b = arc_ams_setup_sign_bodyhash();
1709 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1710 &b->bh, headers_rlist, privkey, options);
1715 - no h= tag; implicit coverage
1716 - arc status from A-R
1718 - coverage is just the new ARC set
1719 including self (but with an empty b= in self)
1721 - all ARC set headers, set-number order, aar then ams then as,
1722 including self (but with an empty b= in self)
1726 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1729 /* Finally, append the dkim headers and return the lot. */
1731 if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
1734 if (!g) return string_get(1);
1735 (void) string_from_gstring(g);
1736 gstring_release_unused(g);
1741 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)", s);
1748 /******************************************************************************/
1750 /* Check to see if the line is an AMS and if so, set up to validate it.
1751 Called from the DKIM input processing. This must be done now as the message
1752 body data is hashed during input.
1754 We call the DKIM code to request a body-hash; it has the facility already
1755 and the hash parameters might be common with other requests.
1758 static const uschar *
1759 arc_header_vfy_feed(gstring * g)
1766 if (!dkim_verify_ctx) return US"no dkim context";
1768 if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1770 DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1771 /* Parse the AMS header */
1773 memset(&al, 0, sizeof(arc_line));
1775 h.slen = len_string_from_gstring(g, &h.text);
1776 if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1778 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1782 if (!al.a_hash.data)
1784 DEBUG(D_acl) debug_printf("ARC: no a_hash from '%.*s'\n", h.slen, h.text);
1791 al.c_body.data = US"simple"; al.c_body.len = 6;
1792 al.c_head = al.c_body;
1795 /* Ask the dkim code to calc a bodyhash with those specs */
1797 if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1798 return US"dkim hash setup fail";
1800 /* Discard the reference; search again at verify time, knowing that one
1801 should have been created here. */
1806 return US"line parsing error";
1811 /* A header line has been identified by DKIM processing.
1815 is_vfy TRUE for verify mode or FALSE for signing mode
1818 NULL for success, or an error string (probably unused)
1822 arc_header_feed(gstring * g, BOOL is_vfy)
1824 return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1829 /******************************************************************************/
1831 /* Construct the list of domains from the ARC chain after validation */
1834 fn_arc_domains(void)
1840 for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1842 arc_line * hdr_as = as->hdr_as;
1845 blob * d = &hdr_as->d;
1847 for (; inst < as->instance; inst++)
1848 g = string_catn(g, US":", 1);
1850 g = d->data && d->len
1851 ? string_append_listele_n(g, ':', d->data, d->len)
1852 : string_catn(g, US":", 1);
1855 g = string_catn(g, US":", 1);
1857 if (!g) return US"";
1858 return string_from_gstring(g);
1862 /* Construct an Authentication-Results header portion, for the ARC module */
1865 authres_arc(gstring * g)
1869 arc_line * highest_ams;
1870 int start = 0; /* Compiler quietening */
1871 DEBUG(D_acl) start = gstring_length(g);
1873 g = string_append(g, 2, US";\n\tarc=", arc_state);
1874 if (arc_received_instance > 0)
1876 g = string_fmt_append(g, " (i=%d)", arc_received_instance);
1877 if (arc_state_reason)
1878 g = string_append(g, 3, US"(", arc_state_reason, US")");
1879 g = string_catn(g, US" header.s=", 10);
1880 highest_ams = arc_received->hdr_ams;
1881 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1883 g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
1885 if (sender_host_address)
1886 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1888 else if (arc_state_reason)
1889 g = string_append(g, 3, US" (", arc_state_reason, US")");
1890 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1891 gstring_length(g) - start - 3, g->s + start + 3);
1894 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1899 # endif /* DISABLE_DKIM */
1900 #endif /* EXPERIMENTAL_ARC */