2 * PDKIM - a RFC4871 (DKIM) implementation
4 * Copyright (c) The Exim Maintainers 2021 - 2024
5 * Copyright (C) 2016 - 2020 Jeremy Harris <jgh@exim.org>
6 * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
7 * SPDX-License-Identifier: GPL-2.0-or-later
9 * http://duncanthrax.net/pdkim/
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #ifndef DISABLE_DKIM /* entire file */
32 # error Must not DISABLE_TLS, for DKIM
35 #include "crypt_ver.h"
38 # include <openssl/rsa.h>
39 # include <openssl/ssl.h>
40 # include <openssl/err.h>
41 #elif defined(SIGN_GNUTLS)
42 # include <gnutls/gnutls.h>
43 # include <gnutls/x509.h>
49 #define PDKIM_SIGNATURE_VERSION "1"
50 #define PDKIM_PUB_RECORD_VERSION US "DKIM1"
52 #define PDKIM_MAX_HEADER_LEN 65536
53 #define PDKIM_MAX_HEADERS 512
54 #define PDKIM_MAX_BODY_LINE_LEN 16384
55 #define PDKIM_DNS_TXT_MAX_NAMELEN 1024
57 /* -------------------------------------------------------------------------- */
58 struct pdkim_stringlist {
64 /* -------------------------------------------------------------------------- */
65 /* A bunch of list constants */
66 const uschar * pdkim_querymethods[] = {
70 const uschar * pdkim_canons[] = {
76 const pdkim_hashtype pdkim_hashes[] = {
77 { US"sha1", HASH_SHA1 },
78 { US"sha256", HASH_SHA2_256 },
79 { US"sha512", HASH_SHA2_512 }
82 const uschar * pdkim_keytypes[] = {
83 [KEYTYPE_RSA] = US"rsa",
84 #ifdef SIGN_HAVE_ED25519
85 [KEYTYPE_ED25519] = US"ed25519", /* Works for 3.6.0 GnuTLS, OpenSSL 1.1.1 */
88 #ifdef notyet_EC_dkim_extensions /* https://tools.ietf.org/html/draft-srose-dkim-ecc-00 */
95 typedef struct pdkim_combined_canon_entry {
99 } pdkim_combined_canon_entry;
101 pdkim_combined_canon_entry pdkim_combined_canons[] = {
102 { US"simple/simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
103 { US"simple/relaxed", PDKIM_CANON_SIMPLE, PDKIM_CANON_RELAXED },
104 { US"relaxed/simple", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
105 { US"relaxed/relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_RELAXED },
106 { US"simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
107 { US"relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
112 static const blob lineending = {.data = US"\r\n", .len = 2};
114 /* -------------------------------------------------------------------------- */
116 dkim_sig_to_a_tag(const pdkim_signature * sig)
118 if ( sig->keytype < 0 || sig->keytype > nelem(pdkim_keytypes)
119 || sig->hashtype < 0 || sig->hashtype > nelem(pdkim_hashes))
121 return string_sprintf("%s-%s",
122 pdkim_keytypes[sig->keytype], pdkim_hashes[sig->hashtype].dkim_hashname);
127 pdkim_keyname_to_keytype(const uschar * s)
129 for (int i = 0; i < nelem(pdkim_keytypes); i++)
130 if (Ustrcmp(s, pdkim_keytypes[i]) == 0) return i;
135 pdkim_hashname_to_hashtype(const uschar * s, unsigned len)
137 if (!len) len = Ustrlen(s);
138 for (int i = 0; i < nelem(pdkim_hashes); i++)
139 if (Ustrncmp(s, pdkim_hashes[i].dkim_hashname, len) == 0)
145 pdkim_cstring_to_canons(const uschar * s, unsigned len,
146 int * canon_head, int * canon_body)
148 if (!len) len = Ustrlen(s);
149 for (int i = 0; pdkim_combined_canons[i].str; i++)
150 if ( Ustrncmp(s, pdkim_combined_canons[i].str, len) == 0
151 && len == Ustrlen(pdkim_combined_canons[i].str))
153 *canon_head = pdkim_combined_canons[i].canon_headers;
154 *canon_body = pdkim_combined_canons[i].canon_body;
162 pdkim_verify_status_str(int status)
166 case PDKIM_VERIFY_NONE: return "PDKIM_VERIFY_NONE";
167 case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
168 case PDKIM_VERIFY_FAIL: return "PDKIM_VERIFY_FAIL";
169 case PDKIM_VERIFY_PASS: return "PDKIM_VERIFY_PASS";
170 default: return "PDKIM_VERIFY_UNKNOWN";
175 pdkim_verify_ext_status_str(int ext_status)
179 case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
180 case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
181 case PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH: return "PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH";
182 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
183 case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
184 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
185 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
186 case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: return "PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE";
187 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR";
188 case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION";
189 default: return "PDKIM_VERIFY_UNKNOWN";
194 pdkim_errstr(int status)
198 case PDKIM_OK: return US"OK";
199 case PDKIM_FAIL: return US"FAIL";
200 case PDKIM_ERR_RSA_PRIVKEY: return US"PRIVKEY";
201 case PDKIM_ERR_RSA_SIGNING: return US"SIGNING";
202 case PDKIM_ERR_LONG_LINE: return US"LONG_LINE";
203 case PDKIM_ERR_BUFFER_TOO_SMALL: return US"BUFFER_TOO_SMALL";
204 case PDKIM_ERR_EXCESS_SIGS: return US"EXCESS_SIGS";
205 case PDKIM_SIGN_PRIVKEY_WRAP: return US"PRIVKEY_WRAP";
206 case PDKIM_SIGN_PRIVKEY_B64D: return US"PRIVKEY_B64D";
207 default: return US"(unknown)";
212 /* -------------------------------------------------------------------------- */
215 static pdkim_stringlist *
216 pdkim_prepend_stringlist(pdkim_stringlist * base, const uschar * str)
218 pdkim_stringlist * new_entry = store_get(sizeof(pdkim_stringlist), GET_UNTAINTED);
220 memset(new_entry, 0, sizeof(pdkim_stringlist));
221 new_entry->value = string_copy(str);
222 if (base) new_entry->next = base;
228 /* Trim whitespace fore & aft */
231 pdkim_strtrim(gstring * str)
236 while (*p == '\t' || *p == ' ') /* dump the leading whitespace */
237 { str->size--; str->ptr--; str->s++; }
240 && ((q = str->s + str->ptr - 1), (*q == '\t' || *q == ' '))
242 str->ptr--; /* dump trailing whitespace */
244 (void) string_from_gstring(str);
249 /* -------------------------------------------------------------------------- */
252 pdkim_free_ctx(pdkim_ctx *ctx)
257 /* -------------------------------------------------------------------------- */
258 /* Matches the name of the passed raw "header" against
259 the passed colon-separated "tick", and invalidates
260 the entry in tick. Entries can be prefixed for multi- or over-signing,
261 in which case do not invalidate.
263 Returns OK for a match, or fail-code
267 header_name_match(const uschar * header, uschar * tick)
269 const uschar * ticklist = tick;
272 uschar * hname, * p, * ele;
273 uschar * hcolon = Ustrchr(header, ':'); /* Get header name */
276 return PDKIM_FAIL; /* This isn't a header */
278 /* if we had strncmpic() we wouldn't need this copy */
279 hname = string_copyn(header, hcolon-header);
281 while (p = US ticklist, ele = string_nextinlist(&ticklist, &sep, NULL, 0))
285 case '=': case '+': multisign = TRUE; ele++; break;
286 default: multisign = FALSE; break;
289 if (strcmpic(ele, hname) == 0)
292 *p = '_'; /* Invalidate this header name instance in tick-off list */
300 /* -------------------------------------------------------------------------- */
301 /* Performs "relaxed" canonicalization of a header. */
304 pdkim_relax_header_n(const uschar * header, int len, BOOL append_crlf)
306 BOOL past_field_name = FALSE;
307 BOOL seen_wsp = FALSE;
308 uschar * relaxed = store_get(len+3, GET_TAINTED);
309 uschar * q = relaxed;
311 for (const uschar * p = header; p - header < len; p++)
315 if (c == '\r' || c == '\n') /* Ignore CR & LF */
317 if (c == '\t' || c == ' ')
321 c = ' '; /* Turns WSP into SP */
325 if (!past_field_name && c == ':')
327 if (seen_wsp) q--; /* This removes WSP immediately before the colon */
328 seen_wsp = TRUE; /* This removes WSP immediately after the colon */
329 past_field_name = TRUE;
334 /* Lowercase header name */
335 if (!past_field_name) c = tolower(c);
339 if (q > relaxed && q[-1] == ' ') q--; /* Squash eventual trailing SP */
341 if (append_crlf) { *q++ = '\r'; *q++ = '\n'; }
348 pdkim_relax_header(const uschar * header, BOOL append_crlf)
350 return pdkim_relax_header_n(header, Ustrlen(header), append_crlf);
354 /* -------------------------------------------------------------------------- */
355 #define PDKIM_QP_ERROR_DECODE -1
357 static const uschar *
358 pdkim_decode_qp_char(const uschar *qp_p, int *c)
360 const uschar *initial_pos = qp_p;
362 /* Advance one char */
365 /* Check for two hex digits and decode them */
366 if (isxdigit(*qp_p) && isxdigit(qp_p[1]))
368 /* Do hex conversion */
369 *c = (isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10) << 4;
370 *c |= isdigit(qp_p[1]) ? qp_p[1] - '0' : toupper(qp_p[1]) - 'A' + 10;
374 /* Illegal char here */
375 *c = PDKIM_QP_ERROR_DECODE;
380 /* -------------------------------------------------------------------------- */
383 pdkim_decode_qp(const uschar * str)
387 const uschar * p = str;
388 uschar * n = store_get(Ustrlen(str)+1, GET_TAINTED);
396 p = pdkim_decode_qp_char(p, &nchar);
412 /* -------------------------------------------------------------------------- */
415 pdkim_decode_base64(const uschar * str, blob * b)
417 int dlen = b64decode(str, &b->data, str);
418 if (dlen < 0) b->data = NULL;
423 pdkim_encode_base64(blob * b)
425 return b64encode(CUS b->data, b->len);
429 /* -------------------------------------------------------------------------- */
430 #define PDKIM_HDR_LIMBO 0
431 #define PDKIM_HDR_TAG 1
432 #define PDKIM_HDR_VALUE 2
434 static pdkim_signature *
435 pdkim_parse_sig_header(pdkim_ctx * ctx, uschar * raw_hdr)
437 pdkim_signature * sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
439 gstring * cur_tag = NULL, * cur_val = NULL;
440 BOOL past_hname = FALSE, in_b_val = FALSE;
441 int where = PDKIM_HDR_LIMBO;
443 memset(sig, 0, sizeof(pdkim_signature));
444 sig->bodylength = -1;
446 /* Set so invalid/missing data error display is accurate */
451 q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1, GET_TAINTED);
453 for (uschar * p = raw_hdr; ; p++)
458 if (c == '\r' || c == '\n')
461 /* Fast-forward through header name */
464 if (c == ':') past_hname = TRUE;
468 if (where == PDKIM_HDR_LIMBO)
470 /* In limbo, just wait for a tag-char to appear */
471 if (!(c >= 'a' && c <= 'z'))
474 where = PDKIM_HDR_TAG;
477 if (where == PDKIM_HDR_TAG)
480 if (Ustrcmp(string_from_gstring(cur_tag), "b") == 0)
485 where = PDKIM_HDR_VALUE;
488 else if (!isspace(c))
489 cur_tag = string_catn(cur_tag, p, 1);
491 if (where == PDKIM_HDR_VALUE)
493 if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
496 if (c == ';' || c == '\0')
498 /* We must have both tag and value, and tags must be one char except
499 for the possibility of "bh". */
501 if ( cur_tag && cur_val
502 && (cur_tag->ptr == 1 || *cur_tag->s == 'b')
505 (void) string_from_gstring(cur_val);
506 pdkim_strtrim(cur_val);
508 DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->s, cur_val->s);
512 case 'b': /* sig-data or body-hash */
513 switch (cur_tag->s[1])
515 case '\0': pdkim_decode_base64(cur_val->s, &sig->sighash); break;
516 case 'h': if (cur_tag->ptr != 2) goto bad_tag;
517 pdkim_decode_base64(cur_val->s, &sig->bodyhash);
519 default: goto bad_tag;
522 case 'v': /* version */
523 /* We only support version 1, and that is currently the
524 only version there is. */
526 Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
528 case 'a': /* algorithm */
530 const uschar * list = cur_val->s;
534 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
535 sig->keytype = pdkim_keyname_to_keytype(elem);
536 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
537 for (int i = 0; i < nelem(pdkim_hashes); i++)
538 if (Ustrcmp(elem, pdkim_hashes[i].dkim_hashname) == 0)
539 { sig->hashtype = i; break; }
543 case 'c': /* canonicalization */
544 pdkim_cstring_to_canons(cur_val->s, 0,
545 &sig->canon_headers, &sig->canon_body);
547 case 'q': /* Query method (for pubkey)*/
548 for (int i = 0; pdkim_querymethods[i]; i++)
549 if (Ustrcmp(cur_val->s, pdkim_querymethods[i]) == 0)
551 sig->querymethod = i; /* we never actually use this */
555 case 's': /* Selector */
556 sig->selector = string_copy_from_gstring(cur_val); break;
558 sig->domain = string_copy_from_gstring(cur_val); break;
560 sig->identity = pdkim_decode_qp(cur_val->s); break;
561 case 't': /* Timestamp */
562 sig->created = strtoul(CS cur_val->s, NULL, 10); break;
563 case 'x': /* Expiration */
564 sig->expires = strtoul(CS cur_val->s, NULL, 10); break;
565 case 'l': /* Body length count */
566 sig->bodylength = strtol(CS cur_val->s, NULL, 10); break;
567 case 'h': /* signed header fields */
568 sig->headernames = string_copy_from_gstring(cur_val); break;
569 case 'z': /* Copied headfields */
570 sig->copiedheaders = pdkim_decode_qp(cur_val->s); break;
571 /*XXX draft-ietf-dcrup-dkim-crypto-05 would need 'p' tag support
572 for rsafp signatures. But later discussion is dropping those. */
578 bad_tag: DEBUG(D_acl) debug_printf(" Unknown tag encountered: %Y\n", cur_tag);
580 cur_tag = cur_val = NULL;
582 where = PDKIM_HDR_LIMBO;
585 cur_val = string_catn(cur_val, p, 1);
596 if (sig->keytype < 0 || sig->hashtype < 0) /* Cannot verify this signature */
600 /* Chomp raw header. The final newline must not be added to the signature. */
601 while (--q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n'))
607 "DKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
608 debug_printf("%Z\n", US sig->rawsig_no_b_val);
610 "DKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8);
612 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
615 if (!pdkim_set_sig_bodyhash(ctx, sig))
622 /* -------------------------------------------------------------------------- */
625 pdkim_parse_pubkey_record(const uschar * raw_record)
627 pdkim_pubkey * pub = store_get(sizeof(pdkim_pubkey), GET_TAINTED);
629 memset(pub, 0, sizeof(pdkim_pubkey));
631 for (const uschar * ele = raw_record, * tspec, * end, * val; *ele; ele = end)
633 Uskip_whitespace(&ele);
634 end = Ustrchrnul(ele, ';');
635 tspec = string_copyn(ele, end - ele);
636 if (*end) end++; /* skip the ; */
638 if ((val = Ustrchr(tspec, '=')))
640 int taglen = val++ - tspec;
642 DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, tspec, val);
643 while (taglen > 1 && isspace(tspec[taglen-1]))
644 taglen--; /* Ignore whitespace before = */
645 Uskip_whitespace(&val); /* Ignore whitespace after = */
646 if (isspace(val[ Ustrlen(val)-1 ]))
647 { /* Ignore whitespace after value */
648 gstring * g = string_cat(NULL, val);
649 while (isspace(gstring_last_char(g)))
651 val = string_from_gstring(g);
654 if (taglen == 1) switch (tspec[0])
656 case 'v': pub->version = val; break;
657 case 'h': pub->hashes = val; break;
658 case 'k': pub->keytype = val; break;
659 case 'g': pub->granularity = val; break;
660 case 'n': pub->notes = pdkim_decode_qp(val); break;
661 case 'p': pdkim_decode_base64(val, &pub->key); break;
662 case 's': pub->srvtype = val; break;
663 case 't': if (Ustrchr(val, 'y')) pub->testing = 1;
664 if (Ustrchr(val, 's')) pub->no_subdomaining = 1;
666 default: goto bad_tag;
670 DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
674 /* Set fallback defaults */
676 pub->version = string_copy(PDKIM_PUB_RECORD_VERSION);
677 else if (Ustrcmp(pub->version, PDKIM_PUB_RECORD_VERSION) != 0)
679 DEBUG(D_acl) debug_printf(" Bad v= field\n");
683 if (!pub->granularity) pub->granularity = US"*";
684 if (!pub->keytype ) pub->keytype = US"rsa";
685 if (!pub->srvtype ) pub->srvtype = US"*";
691 DEBUG(D_acl) debug_printf(" Missing p= field\n");
696 /* -------------------------------------------------------------------------- */
698 /* Update one bodyhash with some additional data.
699 If we have to relax the data for this sig, return our copy of it. */
702 pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob * orig_data, blob * relaxed_data)
704 const blob * canon_data = orig_data;
707 /* Defaults to simple canon (no further treatment necessary) */
709 if (b->canon_method == PDKIM_CANON_RELAXED)
711 /* Relax the line if not done already */
714 BOOL seen_wsp = FALSE;
717 /* We want to be able to free this else we allocate
718 for the entire message which could be many MB. Since
719 we don't know what allocations the SHA routines might
720 do, not safe to use store_get()/store_reset(). */
722 relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
723 relaxed_data->data = US (relaxed_data+1);
725 for (const uschar * p = orig_data->data, * r = p + orig_data->len; p < r; p++)
730 if (q > 0 && relaxed_data->data[q-1] == ' ')
733 else if (c == '\t' || c == ' ')
735 c = ' '; /* Turns WSP into SP */
742 relaxed_data->data[q++] = c;
744 relaxed_data->data[q] = '\0';
745 relaxed_data->len = q;
747 canon_data = relaxed_data;
750 /* Make sure we don't exceed the to-be-signed body length */
751 left = canon_data->len;
752 if ( b->bodylength >= 0
753 && left > (unsigned long)b->bodylength - b->signed_body_bytes
755 left = (unsigned long)b->bodylength - b->signed_body_bytes;
759 exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, left);
760 b->signed_body_bytes += left;
761 DEBUG(D_acl) debug_printf("%.*Z\n", left, canon_data->data);
768 /* -------------------------------------------------------------------------- */
771 pdkim_finish_bodyhash(pdkim_ctx * ctx)
773 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next) /* Finish hashes */
775 DEBUG(D_acl) debug_printf("DKIM: finish bodyhash %s/%s/%ld len %ld\n",
776 pdkim_hashes[b->hashtype].dkim_hashname, pdkim_canons[b->canon_method],
777 b->bodylength, b->signed_body_bytes);
778 exim_sha_finish(&b->body_hash_ctx, &b->bh);
781 /* Traverse all signatures */
782 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
784 pdkim_bodyhash * b = sig->calc_body_hash;
788 debug_printf("DKIM [%s]%s Body bytes (%s) hashed: %lu\n"
789 "DKIM [%s]%s Body %s computed: ",
790 sig->domain, sig->selector, pdkim_canons[b->canon_method], b->signed_body_bytes,
791 sig->domain, sig->selector, pdkim_hashes[b->hashtype].dkim_hashname);
792 debug_printf("%.*H\n", b->bh.len, CUS b->bh.data);
795 /* SIGNING -------------------------------------------------------------- */
796 if (ctx->flags & PDKIM_MODE_SIGN)
798 /* If bodylength limit is set, and we have received less bytes
799 than the requested amount, effectively remove the limit tag. */
800 if (b->signed_body_bytes < sig->bodylength)
801 sig->bodylength = -1;
805 /* VERIFICATION --------------------------------------------------------- */
806 /* Be careful that the header sig included a bodyash */
808 if (sig->bodyhash.data && sig->bodyhash.len == b->bh.len
809 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
811 DEBUG(D_acl) debug_printf("DKIM [%s] Body hash compared OK\n", sig->domain);
817 debug_printf("DKIM [%s] Body hash signature from headers: ", sig->domain);
818 debug_printf("%.*H\n", sig->bodyhash.len, sig->bodyhash.data);
819 debug_printf("DKIM [%s] Body hash did NOT verify\n", sig->domain);
821 sig->verify_status = PDKIM_VERIFY_FAIL;
822 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
830 pdkim_body_complete(pdkim_ctx * ctx)
832 /* In simple body mode, if any empty lines were buffered,
833 replace with one. rfc 4871 3.4.3 */
834 /*XXX checking the signed-body-bytes is a gross hack; I think
835 it indicates that all linebreaks should be buffered, including
836 the one terminating a text line */
838 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
839 if ( b->canon_method == PDKIM_CANON_SIMPLE
840 && b->signed_body_bytes == 0
841 && b->num_buffered_blanklines > 0
843 (void) pdkim_update_ctx_bodyhash(b, &lineending, NULL);
845 ctx->flags |= PDKIM_SEEN_EOD;
846 ctx->linebuf_offset = 0;
851 /* -------------------------------------------------------------------------- */
852 /* Call from pdkim_feed below for processing complete body lines */
853 /* NOTE: the line is not NUL-terminated; but we have a count */
856 pdkim_bodyline_complete(pdkim_ctx * ctx)
858 blob line = {.data = ctx->linebuf, .len = ctx->linebuf_offset};
862 /* Ignore extra data if we've seen the end-of-data marker */
863 if (ctx->flags & PDKIM_SEEN_EOD) goto all_skip;
865 /* We've always got one extra byte to stuff a zero ... */
866 ctx->linebuf[line.len] = '\0';
868 /* Terminate on EOD marker */
869 if (ctx->flags & PDKIM_DOT_TERM)
871 if (memcmp(line.data, ".\r\n", 3) == 0)
872 { pdkim_body_complete(ctx); return; }
875 if (memcmp(line.data, "..", 2) == 0)
876 { line.data++; line.len--; }
879 /* Empty lines need to be buffered until we find a non-empty line */
880 if (memcmp(line.data, "\r\n", 2) == 0)
882 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
883 b->num_buffered_blanklines++;
887 /* Process line for each bodyhash separately */
888 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
890 if (b->canon_method == PDKIM_CANON_RELAXED)
892 /* Lines with just spaces need to be buffered too */
893 uschar * cp = line.data;
898 if (c == '\r' && cp[1] == '\n') break;
899 if (c != ' ' && c != '\t') goto hash_process;
903 b->num_buffered_blanklines++;
908 /* At this point, we have a non-empty line, so release the buffered ones. */
910 while (b->num_buffered_blanklines)
912 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
913 b->num_buffered_blanklines--;
916 rline = pdkim_update_ctx_bodyhash(b, &line, rline);
920 if (rnl) store_free(rnl);
921 if (rline) store_free(rline);
925 ctx->linebuf_offset = 0;
930 /* -------------------------------------------------------------------------- */
931 /* Callback from pdkim_feed below for processing complete headers */
932 #define DKIM_SIGNATURE_HEADERNAME "DKIM-Signature:"
935 pdkim_header_complete(pdkim_ctx * ctx)
937 if (ctx->cur_header->ptr > 1)
938 gstring_trim_trailing(ctx->cur_header, '\r');
939 (void) string_from_gstring(ctx->cur_header);
941 #ifdef EXPERIMENTAL_ARC
942 /* Feed the header line to ARC processing */
943 (void) arc_header_feed(ctx->cur_header, !(ctx->flags & PDKIM_MODE_SIGN));
946 if (++ctx->num_headers > PDKIM_MAX_HEADERS) goto BAIL;
948 /* SIGNING -------------------------------------------------------------- */
949 if (ctx->flags & PDKIM_MODE_SIGN)
950 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) /* Traverse all signatures */
952 /* Add header to the signed headers list (in reverse order) */
953 sig->headers = pdkim_prepend_stringlist(sig->headers, ctx->cur_header->s);
955 /* VERIFICATION ----------------------------------------------------------- */
956 /* DKIM-Signature: headers are added to the verification list */
960 DEBUG(D_acl) debug_printf("DKIM >> raw hdr: %.*Z\n",
961 ctx->cur_head->ptr, CUS ctx->cur_header->s);
963 if (strncasecmp(CCS ctx->cur_header->s,
964 DKIM_SIGNATURE_HEADERNAME,
965 Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
967 pdkim_signature * sig, * last_sig;
968 /* Create and chain new signature block. We could error-check for all
969 required tags here, but prefer to create the internal sig and expicitly
970 fail verification of it later. */
972 DEBUG(D_acl) debug_printf(
973 "DKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
975 sig = pdkim_parse_sig_header(ctx, ctx->cur_header->s);
977 if (!(last_sig = ctx->sig))
981 while (last_sig->next) last_sig = last_sig->next;
982 last_sig->next = sig;
985 if (dkim_collect_input && --dkim_collect_input == 0)
987 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
988 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
989 return PDKIM_ERR_EXCESS_SIGS;
993 /* all headers are stored for signature verification */
994 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
998 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0'; /* leave buffer for reuse */
1004 /* -------------------------------------------------------------------------- */
1005 #define HEADER_BUFFER_FRAG_SIZE 256
1008 pdkim_feed(pdkim_ctx * ctx, uschar * data, int len)
1010 /* Alternate EOD signal, used in non-dotstuffing mode */
1012 pdkim_body_complete(ctx);
1014 else for (int p = 0; p < len; p++)
1019 if (ctx->flags & PDKIM_PAST_HDRS)
1021 if (c == '\n' && !(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1023 ctx->linebuf[ctx->linebuf_offset++] = '\r';
1024 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1025 return PDKIM_ERR_LONG_LINE;
1028 /* Processing body byte */
1029 ctx->linebuf[ctx->linebuf_offset++] = c;
1031 ctx->flags |= PDKIM_SEEN_CR;
1034 ctx->flags &= ~PDKIM_SEEN_CR;
1035 pdkim_bodyline_complete(ctx);
1038 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1039 return PDKIM_ERR_LONG_LINE;
1043 /* Processing header byte */
1045 ctx->flags |= PDKIM_SEEN_CR;
1048 if (!(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1049 ctx->cur_header = string_catn(ctx->cur_header, CUS "\r", 1);
1051 if (ctx->flags & PDKIM_SEEN_LF) /* Seen last header line */
1053 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1056 ctx->flags = (ctx->flags & ~(PDKIM_SEEN_LF|PDKIM_SEEN_CR)) | PDKIM_PAST_HDRS;
1057 DEBUG(D_acl) debug_printf(
1058 "DKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1062 ctx->flags = (ctx->flags & ~PDKIM_SEEN_CR) | PDKIM_SEEN_LF;
1064 else if (ctx->flags & PDKIM_SEEN_LF)
1066 if (!(c == '\t' || c == ' ')) /* End of header */
1067 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1069 ctx->flags &= ~PDKIM_SEEN_LF;
1072 if (!ctx->cur_header || ctx->cur_header->ptr < PDKIM_MAX_HEADER_LEN)
1073 ctx->cur_header = string_catn(ctx->cur_header, CUS &data[p], 1);
1081 /* Extend a growing header with a continuation-linebreak */
1083 pdkim_hdr_cont(gstring * str, int * col)
1086 return string_catn(str, US"\r\n\t", 3);
1092 * RFC 5322 specifies that header line length SHOULD be no more than 78
1095 * Returns gstring (not nul-terminated) appending to one supplied
1097 * col: this int holds and receives column number (octets since last '\n')
1098 * str: partial string to append to
1099 * pad: padding, split line or space after before or after eg: ";".
1100 * Only the initial charater is used.
1101 * intro: - must join to payload eg "h=", usually the tag name
1102 * payload: eg base64 data - long data can be split arbitrarily.
1104 * this code doesn't fold the header in some of the places that RFC4871
1105 * allows: As per RFC5322(2.2.3) it only folds before or after tag-value
1106 * pairs and inside long values. it also always spaces or breaks after the
1109 * No guarantees are made for output given out-of range input. like tag
1110 * names longer than 78, or bogus col. Input is assumed to be free of line breaks.
1114 pdkim_headcat(int * col, gstring * str,
1115 const uschar * pad, const uschar * intro, const uschar * payload)
1117 int len, chomp, padded = 0;
1119 /* If we can fit at least the pad at the end of current line, do it now.
1120 Otherwise, wrap if there is a pad. */
1125 str = string_catn(str, pad, 1);
1131 str = pdkim_hdr_cont(str, col);
1133 /* Special case: if the whole addition does not fit at the end of the current
1134 line, but could fit on a new line, wrap to give it its full, dedicated line. */
1136 len = (pad ? 2 : padded)
1137 + (intro ? Ustrlen(intro) : 0)
1138 + (payload ? Ustrlen(payload) : 0);
1139 if (len <= 77 && *col+len > 78)
1141 str = pdkim_hdr_cont(str, col);
1145 /* Either we already dealt with the pad or we know there is room */
1149 str = string_catn(str, pad, 1);
1150 str = string_catn(str, US" ", 1);
1153 else if (padded && *col < 78)
1155 str = string_catn(str, US" ", 1);
1159 /* Call recursively with intro as payload: it gets the same, special treatment
1160 (that is, not split if < 78). */
1163 str = pdkim_headcat(col, str, NULL, NULL, intro);
1166 for (len = Ustrlen(payload); len; len -= chomp)
1169 str = pdkim_hdr_cont(str, col);
1170 chomp = *col+len > 78 ? 78 - *col : len;
1171 str = string_catn(str, payload, chomp);
1180 /* -------------------------------------------------------------------------- */
1182 /* Signing: create signature header
1185 pdkim_create_header(pdkim_signature * sig, BOOL final)
1191 gstring * canon_all;
1193 canon_all = string_cat (NULL, pdkim_canons[sig->canon_headers]);
1194 canon_all = string_catn(canon_all, US"/", 1);
1195 canon_all = string_cat (canon_all, pdkim_canons[sig->canon_body]);
1196 (void) string_from_gstring(canon_all);
1198 hdr = string_cat(NULL, US"DKIM-Signature: v="PDKIM_SIGNATURE_VERSION);
1201 /* Required and static bits */
1202 hdr = pdkim_headcat(&col, hdr, US";", US"a=", dkim_sig_to_a_tag(sig));
1203 hdr = pdkim_headcat(&col, hdr, US";", US"q=", pdkim_querymethods[sig->querymethod]);
1204 hdr = pdkim_headcat(&col, hdr, US";", US"c=", canon_all->s);
1205 hdr = pdkim_headcat(&col, hdr, US";", US"d=", sig->domain);
1206 hdr = pdkim_headcat(&col, hdr, US";", US"s=", sig->selector);
1208 /* list of header names can be split between items. */
1210 uschar * n = string_copy(sig->headernames);
1211 uschar * i = US"h=";
1216 uschar * c = Ustrchr(n, ':');
1221 hdr = pdkim_headcat(&col, hdr, NULL, NULL, US":");
1223 hdr = pdkim_headcat(&col, hdr, s, i, n);
1234 base64_bh = pdkim_encode_base64(&sig->calc_body_hash->bh);
1235 hdr = pdkim_headcat(&col, hdr, US";", US"bh=", base64_bh);
1239 hdr = pdkim_headcat(&col, hdr, US";", US"i=", sig->identity);
1241 if (sig->created > 0)
1245 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->created);
1246 hdr = pdkim_headcat(&col, hdr, US";", US"t=", minibuf);
1249 if (sig->expires > 0)
1253 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->expires);
1254 hdr = pdkim_headcat(&col, hdr, US";", US"x=", minibuf);
1257 if (sig->bodylength >= 0)
1261 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->bodylength);
1262 hdr = pdkim_headcat(&col, hdr, US";", US"l=", minibuf);
1265 /* Preliminary or final version? */
1268 base64_b = pdkim_encode_base64(&sig->sighash);
1269 hdr = pdkim_headcat(&col, hdr, US";", US"b=", base64_b);
1271 /* add trailing semicolon: I'm not sure if this is actually needed */
1272 hdr = pdkim_headcat(&col, hdr, NULL, US";", US"");
1276 /* To satisfy the rule "all surrounding whitespace [...] deleted"
1277 ( RFC 6376 section 3.7 ) we ensure there is no whitespace here. Otherwise
1278 the headcat routine could insert a linebreak which the relaxer would reduce
1279 to a single space preceding the terminating semicolon, resulting in an
1280 incorrect header-hash. */
1281 hdr = pdkim_headcat(&col, hdr, US";", US"b=;", US"");
1284 return string_from_gstring(hdr);
1288 /* -------------------------------------------------------------------------- */
1290 /* According to draft-ietf-dcrup-dkim-crypto-07 "keys are 256 bits" (referring
1291 to DNS, hence the pubkey). Check for more than 32 bytes; if so assume the
1292 alternate possible representation (still) being discussed: a
1293 SubjectPublickeyInfo wrapped key - and drop all but the trailing 32-bytes (it
1294 should be a DER, with exactly 12 leading bytes - but we could accept a BER also,
1295 which could be any size). We still rely on the crypto library for checking for
1298 When the RFC is published this should be re-addressed. */
1301 check_bare_ed25519_pubkey(pdkim_pubkey * p)
1303 int excess = p->key.len - 32;
1307 debug_printf("DKIM: unexpected pubkey len %lu\n", (unsigned long) p->key.len);
1308 p->key.data += excess; p->key.len = 32;
1313 static pdkim_pubkey *
1314 pdkim_key_from_dns(pdkim_ctx * ctx, pdkim_signature * sig, ev_ctx * vctx,
1315 const uschar ** errstr)
1317 uschar * dns_txt_name, * dns_txt_reply;
1320 /* Fetch public key for signing domain, from DNS */
1322 dns_txt_name = string_sprintf("%s._domainkey.%s.", sig->selector, sig->domain);
1324 if ( !(dns_txt_reply = ctx->dns_txt_callback(dns_txt_name))
1325 || dns_txt_reply[0] == '\0'
1328 sig->verify_status = PDKIM_VERIFY_INVALID;
1329 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
1336 "DKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
1338 " Raw record: %Z\n",
1343 if ( !(p = pdkim_parse_pubkey_record(CUS dns_txt_reply))
1344 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
1347 sig->verify_status = PDKIM_VERIFY_INVALID;
1348 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
1353 debug_printf(" Invalid public key service type '%s'\n", p->srvtype);
1355 debug_printf(" Error while parsing public key record\n");
1357 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1362 DEBUG(D_acl) debug_printf(
1363 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1365 /* Import public key */
1367 /* Normally we use the signature a= tag to tell us the pubkey format.
1368 When signing under debug we do a test-import of the pubkey, and at that
1369 time we do not have a signature so we must interpret the pubkey k= tag
1370 instead. Assume writing on the sig is ok in that case. */
1372 if (sig->keytype < 0)
1373 if ((sig->keytype = pdkim_keyname_to_keytype(p->keytype)) < 0)
1375 DEBUG(D_acl) debug_printf("verify_init: unhandled keytype %s\n", p->keytype);
1376 sig->verify_status = PDKIM_VERIFY_INVALID;
1377 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1381 if (sig->keytype == KEYTYPE_ED25519)
1382 check_bare_ed25519_pubkey(p);
1384 if ((*errstr = exim_dkim_verify_init(&p->key,
1385 sig->keytype == KEYTYPE_ED25519 ? KEYFMT_ED25519_BARE : KEYFMT_DER,
1386 vctx, &sig->keybits)))
1388 DEBUG(D_acl) debug_printf("verify_init: %s\n", *errstr);
1389 sig->verify_status = PDKIM_VERIFY_INVALID;
1390 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1394 vctx->keytype = sig->keytype;
1399 /* -------------------------------------------------------------------------- */
1400 /* Sort and filter the sigs developed from the message */
1402 static pdkim_signature *
1403 sort_sig_methods(pdkim_signature * siglist)
1405 pdkim_signature * yield, ** ss;
1406 const uschar * prefs;
1410 if (!siglist) return NULL;
1412 /* first select in order of hashtypes */
1413 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_hashes '%s'\n", dkim_verify_hashes);
1414 for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield;
1415 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1417 int i = pdkim_hashname_to_hashtype(CUS ele, 0);
1418 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1422 if (s->hashtype == i)
1423 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1429 /* then in order of keytypes */
1431 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes);
1432 for (prefs = dkim_verify_keytypes, sep = 0, yield = NULL, ss = &yield;
1433 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1435 int i = pdkim_keyname_to_keytype(CUS ele);
1436 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1440 if (s->keytype == i)
1441 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1447 DEBUG(D_acl) for (pdkim_signature * s = yield; s; s = s->next)
1448 debug_printf(" retain d=%s s=%s a=%s\n",
1449 s->domain, s->selector, dkim_sig_to_a_tag(s));
1454 /* -------------------------------------------------------------------------- */
1457 pdkim_feed_finish(pdkim_ctx * ctx, pdkim_signature ** return_signatures,
1458 const uschar ** err)
1460 BOOL verify_pass = FALSE;
1462 /* Check if we must still flush a (partial) header. If that is the
1463 case, the message has no body, and we must compute a body hash
1464 out of '<CR><LF>' */
1465 if (ctx->cur_header && ctx->cur_header->ptr > 0)
1470 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1473 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
1474 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
1475 if (rnl) store_free(rnl);
1478 DEBUG(D_acl) debug_printf(
1479 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1481 /* Build (and/or evaluate) body hash. Do this even if no DKIM sigs, in case we
1482 have a hash to do for ARC. */
1484 pdkim_finish_bodyhash(ctx);
1486 /* Sort and filter the recived signatures */
1488 if (!(ctx->flags & PDKIM_MODE_SIGN))
1489 ctx->sig = sort_sig_methods(ctx->sig);
1493 DEBUG(D_acl) debug_printf("DKIM: no signatures\n");
1494 *return_signatures = NULL;
1498 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
1501 uschar * sig_hdr = US"";
1503 gstring * hdata = NULL;
1506 if ( !(ctx->flags & PDKIM_MODE_SIGN)
1507 && sig->verify_status == PDKIM_VERIFY_FAIL)
1510 debug_printf("DKIM: [%s] abandoning this signature\n", sig->domain);
1514 /*XXX The hash of the headers is needed for GCrypt (for which we can do RSA
1515 signing only, as it happens) and for either GnuTLS and OpenSSL when we are
1516 signing with EC (specifically, Ed25519). The former is because the GCrypt
1517 signing operation is pure (does not do its own hash) so we must hash. The
1518 latter is because we (stupidly, but this is what the IETF draft is saying)
1519 must hash with the declared hash method, then pass the result to the library
1520 hash-and-sign routine (because that's all the libraries are providing. And
1521 we're stuck with whatever that hidden hash method is, too). We may as well
1522 do this hash incrementally.
1523 We don't need the hash we're calculating here for the GnuTLS and OpenSSL
1524 cases of RSA signing, since those library routines can do hash-and-sign.
1526 Some time in the future we could easily avoid doing the hash here for those
1527 cases (which will be common for a long while. We could also change from
1528 the current copy-all-the-headers-into-one-block, then call the hash-and-sign
1529 implementation - to a proper incremental one. Unfortunately, GnuTLS just
1530 cannot do incremental - either signing or verification. Unsure about GCrypt.
1533 /*XXX The header hash is also used (so far) by the verify operation */
1535 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod))
1537 log_write(0, LOG_MAIN|LOG_PANIC,
1538 "DKIM: hash setup error, possibly nonhandled hashtype");
1542 if (ctx->flags & PDKIM_MODE_SIGN)
1543 DEBUG(D_acl) debug_printf(
1544 "DKIM >> Headers to be signed: >>>>>>>>>>>>\n"
1548 DEBUG(D_acl) debug_printf(
1549 "DKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n",
1550 pdkim_canons[sig->canon_headers]);
1553 /* SIGNING ---------------------------------------------------------------- */
1554 /* When signing, walk through our header list and add them to the hash. As we
1555 go, construct a list of the header's names to use for the h= parameter.
1556 Then append to that list any remaining header names for which there was no
1559 if (ctx->flags & PDKIM_MODE_SIGN)
1566 /* Import private key, including the keytype which we need for building
1567 the signature header */
1569 if ((*err = exim_dkim_signing_init(CUS sig->privkey, &sctx)))
1571 log_write(0, LOG_MAIN|LOG_PANIC, "signing_init: %s", *err);
1572 return PDKIM_ERR_RSA_PRIVKEY;
1574 sig->keytype = sctx.keytype;
1576 sig->headernames = NULL; /* Collected signed header names */
1577 for (pdkim_stringlist * p = sig->headers; p; p = p->next)
1579 uschar * rh = p->value;
1581 if (header_name_match(rh, sig->sign_headers) == PDKIM_OK)
1583 /* Collect header names (Note: colon presence is guaranteed here) */
1584 g = string_append_listele_n(g, ':', rh, Ustrchr(rh, ':') - rh);
1586 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1587 rh = pdkim_relax_header(rh, TRUE); /* cook header for relaxed canon */
1589 /* Feed header to the hash algorithm */
1590 exim_sha_update_string(&hhash_ctx, CUS rh);
1592 /* Remember headers block for signing (when the library cannot do incremental) */
1593 /*XXX we could avoid doing this for all but the GnuTLS/RSA case */
1594 hdata = exim_dkim_data_append(hdata, rh);
1596 DEBUG(D_acl) debug_printf("%Z\n", rh);
1600 /* Any headers we wanted to sign but were not present must also be listed.
1601 Ignore elements that have been ticked-off or are marked as never-oversign. */
1603 l = sig->sign_headers;
1604 while((s = string_nextinlist(&l, &sep, NULL, 0)))
1606 if (*s == '+') /* skip oversigning marker */
1608 if (*s != '_' && *s != '=')
1609 g = string_append_listele(g, ':', s);
1611 sig->headernames = string_from_gstring(g);
1613 /* Create signature header with b= omitted */
1614 sig_hdr = pdkim_create_header(sig, FALSE);
1617 /* VERIFICATION ----------------------------------------------------------- */
1618 /* When verifying, walk through the header name list in the h= parameter and
1619 add the headers to the hash in that order. */
1622 uschar * p = sig->headernames;
1628 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1634 if ((q = Ustrchr(p, ':')))
1637 /*XXX walk the list of headers in same order as received. */
1638 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1640 && strncasecmp(CCS hdrs->value, CCS p, Ustrlen(p)) == 0
1641 && (hdrs->value)[Ustrlen(p)] == ':'
1644 /* cook header for relaxed canon, or just copy it for simple */
1646 uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
1647 ? pdkim_relax_header(hdrs->value, TRUE)
1648 : string_copy(CUS hdrs->value);
1650 /* Feed header to the hash algorithm */
1651 exim_sha_update_string(&hhash_ctx, CUS rh);
1653 DEBUG(D_acl) debug_printf("%Z\n", rh);
1662 sig_hdr = string_copy(sig->rawsig_no_b_val);
1666 DEBUG(D_acl) debug_printf(
1667 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1672 "DKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n");
1673 debug_printf("%Z\n", CUS sig_hdr);
1675 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1678 /* Relax header if necessary */
1679 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1680 sig_hdr = pdkim_relax_header(sig_hdr, FALSE);
1684 debug_printf("DKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n",
1685 pdkim_canons[sig->canon_headers]);
1686 debug_printf("%Z\n", CUS sig_hdr);
1688 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1691 /* Finalize header hash */
1692 exim_sha_update_string(&hhash_ctx, CUS sig_hdr);
1693 exim_sha_finish(&hhash_ctx, &hhash);
1697 debug_printf("DKIM [%s] Header %s computed: ",
1698 sig->domain, pdkim_hashes[sig->hashtype].dkim_hashname);
1699 debug_printf("%.*H\n", hhash.len, hhash.data);
1702 /* Remember headers block for signing (when the signing library cannot do
1704 if (ctx->flags & PDKIM_MODE_SIGN)
1705 hdata = exim_dkim_data_append(hdata, US sig_hdr);
1707 /* SIGNING ---------------------------------------------------------------- */
1708 if (ctx->flags & PDKIM_MODE_SIGN)
1710 hashmethod hm = sig->keytype == KEYTYPE_ED25519
1711 #if defined(SIGN_OPENSSL)
1716 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1718 #ifdef SIGN_HAVE_ED25519
1719 /* For GCrypt, and for EC, we pass the hash-of-headers to the signing
1720 routine. For anything else we just pass the headers. */
1722 if (sig->keytype != KEYTYPE_ED25519)
1725 hhash.data = hdata->s;
1726 hhash.len = hdata->ptr;
1729 if ((*err = exim_dkim_sign(&sctx, hm, &hhash, &sig->sighash)))
1731 log_write(0, LOG_MAIN|LOG_PANIC, "signing: %s", *err);
1732 return PDKIM_ERR_RSA_SIGNING;
1737 debug_printf( "DKIM [%s] b computed: ", sig->domain);
1738 debug_printf("%.*H\n", sig->sighash.len, sig->sighash.data);
1741 sig->signature_header = pdkim_create_header(sig, TRUE);
1744 /* VERIFICATION ----------------------------------------------------------- */
1750 /* Make sure we have all required signature tags */
1751 if (!( sig->domain && *sig->domain
1752 && sig->selector && *sig->selector
1753 && sig->headernames && *sig->headernames
1754 && sig->bodyhash.data
1755 && sig->sighash.data
1756 && sig->keytype >= 0
1757 && sig->hashtype >= 0
1761 sig->verify_status = PDKIM_VERIFY_INVALID;
1762 sig->verify_ext_status = PDKIM_VERIFY_INVALID_SIGNATURE_ERROR;
1764 DEBUG(D_acl) debug_printf(
1765 " Error in DKIM-Signature header: tags missing or invalid (%s)\n"
1766 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n",
1767 !(sig->domain && *sig->domain) ? "d="
1768 : !(sig->selector && *sig->selector) ? "s="
1769 : !(sig->headernames && *sig->headernames) ? "h="
1770 : !sig->bodyhash.data ? "bh="
1771 : !sig->sighash.data ? "b="
1772 : sig->keytype < 0 || sig->hashtype < 0 ? "a="
1778 /* Make sure sig uses supported DKIM version (only v1) */
1779 if (sig->version != 1)
1781 sig->verify_status = PDKIM_VERIFY_INVALID;
1782 sig->verify_ext_status = PDKIM_VERIFY_INVALID_DKIM_VERSION;
1784 DEBUG(D_acl) debug_printf(
1785 " Error in DKIM-Signature header: unsupported DKIM version\n"
1786 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1792 debug_printf( "DKIM [%s] b from mail: ", sig->domain);
1793 debug_printf("%.*H\n", sig->sighash.len, sig->sighash.data);
1796 if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx, err)))
1798 log_write(0, LOG_MAIN, "DKIM: %s%s %s%s [failed key import]",
1799 sig->domain ? "d=" : "", sig->domain ? sig->domain : US"",
1800 sig->selector ? "s=" : "", sig->selector ? sig->selector : US"");
1804 /* If the pubkey limits to a list of specific hashes, ignore sigs that
1805 do not have the hash part of the sig algorithm matching */
1807 if (sig->pubkey->hashes)
1809 const uschar * list = sig->pubkey->hashes, * ele;
1811 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
1812 if (Ustrcmp(ele, pdkim_hashes[sig->hashtype].dkim_hashname) == 0) break;
1815 DEBUG(D_acl) debug_printf("pubkey h=%s vs. sig a=%s_%s\n",
1816 sig->pubkey->hashes,
1817 pdkim_keytypes[sig->keytype],
1818 pdkim_hashes[sig->hashtype].dkim_hashname);
1819 sig->verify_status = PDKIM_VERIFY_FAIL;
1820 sig->verify_ext_status = PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH;
1825 hm = sig->keytype == KEYTYPE_ED25519
1826 #if defined(SIGN_OPENSSL)
1831 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1833 /* Check the signature */
1835 if ((*err = exim_dkim_verify(&vctx, hm, &hhash, &sig->sighash)))
1837 DEBUG(D_acl) debug_printf("headers verify: %s\n", *err);
1838 sig->verify_status = PDKIM_VERIFY_FAIL;
1839 sig->verify_ext_status = PDKIM_VERIFY_FAIL_MESSAGE;
1842 if (*dkim_verify_min_keysizes)
1845 const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
1846 dkim_verify_min_keysizes);
1847 if (ss && (minbits = atoi(CCS ss)) > sig->keybits)
1849 DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n",
1850 pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
1851 sig->verify_status = PDKIM_VERIFY_FAIL;
1852 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE;
1857 /* We have a winner! (if bodyhash was correct earlier) */
1858 if (sig->verify_status == PDKIM_VERIFY_NONE)
1860 sig->verify_status = PDKIM_VERIFY_PASS;
1862 /*XXX We used to "break" here if dkim_verify_minimal, but that didn't
1863 stop the ACL being called. So move that test. Unfortunately, we
1864 need to eval all the sigs here only to possibly ignore some later,
1865 because we don't know what verify options might say.
1866 Could we change to a later eval of the sig?
1867 Both bits are called from receive_msg().
1868 Moving the test is also suboptimal for the case of no ACL (or no
1869 signers to check!) so keep it for that case, but after debug output */
1875 debug_printf("DKIM [%s] %s signature status: %s",
1876 sig->domain, dkim_sig_to_a_tag(sig),
1877 pdkim_verify_status_str(sig->verify_status));
1878 if (sig->verify_ext_status > 0)
1879 debug_printf(" (%s)\n",
1880 pdkim_verify_ext_status_str(sig->verify_ext_status));
1885 if ( verify_pass && dkim_verify_minimal
1886 && !(acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers))
1891 /* If requested, set return pointer to signature(s) */
1892 if (return_signatures)
1893 *return_signatures = ctx->sig;
1895 return ctx->flags & PDKIM_MODE_SIGN || verify_pass
1896 ? PDKIM_OK : PDKIM_FAIL;
1900 /* -------------------------------------------------------------------------- */
1902 DLLEXPORT pdkim_ctx *
1903 pdkim_init_verify(uschar * (*dns_txt_callback)(const uschar *), BOOL dot_stuffing)
1907 ctx = store_get(sizeof(pdkim_ctx), GET_UNTAINTED);
1908 memset(ctx, 0, sizeof(pdkim_ctx));
1910 if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM;
1911 /* The line-buffer is for message data, hence tainted */
1912 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
1913 ctx->dns_txt_callback = dns_txt_callback;
1914 ctx->cur_header = string_get_tainted(36, GET_TAINTED);
1920 /* -------------------------------------------------------------------------- */
1922 DLLEXPORT pdkim_signature *
1923 pdkim_init_sign(pdkim_ctx * ctx,
1924 uschar * domain, uschar * selector, uschar * privkey,
1925 uschar * hashname, const uschar ** errstr)
1928 pdkim_signature * sig;
1930 if (!domain || !selector || !privkey)
1933 /* Allocate & init one signature struct */
1935 sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
1936 memset(sig, 0, sizeof(pdkim_signature));
1938 sig->bodylength = -1;
1940 sig->domain = string_copy(US domain);
1941 sig->selector = string_copy(US selector);
1942 sig->privkey = string_copy(US privkey);
1945 for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++)
1946 if (Ustrcmp(hashname, pdkim_hashes[hashtype].dkim_hashname) == 0)
1947 { sig->hashtype = hashtype; break; }
1948 if (hashtype >= nelem(pdkim_hashes))
1950 log_write(0, LOG_MAIN|LOG_PANIC,
1951 "DKIM: unrecognised hashname '%s'", hashname);
1957 pdkim_signature s = *sig;
1960 debug_printf("DKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1961 if (!pdkim_key_from_dns(ctx, &s, &vctx, errstr))
1962 debug_printf("WARNING: bad dkim key in dns\n");
1963 debug_printf("DKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1969 /* -------------------------------------------------------------------------- */
1972 pdkim_set_optional(pdkim_signature * sig,
1973 char * sign_headers,
1978 unsigned long created,
1979 unsigned long expires)
1982 sig->identity = string_copy(US identity);
1984 sig->sign_headers = string_copy(sign_headers
1985 ? US sign_headers : US PDKIM_DEFAULT_SIGN_HEADERS);
1987 sig->canon_headers = canon_headers;
1988 sig->canon_body = canon_body;
1989 sig->bodylength = bodylength;
1990 sig->created = created;
1991 sig->expires = expires;
1998 /* Set up a blob for calculating the bodyhash according to the
1999 given needs. Use an existing one if possible, or create a new one.
2001 Return: hashblob pointer, or NULL on error
2004 pdkim_set_bodyhash(pdkim_ctx * ctx, int hashtype, int canon_method,
2009 if (hashtype == -1 || canon_method == -1) return NULL;
2011 for (b = ctx->bodyhash; b; b = b->next)
2012 if ( hashtype == b->hashtype
2013 && canon_method == b->canon_method
2014 && bodylength == b->bodylength)
2016 DEBUG(D_receive) debug_printf("DKIM: using existing bodyhash %s/%s/%ld\n",
2017 pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
2021 DEBUG(D_receive) debug_printf("DKIM: new bodyhash %s/%s/%ld\n",
2022 pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
2023 b = store_get(sizeof(pdkim_bodyhash), GET_UNTAINTED);
2024 b->next = ctx->bodyhash;
2025 b->hashtype = hashtype;
2026 b->canon_method = canon_method;
2027 b->bodylength = bodylength;
2028 if (!exim_sha_init(&b->body_hash_ctx, /*XXX hash method: extend for sha512 */
2029 pdkim_hashes[hashtype].exim_hashmethod))
2032 debug_printf("DKIM: hash init error, possibly nonhandled hashtype\n");
2035 b->signed_body_bytes = 0;
2036 b->num_buffered_blanklines = 0;
2042 /* Set up a blob for calculating the bodyhash according to the
2043 needs of this signature. Use an existing one if possible, or
2046 Return: hashblob pointer, or NULL on error (only used as a boolean).
2049 pdkim_set_sig_bodyhash(pdkim_ctx * ctx, pdkim_signature * sig)
2051 pdkim_bodyhash * b = pdkim_set_bodyhash(ctx,
2052 sig->hashtype, sig->canon_body, sig->bodylength);
2053 sig->calc_body_hash = b;
2058 /* -------------------------------------------------------------------------- */
2062 pdkim_init_context(pdkim_ctx * ctx, BOOL dot_stuffed,
2063 uschar * (*dns_txt_callback)(const uschar *))
2065 memset(ctx, 0, sizeof(pdkim_ctx));
2066 ctx->flags = dot_stuffed ? PDKIM_MODE_SIGN | PDKIM_DOT_TERM : PDKIM_MODE_SIGN;
2067 /* The line buffer is for message data, hence tainted */
2068 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
2069 DEBUG(D_acl) ctx->dns_txt_callback = dns_txt_callback;
2081 #endif /*DISABLE_DKIM*/