2 * PDKIM - a RFC4871 (DKIM) implementation
4 * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
5 * Copyright (C) 2016 - 2018 Jeremy Harris <jgh@exim.org>
7 * http://duncanthrax.net/pdkim/
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #ifndef DISABLE_DKIM /* entire file */
30 # error Must not DISABLE_TLS, for DKIM
33 #include "crypt_ver.h"
36 # include <openssl/rsa.h>
37 # include <openssl/ssl.h>
38 # include <openssl/err.h>
39 #elif defined(SIGN_GNUTLS)
40 # include <gnutls/gnutls.h>
41 # include <gnutls/x509.h>
47 #define PDKIM_SIGNATURE_VERSION "1"
48 #define PDKIM_PUB_RECORD_VERSION US "DKIM1"
50 #define PDKIM_MAX_HEADER_LEN 65536
51 #define PDKIM_MAX_HEADERS 512
52 #define PDKIM_MAX_BODY_LINE_LEN 16384
53 #define PDKIM_DNS_TXT_MAX_NAMELEN 1024
55 /* -------------------------------------------------------------------------- */
56 struct pdkim_stringlist {
62 /* -------------------------------------------------------------------------- */
63 /* A bunch of list constants */
64 const uschar * pdkim_querymethods[] = {
68 const uschar * pdkim_canons[] = {
74 const pdkim_hashtype pdkim_hashes[] = {
75 { US"sha1", HASH_SHA1 },
76 { US"sha256", HASH_SHA2_256 },
77 { US"sha512", HASH_SHA2_512 }
80 const uschar * pdkim_keytypes[] = {
81 [KEYTYPE_RSA] = US"rsa",
82 #ifdef SIGN_HAVE_ED25519
83 [KEYTYPE_ED25519] = US"ed25519", /* Works for 3.6.0 GnuTLS, OpenSSL 1.1.1 */
86 #ifdef notyet_EC_dkim_extensions /* https://tools.ietf.org/html/draft-srose-dkim-ecc-00 */
93 typedef struct pdkim_combined_canon_entry {
97 } pdkim_combined_canon_entry;
99 pdkim_combined_canon_entry pdkim_combined_canons[] = {
100 { US"simple/simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
101 { US"simple/relaxed", PDKIM_CANON_SIMPLE, PDKIM_CANON_RELAXED },
102 { US"relaxed/simple", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
103 { US"relaxed/relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_RELAXED },
104 { US"simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
105 { US"relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
110 static blob lineending = {.data = US"\r\n", .len = 2};
112 /* -------------------------------------------------------------------------- */
114 dkim_sig_to_a_tag(const pdkim_signature * sig)
116 if ( sig->keytype < 0 || sig->keytype > nelem(pdkim_keytypes)
117 || sig->hashtype < 0 || sig->hashtype > nelem(pdkim_hashes))
119 return string_sprintf("%s-%s",
120 pdkim_keytypes[sig->keytype], pdkim_hashes[sig->hashtype].dkim_hashname);
125 pdkim_keyname_to_keytype(const uschar * s)
127 for (int i = 0; i < nelem(pdkim_keytypes); i++)
128 if (Ustrcmp(s, pdkim_keytypes[i]) == 0) return i;
133 pdkim_hashname_to_hashtype(const uschar * s, unsigned len)
135 if (!len) len = Ustrlen(s);
136 for (int i = 0; i < nelem(pdkim_hashes); i++)
137 if (Ustrncmp(s, pdkim_hashes[i].dkim_hashname, len) == 0)
143 pdkim_cstring_to_canons(const uschar * s, unsigned len,
144 int * canon_head, int * canon_body)
146 if (!len) len = Ustrlen(s);
147 for (int i = 0; pdkim_combined_canons[i].str; i++)
148 if ( Ustrncmp(s, pdkim_combined_canons[i].str, len) == 0
149 && len == Ustrlen(pdkim_combined_canons[i].str))
151 *canon_head = pdkim_combined_canons[i].canon_headers;
152 *canon_body = pdkim_combined_canons[i].canon_body;
160 pdkim_verify_status_str(int status)
164 case PDKIM_VERIFY_NONE: return "PDKIM_VERIFY_NONE";
165 case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
166 case PDKIM_VERIFY_FAIL: return "PDKIM_VERIFY_FAIL";
167 case PDKIM_VERIFY_PASS: return "PDKIM_VERIFY_PASS";
168 default: return "PDKIM_VERIFY_UNKNOWN";
173 pdkim_verify_ext_status_str(int ext_status)
177 case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
178 case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
179 case PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH: return "PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH";
180 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
181 case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
182 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
183 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
184 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR";
185 case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION";
186 default: return "PDKIM_VERIFY_UNKNOWN";
191 pdkim_errstr(int status)
195 case PDKIM_OK: return US"OK";
196 case PDKIM_FAIL: return US"FAIL";
197 case PDKIM_ERR_RSA_PRIVKEY: return US"PRIVKEY";
198 case PDKIM_ERR_RSA_SIGNING: return US"SIGNING";
199 case PDKIM_ERR_LONG_LINE: return US"LONG_LINE";
200 case PDKIM_ERR_BUFFER_TOO_SMALL: return US"BUFFER_TOO_SMALL";
201 case PDKIM_ERR_EXCESS_SIGS: return US"EXCESS_SIGS";
202 case PDKIM_SIGN_PRIVKEY_WRAP: return US"PRIVKEY_WRAP";
203 case PDKIM_SIGN_PRIVKEY_B64D: return US"PRIVKEY_B64D";
204 default: return US"(unknown)";
209 /* -------------------------------------------------------------------------- */
210 /* Print debugging functions */
212 pdkim_quoteprint(const uschar *data, int len)
214 for (int i = 0; i < len; i++)
216 const int c = data[i];
219 case ' ' : debug_printf("{SP}"); break;
220 case '\t': debug_printf("{TB}"); break;
221 case '\r': debug_printf("{CR}"); break;
222 case '\n': debug_printf("{LF}"); break;
223 case '{' : debug_printf("{BO}"); break;
224 case '}' : debug_printf("{BC}"); break;
226 if ( (c < 32) || (c > 127) )
227 debug_printf("{%02x}", c);
229 debug_printf("%c", c);
237 pdkim_hexprint(const uschar *data, int len)
239 if (data) for (int i = 0 ; i < len; i++) debug_printf("%02x", data[i]);
240 else debug_printf("<NULL>");
246 static pdkim_stringlist *
247 pdkim_prepend_stringlist(pdkim_stringlist * base, const uschar * str)
249 pdkim_stringlist * new_entry = store_get(sizeof(pdkim_stringlist), FALSE);
251 memset(new_entry, 0, sizeof(pdkim_stringlist));
252 new_entry->value = string_copy(str);
253 if (base) new_entry->next = base;
259 /* Trim whitespace fore & aft */
262 pdkim_strtrim(gstring * str)
267 while (*p == '\t' || *p == ' ') /* dump the leading whitespace */
268 { str->size--; str->ptr--; str->s++; }
271 && ((q = str->s + str->ptr - 1), (*q == '\t' || *q == ' '))
273 str->ptr--; /* dump trailing whitespace */
275 (void) string_from_gstring(str);
280 /* -------------------------------------------------------------------------- */
283 pdkim_free_ctx(pdkim_ctx *ctx)
288 /* -------------------------------------------------------------------------- */
289 /* Matches the name of the passed raw "header" against
290 the passed colon-separated "tick", and invalidates
291 the entry in tick. Entries can be prefixed for multi- or over-signing,
292 in which case do not invalidate.
294 Returns OK for a match, or fail-code
298 header_name_match(const uschar * header, uschar * tick)
300 const uschar * ticklist = tick;
303 uschar * hname, * p, * ele;
304 uschar * hcolon = Ustrchr(header, ':'); /* Get header name */
307 return PDKIM_FAIL; /* This isn't a header */
309 /* if we had strncmpic() we wouldn't need this copy */
310 hname = string_copyn(header, hcolon-header);
312 while (p = US ticklist, ele = string_nextinlist(&ticklist, &sep, NULL, 0))
316 case '=': case '+': multisign = TRUE; ele++; break;
317 default: multisign = FALSE; break;
320 if (strcmpic(ele, hname) == 0)
323 *p = '_'; /* Invalidate this header name instance in tick-off list */
331 /* -------------------------------------------------------------------------- */
332 /* Performs "relaxed" canonicalization of a header. */
335 pdkim_relax_header_n(const uschar * header, int len, BOOL append_crlf)
337 BOOL past_field_name = FALSE;
338 BOOL seen_wsp = FALSE;
339 uschar * relaxed = store_get(len+3, TRUE); /* tainted */
340 uschar * q = relaxed;
342 for (const uschar * p = header; p - header < len; p++)
346 if (c == '\r' || c == '\n') /* Ignore CR & LF */
348 if (c == '\t' || c == ' ')
352 c = ' '; /* Turns WSP into SP */
356 if (!past_field_name && c == ':')
358 if (seen_wsp) q--; /* This removes WSP immediately before the colon */
359 seen_wsp = TRUE; /* This removes WSP immediately after the colon */
360 past_field_name = TRUE;
365 /* Lowercase header name */
366 if (!past_field_name) c = tolower(c);
370 if (q > relaxed && q[-1] == ' ') q--; /* Squash eventual trailing SP */
372 if (append_crlf) { *q++ = '\r'; *q++ = '\n'; }
379 pdkim_relax_header(const uschar * header, BOOL append_crlf)
381 return pdkim_relax_header_n(header, Ustrlen(header), append_crlf);
385 /* -------------------------------------------------------------------------- */
386 #define PDKIM_QP_ERROR_DECODE -1
388 static const uschar *
389 pdkim_decode_qp_char(const uschar *qp_p, int *c)
391 const uschar *initial_pos = qp_p;
393 /* Advance one char */
396 /* Check for two hex digits and decode them */
397 if (isxdigit(*qp_p) && isxdigit(qp_p[1]))
399 /* Do hex conversion */
400 *c = (isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10) << 4;
401 *c |= isdigit(qp_p[1]) ? qp_p[1] - '0' : toupper(qp_p[1]) - 'A' + 10;
405 /* Illegal char here */
406 *c = PDKIM_QP_ERROR_DECODE;
411 /* -------------------------------------------------------------------------- */
414 pdkim_decode_qp(const uschar * str)
418 const uschar * p = str;
419 uschar * n = store_get(Ustrlen(str)+1, TRUE);
427 p = pdkim_decode_qp_char(p, &nchar);
443 /* -------------------------------------------------------------------------- */
446 pdkim_decode_base64(const uschar * str, blob * b)
448 int dlen = b64decode(str, &b->data);
449 if (dlen < 0) b->data = NULL;
454 pdkim_encode_base64(blob * b)
456 return b64encode(CUS b->data, b->len);
460 /* -------------------------------------------------------------------------- */
461 #define PDKIM_HDR_LIMBO 0
462 #define PDKIM_HDR_TAG 1
463 #define PDKIM_HDR_VALUE 2
465 static pdkim_signature *
466 pdkim_parse_sig_header(pdkim_ctx * ctx, uschar * raw_hdr)
468 pdkim_signature * sig;
470 gstring * cur_tag = NULL;
471 gstring * cur_val = NULL;
472 BOOL past_hname = FALSE;
473 BOOL in_b_val = FALSE;
474 int where = PDKIM_HDR_LIMBO;
476 sig = store_get(sizeof(pdkim_signature), FALSE);
477 memset(sig, 0, sizeof(pdkim_signature));
478 sig->bodylength = -1;
480 /* Set so invalid/missing data error display is accurate */
485 q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1, TRUE); /* tainted */
487 for (uschar * p = raw_hdr; ; p++)
492 if (c == '\r' || c == '\n')
495 /* Fast-forward through header name */
498 if (c == ':') past_hname = TRUE;
502 if (where == PDKIM_HDR_LIMBO)
504 /* In limbo, just wait for a tag-char to appear */
505 if (!(c >= 'a' && c <= 'z'))
508 where = PDKIM_HDR_TAG;
511 if (where == PDKIM_HDR_TAG)
513 if (c >= 'a' && c <= 'z')
514 cur_tag = string_catn(cur_tag, p, 1);
518 if (Ustrcmp(string_from_gstring(cur_tag), "b") == 0)
523 where = PDKIM_HDR_VALUE;
528 if (where == PDKIM_HDR_VALUE)
530 if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
533 if (c == ';' || c == '\0')
535 /* We must have both tag and value, and tags must be one char except
536 for the possibility of "bh". */
538 if ( cur_tag && cur_val
539 && (cur_tag->ptr == 1 || *cur_tag->s == 'b')
542 (void) string_from_gstring(cur_val);
543 pdkim_strtrim(cur_val);
545 DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->s, cur_val->s);
549 case 'b': /* sig-data or body-hash */
550 switch (cur_tag->s[1])
552 case '\0': pdkim_decode_base64(cur_val->s, &sig->sighash); break;
553 case 'h': if (cur_tag->ptr == 2)
554 pdkim_decode_base64(cur_val->s, &sig->bodyhash);
559 case 'v': /* version */
560 /* We only support version 1, and that is currently the
561 only version there is. */
563 Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
565 case 'a': /* algorithm */
567 const uschar * list = cur_val->s;
571 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
572 sig->keytype = pdkim_keyname_to_keytype(elem);
573 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
574 for (int i = 0; i < nelem(pdkim_hashes); i++)
575 if (Ustrcmp(elem, pdkim_hashes[i].dkim_hashname) == 0)
576 { sig->hashtype = i; break; }
579 case 'c': /* canonicalization */
580 pdkim_cstring_to_canons(cur_val->s, 0,
581 &sig->canon_headers, &sig->canon_body);
583 case 'q': /* Query method (for pubkey)*/
584 for (int i = 0; pdkim_querymethods[i]; i++)
585 if (Ustrcmp(cur_val->s, pdkim_querymethods[i]) == 0)
587 sig->querymethod = i; /* we never actually use this */
591 case 's': /* Selector */
592 sig->selector = string_copyn(cur_val->s, cur_val->ptr); break;
594 sig->domain = string_copyn(cur_val->s, cur_val->ptr); break;
596 sig->identity = pdkim_decode_qp(cur_val->s); break;
597 case 't': /* Timestamp */
598 sig->created = strtoul(CS cur_val->s, NULL, 10); break;
599 case 'x': /* Expiration */
600 sig->expires = strtoul(CS cur_val->s, NULL, 10); break;
601 case 'l': /* Body length count */
602 sig->bodylength = strtol(CS cur_val->s, NULL, 10); break;
603 case 'h': /* signed header fields */
604 sig->headernames = string_copyn(cur_val->s, cur_val->ptr); break;
605 case 'z': /* Copied headfields */
606 sig->copiedheaders = pdkim_decode_qp(cur_val->s); break;
607 /*XXX draft-ietf-dcrup-dkim-crypto-05 would need 'p' tag support
608 for rsafp signatures. But later discussion is dropping those. */
610 DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
614 cur_tag = cur_val = NULL;
616 where = PDKIM_HDR_LIMBO;
619 cur_val = string_catn(cur_val, p, 1);
630 if (sig->keytype < 0 || sig->hashtype < 0) /* Cannot verify this signature */
634 /* Chomp raw header. The final newline must not be added to the signature. */
635 while (--q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n'))
641 "DKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
642 pdkim_quoteprint(US sig->rawsig_no_b_val, Ustrlen(sig->rawsig_no_b_val));
644 "DKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8);
646 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
649 if (!pdkim_set_sig_bodyhash(ctx, sig))
656 /* -------------------------------------------------------------------------- */
659 pdkim_parse_pubkey_record(const uschar *raw_record)
665 pub = store_get(sizeof(pdkim_pubkey), TRUE); /* tainted */
666 memset(pub, 0, sizeof(pdkim_pubkey));
668 while ((ele = string_nextinlist(&raw_record, &sep, NULL, 0)))
672 if ((val = Ustrchr(ele, '=')))
674 int taglen = val++ - ele;
676 DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, ele, val);
679 case 'v': pub->version = val; break;
680 case 'h': pub->hashes = val; break;
681 case 'k': pub->keytype = val; break;
682 case 'g': pub->granularity = val; break;
683 case 'n': pub->notes = pdkim_decode_qp(val); break;
684 case 'p': pdkim_decode_base64(val, &pub->key); break;
685 case 's': pub->srvtype = val; break;
686 case 't': if (Ustrchr(val, 'y')) pub->testing = 1;
687 if (Ustrchr(val, 's')) pub->no_subdomaining = 1;
689 default: DEBUG(D_acl) debug_printf(" Unknown tag encountered\n"); break;
694 /* Set fallback defaults */
696 pub->version = string_copy(PDKIM_PUB_RECORD_VERSION);
697 else if (Ustrcmp(pub->version, PDKIM_PUB_RECORD_VERSION) != 0)
699 DEBUG(D_acl) debug_printf(" Bad v= field\n");
703 if (!pub->granularity) pub->granularity = US"*";
704 if (!pub->keytype ) pub->keytype = US"rsa";
705 if (!pub->srvtype ) pub->srvtype = US"*";
711 DEBUG(D_acl) debug_printf(" Missing p= field\n");
716 /* -------------------------------------------------------------------------- */
718 /* Update one bodyhash with some additional data.
719 If we have to relax the data for this sig, return our copy of it. */
722 pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, blob * orig_data, blob * relaxed_data)
724 blob * canon_data = orig_data;
725 /* Defaults to simple canon (no further treatment necessary) */
727 if (b->canon_method == PDKIM_CANON_RELAXED)
729 /* Relax the line if not done already */
732 BOOL seen_wsp = FALSE;
735 /* We want to be able to free this else we allocate
736 for the entire message which could be many MB. Since
737 we don't know what allocations the SHA routines might
738 do, not safe to use store_get()/store_reset(). */
740 relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
741 relaxed_data->data = US (relaxed_data+1);
743 for (const uschar * p = orig_data->data, * r = p + orig_data->len; p < r; p++)
748 if (q > 0 && relaxed_data->data[q-1] == ' ')
751 else if (c == '\t' || c == ' ')
753 c = ' '; /* Turns WSP into SP */
760 relaxed_data->data[q++] = c;
762 relaxed_data->data[q] = '\0';
763 relaxed_data->len = q;
765 canon_data = relaxed_data;
768 /* Make sure we don't exceed the to-be-signed body length */
769 if ( b->bodylength >= 0
770 && b->signed_body_bytes + (unsigned long)canon_data->len > b->bodylength
772 canon_data->len = b->bodylength - b->signed_body_bytes;
774 if (canon_data->len > 0)
776 exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, canon_data->len);
777 b->signed_body_bytes += canon_data->len;
778 DEBUG(D_acl) pdkim_quoteprint(canon_data->data, canon_data->len);
785 /* -------------------------------------------------------------------------- */
788 pdkim_finish_bodyhash(pdkim_ctx * ctx)
790 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next) /* Finish hashes */
792 DEBUG(D_acl) debug_printf("DKIM: finish bodyhash %d/%d/%ld len %ld\n",
793 b->hashtype, b->canon_method, b->bodylength, b->signed_body_bytes);
794 exim_sha_finish(&b->body_hash_ctx, &b->bh);
797 /* Traverse all signatures */
798 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
800 pdkim_bodyhash * b = sig->calc_body_hash;
804 debug_printf("DKIM [%s] Body bytes (%s) hashed: %lu\n"
805 "DKIM [%s] Body %s computed: ",
806 sig->domain, pdkim_canons[b->canon_method], b->signed_body_bytes,
807 sig->domain, pdkim_hashes[b->hashtype].dkim_hashname);
808 pdkim_hexprint(CUS b->bh.data, b->bh.len);
811 /* SIGNING -------------------------------------------------------------- */
812 if (ctx->flags & PDKIM_MODE_SIGN)
814 /* If bodylength limit is set, and we have received less bytes
815 than the requested amount, effectively remove the limit tag. */
816 if (b->signed_body_bytes < sig->bodylength)
817 sig->bodylength = -1;
821 /* VERIFICATION --------------------------------------------------------- */
822 /* Be careful that the header sig included a bodyash */
824 if ( sig->bodyhash.data
825 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
827 DEBUG(D_acl) debug_printf("DKIM [%s] Body hash compared OK\n", sig->domain);
833 debug_printf("DKIM [%s] Body hash signature from headers: ", sig->domain);
834 pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len);
835 debug_printf("DKIM [%s] Body hash did NOT verify\n", sig->domain);
837 sig->verify_status = PDKIM_VERIFY_FAIL;
838 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
846 pdkim_body_complete(pdkim_ctx * ctx)
848 /* In simple body mode, if any empty lines were buffered,
849 replace with one. rfc 4871 3.4.3 */
850 /*XXX checking the signed-body-bytes is a gross hack; I think
851 it indicates that all linebreaks should be buffered, including
852 the one terminating a text line */
854 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
855 if ( b->canon_method == PDKIM_CANON_SIMPLE
856 && b->signed_body_bytes == 0
857 && b->num_buffered_blanklines > 0
859 (void) pdkim_update_ctx_bodyhash(b, &lineending, NULL);
861 ctx->flags |= PDKIM_SEEN_EOD;
862 ctx->linebuf_offset = 0;
867 /* -------------------------------------------------------------------------- */
868 /* Call from pdkim_feed below for processing complete body lines */
869 /* NOTE: the line is not NUL-terminated; but we have a count */
872 pdkim_bodyline_complete(pdkim_ctx * ctx)
874 blob line = {.data = ctx->linebuf, .len = ctx->linebuf_offset};
878 /* Ignore extra data if we've seen the end-of-data marker */
879 if (ctx->flags & PDKIM_SEEN_EOD) goto all_skip;
881 /* We've always got one extra byte to stuff a zero ... */
882 ctx->linebuf[line.len] = '\0';
884 /* Terminate on EOD marker */
885 if (ctx->flags & PDKIM_DOT_TERM)
887 if (memcmp(line.data, ".\r\n", 3) == 0)
888 { pdkim_body_complete(ctx); return; }
891 if (memcmp(line.data, "..", 2) == 0)
892 { line.data++; line.len--; }
895 /* Empty lines need to be buffered until we find a non-empty line */
896 if (memcmp(line.data, "\r\n", 2) == 0)
898 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
899 b->num_buffered_blanklines++;
903 /* Process line for each bodyhash separately */
904 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
906 if (b->canon_method == PDKIM_CANON_RELAXED)
908 /* Lines with just spaces need to be buffered too */
909 uschar * cp = line.data;
914 if (c == '\r' && cp[1] == '\n') break;
915 if (c != ' ' && c != '\t') goto hash_process;
919 b->num_buffered_blanklines++;
924 /* At this point, we have a non-empty line, so release the buffered ones. */
926 while (b->num_buffered_blanklines)
928 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
929 b->num_buffered_blanklines--;
932 rline = pdkim_update_ctx_bodyhash(b, &line, rline);
936 if (rnl) store_free(rnl);
937 if (rline) store_free(rline);
941 ctx->linebuf_offset = 0;
946 /* -------------------------------------------------------------------------- */
947 /* Callback from pdkim_feed below for processing complete headers */
948 #define DKIM_SIGNATURE_HEADERNAME "DKIM-Signature:"
951 pdkim_header_complete(pdkim_ctx * ctx)
953 if ( (ctx->cur_header->ptr > 1) &&
954 (ctx->cur_header->s[ctx->cur_header->ptr-1] == '\r') )
955 --ctx->cur_header->ptr;
956 (void) string_from_gstring(ctx->cur_header);
958 #ifdef EXPERIMENTAL_ARC
959 /* Feed the header line to ARC processing */
960 (void) arc_header_feed(ctx->cur_header, !(ctx->flags & PDKIM_MODE_SIGN));
963 if (++ctx->num_headers > PDKIM_MAX_HEADERS) goto BAIL;
965 /* SIGNING -------------------------------------------------------------- */
966 if (ctx->flags & PDKIM_MODE_SIGN)
967 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) /* Traverse all signatures */
969 /* Add header to the signed headers list (in reverse order) */
970 sig->headers = pdkim_prepend_stringlist(sig->headers, ctx->cur_header->s);
972 /* VERIFICATION ----------------------------------------------------------- */
973 /* DKIM-Signature: headers are added to the verification list */
979 debug_printf("DKIM >> raw hdr: ");
980 pdkim_quoteprint(CUS ctx->cur_header->s, ctx->cur_header->ptr);
983 if (strncasecmp(CCS ctx->cur_header->s,
984 DKIM_SIGNATURE_HEADERNAME,
985 Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
987 pdkim_signature * sig, * last_sig;
988 /* Create and chain new signature block. We could error-check for all
989 required tags here, but prefer to create the internal sig and expicitly
990 fail verification of it later. */
992 DEBUG(D_acl) debug_printf(
993 "DKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
995 sig = pdkim_parse_sig_header(ctx, ctx->cur_header->s);
997 if (!(last_sig = ctx->sig))
1001 while (last_sig->next) last_sig = last_sig->next;
1002 last_sig->next = sig;
1005 if (--dkim_collect_input == 0)
1007 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
1008 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
1009 return PDKIM_ERR_EXCESS_SIGS;
1013 /* all headers are stored for signature verification */
1014 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
1018 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0'; /* leave buffer for reuse */
1024 /* -------------------------------------------------------------------------- */
1025 #define HEADER_BUFFER_FRAG_SIZE 256
1028 pdkim_feed(pdkim_ctx * ctx, uschar * data, int len)
1030 /* Alternate EOD signal, used in non-dotstuffing mode */
1032 pdkim_body_complete(ctx);
1034 else for (int p = 0; p < len; p++)
1039 if (ctx->flags & PDKIM_PAST_HDRS)
1041 if (c == '\n' && !(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1043 ctx->linebuf[ctx->linebuf_offset++] = '\r';
1044 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1045 return PDKIM_ERR_LONG_LINE;
1048 /* Processing body byte */
1049 ctx->linebuf[ctx->linebuf_offset++] = c;
1051 ctx->flags |= PDKIM_SEEN_CR;
1054 ctx->flags &= ~PDKIM_SEEN_CR;
1055 pdkim_bodyline_complete(ctx);
1058 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1059 return PDKIM_ERR_LONG_LINE;
1063 /* Processing header byte */
1065 ctx->flags |= PDKIM_SEEN_CR;
1068 if (!(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1069 ctx->cur_header = string_catn(ctx->cur_header, CUS "\r", 1);
1071 if (ctx->flags & PDKIM_SEEN_LF) /* Seen last header line */
1073 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1076 ctx->flags = (ctx->flags & ~(PDKIM_SEEN_LF|PDKIM_SEEN_CR)) | PDKIM_PAST_HDRS;
1077 DEBUG(D_acl) debug_printf(
1078 "DKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1082 ctx->flags = (ctx->flags & ~PDKIM_SEEN_CR) | PDKIM_SEEN_LF;
1084 else if (ctx->flags & PDKIM_SEEN_LF)
1086 if (!(c == '\t' || c == ' ')) /* End of header */
1087 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1089 ctx->flags &= ~PDKIM_SEEN_LF;
1092 if (!ctx->cur_header || ctx->cur_header->ptr < PDKIM_MAX_HEADER_LEN)
1093 ctx->cur_header = string_catn(ctx->cur_header, CUS &data[p], 1);
1101 /* Extend a growing header with a continuation-linebreak */
1103 pdkim_hdr_cont(gstring * str, int * col)
1106 return string_catn(str, US"\r\n\t", 3);
1112 * RFC 5322 specifies that header line length SHOULD be no more than 78
1116 * returns uschar * (not nul-terminated)
1118 * col: this int holds and receives column number (octets since last '\n')
1119 * str: partial string to append to
1120 * pad: padding, split line or space after before or after eg: ";"
1121 * intro: - must join to payload eg "h=", usually the tag name
1122 * payload: eg base64 data - long data can be split arbitrarily.
1124 * this code doesn't fold the header in some of the places that RFC4871
1125 * allows: As per RFC5322(2.2.3) it only folds before or after tag-value
1126 * pairs and inside long values. it also always spaces or breaks after the
1129 * no guarantees are made for output given out-of range input. like tag
1130 * names longer than 78, or bogus col. Input is assumed to be free of line breaks.
1134 pdkim_headcat(int * col, gstring * str,
1135 const uschar * pad, const uschar * intro, const uschar * payload)
1143 str = pdkim_hdr_cont(str, col);
1144 str = string_catn(str, pad, l);
1148 l = (pad?1:0) + (intro?Ustrlen(intro):0);
1151 { /*can't fit intro - start a new line to make room.*/
1152 str = pdkim_hdr_cont(str, col);
1153 l = intro?Ustrlen(intro):0;
1156 l += payload ? Ustrlen(payload):0 ;
1159 { /* this fragment will not fit on a single line */
1162 str = string_catn(str, US" ", 1);
1164 pad = NULL; /* only want this once */
1170 size_t sl = Ustrlen(intro);
1172 str = string_catn(str, intro, sl);
1175 intro = NULL; /* only want this once */
1180 size_t sl = Ustrlen(payload);
1181 size_t chomp = *col+sl < 77 ? sl : 78-*col;
1183 str = string_catn(str, payload, chomp);
1189 /* the while precondition tells us it didn't fit. */
1190 str = pdkim_hdr_cont(str, col);
1195 str = pdkim_hdr_cont(str, col);
1201 str = string_catn(str, US" ", 1);
1208 size_t sl = Ustrlen(intro);
1210 str = string_catn(str, intro, sl);
1218 size_t sl = Ustrlen(payload);
1220 str = string_catn(str, payload, sl);
1228 /* -------------------------------------------------------------------------- */
1230 /* Signing: create signature header
1233 pdkim_create_header(pdkim_signature * sig, BOOL final)
1239 gstring * canon_all;
1241 canon_all = string_cat (NULL, pdkim_canons[sig->canon_headers]);
1242 canon_all = string_catn(canon_all, US"/", 1);
1243 canon_all = string_cat (canon_all, pdkim_canons[sig->canon_body]);
1244 (void) string_from_gstring(canon_all);
1246 hdr = string_cat(NULL, US"DKIM-Signature: v="PDKIM_SIGNATURE_VERSION);
1249 /* Required and static bits */
1250 hdr = pdkim_headcat(&col, hdr, US";", US"a=", dkim_sig_to_a_tag(sig));
1251 hdr = pdkim_headcat(&col, hdr, US";", US"q=", pdkim_querymethods[sig->querymethod]);
1252 hdr = pdkim_headcat(&col, hdr, US";", US"c=", canon_all->s);
1253 hdr = pdkim_headcat(&col, hdr, US";", US"d=", sig->domain);
1254 hdr = pdkim_headcat(&col, hdr, US";", US"s=", sig->selector);
1256 /* list of header names can be split between items. */
1258 uschar * n = string_copy(sig->headernames);
1259 uschar * i = US"h=";
1264 uschar * c = Ustrchr(n, ':');
1269 hdr = pdkim_headcat(&col, hdr, NULL, NULL, US":");
1271 hdr = pdkim_headcat(&col, hdr, s, i, n);
1282 base64_bh = pdkim_encode_base64(&sig->calc_body_hash->bh);
1283 hdr = pdkim_headcat(&col, hdr, US";", US"bh=", base64_bh);
1287 hdr = pdkim_headcat(&col, hdr, US";", US"i=", sig->identity);
1289 if (sig->created > 0)
1293 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->created);
1294 hdr = pdkim_headcat(&col, hdr, US";", US"t=", minibuf);
1297 if (sig->expires > 0)
1301 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->expires);
1302 hdr = pdkim_headcat(&col, hdr, US";", US"x=", minibuf);
1305 if (sig->bodylength >= 0)
1309 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->bodylength);
1310 hdr = pdkim_headcat(&col, hdr, US";", US"l=", minibuf);
1313 /* Preliminary or final version? */
1316 base64_b = pdkim_encode_base64(&sig->sighash);
1317 hdr = pdkim_headcat(&col, hdr, US";", US"b=", base64_b);
1319 /* add trailing semicolon: I'm not sure if this is actually needed */
1320 hdr = pdkim_headcat(&col, hdr, NULL, US";", US"");
1324 /* To satisfy the rule "all surrounding whitespace [...] deleted"
1325 ( RFC 6376 section 3.7 ) we ensure there is no whitespace here. Otherwise
1326 the headcat routine could insert a linebreak which the relaxer would reduce
1327 to a single space preceding the terminating semicolon, resulting in an
1328 incorrect header-hash. */
1329 hdr = pdkim_headcat(&col, hdr, US";", US"b=;", US"");
1332 return string_from_gstring(hdr);
1336 /* -------------------------------------------------------------------------- */
1338 /* According to draft-ietf-dcrup-dkim-crypto-07 "keys are 256 bits" (referring
1339 to DNS, hence the pubkey). Check for more than 32 bytes; if so assume the
1340 alternate possible representation (still) being discussed: a
1341 SubjectPublickeyInfo wrapped key - and drop all but the trailing 32-bytes (it
1342 should be a DER, with exactly 12 leading bytes - but we could accept a BER also,
1343 which could be any size). We still rely on the crypto library for checking for
1346 When the RFC is published this should be re-addressed. */
1349 check_bare_ed25519_pubkey(pdkim_pubkey * p)
1351 int excess = p->key.len - 32;
1354 DEBUG(D_acl) debug_printf("DKIM: unexpected pubkey len %lu\n", p->key.len);
1355 p->key.data += excess; p->key.len = 32;
1360 static pdkim_pubkey *
1361 pdkim_key_from_dns(pdkim_ctx * ctx, pdkim_signature * sig, ev_ctx * vctx,
1362 const uschar ** errstr)
1364 uschar * dns_txt_name, * dns_txt_reply;
1367 /* Fetch public key for signing domain, from DNS */
1369 dns_txt_name = string_sprintf("%s._domainkey.%s.", sig->selector, sig->domain);
1371 if ( !(dns_txt_reply = ctx->dns_txt_callback(dns_txt_name))
1372 || dns_txt_reply[0] == '\0'
1375 sig->verify_status = PDKIM_VERIFY_INVALID;
1376 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
1383 "DKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
1387 pdkim_quoteprint(CUS dns_txt_reply, Ustrlen(dns_txt_reply));
1390 if ( !(p = pdkim_parse_pubkey_record(CUS dns_txt_reply))
1391 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
1394 sig->verify_status = PDKIM_VERIFY_INVALID;
1395 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
1400 debug_printf(" Invalid public key service type '%s'\n", p->srvtype);
1402 debug_printf(" Error while parsing public key record\n");
1404 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1409 DEBUG(D_acl) debug_printf(
1410 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1412 /* Import public key */
1414 /* Normally we use the signature a= tag to tell us the pubkey format.
1415 When signing under debug we do a test-import of the pubkey, and at that
1416 time we do not have a signature so we must interpret the pubkey k= tag
1417 instead. Assume writing on the sig is ok in that case. */
1419 if (sig->keytype < 0)
1420 if ((sig->keytype = pdkim_keyname_to_keytype(p->keytype)) < 0)
1422 DEBUG(D_acl) debug_printf("verify_init: unhandled keytype %s\n", p->keytype);
1423 sig->verify_status = PDKIM_VERIFY_INVALID;
1424 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1428 if (sig->keytype == KEYTYPE_ED25519)
1429 check_bare_ed25519_pubkey(p);
1431 if ((*errstr = exim_dkim_verify_init(&p->key,
1432 sig->keytype == KEYTYPE_ED25519 ? KEYFMT_ED25519_BARE : KEYFMT_DER,
1435 DEBUG(D_acl) debug_printf("verify_init: %s\n", *errstr);
1436 sig->verify_status = PDKIM_VERIFY_INVALID;
1437 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1441 vctx->keytype = sig->keytype;
1446 /* -------------------------------------------------------------------------- */
1447 /* Sort and filter the sigs developed from the message */
1449 static pdkim_signature *
1450 sort_sig_methods(pdkim_signature * siglist)
1452 pdkim_signature * yield, ** ss;
1453 const uschar * prefs;
1457 if (!siglist) return NULL;
1459 /* first select in order of hashtypes */
1460 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_hashes '%s'\n", dkim_verify_hashes);
1461 for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield;
1462 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1464 int i = pdkim_hashname_to_hashtype(CUS ele, 0);
1465 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1469 if (s->hashtype == i)
1470 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1476 /* then in order of keytypes */
1478 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes);
1479 for (prefs = dkim_verify_keytypes, sep = 0, yield = NULL, ss = &yield;
1480 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1482 int i = pdkim_keyname_to_keytype(CUS ele);
1483 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1487 if (s->keytype == i)
1488 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1494 DEBUG(D_acl) for (pdkim_signature * s = yield; s; s = s->next)
1495 debug_printf(" retain d=%s s=%s a=%s\n",
1496 s->domain, s->selector, dkim_sig_to_a_tag(s));
1501 /* -------------------------------------------------------------------------- */
1504 pdkim_feed_finish(pdkim_ctx * ctx, pdkim_signature ** return_signatures,
1505 const uschar ** err)
1507 BOOL verify_pass = FALSE;
1509 /* Check if we must still flush a (partial) header. If that is the
1510 case, the message has no body, and we must compute a body hash
1511 out of '<CR><LF>' */
1512 if (ctx->cur_header && ctx->cur_header->ptr > 0)
1517 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1520 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
1521 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
1522 if (rnl) store_free(rnl);
1525 DEBUG(D_acl) debug_printf(
1526 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1528 /* Build (and/or evaluate) body hash. Do this even if no DKIM sigs, in case we
1529 have a hash to do for ARC. */
1531 pdkim_finish_bodyhash(ctx);
1533 /* Sort and filter the recived signatures */
1535 if (!(ctx->flags & PDKIM_MODE_SIGN))
1536 ctx->sig = sort_sig_methods(ctx->sig);
1540 DEBUG(D_acl) debug_printf("DKIM: no signatures\n");
1541 *return_signatures = NULL;
1545 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
1548 uschar * sig_hdr = US"";
1550 gstring * hdata = NULL;
1553 if ( !(ctx->flags & PDKIM_MODE_SIGN)
1554 && sig->verify_status == PDKIM_VERIFY_FAIL)
1557 debug_printf("DKIM: [%s] abandoning this signature\n", sig->domain);
1561 /*XXX The hash of the headers is needed for GCrypt (for which we can do RSA
1562 signing only, as it happens) and for either GnuTLS and OpenSSL when we are
1563 signing with EC (specifically, Ed25519). The former is because the GCrypt
1564 signing operation is pure (does not do its own hash) so we must hash. The
1565 latter is because we (stupidly, but this is what the IETF draft is saying)
1566 must hash with the declared hash method, then pass the result to the library
1567 hash-and-sign routine (because that's all the libraries are providing. And
1568 we're stuck with whatever that hidden hash method is, too). We may as well
1569 do this hash incrementally.
1570 We don't need the hash we're calculating here for the GnuTLS and OpenSSL
1571 cases of RSA signing, since those library routines can do hash-and-sign.
1573 Some time in the future we could easily avoid doing the hash here for those
1574 cases (which will be common for a long while. We could also change from
1575 the current copy-all-the-headers-into-one-block, then call the hash-and-sign
1576 implementation - to a proper incremental one. Unfortunately, GnuTLS just
1577 cannot do incremental - either signing or verification. Unsure about GCrypt.
1580 /*XXX The header hash is also used (so far) by the verify operation */
1582 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod))
1584 log_write(0, LOG_MAIN|LOG_PANIC,
1585 "DKIM: hash setup error, possibly nonhandled hashtype");
1589 if (ctx->flags & PDKIM_MODE_SIGN)
1590 DEBUG(D_acl) debug_printf(
1591 "DKIM >> Headers to be signed: >>>>>>>>>>>>\n"
1595 DEBUG(D_acl) debug_printf(
1596 "DKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n",
1597 pdkim_canons[sig->canon_headers]);
1600 /* SIGNING ---------------------------------------------------------------- */
1601 /* When signing, walk through our header list and add them to the hash. As we
1602 go, construct a list of the header's names to use for the h= parameter.
1603 Then append to that list any remaining header names for which there was no
1606 if (ctx->flags & PDKIM_MODE_SIGN)
1613 /* Import private key, including the keytype which we need for building
1614 the signature header */
1616 if ((*err = exim_dkim_signing_init(CUS sig->privkey, &sctx)))
1618 log_write(0, LOG_MAIN|LOG_PANIC, "signing_init: %s", *err);
1619 return PDKIM_ERR_RSA_PRIVKEY;
1621 sig->keytype = sctx.keytype;
1623 sig->headernames = NULL; /* Collected signed header names */
1624 for (pdkim_stringlist * p = sig->headers; p; p = p->next)
1626 uschar * rh = p->value;
1628 if (header_name_match(rh, sig->sign_headers) == PDKIM_OK)
1630 /* Collect header names (Note: colon presence is guaranteed here) */
1631 g = string_append_listele_n(g, ':', rh, Ustrchr(rh, ':') - rh);
1633 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1634 rh = pdkim_relax_header(rh, TRUE); /* cook header for relaxed canon */
1636 /* Feed header to the hash algorithm */
1637 exim_sha_update(&hhash_ctx, CUS rh, Ustrlen(rh));
1639 /* Remember headers block for signing (when the library cannot do incremental) */
1640 /*XXX we could avoid doing this for all but the GnuTLS/RSA case */
1641 hdata = exim_dkim_data_append(hdata, rh);
1643 DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
1647 /* Any headers we wanted to sign but were not present must also be listed.
1648 Ignore elements that have been ticked-off or are marked as never-oversign. */
1650 l = sig->sign_headers;
1651 while((s = string_nextinlist(&l, &sep, NULL, 0)))
1653 if (*s == '+') /* skip oversigning marker */
1655 if (*s != '_' && *s != '=')
1656 g = string_append_listele(g, ':', s);
1658 sig->headernames = string_from_gstring(g);
1660 /* Create signature header with b= omitted */
1661 sig_hdr = pdkim_create_header(sig, FALSE);
1664 /* VERIFICATION ----------------------------------------------------------- */
1665 /* When verifying, walk through the header name list in the h= parameter and
1666 add the headers to the hash in that order. */
1669 uschar * p = sig->headernames;
1675 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1681 if ((q = Ustrchr(p, ':')))
1684 /*XXX walk the list of headers in same order as received. */
1685 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1687 && strncasecmp(CCS hdrs->value, CCS p, Ustrlen(p)) == 0
1688 && (hdrs->value)[Ustrlen(p)] == ':'
1691 /* cook header for relaxed canon, or just copy it for simple */
1693 uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
1694 ? pdkim_relax_header(hdrs->value, TRUE)
1695 : string_copy(CUS hdrs->value);
1697 /* Feed header to the hash algorithm */
1698 exim_sha_update(&hhash_ctx, CUS rh, Ustrlen(rh));
1700 DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
1709 sig_hdr = string_copy(sig->rawsig_no_b_val);
1713 DEBUG(D_acl) debug_printf(
1714 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1719 "DKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n");
1720 pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
1722 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1725 /* Relax header if necessary */
1726 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1727 sig_hdr = pdkim_relax_header(sig_hdr, FALSE);
1731 debug_printf("DKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n",
1732 pdkim_canons[sig->canon_headers]);
1733 pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
1735 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1738 /* Finalize header hash */
1739 exim_sha_update(&hhash_ctx, CUS sig_hdr, Ustrlen(sig_hdr));
1740 exim_sha_finish(&hhash_ctx, &hhash);
1744 debug_printf("DKIM [%s] Header %s computed: ",
1745 sig->domain, pdkim_hashes[sig->hashtype].dkim_hashname);
1746 pdkim_hexprint(hhash.data, hhash.len);
1749 /* Remember headers block for signing (when the signing library cannot do
1751 if (ctx->flags & PDKIM_MODE_SIGN)
1752 hdata = exim_dkim_data_append(hdata, US sig_hdr);
1754 /* SIGNING ---------------------------------------------------------------- */
1755 if (ctx->flags & PDKIM_MODE_SIGN)
1757 hashmethod hm = sig->keytype == KEYTYPE_ED25519
1758 #if defined(SIGN_OPENSSL)
1763 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1765 #ifdef SIGN_HAVE_ED25519
1766 /* For GCrypt, and for EC, we pass the hash-of-headers to the signing
1767 routine. For anything else we just pass the headers. */
1769 if (sig->keytype != KEYTYPE_ED25519)
1772 hhash.data = hdata->s;
1773 hhash.len = hdata->ptr;
1776 if ((*err = exim_dkim_sign(&sctx, hm, &hhash, &sig->sighash)))
1778 log_write(0, LOG_MAIN|LOG_PANIC, "signing: %s", *err);
1779 return PDKIM_ERR_RSA_SIGNING;
1784 debug_printf( "DKIM [%s] b computed: ", sig->domain);
1785 pdkim_hexprint(sig->sighash.data, sig->sighash.len);
1788 sig->signature_header = pdkim_create_header(sig, TRUE);
1791 /* VERIFICATION ----------------------------------------------------------- */
1797 /* Make sure we have all required signature tags */
1798 if (!( sig->domain && *sig->domain
1799 && sig->selector && *sig->selector
1800 && sig->headernames && *sig->headernames
1801 && sig->bodyhash.data
1802 && sig->sighash.data
1803 && sig->keytype >= 0
1804 && sig->hashtype >= 0
1808 sig->verify_status = PDKIM_VERIFY_INVALID;
1809 sig->verify_ext_status = PDKIM_VERIFY_INVALID_SIGNATURE_ERROR;
1811 DEBUG(D_acl) debug_printf(
1812 " Error in DKIM-Signature header: tags missing or invalid (%s)\n"
1813 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n",
1814 !(sig->domain && *sig->domain) ? "d="
1815 : !(sig->selector && *sig->selector) ? "s="
1816 : !(sig->headernames && *sig->headernames) ? "h="
1817 : !sig->bodyhash.data ? "bh="
1818 : !sig->sighash.data ? "b="
1819 : sig->keytype < 0 || sig->hashtype < 0 ? "a="
1825 /* Make sure sig uses supported DKIM version (only v1) */
1826 if (sig->version != 1)
1828 sig->verify_status = PDKIM_VERIFY_INVALID;
1829 sig->verify_ext_status = PDKIM_VERIFY_INVALID_DKIM_VERSION;
1831 DEBUG(D_acl) debug_printf(
1832 " Error in DKIM-Signature header: unsupported DKIM version\n"
1833 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1839 debug_printf( "DKIM [%s] b from mail: ", sig->domain);
1840 pdkim_hexprint(sig->sighash.data, sig->sighash.len);
1843 if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx, err)))
1845 log_write(0, LOG_MAIN, "DKIM: %s%s %s%s [failed key import]",
1846 sig->domain ? "d=" : "", sig->domain ? sig->domain : US"",
1847 sig->selector ? "s=" : "", sig->selector ? sig->selector : US"");
1851 /* If the pubkey limits to a list of specific hashes, ignore sigs that
1852 do not have the hash part of the sig algorithm matching */
1854 if (sig->pubkey->hashes)
1856 const uschar * list = sig->pubkey->hashes, * ele;
1858 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
1859 if (Ustrcmp(ele, pdkim_hashes[sig->hashtype].dkim_hashname) == 0) break;
1862 DEBUG(D_acl) debug_printf("pubkey h=%s vs. sig a=%s_%s\n",
1863 sig->pubkey->hashes,
1864 pdkim_keytypes[sig->keytype],
1865 pdkim_hashes[sig->hashtype].dkim_hashname);
1866 sig->verify_status = PDKIM_VERIFY_FAIL;
1867 sig->verify_ext_status = PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH;
1872 hm = sig->keytype == KEYTYPE_ED25519
1873 #if defined(SIGN_OPENSSL)
1878 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1880 /* Check the signature */
1882 if ((*err = exim_dkim_verify(&vctx, hm, &hhash, &sig->sighash)))
1884 DEBUG(D_acl) debug_printf("headers verify: %s\n", *err);
1885 sig->verify_status = PDKIM_VERIFY_FAIL;
1886 sig->verify_ext_status = PDKIM_VERIFY_FAIL_MESSAGE;
1891 /* We have a winner! (if bodyhash was correct earlier) */
1892 if (sig->verify_status == PDKIM_VERIFY_NONE)
1894 sig->verify_status = PDKIM_VERIFY_PASS;
1896 if (dkim_verify_minimal) break;
1903 debug_printf("DKIM [%s] %s signature status: %s",
1904 sig->domain, dkim_sig_to_a_tag(sig),
1905 pdkim_verify_status_str(sig->verify_status));
1906 if (sig->verify_ext_status > 0)
1907 debug_printf(" (%s)\n",
1908 pdkim_verify_ext_status_str(sig->verify_ext_status));
1915 /* If requested, set return pointer to signature(s) */
1916 if (return_signatures)
1917 *return_signatures = ctx->sig;
1919 return ctx->flags & PDKIM_MODE_SIGN || verify_pass
1920 ? PDKIM_OK : PDKIM_FAIL;
1924 /* -------------------------------------------------------------------------- */
1926 DLLEXPORT pdkim_ctx *
1927 pdkim_init_verify(uschar * (*dns_txt_callback)(const uschar *), BOOL dot_stuffing)
1931 ctx = store_get(sizeof(pdkim_ctx), FALSE);
1932 memset(ctx, 0, sizeof(pdkim_ctx));
1934 if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM;
1935 /* The line-buffer is for message data, hence tainted */
1936 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, TRUE);
1937 ctx->dns_txt_callback = dns_txt_callback;
1943 /* -------------------------------------------------------------------------- */
1945 DLLEXPORT pdkim_signature *
1946 pdkim_init_sign(pdkim_ctx * ctx,
1947 uschar * domain, uschar * selector, uschar * privkey,
1948 uschar * hashname, const uschar ** errstr)
1951 pdkim_signature * sig;
1953 if (!domain || !selector || !privkey)
1956 /* Allocate & init one signature struct */
1958 sig = store_get(sizeof(pdkim_signature), FALSE);
1959 memset(sig, 0, sizeof(pdkim_signature));
1961 sig->bodylength = -1;
1963 sig->domain = string_copy(US domain);
1964 sig->selector = string_copy(US selector);
1965 sig->privkey = string_copy(US privkey);
1968 for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++)
1969 if (Ustrcmp(hashname, pdkim_hashes[hashtype].dkim_hashname) == 0)
1970 { sig->hashtype = hashtype; break; }
1971 if (hashtype >= nelem(pdkim_hashes))
1973 log_write(0, LOG_MAIN|LOG_PANIC,
1974 "DKIM: unrecognised hashname '%s'", hashname);
1980 pdkim_signature s = *sig;
1983 debug_printf("DKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1984 if (!pdkim_key_from_dns(ctx, &s, &vctx, errstr))
1985 debug_printf("WARNING: bad dkim key in dns\n");
1986 debug_printf("DKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1992 /* -------------------------------------------------------------------------- */
1995 pdkim_set_optional(pdkim_signature * sig,
1996 char * sign_headers,
2001 unsigned long created,
2002 unsigned long expires)
2005 sig->identity = string_copy(US identity);
2007 sig->sign_headers = string_copy(sign_headers
2008 ? US sign_headers : US PDKIM_DEFAULT_SIGN_HEADERS);
2010 sig->canon_headers = canon_headers;
2011 sig->canon_body = canon_body;
2012 sig->bodylength = bodylength;
2013 sig->created = created;
2014 sig->expires = expires;
2021 /* Set up a blob for calculating the bodyhash according to the
2022 given needs. Use an existing one if possible, or create a new one.
2024 Return: hashblob pointer, or NULL on error
2027 pdkim_set_bodyhash(pdkim_ctx * ctx, int hashtype, int canon_method,
2032 if (hashtype == -1 || canon_method == -1) return NULL;
2034 for (b = ctx->bodyhash; b; b = b->next)
2035 if ( hashtype == b->hashtype
2036 && canon_method == b->canon_method
2037 && bodylength == b->bodylength)
2039 DEBUG(D_receive) debug_printf("DKIM: using existing bodyhash %d/%d/%ld\n",
2040 hashtype, canon_method, bodylength);
2044 DEBUG(D_receive) debug_printf("DKIM: new bodyhash %d/%d/%ld\n",
2045 hashtype, canon_method, bodylength);
2046 b = store_get(sizeof(pdkim_bodyhash), FALSE);
2047 b->next = ctx->bodyhash;
2048 b->hashtype = hashtype;
2049 b->canon_method = canon_method;
2050 b->bodylength = bodylength;
2051 if (!exim_sha_init(&b->body_hash_ctx, /*XXX hash method: extend for sha512 */
2052 pdkim_hashes[hashtype].exim_hashmethod))
2055 debug_printf("DKIM: hash init error, possibly nonhandled hashtype\n");
2058 b->signed_body_bytes = 0;
2059 b->num_buffered_blanklines = 0;
2065 /* Set up a blob for calculating the bodyhash according to the
2066 needs of this signature. Use an existing one if possible, or
2069 Return: hashblob pointer, or NULL on error (only used as a boolean).
2072 pdkim_set_sig_bodyhash(pdkim_ctx * ctx, pdkim_signature * sig)
2074 pdkim_bodyhash * b = pdkim_set_bodyhash(ctx,
2075 sig->hashtype, sig->canon_body, sig->bodylength);
2076 sig->calc_body_hash = b;
2081 /* -------------------------------------------------------------------------- */
2085 pdkim_init_context(pdkim_ctx * ctx, BOOL dot_stuffed,
2086 uschar * (*dns_txt_callback)(const uschar *))
2088 memset(ctx, 0, sizeof(pdkim_ctx));
2089 ctx->flags = dot_stuffed ? PDKIM_MODE_SIGN | PDKIM_DOT_TERM : PDKIM_MODE_SIGN;
2090 /* The line buffer is for message data, hence tainted */
2091 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, TRUE);
2092 DEBUG(D_acl) ctx->dns_txt_callback = dns_txt_callback;
2104 #endif /*DISABLE_DKIM*/