2 * PDKIM - a RFC4871 (DKIM) implementation
4 * Copyright (c) The Exim Maintainers 2021 - 2022
5 * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
6 * Copyright (C) 2016 - 2020 Jeremy Harris <jgh@exim.org>
7 * SPDX-License-Identifier: GPL-2.0-or-later
9 * http://duncanthrax.net/pdkim/
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #ifndef DISABLE_DKIM /* entire file */
32 # error Must not DISABLE_TLS, for DKIM
35 #include "crypt_ver.h"
38 # include <openssl/rsa.h>
39 # include <openssl/ssl.h>
40 # include <openssl/err.h>
41 #elif defined(SIGN_GNUTLS)
42 # include <gnutls/gnutls.h>
43 # include <gnutls/x509.h>
49 #define PDKIM_SIGNATURE_VERSION "1"
50 #define PDKIM_PUB_RECORD_VERSION US "DKIM1"
52 #define PDKIM_MAX_HEADER_LEN 65536
53 #define PDKIM_MAX_HEADERS 512
54 #define PDKIM_MAX_BODY_LINE_LEN 16384
55 #define PDKIM_DNS_TXT_MAX_NAMELEN 1024
57 /* -------------------------------------------------------------------------- */
58 struct pdkim_stringlist {
64 /* -------------------------------------------------------------------------- */
65 /* A bunch of list constants */
66 const uschar * pdkim_querymethods[] = {
70 const uschar * pdkim_canons[] = {
76 const pdkim_hashtype pdkim_hashes[] = {
77 { US"sha1", HASH_SHA1 },
78 { US"sha256", HASH_SHA2_256 },
79 { US"sha512", HASH_SHA2_512 }
82 const uschar * pdkim_keytypes[] = {
83 [KEYTYPE_RSA] = US"rsa",
84 #ifdef SIGN_HAVE_ED25519
85 [KEYTYPE_ED25519] = US"ed25519", /* Works for 3.6.0 GnuTLS, OpenSSL 1.1.1 */
88 #ifdef notyet_EC_dkim_extensions /* https://tools.ietf.org/html/draft-srose-dkim-ecc-00 */
95 typedef struct pdkim_combined_canon_entry {
99 } pdkim_combined_canon_entry;
101 pdkim_combined_canon_entry pdkim_combined_canons[] = {
102 { US"simple/simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
103 { US"simple/relaxed", PDKIM_CANON_SIMPLE, PDKIM_CANON_RELAXED },
104 { US"relaxed/simple", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
105 { US"relaxed/relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_RELAXED },
106 { US"simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
107 { US"relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
112 static const blob lineending = {.data = US"\r\n", .len = 2};
114 /* -------------------------------------------------------------------------- */
116 dkim_sig_to_a_tag(const pdkim_signature * sig)
118 if ( sig->keytype < 0 || sig->keytype > nelem(pdkim_keytypes)
119 || sig->hashtype < 0 || sig->hashtype > nelem(pdkim_hashes))
121 return string_sprintf("%s-%s",
122 pdkim_keytypes[sig->keytype], pdkim_hashes[sig->hashtype].dkim_hashname);
127 pdkim_keyname_to_keytype(const uschar * s)
129 for (int i = 0; i < nelem(pdkim_keytypes); i++)
130 if (Ustrcmp(s, pdkim_keytypes[i]) == 0) return i;
135 pdkim_hashname_to_hashtype(const uschar * s, unsigned len)
137 if (!len) len = Ustrlen(s);
138 for (int i = 0; i < nelem(pdkim_hashes); i++)
139 if (Ustrncmp(s, pdkim_hashes[i].dkim_hashname, len) == 0)
145 pdkim_cstring_to_canons(const uschar * s, unsigned len,
146 int * canon_head, int * canon_body)
148 if (!len) len = Ustrlen(s);
149 for (int i = 0; pdkim_combined_canons[i].str; i++)
150 if ( Ustrncmp(s, pdkim_combined_canons[i].str, len) == 0
151 && len == Ustrlen(pdkim_combined_canons[i].str))
153 *canon_head = pdkim_combined_canons[i].canon_headers;
154 *canon_body = pdkim_combined_canons[i].canon_body;
162 pdkim_verify_status_str(int status)
166 case PDKIM_VERIFY_NONE: return "PDKIM_VERIFY_NONE";
167 case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
168 case PDKIM_VERIFY_FAIL: return "PDKIM_VERIFY_FAIL";
169 case PDKIM_VERIFY_PASS: return "PDKIM_VERIFY_PASS";
170 default: return "PDKIM_VERIFY_UNKNOWN";
175 pdkim_verify_ext_status_str(int ext_status)
179 case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
180 case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
181 case PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH: return "PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH";
182 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
183 case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
184 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
185 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
186 case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: return "PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE";
187 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR";
188 case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION";
189 default: return "PDKIM_VERIFY_UNKNOWN";
194 pdkim_errstr(int status)
198 case PDKIM_OK: return US"OK";
199 case PDKIM_FAIL: return US"FAIL";
200 case PDKIM_ERR_RSA_PRIVKEY: return US"PRIVKEY";
201 case PDKIM_ERR_RSA_SIGNING: return US"SIGNING";
202 case PDKIM_ERR_LONG_LINE: return US"LONG_LINE";
203 case PDKIM_ERR_BUFFER_TOO_SMALL: return US"BUFFER_TOO_SMALL";
204 case PDKIM_ERR_EXCESS_SIGS: return US"EXCESS_SIGS";
205 case PDKIM_SIGN_PRIVKEY_WRAP: return US"PRIVKEY_WRAP";
206 case PDKIM_SIGN_PRIVKEY_B64D: return US"PRIVKEY_B64D";
207 default: return US"(unknown)";
212 /* -------------------------------------------------------------------------- */
213 /* Print debugging functions */
215 pdkim_quoteprint(const uschar *data, int len)
217 for (int i = 0; i < len; i++)
219 const int c = data[i];
222 case ' ' : debug_printf("{SP}"); break;
223 case '\t': debug_printf("{TB}"); break;
224 case '\r': debug_printf("{CR}"); break;
225 case '\n': debug_printf("{LF}"); break;
226 case '{' : debug_printf("{BO}"); break;
227 case '}' : debug_printf("{BC}"); break;
229 if ( (c < 32) || (c > 127) )
230 debug_printf("{%02x}", c);
232 debug_printf("%c", c);
240 pdkim_hexprint(const uschar *data, int len)
242 if (data) for (int i = 0 ; i < len; i++) debug_printf("%02x", data[i]);
243 else debug_printf("<NULL>");
249 static pdkim_stringlist *
250 pdkim_prepend_stringlist(pdkim_stringlist * base, const uschar * str)
252 pdkim_stringlist * new_entry = store_get(sizeof(pdkim_stringlist), GET_UNTAINTED);
254 memset(new_entry, 0, sizeof(pdkim_stringlist));
255 new_entry->value = string_copy(str);
256 if (base) new_entry->next = base;
262 /* Trim whitespace fore & aft */
265 pdkim_strtrim(gstring * str)
270 while (*p == '\t' || *p == ' ') /* dump the leading whitespace */
271 { str->size--; str->ptr--; str->s++; }
274 && ((q = str->s + str->ptr - 1), (*q == '\t' || *q == ' '))
276 str->ptr--; /* dump trailing whitespace */
278 (void) string_from_gstring(str);
283 /* -------------------------------------------------------------------------- */
286 pdkim_free_ctx(pdkim_ctx *ctx)
291 /* -------------------------------------------------------------------------- */
292 /* Matches the name of the passed raw "header" against
293 the passed colon-separated "tick", and invalidates
294 the entry in tick. Entries can be prefixed for multi- or over-signing,
295 in which case do not invalidate.
297 Returns OK for a match, or fail-code
301 header_name_match(const uschar * header, uschar * tick)
303 const uschar * ticklist = tick;
306 uschar * hname, * p, * ele;
307 uschar * hcolon = Ustrchr(header, ':'); /* Get header name */
310 return PDKIM_FAIL; /* This isn't a header */
312 /* if we had strncmpic() we wouldn't need this copy */
313 hname = string_copyn(header, hcolon-header);
315 while (p = US ticklist, ele = string_nextinlist(&ticklist, &sep, NULL, 0))
319 case '=': case '+': multisign = TRUE; ele++; break;
320 default: multisign = FALSE; break;
323 if (strcmpic(ele, hname) == 0)
326 *p = '_'; /* Invalidate this header name instance in tick-off list */
334 /* -------------------------------------------------------------------------- */
335 /* Performs "relaxed" canonicalization of a header. */
338 pdkim_relax_header_n(const uschar * header, int len, BOOL append_crlf)
340 BOOL past_field_name = FALSE;
341 BOOL seen_wsp = FALSE;
342 uschar * relaxed = store_get(len+3, GET_TAINTED);
343 uschar * q = relaxed;
345 for (const uschar * p = header; p - header < len; p++)
349 if (c == '\r' || c == '\n') /* Ignore CR & LF */
351 if (c == '\t' || c == ' ')
355 c = ' '; /* Turns WSP into SP */
359 if (!past_field_name && c == ':')
361 if (seen_wsp) q--; /* This removes WSP immediately before the colon */
362 seen_wsp = TRUE; /* This removes WSP immediately after the colon */
363 past_field_name = TRUE;
368 /* Lowercase header name */
369 if (!past_field_name) c = tolower(c);
373 if (q > relaxed && q[-1] == ' ') q--; /* Squash eventual trailing SP */
375 if (append_crlf) { *q++ = '\r'; *q++ = '\n'; }
382 pdkim_relax_header(const uschar * header, BOOL append_crlf)
384 return pdkim_relax_header_n(header, Ustrlen(header), append_crlf);
388 /* -------------------------------------------------------------------------- */
389 #define PDKIM_QP_ERROR_DECODE -1
391 static const uschar *
392 pdkim_decode_qp_char(const uschar *qp_p, int *c)
394 const uschar *initial_pos = qp_p;
396 /* Advance one char */
399 /* Check for two hex digits and decode them */
400 if (isxdigit(*qp_p) && isxdigit(qp_p[1]))
402 /* Do hex conversion */
403 *c = (isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10) << 4;
404 *c |= isdigit(qp_p[1]) ? qp_p[1] - '0' : toupper(qp_p[1]) - 'A' + 10;
408 /* Illegal char here */
409 *c = PDKIM_QP_ERROR_DECODE;
414 /* -------------------------------------------------------------------------- */
417 pdkim_decode_qp(const uschar * str)
421 const uschar * p = str;
422 uschar * n = store_get(Ustrlen(str)+1, GET_TAINTED);
430 p = pdkim_decode_qp_char(p, &nchar);
446 /* -------------------------------------------------------------------------- */
449 pdkim_decode_base64(const uschar * str, blob * b)
451 int dlen = b64decode(str, &b->data);
452 if (dlen < 0) b->data = NULL;
457 pdkim_encode_base64(blob * b)
459 return b64encode(CUS b->data, b->len);
463 /* -------------------------------------------------------------------------- */
464 #define PDKIM_HDR_LIMBO 0
465 #define PDKIM_HDR_TAG 1
466 #define PDKIM_HDR_VALUE 2
468 static pdkim_signature *
469 pdkim_parse_sig_header(pdkim_ctx * ctx, uschar * raw_hdr)
471 pdkim_signature * sig;
473 gstring * cur_tag = NULL;
474 gstring * cur_val = NULL;
475 BOOL past_hname = FALSE;
476 BOOL in_b_val = FALSE;
477 int where = PDKIM_HDR_LIMBO;
479 sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
480 memset(sig, 0, sizeof(pdkim_signature));
481 sig->bodylength = -1;
483 /* Set so invalid/missing data error display is accurate */
488 q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1, GET_TAINTED);
490 for (uschar * p = raw_hdr; ; p++)
495 if (c == '\r' || c == '\n')
498 /* Fast-forward through header name */
501 if (c == ':') past_hname = TRUE;
505 if (where == PDKIM_HDR_LIMBO)
507 /* In limbo, just wait for a tag-char to appear */
508 if (!(c >= 'a' && c <= 'z'))
511 where = PDKIM_HDR_TAG;
514 if (where == PDKIM_HDR_TAG)
516 if (c >= 'a' && c <= 'z')
517 cur_tag = string_catn(cur_tag, p, 1);
521 if (Ustrcmp(string_from_gstring(cur_tag), "b") == 0)
526 where = PDKIM_HDR_VALUE;
531 if (where == PDKIM_HDR_VALUE)
533 if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
536 if (c == ';' || c == '\0')
538 /* We must have both tag and value, and tags must be one char except
539 for the possibility of "bh". */
541 if ( cur_tag && cur_val
542 && (cur_tag->ptr == 1 || *cur_tag->s == 'b')
545 (void) string_from_gstring(cur_val);
546 pdkim_strtrim(cur_val);
548 DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->s, cur_val->s);
552 case 'b': /* sig-data or body-hash */
553 switch (cur_tag->s[1])
555 case '\0': pdkim_decode_base64(cur_val->s, &sig->sighash); break;
556 case 'h': if (cur_tag->ptr == 2)
557 pdkim_decode_base64(cur_val->s, &sig->bodyhash);
562 case 'v': /* version */
563 /* We only support version 1, and that is currently the
564 only version there is. */
566 Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
568 case 'a': /* algorithm */
570 const uschar * list = cur_val->s;
574 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
575 sig->keytype = pdkim_keyname_to_keytype(elem);
576 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
577 for (int i = 0; i < nelem(pdkim_hashes); i++)
578 if (Ustrcmp(elem, pdkim_hashes[i].dkim_hashname) == 0)
579 { sig->hashtype = i; break; }
582 case 'c': /* canonicalization */
583 pdkim_cstring_to_canons(cur_val->s, 0,
584 &sig->canon_headers, &sig->canon_body);
586 case 'q': /* Query method (for pubkey)*/
587 for (int i = 0; pdkim_querymethods[i]; i++)
588 if (Ustrcmp(cur_val->s, pdkim_querymethods[i]) == 0)
590 sig->querymethod = i; /* we never actually use this */
594 case 's': /* Selector */
595 sig->selector = string_copyn(cur_val->s, cur_val->ptr); break;
597 sig->domain = string_copyn(cur_val->s, cur_val->ptr); break;
599 sig->identity = pdkim_decode_qp(cur_val->s); break;
600 case 't': /* Timestamp */
601 sig->created = strtoul(CS cur_val->s, NULL, 10); break;
602 case 'x': /* Expiration */
603 sig->expires = strtoul(CS cur_val->s, NULL, 10); break;
604 case 'l': /* Body length count */
605 sig->bodylength = strtol(CS cur_val->s, NULL, 10); break;
606 case 'h': /* signed header fields */
607 sig->headernames = string_copyn(cur_val->s, cur_val->ptr); break;
608 case 'z': /* Copied headfields */
609 sig->copiedheaders = pdkim_decode_qp(cur_val->s); break;
610 /*XXX draft-ietf-dcrup-dkim-crypto-05 would need 'p' tag support
611 for rsafp signatures. But later discussion is dropping those. */
613 DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
617 cur_tag = cur_val = NULL;
619 where = PDKIM_HDR_LIMBO;
622 cur_val = string_catn(cur_val, p, 1);
633 if (sig->keytype < 0 || sig->hashtype < 0) /* Cannot verify this signature */
637 /* Chomp raw header. The final newline must not be added to the signature. */
638 while (--q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n'))
644 "DKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
645 pdkim_quoteprint(US sig->rawsig_no_b_val, Ustrlen(sig->rawsig_no_b_val));
647 "DKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8);
649 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
652 if (!pdkim_set_sig_bodyhash(ctx, sig))
659 /* -------------------------------------------------------------------------- */
662 pdkim_parse_pubkey_record(const uschar *raw_record)
668 pub = store_get(sizeof(pdkim_pubkey), GET_TAINTED);
669 memset(pub, 0, sizeof(pdkim_pubkey));
671 while ((ele = string_nextinlist(&raw_record, &sep, NULL, 0)))
675 if ((val = Ustrchr(ele, '=')))
677 int taglen = val++ - ele;
679 DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, ele, val);
682 case 'v': pub->version = val; break;
683 case 'h': pub->hashes = val; break;
684 case 'k': pub->keytype = val; break;
685 case 'g': pub->granularity = val; break;
686 case 'n': pub->notes = pdkim_decode_qp(val); break;
687 case 'p': pdkim_decode_base64(val, &pub->key); break;
688 case 's': pub->srvtype = val; break;
689 case 't': if (Ustrchr(val, 'y')) pub->testing = 1;
690 if (Ustrchr(val, 's')) pub->no_subdomaining = 1;
692 default: DEBUG(D_acl) debug_printf(" Unknown tag encountered\n"); break;
697 /* Set fallback defaults */
699 pub->version = string_copy(PDKIM_PUB_RECORD_VERSION);
700 else if (Ustrcmp(pub->version, PDKIM_PUB_RECORD_VERSION) != 0)
702 DEBUG(D_acl) debug_printf(" Bad v= field\n");
706 if (!pub->granularity) pub->granularity = US"*";
707 if (!pub->keytype ) pub->keytype = US"rsa";
708 if (!pub->srvtype ) pub->srvtype = US"*";
714 DEBUG(D_acl) debug_printf(" Missing p= field\n");
719 /* -------------------------------------------------------------------------- */
721 /* Update one bodyhash with some additional data.
722 If we have to relax the data for this sig, return our copy of it. */
725 pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob * orig_data, blob * relaxed_data)
727 const blob * canon_data = orig_data;
730 /* Defaults to simple canon (no further treatment necessary) */
732 if (b->canon_method == PDKIM_CANON_RELAXED)
734 /* Relax the line if not done already */
737 BOOL seen_wsp = FALSE;
740 /* We want to be able to free this else we allocate
741 for the entire message which could be many MB. Since
742 we don't know what allocations the SHA routines might
743 do, not safe to use store_get()/store_reset(). */
745 relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
746 relaxed_data->data = US (relaxed_data+1);
748 for (const uschar * p = orig_data->data, * r = p + orig_data->len; p < r; p++)
753 if (q > 0 && relaxed_data->data[q-1] == ' ')
756 else if (c == '\t' || c == ' ')
758 c = ' '; /* Turns WSP into SP */
765 relaxed_data->data[q++] = c;
767 relaxed_data->data[q] = '\0';
768 relaxed_data->len = q;
770 canon_data = relaxed_data;
773 /* Make sure we don't exceed the to-be-signed body length */
774 left = canon_data->len;
775 if ( b->bodylength >= 0
776 && left > (unsigned long)b->bodylength - b->signed_body_bytes
778 left = (unsigned long)b->bodylength - b->signed_body_bytes;
782 exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, left);
783 b->signed_body_bytes += left;
784 DEBUG(D_acl) pdkim_quoteprint(canon_data->data, left);
791 /* -------------------------------------------------------------------------- */
794 pdkim_finish_bodyhash(pdkim_ctx * ctx)
796 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next) /* Finish hashes */
798 DEBUG(D_acl) debug_printf("DKIM: finish bodyhash %s/%s/%ld len %ld\n",
799 pdkim_hashes[b->hashtype].dkim_hashname, pdkim_canons[b->canon_method],
800 b->bodylength, b->signed_body_bytes);
801 exim_sha_finish(&b->body_hash_ctx, &b->bh);
804 /* Traverse all signatures */
805 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
807 pdkim_bodyhash * b = sig->calc_body_hash;
811 debug_printf("DKIM [%s]%s Body bytes (%s) hashed: %lu\n"
812 "DKIM [%s]%s Body %s computed: ",
813 sig->domain, sig->selector, pdkim_canons[b->canon_method], b->signed_body_bytes,
814 sig->domain, sig->selector, pdkim_hashes[b->hashtype].dkim_hashname);
815 pdkim_hexprint(CUS b->bh.data, b->bh.len);
818 /* SIGNING -------------------------------------------------------------- */
819 if (ctx->flags & PDKIM_MODE_SIGN)
821 /* If bodylength limit is set, and we have received less bytes
822 than the requested amount, effectively remove the limit tag. */
823 if (b->signed_body_bytes < sig->bodylength)
824 sig->bodylength = -1;
828 /* VERIFICATION --------------------------------------------------------- */
829 /* Be careful that the header sig included a bodyash */
831 if (sig->bodyhash.data && sig->bodyhash.len == b->bh.len
832 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
834 DEBUG(D_acl) debug_printf("DKIM [%s] Body hash compared OK\n", sig->domain);
840 debug_printf("DKIM [%s] Body hash signature from headers: ", sig->domain);
841 pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len);
842 debug_printf("DKIM [%s] Body hash did NOT verify\n", sig->domain);
844 sig->verify_status = PDKIM_VERIFY_FAIL;
845 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
853 pdkim_body_complete(pdkim_ctx * ctx)
855 /* In simple body mode, if any empty lines were buffered,
856 replace with one. rfc 4871 3.4.3 */
857 /*XXX checking the signed-body-bytes is a gross hack; I think
858 it indicates that all linebreaks should be buffered, including
859 the one terminating a text line */
861 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
862 if ( b->canon_method == PDKIM_CANON_SIMPLE
863 && b->signed_body_bytes == 0
864 && b->num_buffered_blanklines > 0
866 (void) pdkim_update_ctx_bodyhash(b, &lineending, NULL);
868 ctx->flags |= PDKIM_SEEN_EOD;
869 ctx->linebuf_offset = 0;
874 /* -------------------------------------------------------------------------- */
875 /* Call from pdkim_feed below for processing complete body lines */
876 /* NOTE: the line is not NUL-terminated; but we have a count */
879 pdkim_bodyline_complete(pdkim_ctx * ctx)
881 blob line = {.data = ctx->linebuf, .len = ctx->linebuf_offset};
885 /* Ignore extra data if we've seen the end-of-data marker */
886 if (ctx->flags & PDKIM_SEEN_EOD) goto all_skip;
888 /* We've always got one extra byte to stuff a zero ... */
889 ctx->linebuf[line.len] = '\0';
891 /* Terminate on EOD marker */
892 if (ctx->flags & PDKIM_DOT_TERM)
894 if (memcmp(line.data, ".\r\n", 3) == 0)
895 { pdkim_body_complete(ctx); return; }
898 if (memcmp(line.data, "..", 2) == 0)
899 { line.data++; line.len--; }
902 /* Empty lines need to be buffered until we find a non-empty line */
903 if (memcmp(line.data, "\r\n", 2) == 0)
905 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
906 b->num_buffered_blanklines++;
910 /* Process line for each bodyhash separately */
911 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
913 if (b->canon_method == PDKIM_CANON_RELAXED)
915 /* Lines with just spaces need to be buffered too */
916 uschar * cp = line.data;
921 if (c == '\r' && cp[1] == '\n') break;
922 if (c != ' ' && c != '\t') goto hash_process;
926 b->num_buffered_blanklines++;
931 /* At this point, we have a non-empty line, so release the buffered ones. */
933 while (b->num_buffered_blanklines)
935 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
936 b->num_buffered_blanklines--;
939 rline = pdkim_update_ctx_bodyhash(b, &line, rline);
943 if (rnl) store_free(rnl);
944 if (rline) store_free(rline);
948 ctx->linebuf_offset = 0;
953 /* -------------------------------------------------------------------------- */
954 /* Callback from pdkim_feed below for processing complete headers */
955 #define DKIM_SIGNATURE_HEADERNAME "DKIM-Signature:"
958 pdkim_header_complete(pdkim_ctx * ctx)
960 if ( (ctx->cur_header->ptr > 1) &&
961 (ctx->cur_header->s[ctx->cur_header->ptr-1] == '\r') )
962 --ctx->cur_header->ptr;
963 (void) string_from_gstring(ctx->cur_header);
965 #ifdef EXPERIMENTAL_ARC
966 /* Feed the header line to ARC processing */
967 (void) arc_header_feed(ctx->cur_header, !(ctx->flags & PDKIM_MODE_SIGN));
970 if (++ctx->num_headers > PDKIM_MAX_HEADERS) goto BAIL;
972 /* SIGNING -------------------------------------------------------------- */
973 if (ctx->flags & PDKIM_MODE_SIGN)
974 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) /* Traverse all signatures */
976 /* Add header to the signed headers list (in reverse order) */
977 sig->headers = pdkim_prepend_stringlist(sig->headers, ctx->cur_header->s);
979 /* VERIFICATION ----------------------------------------------------------- */
980 /* DKIM-Signature: headers are added to the verification list */
986 debug_printf("DKIM >> raw hdr: ");
987 pdkim_quoteprint(CUS ctx->cur_header->s, ctx->cur_header->ptr);
990 if (strncasecmp(CCS ctx->cur_header->s,
991 DKIM_SIGNATURE_HEADERNAME,
992 Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
994 pdkim_signature * sig, * last_sig;
995 /* Create and chain new signature block. We could error-check for all
996 required tags here, but prefer to create the internal sig and expicitly
997 fail verification of it later. */
999 DEBUG(D_acl) debug_printf(
1000 "DKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1002 sig = pdkim_parse_sig_header(ctx, ctx->cur_header->s);
1004 if (!(last_sig = ctx->sig))
1008 while (last_sig->next) last_sig = last_sig->next;
1009 last_sig->next = sig;
1012 if (dkim_collect_input && --dkim_collect_input == 0)
1014 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
1015 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
1016 return PDKIM_ERR_EXCESS_SIGS;
1020 /* all headers are stored for signature verification */
1021 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
1025 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0'; /* leave buffer for reuse */
1031 /* -------------------------------------------------------------------------- */
1032 #define HEADER_BUFFER_FRAG_SIZE 256
1035 pdkim_feed(pdkim_ctx * ctx, uschar * data, int len)
1037 /* Alternate EOD signal, used in non-dotstuffing mode */
1039 pdkim_body_complete(ctx);
1041 else for (int p = 0; p < len; p++)
1046 if (ctx->flags & PDKIM_PAST_HDRS)
1048 if (c == '\n' && !(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1050 ctx->linebuf[ctx->linebuf_offset++] = '\r';
1051 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1052 return PDKIM_ERR_LONG_LINE;
1055 /* Processing body byte */
1056 ctx->linebuf[ctx->linebuf_offset++] = c;
1058 ctx->flags |= PDKIM_SEEN_CR;
1061 ctx->flags &= ~PDKIM_SEEN_CR;
1062 pdkim_bodyline_complete(ctx);
1065 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1066 return PDKIM_ERR_LONG_LINE;
1070 /* Processing header byte */
1072 ctx->flags |= PDKIM_SEEN_CR;
1075 if (!(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1076 ctx->cur_header = string_catn(ctx->cur_header, CUS "\r", 1);
1078 if (ctx->flags & PDKIM_SEEN_LF) /* Seen last header line */
1080 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1083 ctx->flags = (ctx->flags & ~(PDKIM_SEEN_LF|PDKIM_SEEN_CR)) | PDKIM_PAST_HDRS;
1084 DEBUG(D_acl) debug_printf(
1085 "DKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1089 ctx->flags = (ctx->flags & ~PDKIM_SEEN_CR) | PDKIM_SEEN_LF;
1091 else if (ctx->flags & PDKIM_SEEN_LF)
1093 if (!(c == '\t' || c == ' ')) /* End of header */
1094 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1096 ctx->flags &= ~PDKIM_SEEN_LF;
1099 if (!ctx->cur_header || ctx->cur_header->ptr < PDKIM_MAX_HEADER_LEN)
1100 ctx->cur_header = string_catn(ctx->cur_header, CUS &data[p], 1);
1108 /* Extend a growing header with a continuation-linebreak */
1110 pdkim_hdr_cont(gstring * str, int * col)
1113 return string_catn(str, US"\r\n\t", 3);
1119 * RFC 5322 specifies that header line length SHOULD be no more than 78
1122 * Returns gstring (not nul-terminated) appending to one supplied
1124 * col: this int holds and receives column number (octets since last '\n')
1125 * str: partial string to append to
1126 * pad: padding, split line or space after before or after eg: ";".
1127 * Only the initial charater is used.
1128 * intro: - must join to payload eg "h=", usually the tag name
1129 * payload: eg base64 data - long data can be split arbitrarily.
1131 * this code doesn't fold the header in some of the places that RFC4871
1132 * allows: As per RFC5322(2.2.3) it only folds before or after tag-value
1133 * pairs and inside long values. it also always spaces or breaks after the
1136 * No guarantees are made for output given out-of range input. like tag
1137 * names longer than 78, or bogus col. Input is assumed to be free of line breaks.
1141 pdkim_headcat(int * col, gstring * str,
1142 const uschar * pad, const uschar * intro, const uschar * payload)
1144 int len, chomp, padded = 0;
1146 /* If we can fit at least the pad at the end of current line, do it now.
1147 Otherwise, wrap if there is a pad. */
1152 str = string_catn(str, pad, 1);
1158 str = pdkim_hdr_cont(str, col);
1160 /* Special case: if the whole addition does not fit at the end of the current
1161 line, but could fit on a new line, wrap to give it its full, dedicated line. */
1163 len = (pad ? 2 : padded)
1164 + (intro ? Ustrlen(intro) : 0)
1165 + (payload ? Ustrlen(payload) : 0);
1166 if (len <= 77 && *col+len > 78)
1168 str = pdkim_hdr_cont(str, col);
1172 /* Either we already dealt with the pad or we know there is room */
1176 str = string_catn(str, pad, 1);
1177 str = string_catn(str, US" ", 1);
1180 else if (padded && *col < 78)
1182 str = string_catn(str, US" ", 1);
1186 /* Call recursively with intro as payload: it gets the same, special treatment
1187 (that is, not split if < 78). */
1190 str = pdkim_headcat(col, str, NULL, NULL, intro);
1193 for (len = Ustrlen(payload); len; len -= chomp)
1196 str = pdkim_hdr_cont(str, col);
1197 chomp = *col+len > 78 ? 78 - *col : len;
1198 str = string_catn(str, payload, chomp);
1207 /* -------------------------------------------------------------------------- */
1209 /* Signing: create signature header
1212 pdkim_create_header(pdkim_signature * sig, BOOL final)
1218 gstring * canon_all;
1220 canon_all = string_cat (NULL, pdkim_canons[sig->canon_headers]);
1221 canon_all = string_catn(canon_all, US"/", 1);
1222 canon_all = string_cat (canon_all, pdkim_canons[sig->canon_body]);
1223 (void) string_from_gstring(canon_all);
1225 hdr = string_cat(NULL, US"DKIM-Signature: v="PDKIM_SIGNATURE_VERSION);
1228 /* Required and static bits */
1229 hdr = pdkim_headcat(&col, hdr, US";", US"a=", dkim_sig_to_a_tag(sig));
1230 hdr = pdkim_headcat(&col, hdr, US";", US"q=", pdkim_querymethods[sig->querymethod]);
1231 hdr = pdkim_headcat(&col, hdr, US";", US"c=", canon_all->s);
1232 hdr = pdkim_headcat(&col, hdr, US";", US"d=", sig->domain);
1233 hdr = pdkim_headcat(&col, hdr, US";", US"s=", sig->selector);
1235 /* list of header names can be split between items. */
1237 uschar * n = string_copy(sig->headernames);
1238 uschar * i = US"h=";
1243 uschar * c = Ustrchr(n, ':');
1248 hdr = pdkim_headcat(&col, hdr, NULL, NULL, US":");
1250 hdr = pdkim_headcat(&col, hdr, s, i, n);
1261 base64_bh = pdkim_encode_base64(&sig->calc_body_hash->bh);
1262 hdr = pdkim_headcat(&col, hdr, US";", US"bh=", base64_bh);
1266 hdr = pdkim_headcat(&col, hdr, US";", US"i=", sig->identity);
1268 if (sig->created > 0)
1272 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->created);
1273 hdr = pdkim_headcat(&col, hdr, US";", US"t=", minibuf);
1276 if (sig->expires > 0)
1280 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->expires);
1281 hdr = pdkim_headcat(&col, hdr, US";", US"x=", minibuf);
1284 if (sig->bodylength >= 0)
1288 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->bodylength);
1289 hdr = pdkim_headcat(&col, hdr, US";", US"l=", minibuf);
1292 /* Preliminary or final version? */
1295 base64_b = pdkim_encode_base64(&sig->sighash);
1296 hdr = pdkim_headcat(&col, hdr, US";", US"b=", base64_b);
1298 /* add trailing semicolon: I'm not sure if this is actually needed */
1299 hdr = pdkim_headcat(&col, hdr, NULL, US";", US"");
1303 /* To satisfy the rule "all surrounding whitespace [...] deleted"
1304 ( RFC 6376 section 3.7 ) we ensure there is no whitespace here. Otherwise
1305 the headcat routine could insert a linebreak which the relaxer would reduce
1306 to a single space preceding the terminating semicolon, resulting in an
1307 incorrect header-hash. */
1308 hdr = pdkim_headcat(&col, hdr, US";", US"b=;", US"");
1311 return string_from_gstring(hdr);
1315 /* -------------------------------------------------------------------------- */
1317 /* According to draft-ietf-dcrup-dkim-crypto-07 "keys are 256 bits" (referring
1318 to DNS, hence the pubkey). Check for more than 32 bytes; if so assume the
1319 alternate possible representation (still) being discussed: a
1320 SubjectPublickeyInfo wrapped key - and drop all but the trailing 32-bytes (it
1321 should be a DER, with exactly 12 leading bytes - but we could accept a BER also,
1322 which could be any size). We still rely on the crypto library for checking for
1325 When the RFC is published this should be re-addressed. */
1328 check_bare_ed25519_pubkey(pdkim_pubkey * p)
1330 int excess = p->key.len - 32;
1334 debug_printf("DKIM: unexpected pubkey len %lu\n", (unsigned long) p->key.len);
1335 p->key.data += excess; p->key.len = 32;
1340 static pdkim_pubkey *
1341 pdkim_key_from_dns(pdkim_ctx * ctx, pdkim_signature * sig, ev_ctx * vctx,
1342 const uschar ** errstr)
1344 uschar * dns_txt_name, * dns_txt_reply;
1347 /* Fetch public key for signing domain, from DNS */
1349 dns_txt_name = string_sprintf("%s._domainkey.%s.", sig->selector, sig->domain);
1351 if ( !(dns_txt_reply = ctx->dns_txt_callback(dns_txt_name))
1352 || dns_txt_reply[0] == '\0'
1355 sig->verify_status = PDKIM_VERIFY_INVALID;
1356 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
1363 "DKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
1367 pdkim_quoteprint(CUS dns_txt_reply, Ustrlen(dns_txt_reply));
1370 if ( !(p = pdkim_parse_pubkey_record(CUS dns_txt_reply))
1371 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
1374 sig->verify_status = PDKIM_VERIFY_INVALID;
1375 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
1380 debug_printf(" Invalid public key service type '%s'\n", p->srvtype);
1382 debug_printf(" Error while parsing public key record\n");
1384 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1389 DEBUG(D_acl) debug_printf(
1390 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1392 /* Import public key */
1394 /* Normally we use the signature a= tag to tell us the pubkey format.
1395 When signing under debug we do a test-import of the pubkey, and at that
1396 time we do not have a signature so we must interpret the pubkey k= tag
1397 instead. Assume writing on the sig is ok in that case. */
1399 if (sig->keytype < 0)
1400 if ((sig->keytype = pdkim_keyname_to_keytype(p->keytype)) < 0)
1402 DEBUG(D_acl) debug_printf("verify_init: unhandled keytype %s\n", p->keytype);
1403 sig->verify_status = PDKIM_VERIFY_INVALID;
1404 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1408 if (sig->keytype == KEYTYPE_ED25519)
1409 check_bare_ed25519_pubkey(p);
1411 if ((*errstr = exim_dkim_verify_init(&p->key,
1412 sig->keytype == KEYTYPE_ED25519 ? KEYFMT_ED25519_BARE : KEYFMT_DER,
1413 vctx, &sig->keybits)))
1415 DEBUG(D_acl) debug_printf("verify_init: %s\n", *errstr);
1416 sig->verify_status = PDKIM_VERIFY_INVALID;
1417 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1421 vctx->keytype = sig->keytype;
1426 /* -------------------------------------------------------------------------- */
1427 /* Sort and filter the sigs developed from the message */
1429 static pdkim_signature *
1430 sort_sig_methods(pdkim_signature * siglist)
1432 pdkim_signature * yield, ** ss;
1433 const uschar * prefs;
1437 if (!siglist) return NULL;
1439 /* first select in order of hashtypes */
1440 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_hashes '%s'\n", dkim_verify_hashes);
1441 for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield;
1442 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1444 int i = pdkim_hashname_to_hashtype(CUS ele, 0);
1445 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1449 if (s->hashtype == i)
1450 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1456 /* then in order of keytypes */
1458 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes);
1459 for (prefs = dkim_verify_keytypes, sep = 0, yield = NULL, ss = &yield;
1460 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1462 int i = pdkim_keyname_to_keytype(CUS ele);
1463 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1467 if (s->keytype == i)
1468 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1474 DEBUG(D_acl) for (pdkim_signature * s = yield; s; s = s->next)
1475 debug_printf(" retain d=%s s=%s a=%s\n",
1476 s->domain, s->selector, dkim_sig_to_a_tag(s));
1481 /* -------------------------------------------------------------------------- */
1484 pdkim_feed_finish(pdkim_ctx * ctx, pdkim_signature ** return_signatures,
1485 const uschar ** err)
1487 BOOL verify_pass = FALSE;
1489 /* Check if we must still flush a (partial) header. If that is the
1490 case, the message has no body, and we must compute a body hash
1491 out of '<CR><LF>' */
1492 if (ctx->cur_header && ctx->cur_header->ptr > 0)
1497 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1500 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
1501 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
1502 if (rnl) store_free(rnl);
1505 DEBUG(D_acl) debug_printf(
1506 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1508 /* Build (and/or evaluate) body hash. Do this even if no DKIM sigs, in case we
1509 have a hash to do for ARC. */
1511 pdkim_finish_bodyhash(ctx);
1513 /* Sort and filter the recived signatures */
1515 if (!(ctx->flags & PDKIM_MODE_SIGN))
1516 ctx->sig = sort_sig_methods(ctx->sig);
1520 DEBUG(D_acl) debug_printf("DKIM: no signatures\n");
1521 *return_signatures = NULL;
1525 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
1528 uschar * sig_hdr = US"";
1530 gstring * hdata = NULL;
1533 if ( !(ctx->flags & PDKIM_MODE_SIGN)
1534 && sig->verify_status == PDKIM_VERIFY_FAIL)
1537 debug_printf("DKIM: [%s] abandoning this signature\n", sig->domain);
1541 /*XXX The hash of the headers is needed for GCrypt (for which we can do RSA
1542 signing only, as it happens) and for either GnuTLS and OpenSSL when we are
1543 signing with EC (specifically, Ed25519). The former is because the GCrypt
1544 signing operation is pure (does not do its own hash) so we must hash. The
1545 latter is because we (stupidly, but this is what the IETF draft is saying)
1546 must hash with the declared hash method, then pass the result to the library
1547 hash-and-sign routine (because that's all the libraries are providing. And
1548 we're stuck with whatever that hidden hash method is, too). We may as well
1549 do this hash incrementally.
1550 We don't need the hash we're calculating here for the GnuTLS and OpenSSL
1551 cases of RSA signing, since those library routines can do hash-and-sign.
1553 Some time in the future we could easily avoid doing the hash here for those
1554 cases (which will be common for a long while. We could also change from
1555 the current copy-all-the-headers-into-one-block, then call the hash-and-sign
1556 implementation - to a proper incremental one. Unfortunately, GnuTLS just
1557 cannot do incremental - either signing or verification. Unsure about GCrypt.
1560 /*XXX The header hash is also used (so far) by the verify operation */
1562 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod))
1564 log_write(0, LOG_MAIN|LOG_PANIC,
1565 "DKIM: hash setup error, possibly nonhandled hashtype");
1569 if (ctx->flags & PDKIM_MODE_SIGN)
1570 DEBUG(D_acl) debug_printf(
1571 "DKIM >> Headers to be signed: >>>>>>>>>>>>\n"
1575 DEBUG(D_acl) debug_printf(
1576 "DKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n",
1577 pdkim_canons[sig->canon_headers]);
1580 /* SIGNING ---------------------------------------------------------------- */
1581 /* When signing, walk through our header list and add them to the hash. As we
1582 go, construct a list of the header's names to use for the h= parameter.
1583 Then append to that list any remaining header names for which there was no
1586 if (ctx->flags & PDKIM_MODE_SIGN)
1593 /* Import private key, including the keytype which we need for building
1594 the signature header */
1596 if ((*err = exim_dkim_signing_init(CUS sig->privkey, &sctx)))
1598 log_write(0, LOG_MAIN|LOG_PANIC, "signing_init: %s", *err);
1599 return PDKIM_ERR_RSA_PRIVKEY;
1601 sig->keytype = sctx.keytype;
1603 sig->headernames = NULL; /* Collected signed header names */
1604 for (pdkim_stringlist * p = sig->headers; p; p = p->next)
1606 uschar * rh = p->value;
1608 if (header_name_match(rh, sig->sign_headers) == PDKIM_OK)
1610 /* Collect header names (Note: colon presence is guaranteed here) */
1611 g = string_append_listele_n(g, ':', rh, Ustrchr(rh, ':') - rh);
1613 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1614 rh = pdkim_relax_header(rh, TRUE); /* cook header for relaxed canon */
1616 /* Feed header to the hash algorithm */
1617 exim_sha_update_string(&hhash_ctx, CUS rh);
1619 /* Remember headers block for signing (when the library cannot do incremental) */
1620 /*XXX we could avoid doing this for all but the GnuTLS/RSA case */
1621 hdata = exim_dkim_data_append(hdata, rh);
1623 DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
1627 /* Any headers we wanted to sign but were not present must also be listed.
1628 Ignore elements that have been ticked-off or are marked as never-oversign. */
1630 l = sig->sign_headers;
1631 while((s = string_nextinlist(&l, &sep, NULL, 0)))
1633 if (*s == '+') /* skip oversigning marker */
1635 if (*s != '_' && *s != '=')
1636 g = string_append_listele(g, ':', s);
1638 sig->headernames = string_from_gstring(g);
1640 /* Create signature header with b= omitted */
1641 sig_hdr = pdkim_create_header(sig, FALSE);
1644 /* VERIFICATION ----------------------------------------------------------- */
1645 /* When verifying, walk through the header name list in the h= parameter and
1646 add the headers to the hash in that order. */
1649 uschar * p = sig->headernames;
1655 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1661 if ((q = Ustrchr(p, ':')))
1664 /*XXX walk the list of headers in same order as received. */
1665 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1667 && strncasecmp(CCS hdrs->value, CCS p, Ustrlen(p)) == 0
1668 && (hdrs->value)[Ustrlen(p)] == ':'
1671 /* cook header for relaxed canon, or just copy it for simple */
1673 uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
1674 ? pdkim_relax_header(hdrs->value, TRUE)
1675 : string_copy(CUS hdrs->value);
1677 /* Feed header to the hash algorithm */
1678 exim_sha_update_string(&hhash_ctx, CUS rh);
1680 DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
1689 sig_hdr = string_copy(sig->rawsig_no_b_val);
1693 DEBUG(D_acl) debug_printf(
1694 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1699 "DKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n");
1700 pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
1702 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1705 /* Relax header if necessary */
1706 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1707 sig_hdr = pdkim_relax_header(sig_hdr, FALSE);
1711 debug_printf("DKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n",
1712 pdkim_canons[sig->canon_headers]);
1713 pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
1715 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1718 /* Finalize header hash */
1719 exim_sha_update_string(&hhash_ctx, CUS sig_hdr);
1720 exim_sha_finish(&hhash_ctx, &hhash);
1724 debug_printf("DKIM [%s] Header %s computed: ",
1725 sig->domain, pdkim_hashes[sig->hashtype].dkim_hashname);
1726 pdkim_hexprint(hhash.data, hhash.len);
1729 /* Remember headers block for signing (when the signing library cannot do
1731 if (ctx->flags & PDKIM_MODE_SIGN)
1732 hdata = exim_dkim_data_append(hdata, US sig_hdr);
1734 /* SIGNING ---------------------------------------------------------------- */
1735 if (ctx->flags & PDKIM_MODE_SIGN)
1737 hashmethod hm = sig->keytype == KEYTYPE_ED25519
1738 #if defined(SIGN_OPENSSL)
1743 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1745 #ifdef SIGN_HAVE_ED25519
1746 /* For GCrypt, and for EC, we pass the hash-of-headers to the signing
1747 routine. For anything else we just pass the headers. */
1749 if (sig->keytype != KEYTYPE_ED25519)
1752 hhash.data = hdata->s;
1753 hhash.len = hdata->ptr;
1756 if ((*err = exim_dkim_sign(&sctx, hm, &hhash, &sig->sighash)))
1758 log_write(0, LOG_MAIN|LOG_PANIC, "signing: %s", *err);
1759 return PDKIM_ERR_RSA_SIGNING;
1764 debug_printf( "DKIM [%s] b computed: ", sig->domain);
1765 pdkim_hexprint(sig->sighash.data, sig->sighash.len);
1768 sig->signature_header = pdkim_create_header(sig, TRUE);
1771 /* VERIFICATION ----------------------------------------------------------- */
1777 /* Make sure we have all required signature tags */
1778 if (!( sig->domain && *sig->domain
1779 && sig->selector && *sig->selector
1780 && sig->headernames && *sig->headernames
1781 && sig->bodyhash.data
1782 && sig->sighash.data
1783 && sig->keytype >= 0
1784 && sig->hashtype >= 0
1788 sig->verify_status = PDKIM_VERIFY_INVALID;
1789 sig->verify_ext_status = PDKIM_VERIFY_INVALID_SIGNATURE_ERROR;
1791 DEBUG(D_acl) debug_printf(
1792 " Error in DKIM-Signature header: tags missing or invalid (%s)\n"
1793 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n",
1794 !(sig->domain && *sig->domain) ? "d="
1795 : !(sig->selector && *sig->selector) ? "s="
1796 : !(sig->headernames && *sig->headernames) ? "h="
1797 : !sig->bodyhash.data ? "bh="
1798 : !sig->sighash.data ? "b="
1799 : sig->keytype < 0 || sig->hashtype < 0 ? "a="
1805 /* Make sure sig uses supported DKIM version (only v1) */
1806 if (sig->version != 1)
1808 sig->verify_status = PDKIM_VERIFY_INVALID;
1809 sig->verify_ext_status = PDKIM_VERIFY_INVALID_DKIM_VERSION;
1811 DEBUG(D_acl) debug_printf(
1812 " Error in DKIM-Signature header: unsupported DKIM version\n"
1813 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1819 debug_printf( "DKIM [%s] b from mail: ", sig->domain);
1820 pdkim_hexprint(sig->sighash.data, sig->sighash.len);
1823 if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx, err)))
1825 log_write(0, LOG_MAIN, "DKIM: %s%s %s%s [failed key import]",
1826 sig->domain ? "d=" : "", sig->domain ? sig->domain : US"",
1827 sig->selector ? "s=" : "", sig->selector ? sig->selector : US"");
1831 /* If the pubkey limits to a list of specific hashes, ignore sigs that
1832 do not have the hash part of the sig algorithm matching */
1834 if (sig->pubkey->hashes)
1836 const uschar * list = sig->pubkey->hashes, * ele;
1838 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
1839 if (Ustrcmp(ele, pdkim_hashes[sig->hashtype].dkim_hashname) == 0) break;
1842 DEBUG(D_acl) debug_printf("pubkey h=%s vs. sig a=%s_%s\n",
1843 sig->pubkey->hashes,
1844 pdkim_keytypes[sig->keytype],
1845 pdkim_hashes[sig->hashtype].dkim_hashname);
1846 sig->verify_status = PDKIM_VERIFY_FAIL;
1847 sig->verify_ext_status = PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH;
1852 hm = sig->keytype == KEYTYPE_ED25519
1853 #if defined(SIGN_OPENSSL)
1858 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1860 /* Check the signature */
1862 if ((*err = exim_dkim_verify(&vctx, hm, &hhash, &sig->sighash)))
1864 DEBUG(D_acl) debug_printf("headers verify: %s\n", *err);
1865 sig->verify_status = PDKIM_VERIFY_FAIL;
1866 sig->verify_ext_status = PDKIM_VERIFY_FAIL_MESSAGE;
1869 if (*dkim_verify_min_keysizes)
1872 uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
1873 dkim_verify_min_keysizes);
1874 if (ss && (minbits = atoi(CS ss)) > sig->keybits)
1876 DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n",
1877 pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
1878 sig->verify_status = PDKIM_VERIFY_FAIL;
1879 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE;
1884 /* We have a winner! (if bodyhash was correct earlier) */
1885 if (sig->verify_status == PDKIM_VERIFY_NONE)
1887 sig->verify_status = PDKIM_VERIFY_PASS;
1889 if (dkim_verify_minimal) break;
1896 debug_printf("DKIM [%s] %s signature status: %s",
1897 sig->domain, dkim_sig_to_a_tag(sig),
1898 pdkim_verify_status_str(sig->verify_status));
1899 if (sig->verify_ext_status > 0)
1900 debug_printf(" (%s)\n",
1901 pdkim_verify_ext_status_str(sig->verify_ext_status));
1908 /* If requested, set return pointer to signature(s) */
1909 if (return_signatures)
1910 *return_signatures = ctx->sig;
1912 return ctx->flags & PDKIM_MODE_SIGN || verify_pass
1913 ? PDKIM_OK : PDKIM_FAIL;
1917 /* -------------------------------------------------------------------------- */
1919 DLLEXPORT pdkim_ctx *
1920 pdkim_init_verify(uschar * (*dns_txt_callback)(const uschar *), BOOL dot_stuffing)
1924 ctx = store_get(sizeof(pdkim_ctx), GET_UNTAINTED);
1925 memset(ctx, 0, sizeof(pdkim_ctx));
1927 if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM;
1928 /* The line-buffer is for message data, hence tainted */
1929 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
1930 ctx->dns_txt_callback = dns_txt_callback;
1931 ctx->cur_header = string_get_tainted(36, GET_TAINTED);
1937 /* -------------------------------------------------------------------------- */
1939 DLLEXPORT pdkim_signature *
1940 pdkim_init_sign(pdkim_ctx * ctx,
1941 uschar * domain, uschar * selector, uschar * privkey,
1942 uschar * hashname, const uschar ** errstr)
1945 pdkim_signature * sig;
1947 if (!domain || !selector || !privkey)
1950 /* Allocate & init one signature struct */
1952 sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
1953 memset(sig, 0, sizeof(pdkim_signature));
1955 sig->bodylength = -1;
1957 sig->domain = string_copy(US domain);
1958 sig->selector = string_copy(US selector);
1959 sig->privkey = string_copy(US privkey);
1962 for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++)
1963 if (Ustrcmp(hashname, pdkim_hashes[hashtype].dkim_hashname) == 0)
1964 { sig->hashtype = hashtype; break; }
1965 if (hashtype >= nelem(pdkim_hashes))
1967 log_write(0, LOG_MAIN|LOG_PANIC,
1968 "DKIM: unrecognised hashname '%s'", hashname);
1974 pdkim_signature s = *sig;
1977 debug_printf("DKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1978 if (!pdkim_key_from_dns(ctx, &s, &vctx, errstr))
1979 debug_printf("WARNING: bad dkim key in dns\n");
1980 debug_printf("DKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1986 /* -------------------------------------------------------------------------- */
1989 pdkim_set_optional(pdkim_signature * sig,
1990 char * sign_headers,
1995 unsigned long created,
1996 unsigned long expires)
1999 sig->identity = string_copy(US identity);
2001 sig->sign_headers = string_copy(sign_headers
2002 ? US sign_headers : US PDKIM_DEFAULT_SIGN_HEADERS);
2004 sig->canon_headers = canon_headers;
2005 sig->canon_body = canon_body;
2006 sig->bodylength = bodylength;
2007 sig->created = created;
2008 sig->expires = expires;
2015 /* Set up a blob for calculating the bodyhash according to the
2016 given needs. Use an existing one if possible, or create a new one.
2018 Return: hashblob pointer, or NULL on error
2021 pdkim_set_bodyhash(pdkim_ctx * ctx, int hashtype, int canon_method,
2026 if (hashtype == -1 || canon_method == -1) return NULL;
2028 for (b = ctx->bodyhash; b; b = b->next)
2029 if ( hashtype == b->hashtype
2030 && canon_method == b->canon_method
2031 && bodylength == b->bodylength)
2033 DEBUG(D_receive) debug_printf("DKIM: using existing bodyhash %s/%s/%ld\n",
2034 pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
2038 DEBUG(D_receive) debug_printf("DKIM: new bodyhash %s/%s/%ld\n",
2039 pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
2040 b = store_get(sizeof(pdkim_bodyhash), GET_UNTAINTED);
2041 b->next = ctx->bodyhash;
2042 b->hashtype = hashtype;
2043 b->canon_method = canon_method;
2044 b->bodylength = bodylength;
2045 if (!exim_sha_init(&b->body_hash_ctx, /*XXX hash method: extend for sha512 */
2046 pdkim_hashes[hashtype].exim_hashmethod))
2049 debug_printf("DKIM: hash init error, possibly nonhandled hashtype\n");
2052 b->signed_body_bytes = 0;
2053 b->num_buffered_blanklines = 0;
2059 /* Set up a blob for calculating the bodyhash according to the
2060 needs of this signature. Use an existing one if possible, or
2063 Return: hashblob pointer, or NULL on error (only used as a boolean).
2066 pdkim_set_sig_bodyhash(pdkim_ctx * ctx, pdkim_signature * sig)
2068 pdkim_bodyhash * b = pdkim_set_bodyhash(ctx,
2069 sig->hashtype, sig->canon_body, sig->bodylength);
2070 sig->calc_body_hash = b;
2075 /* -------------------------------------------------------------------------- */
2079 pdkim_init_context(pdkim_ctx * ctx, BOOL dot_stuffed,
2080 uschar * (*dns_txt_callback)(const uschar *))
2082 memset(ctx, 0, sizeof(pdkim_ctx));
2083 ctx->flags = dot_stuffed ? PDKIM_MODE_SIGN | PDKIM_DOT_TERM : PDKIM_MODE_SIGN;
2084 /* The line buffer is for message data, hence tainted */
2085 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
2086 DEBUG(D_acl) ctx->dns_txt_callback = dns_txt_callback;
2098 #endif /*DISABLE_DKIM*/