2 * PDKIM - a RFC4871 (DKIM) implementation
4 * Copyright (c) The Exim Maintainers 2021 - 2024
5 * Copyright (C) 2016 - 2020 Jeremy Harris <jgh@exim.org>
6 * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
7 * SPDX-License-Identifier: GPL-2.0-or-later
9 * http://duncanthrax.net/pdkim/
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #ifndef DISABLE_DKIM /* entire file */
32 # error Must not DISABLE_TLS, for DKIM
35 #include "crypt_ver.h"
38 # include <openssl/rsa.h>
39 # include <openssl/ssl.h>
40 # include <openssl/err.h>
41 #elif defined(SIGN_GNUTLS)
42 # include <gnutls/gnutls.h>
43 # include <gnutls/x509.h>
49 #define PDKIM_SIGNATURE_VERSION "1"
50 #define PDKIM_PUB_RECORD_VERSION US "DKIM1"
52 #define PDKIM_MAX_HEADER_LEN 65536
53 #define PDKIM_MAX_HEADERS 512
54 #define PDKIM_MAX_BODY_LINE_LEN 16384
55 #define PDKIM_DNS_TXT_MAX_NAMELEN 1024
57 /* -------------------------------------------------------------------------- */
58 struct pdkim_stringlist {
64 /* -------------------------------------------------------------------------- */
65 /* A bunch of list constants */
66 const uschar * pdkim_querymethods[] = {
70 const uschar * pdkim_canons[] = {
76 const pdkim_hashtype pdkim_hashes[] = {
77 { US"sha1", HASH_SHA1 },
78 { US"sha256", HASH_SHA2_256 },
79 { US"sha512", HASH_SHA2_512 }
82 const uschar * pdkim_keytypes[] = {
83 [KEYTYPE_RSA] = US"rsa",
84 #ifdef SIGN_HAVE_ED25519
85 [KEYTYPE_ED25519] = US"ed25519", /* Works for 3.6.0 GnuTLS, OpenSSL 1.1.1 */
88 #ifdef notyet_EC_dkim_extensions /* https://tools.ietf.org/html/draft-srose-dkim-ecc-00 */
95 typedef struct pdkim_combined_canon_entry {
99 } pdkim_combined_canon_entry;
101 pdkim_combined_canon_entry pdkim_combined_canons[] = {
102 { US"simple/simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
103 { US"simple/relaxed", PDKIM_CANON_SIMPLE, PDKIM_CANON_RELAXED },
104 { US"relaxed/simple", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
105 { US"relaxed/relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_RELAXED },
106 { US"simple", PDKIM_CANON_SIMPLE, PDKIM_CANON_SIMPLE },
107 { US"relaxed", PDKIM_CANON_RELAXED, PDKIM_CANON_SIMPLE },
112 static const blob lineending = {.data = US"\r\n", .len = 2};
114 /* -------------------------------------------------------------------------- */
116 dkim_sig_to_a_tag(const pdkim_signature * sig)
118 if ( sig->keytype < 0 || sig->keytype > nelem(pdkim_keytypes)
119 || sig->hashtype < 0 || sig->hashtype > nelem(pdkim_hashes))
121 return string_sprintf("%s-%s",
122 pdkim_keytypes[sig->keytype], pdkim_hashes[sig->hashtype].dkim_hashname);
127 pdkim_keyname_to_keytype(const uschar * s)
129 for (int i = 0; i < nelem(pdkim_keytypes); i++)
130 if (Ustrcmp(s, pdkim_keytypes[i]) == 0) return i;
135 pdkim_hashname_to_hashtype(const uschar * s, unsigned len)
137 if (!len) len = Ustrlen(s);
138 for (int i = 0; i < nelem(pdkim_hashes); i++)
139 if (Ustrncmp(s, pdkim_hashes[i].dkim_hashname, len) == 0)
145 pdkim_cstring_to_canons(const uschar * s, unsigned len,
146 int * canon_head, int * canon_body)
148 if (!len) len = Ustrlen(s);
149 for (int i = 0; pdkim_combined_canons[i].str; i++)
150 if ( Ustrncmp(s, pdkim_combined_canons[i].str, len) == 0
151 && len == Ustrlen(pdkim_combined_canons[i].str))
153 *canon_head = pdkim_combined_canons[i].canon_headers;
154 *canon_body = pdkim_combined_canons[i].canon_body;
162 pdkim_verify_status_str(int status)
166 case PDKIM_VERIFY_NONE: return "PDKIM_VERIFY_NONE";
167 case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
168 case PDKIM_VERIFY_FAIL: return "PDKIM_VERIFY_FAIL";
169 case PDKIM_VERIFY_PASS: return "PDKIM_VERIFY_PASS";
170 default: return "PDKIM_VERIFY_UNKNOWN";
175 pdkim_verify_ext_status_str(int ext_status)
179 case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
180 case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
181 case PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH: return "PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH";
182 case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
183 case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
184 case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
185 case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
186 case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: return "PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE";
187 case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR";
188 case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION";
189 default: return "PDKIM_VERIFY_UNKNOWN";
194 pdkim_errstr(int status)
198 case PDKIM_OK: return US"OK";
199 case PDKIM_FAIL: return US"FAIL";
200 case PDKIM_ERR_RSA_PRIVKEY: return US"PRIVKEY";
201 case PDKIM_ERR_RSA_SIGNING: return US"SIGNING";
202 case PDKIM_ERR_LONG_LINE: return US"LONG_LINE";
203 case PDKIM_ERR_BUFFER_TOO_SMALL: return US"BUFFER_TOO_SMALL";
204 case PDKIM_ERR_EXCESS_SIGS: return US"EXCESS_SIGS";
205 case PDKIM_SIGN_PRIVKEY_WRAP: return US"PRIVKEY_WRAP";
206 case PDKIM_SIGN_PRIVKEY_B64D: return US"PRIVKEY_B64D";
207 default: return US"(unknown)";
212 /* -------------------------------------------------------------------------- */
215 static pdkim_stringlist *
216 pdkim_prepend_stringlist(pdkim_stringlist * base, const uschar * str)
218 pdkim_stringlist * new_entry = store_get(sizeof(pdkim_stringlist), GET_UNTAINTED);
220 memset(new_entry, 0, sizeof(pdkim_stringlist));
221 new_entry->value = string_copy(str);
222 if (base) new_entry->next = base;
228 /* Trim whitespace fore & aft */
231 pdkim_strtrim(gstring * str)
236 while (*p == '\t' || *p == ' ') /* dump the leading whitespace */
237 { str->size--; str->ptr--; str->s++; }
240 && ((q = str->s + str->ptr - 1), (*q == '\t' || *q == ' '))
242 str->ptr--; /* dump trailing whitespace */
244 (void) string_from_gstring(str);
249 /* -------------------------------------------------------------------------- */
252 pdkim_free_ctx(pdkim_ctx *ctx)
257 /* -------------------------------------------------------------------------- */
258 /* Matches the name of the passed raw "header" against
259 the passed colon-separated "tick", and invalidates
260 the entry in tick. Entries can be prefixed for multi- or over-signing,
261 in which case do not invalidate.
263 Returns OK for a match, or fail-code
267 header_name_match(const uschar * header, uschar * tick)
269 const uschar * ticklist = tick;
272 uschar * hname, * p, * ele;
273 uschar * hcolon = Ustrchr(header, ':'); /* Get header name */
276 return PDKIM_FAIL; /* This isn't a header */
278 /* if we had strncmpic() we wouldn't need this copy */
279 hname = string_copyn(header, hcolon-header);
281 while (p = US ticklist, ele = string_nextinlist(&ticklist, &sep, NULL, 0))
285 case '=': case '+': multisign = TRUE; ele++; break;
286 default: multisign = FALSE; break;
289 if (strcmpic(ele, hname) == 0)
292 *p = '_'; /* Invalidate this header name instance in tick-off list */
300 /* -------------------------------------------------------------------------- */
302 /* Performs "relaxed" canonicalization of a header. */
305 pdkim_relax_header_n(const uschar * header, int len, BOOL append_crlf)
307 BOOL past_field_name = FALSE;
308 BOOL seen_wsp = FALSE;
309 uschar * relaxed = store_get(len+3, GET_TAINTED);
310 uschar * q = relaxed;
312 for (const uschar * p = header; p - header < len; p++)
316 if (c == '\r' || c == '\n') /* Ignore CR & LF */
318 if (c == '\t' || c == ' ')
322 c = ' '; /* Turns WSP into SP */
326 if (!past_field_name && c == ':')
328 if (seen_wsp) q--; /* This removes WSP immediately before the colon */
329 seen_wsp = TRUE; /* This removes WSP immediately after the colon */
330 past_field_name = TRUE;
335 /* Lowercase header name */
336 if (!past_field_name) c = tolower(c);
340 if (q > relaxed && q[-1] == ' ') q--; /* Squash eventual trailing SP */
342 if (append_crlf) { *q++ = '\r'; *q++ = '\n'; }
349 pdkim_relax_header(const uschar * header, BOOL append_crlf)
351 return pdkim_relax_header_n(header, Ustrlen(header), append_crlf);
355 /* -------------------------------------------------------------------------- */
356 #define PDKIM_QP_ERROR_DECODE -1
358 static const uschar *
359 pdkim_decode_qp_char(const uschar *qp_p, int *c)
361 const uschar *initial_pos = qp_p;
363 /* Advance one char */
366 /* Check for two hex digits and decode them */
367 if (isxdigit(*qp_p) && isxdigit(qp_p[1]))
369 /* Do hex conversion */
370 *c = (isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10) << 4;
371 *c |= isdigit(qp_p[1]) ? qp_p[1] - '0' : toupper(qp_p[1]) - 'A' + 10;
375 /* Illegal char here */
376 *c = PDKIM_QP_ERROR_DECODE;
381 /* -------------------------------------------------------------------------- */
384 pdkim_decode_qp(const uschar * str)
388 const uschar * p = str;
389 uschar * n = store_get(Ustrlen(str)+1, GET_TAINTED);
397 p = pdkim_decode_qp_char(p, &nchar);
413 /* -------------------------------------------------------------------------- */
416 pdkim_decode_base64(const uschar * str, blob * b)
418 int dlen = b64decode(str, &b->data, str);
419 if (dlen < 0) b->data = NULL;
424 pdkim_encode_base64(blob * b)
426 return b64encode(b->data, b->len);
430 /* -------------------------------------------------------------------------- */
431 #define PDKIM_HDR_LIMBO 0
432 #define PDKIM_HDR_TAG 1
433 #define PDKIM_HDR_VALUE 2
435 static pdkim_signature *
436 pdkim_parse_sig_header(pdkim_ctx * ctx, uschar * raw_hdr)
438 pdkim_signature * sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
440 gstring * cur_tag = NULL, * cur_val = NULL;
441 BOOL past_hname = FALSE, in_b_val = FALSE;
442 int where = PDKIM_HDR_LIMBO;
444 memset(sig, 0, sizeof(pdkim_signature));
445 sig->bodylength = -1;
447 /* Set so invalid/missing data error display is accurate */
452 q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1, GET_TAINTED);
454 for (uschar * p = raw_hdr; ; p++)
459 if (c == '\r' || c == '\n')
462 /* Fast-forward through header name */
465 if (c == ':') past_hname = TRUE;
469 if (where == PDKIM_HDR_LIMBO)
471 /* In limbo, just wait for a tag-char to appear */
472 if (!(c >= 'a' && c <= 'z'))
475 where = PDKIM_HDR_TAG;
478 if (where == PDKIM_HDR_TAG)
481 if (Ustrcmp(string_from_gstring(cur_tag), "b") == 0)
486 where = PDKIM_HDR_VALUE;
489 else if (!isspace(c))
490 cur_tag = string_catn(cur_tag, p, 1);
492 if (where == PDKIM_HDR_VALUE)
494 if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
497 if (c == ';' || c == '\0')
499 /* We must have both tag and value, and tags must be one char except
500 for the possibility of "bh". */
502 if ( cur_tag && cur_val
503 && (cur_tag->ptr == 1 || *cur_tag->s == 'b')
506 (void) string_from_gstring(cur_val);
507 pdkim_strtrim(cur_val);
509 DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->s, cur_val->s);
513 case 'b': /* sig-data or body-hash */
514 switch (cur_tag->s[1])
516 case '\0': pdkim_decode_base64(cur_val->s, &sig->sighash); break;
517 case 'h': if (cur_tag->ptr != 2) goto bad_tag;
518 pdkim_decode_base64(cur_val->s, &sig->bodyhash);
520 default: goto bad_tag;
523 case 'v': /* version */
524 /* We only support version 1, and that is currently the
525 only version there is. */
527 Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
529 case 'a': /* algorithm */
531 const uschar * list = cur_val->s;
535 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
536 sig->keytype = pdkim_keyname_to_keytype(elem);
537 if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
538 for (int i = 0; i < nelem(pdkim_hashes); i++)
539 if (Ustrcmp(elem, pdkim_hashes[i].dkim_hashname) == 0)
540 { sig->hashtype = i; break; }
544 case 'c': /* canonicalization */
545 pdkim_cstring_to_canons(cur_val->s, 0,
546 &sig->canon_headers, &sig->canon_body);
548 case 'q': /* Query method (for pubkey)*/
549 for (int i = 0; pdkim_querymethods[i]; i++)
550 if (Ustrcmp(cur_val->s, pdkim_querymethods[i]) == 0)
552 sig->querymethod = i; /* we never actually use this */
556 case 's': /* Selector */
557 sig->selector = string_copy_from_gstring(cur_val); break;
559 sig->domain = string_copy_from_gstring(cur_val); break;
561 sig->identity = pdkim_decode_qp(cur_val->s); break;
562 case 't': /* Timestamp */
563 sig->created = strtoul(CS cur_val->s, NULL, 10); break;
564 case 'x': /* Expiration */
565 sig->expires = strtoul(CS cur_val->s, NULL, 10); break;
566 case 'l': /* Body length count */
567 sig->bodylength = strtol(CS cur_val->s, NULL, 10); break;
568 case 'h': /* signed header fields */
569 sig->headernames = string_copy_from_gstring(cur_val); break;
570 case 'z': /* Copied headfields */
571 sig->copiedheaders = pdkim_decode_qp(cur_val->s); break;
572 /*XXX draft-ietf-dcrup-dkim-crypto-05 would need 'p' tag support
573 for rsafp signatures. But later discussion is dropping those. */
579 bad_tag: DEBUG(D_acl) debug_printf(" Unknown tag encountered: %Y\n", cur_tag);
581 cur_tag = cur_val = NULL;
583 where = PDKIM_HDR_LIMBO;
586 cur_val = string_catn(cur_val, p, 1);
597 if (sig->keytype < 0 || sig->hashtype < 0) /* Cannot verify this signature */
601 /* Chomp raw header. The final newline must not be added to the signature. */
602 while (--q > sig->rawsig_no_b_val && (*q == '\r' || *q == '\n'))
608 "DKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
609 debug_printf("%Z\n", US sig->rawsig_no_b_val);
611 "DKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8);
613 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
616 if (!pdkim_set_sig_bodyhash(ctx, sig))
623 /* -------------------------------------------------------------------------- */
626 pdkim_parse_pubkey_record(const uschar * raw_record)
628 pdkim_pubkey * pub = store_get(sizeof(pdkim_pubkey), GET_TAINTED);
630 memset(pub, 0, sizeof(pdkim_pubkey));
632 for (const uschar * ele = raw_record, * tspec, * end, * val; *ele; ele = end)
634 Uskip_whitespace(&ele);
635 end = Ustrchrnul(ele, ';');
636 tspec = string_copyn(ele, end - ele);
637 if (*end) end++; /* skip the ; */
639 if ((val = Ustrchr(tspec, '=')))
641 int taglen = val++ - tspec;
643 DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, tspec, val);
644 while (taglen > 1 && isspace(tspec[taglen-1]))
645 taglen--; /* Ignore whitespace before = */
646 Uskip_whitespace(&val); /* Ignore whitespace after = */
647 if (isspace(val[ Ustrlen(val)-1 ]))
648 { /* Ignore whitespace after value */
649 gstring * g = string_cat(NULL, val);
650 while (isspace(gstring_last_char(g)))
652 val = string_from_gstring(g);
655 if (taglen == 1) switch (tspec[0])
657 case 'v': pub->version = val; break;
658 case 'h': pub->hashes = val; break;
659 case 'k': pub->keytype = val; break;
660 case 'g': pub->granularity = val; break;
661 case 'n': pub->notes = pdkim_decode_qp(val); break;
662 case 'p': pdkim_decode_base64(val, &pub->key); break;
663 case 's': pub->srvtype = val; break;
664 case 't': if (Ustrchr(val, 'y')) pub->testing = 1;
665 if (Ustrchr(val, 's')) pub->no_subdomaining = 1;
667 default: goto bad_tag;
671 DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
675 /* Set fallback defaults */
677 pub->version = string_copy(PDKIM_PUB_RECORD_VERSION);
678 else if (Ustrcmp(pub->version, PDKIM_PUB_RECORD_VERSION) != 0)
680 DEBUG(D_acl) debug_printf(" Bad v= field\n");
684 if (!pub->granularity) pub->granularity = US"*";
685 if (!pub->keytype ) pub->keytype = US"rsa";
686 if (!pub->srvtype ) pub->srvtype = US"*";
692 DEBUG(D_acl) debug_printf(" Missing p= field\n");
697 /* -------------------------------------------------------------------------- */
699 /* Update one bodyhash with some additional data.
700 If we have to relax the data for this sig, return our copy of it. */
703 pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob * orig_data, blob * relaxed_data)
705 const blob * canon_data = orig_data;
708 /* Defaults to simple canon (no further treatment necessary) */
710 if (b->canon_method == PDKIM_CANON_RELAXED)
712 /* Relax the line if not done already */
715 BOOL seen_wsp = FALSE;
718 /* We want to be able to free this else we allocate
719 for the entire message which could be many MB. Since
720 we don't know what allocations the SHA routines might
721 do, not safe to use store_get()/store_reset(). */
723 relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
724 relaxed_data->data = US (relaxed_data+1);
726 for (const uschar * p = orig_data->data, * r = p + orig_data->len; p < r; p++)
731 if (q > 0 && relaxed_data->data[q-1] == ' ')
734 else if (c == '\t' || c == ' ')
736 c = ' '; /* Turns WSP into SP */
743 relaxed_data->data[q++] = c;
745 relaxed_data->data[q] = '\0';
746 relaxed_data->len = q;
748 canon_data = relaxed_data;
751 /* Make sure we don't exceed the to-be-signed body length */
752 left = canon_data->len;
753 if ( b->bodylength >= 0
754 && left > (unsigned long)b->bodylength - b->signed_body_bytes
756 left = (unsigned long)b->bodylength - b->signed_body_bytes;
760 exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, left);
761 b->signed_body_bytes += left;
762 DEBUG(D_acl) debug_printf("%.*Z\n", left, canon_data->data);
769 /* -------------------------------------------------------------------------- */
772 pdkim_finish_bodyhash(pdkim_ctx * ctx)
774 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next) /* Finish hashes */
776 DEBUG(D_acl) debug_printf("DKIM: finish bodyhash %s/%s/%ld len %ld\n",
777 pdkim_hashes[b->hashtype].dkim_hashname, pdkim_canons[b->canon_method],
778 b->bodylength, b->signed_body_bytes);
779 exim_sha_finish(&b->body_hash_ctx, &b->bh);
782 /* Traverse all signatures */
783 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
785 pdkim_bodyhash * b = sig->calc_body_hash;
789 debug_printf("DKIM [%s]%s Body bytes (%s) hashed: %lu\n"
790 "DKIM [%s]%s Body %s computed: ",
791 sig->domain, sig->selector, pdkim_canons[b->canon_method], b->signed_body_bytes,
792 sig->domain, sig->selector, pdkim_hashes[b->hashtype].dkim_hashname);
793 debug_printf("%.*H\n", b->bh.len, CUS b->bh.data);
796 /* SIGNING -------------------------------------------------------------- */
797 if (ctx->flags & PDKIM_MODE_SIGN)
799 /* If bodylength limit is set, and we have received less bytes
800 than the requested amount, effectively remove the limit tag. */
801 if (b->signed_body_bytes < sig->bodylength)
802 sig->bodylength = -1;
806 /* VERIFICATION --------------------------------------------------------- */
807 /* Be careful that the header sig included a bodyash */
809 if (sig->bodyhash.data && sig->bodyhash.len == b->bh.len
810 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
812 DEBUG(D_acl) debug_printf("DKIM [%s] Body hash compared OK\n", sig->domain);
818 debug_printf("DKIM [%s] Body hash signature from headers: ", sig->domain);
819 debug_printf("%.*H\n", sig->bodyhash.len, sig->bodyhash.data);
820 debug_printf("DKIM [%s] Body hash did NOT verify\n", sig->domain);
822 sig->verify_status = PDKIM_VERIFY_FAIL;
823 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
831 pdkim_body_complete(pdkim_ctx * ctx)
833 /* In simple body mode, if any empty lines were buffered,
834 replace with one. rfc 4871 3.4.3 */
835 /*XXX checking the signed-body-bytes is a gross hack; I think
836 it indicates that all linebreaks should be buffered, including
837 the one terminating a text line */
839 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
840 if ( b->canon_method == PDKIM_CANON_SIMPLE
841 && b->signed_body_bytes == 0
842 && b->num_buffered_blanklines > 0
844 (void) pdkim_update_ctx_bodyhash(b, &lineending, NULL);
846 ctx->flags |= PDKIM_SEEN_EOD;
847 ctx->linebuf_offset = 0;
852 /* -------------------------------------------------------------------------- */
853 /* Call from pdkim_feed below for processing complete body lines */
854 /* NOTE: the line is not NUL-terminated; but we have a count */
857 pdkim_bodyline_complete(pdkim_ctx * ctx)
859 blob line = {.data = ctx->linebuf, .len = ctx->linebuf_offset};
863 /* Ignore extra data if we've seen the end-of-data marker */
864 if (ctx->flags & PDKIM_SEEN_EOD) goto all_skip;
866 /* We've always got one extra byte to stuff a zero ... */
867 ctx->linebuf[line.len] = '\0';
869 /* Terminate on EOD marker */
870 if (ctx->flags & PDKIM_DOT_TERM)
872 if (memcmp(line.data, ".\r\n", 3) == 0)
873 { pdkim_body_complete(ctx); return; }
876 if (memcmp(line.data, "..", 2) == 0)
877 { line.data++; line.len--; }
880 /* Empty lines need to be buffered until we find a non-empty line */
881 if (memcmp(line.data, "\r\n", 2) == 0)
883 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
884 b->num_buffered_blanklines++;
888 /* Process line for each bodyhash separately */
889 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
891 if (b->canon_method == PDKIM_CANON_RELAXED)
893 /* Lines with just spaces need to be buffered too */
894 uschar * cp = line.data;
899 if (c == '\r' && cp[1] == '\n') break;
900 if (c != ' ' && c != '\t') goto hash_process;
904 b->num_buffered_blanklines++;
909 /* At this point, we have a non-empty line, so release the buffered ones. */
911 while (b->num_buffered_blanklines)
913 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
914 b->num_buffered_blanklines--;
917 rline = pdkim_update_ctx_bodyhash(b, &line, rline);
921 if (rnl) store_free(rnl);
922 if (rline) store_free(rline);
926 ctx->linebuf_offset = 0;
931 /* -------------------------------------------------------------------------- */
932 /* Callback from pdkim_feed below for processing complete headers */
933 #define DKIM_SIGNATURE_HEADERNAME "DKIM-Signature:"
936 pdkim_header_complete(pdkim_ctx * ctx)
938 if (ctx->cur_header->ptr > 1)
939 gstring_trim_trailing(ctx->cur_header, '\r');
940 (void) string_from_gstring(ctx->cur_header);
942 #ifdef EXPERIMENTAL_ARC
943 /* Feed the header line to ARC processing */
944 (void) arc_header_feed(ctx->cur_header, !(ctx->flags & PDKIM_MODE_SIGN));
947 if (++ctx->num_headers > PDKIM_MAX_HEADERS) goto BAIL;
949 /* SIGNING -------------------------------------------------------------- */
950 if (ctx->flags & PDKIM_MODE_SIGN)
951 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next) /* Traverse all signatures */
953 /* Add header to the signed headers list (in reverse order) */
954 sig->headers = pdkim_prepend_stringlist(sig->headers, ctx->cur_header->s);
956 /* VERIFICATION ----------------------------------------------------------- */
957 /* DKIM-Signature: headers are added to the verification list */
961 DEBUG(D_acl) debug_printf("DKIM >> raw hdr: %.*Z\n",
962 ctx->cur_head->ptr, CUS ctx->cur_header->s);
964 if (strncasecmp(CCS ctx->cur_header->s,
965 DKIM_SIGNATURE_HEADERNAME,
966 Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
968 pdkim_signature * sig, * last_sig;
969 /* Create and chain new signature block. We could error-check for all
970 required tags here, but prefer to create the internal sig and expicitly
971 fail verification of it later. */
973 DEBUG(D_acl) debug_printf(
974 "DKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
976 sig = pdkim_parse_sig_header(ctx, ctx->cur_header->s);
978 if (!(last_sig = ctx->sig))
982 while (last_sig->next) last_sig = last_sig->next;
983 last_sig->next = sig;
986 if (dkim_collect_input && --dkim_collect_input == 0)
988 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
989 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
990 return PDKIM_ERR_EXCESS_SIGS;
994 /* all headers are stored for signature verification */
995 ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
999 ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0'; /* leave buffer for reuse */
1005 /* -------------------------------------------------------------------------- */
1006 #define HEADER_BUFFER_FRAG_SIZE 256
1009 pdkim_feed(pdkim_ctx * ctx, const uschar * data, unsigned len)
1011 /* Alternate EOD signal, used in non-dotstuffing mode */
1013 pdkim_body_complete(ctx);
1015 else for (unsigned p = 0; p < len; p++)
1020 if (ctx->flags & PDKIM_PAST_HDRS)
1022 if (c == '\n' && !(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1024 ctx->linebuf[ctx->linebuf_offset++] = '\r';
1025 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1026 return PDKIM_ERR_LONG_LINE;
1029 /* Processing body byte */
1030 ctx->linebuf[ctx->linebuf_offset++] = c;
1032 ctx->flags |= PDKIM_SEEN_CR;
1035 ctx->flags &= ~PDKIM_SEEN_CR;
1036 pdkim_bodyline_complete(ctx);
1039 if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
1040 return PDKIM_ERR_LONG_LINE;
1044 /* Processing header byte */
1046 ctx->flags |= PDKIM_SEEN_CR;
1049 if (!(ctx->flags & PDKIM_SEEN_CR)) /* emulate the CR */
1050 ctx->cur_header = string_catn(ctx->cur_header, CUS "\r", 1);
1052 if (ctx->flags & PDKIM_SEEN_LF) /* Seen last header line */
1054 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1057 ctx->flags = (ctx->flags & ~(PDKIM_SEEN_LF|PDKIM_SEEN_CR)) | PDKIM_PAST_HDRS;
1058 DEBUG(D_acl) debug_printf(
1059 "DKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1063 ctx->flags = (ctx->flags & ~PDKIM_SEEN_CR) | PDKIM_SEEN_LF;
1065 else if (ctx->flags & PDKIM_SEEN_LF)
1067 if (!(c == '\t' || c == ' ')) /* End of header */
1068 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1070 ctx->flags &= ~PDKIM_SEEN_LF;
1073 if (!ctx->cur_header || ctx->cur_header->ptr < PDKIM_MAX_HEADER_LEN)
1074 ctx->cur_header = string_catn(ctx->cur_header, CUS &data[p], 1);
1082 /* Extend a growing header with a continuation-linebreak */
1084 pdkim_hdr_cont(gstring * str, int * col)
1087 return string_catn(str, US"\r\n\t", 3);
1093 * RFC 5322 specifies that header line length SHOULD be no more than 78
1096 * Returns gstring (not nul-terminated) appending to one supplied
1098 * col: this int holds and receives column number (octets since last '\n')
1099 * str: partial string to append to
1100 * pad: padding, split line or space after before or after eg: ";".
1101 * Only the initial charater is used.
1102 * intro: - must join to payload eg "h=", usually the tag name
1103 * payload: eg base64 data - long data can be split arbitrarily.
1105 * this code doesn't fold the header in some of the places that RFC4871
1106 * allows: As per RFC5322(2.2.3) it only folds before or after tag-value
1107 * pairs and inside long values. it also always spaces or breaks after the
1110 * No guarantees are made for output given out-of range input. like tag
1111 * names longer than 78, or bogus col. Input is assumed to be free of line breaks.
1115 pdkim_headcat(int * col, gstring * str,
1116 const uschar * pad, const uschar * intro, const uschar * payload)
1118 int len, chomp, padded = 0;
1120 /* If we can fit at least the pad at the end of current line, do it now.
1121 Otherwise, wrap if there is a pad. */
1126 str = string_catn(str, pad, 1);
1132 str = pdkim_hdr_cont(str, col);
1134 /* Special case: if the whole addition does not fit at the end of the current
1135 line, but could fit on a new line, wrap to give it its full, dedicated line. */
1137 len = (pad ? 2 : padded)
1138 + (intro ? Ustrlen(intro) : 0)
1139 + (payload ? Ustrlen(payload) : 0);
1140 if (len <= 77 && *col+len > 78)
1142 str = pdkim_hdr_cont(str, col);
1146 /* Either we already dealt with the pad or we know there is room */
1150 str = string_catn(str, pad, 1);
1151 str = string_catn(str, US" ", 1);
1154 else if (padded && *col < 78)
1156 str = string_catn(str, US" ", 1);
1160 /* Call recursively with intro as payload: it gets the same, special treatment
1161 (that is, not split if < 78). */
1164 str = pdkim_headcat(col, str, NULL, NULL, intro);
1167 for (len = Ustrlen(payload); len; len -= chomp)
1170 str = pdkim_hdr_cont(str, col);
1171 chomp = *col+len > 78 ? 78 - *col : len;
1172 str = string_catn(str, payload, chomp);
1181 /* -------------------------------------------------------------------------- */
1183 /* Signing: create signature header
1186 pdkim_create_header(pdkim_signature * sig, BOOL final)
1192 gstring * canon_all;
1194 canon_all = string_cat (NULL, pdkim_canons[sig->canon_headers]);
1195 canon_all = string_catn(canon_all, US"/", 1);
1196 canon_all = string_cat (canon_all, pdkim_canons[sig->canon_body]);
1197 (void) string_from_gstring(canon_all);
1199 hdr = string_cat(NULL, US"DKIM-Signature: v="PDKIM_SIGNATURE_VERSION);
1202 /* Required and static bits */
1203 hdr = pdkim_headcat(&col, hdr, US";", US"a=", dkim_sig_to_a_tag(sig));
1204 hdr = pdkim_headcat(&col, hdr, US";", US"q=", pdkim_querymethods[sig->querymethod]);
1205 hdr = pdkim_headcat(&col, hdr, US";", US"c=", canon_all->s);
1206 hdr = pdkim_headcat(&col, hdr, US";", US"d=", sig->domain);
1207 hdr = pdkim_headcat(&col, hdr, US";", US"s=", sig->selector);
1209 /* list of header names can be split between items. */
1211 uschar * n = string_copy(sig->headernames);
1212 uschar * i = US"h=";
1217 uschar * c = Ustrchr(n, ':');
1222 hdr = pdkim_headcat(&col, hdr, NULL, NULL, US":");
1224 hdr = pdkim_headcat(&col, hdr, s, i, n);
1235 base64_bh = pdkim_encode_base64(&sig->calc_body_hash->bh);
1236 hdr = pdkim_headcat(&col, hdr, US";", US"bh=", base64_bh);
1240 hdr = pdkim_headcat(&col, hdr, US";", US"i=", sig->identity);
1242 if (sig->created > 0)
1246 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->created);
1247 hdr = pdkim_headcat(&col, hdr, US";", US"t=", minibuf);
1250 if (sig->expires > 0)
1254 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->expires);
1255 hdr = pdkim_headcat(&col, hdr, US";", US"x=", minibuf);
1258 if (sig->bodylength >= 0)
1262 snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->bodylength);
1263 hdr = pdkim_headcat(&col, hdr, US";", US"l=", minibuf);
1266 /* Preliminary or final version? */
1269 base64_b = pdkim_encode_base64(&sig->sighash);
1270 hdr = pdkim_headcat(&col, hdr, US";", US"b=", base64_b);
1272 /* add trailing semicolon: I'm not sure if this is actually needed */
1273 hdr = pdkim_headcat(&col, hdr, NULL, US";", US"");
1277 /* To satisfy the rule "all surrounding whitespace [...] deleted"
1278 ( RFC 6376 section 3.7 ) we ensure there is no whitespace here. Otherwise
1279 the headcat routine could insert a linebreak which the relaxer would reduce
1280 to a single space preceding the terminating semicolon, resulting in an
1281 incorrect header-hash. */
1282 hdr = pdkim_headcat(&col, hdr, US";", US"b=;", US"");
1285 return string_from_gstring(hdr);
1289 /* -------------------------------------------------------------------------- */
1291 /* According to draft-ietf-dcrup-dkim-crypto-07 "keys are 256 bits" (referring
1292 to DNS, hence the pubkey). Check for more than 32 bytes; if so assume the
1293 alternate possible representation (still) being discussed: a
1294 SubjectPublickeyInfo wrapped key - and drop all but the trailing 32-bytes (it
1295 should be a DER, with exactly 12 leading bytes - but we could accept a BER also,
1296 which could be any size). We still rely on the crypto library for checking for
1299 When the RFC is published this should be re-addressed. */
1302 check_bare_ed25519_pubkey(pdkim_pubkey * p)
1304 int excess = p->key.len - 32;
1308 debug_printf("DKIM: unexpected pubkey len %lu\n", (unsigned long) p->key.len);
1309 p->key.data += excess; p->key.len = 32;
1314 static pdkim_pubkey *
1315 pdkim_key_from_dns(pdkim_ctx * ctx, pdkim_signature * sig, ev_ctx * vctx,
1316 const uschar ** errstr)
1318 uschar * dns_txt_name, * dns_txt_reply;
1321 /* Fetch public key for signing domain, from DNS */
1323 dns_txt_name = string_sprintf("%s._domainkey.%s.", sig->selector, sig->domain);
1325 if ( !(dns_txt_reply = ctx->dns_txt_callback(dns_txt_name))
1326 || dns_txt_reply[0] == '\0'
1329 sig->verify_status = PDKIM_VERIFY_INVALID;
1330 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
1337 "DKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
1339 " Raw record: %Z\n",
1344 if ( !(p = pdkim_parse_pubkey_record(CUS dns_txt_reply))
1345 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
1348 sig->verify_status = PDKIM_VERIFY_INVALID;
1349 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
1354 debug_printf(" Invalid public key service type '%s'\n", p->srvtype);
1356 debug_printf(" Error while parsing public key record\n");
1358 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1363 DEBUG(D_acl) debug_printf(
1364 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1366 /* Import public key */
1368 /* Normally we use the signature a= tag to tell us the pubkey format.
1369 When signing under debug we do a test-import of the pubkey, and at that
1370 time we do not have a signature so we must interpret the pubkey k= tag
1371 instead. Assume writing on the sig is ok in that case. */
1373 if (sig->keytype < 0)
1374 if ((sig->keytype = pdkim_keyname_to_keytype(p->keytype)) < 0)
1376 DEBUG(D_acl) debug_printf("verify_init: unhandled keytype %s\n", p->keytype);
1377 sig->verify_status = PDKIM_VERIFY_INVALID;
1378 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1382 if (sig->keytype == KEYTYPE_ED25519)
1383 check_bare_ed25519_pubkey(p);
1385 if ((*errstr = exim_dkim_verify_init(&p->key,
1386 sig->keytype == KEYTYPE_ED25519 ? KEYFMT_ED25519_BARE : KEYFMT_DER,
1387 vctx, &sig->keybits)))
1389 DEBUG(D_acl) debug_printf("verify_init: %s\n", *errstr);
1390 sig->verify_status = PDKIM_VERIFY_INVALID;
1391 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
1395 vctx->keytype = sig->keytype;
1400 /* -------------------------------------------------------------------------- */
1401 /* Sort and filter the sigs developed from the message */
1403 static pdkim_signature *
1404 sort_sig_methods(pdkim_signature * siglist)
1406 pdkim_signature * yield, ** ss;
1407 const uschar * prefs;
1411 if (!siglist) return NULL;
1413 /* first select in order of hashtypes */
1414 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_hashes '%s'\n", dkim_verify_hashes);
1415 for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield;
1416 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1418 int i = pdkim_hashname_to_hashtype(CUS ele, 0);
1419 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1423 if (s->hashtype == i)
1424 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1430 /* then in order of keytypes */
1432 DEBUG(D_acl) debug_printf("DKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes);
1433 for (prefs = dkim_verify_keytypes, sep = 0, yield = NULL, ss = &yield;
1434 ele = string_nextinlist(&prefs, &sep, NULL, 0); )
1436 int i = pdkim_keyname_to_keytype(CUS ele);
1437 for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
1441 if (s->keytype == i)
1442 { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
1448 DEBUG(D_acl) for (pdkim_signature * s = yield; s; s = s->next)
1449 debug_printf(" retain d=%s s=%s a=%s\n",
1450 s->domain, s->selector, dkim_sig_to_a_tag(s));
1455 /* -------------------------------------------------------------------------- */
1458 pdkim_feed_finish(pdkim_ctx * ctx, pdkim_signature ** return_signatures,
1459 const uschar ** err)
1461 BOOL verify_pass = FALSE;
1463 /* Check if we must still flush a (partial) header. If that is the
1464 case, the message has no body, and we must compute a body hash
1465 out of '<CR><LF>' */
1466 if (ctx->cur_header && ctx->cur_header->ptr > 0)
1471 if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
1474 for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
1475 rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
1476 if (rnl) store_free(rnl);
1479 DEBUG(D_acl) debug_printf(
1480 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1482 /* Build (and/or evaluate) body hash. Do this even if no DKIM sigs, in case we
1483 have a hash to do for ARC. */
1485 pdkim_finish_bodyhash(ctx);
1487 /* Sort and filter the recived signatures */
1489 if (!(ctx->flags & PDKIM_MODE_SIGN))
1490 ctx->sig = sort_sig_methods(ctx->sig);
1494 DEBUG(D_acl) debug_printf("DKIM: no signatures\n");
1495 *return_signatures = NULL;
1499 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
1502 uschar * sig_hdr = US"";
1504 gstring * hdata = NULL;
1507 if ( !(ctx->flags & PDKIM_MODE_SIGN)
1508 && sig->verify_status == PDKIM_VERIFY_FAIL)
1511 debug_printf("DKIM: [%s] abandoning this signature\n", sig->domain);
1515 /*XXX The hash of the headers is needed for GCrypt (for which we can do RSA
1516 signing only, as it happens) and for either GnuTLS and OpenSSL when we are
1517 signing with EC (specifically, Ed25519). The former is because the GCrypt
1518 signing operation is pure (does not do its own hash) so we must hash. The
1519 latter is because we (stupidly, but this is what the IETF draft is saying)
1520 must hash with the declared hash method, then pass the result to the library
1521 hash-and-sign routine (because that's all the libraries are providing. And
1522 we're stuck with whatever that hidden hash method is, too). We may as well
1523 do this hash incrementally.
1524 We don't need the hash we're calculating here for the GnuTLS and OpenSSL
1525 cases of RSA signing, since those library routines can do hash-and-sign.
1527 Some time in the future we could easily avoid doing the hash here for those
1528 cases (which will be common for a long while. We could also change from
1529 the current copy-all-the-headers-into-one-block, then call the hash-and-sign
1530 implementation - to a proper incremental one. Unfortunately, GnuTLS just
1531 cannot do incremental - either signing or verification. Unsure about GCrypt.
1534 /*XXX The header hash is also used (so far) by the verify operation */
1536 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod))
1538 log_write(0, LOG_MAIN|LOG_PANIC,
1539 "DKIM: hash setup error, possibly nonhandled hashtype");
1543 if (ctx->flags & PDKIM_MODE_SIGN)
1544 DEBUG(D_acl) debug_printf(
1545 "DKIM >> Headers to be signed: >>>>>>>>>>>>\n"
1549 DEBUG(D_acl) debug_printf(
1550 "DKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n",
1551 pdkim_canons[sig->canon_headers]);
1554 /* SIGNING ---------------------------------------------------------------- */
1555 /* When signing, walk through our header list and add them to the hash. As we
1556 go, construct a list of the header's names to use for the h= parameter.
1557 Then append to that list any remaining header names for which there was no
1560 if (ctx->flags & PDKIM_MODE_SIGN)
1567 /* Import private key, including the keytype which we need for building
1568 the signature header */
1570 if ((*err = exim_dkim_signing_init(CUS sig->privkey, &sctx)))
1572 log_write(0, LOG_MAIN|LOG_PANIC, "signing_init: %s", *err);
1573 return PDKIM_ERR_RSA_PRIVKEY;
1575 sig->keytype = sctx.keytype;
1577 sig->headernames = NULL; /* Collected signed header names */
1578 for (pdkim_stringlist * p = sig->headers; p; p = p->next)
1580 uschar * rh = p->value;
1582 if (header_name_match(rh, sig->sign_headers) == PDKIM_OK)
1584 /* Collect header names (Note: colon presence is guaranteed here) */
1585 g = string_append_listele_n(g, ':', rh, Ustrchr(rh, ':') - rh);
1587 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1588 rh = pdkim_relax_header(rh, TRUE); /* cook header for relaxed canon */
1590 /* Feed header to the hash algorithm */
1591 exim_sha_update_string(&hhash_ctx, CUS rh);
1593 /* Remember headers block for signing (when the library cannot do incremental) */
1594 /*XXX we could avoid doing this for all but the GnuTLS/RSA case */
1595 hdata = exim_dkim_data_append(hdata, rh);
1597 DEBUG(D_acl) debug_printf("%Z\n", rh);
1601 /* Any headers we wanted to sign but were not present must also be listed.
1602 Ignore elements that have been ticked-off or are marked as never-oversign. */
1604 l = sig->sign_headers;
1605 while((s = string_nextinlist(&l, &sep, NULL, 0)))
1607 if (*s == '+') /* skip oversigning marker */
1609 if (*s != '_' && *s != '=')
1610 g = string_append_listele(g, ':', s);
1612 sig->headernames = string_from_gstring(g);
1614 /* Create signature header with b= omitted */
1615 sig_hdr = pdkim_create_header(sig, FALSE);
1618 /* VERIFICATION ----------------------------------------------------------- */
1619 /* When verifying, walk through the header name list in the h= parameter and
1620 add the headers to the hash in that order. */
1623 uschar * p = sig->headernames;
1629 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1635 if ((q = Ustrchr(p, ':')))
1638 /*XXX walk the list of headers in same order as received. */
1639 for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
1641 && strncasecmp(CCS hdrs->value, CCS p, Ustrlen(p)) == 0
1642 && (hdrs->value)[Ustrlen(p)] == ':'
1645 /* cook header for relaxed canon, or just copy it for simple */
1647 uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
1648 ? pdkim_relax_header(hdrs->value, TRUE)
1649 : string_copy(CUS hdrs->value);
1651 /* Feed header to the hash algorithm */
1652 exim_sha_update_string(&hhash_ctx, CUS rh);
1654 DEBUG(D_acl) debug_printf("%Z\n", rh);
1663 sig_hdr = string_copy(sig->rawsig_no_b_val);
1667 DEBUG(D_acl) debug_printf(
1668 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1673 "DKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n");
1674 debug_printf("%Z\n", CUS sig_hdr);
1676 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1679 /* Relax header if necessary */
1680 if (sig->canon_headers == PDKIM_CANON_RELAXED)
1681 sig_hdr = pdkim_relax_header(sig_hdr, FALSE);
1685 debug_printf("DKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n",
1686 pdkim_canons[sig->canon_headers]);
1687 debug_printf("%Z\n", CUS sig_hdr);
1689 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1692 /* Finalize header hash */
1693 exim_sha_update_string(&hhash_ctx, CUS sig_hdr);
1694 exim_sha_finish(&hhash_ctx, &hhash);
1698 debug_printf("DKIM [%s] Header %s computed: ",
1699 sig->domain, pdkim_hashes[sig->hashtype].dkim_hashname);
1700 debug_printf("%.*H\n", hhash.len, hhash.data);
1703 /* Remember headers block for signing (when the signing library cannot do
1705 if (ctx->flags & PDKIM_MODE_SIGN)
1706 hdata = exim_dkim_data_append(hdata, US sig_hdr);
1708 /* SIGNING ---------------------------------------------------------------- */
1709 if (ctx->flags & PDKIM_MODE_SIGN)
1711 hashmethod hm = sig->keytype == KEYTYPE_ED25519
1712 #if defined(SIGN_OPENSSL)
1717 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1719 #ifdef SIGN_HAVE_ED25519
1720 /* For GCrypt, and for EC, we pass the hash-of-headers to the signing
1721 routine. For anything else we just pass the headers. */
1723 if (sig->keytype != KEYTYPE_ED25519)
1726 hhash.data = hdata->s;
1727 hhash.len = hdata->ptr;
1730 if ((*err = exim_dkim_sign(&sctx, hm, &hhash, &sig->sighash)))
1732 log_write(0, LOG_MAIN|LOG_PANIC, "signing: %s", *err);
1733 return PDKIM_ERR_RSA_SIGNING;
1738 debug_printf( "DKIM [%s] b computed: ", sig->domain);
1739 debug_printf("%.*H\n", sig->sighash.len, sig->sighash.data);
1742 sig->signature_header = pdkim_create_header(sig, TRUE);
1745 /* VERIFICATION ----------------------------------------------------------- */
1751 /* Make sure we have all required signature tags */
1752 if (!( sig->domain && *sig->domain
1753 && sig->selector && *sig->selector
1754 && sig->headernames && *sig->headernames
1755 && sig->bodyhash.data
1756 && sig->sighash.data
1757 && sig->keytype >= 0
1758 && sig->hashtype >= 0
1762 sig->verify_status = PDKIM_VERIFY_INVALID;
1763 sig->verify_ext_status = PDKIM_VERIFY_INVALID_SIGNATURE_ERROR;
1765 DEBUG(D_acl) debug_printf(
1766 " Error in DKIM-Signature header: tags missing or invalid (%s)\n"
1767 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n",
1768 !(sig->domain && *sig->domain) ? "d="
1769 : !(sig->selector && *sig->selector) ? "s="
1770 : !(sig->headernames && *sig->headernames) ? "h="
1771 : !sig->bodyhash.data ? "bh="
1772 : !sig->sighash.data ? "b="
1773 : sig->keytype < 0 || sig->hashtype < 0 ? "a="
1779 /* Make sure sig uses supported DKIM version (only v1) */
1780 if (sig->version != 1)
1782 sig->verify_status = PDKIM_VERIFY_INVALID;
1783 sig->verify_ext_status = PDKIM_VERIFY_INVALID_DKIM_VERSION;
1785 DEBUG(D_acl) debug_printf(
1786 " Error in DKIM-Signature header: unsupported DKIM version\n"
1787 "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1793 debug_printf( "DKIM [%s] b from mail: ", sig->domain);
1794 debug_printf("%.*H\n", sig->sighash.len, sig->sighash.data);
1797 if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx, err)))
1799 log_write(0, LOG_MAIN, "DKIM: %s%s %s%s [failed key import]",
1800 sig->domain ? "d=" : "", sig->domain ? sig->domain : US"",
1801 sig->selector ? "s=" : "", sig->selector ? sig->selector : US"");
1805 /* If the pubkey limits to a list of specific hashes, ignore sigs that
1806 do not have the hash part of the sig algorithm matching */
1808 if (sig->pubkey->hashes)
1810 const uschar * list = sig->pubkey->hashes, * ele;
1812 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
1813 if (Ustrcmp(ele, pdkim_hashes[sig->hashtype].dkim_hashname) == 0) break;
1816 DEBUG(D_acl) debug_printf("pubkey h=%s vs. sig a=%s_%s\n",
1817 sig->pubkey->hashes,
1818 pdkim_keytypes[sig->keytype],
1819 pdkim_hashes[sig->hashtype].dkim_hashname);
1820 sig->verify_status = PDKIM_VERIFY_FAIL;
1821 sig->verify_ext_status = PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH;
1826 hm = sig->keytype == KEYTYPE_ED25519
1827 #if defined(SIGN_OPENSSL)
1832 : pdkim_hashes[sig->hashtype].exim_hashmethod;
1834 /* Check the signature */
1836 if ((*err = exim_dkim_verify(&vctx, hm, &hhash, &sig->sighash)))
1838 DEBUG(D_acl) debug_printf("headers verify: %s\n", *err);
1839 sig->verify_status = PDKIM_VERIFY_FAIL;
1840 sig->verify_ext_status = PDKIM_VERIFY_FAIL_MESSAGE;
1843 if (*dkim_verify_min_keysizes)
1846 const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
1847 dkim_verify_min_keysizes);
1848 if (ss && (minbits = atoi(CCS ss)) > sig->keybits)
1850 DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n",
1851 pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
1852 sig->verify_status = PDKIM_VERIFY_FAIL;
1853 sig->verify_ext_status = PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE;
1858 /* We have a winner! (if bodyhash was correct earlier) */
1859 if (sig->verify_status == PDKIM_VERIFY_NONE)
1861 sig->verify_status = PDKIM_VERIFY_PASS;
1863 /*XXX We used to "break" here if dkim_verify_minimal, but that didn't
1864 stop the ACL being called. So move that test. Unfortunately, we
1865 need to eval all the sigs here only to possibly ignore some later,
1866 because we don't know what verify options might say.
1867 Could we change to a later eval of the sig?
1868 Both bits are called from receive_msg().
1869 Moving the test is also suboptimal for the case of no ACL (or no
1870 signers to check!) so keep it for that case, but after debug output */
1876 debug_printf("DKIM [%s] %s signature status: %s",
1877 sig->domain, dkim_sig_to_a_tag(sig),
1878 pdkim_verify_status_str(sig->verify_status));
1879 if (sig->verify_ext_status > 0)
1880 debug_printf(" (%s)\n",
1881 pdkim_verify_ext_status_str(sig->verify_ext_status));
1886 if ( verify_pass && dkim_verify_minimal
1887 && !(acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers))
1892 /* If requested, set return pointer to signature(s) */
1893 if (return_signatures)
1894 *return_signatures = ctx->sig;
1896 return ctx->flags & PDKIM_MODE_SIGN || verify_pass
1897 ? PDKIM_OK : PDKIM_FAIL;
1901 /* -------------------------------------------------------------------------- */
1903 DLLEXPORT pdkim_ctx *
1904 pdkim_init_verify(uschar * (*dns_txt_callback)(const uschar *), BOOL dot_stuffing)
1908 ctx = store_get(sizeof(pdkim_ctx), GET_UNTAINTED);
1909 memset(ctx, 0, sizeof(pdkim_ctx));
1911 if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM;
1912 /* The line-buffer is for message data, hence tainted */
1913 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
1914 ctx->dns_txt_callback = dns_txt_callback;
1915 ctx->cur_header = string_get_tainted(36, GET_TAINTED);
1921 /* -------------------------------------------------------------------------- */
1923 DLLEXPORT pdkim_signature *
1924 pdkim_init_sign(pdkim_ctx * ctx,
1925 uschar * domain, uschar * selector, uschar * privkey,
1926 uschar * hashname, const uschar ** errstr)
1929 pdkim_signature * sig;
1931 if (!domain || !selector || !privkey)
1934 /* Allocate & init one signature struct */
1936 sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
1937 memset(sig, 0, sizeof(pdkim_signature));
1939 sig->bodylength = -1;
1941 sig->domain = string_copy(US domain);
1942 sig->selector = string_copy(US selector);
1943 sig->privkey = string_copy(US privkey);
1946 for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++)
1947 if (Ustrcmp(hashname, pdkim_hashes[hashtype].dkim_hashname) == 0)
1948 { sig->hashtype = hashtype; break; }
1949 if (hashtype >= nelem(pdkim_hashes))
1951 log_write(0, LOG_MAIN|LOG_PANIC,
1952 "DKIM: unrecognised hashname '%s'", hashname);
1958 pdkim_signature s = *sig;
1961 debug_printf("DKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1962 if (!pdkim_key_from_dns(ctx, &s, &vctx, errstr))
1963 debug_printf("WARNING: bad dkim key in dns\n");
1964 debug_printf("DKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
1970 /* -------------------------------------------------------------------------- */
1973 pdkim_set_optional(pdkim_signature * sig,
1974 char * sign_headers,
1979 unsigned long created,
1980 unsigned long expires)
1983 sig->identity = string_copy(US identity);
1985 sig->sign_headers = string_copy(sign_headers
1986 ? US sign_headers : US PDKIM_DEFAULT_SIGN_HEADERS);
1988 sig->canon_headers = canon_headers;
1989 sig->canon_body = canon_body;
1990 sig->bodylength = bodylength;
1991 sig->created = created;
1992 sig->expires = expires;
1999 /* Set up a blob for calculating the bodyhash according to the
2000 given needs. Use an existing one if possible, or create a new one.
2002 Return: hashblob pointer, or NULL on error
2005 pdkim_set_bodyhash(pdkim_ctx * ctx, int hashtype, int canon_method,
2010 if (hashtype == -1 || canon_method == -1) return NULL;
2014 DEBUG(D_receive) debug_printf("pdkim_set_bodyhash: null context\n");
2018 for (b = ctx->bodyhash; b; b = b->next)
2019 if ( hashtype == b->hashtype
2020 && canon_method == b->canon_method
2021 && bodylength == b->bodylength)
2023 DEBUG(D_receive) debug_printf("DKIM: using existing bodyhash %s/%s/%ld\n",
2024 pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
2028 DEBUG(D_receive) debug_printf("DKIM: new bodyhash %s/%s/%ld\n",
2029 pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
2030 b = store_get(sizeof(pdkim_bodyhash), GET_UNTAINTED);
2031 b->next = ctx->bodyhash;
2032 b->hashtype = hashtype;
2033 b->canon_method = canon_method;
2034 b->bodylength = bodylength;
2035 if (!exim_sha_init(&b->body_hash_ctx, /*XXX hash method: extend for sha512 */
2036 pdkim_hashes[hashtype].exim_hashmethod))
2039 debug_printf("DKIM: hash init error, possibly nonhandled hashtype\n");
2042 b->signed_body_bytes = 0;
2043 b->num_buffered_blanklines = 0;
2049 /* Set up a blob for calculating the bodyhash according to the
2050 needs of this signature. Use an existing one if possible, or
2053 Return: hashblob pointer, or NULL on error (only used as a boolean).
2056 pdkim_set_sig_bodyhash(pdkim_ctx * ctx, pdkim_signature * sig)
2058 pdkim_bodyhash * b = pdkim_set_bodyhash(ctx,
2059 sig->hashtype, sig->canon_body, sig->bodylength);
2060 sig->calc_body_hash = b;
2065 /* -------------------------------------------------------------------------- */
2069 pdkim_init_context(pdkim_ctx * ctx, BOOL dot_stuffed,
2070 uschar * (*dns_txt_callback)(const uschar *))
2072 memset(ctx, 0, sizeof(pdkim_ctx));
2073 ctx->flags = dot_stuffed ? PDKIM_MODE_SIGN | PDKIM_DOT_TERM : PDKIM_MODE_SIGN;
2074 /* The line buffer is for message data, hence tainted */
2075 ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
2076 DEBUG(D_acl) ctx->dns_txt_callback = dns_txt_callback;
2083 exim_dkim_signers_init();
2088 #endif /*DISABLE_DKIM*/
git://git.exim.org / exim.git / blob