1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4 /* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018 - 2020
6 Copyright (c) The Exim Maintainers 2021 - 2022
8 SPDX-License-Identifier: GPL-2.0-only
12 #if defined EXPERIMENTAL_ARC
13 # if defined DISABLE_DKIM
14 # error DKIM must also be enabled for ARC
17 # include "functions.h"
18 # include "pdkim/pdkim.h"
19 # include "pdkim/signing.h"
21 extern pdkim_ctx * dkim_verify_ctx;
22 extern pdkim_ctx dkim_sign_ctx;
24 #define ARC_SIGN_OPT_TSTAMP BIT(0)
25 #define ARC_SIGN_OPT_EXPIRE BIT(1)
27 #define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
29 /******************************************************************************/
31 typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
37 typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
41 /* identified tag contents */
54 /* tag content sub-portions */
61 /* modified copy of b= field in line */
65 typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
78 typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
83 #define ARC_HDR_AAR US"ARC-Authentication-Results:"
84 #define ARC_HDRLEN_AAR 27
85 #define ARC_HDR_AMS US"ARC-Message-Signature:"
86 #define ARC_HDRLEN_AMS 22
87 #define ARC_HDR_AS US"ARC-Seal:"
88 #define ARC_HDRLEN_AS 9
89 #define HDR_AR US"Authentication-Results:"
94 static hdr_rlist * headers_rlist;
95 static arc_ctx arc_sign_ctx = { NULL };
96 static arc_ctx arc_verify_ctx = { NULL };
99 /******************************************************************************/
102 /* Get the instance number from the header.
105 arc_instance_from_hdr(const arc_line * al)
107 const uschar * s = al->i.data;
108 if (!s || !al->i.len) return 0;
109 return (unsigned) atoi(CCS s);
117 while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
122 /* Locate instance struct on chain, inserting a new one if
123 needed. The chain is in increasing-instance-number order
124 by the "next" link, and we have a "prev" link also.
128 arc_find_set(arc_ctx * ctx, unsigned i)
130 arc_set ** pas, * as, * next, * prev;
132 for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
135 if (as->instance > i) break;
136 if (as->instance == i)
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
145 DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146 *pas = as = store_get(sizeof(arc_set), GET_UNTAINTED);
147 memset(as, 0, sizeof(arc_set));
154 ctx->arcset_chain_last = as;
160 /* Insert a tag content into the line structure.
161 Note this is a reference to existing data, not a copy.
162 Check for already-seen tag.
163 The string-pointer is on the '=' for entry. Update it past the
164 content (to the ;) on return;
168 arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
172 blob * b = (blob *)(US al + loff);
175 /* [FWS] tag-value [FWS] */
177 if (b->data) return US"fail";
178 s = skip_fws(s); /* FWS */
181 while ((c = *s) && c != ';') { len++; s++; }
183 while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
190 /* Inspect a header line, noting known tag fields.
191 Check for duplicates. */
194 arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
196 uschar * s = h->text + off;
197 uschar * r = NULL; /* compiler-quietening */
204 al->rawsig_no_b_val.data = store_get(h->slen + 1, GET_TAINTED);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
210 /* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
222 s = skip_fws(s); /* FWS */
224 /* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
226 s = skip_fws(s); /* FWS */
229 if (!instance_only || tagchar == 'i') switch (tagchar)
231 case 'a': /* a= AMS algorithm */
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
236 /* substructure: algo-hash (eg. rsa-sha256) */
238 t = al->a_algo.data = al->a.data;
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
242 if (*t++ != '-') return US"no '-' in 'a' value";
244 al->a_hash.len = al->a.len - i - 1;
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 if (!g) return US"no b= value";
264 al->b.data = string_from_gstring(g);
266 gstring_release_unused(g);
269 case 'h': /* bh= AMS body hash */
270 s = skip_fws(++s); /* FWS */
271 if (*s != '=') return US"no bh value";
272 if (al->bh.data) return US"already bh data";
274 /* The bodyhash can have FWS inserted in the content;
275 make a stripped copy */
277 while ((c = *++s) && c != ';')
278 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
279 g = string_catn(g, s, 1);
280 if (!g) return US"no bh= value";
281 al->bh.data = string_from_gstring(g);
283 gstring_release_unused(g);
293 case '=': /* c= AMS canonicalisation */
294 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
296 /* substructure: head/body (eg. relaxed/simple)) */
298 t = al->c_head.data = al->c.data;
300 if (!*t++ || ++i > al->a.len) break;
302 if (*t++ == '/') /* /body is optional */
305 al->c_body.len = al->c.len - i - 1;
309 al->c_body.data = US"simple";
313 case 'v': /* cv= AS validity */
314 if (*++s != '=') return US"cv tag val";
315 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
321 case 'd': /* d= AMS domain */
322 if (*s != '=') return US"d tag val";
323 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
325 case 'h': /* h= AMS headers */
326 if (*s != '=') return US"h tag val";
327 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
329 case 'i': /* i= ARC set instance */
330 if (*s != '=') return US"i tag val";
331 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
332 if (instance_only) goto done;
334 case 'l': /* l= bodylength */
335 if (*s != '=') return US"l tag val";
336 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
338 case 's': /* s= AMS selector */
339 if (*s != '=') return US"s tag val";
340 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
344 while ((c = *s) && c != ';') s++;
345 if (c) s++; /* ; after tag-spec */
347 /* for all but the b= tag, copy the field including FWS. For the b=,
348 drop the tag content. */
353 size_t n = bstart - fieldstart;
354 memcpy(r, fieldstart, n); /* FWS "b=" */
356 al->rawsig_no_b_val.len += n;
358 memcpy(r, bend, n); /* FWS ";" */
360 al->rawsig_no_b_val.len += n;
364 size_t n = s - fieldstart;
365 memcpy(r, fieldstart, n);
367 al->rawsig_no_b_val.len += n;
375 /* debug_printf("%s: finshed\n", __FUNCTION__); */
380 /* Insert one header line in the correct set of the chain,
381 adding instances as needed and checking for duplicate lines.
385 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
386 BOOL instance_only, arc_line ** alp_ret)
390 arc_line * al = store_get(sizeof(arc_line), GET_UNTAINTED), ** alp;
393 memset(al, 0, sizeof(arc_line));
395 if ((e = arc_parse_line(al, h, off, instance_only)))
397 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
398 return US"line parse";
400 if (!(i = arc_instance_from_hdr(al))) return US"instance find";
401 if (i > 50) return US"overlarge instance number";
402 if (!(as = arc_find_set(ctx, i))) return US"set find";
403 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
406 if (alp_ret) *alp_ret = al;
413 static const uschar *
414 arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
418 /*debug_printf("consider hdr '%s'\n", h->text);*/
419 if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
425 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
427 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
429 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
432 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
433 return US"inserting AAR";
436 else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
444 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
446 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
448 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
449 instance_only, &ams)))
451 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
452 return US"inserting AMS";
458 ams->c_head.data = US"simple"; ams->c_head.len = 6;
459 ams->c_body = ams->c_head;
462 else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
468 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
470 debug_printf("ARC: found AS: %.*s\n", len, h->text);
472 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
473 instance_only, NULL)))
475 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
476 return US"inserting AS";
484 /* Gather the chain of arc sets from the headers.
485 Check for duplicates while that is done. Also build the
486 reverse-order headers list;
488 Return: ARC state if determined, eg. by lack of any ARC chain.
491 static const uschar *
492 arc_vfy_collect_hdrs(arc_ctx * ctx)
495 hdr_rlist * r = NULL, * rprev = NULL;
498 DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
499 for (h = header_list; h; h = h->next)
501 r = store_get(sizeof(hdr_rlist), GET_UNTAINTED);
507 if ((e = arc_try_header(ctx, h, FALSE)))
509 arc_state_reason = string_sprintf("collecting headers: %s", e);
515 if (!ctx->arcset_chain) return US"none";
521 arc_cv_match(arc_line * al, const uschar * s)
523 return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
526 /******************************************************************************/
528 /* Return the hash of headers from the message that the AMS claims it
533 arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
535 const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
539 BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
540 int hashtype = pdkim_hashname_to_hashtype(
541 ams->a_hash.data, ams->a_hash.len);
547 || !exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
550 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
554 /* For each headername in the list from the AMS (walking in order)
555 walk the message headers in reverse order, adding to the hash any
556 found for the first time. For that last point, maintain used-marks
557 on the list of message headers. */
559 DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
561 for (r = headers_rlist; r; r = r->prev)
563 while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
564 for (r = headers_rlist; r; r = r->prev)
566 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
569 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
572 DEBUG(D_acl) pdkim_quoteprint(s, len);
573 exim_sha_update_string(&hhash_ctx, s);
578 /* Finally add in the signature header (with the b= tag stripped); no CRLF */
580 s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
582 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
583 DEBUG(D_acl) pdkim_quoteprint(s, len);
584 exim_sha_update(&hhash_ctx, s, len);
586 exim_sha_finish(&hhash_ctx, hhash);
588 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
595 static pdkim_pubkey *
596 arc_line_to_pubkey(arc_line * al)
601 if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
602 (int)al->s.len, al->s.data, (int)al->d.len, al->d.data))))
604 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
608 if ( !(p = pdkim_parse_pubkey_record(dns_txt))
609 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
612 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
616 /* If the pubkey limits use to specified hashes, reject unusable
617 signatures. XXX should we have looked for multiple dns records? */
621 const uschar * list = p->hashes, * ele;
624 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
625 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
628 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
629 p->hashes, (int)al->a.len, al->a.data);
639 static pdkim_bodyhash *
640 arc_ams_setup_vfy_bodyhash(arc_line * ams)
642 int canon_head = -1, canon_body = -1;
645 if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
646 pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
647 bodylen = ams->l.data
648 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
650 return pdkim_set_bodyhash(dkim_verify_ctx,
651 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
658 /* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
659 and without a DKIM v= tag.
662 static const uschar *
663 arc_ams_verify(arc_ctx * ctx, arc_set * as)
665 arc_line * ams = as->hdr_ams;
672 const uschar * errstr;
674 as->ams_verify_done = US"in-progress";
676 /* Check the AMS has all the required tags:
680 "d=" domain (for key lookup)
681 "h=" headers (included in signature)
682 "s=" key-selector (for key lookup)
684 if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
685 || !ams->h.data || !ams->s.data)
687 as->ams_verify_done = arc_state_reason = US"required tag missing";
692 /* The bodyhash should have been created earlier, and the dkim code should
693 have managed calculating it during message input. Find the reference to it. */
695 if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
697 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
703 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
704 " Body %.*s computed: ",
705 as->instance, b->signed_body_bytes,
706 (int)ams->a_hash.len, ams->a_hash.data);
707 pdkim_hexprint(CUS b->bh.data, b->bh.len);
710 /* We know the bh-tag blob is of a nul-term string, so safe as a string */
713 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
714 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
719 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
720 pdkim_hexprint(sighash.data, sighash.len);
721 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
723 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
726 DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
728 /* Get the public key from DNS */
730 if (!(p = arc_line_to_pubkey(ams)))
731 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
733 /* We know the b-tag blob is of a nul-term string, so safe as a string */
734 pdkim_decode_base64(ams->b.data, &sighash);
736 arc_get_verify_hhash(ctx, ams, &hhash);
738 /* Setup the interface to the signing library */
740 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx, NULL)))
742 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
743 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
747 hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
750 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify bad a_hash\n", as->instance);
751 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
754 if ((errstr = exim_dkim_verify(&vctx,
755 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
757 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
758 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
761 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
762 as->ams_verify_passed = TRUE;
768 /* Check the sets are instance-continuous and that all
769 members are present. Check that no arc_seals are "fail".
770 Set the highest instance number global.
771 Verify the latest AMS.
774 arc_headers_check(arc_ctx * ctx)
778 BOOL ams_fail_found = FALSE;
780 if (!(as = ctx->arcset_chain_last))
783 for(inst = as->instance; as; as = as->prev, inst--)
785 if (as->instance != inst)
786 arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
788 else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
789 arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
790 else if (arc_cv_match(as->hdr_as, US"fail"))
791 arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
795 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
799 /* Evaluate the oldest-pass AMS validation while we're here.
800 It does not affect the AS chain validation but is reported as
804 if (arc_ams_verify(ctx, as))
805 ams_fail_found = TRUE;
807 arc_oldest_pass = inst;
808 arc_state_reason = NULL;
812 arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
813 DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
817 arc_received = ctx->arcset_chain_last;
818 arc_received_instance = arc_received->instance;
820 /* We can skip the latest-AMS validation, if we already did it. */
822 as = ctx->arcset_chain_last;
823 if (!as->ams_verify_passed)
825 if (as->ams_verify_done)
827 arc_state_reason = as->ams_verify_done;
830 if (!!arc_ams_verify(ctx, as))
837 /******************************************************************************/
838 static const uschar *
839 arc_seal_verify(arc_ctx * ctx, arc_set * as)
841 arc_line * hdr_as = as->hdr_as;
849 const uschar * errstr;
851 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
853 1. If the value of the "cv" tag on that seal is "fail", the
854 chain state is "fail" and the algorithm stops here. (This
855 step SHOULD be skipped if the earlier step (2.1) was
858 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
859 == "none" && i != 1)) then the chain state is "fail" and the
860 algorithm stops here (note that the ordering of the logic is
861 structured for short-circuit evaluation).
864 if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
865 || arc_cv_match(hdr_as, US"none") && as->instance != 1
868 arc_state_reason = US"seal cv state";
873 3. Initialize a hash function corresponding to the "a" tag of
877 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
880 || !exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
883 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
884 arc_state_reason = US"seal hash setup error";
889 4. Compute the canonicalized form of the ARC header fields, in
890 the order described in Section 5.4.2, using the "relaxed"
891 header canonicalization defined in Section 3.4.2 of
892 [RFC6376]. Pass the canonicalized result to the hash
895 Headers are CRLF-separated, but the last one is not crlf-terminated.
898 DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
899 for (as2 = ctx->arcset_chain;
900 as2 && as2->instance <= as->instance;
908 if (!(s = al->relaxed))
909 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
910 al->complete->slen, TRUE);
912 DEBUG(D_acl) pdkim_quoteprint(s, len);
913 exim_sha_update(&hhash_ctx, s, len);
916 if (!(s = al->relaxed))
917 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
918 al->complete->slen, TRUE);
920 DEBUG(D_acl) pdkim_quoteprint(s, len);
921 exim_sha_update(&hhash_ctx, s, len);
924 if (as2->instance == as->instance)
925 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
926 al->rawsig_no_b_val.len, FALSE);
927 else if (!(s = al->relaxed))
928 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
929 al->complete->slen, TRUE);
931 DEBUG(D_acl) pdkim_quoteprint(s, len);
932 exim_sha_update(&hhash_ctx, s, len);
936 5. Retrieve the final digest from the hash function.
939 exim_sha_finish(&hhash_ctx, &hhash_computed);
942 debug_printf("ARC i=%d AS Header %.*s computed: ",
943 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
944 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
949 6. Retrieve the public key identified by the "s" and "d" tags in
950 the ARC-Seal, as described in Section 4.1.6.
953 if (!(p = arc_line_to_pubkey(hdr_as)))
954 return US"pubkey problem";
957 7. Determine whether the signature portion ("b" tag) of the ARC-
958 Seal and the digest computed above are valid according to the
959 public key. (See also Section Section 8.4 for failure case
962 8. If the signature is not valid, the chain state is "fail" and
963 the algorithm stops here.
966 /* We know the b-tag blob is of a nul-term string, so safe as a string */
967 pdkim_decode_base64(hdr_as->b.data, &sighash);
969 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx, NULL)))
971 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
975 if ((errstr = exim_dkim_verify(&vctx,
976 pdkim_hashes[hashtype].exim_hashmethod,
977 &hhash_computed, &sighash)))
980 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
981 arc_state_reason = US"seal sigverify error";
985 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
990 static const uschar *
991 arc_verify_seals(arc_ctx * ctx)
993 arc_set * as = ctx->arcset_chain_last;
998 for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
1000 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
1003 /******************************************************************************/
1005 /* Do ARC verification. Called from DATA ACL, on a verify = arc
1006 condition. No arguments; we are checking globals.
1008 Return: The ARC state, or NULL on error.
1012 acl_verify_arc(void)
1016 memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1018 if (!dkim_verify_ctx)
1020 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1024 /* AS evaluation, per
1025 https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1027 /* 1. Collect all ARC sets currently on the message. If there were
1028 none, the ARC state is "none" and the algorithm stops here.
1031 if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1034 /* 2. If the form of any ARC set is invalid (e.g., does not contain
1035 exactly one of each of the three ARC-specific header fields),
1036 then the chain state is "fail" and the algorithm stops here.
1038 1. To avoid the overhead of unnecessary computation and delay
1039 from crypto and DNS operations, the cv value for all ARC-
1040 Seal(s) MAY be checked at this point. If any of the values
1041 are "fail", then the overall state of the chain is "fail" and
1042 the algorithm stops here.
1044 3. Conduct verification of the ARC-Message-Signature header field
1045 bearing the highest instance number. If this verification fails,
1046 then the chain state is "fail" and the algorithm stops here.
1049 if ((res = arc_headers_check(&arc_verify_ctx)))
1052 /* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1055 1. If the value of the "cv" tag on that seal is "fail", the
1056 chain state is "fail" and the algorithm stops here. (This
1057 step SHOULD be skipped if the earlier step (2.1) was
1060 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1061 == "none" && i != 1)) then the chain state is "fail" and the
1062 algorithm stops here (note that the ordering of the logic is
1063 structured for short-circuit evaluation).
1065 3. Initialize a hash function corresponding to the "a" tag of
1068 4. Compute the canonicalized form of the ARC header fields, in
1069 the order described in Section 5.4.2, using the "relaxed"
1070 header canonicalization defined in Section 3.4.2 of
1071 [RFC6376]. Pass the canonicalized result to the hash
1074 5. Retrieve the final digest from the hash function.
1076 6. Retrieve the public key identified by the "s" and "d" tags in
1077 the ARC-Seal, as described in Section 4.1.6.
1079 7. Determine whether the signature portion ("b" tag) of the ARC-
1080 Seal and the digest computed above are valid according to the
1081 public key. (See also Section Section 8.4 for failure case
1084 8. If the signature is not valid, the chain state is "fail" and
1085 the algorithm stops here.
1087 5. If all seals pass validation, then the chain state is "pass", and
1088 the algorithm is complete.
1091 if ((res = arc_verify_seals(&arc_verify_ctx)))
1100 /******************************************************************************/
1102 /* Prepend the header to the rlist */
1105 arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1107 hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line), GET_UNTAINTED);
1108 header_line * h = r->h = (header_line *)(r+1);
1121 /* Walk the given headers strings identifying each header, and construct
1122 a reverse-order list.
1126 arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1129 hdr_rlist * rheaders = NULL;
1131 s = sigheaders ? sigheaders->s : NULL;
1134 const uschar * s2 = s;
1136 /* This works for either NL or CRLF lines; also nul-termination */
1138 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1139 s2++; /* move past end of line */
1141 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1149 /* Return the A-R content, without identity, with line-ending and
1153 arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1156 int ilen = Ustrlen(identity);
1159 for(h = headers; h; h = h->next)
1161 uschar * s = h->text, c;
1164 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1165 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1167 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1168 s++, len--; /* FWS */
1169 if (Ustrncmp(s, identity, ilen) != 0) continue;
1170 s += ilen; len -= ilen; /* identity */
1171 if (len <= 0) continue;
1172 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1174 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1175 s++, len--; /* FWS */
1176 if (len <= 0) continue;
1186 /* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1189 arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1190 const uschar * identity, int instance, blob * ar)
1192 int aar_off = gstring_length(g);
1194 store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line), GET_UNTAINTED);
1195 arc_line * al = (arc_line *)(as+1);
1196 header_line * h = (header_line *)(al+1);
1198 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1199 g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
1200 g = string_catn(g, US ar->data, ar->len);
1202 h->slen = g->ptr - aar_off;
1203 h->text = g->s + aar_off;
1206 as->prev = ctx->arcset_chain_last;
1207 as->instance = instance;
1210 ctx->arcset_chain = as;
1212 ctx->arcset_chain_last->next = as;
1213 ctx->arcset_chain_last = as;
1215 DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1222 arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1223 blob * sig, const uschar * why)
1225 hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1226 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1229 const uschar * errstr;
1234 debug_printf("ARC: %s header data for signing:\n", why);
1235 pdkim_quoteprint(hdata->s, hdata->ptr);
1237 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1238 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1239 exim_sha_finish(&hhash_ctx, &hhash);
1240 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1243 if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1246 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1247 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1248 exim_sha_finish(&hhash_ctx, &hhash);
1252 hhash.data = hdata->s;
1253 hhash.len = hdata->ptr;
1256 if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1257 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1259 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1261 debug_printf("private key, or private-key file content, was: '%s'\n",
1271 arc_sign_append_sig(gstring * g, blob * sig)
1273 /*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1274 sig->data = pdkim_encode_base64(sig);
1275 sig->len = Ustrlen(sig->data);
1278 int len = MIN(sig->len, 74);
1279 g = string_catn(g, sig->data, len);
1280 if ((sig->len -= len) == 0) break;
1282 g = string_catn(g, US"\r\n\t ", 5);
1284 g = string_catn(g, US";\r\n", 3);
1285 gstring_release_unused(g);
1286 string_from_gstring(g);
1291 /* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1294 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1295 const uschar * identity, const uschar * selector, blob * bodyhash,
1296 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1299 gstring * hdata = NULL;
1301 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1304 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), GET_UNTAINTED);
1305 header_line * h = (header_line *)(al+1);
1307 /* debug_printf("%s\n", __FUNCTION__); */
1309 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1312 g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
1313 ARC_HDR_AMS, instance, identity, selector); /*XXX hardwired a= */
1314 if (options & ARC_SIGN_OPT_TSTAMP)
1315 g = string_fmt_append(g, "; t=%lu", (u_long)now);
1316 if (options & ARC_SIGN_OPT_EXPIRE)
1317 g = string_fmt_append(g, "; x=%lu", (u_long)expire);
1318 g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
1319 pdkim_encode_base64(bodyhash));
1321 for(col = 3; rheaders; rheaders = rheaders->prev)
1323 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1324 uschar * name, * htext = rheaders->h->text;
1327 /* Spot headers of interest */
1329 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1331 int len = Ustrlen(name);
1332 if (strncasecmp(CCS htext, CCS name, len) == 0)
1334 /* If too long, fold line in h= field */
1336 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1338 /* Add name to h= list */
1340 g = string_catn(g, name, len);
1341 g = string_catn(g, US":", 1);
1344 /* Accumulate header for hashing/signing */
1346 hdata = string_cat(hdata,
1347 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1353 /* Lose the last colon from the h= list */
1355 if (g->s[g->ptr - 1] == ':') g->ptr--;
1357 g = string_catn(g, US";\r\n\tb=;", 7);
1359 /* Include the pseudo-header in the accumulation */
1361 s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1362 hdata = string_cat(hdata, s);
1364 /* Calculate the signature from the accumulation */
1365 /*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1367 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1370 /* Lose the trailing semicolon from the psuedo-header, and append the signature
1371 (folded over lines) and termination to complete it. */
1374 g = arc_sign_append_sig(g, &sig);
1376 h->slen = g->ptr - ams_off;
1377 h->text = g->s + ams_off;
1379 ctx->arcset_chain_last->hdr_ams = al;
1381 DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1387 /* Look for an arc= result in an A-R header blob. We know that its data
1388 happens to be a NUL-term string. */
1391 arc_ar_cv_status(blob * ar)
1393 const uschar * resinfo = ar->data;
1395 uschar * methodspec, * s;
1397 while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1398 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1401 for (s = methodspec += 4;
1402 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1403 return string_copyn(methodspec, s - methodspec);
1410 /* Build the AS header and prepend it */
1413 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1414 int instance, const uschar * identity, const uschar * selector, blob * ar,
1415 const uschar * privkey, unsigned options)
1418 uschar * status = arc_ar_cv_status(ar);
1419 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), GET_UNTAINTED);
1420 header_line * h = (header_line *)(al+1);
1421 uschar * badline_str;
1423 gstring * hdata = NULL;
1424 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1430 - no h= tag; implicit coverage
1431 - arc status from A-R
1433 - coverage is just the new ARC set
1434 including self (but with an empty b= in self)
1436 - all ARC set headers, set-number order, aar then ams then as,
1437 including self (but with an empty b= in self)
1439 DEBUG(D_transport) debug_printf("ARC: building AS for status '%s'\n", status);
1441 /* Construct the AS except for the signature */
1443 arcset = string_append(NULL, 9,
1445 US" i=", string_sprintf("%d", instance),
1447 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1448 US"; s=", selector); /*XXX same as AMS */
1449 if (options & ARC_SIGN_OPT_TSTAMP)
1450 arcset = string_append(arcset, 2,
1451 US"; t=", string_sprintf("%lu", (u_long)now));
1452 arcset = string_cat(arcset,
1455 h->slen = arcset->ptr;
1456 h->text = arcset->s;
1458 ctx->arcset_chain_last->hdr_as = al;
1460 /* For any but "fail" chain-verify status, walk the entire chain in order by
1461 instance. For fail, only the new arc-set. Accumulate the elements walked. */
1463 for (arc_set * as = Ustrcmp(status, US"fail") == 0
1464 ? ctx->arcset_chain_last : ctx->arcset_chain;
1468 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1469 is required per standard. */
1471 badline_str = US"aar";
1472 if (!(l = as->hdr_aar)) goto badline;
1474 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1475 badline_str = US"ams";
1476 if (!(l = as->hdr_ams)) goto badline;
1478 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1479 badline_str = US"as";
1480 if (!(l = as->hdr_as)) goto badline;
1482 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1485 /* Calculate the signature from the accumulation */
1487 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1490 /* Lose the trailing semicolon */
1492 arcset = arc_sign_append_sig(arcset, &sig);
1493 DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1495 /* Finally, append the AMS and AAR to the new AS */
1497 return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1501 debug_printf("ARC: while building AS, missing %s in chain\n", badline_str);
1506 /**************************************/
1508 /* Return pointer to pdkim_bodyhash for given hash method, creating new
1513 arc_ams_setup_sign_bodyhash(void)
1515 int canon_head, canon_body;
1517 DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1518 pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1519 return pdkim_set_bodyhash(&dkim_sign_ctx,
1520 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1530 memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1531 headers_rlist = NULL;
1536 /* A "normal" header line, identified by DKIM processing. These arrive before
1537 the call to arc_sign(), which carries any newly-created DKIM headers - and
1538 those go textually before the normal ones in the message.
1540 We have to take the feed from DKIM as, in the transport-filter case, the
1541 headers are not in memory at the time of the call to arc_sign().
1543 Take a copy of the header and construct a reverse-order list.
1544 Also parse ARC-chain headers and build the chain struct, retaining pointers
1548 static const uschar *
1549 arc_header_sign_feed(gstring * g)
1551 uschar * s = string_copyn(g->s, g->ptr);
1552 headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1553 return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1558 /* Per RFCs 6376, 7489 the only allowed chars in either an ADMD id
1559 or a selector are ALPHA/DIGGIT/'-'/'.'
1561 Check, to help catch misconfigurations such as a missing selector
1562 element in the arc_sign list.
1566 arc_valid_id(const uschar * s)
1568 for (uschar c; c = *s++; )
1569 if (!isalnum(c) && c != '-' && c != '.') return FALSE;
1575 /* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1576 The dkim_exim_sign() function has already been called, so will have hashed the
1577 message body for us so long as we requested a hash previously.
1580 signspec Three-element colon-sep list: identity, selector, privkey.
1581 Optional fourth element: comma-sep list of options.
1583 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1587 Set of headers to prepend to the message, including the supplied sigheaders
1588 but not the plainheaders.
1592 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1594 const uschar * identity, * selector, * privkey, * opts, * s;
1595 unsigned options = 0;
1597 header_line * headers;
1598 hdr_rlist * rheaders;
1606 /* Parse the signing specification */
1608 if (!(identity = string_nextinlist(&signspec, &sep, NULL, 0)) || !*identity)
1609 { s = US"identity"; goto bad_arg_ret; }
1610 if (!(selector = string_nextinlist(&signspec, &sep, NULL, 0)) || !*selector)
1611 { s = US"selector"; goto bad_arg_ret; }
1612 if (!(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1613 { s = US"privkey"; goto bad_arg_ret; }
1614 if (!arc_valid_id(identity))
1615 { s = US"identity"; goto bad_arg_ret; }
1616 if (!arc_valid_id(selector))
1617 { s = US"selector"; goto bad_arg_ret; }
1618 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1619 goto ret_sigheaders;
1621 if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1624 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1625 if (Ustrcmp(s, "timestamps") == 0)
1627 options |= ARC_SIGN_OPT_TSTAMP;
1628 if (!now) now = time(NULL);
1630 else if (Ustrncmp(s, "expire", 6) == 0)
1632 options |= ARC_SIGN_OPT_EXPIRE;
1633 if (*(s += 6) == '=')
1636 if (!(expire = (time_t)atoi(CS ++s)))
1637 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1638 if (!now) now = time(NULL);
1642 expire = (time_t)atol(CS s);
1645 if (!now) now = time(NULL);
1646 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1651 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1653 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1654 Then scan the list for an A-R header. */
1656 string_from_gstring(sigheaders);
1657 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1660 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1664 /* Finally, build a normal-order headers list */
1665 /*XXX only needed for hunt-the-AR? */
1666 /*XXX also, we really should be accepting any number of ADMD-matching ARs */
1668 header_line * hnext = NULL;
1669 for (rheaders = headers_rlist; rheaders;
1670 hnext = rheaders->h, rheaders = rheaders->prev)
1671 rheaders->h->next = hnext;
1675 if (!(arc_sign_find_ar(headers, identity, &ar)))
1677 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1678 goto ret_sigheaders;
1681 /* We previously built the data-struct for the existing ARC chain, if any, using a headers
1682 feed from the DKIM module. Use that to give the instance number for the ARC set we are
1686 if (arc_sign_ctx.arcset_chain_last)
1687 debug_printf("ARC: existing chain highest instance: %d\n",
1688 arc_sign_ctx.arcset_chain_last->instance);
1690 debug_printf("ARC: no existing chain\n");
1692 instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1696 - copy the A-R; prepend i= & identity
1699 g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1703 - Looks fairly like a DKIM sig
1704 - Cover all DKIM sig headers as well as the usuals
1707 - we must have requested a suitable bodyhash previously
1710 b = arc_ams_setup_sign_bodyhash();
1711 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1712 &b->bh, headers_rlist, privkey, options);
1717 - no h= tag; implicit coverage
1718 - arc status from A-R
1720 - coverage is just the new ARC set
1721 including self (but with an empty b= in self)
1723 - all ARC set headers, set-number order, aar then ams then as,
1724 including self (but with an empty b= in self)
1728 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1731 /* Finally, append the dkim headers and return the lot. */
1733 if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
1736 if (!g) return string_get(1);
1737 (void) string_from_gstring(g);
1738 gstring_release_unused(g);
1743 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)", s);
1750 /******************************************************************************/
1752 /* Check to see if the line is an AMS and if so, set up to validate it.
1753 Called from the DKIM input processing. This must be done now as the message
1754 body data is hashed during input.
1756 We call the DKIM code to request a body-hash; it has the facility already
1757 and the hash parameters might be common with other requests.
1760 static const uschar *
1761 arc_header_vfy_feed(gstring * g)
1768 if (!dkim_verify_ctx) return US"no dkim context";
1770 if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1772 DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1773 /* Parse the AMS header */
1778 memset(&al, 0, sizeof(arc_line));
1779 if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1781 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1785 if (!al.a_hash.data)
1787 DEBUG(D_acl) debug_printf("ARC: no a_hash from '%.*s'\n", h.slen, h.text);
1794 al.c_body.data = US"simple"; al.c_body.len = 6;
1795 al.c_head = al.c_body;
1798 /* Ask the dkim code to calc a bodyhash with those specs */
1800 if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1801 return US"dkim hash setup fail";
1803 /* Discard the reference; search again at verify time, knowing that one
1804 should have been created here. */
1809 return US"line parsing error";
1814 /* A header line has been identified by DKIM processing.
1818 is_vfy TRUE for verify mode or FALSE for signing mode
1821 NULL for success, or an error string (probably unused)
1825 arc_header_feed(gstring * g, BOOL is_vfy)
1827 return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1832 /******************************************************************************/
1834 /* Construct the list of domains from the ARC chain after validation */
1837 fn_arc_domains(void)
1843 for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1845 arc_line * hdr_as = as->hdr_as;
1848 blob * d = &hdr_as->d;
1850 for (; inst < as->instance; inst++)
1851 g = string_catn(g, US":", 1);
1853 g = d->data && d->len
1854 ? string_append_listele_n(g, ':', d->data, d->len)
1855 : string_catn(g, US":", 1);
1858 g = string_catn(g, US":", 1);
1860 return g ? g->s : US"";
1864 /* Construct an Authentication-Results header portion, for the ARC module */
1867 authres_arc(gstring * g)
1871 arc_line * highest_ams;
1872 int start = 0; /* Compiler quietening */
1873 DEBUG(D_acl) start = g->ptr;
1875 g = string_append(g, 2, US";\n\tarc=", arc_state);
1876 if (arc_received_instance > 0)
1878 g = string_fmt_append(g, " (i=%d)", arc_received_instance);
1879 if (arc_state_reason)
1880 g = string_append(g, 3, US"(", arc_state_reason, US")");
1881 g = string_catn(g, US" header.s=", 10);
1882 highest_ams = arc_received->hdr_ams;
1883 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1885 g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
1887 if (sender_host_address)
1888 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1890 else if (arc_state_reason)
1891 g = string_append(g, 3, US" (", arc_state_reason, US")");
1892 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1893 g->ptr - start - 3, g->s + start + 3);
1896 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1901 # endif /* DISABLE_DKIM */
1902 #endif /* EXPERIMENTAL_ARC */