12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611 |
- /*
- * Copyright 2024 Vsevolod Stakhov
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- #include "config.h"
- #include "rspamd.h"
- #include "message.h"
- #include "dkim.h"
- #include "dns.h"
- #include "utlist.h"
- #include "unix-std.h"
- #include "mempool_vars_internal.h"
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- #include <openssl/engine.h>
-
- /* special DNS tokens */
- #define DKIM_DNSKEYNAME "_domainkey"
-
- /* ed25519 key lengths */
- #define ED25519_B64_BYTES 45
- #define ED25519_BYTES 32
-
- /* Canonization methods */
- #define DKIM_CANON_UNKNOWN (-1) /* unknown method */
- #define DKIM_CANON_SIMPLE 0 /* as specified in DKIM spec */
- #define DKIM_CANON_RELAXED 1 /* as specified in DKIM spec */
-
- #define DKIM_CANON_DEFAULT DKIM_CANON_SIMPLE
-
- #define RSPAMD_SHORT_BH_LEN 8
-
- /* Params */
- enum rspamd_dkim_param_type {
- DKIM_PARAM_UNKNOWN = -1,
- DKIM_PARAM_SIGNATURE = 0,
- DKIM_PARAM_SIGNALG,
- DKIM_PARAM_DOMAIN,
- DKIM_PARAM_CANONALG,
- DKIM_PARAM_QUERYMETHOD,
- DKIM_PARAM_SELECTOR,
- DKIM_PARAM_HDRLIST,
- DKIM_PARAM_VERSION,
- DKIM_PARAM_IDENTITY,
- DKIM_PARAM_TIMESTAMP,
- DKIM_PARAM_EXPIRATION,
- DKIM_PARAM_COPIEDHDRS,
- DKIM_PARAM_BODYHASH,
- DKIM_PARAM_BODYLENGTH,
- DKIM_PARAM_IDX,
- DKIM_PARAM_CV,
- DKIM_PARAM_IGNORE
- };
-
- #define RSPAMD_DKIM_MAX_ARC_IDX 10
-
- #define msg_err_dkim(...) rspamd_default_log_function(G_LOG_LEVEL_CRITICAL, \
- "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_warn_dkim(...) rspamd_default_log_function(G_LOG_LEVEL_WARNING, \
- "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_info_dkim(...) rspamd_default_log_function(G_LOG_LEVEL_INFO, \
- "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_debug_dkim(...) rspamd_conditional_debug_fast(NULL, NULL, \
- rspamd_dkim_log_id, "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_debug_dkim_taskless(...) rspamd_conditional_debug_fast(NULL, NULL, \
- rspamd_dkim_log_id, "dkim", "", \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
-
- INIT_LOG_MODULE(dkim)
-
- #define RSPAMD_DKIM_FLAG_OVERSIGN (1u << 0u)
- #define RSPAMD_DKIM_FLAG_OVERSIGN_EXISTING (1u << 1u)
-
- union rspamd_dkim_header_stat {
- struct _st {
- uint16_t count;
- uint16_t flags;
- } s;
- uint32_t n;
- };
-
- struct rspamd_dkim_common_ctx {
- rspamd_mempool_t *pool;
- uint64_t sig_hash;
- gsize len;
- GPtrArray *hlist;
- GHashTable *htable; /* header -> count mapping */
- EVP_MD_CTX *headers_hash;
- EVP_MD_CTX *body_hash;
- enum rspamd_dkim_type type;
- unsigned int idx;
- int header_canon_type;
- int body_canon_type;
- unsigned int body_canonicalised;
- unsigned int headers_canonicalised;
- gboolean is_sign;
- };
-
- enum rspamd_arc_seal_cv {
- RSPAMD_ARC_UNKNOWN = 0,
- RSPAMD_ARC_NONE,
- RSPAMD_ARC_INVALID,
- RSPAMD_ARC_FAIL,
- RSPAMD_ARC_PASS
- };
-
-
- struct rspamd_dkim_context_s {
- struct rspamd_dkim_common_ctx common;
- rspamd_mempool_t *pool;
- struct rspamd_dns_resolver *resolver;
- gsize blen;
- gsize bhlen;
- int sig_alg;
- unsigned int ver;
- time_t timestamp;
- time_t expiration;
- char *domain;
- char *selector;
- int8_t *b;
- char *short_b;
- int8_t *bh;
- char *dns_key;
- enum rspamd_arc_seal_cv cv;
- const char *dkim_header;
- };
-
- #define RSPAMD_DKIM_KEY_ID_LEN 16
-
- struct rspamd_dkim_key_s {
- uint8_t *keydata;
- uint8_t *raw_key;
- gsize keylen;
- gsize decoded_len;
- char key_id[RSPAMD_DKIM_KEY_ID_LEN];
- union {
- RSA *key_rsa;
- EC_KEY *key_ecdsa;
- unsigned char *key_eddsa;
- } key;
- BIO *key_bio;
- EVP_PKEY *key_evp;
- time_t mtime;
- unsigned int ttl;
- enum rspamd_dkim_key_type type;
- ref_entry_t ref;
- };
-
- struct rspamd_dkim_sign_context_s {
- struct rspamd_dkim_common_ctx common;
- rspamd_dkim_sign_key_t *key;
- };
-
- struct rspamd_dkim_header {
- const char *name;
- int count;
- };
-
- /* Parser of dkim params */
- typedef gboolean (*dkim_parse_param_f)(rspamd_dkim_context_t *ctx,
- const char *param, gsize len, GError **err);
-
- static gboolean rspamd_dkim_parse_signature(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_signalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_domain(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_canonalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_ignore(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_selector(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_hdrlist(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_version(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_timestamp(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_expiration(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_bodyhash(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_bodylength(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_idx(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_cv(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
-
-
- static const dkim_parse_param_f parser_funcs[] = {
- [DKIM_PARAM_SIGNATURE] = rspamd_dkim_parse_signature,
- [DKIM_PARAM_SIGNALG] = rspamd_dkim_parse_signalg,
- [DKIM_PARAM_DOMAIN] = rspamd_dkim_parse_domain,
- [DKIM_PARAM_CANONALG] = rspamd_dkim_parse_canonalg,
- [DKIM_PARAM_QUERYMETHOD] = rspamd_dkim_parse_ignore,
- [DKIM_PARAM_SELECTOR] = rspamd_dkim_parse_selector,
- [DKIM_PARAM_HDRLIST] = rspamd_dkim_parse_hdrlist,
- [DKIM_PARAM_VERSION] = rspamd_dkim_parse_version,
- [DKIM_PARAM_IDENTITY] = rspamd_dkim_parse_ignore,
- [DKIM_PARAM_TIMESTAMP] = rspamd_dkim_parse_timestamp,
- [DKIM_PARAM_EXPIRATION] = rspamd_dkim_parse_expiration,
- [DKIM_PARAM_COPIEDHDRS] = rspamd_dkim_parse_ignore,
- [DKIM_PARAM_BODYHASH] = rspamd_dkim_parse_bodyhash,
- [DKIM_PARAM_BODYLENGTH] = rspamd_dkim_parse_bodylength,
- [DKIM_PARAM_IDX] = rspamd_dkim_parse_idx,
- [DKIM_PARAM_CV] = rspamd_dkim_parse_cv,
- [DKIM_PARAM_IGNORE] = rspamd_dkim_parse_ignore,
- };
-
- #define DKIM_ERROR dkim_error_quark()
- GQuark
- dkim_error_quark(void)
- {
- return g_quark_from_static_string("dkim-error-quark");
- }
-
- /* Parsers implementation */
- static gboolean
- rspamd_dkim_parse_signature(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- ctx->b = rspamd_mempool_alloc0(ctx->pool, len);
- ctx->short_b = rspamd_mempool_alloc0(ctx->pool, RSPAMD_SHORT_BH_LEN + 1);
- rspamd_strlcpy(ctx->short_b, param, MIN(len, RSPAMD_SHORT_BH_LEN + 1));
- (void) rspamd_cryptobox_base64_decode(param, len, ctx->b, &ctx->blen);
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_signalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- /* XXX: ugly size comparison, improve this code style some day */
- if (len == 8) {
- if (memcmp(param, "rsa-sha1", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_RSASHA1;
- return TRUE;
- }
- }
- else if (len == 10) {
- if (memcmp(param, "rsa-sha256", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_RSASHA256;
- return TRUE;
- }
- else if (memcmp(param, "rsa-sha512", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_RSASHA512;
- return TRUE;
- }
- }
- else if (len == 15) {
- if (memcmp(param, "ecdsa256-sha256", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_ECDSASHA256;
- return TRUE;
- }
- else if (memcmp(param, "ecdsa256-sha512", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_ECDSASHA512;
- return TRUE;
- }
- }
- else if (len == 14) {
- if (memcmp(param, "ed25519-sha256", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_EDDSASHA256;
- return TRUE;
- }
- }
-
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_A,
- "invalid dkim sign algorithm");
- return FALSE;
- }
-
- static gboolean
- rspamd_dkim_parse_domain(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- if (!rspamd_str_has_8bit(param, len)) {
- ctx->domain = rspamd_mempool_alloc(ctx->pool, len + 1);
- rspamd_strlcpy(ctx->domain, param, len + 1);
- }
- else {
- ctx->domain = rspamd_dns_resolver_idna_convert_utf8(ctx->resolver,
- ctx->pool, param, len, NULL);
-
- if (!ctx->domain) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim domain tag %.*s: idna failed",
- (int) len, param);
-
- return FALSE;
- }
- }
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_canonalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- const char *p, *slash = NULL, *end = param + len;
- gsize sl = 0;
-
- p = param;
- while (p != end) {
- if (*p == '/') {
- slash = p;
- break;
- }
- p++;
- sl++;
- }
-
- if (slash == NULL) {
- /* Only check header */
- if (len == 6 && memcmp(param, "simple", len) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_SIMPLE;
- return TRUE;
- }
- else if (len == 7 && memcmp(param, "relaxed", len) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_RELAXED;
- return TRUE;
- }
- }
- else {
- /* First check header */
- if (sl == 6 && memcmp(param, "simple", sl) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_SIMPLE;
- }
- else if (sl == 7 && memcmp(param, "relaxed", sl) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_RELAXED;
- }
- else {
- goto err;
- }
- /* Check body */
- len -= sl + 1;
- slash++;
- if (len == 6 && memcmp(slash, "simple", len) == 0) {
- ctx->common.body_canon_type = DKIM_CANON_SIMPLE;
- return TRUE;
- }
- else if (len == 7 && memcmp(slash, "relaxed", len) == 0) {
- ctx->common.body_canon_type = DKIM_CANON_RELAXED;
- return TRUE;
- }
- }
-
- err:
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_A,
- "invalid dkim canonization algorithm");
- return FALSE;
- }
-
- static gboolean
- rspamd_dkim_parse_ignore(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- /* Just ignore unused params */
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_selector(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
-
- if (!rspamd_str_has_8bit(param, len)) {
- ctx->selector = rspamd_mempool_alloc(ctx->pool, len + 1);
- rspamd_strlcpy(ctx->selector, param, len + 1);
- }
- else {
- ctx->selector = rspamd_dns_resolver_idna_convert_utf8(ctx->resolver,
- ctx->pool, param, len, NULL);
-
- if (!ctx->selector) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim selector tag %.*s: idna failed",
- (int) len, param);
-
- return FALSE;
- }
- }
-
- return TRUE;
- }
-
- static void
- rspamd_dkim_hlist_free(void *ud)
- {
- GPtrArray *a = ud;
-
- g_ptr_array_free(a, TRUE);
- }
-
- static gboolean
- rspamd_dkim_parse_hdrlist_common(struct rspamd_dkim_common_ctx *ctx,
- const char *param,
- gsize len,
- gboolean sign,
- GError **err)
- {
- const char *c, *p, *end = param + len;
- char *h;
- gboolean from_found = FALSE, oversign, existing;
- unsigned int count = 0;
- struct rspamd_dkim_header *new;
- gpointer found;
- union rspamd_dkim_header_stat u;
-
- p = param;
- while (p <= end) {
- if ((p == end || *p == ':')) {
- count++;
- }
- p++;
- }
-
- if (count > 0) {
- ctx->hlist = g_ptr_array_sized_new(count);
- }
- else {
- return FALSE;
- }
-
- c = param;
- p = param;
- ctx->htable = g_hash_table_new(rspamd_strcase_hash, rspamd_strcase_equal);
-
- while (p <= end) {
- if ((p == end || *p == ':') && p - c > 0) {
- oversign = FALSE;
- existing = FALSE;
- h = rspamd_mempool_alloc(ctx->pool, p - c + 1);
- rspamd_strlcpy(h, c, p - c + 1);
-
- g_strstrip(h);
-
- if (sign) {
- if (rspamd_lc_cmp(h, "(o)", 3) == 0) {
- oversign = TRUE;
- h += 3;
- msg_debug_dkim("oversign header: %s", h);
- }
- else if (rspamd_lc_cmp(h, "(x)", 3) == 0) {
- oversign = TRUE;
- existing = TRUE;
- h += 3;
- msg_debug_dkim("oversign existing header: %s", h);
- }
- }
-
- /* Check mandatory from */
- if (!from_found && g_ascii_strcasecmp(h, "from") == 0) {
- from_found = TRUE;
- }
-
- new = rspamd_mempool_alloc(ctx->pool,
- sizeof(struct rspamd_dkim_header));
- new->name = h;
- new->count = 0;
- u.n = 0;
-
- g_ptr_array_add(ctx->hlist, new);
- found = g_hash_table_lookup(ctx->htable, h);
-
- if (oversign) {
- if (found) {
- msg_err_dkim("specified oversigned header more than once: %s",
- h);
- }
-
- u.s.flags |= RSPAMD_DKIM_FLAG_OVERSIGN;
-
- if (existing) {
- u.s.flags |= RSPAMD_DKIM_FLAG_OVERSIGN_EXISTING;
- }
-
- u.s.count = 0;
- }
- else {
- if (found != NULL) {
- u.n = GPOINTER_TO_UINT(found);
- new->count = u.s.count;
- u.s.count++;
- }
- else {
- /* Insert new header order to the list */
- u.s.count = new->count + 1;
- }
- }
-
- g_hash_table_insert(ctx->htable, h, GUINT_TO_POINTER(u.n));
-
- c = p + 1;
- p++;
- }
- else {
- p++;
- }
- }
-
- if (!ctx->hlist) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim header list");
- return FALSE;
- }
- else {
- if (!from_found) {
- g_ptr_array_free(ctx->hlist, TRUE);
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim header list, from header is missing");
- return FALSE;
- }
-
- rspamd_mempool_add_destructor(ctx->pool,
- (rspamd_mempool_destruct_t) rspamd_dkim_hlist_free,
- ctx->hlist);
- rspamd_mempool_add_destructor(ctx->pool,
- (rspamd_mempool_destruct_t) g_hash_table_unref,
- ctx->htable);
- }
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_hdrlist(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- return rspamd_dkim_parse_hdrlist_common(&ctx->common, param, len, FALSE, err);
- }
-
- static gboolean
- rspamd_dkim_parse_version(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- if (len != 1 || *param != '1') {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_VERSION,
- "invalid dkim version");
- return FALSE;
- }
-
- ctx->ver = 1;
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_timestamp(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid dkim timestamp");
- return FALSE;
- }
- ctx->timestamp = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_expiration(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid dkim expiration");
- return FALSE;
- }
- ctx->expiration = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_bodyhash(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- ctx->bh = rspamd_mempool_alloc0(ctx->pool, len);
- (void) rspamd_cryptobox_base64_decode(param, len, ctx->bh, &ctx->bhlen);
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_bodylength(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_L,
- "invalid dkim body length");
- return FALSE;
- }
- ctx->common.len = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_idx(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_L,
- "invalid ARC idx");
- return FALSE;
- }
- ctx->common.idx = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_cv(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
-
- /* Only check header */
- if (len == 4 && memcmp(param, "fail", len) == 0) {
- ctx->cv = RSPAMD_ARC_FAIL;
- return TRUE;
- }
- else if (len == 4 && memcmp(param, "pass", len) == 0) {
- ctx->cv = RSPAMD_ARC_PASS;
- return TRUE;
- }
- else if (len == 4 && memcmp(param, "none", len) == 0) {
- ctx->cv = RSPAMD_ARC_NONE;
- return TRUE;
- }
- else if (len == 7 && memcmp(param, "invalid", len) == 0) {
- ctx->cv = RSPAMD_ARC_INVALID;
- return TRUE;
- }
-
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid arc seal verification result");
-
- return FALSE;
- }
-
-
- static void
- rspamd_dkim_add_arc_seal_headers(rspamd_mempool_t *pool,
- struct rspamd_dkim_common_ctx *ctx)
- {
- struct rspamd_dkim_header *hdr;
- int count = ctx->idx, i;
-
- ctx->hlist = g_ptr_array_sized_new(count * 3 - 1);
-
- for (i = 0; i < count; i++) {
- /* Authentication results */
- hdr = rspamd_mempool_alloc(pool, sizeof(*hdr));
- hdr->name = RSPAMD_DKIM_ARC_AUTHHEADER;
- hdr->count = -(i + 1);
- g_ptr_array_add(ctx->hlist, hdr);
-
- /* Arc signature */
- hdr = rspamd_mempool_alloc(pool, sizeof(*hdr));
- hdr->name = RSPAMD_DKIM_ARC_SIGNHEADER;
- hdr->count = -(i + 1);
- g_ptr_array_add(ctx->hlist, hdr);
-
- /* Arc seal (except last one) */
- if (i != count - 1) {
- hdr = rspamd_mempool_alloc(pool, sizeof(*hdr));
- hdr->name = RSPAMD_DKIM_ARC_SEALHEADER;
- hdr->count = -(i + 1);
- g_ptr_array_add(ctx->hlist, hdr);
- }
- }
-
- rspamd_mempool_add_destructor(ctx->pool,
- (rspamd_mempool_destruct_t) rspamd_dkim_hlist_free,
- ctx->hlist);
- }
-
- /**
- * Create new dkim context from signature
- * @param sig message's signature
- * @param pool pool to allocate memory from
- * @param err pointer to error object
- * @return new context or NULL
- */
- rspamd_dkim_context_t *
- rspamd_create_dkim_context(const char *sig,
- rspamd_mempool_t *pool,
- struct rspamd_dns_resolver *resolver,
- unsigned int time_jitter,
- enum rspamd_dkim_type type,
- GError **err)
- {
- const char *p, *c, *tag = NULL, *end;
- int taglen;
- int param = DKIM_PARAM_UNKNOWN;
- const EVP_MD *md_alg;
- time_t now;
- rspamd_dkim_context_t *ctx;
- enum {
- DKIM_STATE_TAG = 0,
- DKIM_STATE_AFTER_TAG,
- DKIM_STATE_VALUE,
- DKIM_STATE_SKIP_SPACES = 99,
- DKIM_STATE_ERROR = 100
- } state,
- next_state;
-
-
- if (sig == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_B,
- "empty signature");
- return NULL;
- }
-
- ctx = rspamd_mempool_alloc0(pool, sizeof(rspamd_dkim_context_t));
- ctx->pool = pool;
- ctx->resolver = resolver;
-
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- ctx->common.header_canon_type = DKIM_CANON_RELAXED;
- ctx->common.body_canon_type = DKIM_CANON_RELAXED;
- }
- else {
- ctx->common.header_canon_type = DKIM_CANON_DEFAULT;
- ctx->common.body_canon_type = DKIM_CANON_DEFAULT;
- }
-
- ctx->sig_alg = DKIM_SIGN_UNKNOWN;
- ctx->common.pool = pool;
- ctx->common.type = type;
- /* A simple state machine of parsing tags */
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_TAG;
- taglen = 0;
- p = sig;
- c = sig;
- end = p + strlen(p);
- ctx->common.sig_hash = rspamd_cryptobox_fast_hash(sig, end - sig,
- rspamd_hash_seed());
-
- msg_debug_dkim("create dkim context sig = %L", ctx->common.sig_hash);
-
- while (p <= end) {
- switch (state) {
- case DKIM_STATE_TAG:
- if (g_ascii_isspace(*p)) {
- taglen = (int) (p - c);
- while (*p && g_ascii_isspace(*p)) {
- /* Skip spaces before '=' sign */
- p++;
- }
- if (*p != '=') {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid dkim param");
- state = DKIM_STATE_ERROR;
- }
- else {
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_AFTER_TAG;
- param = DKIM_PARAM_UNKNOWN;
- p++;
- tag = c;
- }
- }
- else if (*p == '=') {
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_AFTER_TAG;
- param = DKIM_PARAM_UNKNOWN;
- p++;
- tag = c;
- }
- else {
- taglen++;
-
- if (taglen > G_MAXINT8) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "too long dkim tag");
- state = DKIM_STATE_ERROR;
- }
- else {
- p++;
- }
- }
- break;
- case DKIM_STATE_AFTER_TAG:
- /* We got tag at tag and len at taglen */
- switch (taglen) {
- case 0:
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "zero length dkim param");
- state = DKIM_STATE_ERROR;
- break;
- case 1:
- /* 1 character tags */
- switch (*tag) {
- case 'v':
- if (type == RSPAMD_DKIM_NORMAL) {
- param = DKIM_PARAM_VERSION;
- }
- else {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid ARC v param");
- state = DKIM_STATE_ERROR;
- break;
- }
- break;
- case 'a':
- param = DKIM_PARAM_SIGNALG;
- break;
- case 'b':
- param = DKIM_PARAM_SIGNATURE;
- break;
- case 'c':
- param = DKIM_PARAM_CANONALG;
- break;
- case 'd':
- param = DKIM_PARAM_DOMAIN;
- break;
- case 'h':
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "ARC seal must NOT have h= tag");
- state = DKIM_STATE_ERROR;
- break;
- }
- else {
- param = DKIM_PARAM_HDRLIST;
- }
- break;
- case 'i':
- if (type == RSPAMD_DKIM_NORMAL) {
- param = DKIM_PARAM_IDENTITY;
- }
- else {
- param = DKIM_PARAM_IDX;
- }
- break;
- case 'l':
- param = DKIM_PARAM_BODYLENGTH;
- break;
- case 'q':
- param = DKIM_PARAM_QUERYMETHOD;
- break;
- case 's':
- param = DKIM_PARAM_SELECTOR;
- break;
- case 't':
- param = DKIM_PARAM_TIMESTAMP;
- break;
- case 'x':
- param = DKIM_PARAM_EXPIRATION;
- break;
- case 'z':
- param = DKIM_PARAM_COPIEDHDRS;
- break;
- case 'r':
- param = DKIM_PARAM_IGNORE;
- break;
- default:
- param = DKIM_PARAM_UNKNOWN;
- msg_debug_dkim("unknown DKIM param %c, ignoring it", *tag);
- break;
- }
- break;
- case 2:
- /* Two characters tags, e.g. `bh` */
- if (tag[0] == 'b' && tag[1] == 'h') {
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "ARC seal must NOT have bh= tag");
- state = DKIM_STATE_ERROR;
- }
- else {
- param = DKIM_PARAM_BODYHASH;
- }
- }
- else if (tag[0] == 'c' && tag[1] == 'v') {
- if (type != RSPAMD_DKIM_ARC_SEAL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "cv tag is valid for ARC-Seal only");
- state = DKIM_STATE_ERROR;
- }
- else {
- param = DKIM_PARAM_CV;
- }
- }
- else {
- param = DKIM_PARAM_UNKNOWN;
- msg_debug_dkim("unknown DKIM param %*s, ignoring it", taglen, tag);
- }
- break;
- default:
- /* Long and unknown (yet) DKIM tag */
- param = DKIM_PARAM_UNKNOWN;
- msg_debug_dkim("unknown DKIM param %*s, ignoring it", taglen, tag);
- break;
- }
-
- if (state != DKIM_STATE_ERROR) {
- /* Skip spaces */
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_VALUE;
- }
- break;
- case DKIM_STATE_VALUE:
- if (*p == ';') {
- if (p - c == 0 || c > p) {
- state = DKIM_STATE_ERROR;
- }
- else {
- /* Cut trailing spaces for value */
- int tlen = p - c;
- const char *tmp = p - 1;
-
- while (tlen > 0) {
- if (!g_ascii_isspace(*tmp)) {
- break;
- }
- tlen--;
- tmp--;
- }
-
- if (param != DKIM_PARAM_UNKNOWN) {
- if (!parser_funcs[param](ctx, c, tlen, err)) {
- state = DKIM_STATE_ERROR;
- }
- else {
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_TAG;
- p++;
- taglen = 0;
- }
- }
- else {
- /* Unknown param has been ignored */
- msg_debug_dkim("ignored unknown tag parameter value: %*s = %*s",
- taglen, tag, tlen, c);
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_TAG;
- p++;
- taglen = 0;
- }
- }
- }
- else if (p == end) {
- /* Last parameter with no `;` character */
- int tlen = p - c;
- const char *tmp = p - 1;
-
- while (tlen > 0) {
- if (!g_ascii_isspace(*tmp)) {
- break;
- }
- tlen--;
- tmp--;
- }
-
- if (param != DKIM_PARAM_UNKNOWN) {
- if (!parser_funcs[param](ctx, c, tlen, err)) {
- state = DKIM_STATE_ERROR;
- }
- }
- else {
- msg_debug_dkim("ignored unknown tag parameter value: %*s: %*s",
- taglen, tag, tlen, c);
- }
-
- if (state == DKIM_STATE_ERROR) {
- /*
- * We need to return from here as state machine won't
- * do any more steps after p == end
- */
- if (err) {
- msg_info_dkim("dkim parse failed: %e", *err);
- }
-
- return NULL;
- }
- /* Finish processing */
- p++;
- }
- else {
- p++;
- }
- break;
- case DKIM_STATE_SKIP_SPACES:
- if (g_ascii_isspace(*p)) {
- p++;
- }
- else {
- c = p;
- state = next_state;
- }
- break;
- case DKIM_STATE_ERROR:
- if (err && *err) {
- msg_info_dkim("dkim parse failed: %s", (*err)->message);
- return NULL;
- }
- else {
- msg_info_dkim("dkim parse failed: unknown error when parsing %c tag",
- tag ? *tag : '?');
- return NULL;
- }
- break;
- }
- }
-
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- rspamd_dkim_add_arc_seal_headers(pool, &ctx->common);
- }
-
- /* Now check validity of signature */
- if (ctx->b == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_B,
- "b parameter missing");
- return NULL;
- }
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL && ctx->bh == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_BH,
- "bh parameter missing");
- return NULL;
- }
- if (ctx->domain == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_D,
- "domain parameter missing");
- return NULL;
- }
- if (ctx->selector == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_S,
- "selector parameter missing");
- return NULL;
- }
- if (ctx->common.type == RSPAMD_DKIM_NORMAL && ctx->ver == 0) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_V,
- "v parameter missing");
- return NULL;
- }
- if (ctx->common.hlist == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_H,
- "h parameter missing");
- return NULL;
- }
- if (ctx->sig_alg == DKIM_SIGN_UNKNOWN) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_S,
- "s parameter missing");
- return NULL;
- }
-
- if (type != RSPAMD_DKIM_ARC_SEAL) {
- if (ctx->sig_alg == DKIM_SIGN_RSASHA1) {
- /* Check bh length */
- if (ctx->bhlen != (unsigned int) EVP_MD_size(EVP_sha1())) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has incorrect length: %zu",
- ctx->bhlen);
- return NULL;
- }
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA256) {
- if (ctx->bhlen !=
- (unsigned int) EVP_MD_size(EVP_sha256())) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has incorrect length: %zu",
- ctx->bhlen);
- return NULL;
- }
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA512 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA512) {
- if (ctx->bhlen !=
- (unsigned int) EVP_MD_size(EVP_sha512())) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has incorrect length: %zu",
- ctx->bhlen);
- return NULL;
- }
- }
- }
-
- /* Check expiration */
- now = time(NULL);
- if (ctx->timestamp && now < ctx->timestamp && ctx->timestamp - now > (int) time_jitter) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_FUTURE,
- "signature was made in future, ignoring");
- return NULL;
- }
- if (ctx->expiration && ctx->expiration < now) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EXPIRED,
- "signature has expired");
- return NULL;
- }
-
- if (ctx->common.type != RSPAMD_DKIM_NORMAL && (ctx->common.idx == 0 ||
- ctx->common.idx > RSPAMD_DKIM_MAX_ARC_IDX)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "i parameter missing or invalid for ARC");
- return NULL;
- }
-
- if (ctx->common.type == RSPAMD_DKIM_ARC_SEAL) {
- if (ctx->cv == RSPAMD_ARC_UNKNOWN) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "cv parameter missing or invalid for ARC");
- return NULL;
- }
- }
-
- /* Now create dns key to request further */
- gsize dnslen = strlen(ctx->domain) + strlen(ctx->selector) +
- sizeof(DKIM_DNSKEYNAME) + 2;
- ctx->dns_key = rspamd_mempool_alloc(ctx->pool, dnslen);
- rspamd_snprintf(ctx->dns_key,
- dnslen,
- "%s.%s.%s",
- ctx->selector,
- DKIM_DNSKEYNAME,
- ctx->domain);
-
- /* Create checksums for further operations */
- if (ctx->sig_alg == DKIM_SIGN_RSASHA1) {
- md_alg = EVP_sha1();
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_EDDSASHA256) {
- md_alg = EVP_sha256();
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA512 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA512) {
- md_alg = EVP_sha512();
- }
- else {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has unsupported signature algorithm");
-
- return NULL;
- }
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- ctx->common.body_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(ctx->common.body_hash, md_alg, NULL);
- ctx->common.headers_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(ctx->common.headers_hash, md_alg, NULL);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, ctx->common.body_hash);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, ctx->common.headers_hash);
- #else
- ctx->common.body_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(ctx->common.body_hash, md_alg, NULL);
- ctx->common.headers_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(ctx->common.headers_hash, md_alg, NULL);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, ctx->common.body_hash);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, ctx->common.headers_hash);
- #endif
- ctx->dkim_header = sig;
-
- return ctx;
- }
-
- struct rspamd_dkim_key_cbdata {
- rspamd_dkim_context_t *ctx;
- dkim_key_handler_f handler;
- gpointer ud;
- };
-
- rspamd_dkim_key_t *
- rspamd_dkim_make_key(const char *keydata,
- unsigned int keylen, enum rspamd_dkim_key_type type, GError **err)
- {
- rspamd_dkim_key_t *key = NULL;
-
- if (keylen < 3) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "DKIM key is too short to be valid");
- return NULL;
- }
-
- key = g_malloc0(sizeof(rspamd_dkim_key_t));
- REF_INIT_RETAIN(key, rspamd_dkim_key_free);
- key->keydata = g_malloc0(keylen + 1);
- key->raw_key = g_malloc(keylen);
- key->decoded_len = keylen;
- key->type = type;
-
- /* Copy key skipping all spaces and newlines */
- const char *h = keydata;
- uint8_t *t = key->raw_key;
-
- while (h - keydata < keylen) {
- if (!g_ascii_isspace(*h)) {
- *t++ = *h++;
- }
- else {
- h++;
- }
- }
-
- key->keylen = t - key->raw_key;
-
- if (!rspamd_cryptobox_base64_decode(key->raw_key, key->keylen, key->keydata,
- &key->decoded_len)) {
- REF_RELEASE(key);
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "DKIM key is not a valid base64 string");
-
- return NULL;
- }
-
- /* Calculate ID -> md5 */
- EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
-
- #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
- EVP_MD_CTX_set_flags(mdctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #endif
-
- if (EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) == 1) {
- unsigned int dlen = sizeof(key->key_id);
-
- EVP_DigestUpdate(mdctx, key->keydata, key->decoded_len);
- EVP_DigestFinal_ex(mdctx, key->key_id, &dlen);
- }
-
- EVP_MD_CTX_destroy(mdctx);
-
- if (key->type == RSPAMD_DKIM_KEY_EDDSA) {
- key->key.key_eddsa = key->keydata;
-
- if (key->decoded_len != rspamd_cryptobox_pk_sig_bytes(
- RSPAMD_CRYPTOBOX_MODE_25519)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "DKIM key is has invalid length %d for eddsa; expected %d",
- (int) key->decoded_len,
- rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
- REF_RELEASE(key);
-
- return NULL;
- }
- }
- else {
- key->key_bio = BIO_new_mem_buf(key->keydata, key->decoded_len);
-
- if (key->key_bio == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot make ssl bio from key");
- REF_RELEASE(key);
-
- return NULL;
- }
-
- key->key_evp = d2i_PUBKEY_bio(key->key_bio, NULL);
-
- if (key->key_evp == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract pubkey from bio");
- REF_RELEASE(key);
-
- return NULL;
- }
-
- if (type == RSPAMD_DKIM_KEY_RSA) {
- key->key.key_rsa = EVP_PKEY_get1_RSA(key->key_evp);
-
- if (key->key.key_rsa == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract rsa key from evp key");
- REF_RELEASE(key);
-
- return NULL;
- }
- }
- else {
- key->key.key_ecdsa = EVP_PKEY_get1_EC_KEY(key->key_evp);
-
- if (key->key.key_ecdsa == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract ecdsa key from evp key");
- REF_RELEASE(key);
-
- return NULL;
- }
- }
- }
-
- return key;
- }
-
- const unsigned char *
- rspamd_dkim_key_id(rspamd_dkim_key_t *key)
- {
- if (key) {
- return key->key_id;
- }
-
- return NULL;
- }
-
- /**
- * Free DKIM key
- * @param key
- */
- void rspamd_dkim_key_free(rspamd_dkim_key_t *key)
- {
- if (key->key_evp) {
- EVP_PKEY_free(key->key_evp);
- }
-
- if (key->type == RSPAMD_DKIM_KEY_RSA) {
- if (key->key.key_rsa) {
- RSA_free(key->key.key_rsa);
- }
- }
- else if (key->type == RSPAMD_DKIM_KEY_ECDSA) {
- if (key->key.key_ecdsa) {
- EC_KEY_free(key->key.key_ecdsa);
- }
- }
- /* Nothing in case of eddsa key */
- if (key->key_bio) {
- BIO_free(key->key_bio);
- }
-
- g_free(key->raw_key);
- g_free(key->keydata);
- g_free(key);
- }
-
- void rspamd_dkim_sign_key_free(rspamd_dkim_sign_key_t *key)
- {
- if (key->key_evp) {
- EVP_PKEY_free(key->key_evp);
- }
- if (key->type == RSPAMD_DKIM_KEY_RSA) {
- if (key->key.key_rsa) {
- RSA_free(key->key.key_rsa);
- }
- }
- if (key->key_bio) {
- BIO_free(key->key_bio);
- }
-
- if (key->type == RSPAMD_DKIM_KEY_EDDSA) {
- rspamd_explicit_memzero(key->key.key_eddsa, key->keylen);
- g_free(key->keydata);
- }
-
- g_free(key);
- }
-
- rspamd_dkim_key_t *
- rspamd_dkim_parse_key(const char *txt, gsize *keylen, GError **err)
- {
- const char *c, *p, *end, *key = NULL, *alg = "rsa";
- enum {
- read_tag = 0,
- read_tag_before_eqsign,
- read_eqsign,
- read_p_tag,
- read_k_tag,
- ignore_value,
- skip_spaces,
- } state = read_tag,
- next_state;
- char tag = '\0';
- gsize klen = 0, alglen = 0;
-
- c = txt;
- p = txt;
- end = txt + strlen(txt);
-
- while (p < end) {
- switch (state) {
- case read_tag:
- if (*p == '=') {
- state = read_eqsign;
- }
- else if (g_ascii_isspace(*p)) {
- state = skip_spaces;
-
- if (tag != '\0') {
- /* We had tag letter */
- next_state = read_tag_before_eqsign;
- }
- else {
- /* We had no tag letter, so we ignore empty tag */
- next_state = read_tag;
- }
- }
- else {
- tag = *p;
- }
- p++;
- break;
- case read_tag_before_eqsign:
- /* Input: spaces before eqsign
- * Output: either read a next tag (previous had no value), or read value
- * p is moved forward
- */
- if (*p == '=') {
- state = read_eqsign;
- }
- else {
- tag = *p;
- state = read_tag;
- }
- p++;
- break;
- case read_eqsign:
- /* Always switch to skip spaces state and do not advance p */
- state = skip_spaces;
-
- if (tag == 'p') {
- next_state = read_p_tag;
- }
- else if (tag == 'k') {
- next_state = read_k_tag;
- }
- else {
- /* Unknown tag, ignore */
- next_state = ignore_value;
- tag = '\0';
- }
- break;
- case read_p_tag:
- if (*p == ';') {
- klen = p - c;
- key = c;
- state = read_tag;
- tag = '\0';
- p++;
- }
- else {
- p++;
- }
- break;
- case read_k_tag:
- if (*p == ';') {
- alglen = p - c;
- alg = c;
- state = read_tag;
- tag = '\0';
- p++;
- }
- else if (g_ascii_isspace(*p)) {
- alglen = p - c;
- alg = c;
- state = skip_spaces;
- next_state = read_tag;
- tag = '\0';
- }
- else {
- p++;
- }
- break;
- case ignore_value:
- if (*p == ';') {
- state = read_tag;
- tag = '\0';
- p++;
- }
- else if (g_ascii_isspace(*p)) {
- state = skip_spaces;
- next_state = read_tag;
- tag = '\0';
- }
- else {
- p++;
- }
- break;
- case skip_spaces:
- /* Skip spaces and switch to the next state if needed */
- if (g_ascii_isspace(*p)) {
- p++;
- }
- else {
- c = p;
- state = next_state;
- }
- break;
- default:
- break;
- }
- }
-
- /* Leftover */
- switch (state) {
- case read_p_tag:
- klen = p - c;
- key = c;
- break;
- case read_k_tag:
- alglen = p - c;
- alg = c;
- break;
- default:
- break;
- }
-
- if (klen == 0 || key == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "key is missing");
-
- return NULL;
- }
-
- if (alglen == 0 || alg == NULL) {
- alg = "rsa"; /* Implicit */
- alglen = 3;
- }
-
- if (keylen) {
- *keylen = klen;
- }
-
- if (alglen == 8 && rspamd_lc_cmp(alg, "ecdsa256", alglen) == 0) {
- return rspamd_dkim_make_key(key, klen,
- RSPAMD_DKIM_KEY_ECDSA, err);
- }
- else if (alglen == 7 && rspamd_lc_cmp(alg, "ed25519", alglen) == 0) {
- return rspamd_dkim_make_key(key, klen,
- RSPAMD_DKIM_KEY_EDDSA, err);
- }
- else {
- /* We assume RSA default in all cases */
- return rspamd_dkim_make_key(key, klen,
- RSPAMD_DKIM_KEY_RSA, err);
- }
-
- g_assert_not_reached();
-
- return NULL;
- }
-
- /* Get TXT request data and parse it */
- static void
- rspamd_dkim_dns_cb(struct rdns_reply *reply, gpointer arg)
- {
- struct rspamd_dkim_key_cbdata *cbdata = arg;
- rspamd_dkim_key_t *key = NULL;
- GError *err = NULL;
- struct rdns_reply_entry *elt;
- gsize keylen = 0;
-
- if (reply->code != RDNS_RC_NOERROR) {
- int err_code = DKIM_SIGERROR_NOKEY;
- if (reply->code == RDNS_RC_NOREC) {
- err_code = DKIM_SIGERROR_NOREC;
- }
- else if (reply->code == RDNS_RC_NXDOMAIN) {
- err_code = DKIM_SIGERROR_NOREC;
- }
- g_set_error(&err,
- DKIM_ERROR,
- err_code,
- "dns request to %s failed: %s",
- cbdata->ctx->dns_key,
- rdns_strerror(reply->code));
- cbdata->handler(NULL, 0, cbdata->ctx, cbdata->ud, err);
- }
- else {
- LL_FOREACH(reply->entries, elt)
- {
- if (elt->type == RDNS_REQUEST_TXT) {
- if (err != NULL) {
- /* Free error as it is insignificant */
- g_error_free(err);
- err = NULL;
- }
- key = rspamd_dkim_parse_key(elt->content.txt.data,
- &keylen,
- &err);
- if (key) {
- key->ttl = elt->ttl;
- break;
- }
- }
- }
- cbdata->handler(key, keylen, cbdata->ctx, cbdata->ud, err);
- }
- }
-
- /**
- * Make DNS request for specified context and obtain and parse key
- * @param ctx dkim context from signature
- * @param resolver dns resolver object
- * @param s async session to make request
- * @return
- */
- gboolean
- rspamd_get_dkim_key(rspamd_dkim_context_t *ctx,
- struct rspamd_task *task,
- dkim_key_handler_f handler,
- gpointer ud)
- {
- struct rspamd_dkim_key_cbdata *cbdata;
-
- g_return_val_if_fail(ctx != NULL, FALSE);
- g_return_val_if_fail(ctx->dns_key != NULL, FALSE);
-
- cbdata =
- rspamd_mempool_alloc(ctx->pool,
- sizeof(struct rspamd_dkim_key_cbdata));
- cbdata->ctx = ctx;
- cbdata->handler = handler;
- cbdata->ud = ud;
-
- return rspamd_dns_resolver_request_task_forced(task,
- rspamd_dkim_dns_cb,
- cbdata,
- RDNS_REQUEST_TXT,
- ctx->dns_key);
- }
-
- static gboolean
- rspamd_dkim_relaxed_body_step(struct rspamd_dkim_common_ctx *ctx, EVP_MD_CTX *ck,
- const char **start, unsigned int size,
- gssize *remain)
- {
- const char *h;
- char *t;
- unsigned int len, inlen;
- gssize octets_remain;
- gboolean got_sp, ret = TRUE;
- char buf[1024];
-
- len = size;
- inlen = sizeof(buf) - 1;
- h = *start;
- t = buf;
- got_sp = FALSE;
- octets_remain = *remain;
-
- while (len > 0 && inlen > 0 && (octets_remain > 0)) {
-
- if (*h == '\r' || *h == '\n') {
- if (got_sp) {
- /* Ignore spaces at the end of line */
- t--;
- }
- *t++ = '\r';
- *t++ = '\n';
-
- if (len > 1 && (*h == '\r' && h[1] == '\n')) {
- h += 2;
- len -= 2;
- octets_remain -= 2;
- }
- else {
- h++;
- len--;
- if (octets_remain >= 2) {
- octets_remain -= 2; /* Input has just \n or \r so we actually add more octets */
- }
- else {
- octets_remain--;
- break;
- }
- }
- break;
- }
- else if (g_ascii_isspace(*h)) {
- if (got_sp) {
- /* Ignore multiply spaces */
- h++;
- len--;
- continue;
- }
- else {
- *t++ = ' ';
- h++;
- inlen--;
- len--;
- octets_remain--;
- got_sp = TRUE;
- continue;
- }
- }
- else {
- got_sp = FALSE;
- }
-
- *t++ = *h++;
- inlen--;
- len--;
- octets_remain--;
- }
-
- if (octets_remain < 0) {
- /* Absurdic l tag value, but we still need to rewind the t pointer back */
- while (t > buf && octets_remain < 0) {
- t--;
- octets_remain++;
- }
-
- ret = FALSE;
- }
-
- *start = h;
-
- if (t - buf > 0) {
- gsize cklen = t - buf;
-
- EVP_DigestUpdate(ck, buf, cklen);
- ctx->body_canonicalised += cklen;
- msg_debug_dkim("relaxed update signature with body buffer "
- "(%z size, %z -> %z remain)",
- cklen, *remain, octets_remain);
- *remain = octets_remain;
- }
-
- return ret && ((len > 0) && (octets_remain > 0));
- }
-
- static gboolean
- rspamd_dkim_simple_body_step(struct rspamd_dkim_common_ctx *ctx,
- EVP_MD_CTX *ck, const char **start, unsigned int size,
- gssize *remain)
- {
- const char *h;
- char *t;
- unsigned int len, inlen;
- gssize octets_remain;
- char buf[1024];
-
- len = size;
- inlen = sizeof(buf) - 1;
- h = *start;
- t = &buf[0];
- octets_remain = *remain;
-
- while (len > 0 && inlen > 0 && (octets_remain != 0)) {
- if (*h == '\r' || *h == '\n') {
- *t++ = '\r';
- *t++ = '\n';
-
- if (len > 1 && (*h == '\r' && h[1] == '\n')) {
- h += 2;
- len -= 2;
-
- if (octets_remain >= 2) {
- octets_remain -= 2; /* Input has just \n or \r so we actually add more octets */
- }
- else {
- octets_remain--;
- }
- }
- else {
- h++;
- len--;
-
- if (octets_remain >= 2) {
- octets_remain -= 2; /* Input has just \n or \r so we actually add more octets */
- }
- else {
- octets_remain--;
- }
- }
- break;
- }
-
- *t++ = *h++;
- octets_remain--;
- inlen--;
- len--;
- }
-
- *start = h;
-
- if (t - buf > 0) {
- gsize cklen = t - buf;
-
- EVP_DigestUpdate(ck, buf, cklen);
- ctx->body_canonicalised += cklen;
- msg_debug_dkim("simple update signature with body buffer "
- "(%z size, %z -> %z remain)",
- cklen, *remain, octets_remain);
- *remain = octets_remain;
- }
-
- return ((len != 0) && (octets_remain != 0));
- }
-
- static const char *
- rspamd_dkim_skip_empty_lines(const char *start, const char *end,
- unsigned int type, gboolean sign, gboolean *need_crlf)
- {
- const char *p = end - 1, *t;
- enum {
- init = 0,
- init_2,
- got_cr,
- got_lf,
- got_crlf,
- test_spaces,
- } state = init;
- unsigned int skip = 0;
-
- while (p >= start) {
- switch (state) {
- case init:
- if (*p == '\r') {
- state = got_cr;
- }
- else if (*p == '\n') {
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && *p == ' ') {
- skip = 0;
- state = test_spaces;
- }
- else {
- if (sign || type != DKIM_CANON_RELAXED) {
- *need_crlf = TRUE;
- }
-
- goto end;
- }
- break;
- case init_2:
- if (*p == '\r') {
- state = got_cr;
- }
- else if (*p == '\n') {
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && (*p == ' ' || *p == '\t')) {
- skip = 0;
- state = test_spaces;
- }
- else {
- goto end;
- }
- break;
- case got_cr:
- if (p >= start + 1) {
- if (*(p - 1) == '\r') {
- p--;
- state = got_cr;
- }
- else if (*(p - 1) == '\n') {
- if ((*p - 2) == '\r') {
- /* \r\n\r -> we know about one line */
- p -= 1;
- state = got_crlf;
- }
- else {
- /* \n\r -> we know about one line */
- p -= 1;
- state = got_lf;
- }
- }
- else if (type == DKIM_CANON_RELAXED && (*(p - 1) == ' ' ||
- *(p - 1) == '\t')) {
- skip = 1;
- state = test_spaces;
- }
- else {
- goto end;
- }
- }
- else {
- if (g_ascii_isspace(*(p - 1))) {
- if (type == DKIM_CANON_RELAXED) {
- p -= 1;
- }
- }
- goto end;
- }
- break;
- case got_lf:
- if (p >= start + 1) {
- if (*(p - 1) == '\r') {
- state = got_crlf;
- }
- else if (*(p - 1) == '\n') {
- /* We know about one line */
- p--;
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && (*(p - 1) == ' ' ||
- *(p - 1) == '\t')) {
- skip = 1;
- state = test_spaces;
- }
- else {
- goto end;
- }
- }
- else {
- if (g_ascii_isspace(*(p - 1))) {
- if (type == DKIM_CANON_RELAXED) {
- p -= 1;
- }
- }
- goto end;
- }
- break;
- case got_crlf:
- if (p >= start + 2) {
- if (*(p - 2) == '\r') {
- p -= 2;
- state = got_cr;
- }
- else if (*(p - 2) == '\n') {
- p -= 2;
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && (*(p - 2) == ' ' ||
- *(p - 2) == '\t')) {
- skip = 2;
- state = test_spaces;
- }
- else {
- goto end;
- }
- }
- else {
- if (g_ascii_isspace(*(p - 2))) {
- if (type == DKIM_CANON_RELAXED) {
- p -= 2;
- }
- }
- goto end;
- }
- break;
- case test_spaces:
- t = p - skip;
-
- while (t >= start + 2 && (*t == ' ' || *t == '\t')) {
- t--;
- }
-
- if (*t == '\r') {
- p = t;
- state = got_cr;
- }
- else if (*t == '\n') {
- p = t;
- state = got_lf;
- }
- else {
- goto end;
- }
- break;
- }
- }
-
- end:
- return p;
- }
-
- static gboolean
- rspamd_dkim_canonize_body(struct rspamd_task *task,
- struct rspamd_dkim_common_ctx *ctx,
- const char *start,
- const char *end,
- gboolean sign)
- {
- const char *p;
- gssize remain = ctx->len ? ctx->len : G_MAXSSIZE;
- unsigned int total_len = end - start;
- gboolean need_crlf = FALSE;
-
- if (start == NULL) {
- /* Empty body */
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE) {
- EVP_DigestUpdate(ctx->body_hash, CRLF, sizeof(CRLF) - 1);
- ctx->body_canonicalised += sizeof(CRLF) - 1;
- }
- else {
- EVP_DigestUpdate(ctx->body_hash, "", 0);
- }
- }
- else if (end >= start) {
- /* Add sanity checks for ctx->len */
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE && ctx->len > 0) {
- if (ctx->len < 2 && end - start > 2) {
- msg_info_task("DKIM l tag is invalid: %d (%d actual size)", (int) ctx->len, (int) (end - start));
- return FALSE;
- }
- if (ctx->len + 2 < (double) (end - start) * 0.9) {
- msg_info_task("DKIM l tag does not cover enough of the body: %d (%d actual size)",
- (int) ctx->len, (int) (end - start));
- return FALSE;
- }
- }
-
- /* Strip extra ending CRLF */
- p = rspamd_dkim_skip_empty_lines(start, end, ctx->body_canon_type,
- sign, &need_crlf);
- end = p + 1;
-
- if (end == start) {
- /* Empty body */
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE) {
- EVP_DigestUpdate(ctx->body_hash, CRLF, sizeof(CRLF) - 1);
- ctx->body_canonicalised += sizeof(CRLF) - 1;
- }
- else {
- EVP_DigestUpdate(ctx->body_hash, "", 0);
- }
- }
- else {
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE) {
- /* Simple canonization */
- while (rspamd_dkim_simple_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain))
- ;
-
- /*
- * If we have l= tag then we cannot add crlf...
- */
- if (need_crlf) {
- /* l is evil... */
- if (ctx->len == 0) {
- remain = 2;
- }
- else {
- if (ctx->len <= total_len) {
- /* We don't have enough l to add \r\n */
- remain = 0;
- }
- else {
- if (ctx->len - total_len >= 2) {
- remain = 2;
- }
- else {
- remain = ctx->len - total_len;
- }
- }
- }
-
- start = "\r\n";
- end = start + 2;
-
- rspamd_dkim_simple_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain);
- }
- }
- else {
- size_t orig_len = remain;
-
- while (rspamd_dkim_relaxed_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain))
- ;
-
- if (ctx->len > 0 && remain > (double) orig_len * 0.1) {
- msg_info_task("DKIM l tag does not cover enough of the body: %d (%d actual size)",
- (int) ctx->len, (int) (end - start));
- return FALSE;
- }
-
- if (need_crlf) {
- start = "\r\n";
- end = start + 2;
- remain = 2;
- rspamd_dkim_relaxed_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain);
- }
- }
- }
- return TRUE;
- }
-
- /* TODO: Implement relaxed algorithm */
- return FALSE;
- }
-
- /* Update hash converting all CR and LF to CRLF */
- static void
- rspamd_dkim_hash_update(EVP_MD_CTX *ck, const char *begin, gsize len)
- {
- const char *p, *c, *end;
-
- end = begin + len;
- p = begin;
- c = p;
-
- while (p < end) {
- if (*p == '\r') {
- EVP_DigestUpdate(ck, c, p - c);
- EVP_DigestUpdate(ck, CRLF, sizeof(CRLF) - 1);
- p++;
-
- if (p < end && *p == '\n') {
- p++;
- }
- c = p;
- }
- else if (*p == '\n') {
- EVP_DigestUpdate(ck, c, p - c);
- EVP_DigestUpdate(ck, CRLF, sizeof(CRLF) - 1);
- p++;
- c = p;
- }
- else {
- p++;
- }
- }
-
- if (p > c) {
- EVP_DigestUpdate(ck, c, p - c);
- }
- }
-
- /* Update hash by signature value (ignoring b= tag) */
- static void
- rspamd_dkim_signature_update(struct rspamd_dkim_common_ctx *ctx,
- const char *begin,
- unsigned int len)
- {
- const char *p, *c, *end;
- gboolean tag, skip;
-
- end = begin + len;
- p = begin;
- c = begin;
- tag = TRUE;
- skip = FALSE;
-
- while (p < end) {
- if (tag && p[0] == 'b' && p[1] == '=') {
- /* Add to signature */
- msg_debug_dkim("initial update hash with signature part: %*s",
- (int) (p - c + 2),
- c);
- ctx->headers_canonicalised += p - c + 2;
- rspamd_dkim_hash_update(ctx->headers_hash, c, p - c + 2);
- skip = TRUE;
- }
- else if (skip && (*p == ';' || p == end - 1)) {
- skip = FALSE;
- c = p;
- }
- else if (!tag && *p == ';') {
- tag = TRUE;
- }
- else if (tag && *p == '=') {
- tag = FALSE;
- }
- p++;
- }
-
- p--;
- /* Skip \r\n at the end */
- while ((*p == '\r' || *p == '\n') && p >= c) {
- p--;
- }
-
- if (p - c + 1 > 0) {
- msg_debug_dkim("final update hash with signature part: %*s",
- (int) (p - c + 1), c);
- ctx->headers_canonicalised += p - c + 1;
- rspamd_dkim_hash_update(ctx->headers_hash, c, p - c + 1);
- }
- }
-
- goffset
- rspamd_dkim_canonize_header_relaxed_str(const char *hname,
- const char *hvalue,
- char *out,
- gsize outlen)
- {
- char *t;
- const unsigned char *h;
- gboolean got_sp;
-
- /* Name part */
- t = out;
- h = hname;
-
- while (*h && t - out < outlen) {
- *t++ = lc_map[*h++];
- }
-
- if (t - out >= outlen) {
- return -1;
- }
-
- *t++ = ':';
-
- /* Value part */
- h = hvalue;
- /* Skip spaces at the beginning */
- while (g_ascii_isspace(*h)) {
- h++;
- }
-
- got_sp = FALSE;
-
- while (*h && (t - out < outlen)) {
- if (g_ascii_isspace(*h)) {
- if (got_sp) {
- h++;
- continue;
- }
- else {
- got_sp = TRUE;
- *t++ = ' ';
- h++;
- continue;
- }
- }
- else {
- got_sp = FALSE;
- }
-
- *t++ = *h++;
- }
-
- if (g_ascii_isspace(*(t - 1))) {
- t--;
- }
-
- if (t - out >= outlen - 2) {
- return -1;
- }
-
- *t++ = '\r';
- *t++ = '\n';
- *t = '\0';
-
- return t - out;
- }
-
- static gboolean
- rspamd_dkim_canonize_header_relaxed(struct rspamd_dkim_common_ctx *ctx,
- const char *header,
- const char *header_name,
- gboolean is_sign,
- unsigned int count,
- bool is_seal)
- {
- static char st_buf[8192];
- char *buf;
- unsigned int inlen;
- goffset r;
- gboolean allocated = FALSE;
-
- inlen = strlen(header) + strlen(header_name) + sizeof(":" CRLF);
-
- if (inlen > sizeof(st_buf)) {
- buf = g_malloc(inlen);
- allocated = TRUE;
- }
- else {
- /* Faster */
- buf = st_buf;
- }
-
- r = rspamd_dkim_canonize_header_relaxed_str(header_name, header, buf, inlen);
-
- g_assert(r != -1);
-
- if (!is_sign) {
- msg_debug_dkim("update %s with header (idx=%d): %s",
- is_seal ? "seal" : "signature", count, buf);
- EVP_DigestUpdate(ctx->headers_hash, buf, r);
- }
- else {
- rspamd_dkim_signature_update(ctx, buf, r);
- }
-
- if (allocated) {
- g_free(buf);
- }
-
- return TRUE;
- }
-
-
- static gboolean
- rspamd_dkim_canonize_header(struct rspamd_dkim_common_ctx *ctx,
- struct rspamd_task *task,
- const char *header_name,
- int count,
- const char *dkim_header,
- const char *dkim_domain)
- {
- struct rspamd_mime_header *rh, *cur, *sel = NULL;
- int hdr_cnt = 0;
- bool use_idx = false, is_sign = ctx->is_sign;
-
- /*
- * TODO:
- * Temporary hack to prevent linked list being misused until refactored
- */
- const unsigned int max_list_iters = 1000;
-
- if (count < 0) {
- use_idx = true;
- count = -(count); /* use i= in header content as it is arc stuff */
- }
-
- if (dkim_header == NULL) {
- rh = rspamd_message_get_header_array(task, header_name,
- is_sign);
-
- if (rh) {
- /* Check uniqueness of the header but we count from the bottom to top */
- if (!use_idx) {
- for (cur = rh->prev;; cur = cur->prev) {
- if (hdr_cnt == count) {
- sel = cur;
- }
-
- hdr_cnt++;
-
- if (cur == rh || hdr_cnt >= max_list_iters) {
- /* Cycle */
- break;
- }
- }
-
- if ((rh->flags & RSPAMD_HEADER_UNIQUE) && hdr_cnt > 1) {
- uint64_t random_cookie = ottery_rand_uint64();
-
- msg_warn_dkim("header %s is intended to be unique by"
- " email standards, but we have %d headers of this"
- " type, artificially break DKIM check",
- header_name,
- hdr_cnt);
- rspamd_dkim_hash_update(ctx->headers_hash,
- (const char *) &random_cookie,
- sizeof(random_cookie));
- ctx->headers_canonicalised += sizeof(random_cookie);
-
- return FALSE;
- }
-
- if (hdr_cnt <= count) {
- /*
- * If DKIM has less headers requested than there are in a
- * message, then it's fine, it allows adding extra headers
- */
- return TRUE;
- }
- }
- else {
- /*
- * This branch is used for ARC headers, and it orders them based on
- * i=<number> string and not their real order in the list of headers
- */
- char idx_buf[16];
- int id_len, i;
-
- id_len = rspamd_snprintf(idx_buf, sizeof(idx_buf), "i=%d;",
- count);
-
- for (cur = rh->prev, i = 0; i < max_list_iters; cur = cur->prev, i++) {
- if (cur->decoded &&
- rspamd_substring_search(cur->decoded, strlen(cur->decoded),
- idx_buf, id_len) != -1) {
- sel = cur;
- break;
- }
-
- if (cur == rh) {
- /* Cycle */
- break;
- }
- }
-
- if (sel == NULL) {
- return FALSE;
- }
- }
-
- /* Selected header must be non-null if previous condition is false */
- g_assert(sel != NULL);
-
- if (ctx->header_canon_type == DKIM_CANON_SIMPLE) {
- rspamd_dkim_hash_update(ctx->headers_hash, sel->raw_value,
- sel->raw_len);
- ctx->headers_canonicalised += sel->raw_len;
- msg_debug_dkim("update %s with header (idx=%d): %*s",
- (use_idx ? "seal" : "signature"),
- count, (int) sel->raw_len, sel->raw_value);
- }
- else {
- if (is_sign && (sel->flags & RSPAMD_HEADER_FROM)) {
- /* Special handling of the From handling when rewrite is done */
- gboolean has_rewrite = FALSE;
- unsigned int i;
- struct rspamd_email_address *addr;
-
- PTR_ARRAY_FOREACH(MESSAGE_FIELD(task, from_mime), i, addr)
- {
- if ((addr->flags & RSPAMD_EMAIL_ADDR_ORIGINAL) && !(addr->flags & RSPAMD_EMAIL_ADDR_ALIASED)) {
- has_rewrite = TRUE;
- }
- }
-
- if (has_rewrite) {
- PTR_ARRAY_FOREACH(MESSAGE_FIELD(task, from_mime), i, addr)
- {
- if (!(addr->flags & RSPAMD_EMAIL_ADDR_ORIGINAL)) {
- if (!rspamd_dkim_canonize_header_relaxed(ctx, addr->raw,
- header_name, FALSE, i, use_idx)) {
- return FALSE;
- }
-
- return TRUE;
- }
- }
- }
- }
-
- if (!rspamd_dkim_canonize_header_relaxed(ctx, sel->value,
- header_name, FALSE, count, use_idx)) {
- return FALSE;
- }
- }
- }
- }
- else {
- /* For signature check just use the saved dkim header */
- if (ctx->header_canon_type == DKIM_CANON_SIMPLE) {
- /* We need to find our own signature and use it */
- rh = rspamd_message_get_header_array(task, header_name, is_sign);
-
- if (rh) {
- /* We need to find our own signature */
- if (!dkim_domain) {
- msg_err_dkim("cannot verify dkim as we have no dkim domain!");
- return FALSE;
- }
-
- gboolean found = FALSE;
-
- DL_FOREACH(rh, cur)
- {
- uint64_t th = rspamd_cryptobox_fast_hash(cur->decoded,
- strlen(cur->decoded), rspamd_hash_seed());
-
- if (th == ctx->sig_hash) {
- rspamd_dkim_signature_update(ctx, cur->raw_value,
- cur->raw_len);
- found = TRUE;
- break;
- }
- }
- if (!found) {
- msg_err_dkim("BUGON: cannot verify dkim as we have lost our signature"
- " during simple canonicalisation, expected hash=%L",
- ctx->sig_hash);
- return FALSE;
- }
- }
- else {
- return FALSE;
- }
- }
- else {
- if (!rspamd_dkim_canonize_header_relaxed(ctx,
- dkim_header,
- header_name,
- TRUE, 0, use_idx)) {
- return FALSE;
- }
- }
- }
-
- return TRUE;
- }
-
- struct rspamd_dkim_cached_hash {
- unsigned char *digest_normal;
- unsigned char *digest_cr;
- unsigned char *digest_crlf;
- char *type;
- };
-
- static struct rspamd_dkim_cached_hash *
- rspamd_dkim_check_bh_cached(struct rspamd_dkim_common_ctx *ctx,
- struct rspamd_task *task, gsize bhlen, gboolean is_sign)
- {
- char typebuf[64];
- struct rspamd_dkim_cached_hash *res;
-
- rspamd_snprintf(typebuf, sizeof(typebuf),
- RSPAMD_MEMPOOL_DKIM_BH_CACHE "%z_%s_%d_%z",
- bhlen,
- ctx->body_canon_type == DKIM_CANON_RELAXED ? "1" : "0",
- !!is_sign,
- ctx->len);
-
- res = rspamd_mempool_get_variable(task->task_pool,
- typebuf);
-
- if (!res) {
- res = rspamd_mempool_alloc0(task->task_pool, sizeof(*res));
- res->type = rspamd_mempool_strdup(task->task_pool, typebuf);
- rspamd_mempool_set_variable(task->task_pool,
- res->type, res, NULL);
- }
-
- return res;
- }
-
- static const char *
- rspamd_dkim_type_to_string(enum rspamd_dkim_type t)
- {
- switch (t) {
- case RSPAMD_DKIM_NORMAL:
- return "dkim";
- case RSPAMD_DKIM_ARC_SIG:
- return "arc_sig";
- case RSPAMD_DKIM_ARC_SEAL:
- default:
- return "arc_seal";
- }
- }
-
- /**
- * Check task for dkim context using dkim key
- * @param ctx dkim verify context
- * @param key dkim key (from cache or from dns request)
- * @param task task to check
- * @return
- */
- struct rspamd_dkim_check_result *
- rspamd_dkim_check(rspamd_dkim_context_t *ctx,
- rspamd_dkim_key_t *key,
- struct rspamd_task *task)
- {
- const char *body_end, *body_start;
- unsigned char raw_digest[EVP_MAX_MD_SIZE];
- struct rspamd_dkim_cached_hash *cached_bh = NULL;
- EVP_MD_CTX *cpy_ctx = NULL;
- gsize dlen = 0;
- struct rspamd_dkim_check_result *res;
- unsigned int i;
- struct rspamd_dkim_header *dh;
- int nid;
-
- g_return_val_if_fail(ctx != NULL, NULL);
- g_return_val_if_fail(key != NULL, NULL);
- g_return_val_if_fail(task->msg.len > 0, NULL);
-
- /* First of all find place of body */
- body_end = task->msg.begin + task->msg.len;
-
- body_start = MESSAGE_FIELD(task, raw_headers_content).body_start;
-
- res = rspamd_mempool_alloc0(task->task_pool, sizeof(*res));
- res->ctx = ctx;
- res->selector = ctx->selector;
- res->domain = ctx->domain;
- res->fail_reason = NULL;
- res->short_b = ctx->short_b;
- res->rcode = DKIM_CONTINUE;
-
- if (!body_start) {
- res->rcode = DKIM_ERROR;
- return res;
- }
-
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- dlen = EVP_MD_CTX_size(ctx->common.body_hash);
- cached_bh = rspamd_dkim_check_bh_cached(&ctx->common, task,
- dlen, FALSE);
-
- if (!cached_bh->digest_normal) {
- /* Start canonization of body part */
- if (!rspamd_dkim_canonize_body(task, &ctx->common, body_start, body_end,
- FALSE)) {
- res->rcode = DKIM_RECORD_ERROR;
- return res;
- }
- }
- }
-
- /* Now canonize headers */
- for (i = 0; i < ctx->common.hlist->len; i++) {
- dh = g_ptr_array_index(ctx->common.hlist, i);
- rspamd_dkim_canonize_header(&ctx->common, task, dh->name, dh->count,
- NULL, NULL);
- }
-
- /* Canonize dkim signature */
- switch (ctx->common.type) {
- case RSPAMD_DKIM_NORMAL:
- rspamd_dkim_canonize_header(&ctx->common, task, RSPAMD_DKIM_SIGNHEADER, 0,
- ctx->dkim_header, ctx->domain);
- break;
- case RSPAMD_DKIM_ARC_SIG:
- rspamd_dkim_canonize_header(&ctx->common, task, RSPAMD_DKIM_ARC_SIGNHEADER, 0,
- ctx->dkim_header, ctx->domain);
- break;
- case RSPAMD_DKIM_ARC_SEAL:
- rspamd_dkim_canonize_header(&ctx->common, task, RSPAMD_DKIM_ARC_SEALHEADER, 0,
- ctx->dkim_header, ctx->domain);
- break;
- }
-
-
- /* Use cached BH for all but arc seal, if it is not NULL we are not in arc seal mode */
- if (cached_bh != NULL) {
- if (!cached_bh->digest_normal) {
- /* Copy md_ctx to deal with broken CRLF at the end */
- cpy_ctx = EVP_MD_CTX_create();
- EVP_MD_CTX_copy(cpy_ctx, ctx->common.body_hash);
- EVP_DigestFinal_ex(cpy_ctx, raw_digest, NULL);
-
- cached_bh->digest_normal = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_normal, raw_digest, sizeof(raw_digest));
- }
-
- /* Check bh field */
- if (memcmp(ctx->bh, cached_bh->digest_normal, ctx->bhlen) != 0) {
- msg_debug_dkim(
- "bh value mismatch: %*xs versus %*xs, try add LF; try adding CRLF",
- (int) dlen, ctx->bh,
- (int) dlen, raw_digest);
-
- if (cpy_ctx) {
- /* Try add CRLF */
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup(cpy_ctx);
- #else
- EVP_MD_CTX_reset(cpy_ctx);
- #endif
- EVP_MD_CTX_copy(cpy_ctx, ctx->common.body_hash);
- EVP_DigestUpdate(cpy_ctx, "\r\n", 2);
- EVP_DigestFinal_ex(cpy_ctx, raw_digest, NULL);
- cached_bh->digest_crlf = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_crlf, raw_digest, sizeof(raw_digest));
-
- if (memcmp(ctx->bh, raw_digest, ctx->bhlen) != 0) {
- msg_debug_dkim(
- "bh value mismatch after added CRLF: %*xs versus %*xs, try add LF",
- (int) dlen, ctx->bh,
- (int) dlen, raw_digest);
-
- /* Try add LF */
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup(cpy_ctx);
- #else
- EVP_MD_CTX_reset(cpy_ctx);
- #endif
- EVP_MD_CTX_copy(cpy_ctx, ctx->common.body_hash);
- EVP_DigestUpdate(cpy_ctx, "\n", 1);
- EVP_DigestFinal_ex(cpy_ctx, raw_digest, NULL);
- cached_bh->digest_cr = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_cr, raw_digest, sizeof(raw_digest));
-
- if (memcmp(ctx->bh, raw_digest, ctx->bhlen) != 0) {
- msg_debug_dkim("bh value mismatch after added LF: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, raw_digest);
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
- }
- else if (cached_bh->digest_crlf) {
- if (memcmp(ctx->bh, cached_bh->digest_crlf, ctx->bhlen) != 0) {
- msg_debug_dkim("bh value mismatch after added CRLF: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, cached_bh->digest_crlf);
-
- if (cached_bh->digest_cr) {
- if (memcmp(ctx->bh, cached_bh->digest_cr, ctx->bhlen) != 0) {
- msg_debug_dkim(
- "bh value mismatch after added LF: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, cached_bh->digest_cr);
-
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
- else {
-
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
- }
- else {
- msg_debug_dkim(
- "bh value mismatch: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, cached_bh->digest_normal);
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
-
- if (cpy_ctx) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup(cpy_ctx);
- #else
- EVP_MD_CTX_reset(cpy_ctx);
- #endif
- EVP_MD_CTX_destroy(cpy_ctx);
- }
-
- if (res->rcode == DKIM_REJECT) {
- msg_info_dkim(
- "%s: bh value mismatch: got %*Bs, expected %*Bs; "
- "body length %d->%d; d=%s; s=%s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) dlen, cached_bh->digest_normal,
- (int) dlen, ctx->bh,
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->domain, ctx->selector);
-
- return res;
- }
- }
-
- dlen = EVP_MD_CTX_size(ctx->common.headers_hash);
- EVP_DigestFinal_ex(ctx->common.headers_hash, raw_digest, NULL);
- /* Check headers signature */
-
- if (ctx->sig_alg == DKIM_SIGN_RSASHA1) {
- nid = NID_sha1;
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_EDDSASHA256) {
- nid = NID_sha256;
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA512 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA512) {
- nid = NID_sha512;
- }
- else {
- /* Not reached */
- nid = NID_sha1;
- }
-
- switch (key->type) {
- case RSPAMD_DKIM_KEY_RSA:
- if (RSA_verify(nid, raw_digest, dlen, ctx->b, ctx->blen,
- key->key.key_rsa) != 1) {
- msg_debug_dkim("headers rsa verify failed");
- ERR_clear_error();
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers rsa verify failed";
-
- msg_info_dkim(
- "%s: headers RSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
- }
- break;
- case RSPAMD_DKIM_KEY_ECDSA:
- if (ECDSA_verify(nid, raw_digest, dlen, ctx->b, ctx->blen,
- key->key.key_ecdsa) != 1) {
- msg_info_dkim(
- "%s: headers ECDSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
- msg_debug_dkim("headers ecdsa verify failed");
- ERR_clear_error();
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers ecdsa verify failed";
- }
- break;
- case RSPAMD_DKIM_KEY_EDDSA:
- if (!rspamd_cryptobox_verify(ctx->b, ctx->blen, raw_digest, dlen,
- key->key.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519)) {
- msg_info_dkim(
- "%s: headers EDDSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
- msg_debug_dkim("headers eddsa verify failed");
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers eddsa verify failed";
- }
- break;
- }
-
-
- if (ctx->common.type == RSPAMD_DKIM_ARC_SEAL && res->rcode == DKIM_CONTINUE) {
- switch (ctx->cv) {
- case RSPAMD_ARC_INVALID:
- msg_info_dkim("arc seal is invalid i=%d", ctx->common.idx);
- res->rcode = DKIM_PERM_ERROR;
- res->fail_reason = "arc seal is invalid";
- break;
- case RSPAMD_ARC_FAIL:
- msg_info_dkim("arc seal failed i=%d", ctx->common.idx);
- res->rcode = DKIM_REJECT;
- res->fail_reason = "arc seal failed";
- break;
- default:
- break;
- }
- }
-
- return res;
- }
-
- struct rspamd_dkim_check_result *
- rspamd_dkim_create_result(rspamd_dkim_context_t *ctx,
- enum rspamd_dkim_check_rcode rcode,
- struct rspamd_task *task)
- {
- struct rspamd_dkim_check_result *res;
-
- res = rspamd_mempool_alloc0(task->task_pool, sizeof(*res));
- res->ctx = ctx;
- res->selector = ctx->selector;
- res->domain = ctx->domain;
- res->fail_reason = NULL;
- res->short_b = ctx->short_b;
- res->rcode = rcode;
-
- return res;
- }
-
- rspamd_dkim_key_t *
- rspamd_dkim_key_ref(rspamd_dkim_key_t *k)
- {
- REF_RETAIN(k);
-
- return k;
- }
-
- void rspamd_dkim_key_unref(rspamd_dkim_key_t *k)
- {
- REF_RELEASE(k);
- }
-
- rspamd_dkim_sign_key_t *
- rspamd_dkim_sign_key_ref(rspamd_dkim_sign_key_t *k)
- {
- REF_RETAIN(k);
-
- return k;
- }
-
- void rspamd_dkim_sign_key_unref(rspamd_dkim_sign_key_t *k)
- {
- REF_RELEASE(k);
- }
-
- const char *
- rspamd_dkim_get_domain(rspamd_dkim_context_t *ctx)
- {
- if (ctx) {
- return ctx->domain;
- }
-
- return NULL;
- }
-
- const char *
- rspamd_dkim_get_selector(rspamd_dkim_context_t *ctx)
- {
- if (ctx) {
- return ctx->selector;
- }
-
- return NULL;
- }
-
- unsigned int rspamd_dkim_key_get_ttl(rspamd_dkim_key_t *k)
- {
- if (k) {
- return k->ttl;
- }
-
- return 0;
- }
-
- const char *
- rspamd_dkim_get_dns_key(rspamd_dkim_context_t *ctx)
- {
- if (ctx) {
- return ctx->dns_key;
- }
-
- return NULL;
- }
-
- #define PEM_SIG "-----BEGIN"
-
- rspamd_dkim_sign_key_t *
- rspamd_dkim_sign_key_load(const char *key, gsize len,
- enum rspamd_dkim_key_format type,
- GError **err)
- {
- unsigned char *map = NULL, *tmp = NULL;
- gsize maplen;
- rspamd_dkim_sign_key_t *nkey;
- time_t mtime = time(NULL);
-
- if (type < 0 || type > RSPAMD_DKIM_KEY_UNKNOWN || len == 0 || key == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "invalid key type to load: %d", type);
- return NULL;
- }
-
- nkey = g_malloc0(sizeof(*nkey));
- nkey->mtime = mtime;
-
- msg_debug_dkim_taskless("got public key with length %z and type %d",
- len, type);
-
- /* Load key file if needed */
- if (type == RSPAMD_DKIM_KEY_FILE) {
- struct stat st;
-
- if (stat(key, &st) != 0) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot stat key file: '%s' %s", key, strerror(errno));
- g_free(nkey);
-
- return NULL;
- }
-
- nkey->mtime = st.st_mtime;
- map = rspamd_file_xmap(key, PROT_READ, &maplen, TRUE);
-
- if (map == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot map key file: '%s' %s", key, strerror(errno));
- g_free(nkey);
-
- return NULL;
- }
-
- key = map;
- len = maplen;
-
- if (maplen > sizeof(PEM_SIG) &&
- strncmp(map, PEM_SIG, sizeof(PEM_SIG) - 1) == 0) {
- type = RSPAMD_DKIM_KEY_PEM;
- }
- else if (rspamd_cryptobox_base64_is_valid(map, maplen)) {
- type = RSPAMD_DKIM_KEY_BASE64;
- }
- else {
- type = RSPAMD_DKIM_KEY_RAW;
- }
- }
-
- if (type == RSPAMD_DKIM_KEY_UNKNOWN) {
- if (len > sizeof(PEM_SIG) &&
- memcmp(key, PEM_SIG, sizeof(PEM_SIG) - 1) == 0) {
- type = RSPAMD_DKIM_KEY_PEM;
- }
- else {
- type = RSPAMD_DKIM_KEY_RAW;
- }
- }
-
- if (type == RSPAMD_DKIM_KEY_BASE64) {
- type = RSPAMD_DKIM_KEY_RAW;
- tmp = g_malloc(len);
- rspamd_cryptobox_base64_decode(key, len, tmp, &len);
- key = tmp;
- }
-
- if (type == RSPAMD_DKIM_KEY_RAW && (len == 32 ||
- len == rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519))) {
- if (len == 32) {
- /* Seeded key, need scalarmult */
- unsigned char pk[32];
- nkey->type = RSPAMD_DKIM_KEY_EDDSA;
- nkey->key.key_eddsa = g_malloc(
- rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
- crypto_sign_ed25519_seed_keypair(pk, nkey->key.key_eddsa, key);
- nkey->keylen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
- }
- else {
- /* Full ed25519 key */
- unsigned klen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
- nkey->type = RSPAMD_DKIM_KEY_EDDSA;
- nkey->key.key_eddsa = g_malloc(klen);
- memcpy(nkey->key.key_eddsa, key, klen);
- nkey->keylen = klen;
- }
- }
- else {
- nkey->key_bio = BIO_new_mem_buf(key, len);
-
- if (type == RSPAMD_DKIM_KEY_RAW) {
- if (d2i_PrivateKey_bio(nkey->key_bio, &nkey->key_evp) == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot parse raw private key: %s",
- ERR_error_string(ERR_get_error(), NULL));
-
- rspamd_dkim_sign_key_free(nkey);
- nkey = NULL;
-
- goto end;
- }
- }
- else {
- if (!PEM_read_bio_PrivateKey(nkey->key_bio, &nkey->key_evp, NULL, NULL)) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot parse pem private key: %s",
- ERR_error_string(ERR_get_error(), NULL));
- rspamd_dkim_sign_key_free(nkey);
- nkey = NULL;
-
- goto end;
- }
- }
- nkey->key.key_rsa = EVP_PKEY_get1_RSA(nkey->key_evp);
- if (nkey->key.key_rsa == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract rsa key from evp key");
- rspamd_dkim_sign_key_free(nkey);
- nkey = NULL;
-
- goto end;
- }
- nkey->type = RSPAMD_DKIM_KEY_RSA;
- }
-
- REF_INIT_RETAIN(nkey, rspamd_dkim_sign_key_free);
-
- end:
-
- if (map != NULL) {
- munmap(map, maplen);
- }
-
- if (tmp != NULL) {
- rspamd_explicit_memzero(tmp, len);
- g_free(tmp);
- }
-
- return nkey;
- }
-
- #undef PEM_SIG
-
- gboolean
- rspamd_dkim_sign_key_maybe_invalidate(rspamd_dkim_sign_key_t *key, time_t mtime)
- {
- if (mtime > key->mtime) {
- return TRUE;
- }
- return FALSE;
- }
-
- rspamd_dkim_sign_context_t *
- rspamd_create_dkim_sign_context(struct rspamd_task *task,
- rspamd_dkim_sign_key_t *priv_key,
- int headers_canon,
- int body_canon,
- const char *headers,
- enum rspamd_dkim_type type,
- GError **err)
- {
- rspamd_dkim_sign_context_t *nctx;
-
- if (headers_canon != DKIM_CANON_SIMPLE && headers_canon != DKIM_CANON_RELAXED) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_HC,
- "bad headers canonicalisation");
-
- return NULL;
- }
- if (body_canon != DKIM_CANON_SIMPLE && body_canon != DKIM_CANON_RELAXED) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_BC,
- "bad body canonicalisation");
-
- return NULL;
- }
-
- if (!priv_key || (!priv_key->key.key_rsa && !priv_key->key.key_eddsa)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "bad key to sign");
-
- return NULL;
- }
-
- nctx = rspamd_mempool_alloc0(task->task_pool, sizeof(*nctx));
- nctx->common.pool = task->task_pool;
- nctx->common.header_canon_type = headers_canon;
- nctx->common.body_canon_type = body_canon;
- nctx->common.type = type;
- nctx->common.is_sign = TRUE;
-
- if (type != RSPAMD_DKIM_ARC_SEAL) {
- if (!rspamd_dkim_parse_hdrlist_common(&nctx->common, headers,
- strlen(headers), TRUE,
- err)) {
- return NULL;
- }
- }
- else {
- rspamd_dkim_add_arc_seal_headers(task->task_pool, &nctx->common);
- }
-
- nctx->key = rspamd_dkim_sign_key_ref(priv_key);
-
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) rspamd_dkim_sign_key_unref, priv_key);
-
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- nctx->common.body_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(nctx->common.body_hash, EVP_sha256(), NULL);
- nctx->common.headers_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(nctx->common.headers_hash, EVP_sha256(), NULL);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, nctx->common.body_hash);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, nctx->common.headers_hash);
- #else
- nctx->common.body_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(nctx->common.body_hash, EVP_sha256(), NULL);
- nctx->common.headers_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(nctx->common.headers_hash, EVP_sha256(), NULL);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, nctx->common.body_hash);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, nctx->common.headers_hash);
- #endif
-
- return nctx;
- }
-
-
- GString *
- rspamd_dkim_sign(struct rspamd_task *task, const char *selector,
- const char *domain, time_t expire, gsize len, unsigned int idx,
- const char *arc_cv, rspamd_dkim_sign_context_t *ctx)
- {
- GString *hdr;
- struct rspamd_dkim_header *dh;
- const char *body_end, *body_start, *hname;
- unsigned char raw_digest[EVP_MAX_MD_SIZE];
- struct rspamd_dkim_cached_hash *cached_bh = NULL;
- gsize dlen = 0;
- unsigned int i, j;
- char *b64_data;
- unsigned char *sig_buf;
- unsigned int sig_len;
- unsigned int headers_len = 0, cur_len = 0;
- union rspamd_dkim_header_stat hstat;
-
- g_assert(ctx != NULL);
-
- /* First of all find place of body */
- body_end = task->msg.begin + task->msg.len;
- body_start = MESSAGE_FIELD(task, raw_headers_content).body_start;
-
- if (len > 0) {
- ctx->common.len = len;
- }
-
- if (!body_start) {
- return NULL;
- }
-
- /* Start canonization of body part */
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- dlen = EVP_MD_CTX_size(ctx->common.body_hash);
- cached_bh = rspamd_dkim_check_bh_cached(&ctx->common, task,
- dlen, TRUE);
-
- if (!cached_bh->digest_normal) {
- /* Start canonization of body part */
- if (!rspamd_dkim_canonize_body(task, &ctx->common, body_start, body_end,
- TRUE)) {
- return NULL;
- }
- }
- }
-
- hdr = g_string_sized_new(255);
-
- if (ctx->common.type == RSPAMD_DKIM_NORMAL) {
- rspamd_printf_gstring(hdr, "v=1; a=%s; c=%s/%s; d=%s; s=%s; ",
- ctx->key->type == RSPAMD_DKIM_KEY_RSA ? "rsa-sha256" : "ed25519-sha256",
- ctx->common.header_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- ctx->common.body_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- domain, selector);
- }
- else if (ctx->common.type == RSPAMD_DKIM_ARC_SIG) {
- rspamd_printf_gstring(hdr, "i=%d; a=%s; c=%s/%s; d=%s; s=%s; ",
- idx,
- ctx->key->type == RSPAMD_DKIM_KEY_RSA ? "rsa-sha256" : "ed25519-sha256",
- ctx->common.header_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- ctx->common.body_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- domain, selector);
- }
- else {
- g_assert(arc_cv != NULL);
- rspamd_printf_gstring(hdr, "i=%d; a=%s; d=%s; s=%s; cv=%s; ",
- idx,
- ctx->key->type == RSPAMD_DKIM_KEY_RSA ? "rsa-sha256" : "ed25519-sha256",
- domain,
- selector,
- arc_cv);
- }
-
- if (expire > 0) {
- rspamd_printf_gstring(hdr, "x=%t; ", expire);
- }
-
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- if (len > 0) {
- rspamd_printf_gstring(hdr, "l=%z; ", len);
- }
- }
-
- rspamd_printf_gstring(hdr, "t=%t; h=", time(NULL));
-
- /* Now canonize headers */
- for (i = 0; i < ctx->common.hlist->len; i++) {
- struct rspamd_mime_header *rh, *cur;
-
- dh = g_ptr_array_index(ctx->common.hlist, i);
-
- /* We allow oversigning if dh->count > number of headers with this name */
- hstat.n = GPOINTER_TO_UINT(g_hash_table_lookup(ctx->common.htable, dh->name));
-
- if (hstat.s.flags & RSPAMD_DKIM_FLAG_OVERSIGN) {
- /* Do oversigning */
- unsigned int count = 0;
-
- rh = rspamd_message_get_header_array(task, dh->name, FALSE);
-
- if (rh) {
- DL_FOREACH(rh, cur)
- {
- /* Sign all existing headers */
- rspamd_dkim_canonize_header(&ctx->common, task, dh->name,
- count,
- NULL, NULL);
- count++;
- }
- }
-
- /* Now add one more entry to oversign */
- if (count > 0 || !(hstat.s.flags & RSPAMD_DKIM_FLAG_OVERSIGN_EXISTING)) {
- cur_len = (strlen(dh->name) + 1) * (count + 1);
- headers_len += cur_len;
-
- if (headers_len > 70 && i > 0 && i < ctx->common.hlist->len - 1) {
- rspamd_printf_gstring(hdr, " ");
- headers_len = cur_len;
- }
-
- for (j = 0; j < count + 1; j++) {
- rspamd_printf_gstring(hdr, "%s:", dh->name);
- }
- }
- }
- else {
- rh = rspamd_message_get_header_array(task, dh->name, FALSE);
-
- if (rh) {
- if (hstat.s.count > 0) {
-
- cur_len = (strlen(dh->name) + 1) * (hstat.s.count);
- headers_len += cur_len;
- if (headers_len > 70 && i > 0 && i < ctx->common.hlist->len - 1) {
- rspamd_printf_gstring(hdr, " ");
- headers_len = cur_len;
- }
-
- for (j = 0; j < hstat.s.count; j++) {
- rspamd_printf_gstring(hdr, "%s:", dh->name);
- }
- }
-
-
- rspamd_dkim_canonize_header(&ctx->common, task,
- dh->name, dh->count,
- NULL, NULL);
- }
- }
-
- g_hash_table_remove(ctx->common.htable, dh->name);
- }
-
- /* Replace the last ':' with ';' */
- hdr->str[hdr->len - 1] = ';';
-
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- if (!cached_bh->digest_normal) {
- EVP_DigestFinal_ex(ctx->common.body_hash, raw_digest, NULL);
- cached_bh->digest_normal = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_normal, raw_digest, sizeof(raw_digest));
- }
-
-
- b64_data = rspamd_encode_base64(cached_bh->digest_normal, dlen, 0, NULL);
- rspamd_printf_gstring(hdr, " bh=%s; b=", b64_data);
- g_free(b64_data);
- }
- else {
- rspamd_printf_gstring(hdr, " b=");
- }
-
- switch (ctx->common.type) {
- case RSPAMD_DKIM_NORMAL:
- default:
- hname = RSPAMD_DKIM_SIGNHEADER;
- break;
- case RSPAMD_DKIM_ARC_SIG:
- hname = RSPAMD_DKIM_ARC_SIGNHEADER;
- break;
- case RSPAMD_DKIM_ARC_SEAL:
- hname = RSPAMD_DKIM_ARC_SEALHEADER;
- break;
- }
-
- if (ctx->common.header_canon_type == DKIM_CANON_RELAXED) {
- if (!rspamd_dkim_canonize_header_relaxed(&ctx->common,
- hdr->str,
- hname,
- TRUE,
- 0,
- ctx->common.type == RSPAMD_DKIM_ARC_SEAL)) {
-
- g_string_free(hdr, TRUE);
- return NULL;
- }
- }
- else {
- /* Will likely have issues with folding */
- rspamd_dkim_hash_update(ctx->common.headers_hash, hdr->str,
- hdr->len);
- ctx->common.headers_canonicalised += hdr->len;
- msg_debug_task("update signature with header: %*s",
- (int) hdr->len, hdr->str);
- }
-
- dlen = EVP_MD_CTX_size(ctx->common.headers_hash);
- EVP_DigestFinal_ex(ctx->common.headers_hash, raw_digest, NULL);
- if (ctx->key->type == RSPAMD_DKIM_KEY_RSA) {
- sig_len = RSA_size(ctx->key->key.key_rsa);
- sig_buf = g_alloca(sig_len);
-
- if (RSA_sign(NID_sha256, raw_digest, dlen, sig_buf, &sig_len,
- ctx->key->key.key_rsa) != 1) {
- g_string_free(hdr, TRUE);
- msg_err_task("rsa sign error: %s",
- ERR_error_string(ERR_get_error(), NULL));
-
- return NULL;
- }
- }
- else if (ctx->key->type == RSPAMD_DKIM_KEY_EDDSA) {
- sig_len = rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
- sig_buf = g_alloca(sig_len);
-
- rspamd_cryptobox_sign(sig_buf, NULL, raw_digest, dlen,
- ctx->key->key.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519);
- }
- else {
- g_string_free(hdr, TRUE);
- msg_err_task("unsupported key type for signing");
-
- return NULL;
- }
-
- if (task->protocol_flags & RSPAMD_TASK_PROTOCOL_FLAG_MILTER) {
- b64_data = rspamd_encode_base64_fold(sig_buf, sig_len, 70, NULL,
- RSPAMD_TASK_NEWLINES_LF);
- }
- else {
- b64_data = rspamd_encode_base64_fold(sig_buf, sig_len, 70, NULL,
- MESSAGE_FIELD(task, nlines_type));
- }
-
- rspamd_printf_gstring(hdr, "%s", b64_data);
- g_free(b64_data);
-
- return hdr;
- }
-
- gboolean
- rspamd_dkim_match_keys(rspamd_dkim_key_t *pk,
- rspamd_dkim_sign_key_t *sk,
- GError **err)
- {
- if (pk == NULL || sk == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "missing public or private key");
- return FALSE;
- }
- if (pk->type != sk->type) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "public and private key types do not match");
- return FALSE;
- }
-
- if (pk->type == RSPAMD_DKIM_KEY_EDDSA) {
- if (memcmp(sk->key.key_eddsa + 32, pk->key.key_eddsa, 32) != 0) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYHASHMISMATCH,
- "pubkey does not match private key");
- return FALSE;
- }
- }
- else if (EVP_PKEY_cmp(pk->key_evp, sk->key_evp) != 1) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYHASHMISMATCH,
- "pubkey does not match private key");
- return FALSE;
- }
-
- return TRUE;
- }
|