mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21178 Commits
28 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
rspamd/src/plugins/dkim_check.c

dkim_check.c 40KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620 
  1. /*

  2.  * Copyright 2024 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *    http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. /***MODULE:dkim

  17.  * rspamd module that checks dkim records of incoming email

  18.  *

  19.  * Allowed options:

  20.  * - symbol_allow (string): symbol to insert in case of allow (default: 'R_DKIM_ALLOW')

  21.  * - symbol_reject (string): symbol to insert (default: 'R_DKIM_REJECT')

  22.  * - symbol_tempfail (string): symbol to insert in case of temporary fail (default: 'R_DKIM_TEMPFAIL')

  23.  * - symbol_permfail (string): symbol to insert in case of permanent failure (default: 'R_DKIM_PERMFAIL')

  24.  * - symbol_na (string): symbol to insert in case of no signing (default: 'R_DKIM_NA')

  25.  * - whitelist (map): map of whitelisted networks

  26.  * - domains (map): map of domains to check

  27.  * - strict_multiplier (number): multiplier for strict domains

  28.  * - time_jitter (number): jitter in seconds to allow time diff while checking

  29.  * - trusted_only (flag): check signatures only for domains in 'domains' map

  30.  */

  31. 

  32. 

  33. #include "config.h"

  34. #include "libmime/message.h"

  35. #include "libserver/dkim.h"

  36. #include "libutil/hash.h"

  37. #include "libserver/maps/map.h"

  38. #include "libserver/maps/map_helpers.h"

  39. #include "rspamd.h"

  40. #include "utlist.h"

  41. #include "unix-std.h"

  42. #include "lua/lua_common.h"

  43. #include "libserver/mempool_vars_internal.h"

  44. 

  45. #define DEFAULT_SYMBOL_REJECT "R_DKIM_REJECT"

  46. #define DEFAULT_SYMBOL_TEMPFAIL "R_DKIM_TEMPFAIL"

  47. #define DEFAULT_SYMBOL_ALLOW "R_DKIM_ALLOW"

  48. #define DEFAULT_SYMBOL_NA "R_DKIM_NA"

  49. #define DEFAULT_SYMBOL_PERMFAIL "R_DKIM_PERMFAIL"

  50. #define DEFAULT_CACHE_SIZE 2048

  51. #define DEFAULT_TIME_JITTER 60

  52. #define DEFAULT_MAX_SIGS 5

  53. 

  54. static const char *M = "rspamd dkim plugin";

  55. 

  56. static const char default_sign_headers[] = ""

  57. 										   "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"

  58. 										   "(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"

  59. 										   "resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"

  60. 										   "(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"

  61. 										   "list-unsubscribe-post:list-subscribe:list-post:(x)openpgp:(x)autocrypt";

  62. static const char default_arc_sign_headers[] = ""

  63. 											   "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"

  64. 											   "(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"

  65. 											   "resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"

  66. 											   "(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"

  67. 											   "list-unsubscribe-post:list-subscribe:list-post:dkim-signature:(x)openpgp:"

  68. 											   "(x)autocrypt";

  69. 

  70. struct dkim_ctx {

  71. 	struct module_ctx ctx;

  72. 	const char *symbol_reject;

  73. 	const char *symbol_tempfail;

  74. 	const char *symbol_allow;

  75. 	const char *symbol_na;

  76. 	const char *symbol_permfail;

  77. 

  78. 	struct rspamd_radix_map_helper *whitelist_ip;

  79. 	struct rspamd_hash_map_helper *dkim_domains;

  80. 	unsigned int strict_multiplier;

  81. 	unsigned int time_jitter;

  82. 	rspamd_lru_hash_t *dkim_hash;

  83. 	rspamd_lru_hash_t *dkim_sign_hash;

  84. 	const char *sign_headers;

  85. 	const char *arc_sign_headers;

  86. 	unsigned int max_sigs;

  87. 	gboolean trusted_only;

  88. 	gboolean check_local;

  89. 	gboolean check_authed;

  90. };

  91. 

  92. struct dkim_check_result {

  93. 	rspamd_dkim_context_t *ctx;

  94. 	rspamd_dkim_key_t *key;

  95. 	struct rspamd_task *task;

  96. 	struct rspamd_dkim_check_result *res;

  97. 	double mult_allow;

  98. 	double mult_deny;

  99. 	struct rspamd_symcache_dynamic_item *item;

  100. 	struct dkim_check_result *next, *prev, *first;

  101. };

  102. 

  103. static void dkim_symbol_callback(struct rspamd_task *task,

  104. 								 struct rspamd_symcache_dynamic_item *item,

  105. 								 void *unused);

  106. 

  107. static int lua_dkim_sign_handler(lua_State *L);

  108. static int lua_dkim_verify_handler(lua_State *L);

  109. static int lua_dkim_canonicalize_handler(lua_State *L);

  110. 

  111. /* Initialization */

  112. int dkim_module_init(struct rspamd_config *cfg, struct module_ctx **ctx);

  113. int dkim_module_config(struct rspamd_config *cfg, bool validate);

  114. int dkim_module_reconfig(struct rspamd_config *cfg);

  115. 

  116. module_t dkim_module = {

  117. 	"dkim",

  118. 	dkim_module_init,

  119. 	dkim_module_config,

  120. 	dkim_module_reconfig,

  121. 	NULL,

  122. 	RSPAMD_MODULE_VER,

  123. 	(unsigned int) -1,

  124. };

  125. 

  126. static inline struct dkim_ctx *

  127. dkim_get_context(struct rspamd_config *cfg)

  128. {

  129. 	return (struct dkim_ctx *) g_ptr_array_index(cfg->c_modules,

  130. 												 dkim_module.ctx_offset);

  131. }

  132. 

  133. static void

  134. dkim_module_key_dtor(gpointer k)

  135. {

  136. 	rspamd_dkim_key_t *key = k;

  137. 

  138. 	rspamd_dkim_key_unref(key);

  139. }

  140. 

  141. static void

  142. dkim_module_free_list(gpointer k)

  143. {

  144. 	g_list_free_full((GList *) k, rspamd_gstring_free_hard);

  145. }

  146. 

  147. int dkim_module_init(struct rspamd_config *cfg, struct module_ctx **ctx)

  148. {

  149. 	struct dkim_ctx *dkim_module_ctx;

  150. 

  151. 	dkim_module_ctx = rspamd_mempool_alloc0(cfg->cfg_pool,

  152. 											sizeof(*dkim_module_ctx));

  153. 	dkim_module_ctx->sign_headers = default_sign_headers;

  154. 	dkim_module_ctx->arc_sign_headers = default_arc_sign_headers;

  155. 	dkim_module_ctx->max_sigs = DEFAULT_MAX_SIGS;

  156. 

  157. 	*ctx = (struct module_ctx *) dkim_module_ctx;

  158. 

  159. 	rspamd_rcl_add_doc_by_path(cfg,

  160. 							   NULL,

  161. 							   "DKIM check plugin",

  162. 							   "dkim",

  163. 							   UCL_OBJECT,

  164. 							   NULL,

  165. 							   0,

  166. 							   NULL,

  167. 							   0);

  168. 	rspamd_rcl_add_doc_by_path(cfg,

  169. 							   "dkim",

  170. 							   "Map of IP addresses that should be excluded from DKIM checks",

  171. 							   "whitelist",

  172. 							   UCL_STRING,

  173. 							   NULL,

  174. 							   0,

  175. 							   NULL,

  176. 							   0);

  177. 	rspamd_rcl_add_doc_by_path(cfg,

  178. 							   "dkim",

  179. 							   "Symbol that is added if DKIM check is successful",

  180. 							   "symbol_allow",

  181. 							   UCL_STRING,

  182. 							   NULL,

  183. 							   0,

  184. 							   DEFAULT_SYMBOL_ALLOW,

  185. 							   0);

  186. 	rspamd_rcl_add_doc_by_path(cfg,

  187. 							   "dkim",

  188. 							   "Symbol that is added if DKIM check is unsuccessful",

  189. 							   "symbol_reject",

  190. 							   UCL_STRING,

  191. 							   NULL,

  192. 							   0,

  193. 							   DEFAULT_SYMBOL_REJECT,

  194. 							   0);

  195. 	rspamd_rcl_add_doc_by_path(cfg,

  196. 							   "dkim",

  197. 							   "Symbol that is added if DKIM check can't be completed (e.g. DNS failure)",

  198. 							   "symbol_tempfail",

  199. 							   UCL_STRING,

  200. 							   NULL,

  201. 							   0,

  202. 							   DEFAULT_SYMBOL_TEMPFAIL,

  203. 							   0);

  204. 	rspamd_rcl_add_doc_by_path(cfg,

  205. 							   "dkim",

  206. 							   "Symbol that is added if mail is not signed",

  207. 							   "symbol_na",

  208. 							   UCL_STRING,

  209. 							   NULL,

  210. 							   0,

  211. 							   DEFAULT_SYMBOL_NA,

  212. 							   0);

  213. 	rspamd_rcl_add_doc_by_path(cfg,

  214. 							   "dkim",

  215. 							   "Symbol that is added if permanent failure encountered",

  216. 							   "symbol_permfail",

  217. 							   UCL_STRING,

  218. 							   NULL,

  219. 							   0,

  220. 							   DEFAULT_SYMBOL_PERMFAIL,

  221. 							   0);

  222. 	rspamd_rcl_add_doc_by_path(cfg,

  223. 							   "dkim",

  224. 							   "Size of DKIM keys cache",

  225. 							   "dkim_cache_size",

  226. 							   UCL_INT,

  227. 							   NULL,

  228. 							   0,

  229. 							   G_STRINGIFY(DEFAULT_CACHE_SIZE),

  230. 							   0);

  231. 	rspamd_rcl_add_doc_by_path(cfg,

  232. 							   "dkim",

  233. 							   "Allow this time difference when checking DKIM signature time validity",

  234. 							   "time_jitter",

  235. 							   UCL_TIME,

  236. 							   NULL,

  237. 							   0,

  238. 							   G_STRINGIFY(DEFAULT_TIME_JITTER),

  239. 							   0);

  240. 	rspamd_rcl_add_doc_by_path(cfg,

  241. 							   "dkim",

  242. 							   "Domains to check DKIM for (check all domains if this option is empty)",

  243. 							   "domains",

  244. 							   UCL_STRING,

  245. 							   NULL,

  246. 							   0,

  247. 							   "empty",

  248. 							   0);

  249. 	rspamd_rcl_add_doc_by_path(cfg,

  250. 							   "dkim",

  251. 							   "Map of domains that are treated as 'trusted' meaning that DKIM policy failure has more significant score",

  252. 							   "trusted_domains",

  253. 							   UCL_STRING,

  254. 							   NULL,

  255. 							   0,

  256. 							   "empty",

  257. 							   0);

  258. 	rspamd_rcl_add_doc_by_path(cfg,

  259. 							   "dkim",

  260. 							   "Multiply dkim score by this factor for trusted domains",

  261. 							   "strict_multiplier",

  262. 							   UCL_FLOAT,

  263. 							   NULL,

  264. 							   0,

  265. 							   NULL,

  266. 							   0);

  267. 	rspamd_rcl_add_doc_by_path(cfg,

  268. 							   "dkim",

  269. 							   "Check DKIM policies merely for `trusted_domains`",

  270. 							   "trusted_only",

  271. 							   UCL_BOOLEAN,

  272. 							   NULL,

  273. 							   0,

  274. 							   "false",

  275. 							   0);

  276. 	rspamd_rcl_add_doc_by_path(cfg,

  277. 							   "dkim",

  278. 							   "Lua script that tells if a message should be signed and with what params (obsoleted)",

  279. 							   "sign_condition",

  280. 							   UCL_STRING,

  281. 							   NULL,

  282. 							   0,

  283. 							   "empty",

  284. 							   0);

  285. 	rspamd_rcl_add_doc_by_path(cfg,

  286. 							   "dkim",

  287. 							   "Obsoleted: maximum number of DKIM signatures to check",

  288. 							   "max_sigs",

  289. 							   UCL_INT,

  290. 							   NULL,

  291. 							   0,

  292. 							   "n/a",

  293. 							   0);

  294. 	rspamd_rcl_add_doc_by_path(cfg,

  295. 							   "dkim",

  296. 							   "Headers used in signing",

  297. 							   "sign_headers",

  298. 							   UCL_STRING,

  299. 							   NULL,

  300. 							   0,

  301. 							   default_sign_headers,

  302. 							   0);

  303. 

  304. 	return 0;

  305. }

  306. 

  307. int dkim_module_config(struct rspamd_config *cfg, bool validate)

  308. {

  309. 	const ucl_object_t *value;

  310. 	int res = TRUE, cb_id = -1;

  311. 	unsigned int cache_size, sign_cache_size;

  312. 	gboolean got_trusted = FALSE;

  313. 	struct dkim_ctx *dkim_module_ctx = dkim_get_context(cfg);

  314. 

  315. 	/* Register global methods */

  316. 	lua_getglobal(cfg->lua_state, "rspamd_plugins");

  317. 

  318. 	if (lua_type(cfg->lua_state, -1) == LUA_TTABLE) {

  319. 		lua_pushstring(cfg->lua_state, "dkim");

  320. 		lua_createtable(cfg->lua_state, 0, 1);

  321. 		/* Set methods */

  322. 		lua_pushstring(cfg->lua_state, "sign");

  323. 		lua_pushcfunction(cfg->lua_state, lua_dkim_sign_handler);

  324. 		lua_settable(cfg->lua_state, -3);

  325. 		lua_pushstring(cfg->lua_state, "verify");

  326. 		lua_pushcfunction(cfg->lua_state, lua_dkim_verify_handler);

  327. 		lua_settable(cfg->lua_state, -3);

  328. 		lua_pushstring(cfg->lua_state, "canon_header_relaxed");

  329. 		lua_pushcfunction(cfg->lua_state, lua_dkim_canonicalize_handler);

  330. 		lua_settable(cfg->lua_state, -3);

  331. 		/* Finish dkim key */

  332. 		lua_settable(cfg->lua_state, -3);

  333. 	}

  334. 

  335. 	lua_pop(cfg->lua_state, 1); /* Remove global function */

  336. 	dkim_module_ctx->whitelist_ip = NULL;

  337. 

  338. 	value = rspamd_config_get_module_opt(cfg, "dkim", "check_local");

  339. 

  340. 	if (value == NULL) {

  341. 		value = rspamd_config_get_module_opt(cfg, "options", "check_local");

  342. 	}

  343. 

  344. 	if (value != NULL) {

  345. 		dkim_module_ctx->check_local = ucl_object_toboolean(value);

  346. 	}

  347. 	else {

  348. 		dkim_module_ctx->check_local = FALSE;

  349. 	}

  350. 

  351. 	value = rspamd_config_get_module_opt(cfg, "dkim",

  352. 										 "check_authed");

  353. 

  354. 	if (value == NULL) {

  355. 		value = rspamd_config_get_module_opt(cfg, "options",

  356. 											 "check_authed");

  357. 	}

  358. 

  359. 	if (value != NULL) {

  360. 		dkim_module_ctx->check_authed = ucl_object_toboolean(value);

  361. 	}

  362. 	else {

  363. 		dkim_module_ctx->check_authed = FALSE;

  364. 	}

  365. 	if ((value =

  366. 			 rspamd_config_get_module_opt(cfg, "dkim", "symbol_reject")) != NULL) {

  367. 		dkim_module_ctx->symbol_reject = ucl_object_tostring(value);

  368. 	}

  369. 	else {

  370. 		dkim_module_ctx->symbol_reject = DEFAULT_SYMBOL_REJECT;

  371. 	}

  372. 	if ((value =

  373. 			 rspamd_config_get_module_opt(cfg, "dkim",

  374. 										  "symbol_tempfail")) != NULL) {

  375. 		dkim_module_ctx->symbol_tempfail = ucl_object_tostring(value);

  376. 	}

  377. 	else {

  378. 		dkim_module_ctx->symbol_tempfail = DEFAULT_SYMBOL_TEMPFAIL;

  379. 	}

  380. 	if ((value =

  381. 			 rspamd_config_get_module_opt(cfg, "dkim", "symbol_allow")) != NULL) {

  382. 		dkim_module_ctx->symbol_allow = ucl_object_tostring(value);

  383. 	}

  384. 	else {

  385. 		dkim_module_ctx->symbol_allow = DEFAULT_SYMBOL_ALLOW;

  386. 	}

  387. 	if ((value =

  388. 			 rspamd_config_get_module_opt(cfg, "dkim", "symbol_na")) != NULL) {

  389. 		dkim_module_ctx->symbol_na = ucl_object_tostring(value);

  390. 	}

  391. 	else {

  392. 		dkim_module_ctx->symbol_na = DEFAULT_SYMBOL_NA;

  393. 	}

  394. 	if ((value =

  395. 			 rspamd_config_get_module_opt(cfg, "dkim", "symbol_permfail")) != NULL) {

  396. 		dkim_module_ctx->symbol_permfail = ucl_object_tostring(value);

  397. 	}

  398. 	else {

  399. 		dkim_module_ctx->symbol_permfail = DEFAULT_SYMBOL_PERMFAIL;

  400. 	}

  401. 	if ((value =

  402. 			 rspamd_config_get_module_opt(cfg, "dkim",

  403. 										  "dkim_cache_size")) != NULL) {

  404. 		cache_size = ucl_object_toint(value);

  405. 	}

  406. 	else {

  407. 		cache_size = DEFAULT_CACHE_SIZE;

  408. 	}

  409. 

  410. 	if ((value =

  411. 			 rspamd_config_get_module_opt(cfg, "dkim",

  412. 										  "sign_cache_size")) != NULL) {

  413. 		sign_cache_size = ucl_object_toint(value);

  414. 	}

  415. 	else {

  416. 		sign_cache_size = 128;

  417. 	}

  418. 

  419. 	if ((value =

  420. 			 rspamd_config_get_module_opt(cfg, "dkim", "time_jitter")) != NULL) {

  421. 		dkim_module_ctx->time_jitter = ucl_object_todouble(value);

  422. 	}

  423. 	else {

  424. 		dkim_module_ctx->time_jitter = DEFAULT_TIME_JITTER;

  425. 	}

  426. 

  427. 	if ((value =

  428. 			 rspamd_config_get_module_opt(cfg, "dkim", "max_sigs")) != NULL) {

  429. 		dkim_module_ctx->max_sigs = ucl_object_toint(value);

  430. 	}

  431. 

  432. 	if ((value =

  433. 			 rspamd_config_get_module_opt(cfg, "dkim", "whitelist")) != NULL) {

  434. 

  435. 		rspamd_config_radix_from_ucl(cfg, value, "DKIM whitelist",

  436. 									 &dkim_module_ctx->whitelist_ip, NULL, NULL, "dkim whitelist");

  437. 	}

  438. 

  439. 	if ((value =

  440. 			 rspamd_config_get_module_opt(cfg, "dkim", "domains")) != NULL) {

  441. 		if (!rspamd_map_add_from_ucl(cfg, value,

  442. 									 "DKIM domains",

  443. 									 rspamd_kv_list_read,

  444. 									 rspamd_kv_list_fin,

  445. 									 rspamd_kv_list_dtor,

  446. 									 (void **) &dkim_module_ctx->dkim_domains,

  447. 									 NULL, RSPAMD_MAP_DEFAULT)) {

  448. 			msg_warn_config("cannot load dkim domains list from %s",

  449. 							ucl_object_tostring(value));

  450. 		}

  451. 		else {

  452. 			got_trusted = TRUE;

  453. 		}

  454. 	}

  455. 

  456. 	if (!got_trusted && (value =

  457. 							 rspamd_config_get_module_opt(cfg, "dkim", "trusted_domains")) != NULL) {

  458. 		if (!rspamd_map_add_from_ucl(cfg, value,

  459. 									 "DKIM domains",

  460. 									 rspamd_kv_list_read,

  461. 									 rspamd_kv_list_fin,

  462. 									 rspamd_kv_list_dtor,

  463. 									 (void **) &dkim_module_ctx->dkim_domains,

  464. 									 NULL, RSPAMD_MAP_DEFAULT)) {

  465. 			msg_warn_config("cannot load dkim domains list from %s",

  466. 							ucl_object_tostring(value));

  467. 

  468. 			if (validate) {

  469. 				return FALSE;

  470. 			}

  471. 		}

  472. 		else {

  473. 			got_trusted = TRUE;

  474. 		}

  475. 	}

  476. 

  477. 	if ((value =

  478. 			 rspamd_config_get_module_opt(cfg, "dkim",

  479. 										  "strict_multiplier")) != NULL) {

  480. 		dkim_module_ctx->strict_multiplier = ucl_object_toint(value);

  481. 	}

  482. 	else {

  483. 		dkim_module_ctx->strict_multiplier = 1;

  484. 	}

  485. 

  486. 	if ((value =

  487. 			 rspamd_config_get_module_opt(cfg, "dkim", "trusted_only")) != NULL) {

  488. 		dkim_module_ctx->trusted_only = ucl_object_toboolean(value);

  489. 	}

  490. 	else {

  491. 		dkim_module_ctx->trusted_only = FALSE;

  492. 	}

  493. 

  494. 	if ((value =

  495. 			 rspamd_config_get_module_opt(cfg, "dkim", "sign_headers")) != NULL) {

  496. 		dkim_module_ctx->sign_headers = ucl_object_tostring(value);

  497. 	}

  498. 

  499. 	if ((value =

  500. 			 rspamd_config_get_module_opt(cfg, "arc", "sign_headers")) != NULL) {

  501. 		dkim_module_ctx->arc_sign_headers = ucl_object_tostring(value);

  502. 	}

  503. 

  504. 	if (cache_size > 0) {

  505. 		dkim_module_ctx->dkim_hash = rspamd_lru_hash_new(

  506. 			cache_size,

  507. 			g_free,

  508. 			dkim_module_key_dtor);

  509. 		rspamd_mempool_add_destructor(cfg->cfg_pool,

  510. 									  (rspamd_mempool_destruct_t) rspamd_lru_hash_destroy,

  511. 									  dkim_module_ctx->dkim_hash);

  512. 	}

  513. 

  514. 	if (sign_cache_size > 0) {

  515. 		dkim_module_ctx->dkim_sign_hash = rspamd_lru_hash_new(

  516. 			sign_cache_size,

  517. 			g_free,

  518. 			(GDestroyNotify) rspamd_dkim_sign_key_unref);

  519. 		rspamd_mempool_add_destructor(cfg->cfg_pool,

  520. 									  (rspamd_mempool_destruct_t) rspamd_lru_hash_destroy,

  521. 									  dkim_module_ctx->dkim_sign_hash);

  522. 	}

  523. 

  524. 	if (dkim_module_ctx->trusted_only && !got_trusted) {

  525. 		msg_err_config("trusted_only option is set and no trusted domains are defined");

  526. 		if (validate) {

  527. 			return FALSE;

  528. 		}

  529. 	}

  530. 	else {

  531. 		if (!rspamd_config_is_module_enabled(cfg, "dkim")) {

  532. 			return TRUE;

  533. 		}

  534. 

  535. 		cb_id = rspamd_symcache_add_symbol(cfg->cache,

  536. 										   "DKIM_CHECK",

  537. 										   0,

  538. 										   dkim_symbol_callback,

  539. 										   NULL,

  540. 										   SYMBOL_TYPE_CALLBACK,

  541. 										   -1);

  542. 		rspamd_config_add_symbol(cfg,

  543. 								 "DKIM_CHECK",

  544. 								 0.0,

  545. 								 "DKIM check callback",

  546. 								 "policies",

  547. 								 RSPAMD_SYMBOL_FLAG_IGNORE_METRIC,

  548. 								 1,

  549. 								 1);

  550. 		rspamd_config_add_symbol_group(cfg, "DKIM_CHECK", "dkim");

  551. 		rspamd_symcache_add_symbol(cfg->cache,

  552. 								   dkim_module_ctx->symbol_reject,

  553. 								   0,

  554. 								   NULL,

  555. 								   NULL,

  556. 								   SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  557. 								   cb_id);

  558. 		rspamd_symcache_add_symbol(cfg->cache,

  559. 								   dkim_module_ctx->symbol_na,

  560. 								   0,

  561. 								   NULL, NULL,

  562. 								   SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  563. 								   cb_id);

  564. 		rspamd_symcache_add_symbol(cfg->cache,

  565. 								   dkim_module_ctx->symbol_permfail,

  566. 								   0,

  567. 								   NULL, NULL,

  568. 								   SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  569. 								   cb_id);

  570. 		rspamd_symcache_add_symbol(cfg->cache,

  571. 								   dkim_module_ctx->symbol_tempfail,

  572. 								   0,

  573. 								   NULL, NULL,

  574. 								   SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  575. 								   cb_id);

  576. 		rspamd_symcache_add_symbol(cfg->cache,

  577. 								   dkim_module_ctx->symbol_allow,

  578. 								   0,

  579. 								   NULL, NULL,

  580. 								   SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  581. 								   cb_id);

  582. 

  583. 		rspamd_symcache_add_symbol(cfg->cache,

  584. 								   "DKIM_TRACE",

  585. 								   0,

  586. 								   NULL, NULL,

  587. 								   SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_NOSTAT,

  588. 								   cb_id);

  589. 		rspamd_config_add_symbol(cfg,

  590. 								 "DKIM_TRACE",

  591. 								 0.0,

  592. 								 "DKIM trace symbol",

  593. 								 "policies",

  594. 								 RSPAMD_SYMBOL_FLAG_IGNORE_METRIC,

  595. 								 1,

  596. 								 1);

  597. 		rspamd_config_add_symbol_group(cfg, "DKIM_TRACE", "dkim");

  598. 

  599. 		msg_info_config("init internal dkim module");

  600. #ifndef HAVE_OPENSSL

  601. 		msg_warn_config(

  602. 			"openssl is not found so dkim rsa check is disabled, only check body hash, it is NOT safe to trust these results");

  603. #endif

  604. 	}

  605. 

  606. 	return res;

  607. }

  608. 

  609. 

  610. /**

  611.  * Grab a private key from the cache

  612.  * or from the key content provided

  613.  */

  614. rspamd_dkim_sign_key_t *

  615. dkim_module_load_key_format(struct rspamd_task *task,

  616. 							struct dkim_ctx *dkim_module_ctx,

  617. 							const char *key, gsize keylen,

  618. 							enum rspamd_dkim_key_format key_format)

  619. 

  620. {

  621. 	unsigned char h[rspamd_cryptobox_HASHBYTES],

  622. 		hex_hash[rspamd_cryptobox_HASHBYTES * 2 + 1];

  623. 	rspamd_dkim_sign_key_t *ret = NULL;

  624. 	GError *err = NULL;

  625. 	struct stat st;

  626. 

  627. 	memset(hex_hash, 0, sizeof(hex_hash));

  628. 	rspamd_cryptobox_hash(h, key, keylen, NULL, 0);

  629. 	rspamd_encode_hex_buf(h, sizeof(h), hex_hash, sizeof(hex_hash));

  630. 

  631. 	if (dkim_module_ctx->dkim_sign_hash) {

  632. 		ret = rspamd_lru_hash_lookup(dkim_module_ctx->dkim_sign_hash,

  633. 									 hex_hash, time(NULL));

  634. 	}

  635. 

  636. 	/*

  637. 	 * This fails for paths that are also valid base64.

  638. 	 * Maybe the caller should have specified a format.

  639. 	 */

  640. 	if (key_format == RSPAMD_DKIM_KEY_UNKNOWN) {

  641. 		if (key[0] == '.' || key[0] == '/') {

  642. 			if (!rspamd_cryptobox_base64_is_valid(key, keylen)) {

  643. 				key_format = RSPAMD_DKIM_KEY_FILE;

  644. 			}

  645. 		}

  646. 		else if (rspamd_cryptobox_base64_is_valid(key, keylen)) {

  647. 			key_format = RSPAMD_DKIM_KEY_BASE64;

  648. 		}

  649. 	}

  650. 

  651. 

  652. 	if (ret != NULL && key_format == RSPAMD_DKIM_KEY_FILE) {

  653. 		msg_debug_task("checking for stale file key");

  654. 

  655. 		if (stat(key, &st) != 0) {

  656. 			msg_err_task("cannot stat key file: %s", strerror(errno));

  657. 			return NULL;

  658. 		}

  659. 

  660. 		if (rspamd_dkim_sign_key_maybe_invalidate(ret, st.st_mtime)) {

  661. 			msg_debug_task("removing stale file key");

  662. 			/*

  663. 			 * Invalidate DKIM key

  664. 			 * removal from lru cache also cleanup the key and value

  665. 			 */

  666. 			if (dkim_module_ctx->dkim_sign_hash) {

  667. 				rspamd_lru_hash_remove(dkim_module_ctx->dkim_sign_hash,

  668. 									   hex_hash);

  669. 			}

  670. 			ret = NULL;

  671. 		}

  672. 	}

  673. 

  674. 	/* found key; done */

  675. 	if (ret != NULL) {

  676. 		return ret;

  677. 	}

  678. 

  679. 	ret = rspamd_dkim_sign_key_load(key, keylen, key_format, &err);

  680. 

  681. 	if (ret == NULL) {

  682. 		msg_err_task("cannot load dkim key %s: %e",

  683. 					 key, err);

  684. 		g_error_free(err);

  685. 	}

  686. 	else if (dkim_module_ctx->dkim_sign_hash) {

  687. 		rspamd_lru_hash_insert(dkim_module_ctx->dkim_sign_hash,

  688. 							   g_strdup(hex_hash), ret, time(NULL), 0);

  689. 	}

  690. 

  691. 	return ret;

  692. }

  693. 

  694. static int

  695. lua_dkim_sign_handler(lua_State *L)

  696. {

  697. 	struct rspamd_task *task = lua_check_task(L, 1);

  698. 	int64_t arc_idx = 0, expire = 0;

  699. 	enum rspamd_dkim_type sign_type = RSPAMD_DKIM_NORMAL;

  700. 	GError *err = NULL;

  701. 	GString *hdr;

  702. 	GList *sigs = NULL;

  703. 	const char *selector = NULL, *domain = NULL, *key = NULL, *rawkey = NULL,

  704. 			   *headers = NULL, *sign_type_str = NULL, *arc_cv = NULL,

  705. 			   *pubkey = NULL;

  706. 	rspamd_dkim_sign_context_t *ctx;

  707. 	rspamd_dkim_sign_key_t *dkim_key;

  708. 	gsize rawlen = 0, keylen = 0;

  709. 	gboolean no_cache = FALSE, strict_pubkey_check = FALSE;

  710. 	struct dkim_ctx *dkim_module_ctx;

  711. 

  712. 	luaL_argcheck(L, lua_type(L, 2) == LUA_TTABLE, 2, "'table' expected");

  713. 	/*

  714. 	 * Get the following elements:

  715. 	 * - selector

  716. 	 * - domain

  717. 	 * - key

  718. 	 */

  719. 	if (!rspamd_lua_parse_table_arguments(L, 2, &err,

  720. 										  RSPAMD_LUA_PARSE_ARGUMENTS_DEFAULT,

  721. 										  "key=V;rawkey=V;*domain=S;*selector=S;no_cache=B;headers=S;"

  722. 										  "sign_type=S;arc_idx=I;arc_cv=S;expire=I;pubkey=S;"

  723. 										  "strict_pubkey_check=B",

  724. 										  &keylen, &key, &rawlen, &rawkey, &domain,

  725. 										  &selector, &no_cache, &headers,

  726. 										  &sign_type_str, &arc_idx, &arc_cv, &expire, &pubkey,

  727. 										  &strict_pubkey_check)) {

  728. 		msg_err_task("cannot parse table arguments: %e",

  729. 					 err);

  730. 		g_error_free(err);

  731. 

  732. 		lua_pushboolean(L, FALSE);

  733. 		return 1;

  734. 	}

  735. 

  736. 	dkim_module_ctx = dkim_get_context(task->cfg);

  737. 

  738. 	if (key) {

  739. 		dkim_key = dkim_module_load_key_format(task, dkim_module_ctx, key,

  740. 											   keylen, RSPAMD_DKIM_KEY_UNKNOWN);

  741. 	}

  742. 	else if (rawkey) {

  743. 		dkim_key = dkim_module_load_key_format(task, dkim_module_ctx, rawkey,

  744. 											   rawlen, RSPAMD_DKIM_KEY_UNKNOWN);

  745. 	}

  746. 	else {

  747. 		msg_err_task("neither key nor rawkey are specified");

  748. 		lua_pushboolean(L, FALSE);

  749. 

  750. 		return 1;

  751. 	}

  752. 

  753. 	if (dkim_key == NULL) {

  754. 		lua_pushboolean(L, FALSE);

  755. 		return 1;

  756. 	}

  757. 

  758. 	if (sign_type_str) {

  759. 		if (strcmp(sign_type_str, "dkim") == 0) {

  760. 			sign_type = RSPAMD_DKIM_NORMAL;

  761. 

  762. 			if (headers == NULL) {

  763. 				headers = dkim_module_ctx->sign_headers;

  764. 			}

  765. 		}

  766. 		else if (strcmp(sign_type_str, "arc-sign") == 0) {

  767. 			sign_type = RSPAMD_DKIM_ARC_SIG;

  768. 

  769. 			if (headers == NULL) {

  770. 				headers = dkim_module_ctx->arc_sign_headers;

  771. 			}

  772. 

  773. 			if (arc_idx == 0) {

  774. 				lua_settop(L, 0);

  775. 				return luaL_error(L, "no arc idx specified");

  776. 			}

  777. 		}

  778. 		else if (strcmp(sign_type_str, "arc-seal") == 0) {

  779. 			sign_type = RSPAMD_DKIM_ARC_SEAL;

  780. 			if (arc_cv == NULL) {

  781. 				lua_settop(L, 0);

  782. 				return luaL_error(L, "no arc cv specified");

  783. 			}

  784. 			if (arc_idx == 0) {

  785. 				lua_settop(L, 0);

  786. 				return luaL_error(L, "no arc idx specified");

  787. 			}

  788. 		}

  789. 		else {

  790. 			lua_settop(L, 0);

  791. 			return luaL_error(L, "unknown sign type: %s",

  792. 							  sign_type_str);

  793. 		}

  794. 	}

  795. 	else {

  796. 		/* Unspecified sign type, assume plain dkim */

  797. 		if (headers == NULL) {

  798. 			headers = dkim_module_ctx->sign_headers;

  799. 		}

  800. 	}

  801. 

  802. 	if (pubkey != NULL) {

  803. 		/* Also check if private and public keys match */

  804. 		rspamd_dkim_key_t *pk;

  805. 		keylen = strlen(pubkey);

  806. 

  807. 		pk = rspamd_dkim_parse_key(pubkey, &keylen, NULL);

  808. 

  809. 		if (pk == NULL) {

  810. 			if (strict_pubkey_check) {

  811. 				msg_err_task("cannot parse pubkey from string: %s, skip signing",

  812. 							 pubkey);

  813. 				lua_pushboolean(L, FALSE);

  814. 

  815. 				return 1;

  816. 			}

  817. 			else {

  818. 				msg_warn_task("cannot parse pubkey from string: %s",

  819. 							  pubkey);

  820. 			}

  821. 		}

  822. 		else {

  823. 			GError *te = NULL;

  824. 

  825. 			/* We have parsed the key, so try to check keys */

  826. 			if (!rspamd_dkim_match_keys(pk, dkim_key, &te)) {

  827. 				if (strict_pubkey_check) {

  828. 					msg_err_task("public key for %s/%s does not match private "

  829. 								 "key: %e, skip signing",

  830. 								 domain, selector, te);

  831. 					g_error_free(te);

  832. 					lua_pushboolean(L, FALSE);

  833. 					rspamd_dkim_key_unref(pk);

  834. 

  835. 					return 1;

  836. 				}

  837. 				else {

  838. 					msg_warn_task("public key for %s/%s does not match private "

  839. 								  "key: %e",

  840. 								  domain, selector, te);

  841. 					g_error_free(te);

  842. 				}

  843. 			}

  844. 

  845. 			rspamd_dkim_key_unref(pk);

  846. 		}

  847. 	}

  848. 

  849. 	ctx = rspamd_create_dkim_sign_context(task, dkim_key,

  850. 										  DKIM_CANON_RELAXED, DKIM_CANON_RELAXED,

  851. 										  headers, sign_type, &err);

  852. 

  853. 	if (ctx == NULL) {

  854. 		msg_err_task("cannot create sign context: %e",

  855. 					 err);

  856. 		g_error_free(err);

  857. 

  858. 		lua_pushboolean(L, FALSE);

  859. 		return 1;

  860. 	}

  861. 

  862. 	hdr = rspamd_dkim_sign(task, selector, domain, 0,

  863. 						   expire, arc_idx, arc_cv, ctx);

  864. 

  865. 	if (hdr) {

  866. 

  867. 		if (!no_cache) {

  868. 			sigs = rspamd_mempool_get_variable(task->task_pool, "dkim-signature");

  869. 

  870. 			if (sigs == NULL) {

  871. 				sigs = g_list_append(sigs, hdr);

  872. 				rspamd_mempool_set_variable(task->task_pool, "dkim-signature",

  873. 											sigs, dkim_module_free_list);

  874. 			}

  875. 			else {

  876. 				sigs = g_list_append(sigs, hdr);

  877. 				(void) sigs;

  878. 			}

  879. 		}

  880. 

  881. 		lua_pushboolean(L, TRUE);

  882. 		lua_pushlstring(L, hdr->str, hdr->len);

  883. 

  884. 		if (no_cache) {

  885. 			g_string_free(hdr, TRUE);

  886. 		}

  887. 

  888. 		return 2;

  889. 	}

  890. 

  891. 

  892. 	lua_pushboolean(L, FALSE);

  893. 	lua_pushnil(L);

  894. 

  895. 	return 2;

  896. }

  897. 

  898. int dkim_module_reconfig(struct rspamd_config *cfg)

  899. {

  900. 	return dkim_module_config(cfg, false);

  901. }

  902. 

  903. /*

  904.  * Parse strict value for domain in format: 'reject_multiplier:deny_multiplier'

  905.  */

  906. static gboolean

  907. dkim_module_parse_strict(const char *value, double *allow, double *deny)

  908. {

  909. 	const char *colon;

  910. 	char *err = NULL;

  911. 	double val;

  912. 	char numbuf[64];

  913. 

  914. 	colon = strchr(value, ':');

  915. 	if (colon) {

  916. 		rspamd_strlcpy(numbuf, value,

  917. 					   MIN(sizeof(numbuf), (colon - value) + 1));

  918. 		val = strtod(numbuf, &err);

  919. 

  920. 		if (err == NULL || *err == '\0') {

  921. 			*deny = val;

  922. 			colon++;

  923. 			rspamd_strlcpy(numbuf, colon, sizeof(numbuf));

  924. 			err = NULL;

  925. 			val = strtod(numbuf, &err);

  926. 

  927. 			if (err == NULL || *err == '\0') {

  928. 				*allow = val;

  929. 				return TRUE;

  930. 			}

  931. 		}

  932. 	}

  933. 	return FALSE;

  934. }

  935. 

  936. static void

  937. dkim_module_check(struct dkim_check_result *res)

  938. {

  939. 	gboolean all_done = TRUE;

  940. 	const char *strict_value;

  941. 	struct dkim_check_result *first, *cur = NULL;

  942. 	struct dkim_ctx *dkim_module_ctx = dkim_get_context(res->task->cfg);

  943. 	struct rspamd_task *task = res->task;

  944. 

  945. 	first = res->first;

  946. 

  947. 	DL_FOREACH(first, cur)

  948. 	{

  949. 		if (cur->ctx == NULL) {

  950. 			continue;

  951. 		}

  952. 

  953. 		if (cur->key != NULL && cur->res == NULL) {

  954. 			cur->res = rspamd_dkim_check(cur->ctx, cur->key, task);

  955. 

  956. 			if (dkim_module_ctx->dkim_domains != NULL) {

  957. 				/* Perform strict check */

  958. 				const char *domain = rspamd_dkim_get_domain(cur->ctx);

  959. 

  960. 				if ((strict_value =

  961. 						 rspamd_match_hash_map(dkim_module_ctx->dkim_domains,

  962. 											   domain,

  963. 											   strlen(domain))) != NULL) {

  964. 					if (!dkim_module_parse_strict(strict_value, &cur->mult_allow,

  965. 												  &cur->mult_deny)) {

  966. 						cur->mult_allow = dkim_module_ctx->strict_multiplier;

  967. 						cur->mult_deny = dkim_module_ctx->strict_multiplier;

  968. 					}

  969. 				}

  970. 			}

  971. 		}

  972. 	}

  973. 

  974. 	DL_FOREACH(first, cur)

  975. 	{

  976. 		if (cur->ctx == NULL) {

  977. 			continue;

  978. 		}

  979. 		if (cur->res == NULL) {

  980. 			/* Still need a key */

  981. 			all_done = FALSE;

  982. 		}

  983. 	}

  984. 

  985. 	if (all_done) {

  986. 		/* Create zero terminated array of results */

  987. 		struct rspamd_dkim_check_result **pres;

  988. 		unsigned int nres = 0, i = 0;

  989. 

  990. 		DL_FOREACH(first, cur)

  991. 		{

  992. 			if (cur->ctx == NULL || cur->res == NULL) {

  993. 				continue;

  994. 			}

  995. 

  996. 			nres++;

  997. 		}

  998. 

  999. 		pres = rspamd_mempool_alloc(task->task_pool, sizeof(*pres) * (nres + 1));

  1000. 		pres[nres] = NULL;

  1001. 

  1002. 		DL_FOREACH(first, cur)

  1003. 		{

  1004. 			const char *symbol = NULL, *trace = NULL;

  1005. 			double symbol_weight = 1.0;

  1006. 

  1007. 			if (cur->ctx == NULL || cur->res == NULL) {

  1008. 				continue;

  1009. 			}

  1010. 

  1011. 			pres[i++] = cur->res;

  1012. 

  1013. 			if (cur->res->rcode == DKIM_REJECT) {

  1014. 				symbol = dkim_module_ctx->symbol_reject;

  1015. 				trace = "-";

  1016. 				symbol_weight = cur->mult_deny * 1.0;

  1017. 			}

  1018. 			else if (cur->res->rcode == DKIM_CONTINUE) {

  1019. 				symbol = dkim_module_ctx->symbol_allow;

  1020. 				trace = "+";

  1021. 				symbol_weight = cur->mult_allow * 1.0;

  1022. 			}

  1023. 			else if (cur->res->rcode == DKIM_PERM_ERROR) {

  1024. 				trace = "~";

  1025. 				symbol = dkim_module_ctx->symbol_permfail;

  1026. 			}

  1027. 			else if (cur->res->rcode == DKIM_TRYAGAIN) {

  1028. 				trace = "?";

  1029. 				symbol = dkim_module_ctx->symbol_tempfail;

  1030. 			}

  1031. 

  1032. 			if (symbol != NULL) {

  1033. 				const char *domain = rspamd_dkim_get_domain(cur->ctx);

  1034. 				const char *selector = rspamd_dkim_get_selector(cur->ctx);

  1035. 				gsize tracelen;

  1036. 				char *tracebuf;

  1037. 

  1038. 				tracelen = strlen(domain) + strlen(selector) + 4;

  1039. 				tracebuf = rspamd_mempool_alloc(task->task_pool,

  1040. 												tracelen);

  1041. 				rspamd_snprintf(tracebuf, tracelen, "%s:%s", domain, trace);

  1042. 

  1043. 				rspamd_task_insert_result(cur->task,

  1044. 										  "DKIM_TRACE",

  1045. 										  0.0,

  1046. 										  tracebuf);

  1047. 

  1048. 				rspamd_snprintf(tracebuf, tracelen, "%s:s=%s", domain, selector);

  1049. 				rspamd_task_insert_result(task,

  1050. 										  symbol,

  1051. 										  symbol_weight,

  1052. 										  tracebuf);

  1053. 			}

  1054. 		}

  1055. 

  1056. 		rspamd_mempool_set_variable(task->task_pool,

  1057. 									RSPAMD_MEMPOOL_DKIM_CHECK_RESULTS,

  1058. 									pres, NULL);

  1059. 	}

  1060. }

  1061. 

  1062. static void

  1063. dkim_module_key_handler(rspamd_dkim_key_t *key,

  1064. 						gsize keylen,

  1065. 						rspamd_dkim_context_t *ctx,

  1066. 						gpointer ud,

  1067. 						GError *err)

  1068. {

  1069. 	struct dkim_check_result *res = ud;

  1070. 	struct rspamd_task *task;

  1071. 	struct dkim_ctx *dkim_module_ctx;

  1072. 

  1073. 	task = res->task;

  1074. 	dkim_module_ctx = dkim_get_context(task->cfg);

  1075. 

  1076. 	if (key != NULL) {

  1077. 		/* Another ref belongs to the check context */

  1078. 		res->key = rspamd_dkim_key_ref(key);

  1079. 		/*

  1080. 		 * We actually receive key with refcount = 1, so we just assume that

  1081. 		 * lru hash owns this object now

  1082. 		 */

  1083. 		/* Release key when task is processed */

  1084. 		rspamd_mempool_add_destructor(res->task->task_pool,

  1085. 									  dkim_module_key_dtor, res->key);

  1086. 

  1087. 		if (dkim_module_ctx->dkim_hash) {

  1088. 			rspamd_lru_hash_insert(dkim_module_ctx->dkim_hash,

  1089. 								   g_strdup(rspamd_dkim_get_dns_key(ctx)),

  1090. 								   key, res->task->task_timestamp, rspamd_dkim_key_get_ttl(key));

  1091. 

  1092. 			msg_info_task("stored DKIM key for %s in LRU cache for %d seconds, "

  1093. 						  "%d/%d elements in the cache",

  1094. 						  rspamd_dkim_get_dns_key(ctx),

  1095. 						  rspamd_dkim_key_get_ttl(key),

  1096. 						  rspamd_lru_hash_size(dkim_module_ctx->dkim_hash),

  1097. 						  rspamd_lru_hash_capacity(dkim_module_ctx->dkim_hash));

  1098. 		}

  1099. 	}

  1100. 	else {

  1101. 		/* Insert tempfail symbol */

  1102. 		msg_info_task("cannot get key for domain %s: %e",

  1103. 					  rspamd_dkim_get_dns_key(ctx), err);

  1104. 

  1105. 		if (err != NULL) {

  1106. 			if (err->code == DKIM_SIGERROR_NOKEY) {

  1107. 				res->res = rspamd_dkim_create_result(ctx, DKIM_TRYAGAIN, task);

  1108. 				res->res->fail_reason = "DNS error when getting key";

  1109. 			}

  1110. 			else {

  1111. 				res->res = rspamd_dkim_create_result(ctx, DKIM_PERM_ERROR, task);

  1112. 				res->res->fail_reason = "invalid DKIM record";

  1113. 			}

  1114. 		}

  1115. 	}

  1116. 

  1117. 	if (err) {

  1118. 		g_error_free(err);

  1119. 	}

  1120. 

  1121. 	dkim_module_check(res);

  1122. }

  1123. 

  1124. static void

  1125. dkim_symbol_callback(struct rspamd_task *task,

  1126. 					 struct rspamd_symcache_dynamic_item *item,

  1127. 					 void *unused)

  1128. {

  1129. 	rspamd_dkim_context_t *ctx;

  1130. 	rspamd_dkim_key_t *key;

  1131. 	GError *err = NULL;

  1132. 	struct rspamd_mime_header *rh, *rh_cur;

  1133. 	struct dkim_check_result *res = NULL, *cur;

  1134. 	unsigned int checked = 0;

  1135. 	double *dmarc_checks;

  1136. 	struct dkim_ctx *dkim_module_ctx = dkim_get_context(task->cfg);

  1137. 

  1138. 	/* Allow dmarc */

  1139. 	dmarc_checks = rspamd_mempool_get_variable(task->task_pool,

  1140. 											   RSPAMD_MEMPOOL_DMARC_CHECKS);

  1141. 

  1142. 	if (dmarc_checks) {

  1143. 		(*dmarc_checks)++;

  1144. 	}

  1145. 	else {

  1146. 		dmarc_checks = rspamd_mempool_alloc(task->task_pool,

  1147. 											sizeof(*dmarc_checks));

  1148. 		*dmarc_checks = 1;

  1149. 		rspamd_mempool_set_variable(task->task_pool,

  1150. 									RSPAMD_MEMPOOL_DMARC_CHECKS,

  1151. 									dmarc_checks, NULL);

  1152. 	}

  1153. 

  1154. 	/* First check if plugin should be enabled */

  1155. 	if ((!dkim_module_ctx->check_authed && task->auth_user != NULL) || (!dkim_module_ctx->check_local &&

  1156. 																		rspamd_ip_is_local_cfg(task->cfg, task->from_addr))) {

  1157. 		msg_info_task("skip DKIM checks for local networks and authorized users");

  1158. 		rspamd_symcache_finalize_item(task, item);

  1159. 

  1160. 		return;

  1161. 	}

  1162. 	/* Check whitelist */

  1163. 	if (rspamd_match_radix_map_addr(dkim_module_ctx->whitelist_ip,

  1164. 									task->from_addr) != NULL) {

  1165. 		msg_info_task("skip DKIM checks for whitelisted address");

  1166. 		rspamd_symcache_finalize_item(task, item);

  1167. 

  1168. 		return;

  1169. 	}

  1170. 

  1171. 	rspamd_symcache_item_async_inc(task, item, M);

  1172. 

  1173. 	/* Now check if a message has its signature */

  1174. 	rh = rspamd_message_get_header_array(task, RSPAMD_DKIM_SIGNHEADER, FALSE);

  1175. 	if (rh) {

  1176. 		msg_debug_task("dkim signature found");

  1177. 

  1178. 		DL_FOREACH(rh, rh_cur)

  1179. 		{

  1180. 			if (rh_cur->decoded == NULL || rh_cur->decoded[0] == '\0') {

  1181. 				msg_info_task("cannot load empty DKIM signature");

  1182. 				continue;

  1183. 			}

  1184. 

  1185. 			cur = rspamd_mempool_alloc0(task->task_pool, sizeof(*cur));

  1186. 			cur->first = res;

  1187. 			cur->res = NULL;

  1188. 			cur->task = task;

  1189. 			cur->mult_allow = 1.0;

  1190. 			cur->mult_deny = 1.0;

  1191. 			cur->item = item;

  1192. 

  1193. 			ctx = rspamd_create_dkim_context(rh_cur->decoded,

  1194. 											 task->task_pool,

  1195. 											 task->resolver,

  1196. 											 dkim_module_ctx->time_jitter,

  1197. 											 RSPAMD_DKIM_NORMAL,

  1198. 											 &err);

  1199. 

  1200. 			if (res == NULL) {

  1201. 				res = cur;

  1202. 				res->first = res;

  1203. 				res->prev = res;

  1204. 			}

  1205. 			else {

  1206. 				DL_APPEND(res, cur);

  1207. 			}

  1208. 

  1209. 			if (ctx == NULL) {

  1210. 				if (err != NULL) {

  1211. 					msg_info_task("cannot parse DKIM signature: %e",

  1212. 								  err);

  1213. 					g_error_free(err);

  1214. 					err = NULL;

  1215. 				}

  1216. 				else {

  1217. 					msg_info_task("cannot parse DKIM signature: "

  1218. 								  "unknown error");

  1219. 				}

  1220. 

  1221. 				continue;

  1222. 			}

  1223. 			else {

  1224. 				/* Get key */

  1225. 				cur->ctx = ctx;

  1226. 				const char *domain = rspamd_dkim_get_domain(cur->ctx);

  1227. 

  1228. 				if (dkim_module_ctx->trusted_only &&

  1229. 					(dkim_module_ctx->dkim_domains == NULL ||

  1230. 					 rspamd_match_hash_map(dkim_module_ctx->dkim_domains,

  1231. 										   domain, strlen(domain)) == NULL)) {

  1232. 					msg_debug_task("skip dkim check for %s domain",

  1233. 								   rspamd_dkim_get_domain(ctx));

  1234. 

  1235. 					continue;

  1236. 				}

  1237. 

  1238. 				if (dkim_module_ctx->dkim_hash) {

  1239. 					key = rspamd_lru_hash_lookup(dkim_module_ctx->dkim_hash,

  1240. 												 rspamd_dkim_get_dns_key(ctx),

  1241. 												 task->task_timestamp);

  1242. 				}

  1243. 				else {

  1244. 					key = NULL;

  1245. 				}

  1246. 

  1247. 				if (key != NULL) {

  1248. 					cur->key = rspamd_dkim_key_ref(key);

  1249. 					/* Release key when task is processed */

  1250. 					rspamd_mempool_add_destructor(task->task_pool,

  1251. 												  dkim_module_key_dtor, cur->key);

  1252. 				}

  1253. 				else {

  1254. 					if (!rspamd_get_dkim_key(ctx,

  1255. 											 task,

  1256. 											 dkim_module_key_handler,

  1257. 											 cur)) {

  1258. 						continue;

  1259. 					}

  1260. 				}

  1261. 			}

  1262. 

  1263. 			checked++;

  1264. 

  1265. 			if (checked > dkim_module_ctx->max_sigs) {

  1266. 				msg_info_task("message has multiple signatures but we"

  1267. 							  " stopped after %d checked signatures as limit"

  1268. 							  " is reached",

  1269. 							  checked);

  1270. 				break;

  1271. 			}

  1272. 		}

  1273. 	}

  1274. 	else {

  1275. 		rspamd_task_insert_result(task,

  1276. 								  dkim_module_ctx->symbol_na,

  1277. 								  1.0,

  1278. 								  NULL);

  1279. 	}

  1280. 

  1281. 	if (res != NULL) {

  1282. 		dkim_module_check(res);

  1283. 	}

  1284. 

  1285. 	rspamd_symcache_item_async_dec_check(task, item, M);

  1286. }

  1287. 

  1288. struct rspamd_dkim_lua_verify_cbdata {

  1289. 	rspamd_dkim_context_t *ctx;

  1290. 	struct rspamd_task *task;

  1291. 	lua_State *L;

  1292. 	rspamd_dkim_key_t *key;

  1293. 	int cbref;

  1294. };

  1295. 

  1296. static void

  1297. dkim_module_lua_push_verify_result(struct rspamd_dkim_lua_verify_cbdata *cbd,

  1298. 								   struct rspamd_dkim_check_result *res, GError *err)

  1299. {

  1300. 	struct rspamd_task **ptask, *task;

  1301. 	const char *error_str = "unknown error";

  1302. 	gboolean success = FALSE;

  1303. 

  1304. 	task = cbd->task;

  1305. 

  1306. 	switch (res->rcode) {

  1307. 	case DKIM_CONTINUE:

  1308. 		error_str = NULL;

  1309. 		success = TRUE;

  1310. 		break;

  1311. 	case DKIM_REJECT:

  1312. 		if (err) {

  1313. 			error_str = err->message;

  1314. 		}

  1315. 		else {

  1316. 			error_str = "reject";

  1317. 		}

  1318. 		break;

  1319. 	case DKIM_TRYAGAIN:

  1320. 		if (err) {

  1321. 			error_str = err->message;

  1322. 		}

  1323. 		else {

  1324. 			error_str = "tempfail";

  1325. 		}

  1326. 		break;

  1327. 	case DKIM_NOTFOUND:

  1328. 		if (err) {

  1329. 			error_str = err->message;

  1330. 		}

  1331. 		else {

  1332. 			error_str = "not found";

  1333. 		}

  1334. 		break;

  1335. 	case DKIM_RECORD_ERROR:

  1336. 		if (err) {

  1337. 			error_str = err->message;

  1338. 		}

  1339. 		else {

  1340. 			error_str = "bad record";

  1341. 		}

  1342. 		break;

  1343. 	case DKIM_PERM_ERROR:

  1344. 		if (err) {

  1345. 			error_str = err->message;

  1346. 		}

  1347. 		else {

  1348. 			error_str = "permanent error";

  1349. 		}

  1350. 		break;

  1351. 	default:

  1352. 		break;

  1353. 	}

  1354. 

  1355. 	lua_rawgeti(cbd->L, LUA_REGISTRYINDEX, cbd->cbref);

  1356. 	ptask = lua_newuserdata(cbd->L, sizeof(*ptask));

  1357. 	*ptask = task;

  1358. 	lua_pushboolean(cbd->L, success);

  1359. 

  1360. 	if (error_str) {

  1361. 		lua_pushstring(cbd->L, error_str);

  1362. 	}

  1363. 	else {

  1364. 		lua_pushnil(cbd->L);

  1365. 	}

  1366. 

  1367. 	if (cbd->ctx) {

  1368. 		if (res->domain) {

  1369. 			lua_pushstring(cbd->L, res->domain);

  1370. 		}

  1371. 		else {

  1372. 			lua_pushnil(cbd->L);

  1373. 		}

  1374. 

  1375. 		if (res->selector) {

  1376. 			lua_pushstring(cbd->L, res->selector);

  1377. 		}

  1378. 		else {

  1379. 			lua_pushnil(cbd->L);

  1380. 		}

  1381. 

  1382. 		if (res->short_b) {

  1383. 			lua_pushstring(cbd->L, res->short_b);

  1384. 		}

  1385. 		else {

  1386. 			lua_pushnil(cbd->L);

  1387. 		}

  1388. 

  1389. 		if (res->fail_reason) {

  1390. 			lua_pushstring(cbd->L, res->fail_reason);

  1391. 		}

  1392. 		else {

  1393. 			lua_pushnil(cbd->L);

  1394. 		}

  1395. 	}

  1396. 	else {

  1397. 		lua_pushnil(cbd->L);

  1398. 		lua_pushnil(cbd->L);

  1399. 		lua_pushnil(cbd->L);

  1400. 		lua_pushnil(cbd->L);

  1401. 	}

  1402. 

  1403. 	if (lua_pcall(cbd->L, 7, 0, 0) != 0) {

  1404. 		msg_err_task("call to verify callback failed: %s",

  1405. 					 lua_tostring(cbd->L, -1));

  1406. 		lua_pop(cbd->L, 1);

  1407. 	}

  1408. 

  1409. 	luaL_unref(cbd->L, LUA_REGISTRYINDEX, cbd->cbref);

  1410. }

  1411. 

  1412. static void

  1413. dkim_module_lua_on_key(rspamd_dkim_key_t *key,

  1414. 					   gsize keylen,

  1415. 					   rspamd_dkim_context_t *ctx,

  1416. 					   gpointer ud,

  1417. 					   GError *err)

  1418. {

  1419. 	struct rspamd_dkim_lua_verify_cbdata *cbd = ud;

  1420. 	struct rspamd_task *task;

  1421. 	struct rspamd_dkim_check_result *res;

  1422. 	struct dkim_ctx *dkim_module_ctx;

  1423. 

  1424. 	task = cbd->task;

  1425. 	dkim_module_ctx = dkim_get_context(task->cfg);

  1426. 

  1427. 	if (key != NULL) {

  1428. 		/* Another ref belongs to the check context */

  1429. 		cbd->key = rspamd_dkim_key_ref(key);

  1430. 		/*

  1431. 		 * We actually receive key with refcount = 1, so we just assume that

  1432. 		 * lru hash owns this object now

  1433. 		 */

  1434. 

  1435. 		if (dkim_module_ctx->dkim_hash) {

  1436. 			rspamd_lru_hash_insert(dkim_module_ctx->dkim_hash,

  1437. 								   g_strdup(rspamd_dkim_get_dns_key(ctx)),

  1438. 								   key, cbd->task->task_timestamp, rspamd_dkim_key_get_ttl(key));

  1439. 		}

  1440. 		/* Release key when task is processed */

  1441. 		rspamd_mempool_add_destructor(cbd->task->task_pool,

  1442. 									  dkim_module_key_dtor, cbd->key);

  1443. 	}

  1444. 	else {

  1445. 		/* Insert tempfail symbol */

  1446. 		msg_info_task("cannot get key for domain %s: %e",

  1447. 					  rspamd_dkim_get_dns_key(ctx), err);

  1448. 

  1449. 		if (err != NULL) {

  1450. 			if (err->code == DKIM_SIGERROR_NOKEY) {

  1451. 				res = rspamd_dkim_create_result(ctx, DKIM_TRYAGAIN, task);

  1452. 				res->fail_reason = "DNS error when getting key";

  1453. 			}

  1454. 			else {

  1455. 				res = rspamd_dkim_create_result(ctx, DKIM_PERM_ERROR, task);

  1456. 				res->fail_reason = "invalid DKIM record";

  1457. 			}

  1458. 		}

  1459. 		else {

  1460. 			res = rspamd_dkim_create_result(ctx, DKIM_TRYAGAIN, task);

  1461. 			res->fail_reason = "DNS error when getting key";

  1462. 		}

  1463. 

  1464. 		dkim_module_lua_push_verify_result(cbd, res, err);

  1465. 

  1466. 		if (err) {

  1467. 			g_error_free(err);

  1468. 		}

  1469. 

  1470. 		return;

  1471. 	}

  1472. 

  1473. 	res = rspamd_dkim_check(cbd->ctx, cbd->key, cbd->task);

  1474. 	dkim_module_lua_push_verify_result(cbd, res, NULL);

  1475. }

  1476. 

  1477. static int

  1478. lua_dkim_verify_handler(lua_State *L)

  1479. {

  1480. 	struct rspamd_task *task = lua_check_task(L, 1);

  1481. 	const char *sig = luaL_checkstring(L, 2);

  1482. 	rspamd_dkim_context_t *ctx;

  1483. 	struct rspamd_dkim_lua_verify_cbdata *cbd;

  1484. 	rspamd_dkim_key_t *key;

  1485. 	struct rspamd_dkim_check_result *ret;

  1486. 	GError *err = NULL;

  1487. 	const char *type_str = NULL;

  1488. 	enum rspamd_dkim_type type = RSPAMD_DKIM_NORMAL;

  1489. 	struct dkim_ctx *dkim_module_ctx;

  1490. 

  1491. 	if (task && sig && lua_isfunction(L, 3)) {

  1492. 		if (lua_isstring(L, 4)) {

  1493. 			type_str = lua_tostring(L, 4);

  1494. 

  1495. 			if (type_str) {

  1496. 				if (strcmp(type_str, "dkim") == 0) {

  1497. 					type = RSPAMD_DKIM_NORMAL;

  1498. 				}

  1499. 				else if (strcmp(type_str, "arc-sign") == 0) {

  1500. 					type = RSPAMD_DKIM_ARC_SIG;

  1501. 				}

  1502. 				else if (strcmp(type_str, "arc-seal") == 0) {

  1503. 					type = RSPAMD_DKIM_ARC_SEAL;

  1504. 				}

  1505. 				else {

  1506. 					lua_settop(L, 0);

  1507. 					return luaL_error(L, "unknown sign type: %s",

  1508. 									  type_str);

  1509. 				}

  1510. 			}

  1511. 		}

  1512. 

  1513. 		dkim_module_ctx = dkim_get_context(task->cfg);

  1514. 

  1515. 		ctx = rspamd_create_dkim_context(sig,

  1516. 										 task->task_pool,

  1517. 										 task->resolver,

  1518. 										 dkim_module_ctx->time_jitter,

  1519. 										 type,

  1520. 										 &err);

  1521. 

  1522. 		if (ctx == NULL) {

  1523. 			lua_pushboolean(L, false);

  1524. 

  1525. 			if (err) {

  1526. 				lua_pushstring(L, err->message);

  1527. 				g_error_free(err);

  1528. 			}

  1529. 			else {

  1530. 				lua_pushstring(L, "unknown error");

  1531. 			}

  1532. 

  1533. 			return 2;

  1534. 		}

  1535. 

  1536. 		cbd = rspamd_mempool_alloc(task->task_pool, sizeof(*cbd));

  1537. 		cbd->L = L;

  1538. 		cbd->task = task;

  1539. 		lua_pushvalue(L, 3);

  1540. 		cbd->cbref = luaL_ref(L, LUA_REGISTRYINDEX);

  1541. 		cbd->ctx = ctx;

  1542. 		cbd->key = NULL;

  1543. 

  1544. 		if (dkim_module_ctx->dkim_hash) {

  1545. 			key = rspamd_lru_hash_lookup(dkim_module_ctx->dkim_hash,

  1546. 										 rspamd_dkim_get_dns_key(ctx),

  1547. 										 task->task_timestamp);

  1548. 		}

  1549. 		else {

  1550. 			key = NULL;

  1551. 		}

  1552. 

  1553. 		if (key != NULL) {

  1554. 			cbd->key = rspamd_dkim_key_ref(key);

  1555. 			/* Release key when task is processed */

  1556. 			rspamd_mempool_add_destructor(task->task_pool,

  1557. 										  dkim_module_key_dtor, cbd->key);

  1558. 			ret = rspamd_dkim_check(cbd->ctx, cbd->key, cbd->task);

  1559. 			dkim_module_lua_push_verify_result(cbd, ret, NULL);

  1560. 		}

  1561. 		else {

  1562. 			rspamd_get_dkim_key(ctx,

  1563. 								task,

  1564. 								dkim_module_lua_on_key,

  1565. 								cbd);

  1566. 		}

  1567. 	}

  1568. 	else {

  1569. 		return luaL_error(L, "invalid arguments");

  1570. 	}

  1571. 

  1572. 	lua_pushboolean(L, TRUE);

  1573. 	lua_pushnil(L);

  1574. 

  1575. 	return 2;

  1576. }

  1577. 

  1578. static int

  1579. lua_dkim_canonicalize_handler(lua_State *L)

  1580. {

  1581. 	gsize nlen, vlen;

  1582. 	const char *hname = luaL_checklstring(L, 1, &nlen),

  1583. 			   *hvalue = luaL_checklstring(L, 2, &vlen);

  1584. 	static char st_buf[8192];

  1585. 	char *buf;

  1586. 	unsigned int inlen;

  1587. 	gboolean allocated = FALSE;

  1588. 	goffset r;

  1589. 

  1590. 	if (hname && hvalue && nlen > 0) {

  1591. 		inlen = nlen + vlen + sizeof(":" CRLF);

  1592. 

  1593. 		if (inlen > sizeof(st_buf)) {

  1594. 			buf = g_malloc(inlen);

  1595. 			allocated = TRUE;

  1596. 		}

  1597. 		else {

  1598. 			/* Faster */

  1599. 			buf = st_buf;

  1600. 		}

  1601. 

  1602. 		r = rspamd_dkim_canonize_header_relaxed_str(hname, hvalue, buf, inlen);

  1603. 

  1604. 		if (r == -1) {

  1605. 			lua_pushnil(L);

  1606. 		}

  1607. 		else {

  1608. 			lua_pushlstring(L, buf, r);

  1609. 		}

  1610. 

  1611. 		if (allocated) {

  1612. 			g_free(buf);

  1613. 		}

  1614. 	}

  1615. 	else {

  1616. 		return luaL_error(L, "invalid arguments");

  1617. 	}

  1618. 

  1619. 	return 1;

  1620. }