mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15574 Commits
28 Branches
Tree: 69f50374bb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '69f50374bb'
${ noResults }
rspamd/src/plugins/dkim_check.c

dkim_check.c 38KB
Raw Blame History

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603 
  1. /*-

  2.  * Copyright 2016 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *   http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. /***MODULE:dkim

  17.  * rspamd module that checks dkim records of incoming email

  18.  *

  19.  * Allowed options:

  20.  * - symbol_allow (string): symbol to insert in case of allow (default: 'R_DKIM_ALLOW')

  21.  * - symbol_reject (string): symbol to insert (default: 'R_DKIM_REJECT')

  22.  * - symbol_tempfail (string): symbol to insert in case of temporary fail (default: 'R_DKIM_TEMPFAIL')

  23.  * - symbol_permfail (string): symbol to insert in case of permanent failure (default: 'R_DKIM_PERMFAIL')

  24.  * - symbol_na (string): symbol to insert in case of no signing (default: 'R_DKIM_NA')

  25.  * - whitelist (map): map of whitelisted networks

  26.  * - domains (map): map of domains to check

  27.  * - strict_multiplier (number): multiplier for strict domains

  28.  * - time_jitter (number): jitter in seconds to allow time diff while checking

  29.  * - trusted_only (flag): check signatures only for domains in 'domains' map

  30.  */

  31. 

  32. 

  33. #include "config.h"

  34. #include "libmime/message.h"

  35. #include "libserver/dkim.h"

  36. #include "libutil/hash.h"

  37. #include "libutil/map.h"

  38. #include "libutil/map_helpers.h"

  39. #include "rspamd.h"

  40. #include "utlist.h"

  41. #include "unix-std.h"

  42. #include "lua/lua_common.h"

  43. #include "libserver/mempool_vars_internal.h"

  44. 

  45. #define DEFAULT_SYMBOL_REJECT "R_DKIM_REJECT"

  46. #define DEFAULT_SYMBOL_TEMPFAIL "R_DKIM_TEMPFAIL"

  47. #define DEFAULT_SYMBOL_ALLOW "R_DKIM_ALLOW"

  48. #define DEFAULT_SYMBOL_NA "R_DKIM_NA"

  49. #define DEFAULT_SYMBOL_PERMFAIL "R_DKIM_PERMFAIL"

  50. #define DEFAULT_CACHE_SIZE 2048

  51. #define DEFAULT_TIME_JITTER 60

  52. #define DEFAULT_MAX_SIGS 5

  53. 

  54. static const gchar *M = "rspamd dkim plugin";

  55. 

  56. static const gchar default_sign_headers[] = ""

  57. 		"(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"

  58. 		"(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"

  59. 		"resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"

  60. 		"(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"

  61. 		"list-subscribe:list-post:(x)openpgp:(x)autocrypt";

  62. static const gchar default_arc_sign_headers[] = ""

  63. 		"(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"

  64. 		"(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"

  65. 		"resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"

  66. 		"(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"

  67. 		"list-subscribe:list-post:dkim-signature:(x)openpgp:(x)autocrypt";

  68. 

  69. struct dkim_ctx {

  70. 	struct module_ctx ctx;

  71. 	const gchar *symbol_reject;

  72. 	const gchar *symbol_tempfail;

  73. 	const gchar *symbol_allow;

  74. 	const gchar *symbol_na;

  75. 	const gchar *symbol_permfail;

  76. 

  77. 	struct rspamd_radix_map_helper *whitelist_ip;

  78. 	struct rspamd_hash_map_helper *dkim_domains;

  79. 	guint strict_multiplier;

  80. 	guint time_jitter;

  81. 	rspamd_lru_hash_t *dkim_hash;

  82. 	rspamd_lru_hash_t *dkim_sign_hash;

  83. 	const gchar *sign_headers;

  84. 	const gchar *arc_sign_headers;

  85. 	guint max_sigs;

  86. 	gboolean trusted_only;

  87. 	gboolean check_local;

  88. 	gboolean check_authed;

  89. };

  90. 

  91. struct dkim_check_result {

  92. 	rspamd_dkim_context_t *ctx;

  93. 	rspamd_dkim_key_t *key;

  94. 	struct rspamd_task *task;

  95. 	struct rspamd_dkim_check_result *res;

  96. 	gdouble mult_allow;

  97. 	gdouble mult_deny;

  98. 	struct rspamd_symcache_item *item;

  99. 	struct dkim_check_result *next, *prev, *first;

  100. };

  101. 

  102. static void dkim_symbol_callback (struct rspamd_task *task,

  103. 								  struct rspamd_symcache_item *item,

  104. 								  void *unused);

  105. static void dkim_sign_callback (struct rspamd_task *task,

  106. 								struct rspamd_symcache_item *item,

  107. 								void *unused);

  108. 

  109. static gint lua_dkim_sign_handler (lua_State *L);

  110. static gint lua_dkim_verify_handler (lua_State *L);

  111. static gint lua_dkim_canonicalize_handler (lua_State *L);

  112. 

  113. /* Initialization */

  114. gint dkim_module_init (struct rspamd_config *cfg, struct module_ctx **ctx);

  115. gint dkim_module_config (struct rspamd_config *cfg);

  116. gint dkim_module_reconfig (struct rspamd_config *cfg);

  117. 

  118. module_t dkim_module = {

  119. 		"dkim",

  120. 		dkim_module_init,

  121. 		dkim_module_config,

  122. 		dkim_module_reconfig,

  123. 		NULL,

  124. 		RSPAMD_MODULE_VER,

  125. 		(guint)-1,

  126. };

  127. 

  128. static inline struct dkim_ctx *

  129. dkim_get_context (struct rspamd_config *cfg)

  130. {

  131. 	return (struct dkim_ctx *)g_ptr_array_index (cfg->c_modules,

  132. 			dkim_module.ctx_offset);

  133. }

  134. 

  135. static void

  136. dkim_module_key_dtor (gpointer k)

  137. {

  138. 	rspamd_dkim_key_t *key = k;

  139. 

  140. 	rspamd_dkim_key_unref (key);

  141. }

  142. 

  143. static void

  144. dkim_module_free_list (gpointer k)

  145. {

  146. 	g_list_free_full ((GList *)k, rspamd_gstring_free_hard);

  147. }

  148. 

  149. gint

  150. dkim_module_init (struct rspamd_config *cfg, struct module_ctx **ctx)

  151. {

  152. 	struct dkim_ctx *dkim_module_ctx;

  153. 

  154. 	dkim_module_ctx = rspamd_mempool_alloc0 (cfg->cfg_pool,

  155. 			sizeof (*dkim_module_ctx));

  156. 	dkim_module_ctx->sign_headers = default_sign_headers;

  157. 	dkim_module_ctx->arc_sign_headers = default_arc_sign_headers;

  158. 	dkim_module_ctx->max_sigs = DEFAULT_MAX_SIGS;

  159. 

  160. 	*ctx = (struct module_ctx *)dkim_module_ctx;

  161. 

  162. 	rspamd_rcl_add_doc_by_path (cfg,

  163. 			NULL,

  164. 			"DKIM check plugin",

  165. 			"dkim",

  166. 			UCL_OBJECT,

  167. 			NULL,

  168. 			0,

  169. 			NULL,

  170. 			0);

  171. 	rspamd_rcl_add_doc_by_path (cfg,

  172. 			"dkim",

  173. 			"Map of IP addresses that should be excluded from DKIM checks",

  174. 			"whitelist",

  175. 			UCL_STRING,

  176. 			NULL,

  177. 			0,

  178. 			NULL,

  179. 			0);

  180. 	rspamd_rcl_add_doc_by_path (cfg,

  181. 			"dkim",

  182. 			"Symbol that is added if DKIM check is successful",

  183. 			"symbol_allow",

  184. 			UCL_STRING,

  185. 			NULL,

  186. 			0,

  187. 			DEFAULT_SYMBOL_ALLOW,

  188. 			0);

  189. 	rspamd_rcl_add_doc_by_path (cfg,

  190. 			"dkim",

  191. 			"Symbol that is added if DKIM check is unsuccessful",

  192. 			"symbol_reject",

  193. 			UCL_STRING,

  194. 			NULL,

  195. 			0,

  196. 			DEFAULT_SYMBOL_REJECT,

  197. 			0);

  198. 	rspamd_rcl_add_doc_by_path (cfg,

  199. 			"dkim",

  200. 			"Symbol that is added if DKIM check can't be completed (e.g. DNS failure)",

  201. 			"symbol_tempfail",

  202. 			UCL_STRING,

  203. 			NULL,

  204. 			0,

  205. 			DEFAULT_SYMBOL_TEMPFAIL,

  206. 			0);

  207. 	rspamd_rcl_add_doc_by_path (cfg,

  208. 			"dkim",

  209. 			"Symbol that is added if mail is not signed",

  210. 			"symbol_na",

  211. 			UCL_STRING,

  212. 			NULL,

  213. 			0,

  214. 			DEFAULT_SYMBOL_NA,

  215. 			0);

  216. 	rspamd_rcl_add_doc_by_path (cfg,

  217. 			"dkim",

  218. 			"Symbol that is added if permanent failure encountered",

  219. 			"symbol_permfail",

  220. 			UCL_STRING,

  221. 			NULL,

  222. 			0,

  223. 			DEFAULT_SYMBOL_PERMFAIL,

  224. 			0);

  225. 	rspamd_rcl_add_doc_by_path (cfg,

  226. 			"dkim",

  227. 			"Size of DKIM keys cache",

  228. 			"dkim_cache_size",

  229. 			UCL_INT,

  230. 			NULL,

  231. 			0,

  232. 			G_STRINGIFY (DEFAULT_CACHE_SIZE),

  233. 			0);

  234. 	rspamd_rcl_add_doc_by_path (cfg,

  235. 			"dkim",

  236. 			"Allow this time difference when checking DKIM signature time validity",

  237. 			"time_jitter",

  238. 			UCL_TIME,

  239. 			NULL,

  240. 			0,

  241. 			G_STRINGIFY (DEFAULT_TIME_JITTER),

  242. 			0);

  243. 	rspamd_rcl_add_doc_by_path (cfg,

  244. 			"dkim",

  245. 			"Domains to check DKIM for (check all domains if this option is empty)",

  246. 			"domains",

  247. 			UCL_STRING,

  248. 			NULL,

  249. 			0,

  250. 			"empty",

  251. 			0);

  252. 	rspamd_rcl_add_doc_by_path (cfg,

  253. 			"dkim",

  254. 			"Map of domains that are treated as 'trusted' meaning that DKIM policy failure has more significant score",

  255. 			"trusted_domains",

  256. 			UCL_STRING,

  257. 			NULL,

  258. 			0,

  259. 			"empty",

  260. 			0);

  261. 	rspamd_rcl_add_doc_by_path (cfg,

  262. 			"dkim",

  263. 			"Multiply dkim score by this factor for trusted domains",

  264. 			"strict_multiplier",

  265. 			UCL_FLOAT,

  266. 			NULL,

  267. 			0,

  268. 			NULL,

  269. 			0);

  270. 	rspamd_rcl_add_doc_by_path (cfg,

  271. 			"dkim",

  272. 			"Check DKIM policies merely for `trusted_domains`",

  273. 			"trusted_only",

  274. 			UCL_BOOLEAN,

  275. 			NULL,

  276. 			0,

  277. 			"false",

  278. 			0);

  279. 	rspamd_rcl_add_doc_by_path (cfg,

  280. 			"dkim",

  281. 			"Lua script that tells if a message should be signed and with what params (obsoleted)",

  282. 			"sign_condition",

  283. 			UCL_STRING,

  284. 			NULL,

  285. 			0,

  286. 			"empty",

  287. 			0);

  288. 	rspamd_rcl_add_doc_by_path (cfg,

  289. 			"dkim",

  290. 			"Obsoleted: maximum number of DKIM signatures to check",

  291. 			"max_sigs",

  292. 			UCL_INT,

  293. 			NULL,

  294. 			0,

  295. 			"n/a",

  296. 			0);

  297. 	rspamd_rcl_add_doc_by_path (cfg,

  298. 			"dkim",

  299. 			"Headers used in signing",

  300. 			"sign_headers",

  301. 			UCL_STRING,

  302. 			NULL,

  303. 			0,

  304. 			default_sign_headers,

  305. 			0);

  306. 

  307. 	return 0;

  308. }

  309. 

  310. gint

  311. dkim_module_config (struct rspamd_config *cfg)

  312. {

  313. 	const ucl_object_t *value;

  314. 	gint res = TRUE, cb_id = -1;

  315. 	guint cache_size, sign_cache_size;

  316. 	gboolean got_trusted = FALSE;

  317. 	struct dkim_ctx *dkim_module_ctx = dkim_get_context (cfg);

  318. 

  319. 	/* Register global methods */

  320. 	lua_getglobal (cfg->lua_state, "rspamd_plugins");

  321. 

  322. 	if (lua_type (cfg->lua_state, -1) == LUA_TTABLE) {

  323. 		lua_pushstring (cfg->lua_state, "dkim");

  324. 		lua_createtable (cfg->lua_state, 0, 1);

  325. 		/* Set methods */

  326. 		lua_pushstring (cfg->lua_state, "sign");

  327. 		lua_pushcfunction (cfg->lua_state, lua_dkim_sign_handler);

  328. 		lua_settable (cfg->lua_state, -3);

  329. 		lua_pushstring (cfg->lua_state, "verify");

  330. 		lua_pushcfunction (cfg->lua_state, lua_dkim_verify_handler);

  331. 		lua_settable (cfg->lua_state, -3);

  332. 		lua_pushstring (cfg->lua_state, "canon_header_relaxed");

  333. 		lua_pushcfunction (cfg->lua_state, lua_dkim_canonicalize_handler);

  334. 		lua_settable (cfg->lua_state, -3);

  335. 		/* Finish dkim key */

  336. 		lua_settable (cfg->lua_state, -3);

  337. 	}

  338. 

  339. 	lua_pop (cfg->lua_state, 1); /* Remove global function */

  340. 	dkim_module_ctx->whitelist_ip = NULL;

  341. 

  342. 	value = rspamd_config_get_module_opt (cfg, "dkim", "check_local");

  343. 

  344. 	if (value == NULL) {

  345. 		rspamd_config_get_module_opt (cfg, "options", "check_local");

  346. 	}

  347. 

  348. 	if (value != NULL) {

  349. 		dkim_module_ctx->check_local = ucl_object_toboolean (value);

  350. 	}

  351. 	else {

  352. 		dkim_module_ctx->check_local = FALSE;

  353. 	}

  354. 

  355. 	value = rspamd_config_get_module_opt (cfg, "dkim", "check_authed");

  356. 

  357. 	if (value == NULL) {

  358. 		rspamd_config_get_module_opt (cfg, "options", "check_authed");

  359. 	}

  360. 

  361. 	if (value != NULL) {

  362. 		dkim_module_ctx->check_authed = ucl_object_toboolean (value);

  363. 	}

  364. 	else {

  365. 		dkim_module_ctx->check_authed = FALSE;

  366. 	}

  367. 	if ((value =

  368. 		rspamd_config_get_module_opt (cfg, "dkim", "symbol_reject")) != NULL) {

  369. 		dkim_module_ctx->symbol_reject = ucl_object_tostring (value);

  370. 	}

  371. 	else {

  372. 		dkim_module_ctx->symbol_reject = DEFAULT_SYMBOL_REJECT;

  373. 	}

  374. 	if ((value =

  375. 		rspamd_config_get_module_opt (cfg, "dkim",

  376. 		"symbol_tempfail")) != NULL) {

  377. 		dkim_module_ctx->symbol_tempfail = ucl_object_tostring (value);

  378. 	}

  379. 	else {

  380. 		dkim_module_ctx->symbol_tempfail = DEFAULT_SYMBOL_TEMPFAIL;

  381. 	}

  382. 	if ((value =

  383. 		rspamd_config_get_module_opt (cfg, "dkim", "symbol_allow")) != NULL) {

  384. 		dkim_module_ctx->symbol_allow = ucl_object_tostring (value);

  385. 	}

  386. 	else {

  387. 		dkim_module_ctx->symbol_allow = DEFAULT_SYMBOL_ALLOW;

  388. 	}

  389. 	if ((value =

  390. 		rspamd_config_get_module_opt (cfg, "dkim", "symbol_na")) != NULL) {

  391. 		dkim_module_ctx->symbol_na = ucl_object_tostring (value);

  392. 	}

  393. 	else {

  394. 		dkim_module_ctx->symbol_na = DEFAULT_SYMBOL_NA;

  395. 	}

  396. 	if ((value =

  397. 		rspamd_config_get_module_opt (cfg, "dkim", "symbol_permfail")) != NULL) {

  398. 		dkim_module_ctx->symbol_permfail = ucl_object_tostring (value);

  399. 	}

  400. 	else {

  401. 		dkim_module_ctx->symbol_permfail = DEFAULT_SYMBOL_PERMFAIL;

  402. 	}

  403. 	if ((value =

  404. 		rspamd_config_get_module_opt (cfg, "dkim",

  405. 		"dkim_cache_size")) != NULL) {

  406. 		cache_size = ucl_object_toint (value);

  407. 	}

  408. 	else {

  409. 		cache_size = DEFAULT_CACHE_SIZE;

  410. 	}

  411. 

  412. 	if ((value =

  413. 			rspamd_config_get_module_opt (cfg, "dkim",

  414. 					"sign_cache_size")) != NULL) {

  415. 		sign_cache_size = ucl_object_toint (value);

  416. 	}

  417. 	else {

  418. 		sign_cache_size = 128;

  419. 	}

  420. 

  421. 	if ((value =

  422. 		rspamd_config_get_module_opt (cfg, "dkim", "time_jitter")) != NULL) {

  423. 		dkim_module_ctx->time_jitter = ucl_object_todouble (value);

  424. 	}

  425. 	else {

  426. 		dkim_module_ctx->time_jitter = DEFAULT_TIME_JITTER;

  427. 	}

  428. 

  429. 	if ((value =

  430. 			rspamd_config_get_module_opt (cfg, "dkim", "max_sigs")) != NULL) {

  431. 		dkim_module_ctx->max_sigs = ucl_object_toint (value);

  432. 	}

  433. 

  434. 	if ((value =

  435. 		rspamd_config_get_module_opt (cfg, "dkim", "whitelist")) != NULL) {

  436. 

  437. 		rspamd_config_radix_from_ucl (cfg, value, "DKIM whitelist",

  438. 				&dkim_module_ctx->whitelist_ip, NULL);

  439. 	}

  440. 

  441. 	if ((value =

  442. 		rspamd_config_get_module_opt (cfg, "dkim", "domains")) != NULL) {

  443. 		if (!rspamd_map_add_from_ucl (cfg, value,

  444. 				"DKIM domains",

  445. 				rspamd_kv_list_read,

  446. 				rspamd_kv_list_fin,

  447. 				rspamd_kv_list_dtor,

  448. 				(void **)&dkim_module_ctx->dkim_domains)) {

  449. 			msg_warn_config ("cannot load dkim domains list from %s",

  450. 				ucl_object_tostring (value));

  451. 		}

  452. 		else {

  453. 			got_trusted = TRUE;

  454. 		}

  455. 	}

  456. 

  457. 	if (!got_trusted && (value =

  458. 			rspamd_config_get_module_opt (cfg, "dkim", "trusted_domains")) != NULL) {

  459. 		if (!rspamd_map_add_from_ucl (cfg, value,

  460. 				"DKIM domains",

  461. 				rspamd_kv_list_read,

  462. 				rspamd_kv_list_fin,

  463. 				rspamd_kv_list_dtor,

  464. 				(void **)&dkim_module_ctx->dkim_domains)) {

  465. 			msg_warn_config ("cannot load dkim domains list from %s",

  466. 					ucl_object_tostring (value));

  467. 		}

  468. 		else {

  469. 			got_trusted = TRUE;

  470. 		}

  471. 	}

  472. 

  473. 	if ((value =

  474. 		rspamd_config_get_module_opt (cfg, "dkim",

  475. 		"strict_multiplier")) != NULL) {

  476. 		dkim_module_ctx->strict_multiplier = ucl_object_toint (value);

  477. 	}

  478. 	else {

  479. 		dkim_module_ctx->strict_multiplier = 1;

  480. 	}

  481. 

  482. 	if ((value =

  483. 		rspamd_config_get_module_opt (cfg, "dkim", "trusted_only")) != NULL) {

  484. 		dkim_module_ctx->trusted_only = ucl_object_toboolean (value);

  485. 	}

  486. 	else {

  487. 		dkim_module_ctx->trusted_only = FALSE;

  488. 	}

  489. 

  490. 	if ((value =

  491. 			rspamd_config_get_module_opt (cfg, "dkim", "sign_headers")) != NULL) {

  492. 		dkim_module_ctx->sign_headers = ucl_object_tostring (value);

  493. 	}

  494. 

  495. 	if ((value =

  496. 				 rspamd_config_get_module_opt (cfg, "arc", "sign_headers")) != NULL) {

  497. 		dkim_module_ctx->arc_sign_headers = ucl_object_tostring (value);

  498. 	}

  499. 

  500. 	if (cache_size > 0) {

  501. 		dkim_module_ctx->dkim_hash = rspamd_lru_hash_new (

  502. 				cache_size,

  503. 				g_free,

  504. 				dkim_module_key_dtor);

  505. 		rspamd_mempool_add_destructor (cfg->cfg_pool,

  506. 				(rspamd_mempool_destruct_t)rspamd_lru_hash_destroy,

  507. 				dkim_module_ctx->dkim_hash);

  508. 	}

  509. 

  510. 	if (sign_cache_size > 0) {

  511. 		dkim_module_ctx->dkim_sign_hash = rspamd_lru_hash_new (

  512. 				sign_cache_size,

  513. 				g_free,

  514. 				(GDestroyNotify) rspamd_dkim_sign_key_unref);

  515. 		rspamd_mempool_add_destructor (cfg->cfg_pool,

  516. 				(rspamd_mempool_destruct_t)rspamd_lru_hash_destroy,

  517. 				dkim_module_ctx->dkim_sign_hash);

  518. 	}

  519. 

  520. 	if (dkim_module_ctx->trusted_only && !got_trusted) {

  521. 		msg_err_config (

  522. 			"trusted_only option is set and no trusted domains are defined; disabling dkim module completely as it is useless in this case");

  523. 	}

  524. 	else {

  525. 		if (!rspamd_config_is_module_enabled (cfg, "dkim")) {

  526. 			return TRUE;

  527. 		}

  528. 

  529. 		cb_id = rspamd_symcache_add_symbol (cfg->cache,

  530. 				"DKIM_CHECK",

  531. 				0,

  532. 				dkim_symbol_callback,

  533. 				NULL,

  534. 				SYMBOL_TYPE_CALLBACK,

  535. 				-1);

  536. 		rspamd_config_add_symbol (cfg,

  537. 				"DKIM_CHECK",

  538. 				0.0,

  539. 				"DKIM check callback",

  540. 				"policies",

  541. 				RSPAMD_SYMBOL_FLAG_IGNORE,

  542. 				1,

  543. 				1);

  544. 		rspamd_config_add_symbol_group (cfg, "DKIM_CHECK", "dkim");

  545. 		rspamd_symcache_add_symbol (cfg->cache,

  546. 				dkim_module_ctx->symbol_reject,

  547. 				0,

  548. 				NULL,

  549. 				NULL,

  550. 				SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  551. 				cb_id);

  552. 		rspamd_symcache_add_symbol (cfg->cache,

  553. 				dkim_module_ctx->symbol_na,

  554. 				0,

  555. 				NULL, NULL,

  556. 				SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  557. 				cb_id);

  558. 		rspamd_symcache_add_symbol (cfg->cache,

  559. 				dkim_module_ctx->symbol_permfail,

  560. 				0,

  561. 				NULL, NULL,

  562. 				SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  563. 				cb_id);

  564. 		rspamd_symcache_add_symbol (cfg->cache,

  565. 				dkim_module_ctx->symbol_tempfail,

  566. 				0,

  567. 				NULL, NULL,

  568. 				SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  569. 				cb_id);

  570. 		rspamd_symcache_add_symbol (cfg->cache,

  571. 				dkim_module_ctx->symbol_allow,

  572. 				0,

  573. 				NULL, NULL,

  574. 				SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE,

  575. 				cb_id);

  576. 

  577. 		rspamd_symcache_add_symbol (cfg->cache,

  578. 				"DKIM_TRACE",

  579. 				0,

  580. 				NULL, NULL,

  581. 				SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_NOSTAT,

  582. 				cb_id);

  583. 		rspamd_config_add_symbol (cfg,

  584. 				"DKIM_TRACE",

  585. 				0.0,

  586. 				"DKIM trace symbol",

  587. 				"policies",

  588. 				RSPAMD_SYMBOL_FLAG_IGNORE,

  589. 				1,

  590. 				1);

  591. 		rspamd_config_add_symbol_group (cfg, "DKIM_TRACE", "dkim");

  592. 

  593. 		msg_info_config ("init internal dkim module");

  594. #ifndef HAVE_OPENSSL

  595. 		msg_warn_config (

  596. 			"openssl is not found so dkim rsa check is disabled, only check body hash, it is NOT safe to trust these results");

  597. #endif

  598. 	}

  599. 

  600. 	return res;

  601. }

  602. 

  603. 

  604. /**

  605.  * Grab a private key from the cache

  606.  * or from the key content provided

  607.  */

  608. rspamd_dkim_sign_key_t *

  609. dkim_module_load_key_format (struct rspamd_task *task,

  610. 							 struct dkim_ctx *dkim_module_ctx,

  611. 							 const gchar *key, gsize keylen,

  612. 							 enum rspamd_dkim_key_format key_format)

  613. 

  614. {

  615. 	guchar h[rspamd_cryptobox_HASHBYTES],

  616. 			hex_hash[rspamd_cryptobox_HASHBYTES * 2 + 1];

  617. 	rspamd_dkim_sign_key_t *ret = NULL;

  618. 	GError *err = NULL;

  619. 	struct stat st;

  620. 

  621. 	memset (hex_hash, 0, sizeof (hex_hash));

  622. 	rspamd_cryptobox_hash (h, key, keylen, NULL, 0);

  623. 	rspamd_encode_hex_buf (h, sizeof (h), hex_hash, sizeof (hex_hash));

  624. 

  625. 	if (dkim_module_ctx->dkim_sign_hash) {

  626. 		ret = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_sign_hash,

  627. 				hex_hash, time (NULL));

  628. 	}

  629. 

  630. 	/*

  631. 	 * This fails for paths that are also valid base64.

  632. 	 * Maybe the caller should have specified a format.

  633. 	 */

  634. 	if (key_format == RSPAMD_DKIM_KEY_UNKNOWN) {

  635. 		if (key[0] == '.' || key[0] == '/') {

  636. 			if (!rspamd_cryptobox_base64_is_valid (key, keylen)) {

  637. 				key_format = RSPAMD_DKIM_KEY_FILE;

  638. 			}

  639. 		}

  640. 		else if (rspamd_cryptobox_base64_is_valid (key, keylen)) {

  641. 			key_format = RSPAMD_DKIM_KEY_BASE64;

  642. 		}

  643. 	}

  644. 

  645. 

  646. 	if (ret != NULL && key_format == RSPAMD_DKIM_KEY_FILE) {

  647. 		msg_debug_task("checking for stale file key");

  648. 

  649. 		if (stat (key, &st) != 0) {

  650. 			msg_err_task("cannot stat key file: %s", strerror (errno));

  651. 			return NULL;

  652. 		}

  653. 

  654. 		if (rspamd_dkim_sign_key_maybe_invalidate (ret, st.st_mtime)) {

  655. 			msg_debug_task("removing stale file key");

  656. 			/*

  657. 			 * Invalidate DKIM key

  658. 			 * removal from lru cache also cleanup the key and value

  659. 			 */

  660. 			if (dkim_module_ctx->dkim_sign_hash) {

  661. 				rspamd_lru_hash_remove (dkim_module_ctx->dkim_sign_hash,

  662. 						hex_hash);

  663. 			}

  664. 			ret = NULL;

  665. 		}

  666. 	}

  667. 

  668. 	/* found key; done */

  669. 	if (ret != NULL) {

  670. 		return ret;

  671. 	}

  672. 

  673. 	ret = rspamd_dkim_sign_key_load (key, keylen, key_format, &err);

  674. 

  675. 	if (ret == NULL) {

  676. 		msg_err_task ("cannot load dkim key %s: %e",

  677. 				key, err);

  678. 		g_error_free (err);

  679. 	}

  680. 	else if (dkim_module_ctx->dkim_sign_hash) {

  681. 		rspamd_lru_hash_insert (dkim_module_ctx->dkim_sign_hash,

  682. 				g_strdup (hex_hash), ret, time (NULL), 0);

  683. 	}

  684. 

  685. 	return ret;

  686. }

  687. 

  688. static gint

  689. lua_dkim_sign_handler (lua_State *L)

  690. {

  691. 	struct rspamd_task *task = lua_check_task (L, 1);

  692. 	gint64 arc_idx = 0, expire = 0;

  693. 	enum rspamd_dkim_type sign_type = RSPAMD_DKIM_NORMAL;

  694. 	GError *err = NULL;

  695. 	GString *hdr;

  696. 	GList *sigs = NULL;

  697. 	const gchar *selector = NULL, *domain = NULL, *key = NULL, *rawkey = NULL,

  698. 			*headers = NULL, *sign_type_str = NULL, *arc_cv = NULL,

  699. 			*pubkey = NULL;

  700. 	rspamd_dkim_sign_context_t *ctx;

  701. 	rspamd_dkim_sign_key_t *dkim_key;

  702. 	gsize rawlen = 0, keylen = 0;

  703. 	gboolean no_cache = FALSE, strict_pubkey_check = FALSE;

  704. 	struct dkim_ctx *dkim_module_ctx;

  705. 

  706. 	luaL_argcheck (L, lua_type (L, 2) == LUA_TTABLE, 2, "'table' expected");

  707. 	/*

  708. 	 * Get the following elements:

  709. 	 * - selector

  710. 	 * - domain

  711. 	 * - key

  712. 	 */

  713. 	if (!rspamd_lua_parse_table_arguments (L, 2, &err,

  714. 			RSPAMD_LUA_PARSE_ARGUMENTS_DEFAULT,

  715. 			"key=V;rawkey=V;*domain=S;*selector=S;no_cache=B;headers=S;"

  716. 			"sign_type=S;arc_idx=I;arc_cv=S;expire=I;pubkey=S;"

  717. 			"strict_pubkey_check=B",

  718. 			&keylen, &key, &rawlen, &rawkey, &domain,

  719. 			&selector, &no_cache, &headers,

  720. 			&sign_type_str, &arc_idx, &arc_cv, &expire, &pubkey,

  721. 			&strict_pubkey_check)) {

  722. 		msg_err_task ("cannot parse table arguments: %e",

  723. 				err);

  724. 		g_error_free (err);

  725. 

  726. 		lua_pushboolean (L, FALSE);

  727. 		return 1;

  728. 	}

  729. 

  730. 	dkim_module_ctx = dkim_get_context (task->cfg);

  731. 

  732. 	if (key) {

  733. 		dkim_key = dkim_module_load_key_format (task, dkim_module_ctx, key,

  734. 				keylen, RSPAMD_DKIM_KEY_UNKNOWN);

  735. 	}

  736. 	else if (rawkey) {

  737. 		dkim_key = dkim_module_load_key_format (task, dkim_module_ctx, rawkey,

  738. 				rawlen, RSPAMD_DKIM_KEY_UNKNOWN);

  739. 	}

  740. 	else {

  741. 		msg_err_task ("neither key nor rawkey are specified");

  742. 		lua_pushboolean (L, FALSE);

  743. 

  744. 		return 1;

  745. 	}

  746. 

  747. 	if (dkim_key == NULL) {

  748. 		lua_pushboolean (L, FALSE);

  749. 		return 1;

  750. 	}

  751. 

  752. 	if (sign_type_str) {

  753. 		if (strcmp (sign_type_str, "dkim") == 0) {

  754. 			sign_type = RSPAMD_DKIM_NORMAL;

  755. 

  756. 			if (headers == NULL) {

  757. 				headers = dkim_module_ctx->sign_headers;

  758. 			}

  759. 		}

  760. 		else if (strcmp (sign_type_str, "arc-sign") == 0) {

  761. 			sign_type = RSPAMD_DKIM_ARC_SIG;

  762. 

  763. 			if (headers == NULL) {

  764. 				headers = dkim_module_ctx->arc_sign_headers;

  765. 			}

  766. 

  767. 			if (arc_idx == 0) {

  768. 				lua_settop (L, 0);

  769. 				return luaL_error (L, "no arc idx specified");

  770. 			}

  771. 		}

  772. 		else if (strcmp (sign_type_str, "arc-seal") == 0) {

  773. 			sign_type = RSPAMD_DKIM_ARC_SEAL;

  774. 			if (arc_cv == NULL) {

  775. 				lua_settop (L, 0);

  776. 				return luaL_error (L, "no arc cv specified");

  777. 			}

  778. 			if (arc_idx == 0) {

  779. 				lua_settop (L, 0);

  780. 				return luaL_error (L, "no arc idx specified");

  781. 			}

  782. 		}

  783. 		else {

  784. 			lua_settop (L, 0);

  785. 			return luaL_error (L, "unknown sign type: %s",

  786. 					sign_type_str);

  787. 		}

  788. 	}

  789. 	else {

  790. 		/* Unspecified sign type, assume plain dkim */

  791. 		if (headers == NULL) {

  792. 			headers = dkim_module_ctx->sign_headers;

  793. 		}

  794. 	}

  795. 

  796. 	if (pubkey != NULL) {

  797. 		/* Also check if private and public keys match */

  798. 		rspamd_dkim_key_t *pk;

  799. 		keylen = strlen (pubkey);

  800. 

  801. 		pk = rspamd_dkim_parse_key (pubkey, &keylen, NULL);

  802. 

  803. 		if (pk == NULL) {

  804. 			if (strict_pubkey_check) {

  805. 				msg_err_task ("cannot parse pubkey from string: %s, skip signing",

  806. 						pubkey);

  807. 				lua_pushboolean (L, FALSE);

  808. 

  809. 				return 1;

  810. 			}

  811. 			else {

  812. 				msg_warn_task ("cannot parse pubkey from string: %s",

  813. 						pubkey);

  814. 			}

  815. 		}

  816. 		else {

  817. 			GError *te = NULL;

  818. 

  819. 			/* We have parsed the key, so try to check keys */

  820. 			if (!rspamd_dkim_match_keys (pk, dkim_key, &te)) {

  821. 				if (strict_pubkey_check) {

  822. 					msg_err_task ("public key for %s/%s does not match private "

  823. 								  "key: %e, skip signing",

  824. 							domain, selector, te);

  825. 					g_error_free (te);

  826. 					lua_pushboolean (L, FALSE);

  827. 					rspamd_dkim_key_unref (pk);

  828. 

  829. 					return 1;

  830. 				}

  831. 				else {

  832. 					msg_warn_task ("public key for %s/%s does not match private "

  833. 								   "key: %e",

  834. 							domain, selector, te);

  835. 					g_error_free (te);

  836. 				}

  837. 			}

  838. 

  839. 			rspamd_dkim_key_unref (pk);

  840. 		}

  841. 	}

  842. 

  843. 	ctx = rspamd_create_dkim_sign_context (task, dkim_key,

  844. 			DKIM_CANON_RELAXED, DKIM_CANON_RELAXED,

  845. 			headers, sign_type, &err);

  846. 

  847. 	if (ctx == NULL) {

  848. 		msg_err_task ("cannot create sign context: %e",

  849. 				err);

  850. 		g_error_free (err);

  851. 

  852. 		lua_pushboolean (L, FALSE);

  853. 		return 1;

  854. 	}

  855. 

  856. 	hdr = rspamd_dkim_sign (task, selector, domain, 0,

  857. 			expire, arc_idx, arc_cv, ctx);

  858. 

  859. 	if (hdr) {

  860. 

  861. 		if (!no_cache) {

  862. 			sigs = rspamd_mempool_get_variable (task->task_pool, "dkim-signature");

  863. 

  864. 			if (sigs == NULL) {

  865. 				sigs = g_list_append (sigs, hdr);

  866. 				rspamd_mempool_set_variable (task->task_pool, "dkim-signature",

  867. 						sigs, dkim_module_free_list);

  868. 			} else {

  869. 				(void) g_list_append (sigs, hdr);

  870. 			}

  871. 		}

  872. 

  873. 		lua_pushboolean (L, TRUE);

  874. 		lua_pushlstring (L, hdr->str, hdr->len);

  875. 

  876. 		if (no_cache) {

  877. 			g_string_free (hdr, TRUE);

  878. 		}

  879. 

  880. 		return 2;

  881. 	}

  882. 

  883. 

  884. 	lua_pushboolean (L, FALSE);

  885. 	lua_pushnil (L);

  886. 

  887. 	return 2;

  888. }

  889. 

  890. gint

  891. dkim_module_reconfig (struct rspamd_config *cfg)

  892. {

  893. 	return dkim_module_config (cfg);

  894. }

  895. 

  896. /*

  897.  * Parse strict value for domain in format: 'reject_multiplier:deny_multiplier'

  898.  */

  899. static gboolean

  900. dkim_module_parse_strict (const gchar *value, gdouble *allow, gdouble *deny)

  901. {

  902. 	const gchar *colon;

  903. 	gchar *err = NULL;

  904. 	gdouble val;

  905. 	gchar numbuf[64];

  906. 

  907. 	colon = strchr (value, ':');

  908. 	if (colon) {

  909. 		rspamd_strlcpy (numbuf, value,

  910. 				MIN (sizeof (numbuf), (colon - value) + 1));

  911. 		val = strtod (numbuf, &err);

  912. 

  913. 		if (err == NULL || *err == '\0') {

  914. 			*deny = val;

  915. 			colon++;

  916. 			rspamd_strlcpy (numbuf, colon, sizeof (numbuf));

  917. 			err = NULL;

  918. 			val = strtod (numbuf, &err);

  919. 

  920. 			if (err == NULL || *err == '\0') {

  921. 				*allow = val;

  922. 				return TRUE;

  923. 			}

  924. 		}

  925. 	}

  926. 	return FALSE;

  927. }

  928. 

  929. static void

  930. dkim_module_check (struct dkim_check_result *res)

  931. {

  932. 	gboolean all_done = TRUE;

  933. 	const gchar *strict_value;

  934. 	struct dkim_check_result *first, *cur = NULL;

  935. 	struct dkim_ctx *dkim_module_ctx = dkim_get_context (res->task->cfg);

  936. 	struct rspamd_task *task = res->task;

  937. 

  938. 	first = res->first;

  939. 

  940. 	DL_FOREACH (first, cur) {

  941. 		if (cur->ctx == NULL) {

  942. 			continue;

  943. 		}

  944. 

  945. 		if (cur->key != NULL && cur->res == NULL) {

  946. 			cur->res = rspamd_dkim_check (cur->ctx, cur->key, task);

  947. 

  948. 			if (dkim_module_ctx->dkim_domains != NULL) {

  949. 				/* Perform strict check */

  950. 				if ((strict_value =

  951. 						rspamd_match_hash_map (dkim_module_ctx->dkim_domains,

  952. 								rspamd_dkim_get_domain (cur->ctx))) != NULL) {

  953. 					if (!dkim_module_parse_strict (strict_value, &cur->mult_allow,

  954. 							&cur->mult_deny)) {

  955. 						cur->mult_allow = dkim_module_ctx->strict_multiplier;

  956. 						cur->mult_deny = dkim_module_ctx->strict_multiplier;

  957. 					}

  958. 				}

  959. 			}

  960. 		}

  961. 	}

  962. 

  963. 	DL_FOREACH (first, cur) {

  964. 		if (cur->ctx == NULL) {

  965. 			continue;

  966. 		}

  967. 		if (cur->res == NULL) {

  968. 			/* Still need a key */

  969. 			all_done = FALSE;

  970. 		}

  971. 	}

  972. 

  973. 	if (all_done) {

  974. 		/* Create zero terminated array of results */

  975. 		struct rspamd_dkim_check_result **pres;

  976. 		guint nres = 0, i = 0;

  977. 

  978. 		DL_FOREACH (first, cur) {

  979. 			if (cur->ctx == NULL || cur->res == NULL) {

  980. 				continue;

  981. 			}

  982. 

  983. 			nres ++;

  984. 		}

  985. 

  986. 		pres = rspamd_mempool_alloc (task->task_pool, sizeof (*pres) * (nres + 1));

  987. 		pres[nres] = NULL;

  988. 

  989. 		DL_FOREACH (first, cur) {

  990. 			const gchar *symbol = NULL, *trace = NULL;

  991. 			gdouble symbol_weight = 1.0;

  992. 

  993. 			if (cur->ctx == NULL || cur->res == NULL) {

  994. 				continue;

  995. 			}

  996. 

  997. 			pres[i++] = cur->res;

  998. 

  999. 			if (cur->res->rcode == DKIM_REJECT) {

  1000. 				symbol = dkim_module_ctx->symbol_reject;

  1001. 				trace = "-";

  1002. 				symbol_weight = cur->mult_deny * 1.0;

  1003. 			}

  1004. 			else if (cur->res->rcode == DKIM_CONTINUE) {

  1005. 				symbol = dkim_module_ctx->symbol_allow;

  1006. 				trace = "+";

  1007. 				symbol_weight = cur->mult_allow * 1.0;

  1008. 			}

  1009. 			else if (cur->res->rcode == DKIM_PERM_ERROR) {

  1010. 				trace = "~";

  1011. 				symbol = dkim_module_ctx->symbol_permfail;

  1012. 			}

  1013. 			else if (cur->res->rcode == DKIM_TRYAGAIN) {

  1014. 				trace = "?";

  1015. 				symbol = dkim_module_ctx->symbol_tempfail;

  1016. 			}

  1017. 

  1018. 			if (symbol != NULL) {

  1019. 				const gchar *domain = rspamd_dkim_get_domain (cur->ctx);

  1020. 				const gchar *selector = rspamd_dkim_get_selector (cur->ctx);

  1021. 				gsize tracelen;

  1022. 				gchar *tracebuf;

  1023. 

  1024. 				tracelen = strlen (domain) + strlen (selector) + 4;

  1025. 				tracebuf = rspamd_mempool_alloc (task->task_pool,

  1026. 						tracelen);

  1027. 				rspamd_snprintf (tracebuf, tracelen, "%s:%s", domain, trace);

  1028. 

  1029. 				rspamd_task_insert_result (cur->task,

  1030. 						"DKIM_TRACE",

  1031. 						0.0,

  1032. 						tracebuf);

  1033. 

  1034. 				rspamd_snprintf (tracebuf, tracelen, "%s:s=%s", domain, selector);

  1035. 				rspamd_task_insert_result (task,

  1036. 						symbol,

  1037. 						symbol_weight,

  1038. 						tracebuf);

  1039. 			}

  1040. 

  1041. 		}

  1042. 

  1043. 		rspamd_mempool_set_variable (task->task_pool,

  1044. 				RSPAMD_MEMPOOL_DKIM_CHECK_RESULTS,

  1045. 				pres, NULL);

  1046. 	}

  1047. }

  1048. 

  1049. static void

  1050. dkim_module_key_handler (rspamd_dkim_key_t *key,

  1051. 	gsize keylen,

  1052. 	rspamd_dkim_context_t *ctx,

  1053. 	gpointer ud,

  1054. 	GError *err)

  1055. {

  1056. 	struct dkim_check_result *res = ud;

  1057. 	struct rspamd_task *task;

  1058. 	struct dkim_ctx *dkim_module_ctx;

  1059. 

  1060. 	task = res->task;

  1061. 	dkim_module_ctx = dkim_get_context (task->cfg);

  1062. 

  1063. 	if (key != NULL) {

  1064. 		/* Another ref belongs to the check context */

  1065. 		res->key = rspamd_dkim_key_ref (key);

  1066. 		/*

  1067. 		 * We actually receive key with refcount = 1, so we just assume that

  1068. 		 * lru hash owns this object now

  1069. 		 */

  1070. 		/* Release key when task is processed */

  1071. 		rspamd_mempool_add_destructor (res->task->task_pool,

  1072. 				dkim_module_key_dtor, res->key);

  1073. 

  1074. 		if (dkim_module_ctx->dkim_hash) {

  1075. 			rspamd_lru_hash_insert (dkim_module_ctx->dkim_hash,

  1076. 					g_strdup (rspamd_dkim_get_dns_key (ctx)),

  1077. 					key, res->task->task_timestamp, rspamd_dkim_key_get_ttl (key));

  1078. 

  1079. 			msg_info_task ("stored DKIM key for %s in LRU cache for %d seconds, "

  1080. 						   "%d/%d elements in the cache",

  1081. 					rspamd_dkim_get_dns_key (ctx),

  1082. 					rspamd_dkim_key_get_ttl (key),

  1083. 					rspamd_lru_hash_size (dkim_module_ctx->dkim_hash),

  1084. 					rspamd_lru_hash_capacity (dkim_module_ctx->dkim_hash));

  1085. 		}

  1086. 	}

  1087. 	else {

  1088. 		/* Insert tempfail symbol */

  1089. 		msg_info_task ("cannot get key for domain %s: %e",

  1090. 				rspamd_dkim_get_dns_key (ctx), err);

  1091. 

  1092. 		if (err != NULL) {

  1093. 			if (err->code == DKIM_SIGERROR_NOKEY) {

  1094. 				res->res = rspamd_dkim_create_result (ctx, DKIM_TRYAGAIN, task);

  1095. 				res->res->fail_reason = "DNS error when getting key";

  1096. 			}

  1097. 			else {

  1098. 				res->res = rspamd_dkim_create_result (ctx, DKIM_PERM_ERROR, task);

  1099. 				res->res->fail_reason = "invalid DKIM record";

  1100. 			}

  1101. 		}

  1102. 	}

  1103. 

  1104. 	if (err) {

  1105. 		g_error_free (err);

  1106. 	}

  1107. 

  1108. 	dkim_module_check (res);

  1109. }

  1110. 

  1111. static void

  1112. dkim_symbol_callback (struct rspamd_task *task,

  1113. 		struct rspamd_symcache_item *item,

  1114. 		void *unused)

  1115. {

  1116. 	rspamd_dkim_context_t *ctx;

  1117. 	rspamd_dkim_key_t *key;

  1118. 	GError *err = NULL;

  1119. 	struct rspamd_mime_header *rh, *rh_cur;

  1120. 	struct dkim_check_result *res = NULL, *cur;

  1121. 	guint checked = 0, *dmarc_checks;

  1122. 	struct dkim_ctx *dkim_module_ctx = dkim_get_context (task->cfg);

  1123. 

  1124. 	/* Allow dmarc */

  1125. 	dmarc_checks = rspamd_mempool_get_variable (task->task_pool,

  1126. 			RSPAMD_MEMPOOL_DMARC_CHECKS);

  1127. 

  1128. 	if (dmarc_checks) {

  1129. 		(*dmarc_checks) ++;

  1130. 	}

  1131. 	else {

  1132. 		dmarc_checks = rspamd_mempool_alloc (task->task_pool,

  1133. 				sizeof (*dmarc_checks));

  1134. 		*dmarc_checks = 1;

  1135. 		rspamd_mempool_set_variable (task->task_pool,

  1136. 				RSPAMD_MEMPOOL_DMARC_CHECKS,

  1137. 				dmarc_checks, NULL);

  1138. 	}

  1139. 

  1140. 	/* First check if plugin should be enabled */

  1141. 	if ((!dkim_module_ctx->check_authed && task->user != NULL)

  1142. 			|| (!dkim_module_ctx->check_local &&

  1143. 					rspamd_inet_address_is_local (task->from_addr, TRUE))) {

  1144. 		msg_info_task ("skip DKIM checks for local networks and authorized users");

  1145. 		rspamd_symcache_finalize_item (task, item);

  1146. 

  1147. 		return;

  1148. 	}

  1149. 	/* Check whitelist */

  1150. 	if (rspamd_match_radix_map_addr (dkim_module_ctx->whitelist_ip,

  1151. 			task->from_addr) != NULL) {

  1152. 		msg_info_task ("skip DKIM checks for whitelisted address");

  1153. 		rspamd_symcache_finalize_item (task, item);

  1154. 

  1155. 		return;

  1156. 	}

  1157. 

  1158. 	rspamd_symcache_item_async_inc (task, item, M);

  1159. 

  1160. 	/* Now check if a message has its signature */

  1161. 	rh = rspamd_message_get_header_array (task, RSPAMD_DKIM_SIGNHEADER);

  1162. 	if (rh) {

  1163. 		msg_debug_task ("dkim signature found");

  1164. 

  1165. 		DL_FOREACH (rh, rh_cur) {

  1166. 			if (rh_cur->decoded == NULL || rh_cur->decoded[0] == '\0') {

  1167. 				msg_info_task ("cannot load empty DKIM signature");

  1168. 				continue;

  1169. 			}

  1170. 

  1171. 			cur = rspamd_mempool_alloc0 (task->task_pool, sizeof (*cur));

  1172. 			cur->first = res;

  1173. 			cur->res = NULL;

  1174. 			cur->task = task;

  1175. 			cur->mult_allow = 1.0;

  1176. 			cur->mult_deny = 1.0;

  1177. 			cur->item = item;

  1178. 

  1179. 			ctx = rspamd_create_dkim_context (rh_cur->decoded,

  1180. 					task->task_pool,

  1181. 					dkim_module_ctx->time_jitter,

  1182. 					RSPAMD_DKIM_NORMAL,

  1183. 					&err);

  1184. 

  1185. 			if (res == NULL) {

  1186. 				res = cur;

  1187. 				res->first = res;

  1188. 				res->prev = res;

  1189. 			}

  1190. 			else {

  1191. 				DL_APPEND (res, cur);

  1192. 			}

  1193. 

  1194. 			if (ctx == NULL) {

  1195. 				if (err != NULL) {

  1196. 					msg_info_task ("cannot parse DKIM signature: %e",

  1197. 							err);

  1198. 					g_error_free (err);

  1199. 					err = NULL;

  1200. 				}

  1201. 				else {

  1202. 					msg_info_task ("cannot parse DKIM signature: "

  1203. 							"unknown error");

  1204. 				}

  1205. 

  1206. 				continue;

  1207. 			}

  1208. 			else {

  1209. 				/* Get key */

  1210. 				cur->ctx = ctx;

  1211. 

  1212. 				if (dkim_module_ctx->trusted_only &&

  1213. 						(dkim_module_ctx->dkim_domains == NULL ||

  1214. 								rspamd_match_hash_map (dkim_module_ctx->dkim_domains,

  1215. 										rspamd_dkim_get_domain (ctx)) == NULL)) {

  1216. 					msg_debug_task ("skip dkim check for %s domain",

  1217. 							rspamd_dkim_get_domain (ctx));

  1218. 

  1219. 					continue;

  1220. 				}

  1221. 

  1222. 				if (dkim_module_ctx->dkim_hash) {

  1223. 					key = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_hash,

  1224. 							rspamd_dkim_get_dns_key (ctx),

  1225. 							task->task_timestamp);

  1226. 				}

  1227. 				else {

  1228. 					key = NULL;

  1229. 				}

  1230. 

  1231. 				if (key != NULL) {

  1232. 					cur->key = rspamd_dkim_key_ref (key);

  1233. 					/* Release key when task is processed */

  1234. 					rspamd_mempool_add_destructor (task->task_pool,

  1235. 							dkim_module_key_dtor, cur->key);

  1236. 				}

  1237. 				else {

  1238. 					if (!rspamd_get_dkim_key (ctx,

  1239. 							task,

  1240. 							dkim_module_key_handler,

  1241. 							cur)) {

  1242. 						continue;

  1243. 					}

  1244. 				}

  1245. 			}

  1246. 

  1247. 			checked ++;

  1248. 

  1249. 			if (checked > dkim_module_ctx->max_sigs) {

  1250. 				msg_info_task ("message has multiple signatures but we"

  1251. 						" stopped after %d checked signatures as limit"

  1252. 						" is reached", checked);

  1253. 				break;

  1254. 			}

  1255. 		}

  1256. 	}

  1257. 	else {

  1258. 		rspamd_task_insert_result (task,

  1259. 				dkim_module_ctx->symbol_na,

  1260. 				1.0,

  1261. 				NULL);

  1262. 	}

  1263. 

  1264. 	if (res != NULL) {

  1265. 		dkim_module_check (res);

  1266. 	}

  1267. 

  1268. 	rspamd_symcache_item_async_dec_check (task, item, M);

  1269. }

  1270. 

  1271. struct rspamd_dkim_lua_verify_cbdata {

  1272. 	rspamd_dkim_context_t *ctx;

  1273. 	struct rspamd_task *task;

  1274. 	lua_State *L;

  1275. 	rspamd_dkim_key_t *key;

  1276. 	gint cbref;

  1277. };

  1278. 

  1279. static void

  1280. dkim_module_lua_push_verify_result (struct rspamd_dkim_lua_verify_cbdata *cbd,

  1281. 		struct rspamd_dkim_check_result *res, GError *err)

  1282. {

  1283. 	struct rspamd_task **ptask, *task;

  1284. 	const gchar *error_str = "unknown error";

  1285. 	gboolean success = FALSE;

  1286. 

  1287. 	task = cbd->task;

  1288. 

  1289. 	switch (res->rcode) {

  1290. 	case DKIM_CONTINUE:

  1291. 		error_str = NULL;

  1292. 		success = TRUE;

  1293. 		break;

  1294. 	case DKIM_REJECT:

  1295. 		if (err) {

  1296. 			error_str = err->message;

  1297. 		}

  1298. 		else {

  1299. 			error_str = "reject";

  1300. 		}

  1301. 		break;

  1302. 	case DKIM_TRYAGAIN:

  1303. 		if (err) {

  1304. 			error_str = err->message;

  1305. 		}

  1306. 		else {

  1307. 			error_str = "tempfail";

  1308. 		}

  1309. 		break;

  1310. 	case DKIM_NOTFOUND:

  1311. 		if (err) {

  1312. 			error_str = err->message;

  1313. 		}

  1314. 		else {

  1315. 			error_str = "not found";

  1316. 		}

  1317. 		break;

  1318. 	case DKIM_RECORD_ERROR:

  1319. 		if (err) {

  1320. 			error_str = err->message;

  1321. 		}

  1322. 		else {

  1323. 			error_str = "bad record";

  1324. 		}

  1325. 		break;

  1326. 	case DKIM_PERM_ERROR:

  1327. 		if (err) {

  1328. 			error_str = err->message;

  1329. 		}

  1330. 		else {

  1331. 			error_str = "permanent error";

  1332. 		}

  1333. 		break;

  1334. 	default:

  1335. 		break;

  1336. 	}

  1337. 

  1338. 	lua_rawgeti (cbd->L, LUA_REGISTRYINDEX, cbd->cbref);

  1339. 	ptask = lua_newuserdata (cbd->L, sizeof (*ptask));

  1340. 	*ptask = task;

  1341. 	lua_pushboolean (cbd->L, success);

  1342. 

  1343. 	if (error_str) {

  1344. 		lua_pushstring (cbd->L, error_str);

  1345. 	}

  1346. 	else {

  1347. 		lua_pushnil (cbd->L);

  1348. 	}

  1349. 

  1350. 	if (cbd->ctx) {

  1351. 		if (res->domain) {

  1352. 			lua_pushstring (cbd->L, res->domain);

  1353. 		}

  1354. 		else {

  1355. 			lua_pushnil (cbd->L);

  1356. 		}

  1357. 

  1358. 		if (res->selector) {

  1359. 			lua_pushstring (cbd->L, res->selector);

  1360. 		}

  1361. 		else {

  1362. 			lua_pushnil (cbd->L);

  1363. 		}

  1364. 

  1365. 		if (res->short_b) {

  1366. 			lua_pushstring (cbd->L, res->short_b);

  1367. 		}

  1368. 		else {

  1369. 			lua_pushnil (cbd->L);

  1370. 		}

  1371. 

  1372. 		if (res->fail_reason) {

  1373. 			lua_pushstring (cbd->L, res->fail_reason);

  1374. 		}

  1375. 		else {

  1376. 			lua_pushnil (cbd->L);

  1377. 		}

  1378. 	}

  1379. 	else {

  1380. 		lua_pushnil (cbd->L);

  1381. 		lua_pushnil (cbd->L);

  1382. 		lua_pushnil (cbd->L);

  1383. 		lua_pushnil (cbd->L);

  1384. 	}

  1385. 

  1386. 	if (lua_pcall (cbd->L, 7, 0, 0) != 0) {

  1387. 		msg_err_task ("call to verify callback failed: %s",

  1388. 				lua_tostring (cbd->L, -1));

  1389. 		lua_pop (cbd->L, 1);

  1390. 	}

  1391. 

  1392. 	luaL_unref (cbd->L, LUA_REGISTRYINDEX, cbd->cbref);

  1393. }

  1394. 

  1395. static void

  1396. dkim_module_lua_on_key (rspamd_dkim_key_t *key,

  1397. 						gsize keylen,

  1398. 						rspamd_dkim_context_t *ctx,

  1399. 						gpointer ud,

  1400. 						GError *err)

  1401. {

  1402. 	struct rspamd_dkim_lua_verify_cbdata *cbd = ud;

  1403. 	struct rspamd_task *task;

  1404. 	struct rspamd_dkim_check_result *res;

  1405. 	struct dkim_ctx *dkim_module_ctx;

  1406. 

  1407. 	task = cbd->task;

  1408. 	dkim_module_ctx = dkim_get_context (task->cfg);

  1409. 

  1410. 	if (key != NULL) {

  1411. 		/* Another ref belongs to the check context */

  1412. 		cbd->key = rspamd_dkim_key_ref (key);

  1413. 		/*

  1414. 		 * We actually receive key with refcount = 1, so we just assume that

  1415. 		 * lru hash owns this object now

  1416. 		 */

  1417. 

  1418. 		if (dkim_module_ctx->dkim_hash) {

  1419. 			rspamd_lru_hash_insert (dkim_module_ctx->dkim_hash,

  1420. 					g_strdup (rspamd_dkim_get_dns_key (ctx)),

  1421. 					key, cbd->task->task_timestamp, rspamd_dkim_key_get_ttl (key));

  1422. 		}

  1423. 		/* Release key when task is processed */

  1424. 		rspamd_mempool_add_destructor (cbd->task->task_pool,

  1425. 				dkim_module_key_dtor, cbd->key);

  1426. 	}

  1427. 	else {

  1428. 		/* Insert tempfail symbol */

  1429. 		msg_info_task ("cannot get key for domain %s: %e",

  1430. 				rspamd_dkim_get_dns_key (ctx), err);

  1431. 

  1432. 		if (err != NULL) {

  1433. 			if (err->code == DKIM_SIGERROR_NOKEY) {

  1434. 				res = rspamd_dkim_create_result (ctx, DKIM_TRYAGAIN, task);

  1435. 				res->fail_reason = "DNS error when getting key";

  1436. 

  1437. 			}

  1438. 			else {

  1439. 				res = rspamd_dkim_create_result (ctx, DKIM_PERM_ERROR, task);

  1440. 				res->fail_reason = "invalid DKIM record";

  1441. 			}

  1442. 		}

  1443. 		else {

  1444. 			res = rspamd_dkim_create_result (ctx, DKIM_TRYAGAIN, task);

  1445. 			res->fail_reason = "DNS error when getting key";

  1446. 		}

  1447. 

  1448. 		dkim_module_lua_push_verify_result (cbd, res, err);

  1449. 

  1450. 		if (err) {

  1451. 			g_error_free (err);

  1452. 		}

  1453. 

  1454. 		return;

  1455. 	}

  1456. 

  1457. 	res = rspamd_dkim_check (cbd->ctx, cbd->key, cbd->task);

  1458. 	dkim_module_lua_push_verify_result (cbd, res, NULL);

  1459. }

  1460. 

  1461. static gint

  1462. lua_dkim_verify_handler (lua_State *L)

  1463. {

  1464. 	struct rspamd_task *task = lua_check_task (L, 1);

  1465. 	const gchar *sig = luaL_checkstring (L, 2);

  1466. 	rspamd_dkim_context_t *ctx;

  1467. 	struct rspamd_dkim_lua_verify_cbdata *cbd;

  1468. 	rspamd_dkim_key_t *key;

  1469. 	struct rspamd_dkim_check_result *ret;

  1470. 	GError *err = NULL;

  1471. 	const gchar *type_str = NULL;

  1472. 	enum rspamd_dkim_type type = RSPAMD_DKIM_NORMAL;

  1473. 	struct dkim_ctx *dkim_module_ctx;

  1474. 

  1475. 	if (task && sig && lua_isfunction (L, 3)) {

  1476. 		if (lua_isstring (L, 4)) {

  1477. 			type_str = lua_tostring (L, 4);

  1478. 

  1479. 			if (type_str) {

  1480. 				if (strcmp (type_str, "dkim") == 0) {

  1481. 					type = RSPAMD_DKIM_NORMAL;

  1482. 				}

  1483. 				else if (strcmp (type_str, "arc-sign") == 0) {

  1484. 					type = RSPAMD_DKIM_ARC_SIG;

  1485. 				}

  1486. 				else if (strcmp (type_str, "arc-seal") == 0) {

  1487. 					type = RSPAMD_DKIM_ARC_SEAL;

  1488. 				}

  1489. 				else {

  1490. 					lua_settop (L, 0);

  1491. 					return luaL_error (L, "unknown sign type: %s",

  1492. 							type_str);

  1493. 				}

  1494. 			}

  1495. 		}

  1496. 

  1497. 		dkim_module_ctx = dkim_get_context (task->cfg);

  1498. 

  1499. 		ctx = rspamd_create_dkim_context (sig,

  1500. 				task->task_pool,

  1501. 				dkim_module_ctx->time_jitter,

  1502. 				type,

  1503. 				&err);

  1504. 

  1505. 		if (ctx == NULL) {

  1506. 			lua_pushboolean (L, false);

  1507. 

  1508. 			if (err) {

  1509. 				lua_pushstring (L, err->message);

  1510. 				g_error_free (err);

  1511. 			}

  1512. 			else {

  1513. 				lua_pushstring (L, "unknown error");

  1514. 			}

  1515. 

  1516. 			return 2;

  1517. 		}

  1518. 

  1519. 		cbd = rspamd_mempool_alloc (task->task_pool, sizeof (*cbd));

  1520. 		cbd->L = L;

  1521. 		cbd->task = task;

  1522. 		lua_pushvalue (L, 3);

  1523. 		cbd->cbref = luaL_ref (L, LUA_REGISTRYINDEX);

  1524. 		cbd->ctx = ctx;

  1525. 		cbd->key = NULL;

  1526. 

  1527. 		if (dkim_module_ctx->dkim_hash) {

  1528. 			key = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_hash,

  1529. 					rspamd_dkim_get_dns_key (ctx),

  1530. 					task->task_timestamp);

  1531. 		}

  1532. 		else {

  1533. 			key = NULL;

  1534. 		}

  1535. 

  1536. 		if (key != NULL) {

  1537. 			cbd->key = rspamd_dkim_key_ref (key);

  1538. 			/* Release key when task is processed */

  1539. 			rspamd_mempool_add_destructor (task->task_pool,

  1540. 					dkim_module_key_dtor, cbd->key);

  1541. 			ret = rspamd_dkim_check (cbd->ctx, cbd->key, cbd->task);

  1542. 			dkim_module_lua_push_verify_result (cbd, ret, NULL);

  1543. 		}

  1544. 		else {

  1545. 			rspamd_get_dkim_key (ctx,

  1546. 					task,

  1547. 					dkim_module_lua_on_key,

  1548. 					cbd);

  1549. 		}

  1550. 	}

  1551. 	else {

  1552. 		return luaL_error (L, "invalid arguments");

  1553. 	}

  1554. 

  1555. 	lua_pushboolean (L, TRUE);

  1556. 	lua_pushnil (L);

  1557. 

  1558. 	return 2;

  1559. }

  1560. 

  1561. static gint

  1562. lua_dkim_canonicalize_handler (lua_State *L)

  1563. {

  1564. 	gsize nlen, vlen;

  1565. 	const gchar *hname = luaL_checklstring (L, 1, &nlen),

  1566. 		*hvalue = luaL_checklstring (L, 2, &vlen);

  1567. 	static gchar st_buf[8192];

  1568. 	gchar *buf;

  1569. 	guint inlen;

  1570. 	gboolean allocated = FALSE;

  1571. 	goffset r;

  1572. 

  1573. 	if (hname && hvalue && nlen > 0) {

  1574. 		inlen = nlen + vlen + sizeof (":" CRLF);

  1575. 

  1576. 		if (inlen > sizeof (st_buf)) {

  1577. 			buf = g_malloc (inlen);

  1578. 			allocated = TRUE;

  1579. 		}

  1580. 		else {

  1581. 			/* Faster */

  1582. 			buf = st_buf;

  1583. 		}

  1584. 

  1585. 		r = rspamd_dkim_canonize_header_relaxed_str (hname, hvalue, buf, inlen);

  1586. 

  1587. 		if (r == -1) {

  1588. 			lua_pushnil (L);

  1589. 		}

  1590. 		else {

  1591. 			lua_pushlstring (L, buf, r);

  1592. 		}

  1593. 

  1594. 		if (allocated) {

  1595. 			g_free (buf);

  1596. 		}

  1597. 	}

  1598. 	else {

  1599. 		return luaL_error (L, "invalid arguments");

  1600. 	}

  1601. 

  1602. 	return 1;

  1603. }