123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588 |
- /*
- * Copyright 2024 Vsevolod Stakhov
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- #include "config.h"
- #include "rspamd.h"
- #include "message.h"
- #include "dkim.h"
- #include "dns.h"
- #include "utlist.h"
- #include "unix-std.h"
- #include "mempool_vars_internal.h"
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- #include <openssl/engine.h>
-
- /* special DNS tokens */
- #define DKIM_DNSKEYNAME "_domainkey"
-
- /* ed25519 key lengths */
- #define ED25519_B64_BYTES 45
- #define ED25519_BYTES 32
-
- /* Canonization methods */
- #define DKIM_CANON_UNKNOWN (-1) /* unknown method */
- #define DKIM_CANON_SIMPLE 0 /* as specified in DKIM spec */
- #define DKIM_CANON_RELAXED 1 /* as specified in DKIM spec */
-
- #define DKIM_CANON_DEFAULT DKIM_CANON_SIMPLE
-
- #define RSPAMD_SHORT_BH_LEN 8
-
- /* Params */
- enum rspamd_dkim_param_type {
- DKIM_PARAM_UNKNOWN = -1,
- DKIM_PARAM_SIGNATURE = 0,
- DKIM_PARAM_SIGNALG,
- DKIM_PARAM_DOMAIN,
- DKIM_PARAM_CANONALG,
- DKIM_PARAM_QUERYMETHOD,
- DKIM_PARAM_SELECTOR,
- DKIM_PARAM_HDRLIST,
- DKIM_PARAM_VERSION,
- DKIM_PARAM_IDENTITY,
- DKIM_PARAM_TIMESTAMP,
- DKIM_PARAM_EXPIRATION,
- DKIM_PARAM_COPIEDHDRS,
- DKIM_PARAM_BODYHASH,
- DKIM_PARAM_BODYLENGTH,
- DKIM_PARAM_IDX,
- DKIM_PARAM_CV,
- DKIM_PARAM_IGNORE
- };
-
- #define RSPAMD_DKIM_MAX_ARC_IDX 10
-
- #define msg_err_dkim(...) rspamd_default_log_function(G_LOG_LEVEL_CRITICAL, \
- "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_warn_dkim(...) rspamd_default_log_function(G_LOG_LEVEL_WARNING, \
- "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_info_dkim(...) rspamd_default_log_function(G_LOG_LEVEL_INFO, \
- "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_debug_dkim(...) rspamd_conditional_debug_fast(NULL, NULL, \
- rspamd_dkim_log_id, "dkim", ctx->pool->tag.uid, \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
- #define msg_debug_dkim_taskless(...) rspamd_conditional_debug_fast(NULL, NULL, \
- rspamd_dkim_log_id, "dkim", "", \
- RSPAMD_LOG_FUNC, \
- __VA_ARGS__)
-
- INIT_LOG_MODULE(dkim)
-
- #define RSPAMD_DKIM_FLAG_OVERSIGN (1u << 0u)
- #define RSPAMD_DKIM_FLAG_OVERSIGN_EXISTING (1u << 1u)
-
- union rspamd_dkim_header_stat {
- struct _st {
- uint16_t count;
- uint16_t flags;
- } s;
- uint32_t n;
- };
-
- struct rspamd_dkim_common_ctx {
- rspamd_mempool_t *pool;
- uint64_t sig_hash;
- gsize len;
- GPtrArray *hlist;
- GHashTable *htable; /* header -> count mapping */
- EVP_MD_CTX *headers_hash;
- EVP_MD_CTX *body_hash;
- enum rspamd_dkim_type type;
- unsigned int idx;
- int header_canon_type;
- int body_canon_type;
- unsigned int body_canonicalised;
- unsigned int headers_canonicalised;
- gboolean is_sign;
- };
-
- enum rspamd_arc_seal_cv {
- RSPAMD_ARC_UNKNOWN = 0,
- RSPAMD_ARC_NONE,
- RSPAMD_ARC_INVALID,
- RSPAMD_ARC_FAIL,
- RSPAMD_ARC_PASS
- };
-
-
- struct rspamd_dkim_context_s {
- struct rspamd_dkim_common_ctx common;
- rspamd_mempool_t *pool;
- struct rspamd_dns_resolver *resolver;
- gsize blen;
- gsize bhlen;
- int sig_alg;
- unsigned int ver;
- time_t timestamp;
- time_t expiration;
- char *domain;
- char *selector;
- int8_t *b;
- char *short_b;
- int8_t *bh;
- char *dns_key;
- enum rspamd_arc_seal_cv cv;
- const char *dkim_header;
- };
-
- #define RSPAMD_DKIM_KEY_ID_LEN 16
-
- struct rspamd_dkim_key_s {
- uint8_t *keydata;
- uint8_t *raw_key;
- gsize keylen;
- gsize decoded_len;
- char key_id[RSPAMD_DKIM_KEY_ID_LEN];
- union {
- RSA *key_rsa;
- EC_KEY *key_ecdsa;
- unsigned char *key_eddsa;
- } key;
- BIO *key_bio;
- EVP_PKEY *key_evp;
- time_t mtime;
- unsigned int ttl;
- enum rspamd_dkim_key_type type;
- ref_entry_t ref;
- };
-
- struct rspamd_dkim_sign_context_s {
- struct rspamd_dkim_common_ctx common;
- rspamd_dkim_sign_key_t *key;
- };
-
- struct rspamd_dkim_header {
- const char *name;
- int count;
- };
-
- /* Parser of dkim params */
- typedef gboolean (*dkim_parse_param_f)(rspamd_dkim_context_t *ctx,
- const char *param, gsize len, GError **err);
-
- static gboolean rspamd_dkim_parse_signature(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_signalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_domain(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_canonalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_ignore(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_selector(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_hdrlist(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_version(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_timestamp(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_expiration(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_bodyhash(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_bodylength(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_idx(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
- static gboolean rspamd_dkim_parse_cv(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err);
-
-
- static const dkim_parse_param_f parser_funcs[] = {
- [DKIM_PARAM_SIGNATURE] = rspamd_dkim_parse_signature,
- [DKIM_PARAM_SIGNALG] = rspamd_dkim_parse_signalg,
- [DKIM_PARAM_DOMAIN] = rspamd_dkim_parse_domain,
- [DKIM_PARAM_CANONALG] = rspamd_dkim_parse_canonalg,
- [DKIM_PARAM_QUERYMETHOD] = rspamd_dkim_parse_ignore,
- [DKIM_PARAM_SELECTOR] = rspamd_dkim_parse_selector,
- [DKIM_PARAM_HDRLIST] = rspamd_dkim_parse_hdrlist,
- [DKIM_PARAM_VERSION] = rspamd_dkim_parse_version,
- [DKIM_PARAM_IDENTITY] = rspamd_dkim_parse_ignore,
- [DKIM_PARAM_TIMESTAMP] = rspamd_dkim_parse_timestamp,
- [DKIM_PARAM_EXPIRATION] = rspamd_dkim_parse_expiration,
- [DKIM_PARAM_COPIEDHDRS] = rspamd_dkim_parse_ignore,
- [DKIM_PARAM_BODYHASH] = rspamd_dkim_parse_bodyhash,
- [DKIM_PARAM_BODYLENGTH] = rspamd_dkim_parse_bodylength,
- [DKIM_PARAM_IDX] = rspamd_dkim_parse_idx,
- [DKIM_PARAM_CV] = rspamd_dkim_parse_cv,
- [DKIM_PARAM_IGNORE] = rspamd_dkim_parse_ignore,
- };
-
- #define DKIM_ERROR dkim_error_quark()
- GQuark
- dkim_error_quark(void)
- {
- return g_quark_from_static_string("dkim-error-quark");
- }
-
- /* Parsers implementation */
- static gboolean
- rspamd_dkim_parse_signature(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- ctx->b = rspamd_mempool_alloc0(ctx->pool, len);
- ctx->short_b = rspamd_mempool_alloc0(ctx->pool, RSPAMD_SHORT_BH_LEN + 1);
- rspamd_strlcpy(ctx->short_b, param, MIN(len, RSPAMD_SHORT_BH_LEN + 1));
- (void) rspamd_cryptobox_base64_decode(param, len, ctx->b, &ctx->blen);
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_signalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- /* XXX: ugly size comparison, improve this code style some day */
- if (len == 8) {
- if (memcmp(param, "rsa-sha1", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_RSASHA1;
- return TRUE;
- }
- }
- else if (len == 10) {
- if (memcmp(param, "rsa-sha256", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_RSASHA256;
- return TRUE;
- }
- else if (memcmp(param, "rsa-sha512", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_RSASHA512;
- return TRUE;
- }
- }
- else if (len == 15) {
- if (memcmp(param, "ecdsa256-sha256", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_ECDSASHA256;
- return TRUE;
- }
- else if (memcmp(param, "ecdsa256-sha512", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_ECDSASHA512;
- return TRUE;
- }
- }
- else if (len == 14) {
- if (memcmp(param, "ed25519-sha256", len) == 0) {
- ctx->sig_alg = DKIM_SIGN_EDDSASHA256;
- return TRUE;
- }
- }
-
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_A,
- "invalid dkim sign algorithm");
- return FALSE;
- }
-
- static gboolean
- rspamd_dkim_parse_domain(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- if (!rspamd_str_has_8bit(param, len)) {
- ctx->domain = rspamd_mempool_alloc(ctx->pool, len + 1);
- rspamd_strlcpy(ctx->domain, param, len + 1);
- }
- else {
- ctx->domain = rspamd_dns_resolver_idna_convert_utf8(ctx->resolver,
- ctx->pool, param, len, NULL);
-
- if (!ctx->domain) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim domain tag %.*s: idna failed",
- (int) len, param);
-
- return FALSE;
- }
- }
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_canonalg(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- const char *p, *slash = NULL, *end = param + len;
- gsize sl = 0;
-
- p = param;
- while (p != end) {
- if (*p == '/') {
- slash = p;
- break;
- }
- p++;
- sl++;
- }
-
- if (slash == NULL) {
- /* Only check header */
- if (len == 6 && memcmp(param, "simple", len) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_SIMPLE;
- return TRUE;
- }
- else if (len == 7 && memcmp(param, "relaxed", len) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_RELAXED;
- return TRUE;
- }
- }
- else {
- /* First check header */
- if (sl == 6 && memcmp(param, "simple", sl) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_SIMPLE;
- }
- else if (sl == 7 && memcmp(param, "relaxed", sl) == 0) {
- ctx->common.header_canon_type = DKIM_CANON_RELAXED;
- }
- else {
- goto err;
- }
- /* Check body */
- len -= sl + 1;
- slash++;
- if (len == 6 && memcmp(slash, "simple", len) == 0) {
- ctx->common.body_canon_type = DKIM_CANON_SIMPLE;
- return TRUE;
- }
- else if (len == 7 && memcmp(slash, "relaxed", len) == 0) {
- ctx->common.body_canon_type = DKIM_CANON_RELAXED;
- return TRUE;
- }
- }
-
- err:
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_A,
- "invalid dkim canonization algorithm");
- return FALSE;
- }
-
- static gboolean
- rspamd_dkim_parse_ignore(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- /* Just ignore unused params */
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_selector(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
-
- if (!rspamd_str_has_8bit(param, len)) {
- ctx->selector = rspamd_mempool_alloc(ctx->pool, len + 1);
- rspamd_strlcpy(ctx->selector, param, len + 1);
- }
- else {
- ctx->selector = rspamd_dns_resolver_idna_convert_utf8(ctx->resolver,
- ctx->pool, param, len, NULL);
-
- if (!ctx->selector) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim selector tag %.*s: idna failed",
- (int) len, param);
-
- return FALSE;
- }
- }
-
- return TRUE;
- }
-
- static void
- rspamd_dkim_hlist_free(void *ud)
- {
- GPtrArray *a = ud;
-
- g_ptr_array_free(a, TRUE);
- }
-
- static gboolean
- rspamd_dkim_parse_hdrlist_common(struct rspamd_dkim_common_ctx *ctx,
- const char *param,
- gsize len,
- gboolean sign,
- GError **err)
- {
- const char *c, *p, *end = param + len;
- char *h;
- gboolean from_found = FALSE, oversign, existing;
- unsigned int count = 0;
- struct rspamd_dkim_header *new;
- gpointer found;
- union rspamd_dkim_header_stat u;
-
- p = param;
- while (p <= end) {
- if ((p == end || *p == ':')) {
- count++;
- }
- p++;
- }
-
- if (count > 0) {
- ctx->hlist = g_ptr_array_sized_new(count);
- }
- else {
- return FALSE;
- }
-
- c = param;
- p = param;
- ctx->htable = g_hash_table_new(rspamd_strcase_hash, rspamd_strcase_equal);
-
- while (p <= end) {
- if ((p == end || *p == ':') && p - c > 0) {
- oversign = FALSE;
- existing = FALSE;
- h = rspamd_mempool_alloc(ctx->pool, p - c + 1);
- rspamd_strlcpy(h, c, p - c + 1);
-
- g_strstrip(h);
-
- if (sign) {
- if (rspamd_lc_cmp(h, "(o)", 3) == 0) {
- oversign = TRUE;
- h += 3;
- msg_debug_dkim("oversign header: %s", h);
- }
- else if (rspamd_lc_cmp(h, "(x)", 3) == 0) {
- oversign = TRUE;
- existing = TRUE;
- h += 3;
- msg_debug_dkim("oversign existing header: %s", h);
- }
- }
-
- /* Check mandatory from */
- if (!from_found && g_ascii_strcasecmp(h, "from") == 0) {
- from_found = TRUE;
- }
-
- new = rspamd_mempool_alloc(ctx->pool,
- sizeof(struct rspamd_dkim_header));
- new->name = h;
- new->count = 0;
- u.n = 0;
-
- g_ptr_array_add(ctx->hlist, new);
- found = g_hash_table_lookup(ctx->htable, h);
-
- if (oversign) {
- if (found) {
- msg_err_dkim("specified oversigned header more than once: %s",
- h);
- }
-
- u.s.flags |= RSPAMD_DKIM_FLAG_OVERSIGN;
-
- if (existing) {
- u.s.flags |= RSPAMD_DKIM_FLAG_OVERSIGN_EXISTING;
- }
-
- u.s.count = 0;
- }
- else {
- if (found != NULL) {
- u.n = GPOINTER_TO_UINT(found);
- new->count = u.s.count;
- u.s.count++;
- }
- else {
- /* Insert new header order to the list */
- u.s.count = new->count + 1;
- }
- }
-
- g_hash_table_insert(ctx->htable, h, GUINT_TO_POINTER(u.n));
-
- c = p + 1;
- p++;
- }
- else {
- p++;
- }
- }
-
- if (!ctx->hlist) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim header list");
- return FALSE;
- }
- else {
- if (!from_found) {
- g_ptr_array_free(ctx->hlist, TRUE);
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_H,
- "invalid dkim header list, from header is missing");
- return FALSE;
- }
-
- rspamd_mempool_add_destructor(ctx->pool,
- (rspamd_mempool_destruct_t) rspamd_dkim_hlist_free,
- ctx->hlist);
- rspamd_mempool_add_destructor(ctx->pool,
- (rspamd_mempool_destruct_t) g_hash_table_unref,
- ctx->htable);
- }
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_hdrlist(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- return rspamd_dkim_parse_hdrlist_common(&ctx->common, param, len, FALSE, err);
- }
-
- static gboolean
- rspamd_dkim_parse_version(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- if (len != 1 || *param != '1') {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_VERSION,
- "invalid dkim version");
- return FALSE;
- }
-
- ctx->ver = 1;
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_timestamp(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid dkim timestamp");
- return FALSE;
- }
- ctx->timestamp = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_expiration(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid dkim expiration");
- return FALSE;
- }
- ctx->expiration = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_bodyhash(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- ctx->bh = rspamd_mempool_alloc0(ctx->pool, len);
- (void) rspamd_cryptobox_base64_decode(param, len, ctx->bh, &ctx->bhlen);
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_bodylength(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_L,
- "invalid dkim body length");
- return FALSE;
- }
- ctx->common.len = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_idx(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
- gulong val;
-
- if (!rspamd_strtoul(param, len, &val)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_L,
- "invalid ARC idx");
- return FALSE;
- }
- ctx->common.idx = val;
-
- return TRUE;
- }
-
- static gboolean
- rspamd_dkim_parse_cv(rspamd_dkim_context_t *ctx,
- const char *param,
- gsize len,
- GError **err)
- {
-
- /* Only check header */
- if (len == 4 && memcmp(param, "fail", len) == 0) {
- ctx->cv = RSPAMD_ARC_FAIL;
- return TRUE;
- }
- else if (len == 4 && memcmp(param, "pass", len) == 0) {
- ctx->cv = RSPAMD_ARC_PASS;
- return TRUE;
- }
- else if (len == 4 && memcmp(param, "none", len) == 0) {
- ctx->cv = RSPAMD_ARC_NONE;
- return TRUE;
- }
- else if (len == 7 && memcmp(param, "invalid", len) == 0) {
- ctx->cv = RSPAMD_ARC_INVALID;
- return TRUE;
- }
-
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid arc seal verification result");
-
- return FALSE;
- }
-
-
- static void
- rspamd_dkim_add_arc_seal_headers(rspamd_mempool_t *pool,
- struct rspamd_dkim_common_ctx *ctx)
- {
- struct rspamd_dkim_header *hdr;
- int count = ctx->idx, i;
-
- ctx->hlist = g_ptr_array_sized_new(count * 3 - 1);
-
- for (i = 0; i < count; i++) {
- /* Authentication results */
- hdr = rspamd_mempool_alloc(pool, sizeof(*hdr));
- hdr->name = RSPAMD_DKIM_ARC_AUTHHEADER;
- hdr->count = -(i + 1);
- g_ptr_array_add(ctx->hlist, hdr);
-
- /* Arc signature */
- hdr = rspamd_mempool_alloc(pool, sizeof(*hdr));
- hdr->name = RSPAMD_DKIM_ARC_SIGNHEADER;
- hdr->count = -(i + 1);
- g_ptr_array_add(ctx->hlist, hdr);
-
- /* Arc seal (except last one) */
- if (i != count - 1) {
- hdr = rspamd_mempool_alloc(pool, sizeof(*hdr));
- hdr->name = RSPAMD_DKIM_ARC_SEALHEADER;
- hdr->count = -(i + 1);
- g_ptr_array_add(ctx->hlist, hdr);
- }
- }
-
- rspamd_mempool_add_destructor(ctx->pool,
- (rspamd_mempool_destruct_t) rspamd_dkim_hlist_free,
- ctx->hlist);
- }
-
- /**
- * Create new dkim context from signature
- * @param sig message's signature
- * @param pool pool to allocate memory from
- * @param err pointer to error object
- * @return new context or NULL
- */
- rspamd_dkim_context_t *
- rspamd_create_dkim_context(const char *sig,
- rspamd_mempool_t *pool,
- struct rspamd_dns_resolver *resolver,
- unsigned int time_jitter,
- enum rspamd_dkim_type type,
- GError **err)
- {
- const char *p, *c, *tag = NULL, *end;
- int taglen;
- int param = DKIM_PARAM_UNKNOWN;
- const EVP_MD *md_alg;
- time_t now;
- rspamd_dkim_context_t *ctx;
- enum {
- DKIM_STATE_TAG = 0,
- DKIM_STATE_AFTER_TAG,
- DKIM_STATE_VALUE,
- DKIM_STATE_SKIP_SPACES = 99,
- DKIM_STATE_ERROR = 100
- } state,
- next_state;
-
-
- if (sig == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_B,
- "empty signature");
- return NULL;
- }
-
- ctx = rspamd_mempool_alloc0(pool, sizeof(rspamd_dkim_context_t));
- ctx->pool = pool;
- ctx->resolver = resolver;
-
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- ctx->common.header_canon_type = DKIM_CANON_RELAXED;
- ctx->common.body_canon_type = DKIM_CANON_RELAXED;
- }
- else {
- ctx->common.header_canon_type = DKIM_CANON_DEFAULT;
- ctx->common.body_canon_type = DKIM_CANON_DEFAULT;
- }
-
- ctx->sig_alg = DKIM_SIGN_UNKNOWN;
- ctx->common.pool = pool;
- ctx->common.type = type;
- /* A simple state machine of parsing tags */
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_TAG;
- taglen = 0;
- p = sig;
- c = sig;
- end = p + strlen(p);
- ctx->common.sig_hash = rspamd_cryptobox_fast_hash(sig, end - sig,
- rspamd_hash_seed());
-
- msg_debug_dkim("create dkim context sig = %L", ctx->common.sig_hash);
-
- while (p <= end) {
- switch (state) {
- case DKIM_STATE_TAG:
- if (g_ascii_isspace(*p)) {
- taglen = (int) (p - c);
- while (*p && g_ascii_isspace(*p)) {
- /* Skip spaces before '=' sign */
- p++;
- }
- if (*p != '=') {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid dkim param");
- state = DKIM_STATE_ERROR;
- }
- else {
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_AFTER_TAG;
- param = DKIM_PARAM_UNKNOWN;
- p++;
- tag = c;
- }
- }
- else if (*p == '=') {
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_AFTER_TAG;
- param = DKIM_PARAM_UNKNOWN;
- p++;
- tag = c;
- }
- else {
- taglen++;
-
- if (taglen > G_MAXINT8) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "too long dkim tag");
- state = DKIM_STATE_ERROR;
- }
- else {
- p++;
- }
- }
- break;
- case DKIM_STATE_AFTER_TAG:
- /* We got tag at tag and len at taglen */
- switch (taglen) {
- case 0:
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "zero length dkim param");
- state = DKIM_STATE_ERROR;
- break;
- case 1:
- /* 1 character tags */
- switch (*tag) {
- case 'v':
- if (type == RSPAMD_DKIM_NORMAL) {
- param = DKIM_PARAM_VERSION;
- }
- else {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "invalid ARC v param");
- state = DKIM_STATE_ERROR;
- break;
- }
- break;
- case 'a':
- param = DKIM_PARAM_SIGNALG;
- break;
- case 'b':
- param = DKIM_PARAM_SIGNATURE;
- break;
- case 'c':
- param = DKIM_PARAM_CANONALG;
- break;
- case 'd':
- param = DKIM_PARAM_DOMAIN;
- break;
- case 'h':
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "ARC seal must NOT have h= tag");
- state = DKIM_STATE_ERROR;
- break;
- }
- else {
- param = DKIM_PARAM_HDRLIST;
- }
- break;
- case 'i':
- if (type == RSPAMD_DKIM_NORMAL) {
- param = DKIM_PARAM_IDENTITY;
- }
- else {
- param = DKIM_PARAM_IDX;
- }
- break;
- case 'l':
- param = DKIM_PARAM_BODYLENGTH;
- break;
- case 'q':
- param = DKIM_PARAM_QUERYMETHOD;
- break;
- case 's':
- param = DKIM_PARAM_SELECTOR;
- break;
- case 't':
- param = DKIM_PARAM_TIMESTAMP;
- break;
- case 'x':
- param = DKIM_PARAM_EXPIRATION;
- break;
- case 'z':
- param = DKIM_PARAM_COPIEDHDRS;
- break;
- case 'r':
- param = DKIM_PARAM_IGNORE;
- break;
- default:
- param = DKIM_PARAM_UNKNOWN;
- msg_debug_dkim("unknown DKIM param %c, ignoring it", *tag);
- break;
- }
- break;
- case 2:
- /* Two characters tags, e.g. `bh` */
- if (tag[0] == 'b' && tag[1] == 'h') {
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "ARC seal must NOT have bh= tag");
- state = DKIM_STATE_ERROR;
- }
- else {
- param = DKIM_PARAM_BODYHASH;
- }
- }
- else if (tag[0] == 'c' && tag[1] == 'v') {
- if (type != RSPAMD_DKIM_ARC_SEAL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "cv tag is valid for ARC-Seal only");
- state = DKIM_STATE_ERROR;
- }
- else {
- param = DKIM_PARAM_CV;
- }
- }
- else {
- param = DKIM_PARAM_UNKNOWN;
- msg_debug_dkim("unknown DKIM param %*s, ignoring it", taglen, tag);
- }
- break;
- default:
- /* Long and unknown (yet) DKIM tag */
- param = DKIM_PARAM_UNKNOWN;
- msg_debug_dkim("unknown DKIM param %*s, ignoring it", taglen, tag);
- break;
- }
-
- if (state != DKIM_STATE_ERROR) {
- /* Skip spaces */
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_VALUE;
- }
- break;
- case DKIM_STATE_VALUE:
- if (*p == ';') {
- if (p - c == 0 || c > p) {
- state = DKIM_STATE_ERROR;
- }
- else {
- /* Cut trailing spaces for value */
- int tlen = p - c;
- const char *tmp = p - 1;
-
- while (tlen > 0) {
- if (!g_ascii_isspace(*tmp)) {
- break;
- }
- tlen--;
- tmp--;
- }
-
- if (param != DKIM_PARAM_UNKNOWN) {
- if (!parser_funcs[param](ctx, c, tlen, err)) {
- state = DKIM_STATE_ERROR;
- }
- else {
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_TAG;
- p++;
- taglen = 0;
- }
- }
- else {
- /* Unknown param has been ignored */
- msg_debug_dkim("ignored unknown tag parameter value: %*s = %*s",
- taglen, tag, tlen, c);
- state = DKIM_STATE_SKIP_SPACES;
- next_state = DKIM_STATE_TAG;
- p++;
- taglen = 0;
- }
- }
- }
- else if (p == end) {
- /* Last parameter with no `;` character */
- int tlen = p - c;
- const char *tmp = p - 1;
-
- while (tlen > 0) {
- if (!g_ascii_isspace(*tmp)) {
- break;
- }
- tlen--;
- tmp--;
- }
-
- if (param != DKIM_PARAM_UNKNOWN) {
- if (!parser_funcs[param](ctx, c, tlen, err)) {
- state = DKIM_STATE_ERROR;
- }
- }
- else {
- msg_debug_dkim("ignored unknown tag parameter value: %*s: %*s",
- taglen, tag, tlen, c);
- }
-
- if (state == DKIM_STATE_ERROR) {
- /*
- * We need to return from here as state machine won't
- * do any more steps after p == end
- */
- if (err) {
- msg_info_dkim("dkim parse failed: %e", *err);
- }
-
- return NULL;
- }
- /* Finish processing */
- p++;
- }
- else {
- p++;
- }
- break;
- case DKIM_STATE_SKIP_SPACES:
- if (g_ascii_isspace(*p)) {
- p++;
- }
- else {
- c = p;
- state = next_state;
- }
- break;
- case DKIM_STATE_ERROR:
- if (err && *err) {
- msg_info_dkim("dkim parse failed: %s", (*err)->message);
- return NULL;
- }
- else {
- msg_info_dkim("dkim parse failed: unknown error when parsing %c tag",
- tag ? *tag : '?');
- return NULL;
- }
- break;
- }
- }
-
- if (type == RSPAMD_DKIM_ARC_SEAL) {
- rspamd_dkim_add_arc_seal_headers(pool, &ctx->common);
- }
-
- /* Now check validity of signature */
- if (ctx->b == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_B,
- "b parameter missing");
- return NULL;
- }
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL && ctx->bh == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_BH,
- "bh parameter missing");
- return NULL;
- }
- if (ctx->domain == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_D,
- "domain parameter missing");
- return NULL;
- }
- if (ctx->selector == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_S,
- "selector parameter missing");
- return NULL;
- }
- if (ctx->common.type == RSPAMD_DKIM_NORMAL && ctx->ver == 0) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_V,
- "v parameter missing");
- return NULL;
- }
- if (ctx->common.hlist == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_H,
- "h parameter missing");
- return NULL;
- }
- if (ctx->sig_alg == DKIM_SIGN_UNKNOWN) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EMPTY_S,
- "s parameter missing");
- return NULL;
- }
-
- if (type != RSPAMD_DKIM_ARC_SEAL) {
- if (ctx->sig_alg == DKIM_SIGN_RSASHA1) {
- /* Check bh length */
- if (ctx->bhlen != (unsigned int) EVP_MD_size(EVP_sha1())) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has incorrect length: %zu",
- ctx->bhlen);
- return NULL;
- }
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA256) {
- if (ctx->bhlen !=
- (unsigned int) EVP_MD_size(EVP_sha256())) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has incorrect length: %zu",
- ctx->bhlen);
- return NULL;
- }
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA512 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA512) {
- if (ctx->bhlen !=
- (unsigned int) EVP_MD_size(EVP_sha512())) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has incorrect length: %zu",
- ctx->bhlen);
- return NULL;
- }
- }
- }
-
- /* Check expiration */
- now = time(NULL);
- if (ctx->timestamp && now < ctx->timestamp && ctx->timestamp - now > (int) time_jitter) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_FUTURE,
- "signature was made in future, ignoring");
- return NULL;
- }
- if (ctx->expiration && ctx->expiration < now) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_EXPIRED,
- "signature has expired");
- return NULL;
- }
-
- if (ctx->common.type != RSPAMD_DKIM_NORMAL && (ctx->common.idx == 0 ||
- ctx->common.idx > RSPAMD_DKIM_MAX_ARC_IDX)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "i parameter missing or invalid for ARC");
- return NULL;
- }
-
- if (ctx->common.type == RSPAMD_DKIM_ARC_SEAL) {
- if (ctx->cv == RSPAMD_ARC_UNKNOWN) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_UNKNOWN,
- "cv parameter missing or invalid for ARC");
- return NULL;
- }
- }
-
- /* Now create dns key to request further */
- gsize dnslen = strlen(ctx->domain) + strlen(ctx->selector) +
- sizeof(DKIM_DNSKEYNAME) + 2;
- ctx->dns_key = rspamd_mempool_alloc(ctx->pool, dnslen);
- rspamd_snprintf(ctx->dns_key,
- dnslen,
- "%s.%s.%s",
- ctx->selector,
- DKIM_DNSKEYNAME,
- ctx->domain);
-
- /* Create checksums for further operations */
- if (ctx->sig_alg == DKIM_SIGN_RSASHA1) {
- md_alg = EVP_sha1();
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_EDDSASHA256) {
- md_alg = EVP_sha256();
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA512 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA512) {
- md_alg = EVP_sha512();
- }
- else {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_BADSIG,
- "signature has unsupported signature algorithm");
-
- return NULL;
- }
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- ctx->common.body_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(ctx->common.body_hash, md_alg, NULL);
- ctx->common.headers_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(ctx->common.headers_hash, md_alg, NULL);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, ctx->common.body_hash);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, ctx->common.headers_hash);
- #else
- ctx->common.body_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(ctx->common.body_hash, md_alg, NULL);
- ctx->common.headers_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(ctx->common.headers_hash, md_alg, NULL);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, ctx->common.body_hash);
- rspamd_mempool_add_destructor(pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, ctx->common.headers_hash);
- #endif
- ctx->dkim_header = sig;
-
- return ctx;
- }
-
- struct rspamd_dkim_key_cbdata {
- rspamd_dkim_context_t *ctx;
- dkim_key_handler_f handler;
- gpointer ud;
- };
-
- rspamd_dkim_key_t *
- rspamd_dkim_make_key(const char *keydata,
- unsigned int keylen, enum rspamd_dkim_key_type type, GError **err)
- {
- rspamd_dkim_key_t *key = NULL;
-
- if (keylen < 3) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "DKIM key is too short to be valid");
- return NULL;
- }
-
- key = g_malloc0(sizeof(rspamd_dkim_key_t));
- REF_INIT_RETAIN(key, rspamd_dkim_key_free);
- key->keydata = g_malloc0(keylen + 1);
- key->raw_key = g_malloc(keylen);
- key->decoded_len = keylen;
- key->type = type;
-
- /* Copy key skipping all spaces and newlines */
- const char *h = keydata;
- uint8_t *t = key->raw_key;
-
- while (h - keydata < keylen) {
- if (!g_ascii_isspace(*h)) {
- *t++ = *h++;
- }
- else {
- h++;
- }
- }
-
- key->keylen = t - key->raw_key;
-
- if (!rspamd_cryptobox_base64_decode(key->raw_key, key->keylen, key->keydata,
- &key->decoded_len)) {
- REF_RELEASE(key);
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "DKIM key is not a valid base64 string");
-
- return NULL;
- }
-
- /* Calculate ID -> md5 */
- EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
-
- #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
- EVP_MD_CTX_set_flags(mdctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #endif
-
- if (EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) == 1) {
- unsigned int dlen = sizeof(key->key_id);
-
- EVP_DigestUpdate(mdctx, key->keydata, key->decoded_len);
- EVP_DigestFinal_ex(mdctx, key->key_id, &dlen);
- }
-
- EVP_MD_CTX_destroy(mdctx);
-
- if (key->type == RSPAMD_DKIM_KEY_EDDSA) {
- key->key.key_eddsa = key->keydata;
-
- if (key->decoded_len != rspamd_cryptobox_pk_sig_bytes(
- RSPAMD_CRYPTOBOX_MODE_25519)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "DKIM key is has invalid length %d for eddsa; expected %d",
- (int) key->decoded_len,
- rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
- REF_RELEASE(key);
-
- return NULL;
- }
- }
- else {
- key->key_bio = BIO_new_mem_buf(key->keydata, key->decoded_len);
-
- if (key->key_bio == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot make ssl bio from key");
- REF_RELEASE(key);
-
- return NULL;
- }
-
- key->key_evp = d2i_PUBKEY_bio(key->key_bio, NULL);
-
- if (key->key_evp == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract pubkey from bio");
- REF_RELEASE(key);
-
- return NULL;
- }
-
- if (type == RSPAMD_DKIM_KEY_RSA) {
- key->key.key_rsa = EVP_PKEY_get1_RSA(key->key_evp);
-
- if (key->key.key_rsa == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract rsa key from evp key");
- REF_RELEASE(key);
-
- return NULL;
- }
- }
- else {
- key->key.key_ecdsa = EVP_PKEY_get1_EC_KEY(key->key_evp);
-
- if (key->key.key_ecdsa == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract ecdsa key from evp key");
- REF_RELEASE(key);
-
- return NULL;
- }
- }
- }
-
- return key;
- }
-
- const unsigned char *
- rspamd_dkim_key_id(rspamd_dkim_key_t *key)
- {
- if (key) {
- return key->key_id;
- }
-
- return NULL;
- }
-
- /**
- * Free DKIM key
- * @param key
- */
- void rspamd_dkim_key_free(rspamd_dkim_key_t *key)
- {
- if (key->key_evp) {
- EVP_PKEY_free(key->key_evp);
- }
-
- if (key->type == RSPAMD_DKIM_KEY_RSA) {
- if (key->key.key_rsa) {
- RSA_free(key->key.key_rsa);
- }
- }
- else if (key->type == RSPAMD_DKIM_KEY_ECDSA) {
- if (key->key.key_ecdsa) {
- EC_KEY_free(key->key.key_ecdsa);
- }
- }
- /* Nothing in case of eddsa key */
- if (key->key_bio) {
- BIO_free(key->key_bio);
- }
-
- g_free(key->raw_key);
- g_free(key->keydata);
- g_free(key);
- }
-
- void rspamd_dkim_sign_key_free(rspamd_dkim_sign_key_t *key)
- {
- if (key->key_evp) {
- EVP_PKEY_free(key->key_evp);
- }
- if (key->type == RSPAMD_DKIM_KEY_RSA) {
- if (key->key.key_rsa) {
- RSA_free(key->key.key_rsa);
- }
- }
- if (key->key_bio) {
- BIO_free(key->key_bio);
- }
-
- if (key->type == RSPAMD_DKIM_KEY_EDDSA) {
- rspamd_explicit_memzero(key->key.key_eddsa, key->keylen);
- g_free(key->keydata);
- }
-
- g_free(key);
- }
-
- rspamd_dkim_key_t *
- rspamd_dkim_parse_key(const char *txt, gsize *keylen, GError **err)
- {
- const char *c, *p, *end, *key = NULL, *alg = "rsa";
- enum {
- read_tag = 0,
- read_tag_before_eqsign,
- read_eqsign,
- read_p_tag,
- read_k_tag,
- ignore_value,
- skip_spaces,
- } state = read_tag,
- next_state;
- char tag = '\0';
- gsize klen = 0, alglen = 0;
-
- c = txt;
- p = txt;
- end = txt + strlen(txt);
-
- while (p < end) {
- switch (state) {
- case read_tag:
- if (*p == '=') {
- state = read_eqsign;
- }
- else if (g_ascii_isspace(*p)) {
- state = skip_spaces;
-
- if (tag != '\0') {
- /* We had tag letter */
- next_state = read_tag_before_eqsign;
- }
- else {
- /* We had no tag letter, so we ignore empty tag */
- next_state = read_tag;
- }
- }
- else {
- tag = *p;
- }
- p++;
- break;
- case read_tag_before_eqsign:
- /* Input: spaces before eqsign
- * Output: either read a next tag (previous had no value), or read value
- * p is moved forward
- */
- if (*p == '=') {
- state = read_eqsign;
- }
- else {
- tag = *p;
- state = read_tag;
- }
- p++;
- break;
- case read_eqsign:
- /* Always switch to skip spaces state and do not advance p */
- state = skip_spaces;
-
- if (tag == 'p') {
- next_state = read_p_tag;
- }
- else if (tag == 'k') {
- next_state = read_k_tag;
- }
- else {
- /* Unknown tag, ignore */
- next_state = ignore_value;
- tag = '\0';
- }
- break;
- case read_p_tag:
- if (*p == ';') {
- klen = p - c;
- key = c;
- state = read_tag;
- tag = '\0';
- p++;
- }
- else {
- p++;
- }
- break;
- case read_k_tag:
- if (*p == ';') {
- alglen = p - c;
- alg = c;
- state = read_tag;
- tag = '\0';
- p++;
- }
- else if (g_ascii_isspace(*p)) {
- alglen = p - c;
- alg = c;
- state = skip_spaces;
- next_state = read_tag;
- tag = '\0';
- }
- else {
- p++;
- }
- break;
- case ignore_value:
- if (*p == ';') {
- state = read_tag;
- tag = '\0';
- p++;
- }
- else if (g_ascii_isspace(*p)) {
- state = skip_spaces;
- next_state = read_tag;
- tag = '\0';
- }
- else {
- p++;
- }
- break;
- case skip_spaces:
- /* Skip spaces and switch to the next state if needed */
- if (g_ascii_isspace(*p)) {
- p++;
- }
- else {
- c = p;
- state = next_state;
- }
- break;
- default:
- break;
- }
- }
-
- /* Leftover */
- switch (state) {
- case read_p_tag:
- klen = p - c;
- key = c;
- break;
- case read_k_tag:
- alglen = p - c;
- alg = c;
- break;
- default:
- break;
- }
-
- if (klen == 0 || key == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "key is missing");
-
- return NULL;
- }
-
- if (alglen == 0 || alg == NULL) {
- alg = "rsa"; /* Implicit */
- alglen = 3;
- }
-
- if (keylen) {
- *keylen = klen;
- }
-
- if (alglen == 8 && rspamd_lc_cmp(alg, "ecdsa256", alglen) == 0) {
- return rspamd_dkim_make_key(key, klen,
- RSPAMD_DKIM_KEY_ECDSA, err);
- }
- else if (alglen == 7 && rspamd_lc_cmp(alg, "ed25519", alglen) == 0) {
- return rspamd_dkim_make_key(key, klen,
- RSPAMD_DKIM_KEY_EDDSA, err);
- }
- else {
- /* We assume RSA default in all cases */
- return rspamd_dkim_make_key(key, klen,
- RSPAMD_DKIM_KEY_RSA, err);
- }
-
- g_assert_not_reached();
-
- return NULL;
- }
-
- /* Get TXT request data and parse it */
- static void
- rspamd_dkim_dns_cb(struct rdns_reply *reply, gpointer arg)
- {
- struct rspamd_dkim_key_cbdata *cbdata = arg;
- rspamd_dkim_key_t *key = NULL;
- GError *err = NULL;
- struct rdns_reply_entry *elt;
- gsize keylen = 0;
-
- if (reply->code != RDNS_RC_NOERROR) {
- int err_code = DKIM_SIGERROR_NOKEY;
- if (reply->code == RDNS_RC_NOREC) {
- err_code = DKIM_SIGERROR_NOREC;
- }
- else if (reply->code == RDNS_RC_NXDOMAIN) {
- err_code = DKIM_SIGERROR_NOREC;
- }
- g_set_error(&err,
- DKIM_ERROR,
- err_code,
- "dns request to %s failed: %s",
- cbdata->ctx->dns_key,
- rdns_strerror(reply->code));
- cbdata->handler(NULL, 0, cbdata->ctx, cbdata->ud, err);
- }
- else {
- LL_FOREACH(reply->entries, elt)
- {
- if (elt->type == RDNS_REQUEST_TXT) {
- if (err != NULL) {
- /* Free error as it is insignificant */
- g_error_free(err);
- err = NULL;
- }
- key = rspamd_dkim_parse_key(elt->content.txt.data,
- &keylen,
- &err);
- if (key) {
- key->ttl = elt->ttl;
- break;
- }
- }
- }
- cbdata->handler(key, keylen, cbdata->ctx, cbdata->ud, err);
- }
- }
-
- /**
- * Make DNS request for specified context and obtain and parse key
- * @param ctx dkim context from signature
- * @param resolver dns resolver object
- * @param s async session to make request
- * @return
- */
- gboolean
- rspamd_get_dkim_key(rspamd_dkim_context_t *ctx,
- struct rspamd_task *task,
- dkim_key_handler_f handler,
- gpointer ud)
- {
- struct rspamd_dkim_key_cbdata *cbdata;
-
- g_return_val_if_fail(ctx != NULL, FALSE);
- g_return_val_if_fail(ctx->dns_key != NULL, FALSE);
-
- cbdata =
- rspamd_mempool_alloc(ctx->pool,
- sizeof(struct rspamd_dkim_key_cbdata));
- cbdata->ctx = ctx;
- cbdata->handler = handler;
- cbdata->ud = ud;
-
- return rspamd_dns_resolver_request_task_forced(task,
- rspamd_dkim_dns_cb,
- cbdata,
- RDNS_REQUEST_TXT,
- ctx->dns_key);
- }
-
- static gboolean
- rspamd_dkim_relaxed_body_step(struct rspamd_dkim_common_ctx *ctx, EVP_MD_CTX *ck,
- const char **start, unsigned int size,
- gssize *remain)
- {
- const char *h;
- char *t;
- unsigned int len, inlen;
- gssize octets_remain;
- gboolean got_sp, ret = TRUE;
- char buf[1024];
-
- len = size;
- inlen = sizeof(buf) - 1;
- h = *start;
- t = buf;
- got_sp = FALSE;
- octets_remain = *remain;
-
- while (len > 0 && inlen > 0 && (octets_remain > 0)) {
-
- if (*h == '\r' || *h == '\n') {
- if (got_sp) {
- /* Ignore spaces at the end of line */
- t--;
- }
- *t++ = '\r';
- *t++ = '\n';
-
- if (len > 1 && (*h == '\r' && h[1] == '\n')) {
- h += 2;
- len -= 2;
- octets_remain -= 2;
- }
- else {
- h++;
- len--;
- if (octets_remain >= 2) {
- octets_remain -= 2; /* Input has just \n or \r so we actually add more octets */
- }
- else {
- octets_remain--;
- break;
- }
- }
- break;
- }
- else if (g_ascii_isspace(*h)) {
- if (got_sp) {
- /* Ignore multiply spaces */
- h++;
- len--;
- continue;
- }
- else {
- *t++ = ' ';
- h++;
- inlen--;
- len--;
- octets_remain--;
- got_sp = TRUE;
- continue;
- }
- }
- else {
- got_sp = FALSE;
- }
-
- *t++ = *h++;
- inlen--;
- len--;
- octets_remain--;
- }
-
- if (octets_remain < 0) {
- /* Absurdic l tag value, but we still need to rewind the t pointer back */
- while (t > buf && octets_remain < 0) {
- t--;
- octets_remain++;
- }
-
- ret = FALSE;
- }
-
- *start = h;
-
- if (t - buf > 0) {
- gsize cklen = t - buf;
-
- EVP_DigestUpdate(ck, buf, cklen);
- ctx->body_canonicalised += cklen;
- msg_debug_dkim("relaxed update signature with body buffer "
- "(%z size, %z -> %z remain)",
- cklen, *remain, octets_remain);
- *remain = octets_remain;
- }
-
- return ret && ((len > 0) && (octets_remain > 0));
- }
-
- static gboolean
- rspamd_dkim_simple_body_step(struct rspamd_dkim_common_ctx *ctx,
- EVP_MD_CTX *ck, const char **start, unsigned int size,
- gssize *remain)
- {
- const char *h;
- char *t;
- unsigned int len, inlen;
- gssize octets_remain;
- char buf[1024];
-
- len = size;
- inlen = sizeof(buf) - 1;
- h = *start;
- t = &buf[0];
- octets_remain = *remain;
-
- while (len > 0 && inlen > 0 && (octets_remain != 0)) {
- if (*h == '\r' || *h == '\n') {
- *t++ = '\r';
- *t++ = '\n';
-
- if (len > 1 && (*h == '\r' && h[1] == '\n')) {
- h += 2;
- len -= 2;
-
- if (octets_remain >= 2) {
- octets_remain -= 2; /* Input has just \n or \r so we actually add more octets */
- }
- else {
- octets_remain--;
- }
- }
- else {
- h++;
- len--;
-
- if (octets_remain >= 2) {
- octets_remain -= 2; /* Input has just \n or \r so we actually add more octets */
- }
- else {
- octets_remain--;
- }
- }
- break;
- }
-
- *t++ = *h++;
- octets_remain--;
- inlen--;
- len--;
- }
-
- *start = h;
-
- if (t - buf > 0) {
- gsize cklen = t - buf;
-
- EVP_DigestUpdate(ck, buf, cklen);
- ctx->body_canonicalised += cklen;
- msg_debug_dkim("simple update signature with body buffer "
- "(%z size, %z -> %z remain)",
- cklen, *remain, octets_remain);
- *remain = octets_remain;
- }
-
- return ((len != 0) && (octets_remain != 0));
- }
-
- static const char *
- rspamd_dkim_skip_empty_lines(const char *start, const char *end,
- unsigned int type, gboolean sign, gboolean *need_crlf)
- {
- const char *p = end - 1, *t;
- enum {
- init = 0,
- init_2,
- got_cr,
- got_lf,
- got_crlf,
- test_spaces,
- } state = init;
- unsigned int skip = 0;
-
- while (p >= start) {
- switch (state) {
- case init:
- if (*p == '\r') {
- state = got_cr;
- }
- else if (*p == '\n') {
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && *p == ' ') {
- skip = 0;
- state = test_spaces;
- }
- else {
- if (sign || type != DKIM_CANON_RELAXED) {
- *need_crlf = TRUE;
- }
-
- goto end;
- }
- break;
- case init_2:
- if (*p == '\r') {
- state = got_cr;
- }
- else if (*p == '\n') {
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && (*p == ' ' || *p == '\t')) {
- skip = 0;
- state = test_spaces;
- }
- else {
- goto end;
- }
- break;
- case got_cr:
- if (p >= start + 1) {
- if (*(p - 1) == '\r') {
- p--;
- state = got_cr;
- }
- else if (*(p - 1) == '\n') {
- if ((*p - 2) == '\r') {
- /* \r\n\r -> we know about one line */
- p -= 1;
- state = got_crlf;
- }
- else {
- /* \n\r -> we know about one line */
- p -= 1;
- state = got_lf;
- }
- }
- else if (type == DKIM_CANON_RELAXED && (*(p - 1) == ' ' ||
- *(p - 1) == '\t')) {
- skip = 1;
- state = test_spaces;
- }
- else {
- goto end;
- }
- }
- else {
- if (g_ascii_isspace(*(p - 1))) {
- if (type == DKIM_CANON_RELAXED) {
- p -= 1;
- }
- }
- goto end;
- }
- break;
- case got_lf:
- if (p >= start + 1) {
- if (*(p - 1) == '\r') {
- state = got_crlf;
- }
- else if (*(p - 1) == '\n') {
- /* We know about one line */
- p--;
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && (*(p - 1) == ' ' ||
- *(p - 1) == '\t')) {
- skip = 1;
- state = test_spaces;
- }
- else {
- goto end;
- }
- }
- else {
- if (g_ascii_isspace(*(p - 1))) {
- if (type == DKIM_CANON_RELAXED) {
- p -= 1;
- }
- }
- goto end;
- }
- break;
- case got_crlf:
- if (p >= start + 2) {
- if (*(p - 2) == '\r') {
- p -= 2;
- state = got_cr;
- }
- else if (*(p - 2) == '\n') {
- p -= 2;
- state = got_lf;
- }
- else if (type == DKIM_CANON_RELAXED && (*(p - 2) == ' ' ||
- *(p - 2) == '\t')) {
- skip = 2;
- state = test_spaces;
- }
- else {
- goto end;
- }
- }
- else {
- if (g_ascii_isspace(*(p - 2))) {
- if (type == DKIM_CANON_RELAXED) {
- p -= 2;
- }
- }
- goto end;
- }
- break;
- case test_spaces:
- t = p - skip;
-
- while (t >= start + 2 && (*t == ' ' || *t == '\t')) {
- t--;
- }
-
- if (*t == '\r') {
- p = t;
- state = got_cr;
- }
- else if (*t == '\n') {
- p = t;
- state = got_lf;
- }
- else {
- goto end;
- }
- break;
- }
- }
-
- end:
- return p;
- }
-
- static gboolean
- rspamd_dkim_canonize_body(struct rspamd_dkim_common_ctx *ctx,
- const char *start,
- const char *end,
- gboolean sign)
- {
- const char *p;
- gssize remain = ctx->len ? ctx->len : G_MAXSSIZE;
- unsigned int total_len = end - start;
- gboolean need_crlf = FALSE;
-
- if (start == NULL) {
- /* Empty body */
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE) {
- EVP_DigestUpdate(ctx->body_hash, CRLF, sizeof(CRLF) - 1);
- ctx->body_canonicalised += sizeof(CRLF) - 1;
- }
- else {
- EVP_DigestUpdate(ctx->body_hash, "", 0);
- }
- }
- else {
- /* Strip extra ending CRLF */
- p = rspamd_dkim_skip_empty_lines(start, end, ctx->body_canon_type,
- sign, &need_crlf);
- end = p + 1;
-
- if (end == start) {
- /* Empty body */
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE) {
- EVP_DigestUpdate(ctx->body_hash, CRLF, sizeof(CRLF) - 1);
- ctx->body_canonicalised += sizeof(CRLF) - 1;
- }
- else {
- EVP_DigestUpdate(ctx->body_hash, "", 0);
- }
- }
- else {
- if (ctx->body_canon_type == DKIM_CANON_SIMPLE) {
- /* Simple canonization */
- while (rspamd_dkim_simple_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain))
- ;
-
- /*
- * If we have l= tag then we cannot add crlf...
- */
- if (need_crlf) {
- /* l is evil... */
- if (ctx->len == 0) {
- remain = 2;
- }
- else {
- if (ctx->len <= total_len) {
- /* We don't have enough l to add \r\n */
- remain = 0;
- }
- else {
- if (ctx->len - total_len >= 2) {
- remain = 2;
- }
- else {
- remain = ctx->len - total_len;
- }
- }
- }
-
- start = "\r\n";
- end = start + 2;
-
- rspamd_dkim_simple_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain);
- }
- }
- else {
- while (rspamd_dkim_relaxed_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain))
- ;
- if (need_crlf) {
- start = "\r\n";
- end = start + 2;
- remain = 2;
- rspamd_dkim_relaxed_body_step(ctx, ctx->body_hash,
- &start, end - start, &remain);
- }
- }
- }
- return TRUE;
- }
-
- /* TODO: Implement relaxed algorithm */
- return FALSE;
- }
-
- /* Update hash converting all CR and LF to CRLF */
- static void
- rspamd_dkim_hash_update(EVP_MD_CTX *ck, const char *begin, gsize len)
- {
- const char *p, *c, *end;
-
- end = begin + len;
- p = begin;
- c = p;
-
- while (p < end) {
- if (*p == '\r') {
- EVP_DigestUpdate(ck, c, p - c);
- EVP_DigestUpdate(ck, CRLF, sizeof(CRLF) - 1);
- p++;
-
- if (p < end && *p == '\n') {
- p++;
- }
- c = p;
- }
- else if (*p == '\n') {
- EVP_DigestUpdate(ck, c, p - c);
- EVP_DigestUpdate(ck, CRLF, sizeof(CRLF) - 1);
- p++;
- c = p;
- }
- else {
- p++;
- }
- }
-
- if (p > c) {
- EVP_DigestUpdate(ck, c, p - c);
- }
- }
-
- /* Update hash by signature value (ignoring b= tag) */
- static void
- rspamd_dkim_signature_update(struct rspamd_dkim_common_ctx *ctx,
- const char *begin,
- unsigned int len)
- {
- const char *p, *c, *end;
- gboolean tag, skip;
-
- end = begin + len;
- p = begin;
- c = begin;
- tag = TRUE;
- skip = FALSE;
-
- while (p < end) {
- if (tag && p[0] == 'b' && p[1] == '=') {
- /* Add to signature */
- msg_debug_dkim("initial update hash with signature part: %*s",
- (int) (p - c + 2),
- c);
- ctx->headers_canonicalised += p - c + 2;
- rspamd_dkim_hash_update(ctx->headers_hash, c, p - c + 2);
- skip = TRUE;
- }
- else if (skip && (*p == ';' || p == end - 1)) {
- skip = FALSE;
- c = p;
- }
- else if (!tag && *p == ';') {
- tag = TRUE;
- }
- else if (tag && *p == '=') {
- tag = FALSE;
- }
- p++;
- }
-
- p--;
- /* Skip \r\n at the end */
- while ((*p == '\r' || *p == '\n') && p >= c) {
- p--;
- }
-
- if (p - c + 1 > 0) {
- msg_debug_dkim("final update hash with signature part: %*s",
- (int) (p - c + 1), c);
- ctx->headers_canonicalised += p - c + 1;
- rspamd_dkim_hash_update(ctx->headers_hash, c, p - c + 1);
- }
- }
-
- goffset
- rspamd_dkim_canonize_header_relaxed_str(const char *hname,
- const char *hvalue,
- char *out,
- gsize outlen)
- {
- char *t;
- const unsigned char *h;
- gboolean got_sp;
-
- /* Name part */
- t = out;
- h = hname;
-
- while (*h && t - out < outlen) {
- *t++ = lc_map[*h++];
- }
-
- if (t - out >= outlen) {
- return -1;
- }
-
- *t++ = ':';
-
- /* Value part */
- h = hvalue;
- /* Skip spaces at the beginning */
- while (g_ascii_isspace(*h)) {
- h++;
- }
-
- got_sp = FALSE;
-
- while (*h && (t - out < outlen)) {
- if (g_ascii_isspace(*h)) {
- if (got_sp) {
- h++;
- continue;
- }
- else {
- got_sp = TRUE;
- *t++ = ' ';
- h++;
- continue;
- }
- }
- else {
- got_sp = FALSE;
- }
-
- *t++ = *h++;
- }
-
- if (g_ascii_isspace(*(t - 1))) {
- t--;
- }
-
- if (t - out >= outlen - 2) {
- return -1;
- }
-
- *t++ = '\r';
- *t++ = '\n';
- *t = '\0';
-
- return t - out;
- }
-
- static gboolean
- rspamd_dkim_canonize_header_relaxed(struct rspamd_dkim_common_ctx *ctx,
- const char *header,
- const char *header_name,
- gboolean is_sign,
- unsigned int count,
- bool is_seal)
- {
- static char st_buf[8192];
- char *buf;
- unsigned int inlen;
- goffset r;
- gboolean allocated = FALSE;
-
- inlen = strlen(header) + strlen(header_name) + sizeof(":" CRLF);
-
- if (inlen > sizeof(st_buf)) {
- buf = g_malloc(inlen);
- allocated = TRUE;
- }
- else {
- /* Faster */
- buf = st_buf;
- }
-
- r = rspamd_dkim_canonize_header_relaxed_str(header_name, header, buf, inlen);
-
- g_assert(r != -1);
-
- if (!is_sign) {
- msg_debug_dkim("update %s with header (idx=%d): %s",
- is_seal ? "seal" : "signature", count, buf);
- EVP_DigestUpdate(ctx->headers_hash, buf, r);
- }
- else {
- rspamd_dkim_signature_update(ctx, buf, r);
- }
-
- if (allocated) {
- g_free(buf);
- }
-
- return TRUE;
- }
-
-
- static gboolean
- rspamd_dkim_canonize_header(struct rspamd_dkim_common_ctx *ctx,
- struct rspamd_task *task,
- const char *header_name,
- int count,
- const char *dkim_header,
- const char *dkim_domain)
- {
- struct rspamd_mime_header *rh, *cur, *sel = NULL;
- int hdr_cnt = 0;
- bool use_idx = false, is_sign = ctx->is_sign;
-
- /*
- * TODO:
- * Temporary hack to prevent linked list being misused until refactored
- */
- const unsigned int max_list_iters = 1000;
-
- if (count < 0) {
- use_idx = true;
- count = -(count); /* use i= in header content as it is arc stuff */
- }
-
- if (dkim_header == NULL) {
- rh = rspamd_message_get_header_array(task, header_name,
- is_sign);
-
- if (rh) {
- /* Check uniqueness of the header but we count from the bottom to top */
- if (!use_idx) {
- for (cur = rh->prev;; cur = cur->prev) {
- if (hdr_cnt == count) {
- sel = cur;
- }
-
- hdr_cnt++;
-
- if (cur == rh || hdr_cnt >= max_list_iters) {
- /* Cycle */
- break;
- }
- }
-
- if ((rh->flags & RSPAMD_HEADER_UNIQUE) && hdr_cnt > 1) {
- uint64_t random_cookie = ottery_rand_uint64();
-
- msg_warn_dkim("header %s is intended to be unique by"
- " email standards, but we have %d headers of this"
- " type, artificially break DKIM check",
- header_name,
- hdr_cnt);
- rspamd_dkim_hash_update(ctx->headers_hash,
- (const char *) &random_cookie,
- sizeof(random_cookie));
- ctx->headers_canonicalised += sizeof(random_cookie);
-
- return FALSE;
- }
-
- if (hdr_cnt <= count) {
- /*
- * If DKIM has less headers requested than there are in a
- * message, then it's fine, it allows adding extra headers
- */
- return TRUE;
- }
- }
- else {
- /*
- * This branch is used for ARC headers, and it orders them based on
- * i=<number> string and not their real order in the list of headers
- */
- char idx_buf[16];
- int id_len, i;
-
- id_len = rspamd_snprintf(idx_buf, sizeof(idx_buf), "i=%d;",
- count);
-
- for (cur = rh->prev, i = 0; i < max_list_iters; cur = cur->prev, i++) {
- if (cur->decoded &&
- rspamd_substring_search(cur->decoded, strlen(cur->decoded),
- idx_buf, id_len) != -1) {
- sel = cur;
- break;
- }
-
- if (cur == rh) {
- /* Cycle */
- break;
- }
- }
-
- if (sel == NULL) {
- return FALSE;
- }
- }
-
- /* Selected header must be non-null if previous condition is false */
- g_assert(sel != NULL);
-
- if (ctx->header_canon_type == DKIM_CANON_SIMPLE) {
- rspamd_dkim_hash_update(ctx->headers_hash, sel->raw_value,
- sel->raw_len);
- ctx->headers_canonicalised += sel->raw_len;
- msg_debug_dkim("update %s with header (idx=%d): %*s",
- (use_idx ? "seal" : "signature"),
- count, (int) sel->raw_len, sel->raw_value);
- }
- else {
- if (is_sign && (sel->flags & RSPAMD_HEADER_FROM)) {
- /* Special handling of the From handling when rewrite is done */
- gboolean has_rewrite = FALSE;
- unsigned int i;
- struct rspamd_email_address *addr;
-
- PTR_ARRAY_FOREACH(MESSAGE_FIELD(task, from_mime), i, addr)
- {
- if ((addr->flags & RSPAMD_EMAIL_ADDR_ORIGINAL) && !(addr->flags & RSPAMD_EMAIL_ADDR_ALIASED)) {
- has_rewrite = TRUE;
- }
- }
-
- if (has_rewrite) {
- PTR_ARRAY_FOREACH(MESSAGE_FIELD(task, from_mime), i, addr)
- {
- if (!(addr->flags & RSPAMD_EMAIL_ADDR_ORIGINAL)) {
- if (!rspamd_dkim_canonize_header_relaxed(ctx, addr->raw,
- header_name, FALSE, i, use_idx)) {
- return FALSE;
- }
-
- return TRUE;
- }
- }
- }
- }
-
- if (!rspamd_dkim_canonize_header_relaxed(ctx, sel->value,
- header_name, FALSE, count, use_idx)) {
- return FALSE;
- }
- }
- }
- }
- else {
- /* For signature check just use the saved dkim header */
- if (ctx->header_canon_type == DKIM_CANON_SIMPLE) {
- /* We need to find our own signature and use it */
- rh = rspamd_message_get_header_array(task, header_name, is_sign);
-
- if (rh) {
- /* We need to find our own signature */
- if (!dkim_domain) {
- msg_err_dkim("cannot verify dkim as we have no dkim domain!");
- return FALSE;
- }
-
- gboolean found = FALSE;
-
- DL_FOREACH(rh, cur)
- {
- uint64_t th = rspamd_cryptobox_fast_hash(cur->decoded,
- strlen(cur->decoded), rspamd_hash_seed());
-
- if (th == ctx->sig_hash) {
- rspamd_dkim_signature_update(ctx, cur->raw_value,
- cur->raw_len);
- found = TRUE;
- break;
- }
- }
- if (!found) {
- msg_err_dkim("BUGON: cannot verify dkim as we have lost our signature"
- " during simple canonicalisation, expected hash=%L",
- ctx->sig_hash);
- return FALSE;
- }
- }
- else {
- return FALSE;
- }
- }
- else {
- if (!rspamd_dkim_canonize_header_relaxed(ctx,
- dkim_header,
- header_name,
- TRUE, 0, use_idx)) {
- return FALSE;
- }
- }
- }
-
- return TRUE;
- }
-
- struct rspamd_dkim_cached_hash {
- unsigned char *digest_normal;
- unsigned char *digest_cr;
- unsigned char *digest_crlf;
- char *type;
- };
-
- static struct rspamd_dkim_cached_hash *
- rspamd_dkim_check_bh_cached(struct rspamd_dkim_common_ctx *ctx,
- struct rspamd_task *task, gsize bhlen, gboolean is_sign)
- {
- char typebuf[64];
- struct rspamd_dkim_cached_hash *res;
-
- rspamd_snprintf(typebuf, sizeof(typebuf),
- RSPAMD_MEMPOOL_DKIM_BH_CACHE "%z_%s_%d_%z",
- bhlen,
- ctx->body_canon_type == DKIM_CANON_RELAXED ? "1" : "0",
- !!is_sign,
- ctx->len);
-
- res = rspamd_mempool_get_variable(task->task_pool,
- typebuf);
-
- if (!res) {
- res = rspamd_mempool_alloc0(task->task_pool, sizeof(*res));
- res->type = rspamd_mempool_strdup(task->task_pool, typebuf);
- rspamd_mempool_set_variable(task->task_pool,
- res->type, res, NULL);
- }
-
- return res;
- }
-
- static const char *
- rspamd_dkim_type_to_string(enum rspamd_dkim_type t)
- {
- switch (t) {
- case RSPAMD_DKIM_NORMAL:
- return "dkim";
- case RSPAMD_DKIM_ARC_SIG:
- return "arc_sig";
- case RSPAMD_DKIM_ARC_SEAL:
- default:
- return "arc_seal";
- }
- }
-
- /**
- * Check task for dkim context using dkim key
- * @param ctx dkim verify context
- * @param key dkim key (from cache or from dns request)
- * @param task task to check
- * @return
- */
- struct rspamd_dkim_check_result *
- rspamd_dkim_check(rspamd_dkim_context_t *ctx,
- rspamd_dkim_key_t *key,
- struct rspamd_task *task)
- {
- const char *body_end, *body_start;
- unsigned char raw_digest[EVP_MAX_MD_SIZE];
- struct rspamd_dkim_cached_hash *cached_bh = NULL;
- EVP_MD_CTX *cpy_ctx = NULL;
- gsize dlen = 0;
- struct rspamd_dkim_check_result *res;
- unsigned int i;
- struct rspamd_dkim_header *dh;
- int nid;
-
- g_return_val_if_fail(ctx != NULL, NULL);
- g_return_val_if_fail(key != NULL, NULL);
- g_return_val_if_fail(task->msg.len > 0, NULL);
-
- /* First of all find place of body */
- body_end = task->msg.begin + task->msg.len;
-
- body_start = MESSAGE_FIELD(task, raw_headers_content).body_start;
-
- res = rspamd_mempool_alloc0(task->task_pool, sizeof(*res));
- res->ctx = ctx;
- res->selector = ctx->selector;
- res->domain = ctx->domain;
- res->fail_reason = NULL;
- res->short_b = ctx->short_b;
- res->rcode = DKIM_CONTINUE;
-
- if (!body_start) {
- res->rcode = DKIM_ERROR;
- return res;
- }
-
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- dlen = EVP_MD_CTX_size(ctx->common.body_hash);
- cached_bh = rspamd_dkim_check_bh_cached(&ctx->common, task,
- dlen, FALSE);
-
- if (!cached_bh->digest_normal) {
- /* Start canonization of body part */
- if (!rspamd_dkim_canonize_body(&ctx->common, body_start, body_end,
- FALSE)) {
- res->rcode = DKIM_RECORD_ERROR;
- return res;
- }
- }
- }
-
- /* Now canonize headers */
- for (i = 0; i < ctx->common.hlist->len; i++) {
- dh = g_ptr_array_index(ctx->common.hlist, i);
- rspamd_dkim_canonize_header(&ctx->common, task, dh->name, dh->count,
- NULL, NULL);
- }
-
- /* Canonize dkim signature */
- switch (ctx->common.type) {
- case RSPAMD_DKIM_NORMAL:
- rspamd_dkim_canonize_header(&ctx->common, task, RSPAMD_DKIM_SIGNHEADER, 0,
- ctx->dkim_header, ctx->domain);
- break;
- case RSPAMD_DKIM_ARC_SIG:
- rspamd_dkim_canonize_header(&ctx->common, task, RSPAMD_DKIM_ARC_SIGNHEADER, 0,
- ctx->dkim_header, ctx->domain);
- break;
- case RSPAMD_DKIM_ARC_SEAL:
- rspamd_dkim_canonize_header(&ctx->common, task, RSPAMD_DKIM_ARC_SEALHEADER, 0,
- ctx->dkim_header, ctx->domain);
- break;
- }
-
-
- /* Use cached BH for all but arc seal, if it is not NULL we are not in arc seal mode */
- if (cached_bh != NULL) {
- if (!cached_bh->digest_normal) {
- /* Copy md_ctx to deal with broken CRLF at the end */
- cpy_ctx = EVP_MD_CTX_create();
- EVP_MD_CTX_copy(cpy_ctx, ctx->common.body_hash);
- EVP_DigestFinal_ex(cpy_ctx, raw_digest, NULL);
-
- cached_bh->digest_normal = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_normal, raw_digest, sizeof(raw_digest));
- }
-
- /* Check bh field */
- if (memcmp(ctx->bh, cached_bh->digest_normal, ctx->bhlen) != 0) {
- msg_debug_dkim(
- "bh value mismatch: %*xs versus %*xs, try add LF; try adding CRLF",
- (int) dlen, ctx->bh,
- (int) dlen, raw_digest);
-
- if (cpy_ctx) {
- /* Try add CRLF */
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup(cpy_ctx);
- #else
- EVP_MD_CTX_reset(cpy_ctx);
- #endif
- EVP_MD_CTX_copy(cpy_ctx, ctx->common.body_hash);
- EVP_DigestUpdate(cpy_ctx, "\r\n", 2);
- EVP_DigestFinal_ex(cpy_ctx, raw_digest, NULL);
- cached_bh->digest_crlf = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_crlf, raw_digest, sizeof(raw_digest));
-
- if (memcmp(ctx->bh, raw_digest, ctx->bhlen) != 0) {
- msg_debug_dkim(
- "bh value mismatch after added CRLF: %*xs versus %*xs, try add LF",
- (int) dlen, ctx->bh,
- (int) dlen, raw_digest);
-
- /* Try add LF */
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup(cpy_ctx);
- #else
- EVP_MD_CTX_reset(cpy_ctx);
- #endif
- EVP_MD_CTX_copy(cpy_ctx, ctx->common.body_hash);
- EVP_DigestUpdate(cpy_ctx, "\n", 1);
- EVP_DigestFinal_ex(cpy_ctx, raw_digest, NULL);
- cached_bh->digest_cr = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_cr, raw_digest, sizeof(raw_digest));
-
- if (memcmp(ctx->bh, raw_digest, ctx->bhlen) != 0) {
- msg_debug_dkim("bh value mismatch after added LF: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, raw_digest);
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
- }
- else if (cached_bh->digest_crlf) {
- if (memcmp(ctx->bh, cached_bh->digest_crlf, ctx->bhlen) != 0) {
- msg_debug_dkim("bh value mismatch after added CRLF: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, cached_bh->digest_crlf);
-
- if (cached_bh->digest_cr) {
- if (memcmp(ctx->bh, cached_bh->digest_cr, ctx->bhlen) != 0) {
- msg_debug_dkim(
- "bh value mismatch after added LF: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, cached_bh->digest_cr);
-
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
- else {
-
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
- }
- else {
- msg_debug_dkim(
- "bh value mismatch: %*xs versus %*xs",
- (int) dlen, ctx->bh,
- (int) dlen, cached_bh->digest_normal);
- res->fail_reason = "body hash did not verify";
- res->rcode = DKIM_REJECT;
- }
- }
-
- if (cpy_ctx) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup(cpy_ctx);
- #else
- EVP_MD_CTX_reset(cpy_ctx);
- #endif
- EVP_MD_CTX_destroy(cpy_ctx);
- }
-
- if (res->rcode == DKIM_REJECT) {
- msg_info_dkim(
- "%s: bh value mismatch: got %*Bs, expected %*Bs; "
- "body length %d->%d; d=%s; s=%s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) dlen, cached_bh->digest_normal,
- (int) dlen, ctx->bh,
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->domain, ctx->selector);
-
- return res;
- }
- }
-
- dlen = EVP_MD_CTX_size(ctx->common.headers_hash);
- EVP_DigestFinal_ex(ctx->common.headers_hash, raw_digest, NULL);
- /* Check headers signature */
-
- if (ctx->sig_alg == DKIM_SIGN_RSASHA1) {
- nid = NID_sha1;
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA256 ||
- ctx->sig_alg == DKIM_SIGN_EDDSASHA256) {
- nid = NID_sha256;
- }
- else if (ctx->sig_alg == DKIM_SIGN_RSASHA512 ||
- ctx->sig_alg == DKIM_SIGN_ECDSASHA512) {
- nid = NID_sha512;
- }
- else {
- /* Not reached */
- nid = NID_sha1;
- }
-
- switch (key->type) {
- case RSPAMD_DKIM_KEY_RSA:
- if (RSA_verify(nid, raw_digest, dlen, ctx->b, ctx->blen,
- key->key.key_rsa) != 1) {
- msg_debug_dkim("headers rsa verify failed");
- ERR_clear_error();
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers rsa verify failed";
-
- msg_info_dkim(
- "%s: headers RSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
- }
- break;
- case RSPAMD_DKIM_KEY_ECDSA:
- if (ECDSA_verify(nid, raw_digest, dlen, ctx->b, ctx->blen,
- key->key.key_ecdsa) != 1) {
- msg_info_dkim(
- "%s: headers ECDSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
- msg_debug_dkim("headers ecdsa verify failed");
- ERR_clear_error();
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers ecdsa verify failed";
- }
- break;
- case RSPAMD_DKIM_KEY_EDDSA:
- if (!rspamd_cryptobox_verify(ctx->b, ctx->blen, raw_digest, dlen,
- key->key.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519)) {
- msg_info_dkim(
- "%s: headers EDDSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
- msg_debug_dkim("headers eddsa verify failed");
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers eddsa verify failed";
- }
- break;
- }
-
-
- if (ctx->common.type == RSPAMD_DKIM_ARC_SEAL && res->rcode == DKIM_CONTINUE) {
- switch (ctx->cv) {
- case RSPAMD_ARC_INVALID:
- msg_info_dkim("arc seal is invalid i=%d", ctx->common.idx);
- res->rcode = DKIM_PERM_ERROR;
- res->fail_reason = "arc seal is invalid";
- break;
- case RSPAMD_ARC_FAIL:
- msg_info_dkim("arc seal failed i=%d", ctx->common.idx);
- res->rcode = DKIM_REJECT;
- res->fail_reason = "arc seal failed";
- break;
- default:
- break;
- }
- }
-
- return res;
- }
-
- struct rspamd_dkim_check_result *
- rspamd_dkim_create_result(rspamd_dkim_context_t *ctx,
- enum rspamd_dkim_check_rcode rcode,
- struct rspamd_task *task)
- {
- struct rspamd_dkim_check_result *res;
-
- res = rspamd_mempool_alloc0(task->task_pool, sizeof(*res));
- res->ctx = ctx;
- res->selector = ctx->selector;
- res->domain = ctx->domain;
- res->fail_reason = NULL;
- res->short_b = ctx->short_b;
- res->rcode = rcode;
-
- return res;
- }
-
- rspamd_dkim_key_t *
- rspamd_dkim_key_ref(rspamd_dkim_key_t *k)
- {
- REF_RETAIN(k);
-
- return k;
- }
-
- void rspamd_dkim_key_unref(rspamd_dkim_key_t *k)
- {
- REF_RELEASE(k);
- }
-
- rspamd_dkim_sign_key_t *
- rspamd_dkim_sign_key_ref(rspamd_dkim_sign_key_t *k)
- {
- REF_RETAIN(k);
-
- return k;
- }
-
- void rspamd_dkim_sign_key_unref(rspamd_dkim_sign_key_t *k)
- {
- REF_RELEASE(k);
- }
-
- const char *
- rspamd_dkim_get_domain(rspamd_dkim_context_t *ctx)
- {
- if (ctx) {
- return ctx->domain;
- }
-
- return NULL;
- }
-
- const char *
- rspamd_dkim_get_selector(rspamd_dkim_context_t *ctx)
- {
- if (ctx) {
- return ctx->selector;
- }
-
- return NULL;
- }
-
- unsigned int rspamd_dkim_key_get_ttl(rspamd_dkim_key_t *k)
- {
- if (k) {
- return k->ttl;
- }
-
- return 0;
- }
-
- const char *
- rspamd_dkim_get_dns_key(rspamd_dkim_context_t *ctx)
- {
- if (ctx) {
- return ctx->dns_key;
- }
-
- return NULL;
- }
-
- #define PEM_SIG "-----BEGIN"
-
- rspamd_dkim_sign_key_t *
- rspamd_dkim_sign_key_load(const char *key, gsize len,
- enum rspamd_dkim_key_format type,
- GError **err)
- {
- unsigned char *map = NULL, *tmp = NULL;
- gsize maplen;
- rspamd_dkim_sign_key_t *nkey;
- time_t mtime = time(NULL);
-
- if (type < 0 || type > RSPAMD_DKIM_KEY_UNKNOWN || len == 0 || key == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "invalid key type to load: %d", type);
- return NULL;
- }
-
- nkey = g_malloc0(sizeof(*nkey));
- nkey->mtime = mtime;
-
- msg_debug_dkim_taskless("got public key with length %z and type %d",
- len, type);
-
- /* Load key file if needed */
- if (type == RSPAMD_DKIM_KEY_FILE) {
- struct stat st;
-
- if (stat(key, &st) != 0) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot stat key file: '%s' %s", key, strerror(errno));
- g_free(nkey);
-
- return NULL;
- }
-
- nkey->mtime = st.st_mtime;
- map = rspamd_file_xmap(key, PROT_READ, &maplen, TRUE);
-
- if (map == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot map key file: '%s' %s", key, strerror(errno));
- g_free(nkey);
-
- return NULL;
- }
-
- key = map;
- len = maplen;
-
- if (maplen > sizeof(PEM_SIG) &&
- strncmp(map, PEM_SIG, sizeof(PEM_SIG) - 1) == 0) {
- type = RSPAMD_DKIM_KEY_PEM;
- }
- else if (rspamd_cryptobox_base64_is_valid(map, maplen)) {
- type = RSPAMD_DKIM_KEY_BASE64;
- }
- else {
- type = RSPAMD_DKIM_KEY_RAW;
- }
- }
-
- if (type == RSPAMD_DKIM_KEY_UNKNOWN) {
- if (len > sizeof(PEM_SIG) &&
- memcmp(key, PEM_SIG, sizeof(PEM_SIG) - 1) == 0) {
- type = RSPAMD_DKIM_KEY_PEM;
- }
- else {
- type = RSPAMD_DKIM_KEY_RAW;
- }
- }
-
- if (type == RSPAMD_DKIM_KEY_BASE64) {
- type = RSPAMD_DKIM_KEY_RAW;
- tmp = g_malloc(len);
- rspamd_cryptobox_base64_decode(key, len, tmp, &len);
- key = tmp;
- }
-
- if (type == RSPAMD_DKIM_KEY_RAW && (len == 32 ||
- len == rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519))) {
- if (len == 32) {
- /* Seeded key, need scalarmult */
- unsigned char pk[32];
- nkey->type = RSPAMD_DKIM_KEY_EDDSA;
- nkey->key.key_eddsa = g_malloc(
- rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
- crypto_sign_ed25519_seed_keypair(pk, nkey->key.key_eddsa, key);
- nkey->keylen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
- }
- else {
- /* Full ed25519 key */
- unsigned klen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
- nkey->type = RSPAMD_DKIM_KEY_EDDSA;
- nkey->key.key_eddsa = g_malloc(klen);
- memcpy(nkey->key.key_eddsa, key, klen);
- nkey->keylen = klen;
- }
- }
- else {
- nkey->key_bio = BIO_new_mem_buf(key, len);
-
- if (type == RSPAMD_DKIM_KEY_RAW) {
- if (d2i_PrivateKey_bio(nkey->key_bio, &nkey->key_evp) == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot parse raw private key: %s",
- ERR_error_string(ERR_get_error(), NULL));
-
- rspamd_dkim_sign_key_free(nkey);
- nkey = NULL;
-
- goto end;
- }
- }
- else {
- if (!PEM_read_bio_PrivateKey(nkey->key_bio, &nkey->key_evp, NULL, NULL)) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "cannot parse pem private key: %s",
- ERR_error_string(ERR_get_error(), NULL));
- rspamd_dkim_sign_key_free(nkey);
- nkey = NULL;
-
- goto end;
- }
- }
- nkey->key.key_rsa = EVP_PKEY_get1_RSA(nkey->key_evp);
- if (nkey->key.key_rsa == NULL) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract rsa key from evp key");
- rspamd_dkim_sign_key_free(nkey);
- nkey = NULL;
-
- goto end;
- }
- nkey->type = RSPAMD_DKIM_KEY_RSA;
- }
-
- REF_INIT_RETAIN(nkey, rspamd_dkim_sign_key_free);
-
- end:
-
- if (map != NULL) {
- munmap(map, maplen);
- }
-
- if (tmp != NULL) {
- rspamd_explicit_memzero(tmp, len);
- g_free(tmp);
- }
-
- return nkey;
- }
-
- #undef PEM_SIG
-
- gboolean
- rspamd_dkim_sign_key_maybe_invalidate(rspamd_dkim_sign_key_t *key, time_t mtime)
- {
- if (mtime > key->mtime) {
- return TRUE;
- }
- return FALSE;
- }
-
- rspamd_dkim_sign_context_t *
- rspamd_create_dkim_sign_context(struct rspamd_task *task,
- rspamd_dkim_sign_key_t *priv_key,
- int headers_canon,
- int body_canon,
- const char *headers,
- enum rspamd_dkim_type type,
- GError **err)
- {
- rspamd_dkim_sign_context_t *nctx;
-
- if (headers_canon != DKIM_CANON_SIMPLE && headers_canon != DKIM_CANON_RELAXED) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_HC,
- "bad headers canonicalisation");
-
- return NULL;
- }
- if (body_canon != DKIM_CANON_SIMPLE && body_canon != DKIM_CANON_RELAXED) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_INVALID_BC,
- "bad body canonicalisation");
-
- return NULL;
- }
-
- if (!priv_key || (!priv_key->key.key_rsa && !priv_key->key.key_eddsa)) {
- g_set_error(err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "bad key to sign");
-
- return NULL;
- }
-
- nctx = rspamd_mempool_alloc0(task->task_pool, sizeof(*nctx));
- nctx->common.pool = task->task_pool;
- nctx->common.header_canon_type = headers_canon;
- nctx->common.body_canon_type = body_canon;
- nctx->common.type = type;
- nctx->common.is_sign = TRUE;
-
- if (type != RSPAMD_DKIM_ARC_SEAL) {
- if (!rspamd_dkim_parse_hdrlist_common(&nctx->common, headers,
- strlen(headers), TRUE,
- err)) {
- return NULL;
- }
- }
- else {
- rspamd_dkim_add_arc_seal_headers(task->task_pool, &nctx->common);
- }
-
- nctx->key = rspamd_dkim_sign_key_ref(priv_key);
-
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) rspamd_dkim_sign_key_unref, priv_key);
-
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- nctx->common.body_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(nctx->common.body_hash, EVP_sha256(), NULL);
- nctx->common.headers_hash = EVP_MD_CTX_create();
- EVP_DigestInit_ex(nctx->common.headers_hash, EVP_sha256(), NULL);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, nctx->common.body_hash);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_destroy, nctx->common.headers_hash);
- #else
- nctx->common.body_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(nctx->common.body_hash, EVP_sha256(), NULL);
- nctx->common.headers_hash = EVP_MD_CTX_new();
- EVP_DigestInit_ex(nctx->common.headers_hash, EVP_sha256(), NULL);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, nctx->common.body_hash);
- rspamd_mempool_add_destructor(task->task_pool,
- (rspamd_mempool_destruct_t) EVP_MD_CTX_free, nctx->common.headers_hash);
- #endif
-
- return nctx;
- }
-
-
- GString *
- rspamd_dkim_sign(struct rspamd_task *task, const char *selector,
- const char *domain, time_t expire, gsize len, unsigned int idx,
- const char *arc_cv, rspamd_dkim_sign_context_t *ctx)
- {
- GString *hdr;
- struct rspamd_dkim_header *dh;
- const char *body_end, *body_start, *hname;
- unsigned char raw_digest[EVP_MAX_MD_SIZE];
- struct rspamd_dkim_cached_hash *cached_bh = NULL;
- gsize dlen = 0;
- unsigned int i, j;
- char *b64_data;
- unsigned char *sig_buf;
- unsigned int sig_len;
- unsigned int headers_len = 0, cur_len = 0;
- union rspamd_dkim_header_stat hstat;
-
- g_assert(ctx != NULL);
-
- /* First of all find place of body */
- body_end = task->msg.begin + task->msg.len;
- body_start = MESSAGE_FIELD(task, raw_headers_content).body_start;
-
- if (len > 0) {
- ctx->common.len = len;
- }
-
- if (!body_start) {
- return NULL;
- }
-
- /* Start canonization of body part */
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- dlen = EVP_MD_CTX_size(ctx->common.body_hash);
- cached_bh = rspamd_dkim_check_bh_cached(&ctx->common, task,
- dlen, TRUE);
-
- if (!cached_bh->digest_normal) {
- /* Start canonization of body part */
- if (!rspamd_dkim_canonize_body(&ctx->common, body_start, body_end,
- TRUE)) {
- return NULL;
- }
- }
- }
-
- hdr = g_string_sized_new(255);
-
- if (ctx->common.type == RSPAMD_DKIM_NORMAL) {
- rspamd_printf_gstring(hdr, "v=1; a=%s; c=%s/%s; d=%s; s=%s; ",
- ctx->key->type == RSPAMD_DKIM_KEY_RSA ? "rsa-sha256" : "ed25519-sha256",
- ctx->common.header_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- ctx->common.body_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- domain, selector);
- }
- else if (ctx->common.type == RSPAMD_DKIM_ARC_SIG) {
- rspamd_printf_gstring(hdr, "i=%d; a=%s; c=%s/%s; d=%s; s=%s; ",
- idx,
- ctx->key->type == RSPAMD_DKIM_KEY_RSA ? "rsa-sha256" : "ed25519-sha256",
- ctx->common.header_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- ctx->common.body_canon_type == DKIM_CANON_RELAXED ? "relaxed" : "simple",
- domain, selector);
- }
- else {
- g_assert(arc_cv != NULL);
- rspamd_printf_gstring(hdr, "i=%d; a=%s; d=%s; s=%s; cv=%s; ",
- idx,
- ctx->key->type == RSPAMD_DKIM_KEY_RSA ? "rsa-sha256" : "ed25519-sha256",
- domain,
- selector,
- arc_cv);
- }
-
- if (expire > 0) {
- rspamd_printf_gstring(hdr, "x=%t; ", expire);
- }
-
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- if (len > 0) {
- rspamd_printf_gstring(hdr, "l=%z; ", len);
- }
- }
-
- rspamd_printf_gstring(hdr, "t=%t; h=", time(NULL));
-
- /* Now canonize headers */
- for (i = 0; i < ctx->common.hlist->len; i++) {
- struct rspamd_mime_header *rh, *cur;
-
- dh = g_ptr_array_index(ctx->common.hlist, i);
-
- /* We allow oversigning if dh->count > number of headers with this name */
- hstat.n = GPOINTER_TO_UINT(g_hash_table_lookup(ctx->common.htable, dh->name));
-
- if (hstat.s.flags & RSPAMD_DKIM_FLAG_OVERSIGN) {
- /* Do oversigning */
- unsigned int count = 0;
-
- rh = rspamd_message_get_header_array(task, dh->name, FALSE);
-
- if (rh) {
- DL_FOREACH(rh, cur)
- {
- /* Sign all existing headers */
- rspamd_dkim_canonize_header(&ctx->common, task, dh->name,
- count,
- NULL, NULL);
- count++;
- }
- }
-
- /* Now add one more entry to oversign */
- if (count > 0 || !(hstat.s.flags & RSPAMD_DKIM_FLAG_OVERSIGN_EXISTING)) {
- cur_len = (strlen(dh->name) + 1) * (count + 1);
- headers_len += cur_len;
-
- if (headers_len > 70 && i > 0 && i < ctx->common.hlist->len - 1) {
- rspamd_printf_gstring(hdr, " ");
- headers_len = cur_len;
- }
-
- for (j = 0; j < count + 1; j++) {
- rspamd_printf_gstring(hdr, "%s:", dh->name);
- }
- }
- }
- else {
- rh = rspamd_message_get_header_array(task, dh->name, FALSE);
-
- if (rh) {
- if (hstat.s.count > 0) {
-
- cur_len = (strlen(dh->name) + 1) * (hstat.s.count);
- headers_len += cur_len;
- if (headers_len > 70 && i > 0 && i < ctx->common.hlist->len - 1) {
- rspamd_printf_gstring(hdr, " ");
- headers_len = cur_len;
- }
-
- for (j = 0; j < hstat.s.count; j++) {
- rspamd_printf_gstring(hdr, "%s:", dh->name);
- }
- }
-
-
- rspamd_dkim_canonize_header(&ctx->common, task,
- dh->name, dh->count,
- NULL, NULL);
- }
- }
-
- g_hash_table_remove(ctx->common.htable, dh->name);
- }
-
- /* Replace the last ':' with ';' */
- hdr->str[hdr->len - 1] = ';';
-
- if (ctx->common.type != RSPAMD_DKIM_ARC_SEAL) {
- if (!cached_bh->digest_normal) {
- EVP_DigestFinal_ex(ctx->common.body_hash, raw_digest, NULL);
- cached_bh->digest_normal = rspamd_mempool_alloc(task->task_pool,
- sizeof(raw_digest));
- memcpy(cached_bh->digest_normal, raw_digest, sizeof(raw_digest));
- }
-
-
- b64_data = rspamd_encode_base64(cached_bh->digest_normal, dlen, 0, NULL);
- rspamd_printf_gstring(hdr, " bh=%s; b=", b64_data);
- g_free(b64_data);
- }
- else {
- rspamd_printf_gstring(hdr, " b=");
- }
-
- switch (ctx->common.type) {
- case RSPAMD_DKIM_NORMAL:
- default:
- hname = RSPAMD_DKIM_SIGNHEADER;
- break;
- case RSPAMD_DKIM_ARC_SIG:
- hname = RSPAMD_DKIM_ARC_SIGNHEADER;
- break;
- case RSPAMD_DKIM_ARC_SEAL:
- hname = RSPAMD_DKIM_ARC_SEALHEADER;
- break;
- }
-
- if (ctx->common.header_canon_type == DKIM_CANON_RELAXED) {
- if (!rspamd_dkim_canonize_header_relaxed(&ctx->common,
- hdr->str,
- hname,
- TRUE,
- 0,
- ctx->common.type == RSPAMD_DKIM_ARC_SEAL)) {
-
- g_string_free(hdr, TRUE);
- return NULL;
- }
- }
- else {
- /* Will likely have issues with folding */
- rspamd_dkim_hash_update(ctx->common.headers_hash, hdr->str,
- hdr->len);
- ctx->common.headers_canonicalised += hdr->len;
- msg_debug_task("update signature with header: %*s",
- (int) hdr->len, hdr->str);
- }
-
- dlen = EVP_MD_CTX_size(ctx->common.headers_hash);
- EVP_DigestFinal_ex(ctx->common.headers_hash, raw_digest, NULL);
- if (ctx->key->type == RSPAMD_DKIM_KEY_RSA) {
- sig_len = RSA_size(ctx->key->key.key_rsa);
- sig_buf = g_alloca(sig_len);
-
- if (RSA_sign(NID_sha256, raw_digest, dlen, sig_buf, &sig_len,
- ctx->key->key.key_rsa) != 1) {
- g_string_free(hdr, TRUE);
- msg_err_task("rsa sign error: %s",
- ERR_error_string(ERR_get_error(), NULL));
-
- return NULL;
- }
- }
- else if (ctx->key->type == RSPAMD_DKIM_KEY_EDDSA) {
- sig_len = rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
- sig_buf = g_alloca(sig_len);
-
- rspamd_cryptobox_sign(sig_buf, NULL, raw_digest, dlen,
- ctx->key->key.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519);
- }
- else {
- g_string_free(hdr, TRUE);
- msg_err_task("unsupported key type for signing");
-
- return NULL;
- }
-
- if (task->protocol_flags & RSPAMD_TASK_PROTOCOL_FLAG_MILTER) {
- b64_data = rspamd_encode_base64_fold(sig_buf, sig_len, 70, NULL,
- RSPAMD_TASK_NEWLINES_LF);
- }
- else {
- b64_data = rspamd_encode_base64_fold(sig_buf, sig_len, 70, NULL,
- MESSAGE_FIELD(task, nlines_type));
- }
-
- rspamd_printf_gstring(hdr, "%s", b64_data);
- g_free(b64_data);
-
- return hdr;
- }
-
- gboolean
- rspamd_dkim_match_keys(rspamd_dkim_key_t *pk,
- rspamd_dkim_sign_key_t *sk,
- GError **err)
- {
- if (pk == NULL || sk == NULL) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "missing public or private key");
- return FALSE;
- }
- if (pk->type != sk->type) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYFAIL,
- "public and private key types do not match");
- return FALSE;
- }
-
- if (pk->type == RSPAMD_DKIM_KEY_EDDSA) {
- if (memcmp(sk->key.key_eddsa + 32, pk->key.key_eddsa, 32) != 0) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYHASHMISMATCH,
- "pubkey does not match private key");
- return FALSE;
- }
- }
- else if (EVP_PKEY_cmp(pk->key_evp, sk->key_evp) != 1) {
- g_set_error(err, dkim_error_quark(), DKIM_SIGERROR_KEYHASHMISMATCH,
- "pubkey does not match private key");
- return FALSE;
- }
-
- return TRUE;
- }
|