authorVsevolod Stakhov <vsevolod@highsecure.ru>2017-10-02 20:49:25 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2017-10-02 20:49:25 +0100
commit56ef361fe2a1a3b8d12f4cc2ef404c29b39b7c48 (patch)
tree13afa5b4274f5c51162ec1653b7944a617e30d2c
parentc9b0a2a75706bf5ef82aa0318419b3655af56513 (diff)
[Fix] Fix DKIM forgeries via multiple headers
MFH: rspamd-1.6 URL: http://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
-rw-r--r--src/libserver/dkim.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 29cb30fb9..2a2e7a7a7 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -2062,6 +2062,22 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
ar = g_hash_table_lookup (task->raw_headers, header_name);
if (ar) {
+ /* Check uniqueness of the header */
+ rh = g_ptr_array_index (ar, 0);
+ if ((rh->type & RSPAMD_HEADER_UNIQUE) && ar->len > 1) {
+ guint64 random_cookie = ottery_rand_uint64 ();
+
+ msg_warn_dkim ("header %s is intended to be unique by"
+ " email standards, but we have %d headers of this"
+ " type, artificially break DKIM check", header_name,
+ ar->len);
+ rspamd_dkim_hash_update (ctx->headers_hash,
+ (const gchar *)&random_cookie,
+ sizeof (random_cookie));
+
+ return FALSE;
+ }
+
if (ar->len > count) {
/* Set skip count */
rh_num = ar->len - count - 1;
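Review bot: The new `if ((rh->type & RSPAMD_HEADER_UNIQUE) && ar->len > 1)` branch fails the check by mixing `random_cookie` into `ctx->headers_hash`, so the result will presumably look like an ordinary signature mismatch and only the `msg_warn_dkim` line tells a duplicated-header forgery attempt apart from a damaged signature. The one-line comment should give the reason, for example `/* A signed header that must be unique occurs more than once: the signature covers one instance while a mail client may display another, so force the check to fail */`. Since `ctx` is a `struct rspamd_dkim_common_ctx`, this path may also run when signing, in which case outgoing mail with a duplicated unique header would get a deliberately invalid signature; that is worth confirming and documenting. `ar->len` is a `guint` but is printed with `%d`; if `msg_warn_dkim` uses the project's own formatter this should probably be `%ud`. How callers treat the `FALSE` return is not visible here, and rspamd_dkim_canonize_header starts and ends outside the hunk.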