authorVsevolod Stakhov <vsevolod@highsecure.ru>2017-10-02 20:49:25 +0100
committerAndrew Lewis <nerf@judo.za.org>2017-10-18 00:26:15 +0200
commit9e9697ecc562a22ff6b5cb82af9d43852cbe5108 (patch)
tree5ac8a335e6225fd6579da7d0a59600802234c675
parent9f10976fcacba74e7787a00ab4d82ddae6df1cab (diff)
[Fix] Fix DKIM forgeries via multiple headers
MFH: rspamd-1.6 URL: http://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
-rw-r--r--src/libserver/dkim.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 72cc7232f..2b5357145 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -1938,6 +1938,22 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
ar = g_hash_table_lookup (task->raw_headers, header_name);
if (ar) {
+ /* Check uniqueness of the header */
+ rh = g_ptr_array_index (ar, 0);
+ if ((rh->type & RSPAMD_HEADER_UNIQUE) && ar->len > 1) {
+ guint64 random_cookie = ottery_rand_uint64 ();
+
+ msg_warn_dkim ("header %s is intended to be unique by"
+ " email standards, but we have %d headers of this"
+ " type, artificially break DKIM check", header_name,
+ ar->len);
+ rspamd_dkim_hash_update (ctx->headers_hash,
+ (const gchar *)&random_cookie,
+ sizeof (random_cookie));
+
+ return FALSE;
+ }
+
if (ar->len > count) {
/* Set skip count */
rh_num = ar->len - count - 1;