projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ARC: support $arc_domains also for verify fails
[exim.git] / src / src / arc.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4 /* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018
6 License: GPL
7 */
8
9 #include "exim.h"
10 #ifdef EXPERIMENTAL_ARC
11 # if !defined SUPPORT_SPF
12 # error SPF must also be enabled for ARC
13 # elif defined DISABLE_DKIM
14 # error DKIM must also be enabled for ARC
15 # else
16
17 # include "functions.h"
18 # include "pdkim/pdkim.h"
19 # include "pdkim/signing.h"
20
21 extern pdkim_ctx * dkim_verify_ctx;
22 extern pdkim_ctx dkim_sign_ctx;
23
24 #define ARC_SIGN_OPT_TSTAMP BIT(0)
25 #define ARC_SIGN_OPT_EXPIRE BIT(1)
26
27 #define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
28
29 /******************************************************************************/
30
31 typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
33 BOOL used;
34 header_line * h;
35 } hdr_rlist;
36
37 typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
39 uschar * relaxed;
40
41 /* identified tag contents */
42 /*XXX t= for AS? */
43 blob i;
44 blob cv;
45 blob a;
46 blob b;
47 blob bh;
48 blob d;
49 blob h;
50 blob s;
51 blob c;
52 blob l;
53
54 /* tag content sub-portions */
55 blob a_algo;
56 blob a_hash;
57
58 blob c_head;
59 blob c_body;
60
61 /* modified copy of b= field in line */
62 blob rawsig_no_b_val;
63 } arc_line;
64
65 typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
68
69 unsigned instance;
70 arc_line * hdr_aar;
71 arc_line * hdr_ams;
72 arc_line * hdr_as;
73
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
76 } arc_set;
77
78 typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
81 } arc_ctx;
82
83 #define ARC_HDR_AAR US"ARC-Authentication-Results:"
84 #define ARC_HDRLEN_AAR 27
85 #define ARC_HDR_AMS US"ARC-Message-Signature:"
86 #define ARC_HDRLEN_AMS 22
87 #define ARC_HDR_AS US"ARC-Seal:"
88 #define ARC_HDRLEN_AS 9
89 #define HDR_AR US"Authentication-Results:"
90 #define HDRLEN_AR 23
91
92 static time_t now;
93 static time_t expire;
94 static hdr_rlist * headers_rlist;
95 static arc_ctx arc_sign_ctx = { NULL };
96 static arc_ctx arc_verify_ctx = { NULL };
97
98
99 /******************************************************************************/
100
101
102 /* Get the instance number from the header.
103 Return 0 on error */
104 static unsigned
105 arc_instance_from_hdr(const arc_line * al)
106 {
107 const uschar * s = al->i.data;
108 if (!s || !al->i.len) return 0;
109 return (unsigned) atoi(CCS s);
110 }
111
112
113 static uschar *
114 skip_fws(uschar * s)
115 {
116 uschar c = *s;
117 while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
118 return s;
119 }
120
121
122 /* Locate instance struct on chain, inserting a new one if
123 needed. The chain is in increasing-instance-number order
124 by the "next" link, and we have a "prev" link also.
125 */
126
127 static arc_set *
128 arc_find_set(arc_ctx * ctx, unsigned i)
129 {
130 arc_set ** pas, * as, * next, * prev;
131
132 for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
134 {
135 if (as->instance > i) break;
136 if (as->instance == i)
137 {
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
139 return as;
140 }
141 next = as->next;
142 prev = as;
143 }
144
145 DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146 *pas = as = store_get(sizeof(arc_set));
147 memset(as, 0, sizeof(arc_set));
148 as->next = next;
149 as->prev = prev;
150 as->instance = i;
151 if (next)
152 next->prev = as;
153 else
154 ctx->arcset_chain_last = as;
155 return as;
156 }
157
158
159
160 /* Insert a tag content into the line structure.
161 Note this is a reference to existing data, not a copy.
162 Check for already-seen tag.
163 The string-pointer is on the '=' for entry. Update it past the
164 content (to the ;) on return;
165 */
166
167 static uschar *
168 arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
169 {
170 uschar * s = *ss;
171 uschar c = *++s;
172 blob * b = (blob *)(US al + loff);
173 size_t len = 0;
174
175 /* [FWS] tag-value [FWS] */
176
177 if (b->data) return US"fail";
178 s = skip_fws(s); /* FWS */
179
180 b->data = s;
181 while ((c = *s) && c != ';') { len++; s++; }
182 *ss = s;
183 while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
185 b->len = len;
186 return NULL;
187 }
188
189
190 /* Inspect a header line, noting known tag fields.
191 Check for duplicates. */
192
193 static uschar *
194 arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
195 {
196 uschar * s = h->text + off;
197 uschar * r = NULL; /* compiler-quietening */
198 uschar c;
199
200 al->complete = h;
201
202 if (!instance_only)
203 {
204 al->rawsig_no_b_val.data = store_get(h->slen + 1);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
208 }
209
210 /* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
211
212 while ((c = *s))
213 {
214 char tagchar;
215 uschar * t;
216 unsigned i = 0;
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
219
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
221
222 s = skip_fws(s); /* FWS */
223 if (!*s) break;
224 /* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
225 tagchar = *s++;
226 s = skip_fws(s); /* FWS */
227 if (!*s) break;
228
229 if (!instance_only || tagchar == 'i') switch (tagchar)
230 {
231 case 'a': /* a= AMS algorithm */
232 {
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
235
236 /* substructure: algo-hash (eg. rsa-sha256) */
237
238 t = al->a_algo.data = al->a.data;
239 while (*t != '-')
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
241 al->a_algo.len = i;
242 if (*t++ != '-') return US"no '-' in 'a' value";
243 al->a_hash.data = t;
244 al->a_hash.len = al->a.len - i - 1;
245 }
246 break;
247 case 'b':
248 {
249 gstring * g = NULL;
250
251 switch (*s)
252 {
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
255 bstart = s+1;
256
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
259
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 al->b.data = string_from_gstring(g);
264 al->b.len = g->ptr;
265 gstring_reset_unused(g);
266 bend = s;
267 break;
268 case 'h': /* bh= AMS body hash */
269 s = skip_fws(++s); /* FWS */
270 if (*s != '=') return US"no bh value";
271 if (al->bh.data) return US"already bh data";
272
273 /* The bodyhash can have FWS inserted in the content;
274 make a stripped copy */
275
276 while ((c = *++s) && c != ';')
277 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
278 g = string_catn(g, s, 1);
279 al->bh.data = string_from_gstring(g);
280 al->bh.len = g->ptr;
281 gstring_reset_unused(g);
282 break;
283 default:
284 return US"b? tag";
285 }
286 }
287 break;
288 case 'c':
289 switch (*s)
290 {
291 case '=': /* c= AMS canonicalisation */
292 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
293
294 /* substructure: head/body (eg. relaxed/simple)) */
295
296 t = al->c_head.data = al->c.data;
297 while (isalpha(*t))
298 if (!*t++ || ++i > al->a.len) break;
299 al->c_head.len = i;
300 if (*t++ == '/') /* /body is optional */
301 {
302 al->c_body.data = t;
303 al->c_body.len = al->c.len - i - 1;
304 }
305 else
306 {
307 al->c_body.data = US"simple";
308 al->c_body.len = 6;
309 }
310 break;
311 case 'v': /* cv= AS validity */
312 if (*++s != '=') return US"cv tag val";
313 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
314 break;
315 default:
316 return US"c? tag";
317 }
318 break;
319 case 'd': /* d= AMS domain */
320 if (*s != '=') return US"d tag val";
321 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
322 break;
323 case 'h': /* h= AMS headers */
324 if (*s != '=') return US"h tag val";
325 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
326 break;
327 case 'i': /* i= ARC set instance */
328 if (*s != '=') return US"i tag val";
329 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
330 if (instance_only) goto done;
331 break;
332 case 'l': /* l= bodylength */
333 if (*s != '=') return US"l tag val";
334 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
335 break;
336 case 's': /* s= AMS selector */
337 if (*s != '=') return US"s tag val";
338 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
339 break;
340 }
341
342 while ((c = *s) && c != ';') s++;
343 if (c) s++; /* ; after tag-spec */
344
345 /* for all but the b= tag, copy the field including FWS. For the b=,
346 drop the tag content. */
347
348 if (!instance_only)
349 if (bstart)
350 {
351 size_t n = bstart - fieldstart;
352 memcpy(r, fieldstart, n); /* FWS "b=" */
353 r += n;
354 al->rawsig_no_b_val.len += n;
355 n = s - bend;
356 memcpy(r, bend, n); /* FWS ";" */
357 r += n;
358 al->rawsig_no_b_val.len += n;
359 }
360 else
361 {
362 size_t n = s - fieldstart;
363 memcpy(r, fieldstart, n);
364 r += n;
365 al->rawsig_no_b_val.len += n;
366 }
367 }
368
369 if (!instance_only)
370 *r = '\0';
371
372 done:
373 /* debug_printf("%s: finshed\n", __FUNCTION__); */
374 return NULL;
375 }
376
377
378 /* Insert one header line in the correct set of the chain,
379 adding instances as needed and checking for duplicate lines.
380 */
381
382 static uschar *
383 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
384 BOOL instance_only)
385 {
386 unsigned i;
387 arc_set * as;
388 arc_line * al = store_get(sizeof(arc_line)), ** alp;
389 uschar * e;
390
391 memset(al, 0, sizeof(arc_line));
392
393 if ((e = arc_parse_line(al, h, off, instance_only)))
394 {
395 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
396 return US"line parse";
397 }
398 if (!(i = arc_instance_from_hdr(al))) return US"instance find";
399 if (i > 50) return US"overlarge instance number";
400 if (!(as = arc_find_set(ctx, i))) return US"set find";
401 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
402
403 *alp = al;
404 return NULL;
405 }
406
407
408
409
410 static const uschar *
411 arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
412 {
413 const uschar * e;
414
415 /*debug_printf("consider hdr '%s'\n", h->text);*/
416 if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
417 {
418 DEBUG(D_acl)
419 {
420 int len = h->slen;
421 uschar * s;
422 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
423 s--, len--;
424 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
425 }
426 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
427 TRUE)))
428 {
429 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
430 return US"inserting AAR";
431 }
432 }
433 else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
434 {
435 arc_line * ams;
436
437 DEBUG(D_acl)
438 {
439 int len = h->slen;
440 uschar * s;
441 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
442 s--, len--;
443 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
444 }
445 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
446 instance_only)))
447 {
448 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
449 return US"inserting AMS";
450 }
451
452 /* defaults */
453 /*XXX dubious selection of ams here */
454 ams = ctx->arcset_chain->hdr_ams;
455 if (!ams->c.data)
456 {
457 ams->c_head.data = US"simple"; ams->c_head.len = 6;
458 ams->c_body = ams->c_head;
459 }
460 }
461 else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
462 {
463 DEBUG(D_acl)
464 {
465 int len = h->slen;
466 uschar * s;
467 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
468 s--, len--;
469 debug_printf("ARC: found AS: %.*s\n", len, h->text);
470 }
471 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
472 instance_only)))
473 {
474 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
475 return US"inserting AS";
476 }
477 }
478 return NULL;
479 }
480
481
482
483 /* Gather the chain of arc sets from the headers.
484 Check for duplicates while that is done. Also build the
485 reverse-order headers list;
486
487 Return: ARC state if determined, eg. by lack of any ARC chain.
488 */
489
490 static const uschar *
491 arc_vfy_collect_hdrs(arc_ctx * ctx)
492 {
493 header_line * h;
494 hdr_rlist * r = NULL, * rprev = NULL;
495 const uschar * e;
496
497 DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
498 for (h = header_list; h; h = h->next)
499 {
500 r = store_get(sizeof(hdr_rlist));
501 r->prev = rprev;
502 r->used = FALSE;
503 r->h = h;
504 rprev = r;
505
506 if ((e = arc_try_header(ctx, h, FALSE)))
507 {
508 arc_state_reason = string_sprintf("collecting headers: %s", e);
509 return US"fail";
510 }
511 }
512 headers_rlist = r;
513
514 if (!ctx->arcset_chain) return US"none";
515 return NULL;
516 }
517
518
519 static BOOL
520 arc_cv_match(arc_line * al, const uschar * s)
521 {
522 return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
523 }
524
525 /******************************************************************************/
526
527 /* Return the hash of headers from the message that the AMS claims it
528 signed.
529 */
530
531 static void
532 arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
533 {
534 const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
535 const uschar * hn;
536 int sep = ':';
537 hdr_rlist * r;
538 BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
539 int hashtype = pdkim_hashname_to_hashtype(
540 ams->a_hash.data, ams->a_hash.len);
541 hctx hhash_ctx;
542 const uschar * s;
543 int len;
544
545 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
546 {
547 DEBUG(D_acl)
548 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
549 return;
550 }
551
552 /* For each headername in the list from the AMS (walking in order)
553 walk the message headers in reverse order, adding to the hash any
554 found for the first time. For that last point, maintain used-marks
555 on the list of message headers. */
556
557 DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
558
559 for (r = headers_rlist; r; r = r->prev)
560 r->used = FALSE;
561 while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
562 for (r = headers_rlist; r; r = r->prev)
563 if ( !r->used
564 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
565 )
566 {
567 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
568
569 len = Ustrlen(s);
570 DEBUG(D_acl) pdkim_quoteprint(s, len);
571 exim_sha_update(&hhash_ctx, s, Ustrlen(s));
572 r->used = TRUE;
573 break;
574 }
575
576 /* Finally add in the signature header (with the b= tag stripped); no CRLF */
577
578 s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
579 if (relaxed)
580 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
581 DEBUG(D_acl) pdkim_quoteprint(s, len);
582 exim_sha_update(&hhash_ctx, s, len);
583
584 exim_sha_finish(&hhash_ctx, hhash);
585 DEBUG(D_acl)
586 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
587 return;
588 }
589
590
591
592
593 static pdkim_pubkey *
594 arc_line_to_pubkey(arc_line * al)
595 {
596 uschar * dns_txt;
597 pdkim_pubkey * p;
598
599 if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
600 al->s.len, al->s.data, al->d.len, al->d.data))))
601 {
602 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
603 return NULL;
604 }
605
606 if ( !(p = pdkim_parse_pubkey_record(dns_txt))
607 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
608 )
609 {
610 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
611 return NULL;
612 }
613
614 /* If the pubkey limits use to specified hashes, reject unusable
615 signatures. XXX should we have looked for multiple dns records? */
616
617 if (p->hashes)
618 {
619 const uschar * list = p->hashes, * ele;
620 int sep = ':';
621
622 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
623 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
624 if (!ele)
625 {
626 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
627 p->hashes, (int)al->a.len, al->a.data);
628 return NULL;
629 }
630 }
631 return p;
632 }
633
634
635
636
637 static pdkim_bodyhash *
638 arc_ams_setup_vfy_bodyhash(arc_line * ams)
639 {
640 int canon_head, canon_body;
641 long bodylen;
642
643 if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
644 pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
645 bodylen = ams->l.data
646 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
647
648 return pdkim_set_bodyhash(dkim_verify_ctx,
649 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
650 canon_body,
651 bodylen);
652 }
653
654
655
656 /* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
657 and without a DKIM v= tag.
658 */
659
660 static const uschar *
661 arc_ams_verify(arc_ctx * ctx, arc_set * as)
662 {
663 arc_line * ams = as->hdr_ams;
664 pdkim_bodyhash * b;
665 pdkim_pubkey * p;
666 blob sighash;
667 blob hhash;
668 ev_ctx vctx;
669 int hashtype;
670 const uschar * errstr;
671
672 as->ams_verify_done = US"in-progress";
673
674 /* Check the AMS has all the required tags:
675 "a=" algorithm
676 "b=" signature
677 "bh=" body hash
678 "d=" domain (for key lookup)
679 "h=" headers (included in signature)
680 "s=" key-selector (for key lookup)
681 */
682 if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
683 || !ams->h.data || !ams->s.data)
684 {
685 as->ams_verify_done = arc_state_reason = US"required tag missing";
686 return US"fail";
687 }
688
689
690 /* The bodyhash should have been created earlier, and the dkim code should
691 have managed calculating it during message input. Find the reference to it. */
692
693 if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
694 {
695 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
696 return US"fail";
697 }
698
699 DEBUG(D_acl)
700 {
701 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
702 " Body %.*s computed: ",
703 as->instance, b->signed_body_bytes,
704 (int)ams->a_hash.len, ams->a_hash.data);
705 pdkim_hexprint(CUS b->bh.data, b->bh.len);
706 }
707
708 /* We know the bh-tag blob is of a nul-term string, so safe as a string */
709
710 if ( !ams->bh.data
711 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
712 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
713 )
714 {
715 DEBUG(D_acl)
716 {
717 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
718 pdkim_hexprint(sighash.data, sighash.len);
719 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
720 }
721 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
722 }
723
724 DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
725
726 /* Get the public key from DNS */
727
728 if (!(p = arc_line_to_pubkey(ams)))
729 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
730
731 /* We know the b-tag blob is of a nul-term string, so safe as a string */
732 pdkim_decode_base64(ams->b.data, &sighash);
733
734 arc_get_verify_hhash(ctx, ams, &hhash);
735
736 /* Setup the interface to the signing library */
737
738 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
739 {
740 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
741 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
742 return US"fail";
743 }
744
745 hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
746
747 if ((errstr = exim_dkim_verify(&vctx,
748 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
749 {
750 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
751 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
752 }
753
754 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
755 as->ams_verify_passed = TRUE;
756 return NULL;
757 }
758
759
760
761 /* Check the sets are instance-continuous and that all
762 members are present. Check that no arc_seals are "fail".
763 Set the highest instance number global.
764 Verify the latest AMS.
765 */
766 static uschar *
767 arc_headers_check(arc_ctx * ctx)
768 {
769 arc_set * as;
770 int inst;
771 BOOL ams_fail_found = FALSE;
772
773 if (!(as = ctx->arcset_chain))
774 return US"none";
775
776 for(inst = 0; as; as = as->next)
777 {
778 if ( as->instance != ++inst
779 || !as->hdr_aar || !as->hdr_ams || !as->hdr_as
780 || arc_cv_match(as->hdr_as, US"fail")
781 )
782 {
783 arc_state_reason = string_sprintf("i=%d"
784 " (cv, sequence or missing header)", as->instance);
785 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
786 return US"fail";
787 }
788
789 /* Evaluate the oldest-pass AMS validation while we're here.
790 It does not affect the AS chain validation but is reported as
791 auxilary info. */
792
793 if (!ams_fail_found)
794 if (arc_ams_verify(ctx, as))
795 ams_fail_found = TRUE;
796 else
797 arc_oldest_pass = inst;
798 arc_state_reason = NULL;
799 }
800
801 arc_received = ctx->arcset_chain_last;
802 arc_received_instance = inst;
803
804 /* We can skip the latest-AMS validation, if we already did it. */
805
806 as = ctx->arcset_chain_last;
807 if (!as->ams_verify_passed)
808 {
809 if (as->ams_verify_done)
810 {
811 arc_state_reason = as->ams_verify_done;
812 return US"fail";
813 }
814 if (!!arc_ams_verify(ctx, as))
815 return US"fail";
816 }
817 return NULL;
818 }
819
820
821 /******************************************************************************/
822 static const uschar *
823 arc_seal_verify(arc_ctx * ctx, arc_set * as)
824 {
825 arc_line * hdr_as = as->hdr_as;
826 arc_set * as2;
827 int hashtype;
828 hctx hhash_ctx;
829 blob hhash_computed;
830 blob sighash;
831 ev_ctx vctx;
832 pdkim_pubkey * p;
833 const uschar * errstr;
834
835 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
836 /*
837 1. If the value of the "cv" tag on that seal is "fail", the
838 chain state is "fail" and the algorithm stops here. (This
839 step SHOULD be skipped if the earlier step (2.1) was
840 performed) [it was]
841
842 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
843 == "none" && i != 1)) then the chain state is "fail" and the
844 algorithm stops here (note that the ordering of the logic is
845 structured for short-circuit evaluation).
846 */
847
848 if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
849 || arc_cv_match(hdr_as, US"none") && as->instance != 1
850 )
851 {
852 arc_state_reason = US"seal cv state";
853 return US"fail";
854 }
855
856 /*
857 3. Initialize a hash function corresponding to the "a" tag of
858 the ARC-Seal.
859 */
860
861 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
862
863 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
864 {
865 DEBUG(D_acl)
866 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
867 arc_state_reason = US"seal hash setup error";
868 return US"fail";
869 }
870
871 /*
872 4. Compute the canonicalized form of the ARC header fields, in
873 the order described in Section 5.4.2, using the "relaxed"
874 header canonicalization defined in Section 3.4.2 of
875 [RFC6376]. Pass the canonicalized result to the hash
876 function.
877
878 Headers are CRLF-separated, but the last one is not crlf-terminated.
879 */
880
881 DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
882 for (as2 = ctx->arcset_chain;
883 as2 && as2->instance <= as->instance;
884 as2 = as2->next)
885 {
886 arc_line * al;
887 uschar * s;
888 int len;
889
890 al = as2->hdr_aar;
891 if (!(s = al->relaxed))
892 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
893 al->complete->slen, TRUE);
894 len = Ustrlen(s);
895 DEBUG(D_acl) pdkim_quoteprint(s, len);
896 exim_sha_update(&hhash_ctx, s, len);
897
898 al = as2->hdr_ams;
899 if (!(s = al->relaxed))
900 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
901 al->complete->slen, TRUE);
902 len = Ustrlen(s);
903 DEBUG(D_acl) pdkim_quoteprint(s, len);
904 exim_sha_update(&hhash_ctx, s, len);
905
906 al = as2->hdr_as;
907 if (as2->instance == as->instance)
908 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
909 al->rawsig_no_b_val.len, FALSE);
910 else if (!(s = al->relaxed))
911 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
912 al->complete->slen, TRUE);
913 len = Ustrlen(s);
914 DEBUG(D_acl) pdkim_quoteprint(s, len);
915 exim_sha_update(&hhash_ctx, s, len);
916 }
917
918 /*
919 5. Retrieve the final digest from the hash function.
920 */
921
922 exim_sha_finish(&hhash_ctx, &hhash_computed);
923 DEBUG(D_acl)
924 {
925 debug_printf("ARC i=%d AS Header %.*s computed: ",
926 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
927 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
928 }
929
930
931 /*
932 6. Retrieve the public key identified by the "s" and "d" tags in
933 the ARC-Seal, as described in Section 4.1.6.
934 */
935
936 if (!(p = arc_line_to_pubkey(hdr_as)))
937 return US"pubkey problem";
938
939 /*
940 7. Determine whether the signature portion ("b" tag) of the ARC-
941 Seal and the digest computed above are valid according to the
942 public key. (See also Section Section 8.4 for failure case
943 handling)
944
945 8. If the signature is not valid, the chain state is "fail" and
946 the algorithm stops here.
947 */
948
949 /* We know the b-tag blob is of a nul-term string, so safe as a string */
950 pdkim_decode_base64(hdr_as->b.data, &sighash);
951
952 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
953 {
954 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
955 return US"fail";
956 }
957
958 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
959
960 if ((errstr = exim_dkim_verify(&vctx,
961 pdkim_hashes[hashtype].exim_hashmethod,
962 &hhash_computed, &sighash)))
963 {
964 DEBUG(D_acl)
965 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
966 arc_state_reason = US"seal sigverify error";
967 return US"fail";
968 }
969
970 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
971 return NULL;
972 }
973
974
975 static const uschar *
976 arc_verify_seals(arc_ctx * ctx)
977 {
978 arc_set * as = ctx->arcset_chain;
979
980 if (!as)
981 return US"none";
982
983 while (as)
984 {
985 if (arc_seal_verify(ctx, as)) return US"fail";
986 as = as->next;
987 }
988 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
989 return NULL;
990 }
991 /******************************************************************************/
992
993 /* Do ARC verification. Called from DATA ACL, on a verify = arc
994 condition. No arguments; we are checking globals.
995
996 Return: The ARC state, or NULL on error.
997 */
998
999 const uschar *
1000 acl_verify_arc(void)
1001 {
1002 const uschar * res;
1003
1004 memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1005
1006 if (!dkim_verify_ctx)
1007 {
1008 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1009 return NULL;
1010 }
1011
1012 /* AS evaluation, per
1013 https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1014 */
1015 /* 1. Collect all ARC sets currently on the message. If there were
1016 none, the ARC state is "none" and the algorithm stops here.
1017 */
1018
1019 if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1020 goto out;
1021
1022 /* 2. If the form of any ARC set is invalid (e.g., does not contain
1023 exactly one of each of the three ARC-specific header fields),
1024 then the chain state is "fail" and the algorithm stops here.
1025
1026 1. To avoid the overhead of unnecessary computation and delay
1027 from crypto and DNS operations, the cv value for all ARC-
1028 Seal(s) MAY be checked at this point. If any of the values
1029 are "fail", then the overall state of the chain is "fail" and
1030 the algorithm stops here.
1031
1032 3. Conduct verification of the ARC-Message-Signature header field
1033 bearing the highest instance number. If this verification fails,
1034 then the chain state is "fail" and the algorithm stops here.
1035 */
1036
1037 if ((res = arc_headers_check(&arc_verify_ctx)))
1038 goto out;
1039
1040 /* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1041 following logic:
1042
1043 1. If the value of the "cv" tag on that seal is "fail", the
1044 chain state is "fail" and the algorithm stops here. (This
1045 step SHOULD be skipped if the earlier step (2.1) was
1046 performed)
1047
1048 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1049 == "none" && i != 1)) then the chain state is "fail" and the
1050 algorithm stops here (note that the ordering of the logic is
1051 structured for short-circuit evaluation).
1052
1053 3. Initialize a hash function corresponding to the "a" tag of
1054 the ARC-Seal.
1055
1056 4. Compute the canonicalized form of the ARC header fields, in
1057 the order described in Section 5.4.2, using the "relaxed"
1058 header canonicalization defined in Section 3.4.2 of
1059 [RFC6376]. Pass the canonicalized result to the hash
1060 function.
1061
1062 5. Retrieve the final digest from the hash function.
1063
1064 6. Retrieve the public key identified by the "s" and "d" tags in
1065 the ARC-Seal, as described in Section 4.1.6.
1066
1067 7. Determine whether the signature portion ("b" tag) of the ARC-
1068 Seal and the digest computed above are valid according to the
1069 public key. (See also Section Section 8.4 for failure case
1070 handling)
1071
1072 8. If the signature is not valid, the chain state is "fail" and
1073 the algorithm stops here.
1074
1075 5. If all seals pass validation, then the chain state is "pass", and
1076 the algorithm is complete.
1077 */
1078
1079 if ((res = arc_verify_seals(&arc_verify_ctx)))
1080 goto out;
1081
1082 res = US"pass";
1083
1084 out:
1085 return res;
1086 }
1087
1088 /******************************************************************************/
1089
1090 /* Prepend the header to the rlist */
1091
1092 static hdr_rlist *
1093 arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1094 {
1095 hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line));
1096 header_line * h = r->h = (header_line *)(r+1);
1097
1098 r->prev = list;
1099 r->used = FALSE;
1100 h->next = NULL;
1101 h->type = 0;
1102 h->slen = len;
1103 h->text = US s;
1104
1105 /* This works for either NL or CRLF lines; also nul-termination */
1106 while (*++s)
1107 if (*s == '\n' && s[1] != '\t' && s[1] != ' ') break;
1108 s++; /* move past end of line */
1109
1110 return r;
1111 }
1112
1113
1114 /* Walk the given headers strings identifying each header, and construct
1115 a reverse-order list.
1116 */
1117
1118 static hdr_rlist *
1119 arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1120 {
1121 const uschar * s;
1122 hdr_rlist * rheaders = NULL;
1123
1124 s = sigheaders ? sigheaders->s : NULL;
1125 if (s) while (*s)
1126 {
1127 const uschar * s2 = s;
1128
1129 /* This works for either NL or CRLF lines; also nul-termination */
1130 while (*++s2)
1131 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1132 s2++; /* move past end of line */
1133
1134 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1135 s = s2;
1136 }
1137 return rheaders;
1138 }
1139
1140
1141
1142 /* Return the A-R content, without identity, with line-ending and
1143 NUL termination. */
1144
1145 static BOOL
1146 arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1147 {
1148 header_line * h;
1149 int ilen = Ustrlen(identity);
1150
1151 ret->data = NULL;
1152 for(h = headers; h; h = h->next)
1153 {
1154 uschar * s = h->text, c;
1155 int len = h->slen;
1156
1157 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1158 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1159 while ( len > 0
1160 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1161 s++, len--; /* FWS */
1162 if (Ustrncmp(s, identity, ilen) != 0) continue;
1163 s += ilen; len -= ilen; /* identity */
1164 if (len <= 0) continue;
1165 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1166 while ( len > 0
1167 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1168 s++, len--; /* FWS */
1169 if (len <= 0) continue;
1170 ret->data = s;
1171 ret->len = len;
1172 return TRUE;
1173 }
1174 return FALSE;
1175 }
1176
1177
1178
1179 /* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1180
1181 static gstring *
1182 arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1183 const uschar * identity, int instance, blob * ar)
1184 {
1185 int aar_off = g ? g->ptr : 0;
1186 arc_set * as = store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line));
1187 arc_line * al = (arc_line *)(as+1);
1188 header_line * h = (header_line *)(al+1);
1189
1190 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1191 g = string_cat(g, string_sprintf(" i=%d; %s;\r\n\t", instance, identity));
1192 g = string_catn(g, US ar->data, ar->len);
1193
1194 h->slen = g->ptr - aar_off;
1195 h->text = g->s + aar_off;
1196 al->complete = h;
1197 as->next = NULL;
1198 as->prev = ctx->arcset_chain_last;
1199 as->instance = instance;
1200 as->hdr_aar = al;
1201 if (instance == 1)
1202 ctx->arcset_chain = as;
1203 else
1204 ctx->arcset_chain_last->next = as;
1205 ctx->arcset_chain_last = as;
1206
1207 DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1208 return g;
1209 }
1210
1211
1212
1213 static BOOL
1214 arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1215 blob * sig, const uschar * why)
1216 {
1217 hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1218 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1219 blob hhash;
1220 es_ctx sctx;
1221 const uschar * errstr;
1222
1223 DEBUG(D_transport)
1224 {
1225 hctx hhash_ctx;
1226 debug_printf("ARC: %s header data for signing:\n", why);
1227 pdkim_quoteprint(hdata->s, hdata->ptr);
1228
1229 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1230 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1231 exim_sha_finish(&hhash_ctx, &hhash);
1232 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1233 }
1234
1235 if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1236 {
1237 hctx hhash_ctx;
1238 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1239 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1240 exim_sha_finish(&hhash_ctx, &hhash);
1241 }
1242 else
1243 {
1244 hhash.data = hdata->s;
1245 hhash.len = hdata->ptr;
1246 }
1247
1248 if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1249 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1250 {
1251 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1252 return FALSE;
1253 }
1254 return TRUE;
1255 }
1256
1257
1258
1259 static gstring *
1260 arc_sign_append_sig(gstring * g, blob * sig)
1261 {
1262 /*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1263 sig->data = pdkim_encode_base64(sig);
1264 sig->len = Ustrlen(sig->data);
1265 for (;;)
1266 {
1267 int len = MIN(sig->len, 74);
1268 g = string_catn(g, sig->data, len);
1269 if ((sig->len -= len) == 0) break;
1270 sig->data += len;
1271 g = string_catn(g, US"\r\n\t ", 5);
1272 }
1273 g = string_catn(g, US";\r\n", 3);
1274 gstring_reset_unused(g);
1275 string_from_gstring(g);
1276 return g;
1277 }
1278
1279
1280 /* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1281
1282 static gstring *
1283 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1284 const uschar * identity, const uschar * selector, blob * bodyhash,
1285 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1286 {
1287 uschar * s;
1288 gstring * hdata = NULL;
1289 int col;
1290 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1291 blob sig;
1292 int ams_off;
1293 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1294 header_line * h = (header_line *)(al+1);
1295
1296 /* debug_printf("%s\n", __FUNCTION__); */
1297
1298 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1299
1300 ams_off = g->ptr;
1301 g = string_append(g, 7,
1302 ARC_HDR_AMS,
1303 US" i=", string_sprintf("%d", instance),
1304 US"; a=rsa-sha256; c=relaxed; d=", identity, /*XXX hardwired */
1305 US"; s=", selector);
1306 if (options & ARC_SIGN_OPT_TSTAMP)
1307 g = string_append(g, 2,
1308 US"; t=", string_sprintf("%lu", (u_long)now));
1309 if (options & ARC_SIGN_OPT_EXPIRE)
1310 g = string_append(g, 2,
1311 US"; x=", string_sprintf("%lu", (u_long)expire));
1312 g = string_append(g, 3,
1313 US";\r\n\tbh=", pdkim_encode_base64(bodyhash),
1314 US";\r\n\th=");
1315
1316 for(col = 3; rheaders; rheaders = rheaders->prev)
1317 {
1318 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1319 uschar * name, * htext = rheaders->h->text;
1320 int sep = ':';
1321
1322 /* Spot headers of interest */
1323
1324 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1325 {
1326 int len = Ustrlen(name);
1327 if (strncasecmp(CCS htext, CCS name, len) == 0)
1328 {
1329 /* If too long, fold line in h= field */
1330
1331 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1332
1333 /* Add name to h= list */
1334
1335 g = string_catn(g, name, len);
1336 g = string_catn(g, US":", 1);
1337 col += len + 1;
1338
1339 /* Accumulate header for hashing/signing */
1340
1341 hdata = string_cat(hdata,
1342 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1343 break;
1344 }
1345 }
1346 }
1347
1348 /* Lose the last colon from the h= list */
1349
1350 if (g->s[g->ptr - 1] == ':') g->ptr--;
1351
1352 g = string_catn(g, US";\r\n\tb=;", 7);
1353
1354 /* Include the pseudo-header in the accumulation */
1355
1356 s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1357 hdata = string_cat(hdata, s);
1358
1359 /* Calculate the signature from the accumulation */
1360 /*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1361
1362 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1363 return NULL;
1364
1365 /* Lose the trailing semicolon from the psuedo-header, and append the signature
1366 (folded over lines) and termination to complete it. */
1367
1368 g->ptr--;
1369 g = arc_sign_append_sig(g, &sig);
1370
1371 h->slen = g->ptr - ams_off;
1372 h->text = g->s + ams_off;
1373 al->complete = h;
1374 ctx->arcset_chain_last->hdr_ams = al;
1375
1376 DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1377 return g;
1378 }
1379
1380
1381
1382 /* Look for an arc= result in an A-R header blob. We know that its data
1383 happens to be a NUL-term string. */
1384
1385 static uschar *
1386 arc_ar_cv_status(blob * ar)
1387 {
1388 const uschar * resinfo = ar->data;
1389 int sep = ';';
1390 uschar * methodspec, * s;
1391
1392 while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1393 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1394 {
1395 uschar c;
1396 for (s = methodspec += 4;
1397 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1398 return string_copyn(methodspec, s - methodspec);
1399 }
1400 return US"none";
1401 }
1402
1403
1404
1405 /* Build the AS header and prepend it */
1406
1407 static gstring *
1408 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1409 int instance, const uschar * identity, const uschar * selector, blob * ar,
1410 const uschar * privkey, unsigned options)
1411 {
1412 gstring * arcset;
1413 arc_set * as;
1414 uschar * status = arc_ar_cv_status(ar);
1415 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1416 header_line * h = (header_line *)(al+1);
1417
1418 gstring * hdata = NULL;
1419 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1420 blob sig;
1421
1422 /*
1423 - Generate AS
1424 - no body coverage
1425 - no h= tag; implicit coverage
1426 - arc status from A-R
1427 - if fail:
1428 - coverage is just the new ARC set
1429 including self (but with an empty b= in self)
1430 - if non-fail:
1431 - all ARC set headers, set-number order, aar then ams then as,
1432 including self (but with an empty b= in self)
1433 */
1434
1435 /* Construct the AS except for the signature */
1436
1437 arcset = string_append(NULL, 9,
1438 ARC_HDR_AS,
1439 US" i=", string_sprintf("%d", instance),
1440 US"; cv=", status,
1441 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1442 US"; s=", selector); /*XXX same as AMS */
1443 if (options & ARC_SIGN_OPT_TSTAMP)
1444 arcset = string_append(arcset, 2,
1445 US"; t=", string_sprintf("%lu", (u_long)now));
1446 arcset = string_cat(arcset,
1447 US";\r\n\t b=;");
1448
1449 h->slen = arcset->ptr;
1450 h->text = arcset->s;
1451 al->complete = h;
1452 ctx->arcset_chain_last->hdr_as = al;
1453
1454 /* For any but "fail" chain-verify status, walk the entire chain in order by
1455 instance. For fail, only the new arc-set. Accumulate the elements walked. */
1456
1457 for (as = Ustrcmp(status, US"fail") == 0
1458 ? ctx->arcset_chain_last : ctx->arcset_chain;
1459 as; as = as->next)
1460 {
1461 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1462 is required per standard. */
1463
1464 h = as->hdr_aar->complete;
1465 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1466 h = as->hdr_ams->complete;
1467 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1468 h = as->hdr_as->complete;
1469 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1470 }
1471
1472 /* Calculate the signature from the accumulation */
1473
1474 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1475 return NULL;
1476
1477 /* Lose the trailing semicolon */
1478 arcset->ptr--;
1479 arcset = arc_sign_append_sig(arcset, &sig);
1480 DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1481
1482 /* Finally, append the AMS and AAR to the new AS */
1483
1484 return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1485 }
1486
1487
1488 /**************************************/
1489
1490 /* Return pointer to pdkim_bodyhash for given hash method, creating new
1491 method if needed.
1492 */
1493
1494 void *
1495 arc_ams_setup_sign_bodyhash(void)
1496 {
1497 int canon_head, canon_body;
1498
1499 DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1500 pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1501 return pdkim_set_bodyhash(&dkim_sign_ctx,
1502 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1503 canon_body,
1504 -1);
1505 }
1506
1507
1508
1509 void
1510 arc_sign_init(void)
1511 {
1512 memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1513 }
1514
1515
1516
1517 /* A "normal" header line, identified by DKIM processing. These arrive before
1518 the call to arc_sign(), which carries any newly-created DKIM headers - and
1519 those go textually before the normal ones in the message.
1520
1521 We have to take the feed from DKIM as, in the transport-filter case, the
1522 headers are not in memory at the time of the call to arc_sign().
1523
1524 Take a copy of the header and construct a reverse-order list.
1525 Also parse ARC-chain headers and build the chain struct, retaining pointers
1526 into the copies.
1527 */
1528
1529 static const uschar *
1530 arc_header_sign_feed(gstring * g)
1531 {
1532 uschar * s = string_copyn(g->s, g->ptr);
1533 headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1534 return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1535 }
1536
1537
1538
1539 /* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1540 The dkim_exim_sign() function has already been called, so will have hashed the
1541 message body for us so long as we requested a hash previously.
1542
1543 Arguments:
1544 signspec Three-element colon-sep list: identity, selector, privkey.
1545 Optional fourth element: comma-sep list of options.
1546 Already expanded
1547 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1548 errstr Error string
1549
1550 Return value
1551 Set of headers to prepend to the message, including the supplied sigheaders
1552 but not the plainheaders.
1553 */
1554
1555 gstring *
1556 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1557 {
1558 const uschar * identity, * selector, * privkey, * opts, * s;
1559 unsigned options = 0;
1560 int sep = 0;
1561 header_line * headers;
1562 hdr_rlist * rheaders;
1563 blob ar;
1564 int instance;
1565 gstring * g = NULL;
1566 pdkim_bodyhash * b;
1567
1568 expire = now = 0;
1569
1570 /* Parse the signing specification */
1571
1572 identity = string_nextinlist(&signspec, &sep, NULL, 0);
1573 selector = string_nextinlist(&signspec, &sep, NULL, 0);
1574 if ( !*identity || !*selector
1575 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1576 {
1577 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
1578 !*identity ? "identity" : !*selector ? "selector" : "private-key");
1579 return sigheaders ? sigheaders : string_get(0);
1580 }
1581 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1582 return sigheaders ? sigheaders : string_get(0);
1583
1584 if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1585 {
1586 int osep = ',';
1587 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1588 if (Ustrcmp(s, "timestamps") == 0)
1589 {
1590 options |= ARC_SIGN_OPT_TSTAMP;
1591 if (!now) now = time(NULL);
1592 }
1593 else if (Ustrncmp(s, "expire", 6) == 0)
1594 {
1595 options |= ARC_SIGN_OPT_EXPIRE;
1596 if (*(s += 6) == '=')
1597 if (*++s == '+')
1598 {
1599 if (!(expire = (time_t)atoi(++s)))
1600 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1601 if (!now) now = time(NULL);
1602 expire += now;
1603 }
1604 else
1605 expire = (time_t)atol(s);
1606 else
1607 {
1608 if (!now) now = time(NULL);
1609 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1610 }
1611 }
1612 }
1613
1614 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1615
1616 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1617 Then scan the list for an A-R header. */
1618
1619 string_from_gstring(sigheaders);
1620 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1621 {
1622 hdr_rlist ** rp;
1623 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1624 *rp = rheaders;
1625 }
1626
1627 /* Finally, build a normal-order headers list */
1628 /*XXX only needed for hunt-the-AR? */
1629 /*XXX also, we really should be accepting any number of ADMD-matching ARs */
1630 {
1631 header_line * hnext = NULL;
1632 for (rheaders = headers_rlist; rheaders;
1633 hnext = rheaders->h, rheaders = rheaders->prev)
1634 rheaders->h->next = hnext;
1635 headers = hnext;
1636 }
1637
1638 if (!(arc_sign_find_ar(headers, identity, &ar)))
1639 {
1640 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1641 return sigheaders ? sigheaders : string_get(0);
1642 }
1643
1644 /* We previously built the data-struct for the existing ARC chain, if any, using a headers
1645 feed from the DKIM module. Use that to give the instance number for the ARC set we are
1646 about to build. */
1647
1648 DEBUG(D_transport)
1649 if (arc_sign_ctx.arcset_chain_last)
1650 debug_printf("ARC: existing chain highest instance: %d\n",
1651 arc_sign_ctx.arcset_chain_last->instance);
1652 else
1653 debug_printf("ARC: no existing chain\n");
1654
1655 instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1656
1657 /*
1658 - Generate AAR
1659 - copy the A-R; prepend i= & identity
1660 */
1661
1662 g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1663
1664 /*
1665 - Generate AMS
1666 - Looks fairly like a DKIM sig
1667 - Cover all DKIM sig headers as well as the usuals
1668 - ? oversigning?
1669 - Covers the data
1670 - we must have requested a suitable bodyhash previously
1671 */
1672
1673 b = arc_ams_setup_sign_bodyhash();
1674 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1675 &b->bh, headers_rlist, privkey, options);
1676
1677 /*
1678 - Generate AS
1679 - no body coverage
1680 - no h= tag; implicit coverage
1681 - arc status from A-R
1682 - if fail:
1683 - coverage is just the new ARC set
1684 including self (but with an empty b= in self)
1685 - if non-fail:
1686 - all ARC set headers, set-number order, aar then ams then as,
1687 including self (but with an empty b= in self)
1688 */
1689
1690 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1691 privkey, options);
1692
1693 /* Finally, append the dkim headers and return the lot. */
1694
1695 g = string_catn(g, sigheaders->s, sigheaders->ptr);
1696 (void) string_from_gstring(g);
1697 gstring_reset_unused(g);
1698 return g;
1699 }
1700
1701
1702 /******************************************************************************/
1703
1704 /* Check to see if the line is an AMS and if so, set up to validate it.
1705 Called from the DKIM input processing. This must be done now as the message
1706 body data is hashed during input.
1707
1708 We call the DKIM code to request a body-hash; it has the facility already
1709 and the hash parameters might be common with other requests.
1710 */
1711
1712 static const uschar *
1713 arc_header_vfy_feed(gstring * g)
1714 {
1715 header_line h;
1716 arc_line al;
1717 pdkim_bodyhash * b;
1718 uschar * errstr;
1719
1720 if (!dkim_verify_ctx) return US"no dkim context";
1721
1722 if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1723
1724 DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1725 /* Parse the AMS header */
1726
1727 h.next = NULL;
1728 h.slen = g->size;
1729 h.text = g->s;
1730 memset(&al, 0, sizeof(arc_line));
1731 if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1732 {
1733 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1734 return US"line parsing error";
1735 }
1736
1737 /* defaults */
1738 if (!al.c.data)
1739 {
1740 al.c_body.data = US"simple"; al.c_body.len = 6;
1741 al.c_head = al.c_body;
1742 }
1743
1744 /* Ask the dkim code to calc a bodyhash with those specs */
1745
1746 if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1747 return US"dkim hash setup fail";
1748
1749 /* Discard the reference; search again at verify time, knowing that one
1750 should have been created here. */
1751
1752 return NULL;
1753 }
1754
1755
1756
1757 /* A header line has been identified by DKIM processing.
1758
1759 Arguments:
1760 g Header line
1761 is_vfy TRUE for verify mode or FALSE for signing mode
1762
1763 Return:
1764 NULL for success, or an error string (probably unused)
1765 */
1766
1767 const uschar *
1768 arc_header_feed(gstring * g, BOOL is_vfy)
1769 {
1770 return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1771 }
1772
1773
1774
1775 /******************************************************************************/
1776
1777 /* Construct the list of domains from the ARC chain after validation */
1778
1779 uschar *
1780 fn_arc_domains(void)
1781 {
1782 arc_set * as;
1783 unsigned inst;
1784 gstring * g = NULL;
1785
1786 for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1787 {
1788 arc_line * hdr_as = as->hdr_as;
1789 if (hdr_as)
1790 {
1791 blob * d = &hdr_as->d;
1792
1793 for (; inst < as->instance; inst++)
1794 g = string_catn(g, ":", 1);
1795
1796 g = d->data && d->len
1797 ? string_append_listele_n(g, ':', d->data, d->len)
1798 : string_catn(g, ":", 1);
1799 }
1800 else
1801 g = string_catn(g, ":", 1);
1802 }
1803 return g ? g->s : US"";
1804 }
1805
1806
1807 /* Construct an Authenticate-Results header portion, for the ARC module */
1808
1809 gstring *
1810 authres_arc(gstring * g)
1811 {
1812 if (arc_state)
1813 {
1814 arc_line * highest_ams;
1815 int start = 0; /* Compiler quietening */
1816 DEBUG(D_acl) start = g->ptr;
1817
1818 g = string_append(g, 2, US";\n\tarc=", arc_state);
1819 if (arc_received_instance > 0)
1820 {
1821 g = string_append(g, 3, US" (i=",
1822 string_sprintf("%d", arc_received_instance), US")");
1823 if (arc_state_reason)
1824 g = string_append(g, 3, US"(", arc_state_reason, US")");
1825 g = string_catn(g, US" header.s=", 10);
1826 highest_ams = arc_received->hdr_ams;
1827 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1828
1829 g = string_append(g, 2,
1830 US" arc.oldest-pass=", string_sprintf("%d", arc_oldest_pass));
1831
1832 if (sender_host_address)
1833 g = string_append(g, 2, US" smtp.client-ip=", sender_host_address);
1834 }
1835 else if (arc_state_reason)
1836 g = string_append(g, 3, US" (", arc_state_reason, US")");
1837 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1838 g->ptr - start - 3, g->s + start + 3);
1839 }
1840 else
1841 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1842 return g;
1843 }
1844
1845
1846 # endif /* SUPPORT_SPF */
1847 #endif /* EXPERIMENTAL_ARC */
1848 /* vi: aw ai sw=2
1849 */
Unnamed repository; edit this file 'description' to name the repository.