int canon_head, canon_body;
long bodylen;
+if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
bodylen = ams->l.data
? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
|| arc_cv_match(as->hdr_as, US"fail")
)
{
- arc_state_reason = string_sprintf("i=%d fail"
+ arc_state_reason = string_sprintf("i=%d"
" (cv, sequence or missing header)", as->instance);
- DEBUG(D_acl) debug_printf("ARC %s\n", arc_state_reason);
- ret = US"fail";
+ DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
+ return US"fail";
}
/* Evaluate the oldest-pass AMS validation while we're here.
/* Walk the given headers strings identifying each header, and construct
-a reverse-order list. Also parse ARC-chain headers and build the chain
-struct, retaining pointers into the string.
+a reverse-order list.
*/
static hdr_rlist *
+void
+arc_sign_init(void)
+{
+memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
+}
+
+
+
/* A "normal" header line, identified by DKIM processing. These arrive before
the call to arc_sign(), which carries any newly-created DKIM headers - and
those go textually before the normal ones in the message.
DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
-/*
-- scan headers for existing ARC chain & A-R (with matching system-identfier)
- - paniclog & skip on problems (no A-R)
-*/
-
-/* Make an rlist of any new DKIM headers, then add the "normals" rlist to it */
+/* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
+Then scan the list for an A-R header. */
string_from_gstring(sigheaders);
if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
}
else
rheaders = headers_rlist;
+
/* Finally, build a normal-order headers list */
/*XXX only needed for hunt-the-AR? */
-{
-header_line * hnext = NULL;
-for (; rheaders; hnext = rheaders->h, rheaders = rheaders->prev)
- rheaders->h->next = hnext;
-headers = hnext;
-}
-
-instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
+ {
+ header_line * hnext = NULL;
+ for (; rheaders; hnext = rheaders->h, rheaders = rheaders->prev)
+ rheaders->h->next = hnext;
+ headers = hnext;
+ }
if (!(arc_sign_find_ar(headers, identity, &ar)))
{
return sigheaders ? sigheaders : string_get(0);
}
+/* We previously built the data-struct for the existing ARC chain, if any, using a headers
+feed from the DKIM module. Use that to give the instance number for the ARC set we are
+about to build. */
+
+DEBUG(D_transport)
+ if (arc_sign_ctx.arcset_chain_last)
+ debug_printf("ARC: existing chain highest instance: %d\n",
+ arc_sign_ctx.arcset_chain_last->instance);
+ else
+ debug_printf("ARC: no existing chain\n");
+
+instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
+
/*
- Generate AAR
- copy the A-R; prepend i= & identity
if (sender_host_address)
g = string_append(g, 2, US" smtp.client-ip=", sender_host_address);
}
+ else if (arc_state_reason)
+ g = string_append(g, 3, US" (", arc_state_reason, US")");
DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
g->ptr - start - 3, g->s + start + 3);
}
/* Get signatures for headers plus spool data file */
-dkim->dot_stuffed = !!(save_options & topt_end_dot);
+#ifdef EXPERIMENTAL_ARC
+arc_sign_init();
+#endif
+dkim->dot_stuffed = !!(save_options & topt_end_dot);
if (!(dkim_signature = dkim_exim_sign(deliver_datafile, SPOOL_DATA_START_OFFSET,
hdrs, dkim, &errstr)))
if (!(rc = dkt_sign_fail(dkim, &errno)))
goto CLEANUP;
}
+#ifdef EXPERIMENTAL_ARC
+arc_sign_init();
+#endif
+
/* Feed the file to the goats^W DKIM lib */
dkim->dot_stuffed = !!(options & topt_end_dot);
extern void *arc_ams_setup_sign_bodyhash(void);
extern const uschar *arc_header_feed(gstring *, BOOL);
extern gstring *arc_sign(const uschar *, gstring *, uschar **);
+extern void arc_sign_init(void);
extern const uschar *acl_verify_arc(void);
#endif
--- /dev/null
+4560
\ No newline at end of file
1999-03-02 09:44:33 End queue run: pid=pppp
1999-03-02 09:44:33 Start queue run: pid=pppp
1999-03-02 09:44:33 10HmbL-0005vi-00 arc_state: <fail>
+1999-03-02 09:44:33 10HmbL-0005vi-00 reason: <i=3 (cv, sequence or missing header)>
1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@bloggs.com H=localhost (test.ex) [127.0.0.1] P=esmtp S=sss for a@test.ex
1999-03-02 09:44:33 10HmbK-0005vi-00 => a@test.ex <za@test.ex> R=fwd T=tsmtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbL-0005vi-00"
1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
1999-03-02 09:44:33 10HmbQ-0005vi-00 DKIM: d=dmarc.org s=clochette c=simple/simple a=rsa-sha256 b=1024 t=1517535263 [verification succeeded]
1999-03-02 09:44:33 10HmbQ-0005vi-00 DKIM: d=convivian.com s=default c=simple/simple a=rsa-sha256 b=1024 t=1517535248 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmbQ-0005vi-00 arc_state: <fail>
+1999-03-02 09:44:33 10HmbQ-0005vi-00 reason: <i=2 (cv, sequence or missing header)>
1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@bloggs.com H=localhost (test.ex) [127.0.0.1] P=esmtp S=sss DKIM=dmarc.org id=1426665656.110316.1517535248039.JavaMail.zimbra@convivian.com for a@test.ex
1999-03-02 09:44:33 10HmbP-0005vi-00 => a@test.ex <za@test.ex> R=fwd T=tsmtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbQ-0005vi-00"
1999-03-02 09:44:33 10HmbP-0005vi-00 Completed
From CALLER@bloggs.com Tue Mar 02 09:44:33 1999
Authentication-Results: test.ex;
iprev=pass (localhost);
- arc=fail (i=3) header.s=sel arc.oldest-pass=0 smtp.client-ip=127.0.0.1
+ arc=fail (i=3 (cv, sequence or missing header))
Received: from localhost ([127.0.0.1] helo=test.ex)
by test.ex with esmtp (Exim x.yz)
(envelope-from <CALLER@bloggs.com>)
dkim=pass header.d=dmarc.org header.s=clochette header.a=rsa-sha256;
dkim=fail (body hash mismatch; body probably modified in transit)
header.d=convivian.com header.s=default header.a=rsa-sha256;
- arc=fail (i=2) header.s=sel arc.oldest-pass=0 smtp.client-ip=127.0.0.1
+ arc=fail (i=2 (cv, sequence or missing header))
Received: from localhost ([127.0.0.1] helo=test.ex)
by test.ex with esmtp (Exim x.yz)
(envelope-from <CALLER@bloggs.com>)
--- /dev/null
+# ARC verify, bad chain
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+#
+# This should fail verify (not a complete chain).
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+ARC-Seal: i=2; cv=none; a=rsa-sha256; d=test.ex; s=r201803;
+ b=HxjMzNcj7OX+I9Vr1Xr14AGgAci/CI8JxspaeoNT7TBsiOAtZ+YDBBSqXe6fqX3mHQEwpnXrdz
+ PCMIU1SF3ZiBtqWaLBPhStfuNQl5cw+TWXC60rOwCD2bxuBqubM/3AZLMPzIpm62MUYUUGaxwi
+ +LssT4F237WN88Lu4g5vqi8=;
+ARC-Authentication-Results: i=2; test.ex;
+ iprev=fail;
+ auth=pass (PLAIN) smtp.auth=fred@test.ex
+ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed; d=test.ex; s=r201803;
+ bh=52LTOZoDLUGP5RZMMrrjLkwTKuJ59wx4n3rL9RKBtgg=;
+ h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Subject:
+ From:To:Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
+ Subject:From:To;
+ b=LYAs/k3m790qXfftAVQxqHFCUkqcavgcpKnbEje3MgCmpCiYzeeusloVSjyFx6Mdo0XkN0GSZb
+ HXOCRGaJVnpU9V1QzdIqvz/I7DAyWl53XsKxl9YhsuaeuMMgPpqWpYkp0mOIo3Mtg+VdbF2DKd
+ O8BRJnqfkZkGUqMUJzdaYMU=;
+Authentication-Results: test.ex;
+ iprev=fail;
+ auth=pass (PLAIN) smtp.auth=fred@test.ex
+Received: from [127.0.0.1]
+To: a@test.ex
+From: Jeremy Harris <b@test.ex>
+Subject: another test
+Message-ID: <3885245d-3bae-66a2-7a1e-0dbceae2fb50@test.ex>
+Date: Mon, 26 Mar 2018 10:55:18 +0100
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+exim -DSERVER=server -DNOTDAEMON -q
+****
+#
+#
+#
+#
+#
+killdaemon
+no_stdout_check
+no_msglog_check
projects / exim.git / commitdiff