projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
ARC: support $arc_domains also for verify fails
[exim.git] / src / src / arc.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4/* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018
6 License: GPL
7*/
8
9#include "exim.h"
10#ifdef EXPERIMENTAL_ARC
11# if !defined SUPPORT_SPF
12# error SPF must also be enabled for ARC
13# elif defined DISABLE_DKIM
14# error DKIM must also be enabled for ARC
15# else
16
17# include "functions.h"
18# include "pdkim/pdkim.h"
19# include "pdkim/signing.h"
20
21extern pdkim_ctx * dkim_verify_ctx;
22extern pdkim_ctx dkim_sign_ctx;
23
24#define ARC_SIGN_OPT_TSTAMP BIT(0)
25#define ARC_SIGN_OPT_EXPIRE BIT(1)
26
27#define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
28
29/******************************************************************************/
30
31typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
33 BOOL used;
34 header_line * h;
35} hdr_rlist;
36
37typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
39 uschar * relaxed;
40
41 /* identified tag contents */
42 /*XXX t= for AS? */
43 blob i;
44 blob cv;
45 blob a;
46 blob b;
47 blob bh;
48 blob d;
49 blob h;
50 blob s;
51 blob c;
52 blob l;
53
54 /* tag content sub-portions */
55 blob a_algo;
56 blob a_hash;
57
58 blob c_head;
59 blob c_body;
60
61 /* modified copy of b= field in line */
62 blob rawsig_no_b_val;
63} arc_line;
64
65typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
68
69 unsigned instance;
70 arc_line * hdr_aar;
71 arc_line * hdr_ams;
72 arc_line * hdr_as;
73
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
76} arc_set;
77
78typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
81} arc_ctx;
82
83#define ARC_HDR_AAR US"ARC-Authentication-Results:"
84#define ARC_HDRLEN_AAR 27
85#define ARC_HDR_AMS US"ARC-Message-Signature:"
86#define ARC_HDRLEN_AMS 22
87#define ARC_HDR_AS US"ARC-Seal:"
88#define ARC_HDRLEN_AS 9
89#define HDR_AR US"Authentication-Results:"
90#define HDRLEN_AR 23
91
92static time_t now;
93static time_t expire;
94static hdr_rlist * headers_rlist;
95static arc_ctx arc_sign_ctx = { NULL };
96static arc_ctx arc_verify_ctx = { NULL };
97
98
99/******************************************************************************/
100
101
102/* Get the instance number from the header.
103Return 0 on error */
104static unsigned
105arc_instance_from_hdr(const arc_line * al)
106{
107const uschar * s = al->i.data;
108if (!s || !al->i.len) return 0;
109return (unsigned) atoi(CCS s);
110}
111
112
113static uschar *
114skip_fws(uschar * s)
115{
116uschar c = *s;
117while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
118return s;
119}
120
121
122/* Locate instance struct on chain, inserting a new one if
123needed. The chain is in increasing-instance-number order
124by the "next" link, and we have a "prev" link also.
125*/
126
127static arc_set *
128arc_find_set(arc_ctx * ctx, unsigned i)
129{
130arc_set ** pas, * as, * next, * prev;
131
132for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
134 {
135 if (as->instance > i) break;
136 if (as->instance == i)
137 {
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
139 return as;
140 }
141 next = as->next;
142 prev = as;
143 }
144
145DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146*pas = as = store_get(sizeof(arc_set));
147memset(as, 0, sizeof(arc_set));
148as->next = next;
149as->prev = prev;
150as->instance = i;
151if (next)
152 next->prev = as;
153else
154 ctx->arcset_chain_last = as;
155return as;
156}
157
158
159
160/* Insert a tag content into the line structure.
161Note this is a reference to existing data, not a copy.
162Check for already-seen tag.
163The string-pointer is on the '=' for entry. Update it past the
164content (to the ;) on return;
165*/
166
167static uschar *
168arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
169{
170uschar * s = *ss;
171uschar c = *++s;
172blob * b = (blob *)(US al + loff);
173size_t len = 0;
174
175/* [FWS] tag-value [FWS] */
176
177if (b->data) return US"fail";
178s = skip_fws(s); /* FWS */
179
180b->data = s;
181while ((c = *s) && c != ';') { len++; s++; }
182*ss = s;
183while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
185b->len = len;
186return NULL;
187}
188
189
190/* Inspect a header line, noting known tag fields.
191Check for duplicates. */
192
193static uschar *
194arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
195{
196uschar * s = h->text + off;
197uschar * r = NULL; /* compiler-quietening */
198uschar c;
199
200al->complete = h;
201
202if (!instance_only)
203 {
204 al->rawsig_no_b_val.data = store_get(h->slen + 1);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
208 }
209
210/* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
211
212while ((c = *s))
213 {
214 char tagchar;
215 uschar * t;
216 unsigned i = 0;
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
219
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
221
222 s = skip_fws(s); /* FWS */
223 if (!*s) break;
224/* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
225 tagchar = *s++;
226 s = skip_fws(s); /* FWS */
227 if (!*s) break;
228
229 if (!instance_only || tagchar == 'i') switch (tagchar)
230 {
231 case 'a': /* a= AMS algorithm */
232 {
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
235
236 /* substructure: algo-hash (eg. rsa-sha256) */
237
238 t = al->a_algo.data = al->a.data;
239 while (*t != '-')
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
241 al->a_algo.len = i;
242 if (*t++ != '-') return US"no '-' in 'a' value";
243 al->a_hash.data = t;
244 al->a_hash.len = al->a.len - i - 1;
245 }
246 break;
247 case 'b':
248 {
249 gstring * g = NULL;
250
251 switch (*s)
252 {
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
255 bstart = s+1;
256
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
259
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 al->b.data = string_from_gstring(g);
264 al->b.len = g->ptr;
265 gstring_reset_unused(g);
266 bend = s;
267 break;
268 case 'h': /* bh= AMS body hash */
269 s = skip_fws(++s); /* FWS */
270 if (*s != '=') return US"no bh value";
271 if (al->bh.data) return US"already bh data";
272
273 /* The bodyhash can have FWS inserted in the content;
274 make a stripped copy */
275
276 while ((c = *++s) && c != ';')
277 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
278 g = string_catn(g, s, 1);
279 al->bh.data = string_from_gstring(g);
280 al->bh.len = g->ptr;
281 gstring_reset_unused(g);
282 break;
283 default:
284 return US"b? tag";
285 }
286 }
287 break;
288 case 'c':
289 switch (*s)
290 {
291 case '=': /* c= AMS canonicalisation */
292 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
293
294 /* substructure: head/body (eg. relaxed/simple)) */
295
296 t = al->c_head.data = al->c.data;
297 while (isalpha(*t))
298 if (!*t++ || ++i > al->a.len) break;
299 al->c_head.len = i;
300 if (*t++ == '/') /* /body is optional */
301 {
302 al->c_body.data = t;
303 al->c_body.len = al->c.len - i - 1;
304 }
305 else
306 {
307 al->c_body.data = US"simple";
308 al->c_body.len = 6;
309 }
310 break;
311 case 'v': /* cv= AS validity */
312 if (*++s != '=') return US"cv tag val";
313 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
314 break;
315 default:
316 return US"c? tag";
317 }
318 break;
319 case 'd': /* d= AMS domain */
320 if (*s != '=') return US"d tag val";
321 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
322 break;
323 case 'h': /* h= AMS headers */
324 if (*s != '=') return US"h tag val";
325 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
326 break;
327 case 'i': /* i= ARC set instance */
328 if (*s != '=') return US"i tag val";
329 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
330 if (instance_only) goto done;
331 break;
332 case 'l': /* l= bodylength */
333 if (*s != '=') return US"l tag val";
334 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
335 break;
336 case 's': /* s= AMS selector */
337 if (*s != '=') return US"s tag val";
338 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
339 break;
340 }
341
342 while ((c = *s) && c != ';') s++;
343 if (c) s++; /* ; after tag-spec */
344
345 /* for all but the b= tag, copy the field including FWS. For the b=,
346 drop the tag content. */
347
348 if (!instance_only)
349 if (bstart)
350 {
351 size_t n = bstart - fieldstart;
352 memcpy(r, fieldstart, n); /* FWS "b=" */
353 r += n;
354 al->rawsig_no_b_val.len += n;
355 n = s - bend;
356 memcpy(r, bend, n); /* FWS ";" */
357 r += n;
358 al->rawsig_no_b_val.len += n;
359 }
360 else
361 {
362 size_t n = s - fieldstart;
363 memcpy(r, fieldstart, n);
364 r += n;
365 al->rawsig_no_b_val.len += n;
366 }
367 }
368
369if (!instance_only)
370 *r = '\0';
371
372done:
373/* debug_printf("%s: finshed\n", __FUNCTION__); */
374return NULL;
375}
376
377
378/* Insert one header line in the correct set of the chain,
379adding instances as needed and checking for duplicate lines.
380*/
381
382static uschar *
383arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
384 BOOL instance_only)
385{
386unsigned i;
387arc_set * as;
388arc_line * al = store_get(sizeof(arc_line)), ** alp;
389uschar * e;
390
391memset(al, 0, sizeof(arc_line));
392
393if ((e = arc_parse_line(al, h, off, instance_only)))
394 {
395 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
396 return US"line parse";
397 }
398if (!(i = arc_instance_from_hdr(al))) return US"instance find";
399if (i > 50) return US"overlarge instance number";
400if (!(as = arc_find_set(ctx, i))) return US"set find";
401if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
402
403*alp = al;
404return NULL;
405}
406
407
408
409
410static const uschar *
411arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
412{
413const uschar * e;
414
415/*debug_printf("consider hdr '%s'\n", h->text);*/
416if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
417 {
418 DEBUG(D_acl)
419 {
420 int len = h->slen;
421 uschar * s;
422 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
423 s--, len--;
424 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
425 }
426 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
427 TRUE)))
428 {
429 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
430 return US"inserting AAR";
431 }
432 }
433else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
434 {
435 arc_line * ams;
436
437 DEBUG(D_acl)
438 {
439 int len = h->slen;
440 uschar * s;
441 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
442 s--, len--;
443 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
444 }
445 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
446 instance_only)))
447 {
448 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
449 return US"inserting AMS";
450 }
451
452 /* defaults */
453 /*XXX dubious selection of ams here */
454 ams = ctx->arcset_chain->hdr_ams;
455 if (!ams->c.data)
456 {
457 ams->c_head.data = US"simple"; ams->c_head.len = 6;
458 ams->c_body = ams->c_head;
459 }
460 }
461else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
462 {
463 DEBUG(D_acl)
464 {
465 int len = h->slen;
466 uschar * s;
467 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
468 s--, len--;
469 debug_printf("ARC: found AS: %.*s\n", len, h->text);
470 }
471 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
472 instance_only)))
473 {
474 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
475 return US"inserting AS";
476 }
477 }
478return NULL;
479}
480
481
482
483/* Gather the chain of arc sets from the headers.
484Check for duplicates while that is done. Also build the
485reverse-order headers list;
486
487Return: ARC state if determined, eg. by lack of any ARC chain.
488*/
489
490static const uschar *
491arc_vfy_collect_hdrs(arc_ctx * ctx)
492{
493header_line * h;
494hdr_rlist * r = NULL, * rprev = NULL;
495const uschar * e;
496
497DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
498for (h = header_list; h; h = h->next)
499 {
500 r = store_get(sizeof(hdr_rlist));
501 r->prev = rprev;
502 r->used = FALSE;
503 r->h = h;
504 rprev = r;
505
506 if ((e = arc_try_header(ctx, h, FALSE)))
507 {
508 arc_state_reason = string_sprintf("collecting headers: %s", e);
509 return US"fail";
510 }
511 }
512headers_rlist = r;
513
514if (!ctx->arcset_chain) return US"none";
515return NULL;
516}
517
518
519static BOOL
520arc_cv_match(arc_line * al, const uschar * s)
521{
522return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
523}
524
525/******************************************************************************/
526
527/* Return the hash of headers from the message that the AMS claims it
528signed.
529*/
530
531static void
532arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
533{
534const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
535const uschar * hn;
536int sep = ':';
537hdr_rlist * r;
538BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
539int hashtype = pdkim_hashname_to_hashtype(
540 ams->a_hash.data, ams->a_hash.len);
541hctx hhash_ctx;
542const uschar * s;
543int len;
544
545if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
546 {
547 DEBUG(D_acl)
548 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
549 return;
550 }
551
552/* For each headername in the list from the AMS (walking in order)
553walk the message headers in reverse order, adding to the hash any
554found for the first time. For that last point, maintain used-marks
555on the list of message headers. */
556
557DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
558
559for (r = headers_rlist; r; r = r->prev)
560 r->used = FALSE;
561while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
562 for (r = headers_rlist; r; r = r->prev)
563 if ( !r->used
564 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
565 )
566 {
567 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
568
569 len = Ustrlen(s);
570 DEBUG(D_acl) pdkim_quoteprint(s, len);
571 exim_sha_update(&hhash_ctx, s, Ustrlen(s));
572 r->used = TRUE;
573 break;
574 }
575
576/* Finally add in the signature header (with the b= tag stripped); no CRLF */
577
578s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
579if (relaxed)
580 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
581DEBUG(D_acl) pdkim_quoteprint(s, len);
582exim_sha_update(&hhash_ctx, s, len);
583
584exim_sha_finish(&hhash_ctx, hhash);
585DEBUG(D_acl)
586 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
587return;
588}
589
590
591
592
593static pdkim_pubkey *
594arc_line_to_pubkey(arc_line * al)
595{
596uschar * dns_txt;
597pdkim_pubkey * p;
598
599if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
600 al->s.len, al->s.data, al->d.len, al->d.data))))
601 {
602 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
603 return NULL;
604 }
605
606if ( !(p = pdkim_parse_pubkey_record(dns_txt))
607 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
608 )
609 {
610 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
611 return NULL;
612 }
613
614/* If the pubkey limits use to specified hashes, reject unusable
615signatures. XXX should we have looked for multiple dns records? */
616
617if (p->hashes)
618 {
619 const uschar * list = p->hashes, * ele;
620 int sep = ':';
621
622 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
623 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
624 if (!ele)
625 {
626 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
627 p->hashes, (int)al->a.len, al->a.data);
628 return NULL;
629 }
630 }
631return p;
632}
633
634
635
636
637static pdkim_bodyhash *
638arc_ams_setup_vfy_bodyhash(arc_line * ams)
639{
640int canon_head, canon_body;
641long bodylen;
642
643if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
644pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
645bodylen = ams->l.data
646 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
647
648return pdkim_set_bodyhash(dkim_verify_ctx,
649 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
650 canon_body,
651 bodylen);
652}
653
654
655
656/* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
657and without a DKIM v= tag.
658*/
659
660static const uschar *
661arc_ams_verify(arc_ctx * ctx, arc_set * as)
662{
663arc_line * ams = as->hdr_ams;
664pdkim_bodyhash * b;
665pdkim_pubkey * p;
666blob sighash;
667blob hhash;
668ev_ctx vctx;
669int hashtype;
670const uschar * errstr;
671
672as->ams_verify_done = US"in-progress";
673
674/* Check the AMS has all the required tags:
675 "a=" algorithm
676 "b=" signature
677 "bh=" body hash
678 "d=" domain (for key lookup)
679 "h=" headers (included in signature)
680 "s=" key-selector (for key lookup)
681*/
682if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
683 || !ams->h.data || !ams->s.data)
684 {
685 as->ams_verify_done = arc_state_reason = US"required tag missing";
686 return US"fail";
687 }
688
689
690/* The bodyhash should have been created earlier, and the dkim code should
691have managed calculating it during message input. Find the reference to it. */
692
693if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
694 {
695 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
696 return US"fail";
697 }
698
699DEBUG(D_acl)
700 {
701 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
702 " Body %.*s computed: ",
703 as->instance, b->signed_body_bytes,
704 (int)ams->a_hash.len, ams->a_hash.data);
705 pdkim_hexprint(CUS b->bh.data, b->bh.len);
706 }
707
708/* We know the bh-tag blob is of a nul-term string, so safe as a string */
709
710if ( !ams->bh.data
711 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
712 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
713 )
714 {
715 DEBUG(D_acl)
716 {
717 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
718 pdkim_hexprint(sighash.data, sighash.len);
719 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
720 }
721 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
722 }
723
724DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
725
726/* Get the public key from DNS */
727
728if (!(p = arc_line_to_pubkey(ams)))
729 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
730
731/* We know the b-tag blob is of a nul-term string, so safe as a string */
732pdkim_decode_base64(ams->b.data, &sighash);
733
734arc_get_verify_hhash(ctx, ams, &hhash);
735
736/* Setup the interface to the signing library */
737
738if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
739 {
740 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
741 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
742 return US"fail";
743 }
744
745hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
746
747if ((errstr = exim_dkim_verify(&vctx,
748 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
749 {
750 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
751 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
752 }
753
754DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
755as->ams_verify_passed = TRUE;
756return NULL;
757}
758
759
760
761/* Check the sets are instance-continuous and that all
762members are present. Check that no arc_seals are "fail".
763Set the highest instance number global.
764Verify the latest AMS.
765*/
766static uschar *
767arc_headers_check(arc_ctx * ctx)
768{
769arc_set * as;
770int inst;
771BOOL ams_fail_found = FALSE;
772
773if (!(as = ctx->arcset_chain))
774 return US"none";
775
776for(inst = 0; as; as = as->next)
777 {
778 if ( as->instance != ++inst
779 || !as->hdr_aar || !as->hdr_ams || !as->hdr_as
780 || arc_cv_match(as->hdr_as, US"fail")
781 )
782 {
783 arc_state_reason = string_sprintf("i=%d"
784 " (cv, sequence or missing header)", as->instance);
785 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
786 return US"fail";
787 }
788
789 /* Evaluate the oldest-pass AMS validation while we're here.
790 It does not affect the AS chain validation but is reported as
791 auxilary info. */
792
793 if (!ams_fail_found)
794 if (arc_ams_verify(ctx, as))
795 ams_fail_found = TRUE;
796 else
797 arc_oldest_pass = inst;
798 arc_state_reason = NULL;
799 }
800
801arc_received = ctx->arcset_chain_last;
802arc_received_instance = inst;
803
804/* We can skip the latest-AMS validation, if we already did it. */
805
806as = ctx->arcset_chain_last;
807if (!as->ams_verify_passed)
808 {
809 if (as->ams_verify_done)
810 {
811 arc_state_reason = as->ams_verify_done;
812 return US"fail";
813 }
814 if (!!arc_ams_verify(ctx, as))
815 return US"fail";
816 }
817return NULL;
818}
819
820
821/******************************************************************************/
822static const uschar *
823arc_seal_verify(arc_ctx * ctx, arc_set * as)
824{
825arc_line * hdr_as = as->hdr_as;
826arc_set * as2;
827int hashtype;
828hctx hhash_ctx;
829blob hhash_computed;
830blob sighash;
831ev_ctx vctx;
832pdkim_pubkey * p;
833const uschar * errstr;
834
835DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
836/*
837 1. If the value of the "cv" tag on that seal is "fail", the
838 chain state is "fail" and the algorithm stops here. (This
839 step SHOULD be skipped if the earlier step (2.1) was
840 performed) [it was]
841
842 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
843 == "none" && i != 1)) then the chain state is "fail" and the
844 algorithm stops here (note that the ordering of the logic is
845 structured for short-circuit evaluation).
846*/
847
848if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
849 || arc_cv_match(hdr_as, US"none") && as->instance != 1
850 )
851 {
852 arc_state_reason = US"seal cv state";
853 return US"fail";
854 }
855
856/*
857 3. Initialize a hash function corresponding to the "a" tag of
858 the ARC-Seal.
859*/
860
861hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
862
863if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
864 {
865 DEBUG(D_acl)
866 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
867 arc_state_reason = US"seal hash setup error";
868 return US"fail";
869 }
870
871/*
872 4. Compute the canonicalized form of the ARC header fields, in
873 the order described in Section 5.4.2, using the "relaxed"
874 header canonicalization defined in Section 3.4.2 of
875 [RFC6376]. Pass the canonicalized result to the hash
876 function.
877
878Headers are CRLF-separated, but the last one is not crlf-terminated.
879*/
880
881DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
882for (as2 = ctx->arcset_chain;
883 as2 && as2->instance <= as->instance;
884 as2 = as2->next)
885 {
886 arc_line * al;
887 uschar * s;
888 int len;
889
890 al = as2->hdr_aar;
891 if (!(s = al->relaxed))
892 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
893 al->complete->slen, TRUE);
894 len = Ustrlen(s);
895 DEBUG(D_acl) pdkim_quoteprint(s, len);
896 exim_sha_update(&hhash_ctx, s, len);
897
898 al = as2->hdr_ams;
899 if (!(s = al->relaxed))
900 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
901 al->complete->slen, TRUE);
902 len = Ustrlen(s);
903 DEBUG(D_acl) pdkim_quoteprint(s, len);
904 exim_sha_update(&hhash_ctx, s, len);
905
906 al = as2->hdr_as;
907 if (as2->instance == as->instance)
908 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
909 al->rawsig_no_b_val.len, FALSE);
910 else if (!(s = al->relaxed))
911 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
912 al->complete->slen, TRUE);
913 len = Ustrlen(s);
914 DEBUG(D_acl) pdkim_quoteprint(s, len);
915 exim_sha_update(&hhash_ctx, s, len);
916 }
917
918/*
919 5. Retrieve the final digest from the hash function.
920*/
921
922exim_sha_finish(&hhash_ctx, &hhash_computed);
923DEBUG(D_acl)
924 {
925 debug_printf("ARC i=%d AS Header %.*s computed: ",
926 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
927 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
928 }
929
930
931/*
932 6. Retrieve the public key identified by the "s" and "d" tags in
933 the ARC-Seal, as described in Section 4.1.6.
934*/
935
936if (!(p = arc_line_to_pubkey(hdr_as)))
937 return US"pubkey problem";
938
939/*
940 7. Determine whether the signature portion ("b" tag) of the ARC-
941 Seal and the digest computed above are valid according to the
942 public key. (See also Section Section 8.4 for failure case
943 handling)
944
945 8. If the signature is not valid, the chain state is "fail" and
946 the algorithm stops here.
947*/
948
949/* We know the b-tag blob is of a nul-term string, so safe as a string */
950pdkim_decode_base64(hdr_as->b.data, &sighash);
951
952if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
953 {
954 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
955 return US"fail";
956 }
957
958hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
959
960if ((errstr = exim_dkim_verify(&vctx,
961 pdkim_hashes[hashtype].exim_hashmethod,
962 &hhash_computed, &sighash)))
963 {
964 DEBUG(D_acl)
965 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
966 arc_state_reason = US"seal sigverify error";
967 return US"fail";
968 }
969
970DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
971return NULL;
972}
973
974
975static const uschar *
976arc_verify_seals(arc_ctx * ctx)
977{
978arc_set * as = ctx->arcset_chain;
979
980if (!as)
981 return US"none";
982
983while (as)
984 {
985 if (arc_seal_verify(ctx, as)) return US"fail";
986 as = as->next;
987 }
988DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
989return NULL;
990}
991/******************************************************************************/
992
993/* Do ARC verification. Called from DATA ACL, on a verify = arc
994condition. No arguments; we are checking globals.
995
996Return: The ARC state, or NULL on error.
997*/
998
999const uschar *
1000acl_verify_arc(void)
1001{
1002const uschar * res;
1003
1004memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1005
1006if (!dkim_verify_ctx)
1007 {
1008 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1009 return NULL;
1010 }
1011
1012/* AS evaluation, per
1013https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1014*/
1015/* 1. Collect all ARC sets currently on the message. If there were
1016 none, the ARC state is "none" and the algorithm stops here.
1017*/
1018
1019if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1020 goto out;
1021
1022/* 2. If the form of any ARC set is invalid (e.g., does not contain
1023 exactly one of each of the three ARC-specific header fields),
1024 then the chain state is "fail" and the algorithm stops here.
1025
1026 1. To avoid the overhead of unnecessary computation and delay
1027 from crypto and DNS operations, the cv value for all ARC-
1028 Seal(s) MAY be checked at this point. If any of the values
1029 are "fail", then the overall state of the chain is "fail" and
1030 the algorithm stops here.
1031
1032 3. Conduct verification of the ARC-Message-Signature header field
1033 bearing the highest instance number. If this verification fails,
1034 then the chain state is "fail" and the algorithm stops here.
1035*/
1036
1037if ((res = arc_headers_check(&arc_verify_ctx)))
1038 goto out;
1039
1040/* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1041 following logic:
1042
1043 1. If the value of the "cv" tag on that seal is "fail", the
1044 chain state is "fail" and the algorithm stops here. (This
1045 step SHOULD be skipped if the earlier step (2.1) was
1046 performed)
1047
1048 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1049 == "none" && i != 1)) then the chain state is "fail" and the
1050 algorithm stops here (note that the ordering of the logic is
1051 structured for short-circuit evaluation).
1052
1053 3. Initialize a hash function corresponding to the "a" tag of
1054 the ARC-Seal.
1055
1056 4. Compute the canonicalized form of the ARC header fields, in
1057 the order described in Section 5.4.2, using the "relaxed"
1058 header canonicalization defined in Section 3.4.2 of
1059 [RFC6376]. Pass the canonicalized result to the hash
1060 function.
1061
1062 5. Retrieve the final digest from the hash function.
1063
1064 6. Retrieve the public key identified by the "s" and "d" tags in
1065 the ARC-Seal, as described in Section 4.1.6.
1066
1067 7. Determine whether the signature portion ("b" tag) of the ARC-
1068 Seal and the digest computed above are valid according to the
1069 public key. (See also Section Section 8.4 for failure case
1070 handling)
1071
1072 8. If the signature is not valid, the chain state is "fail" and
1073 the algorithm stops here.
1074
1075 5. If all seals pass validation, then the chain state is "pass", and
1076 the algorithm is complete.
1077*/
1078
1079if ((res = arc_verify_seals(&arc_verify_ctx)))
1080 goto out;
1081
1082res = US"pass";
1083
1084out:
1085 return res;
1086}
1087
1088/******************************************************************************/
1089
1090/* Prepend the header to the rlist */
1091
1092static hdr_rlist *
1093arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1094{
1095hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line));
1096header_line * h = r->h = (header_line *)(r+1);
1097
1098r->prev = list;
1099r->used = FALSE;
1100h->next = NULL;
1101h->type = 0;
1102h->slen = len;
1103h->text = US s;
1104
1105/* This works for either NL or CRLF lines; also nul-termination */
1106while (*++s)
1107 if (*s == '\n' && s[1] != '\t' && s[1] != ' ') break;
1108s++; /* move past end of line */
1109
1110return r;
1111}
1112
1113
1114/* Walk the given headers strings identifying each header, and construct
1115a reverse-order list.
1116*/
1117
1118static hdr_rlist *
1119arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1120{
1121const uschar * s;
1122hdr_rlist * rheaders = NULL;
1123
1124s = sigheaders ? sigheaders->s : NULL;
1125if (s) while (*s)
1126 {
1127 const uschar * s2 = s;
1128
1129 /* This works for either NL or CRLF lines; also nul-termination */
1130 while (*++s2)
1131 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1132 s2++; /* move past end of line */
1133
1134 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1135 s = s2;
1136 }
1137return rheaders;
1138}
1139
1140
1141
1142/* Return the A-R content, without identity, with line-ending and
1143NUL termination. */
1144
1145static BOOL
1146arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1147{
1148header_line * h;
1149int ilen = Ustrlen(identity);
1150
1151ret->data = NULL;
1152for(h = headers; h; h = h->next)
1153 {
1154 uschar * s = h->text, c;
1155 int len = h->slen;
1156
1157 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1158 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1159 while ( len > 0
1160 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1161 s++, len--; /* FWS */
1162 if (Ustrncmp(s, identity, ilen) != 0) continue;
1163 s += ilen; len -= ilen; /* identity */
1164 if (len <= 0) continue;
1165 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1166 while ( len > 0
1167 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1168 s++, len--; /* FWS */
1169 if (len <= 0) continue;
1170 ret->data = s;
1171 ret->len = len;
1172 return TRUE;
1173 }
1174return FALSE;
1175}
1176
1177
1178
1179/* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1180
1181static gstring *
1182arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1183 const uschar * identity, int instance, blob * ar)
1184{
1185int aar_off = g ? g->ptr : 0;
1186arc_set * as = store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line));
1187arc_line * al = (arc_line *)(as+1);
1188header_line * h = (header_line *)(al+1);
1189
1190g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1191g = string_cat(g, string_sprintf(" i=%d; %s;\r\n\t", instance, identity));
1192g = string_catn(g, US ar->data, ar->len);
1193
1194h->slen = g->ptr - aar_off;
1195h->text = g->s + aar_off;
1196al->complete = h;
1197as->next = NULL;
1198as->prev = ctx->arcset_chain_last;
1199as->instance = instance;
1200as->hdr_aar = al;
1201if (instance == 1)
1202 ctx->arcset_chain = as;
1203else
1204 ctx->arcset_chain_last->next = as;
1205ctx->arcset_chain_last = as;
1206
1207DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1208return g;
1209}
1210
1211
1212
1213static BOOL
1214arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1215 blob * sig, const uschar * why)
1216{
1217hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1218 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1219blob hhash;
1220es_ctx sctx;
1221const uschar * errstr;
1222
1223DEBUG(D_transport)
1224 {
1225 hctx hhash_ctx;
1226 debug_printf("ARC: %s header data for signing:\n", why);
1227 pdkim_quoteprint(hdata->s, hdata->ptr);
1228
1229 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1230 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1231 exim_sha_finish(&hhash_ctx, &hhash);
1232 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1233 }
1234
1235if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1236 {
1237 hctx hhash_ctx;
1238 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1239 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1240 exim_sha_finish(&hhash_ctx, &hhash);
1241 }
1242else
1243 {
1244 hhash.data = hdata->s;
1245 hhash.len = hdata->ptr;
1246 }
1247
1248if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1249 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1250 {
1251 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1252 return FALSE;
1253 }
1254return TRUE;
1255}
1256
1257
1258
1259static gstring *
1260arc_sign_append_sig(gstring * g, blob * sig)
1261{
1262/*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1263sig->data = pdkim_encode_base64(sig);
1264sig->len = Ustrlen(sig->data);
1265for (;;)
1266 {
1267 int len = MIN(sig->len, 74);
1268 g = string_catn(g, sig->data, len);
1269 if ((sig->len -= len) == 0) break;
1270 sig->data += len;
1271 g = string_catn(g, US"\r\n\t ", 5);
1272 }
1273g = string_catn(g, US";\r\n", 3);
1274gstring_reset_unused(g);
1275string_from_gstring(g);
1276return g;
1277}
1278
1279
1280/* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1281
1282static gstring *
1283arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1284 const uschar * identity, const uschar * selector, blob * bodyhash,
1285 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1286{
1287uschar * s;
1288gstring * hdata = NULL;
1289int col;
1290int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1291blob sig;
1292int ams_off;
1293arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1294header_line * h = (header_line *)(al+1);
1295
1296/* debug_printf("%s\n", __FUNCTION__); */
1297
1298/* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1299
1300ams_off = g->ptr;
1301g = string_append(g, 7,
1302 ARC_HDR_AMS,
1303 US" i=", string_sprintf("%d", instance),
1304 US"; a=rsa-sha256; c=relaxed; d=", identity, /*XXX hardwired */
1305 US"; s=", selector);
1306if (options & ARC_SIGN_OPT_TSTAMP)
1307 g = string_append(g, 2,
1308 US"; t=", string_sprintf("%lu", (u_long)now));
1309if (options & ARC_SIGN_OPT_EXPIRE)
1310 g = string_append(g, 2,
1311 US"; x=", string_sprintf("%lu", (u_long)expire));
1312g = string_append(g, 3,
1313 US";\r\n\tbh=", pdkim_encode_base64(bodyhash),
1314 US";\r\n\th=");
1315
1316for(col = 3; rheaders; rheaders = rheaders->prev)
1317 {
1318 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1319 uschar * name, * htext = rheaders->h->text;
1320 int sep = ':';
1321
1322 /* Spot headers of interest */
1323
1324 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1325 {
1326 int len = Ustrlen(name);
1327 if (strncasecmp(CCS htext, CCS name, len) == 0)
1328 {
1329 /* If too long, fold line in h= field */
1330
1331 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1332
1333 /* Add name to h= list */
1334
1335 g = string_catn(g, name, len);
1336 g = string_catn(g, US":", 1);
1337 col += len + 1;
1338
1339 /* Accumulate header for hashing/signing */
1340
1341 hdata = string_cat(hdata,
1342 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1343 break;
1344 }
1345 }
1346 }
1347
1348/* Lose the last colon from the h= list */
1349
1350if (g->s[g->ptr - 1] == ':') g->ptr--;
1351
1352g = string_catn(g, US";\r\n\tb=;", 7);
1353
1354/* Include the pseudo-header in the accumulation */
1355
1356s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1357hdata = string_cat(hdata, s);
1358
1359/* Calculate the signature from the accumulation */
1360/*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1361
1362if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1363 return NULL;
1364
1365/* Lose the trailing semicolon from the psuedo-header, and append the signature
1366(folded over lines) and termination to complete it. */
1367
1368g->ptr--;
1369g = arc_sign_append_sig(g, &sig);
1370
1371h->slen = g->ptr - ams_off;
1372h->text = g->s + ams_off;
1373al->complete = h;
1374ctx->arcset_chain_last->hdr_ams = al;
1375
1376DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1377return g;
1378}
1379
1380
1381
1382/* Look for an arc= result in an A-R header blob. We know that its data
1383happens to be a NUL-term string. */
1384
1385static uschar *
1386arc_ar_cv_status(blob * ar)
1387{
1388const uschar * resinfo = ar->data;
1389int sep = ';';
1390uschar * methodspec, * s;
1391
1392while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1393 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1394 {
1395 uschar c;
1396 for (s = methodspec += 4;
1397 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1398 return string_copyn(methodspec, s - methodspec);
1399 }
1400return US"none";
1401}
1402
1403
1404
1405/* Build the AS header and prepend it */
1406
1407static gstring *
1408arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1409 int instance, const uschar * identity, const uschar * selector, blob * ar,
1410 const uschar * privkey, unsigned options)
1411{
1412gstring * arcset;
1413arc_set * as;
1414uschar * status = arc_ar_cv_status(ar);
1415arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1416header_line * h = (header_line *)(al+1);
1417
1418gstring * hdata = NULL;
1419int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1420blob sig;
1421
1422/*
1423- Generate AS
1424 - no body coverage
1425 - no h= tag; implicit coverage
1426 - arc status from A-R
1427 - if fail:
1428 - coverage is just the new ARC set
1429 including self (but with an empty b= in self)
1430 - if non-fail:
1431 - all ARC set headers, set-number order, aar then ams then as,
1432 including self (but with an empty b= in self)
1433*/
1434
1435/* Construct the AS except for the signature */
1436
1437arcset = string_append(NULL, 9,
1438 ARC_HDR_AS,
1439 US" i=", string_sprintf("%d", instance),
1440 US"; cv=", status,
1441 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1442 US"; s=", selector); /*XXX same as AMS */
1443if (options & ARC_SIGN_OPT_TSTAMP)
1444 arcset = string_append(arcset, 2,
1445 US"; t=", string_sprintf("%lu", (u_long)now));
1446arcset = string_cat(arcset,
1447 US";\r\n\t b=;");
1448
1449h->slen = arcset->ptr;
1450h->text = arcset->s;
1451al->complete = h;
1452ctx->arcset_chain_last->hdr_as = al;
1453
1454/* For any but "fail" chain-verify status, walk the entire chain in order by
1455instance. For fail, only the new arc-set. Accumulate the elements walked. */
1456
1457for (as = Ustrcmp(status, US"fail") == 0
1458 ? ctx->arcset_chain_last : ctx->arcset_chain;
1459 as; as = as->next)
1460 {
1461 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1462 is required per standard. */
1463
1464 h = as->hdr_aar->complete;
1465 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1466 h = as->hdr_ams->complete;
1467 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1468 h = as->hdr_as->complete;
1469 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1470 }
1471
1472/* Calculate the signature from the accumulation */
1473
1474if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1475 return NULL;
1476
1477/* Lose the trailing semicolon */
1478arcset->ptr--;
1479arcset = arc_sign_append_sig(arcset, &sig);
1480DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1481
1482/* Finally, append the AMS and AAR to the new AS */
1483
1484return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1485}
1486
1487
1488/**************************************/
1489
1490/* Return pointer to pdkim_bodyhash for given hash method, creating new
1491method if needed.
1492*/
1493
1494void *
1495arc_ams_setup_sign_bodyhash(void)
1496{
1497int canon_head, canon_body;
1498
1499DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1500pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1501return pdkim_set_bodyhash(&dkim_sign_ctx,
1502 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1503 canon_body,
1504 -1);
1505}
1506
1507
1508
1509void
1510arc_sign_init(void)
1511{
1512memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1513}
1514
1515
1516
1517/* A "normal" header line, identified by DKIM processing. These arrive before
1518the call to arc_sign(), which carries any newly-created DKIM headers - and
1519those go textually before the normal ones in the message.
1520
1521We have to take the feed from DKIM as, in the transport-filter case, the
1522headers are not in memory at the time of the call to arc_sign().
1523
1524Take a copy of the header and construct a reverse-order list.
1525Also parse ARC-chain headers and build the chain struct, retaining pointers
1526into the copies.
1527*/
1528
1529static const uschar *
1530arc_header_sign_feed(gstring * g)
1531{
1532uschar * s = string_copyn(g->s, g->ptr);
1533headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1534return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1535}
1536
1537
1538
1539/* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1540The dkim_exim_sign() function has already been called, so will have hashed the
1541message body for us so long as we requested a hash previously.
1542
1543Arguments:
1544 signspec Three-element colon-sep list: identity, selector, privkey.
1545 Optional fourth element: comma-sep list of options.
1546 Already expanded
1547 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1548 errstr Error string
1549
1550Return value
1551 Set of headers to prepend to the message, including the supplied sigheaders
1552 but not the plainheaders.
1553*/
1554
1555gstring *
1556arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1557{
1558const uschar * identity, * selector, * privkey, * opts, * s;
1559unsigned options = 0;
1560int sep = 0;
1561header_line * headers;
1562hdr_rlist * rheaders;
1563blob ar;
1564int instance;
1565gstring * g = NULL;
1566pdkim_bodyhash * b;
1567
1568expire = now = 0;
1569
1570/* Parse the signing specification */
1571
1572identity = string_nextinlist(&signspec, &sep, NULL, 0);
1573selector = string_nextinlist(&signspec, &sep, NULL, 0);
1574if ( !*identity || !*selector
1575 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1576 {
1577 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
1578 !*identity ? "identity" : !*selector ? "selector" : "private-key");
1579 return sigheaders ? sigheaders : string_get(0);
1580 }
1581if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1582 return sigheaders ? sigheaders : string_get(0);
1583
1584if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1585 {
1586 int osep = ',';
1587 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1588 if (Ustrcmp(s, "timestamps") == 0)
1589 {
1590 options |= ARC_SIGN_OPT_TSTAMP;
1591 if (!now) now = time(NULL);
1592 }
1593 else if (Ustrncmp(s, "expire", 6) == 0)
1594 {
1595 options |= ARC_SIGN_OPT_EXPIRE;
1596 if (*(s += 6) == '=')
1597 if (*++s == '+')
1598 {
1599 if (!(expire = (time_t)atoi(++s)))
1600 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1601 if (!now) now = time(NULL);
1602 expire += now;
1603 }
1604 else
1605 expire = (time_t)atol(s);
1606 else
1607 {
1608 if (!now) now = time(NULL);
1609 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1610 }
1611 }
1612 }
1613
1614DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1615
1616/* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1617Then scan the list for an A-R header. */
1618
1619string_from_gstring(sigheaders);
1620if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1621 {
1622 hdr_rlist ** rp;
1623 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1624 *rp = rheaders;
1625 }
1626
1627/* Finally, build a normal-order headers list */
1628/*XXX only needed for hunt-the-AR? */
1629/*XXX also, we really should be accepting any number of ADMD-matching ARs */
1630 {
1631 header_line * hnext = NULL;
1632 for (rheaders = headers_rlist; rheaders;
1633 hnext = rheaders->h, rheaders = rheaders->prev)
1634 rheaders->h->next = hnext;
1635 headers = hnext;
1636 }
1637
1638if (!(arc_sign_find_ar(headers, identity, &ar)))
1639 {
1640 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1641 return sigheaders ? sigheaders : string_get(0);
1642 }
1643
1644/* We previously built the data-struct for the existing ARC chain, if any, using a headers
1645feed from the DKIM module. Use that to give the instance number for the ARC set we are
1646about to build. */
1647
1648DEBUG(D_transport)
1649 if (arc_sign_ctx.arcset_chain_last)
1650 debug_printf("ARC: existing chain highest instance: %d\n",
1651 arc_sign_ctx.arcset_chain_last->instance);
1652 else
1653 debug_printf("ARC: no existing chain\n");
1654
1655instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1656
1657/*
1658- Generate AAR
1659 - copy the A-R; prepend i= & identity
1660*/
1661
1662g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1663
1664/*
1665- Generate AMS
1666 - Looks fairly like a DKIM sig
1667 - Cover all DKIM sig headers as well as the usuals
1668 - ? oversigning?
1669 - Covers the data
1670 - we must have requested a suitable bodyhash previously
1671*/
1672
1673b = arc_ams_setup_sign_bodyhash();
1674g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1675 &b->bh, headers_rlist, privkey, options);
1676
1677/*
1678- Generate AS
1679 - no body coverage
1680 - no h= tag; implicit coverage
1681 - arc status from A-R
1682 - if fail:
1683 - coverage is just the new ARC set
1684 including self (but with an empty b= in self)
1685 - if non-fail:
1686 - all ARC set headers, set-number order, aar then ams then as,
1687 including self (but with an empty b= in self)
1688*/
1689
1690g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1691 privkey, options);
1692
1693/* Finally, append the dkim headers and return the lot. */
1694
1695g = string_catn(g, sigheaders->s, sigheaders->ptr);
1696(void) string_from_gstring(g);
1697gstring_reset_unused(g);
1698return g;
1699}
1700
1701
1702/******************************************************************************/
1703
1704/* Check to see if the line is an AMS and if so, set up to validate it.
1705Called from the DKIM input processing. This must be done now as the message
1706body data is hashed during input.
1707
1708We call the DKIM code to request a body-hash; it has the facility already
1709and the hash parameters might be common with other requests.
1710*/
1711
1712static const uschar *
1713arc_header_vfy_feed(gstring * g)
1714{
1715header_line h;
1716arc_line al;
1717pdkim_bodyhash * b;
1718uschar * errstr;
1719
1720if (!dkim_verify_ctx) return US"no dkim context";
1721
1722if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1723
1724DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1725/* Parse the AMS header */
1726
1727h.next = NULL;
1728h.slen = g->size;
1729h.text = g->s;
1730memset(&al, 0, sizeof(arc_line));
1731if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1732 {
1733 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1734 return US"line parsing error";
1735 }
1736
1737/* defaults */
1738if (!al.c.data)
1739 {
1740 al.c_body.data = US"simple"; al.c_body.len = 6;
1741 al.c_head = al.c_body;
1742 }
1743
1744/* Ask the dkim code to calc a bodyhash with those specs */
1745
1746if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1747 return US"dkim hash setup fail";
1748
1749/* Discard the reference; search again at verify time, knowing that one
1750should have been created here. */
1751
1752return NULL;
1753}
1754
1755
1756
1757/* A header line has been identified by DKIM processing.
1758
1759Arguments:
1760 g Header line
1761 is_vfy TRUE for verify mode or FALSE for signing mode
1762
1763Return:
1764 NULL for success, or an error string (probably unused)
1765*/
1766
1767const uschar *
1768arc_header_feed(gstring * g, BOOL is_vfy)
1769{
1770return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1771}
1772
1773
1774
1775/******************************************************************************/
1776
1777/* Construct the list of domains from the ARC chain after validation */
1778
1779uschar *
1780fn_arc_domains(void)
1781{
1782arc_set * as;
1783unsigned inst;
1784gstring * g = NULL;
1785
1786for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1787 {
1788 arc_line * hdr_as = as->hdr_as;
1789 if (hdr_as)
1790 {
1791 blob * d = &hdr_as->d;
1792
1793 for (; inst < as->instance; inst++)
1794 g = string_catn(g, ":", 1);
1795
1796 g = d->data && d->len
1797 ? string_append_listele_n(g, ':', d->data, d->len)
1798 : string_catn(g, ":", 1);
1799 }
1800 else
1801 g = string_catn(g, ":", 1);
1802 }
1803return g ? g->s : US"";
1804}
1805
1806
1807/* Construct an Authenticate-Results header portion, for the ARC module */
1808
1809gstring *
1810authres_arc(gstring * g)
1811{
1812if (arc_state)
1813 {
1814 arc_line * highest_ams;
1815 int start = 0; /* Compiler quietening */
1816 DEBUG(D_acl) start = g->ptr;
1817
1818 g = string_append(g, 2, US";\n\tarc=", arc_state);
1819 if (arc_received_instance > 0)
1820 {
1821 g = string_append(g, 3, US" (i=",
1822 string_sprintf("%d", arc_received_instance), US")");
1823 if (arc_state_reason)
1824 g = string_append(g, 3, US"(", arc_state_reason, US")");
1825 g = string_catn(g, US" header.s=", 10);
1826 highest_ams = arc_received->hdr_ams;
1827 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1828
1829 g = string_append(g, 2,
1830 US" arc.oldest-pass=", string_sprintf("%d", arc_oldest_pass));
1831
1832 if (sender_host_address)
1833 g = string_append(g, 2, US" smtp.client-ip=", sender_host_address);
1834 }
1835 else if (arc_state_reason)
1836 g = string_append(g, 3, US" (", arc_state_reason, US")");
1837 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1838 g->ptr - start - 3, g->s + start + 3);
1839 }
1840else
1841 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1842return g;
1843}
1844
1845
1846# endif /* SUPPORT_SPF */
1847#endif /* EXPERIMENTAL_ARC */
1848/* vi: aw ai sw=2
1849 */
Unnamed repository; edit this file 'description' to name the repository.