projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ARC: fix crash on signing with missing key file
[exim.git] / src / src / arc.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4 /* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018
6 License: GPL
7 */
8
9 #include "exim.h"
10 #ifdef EXPERIMENTAL_ARC
11 # if !defined SUPPORT_SPF
12 # error SPF must also be enabled for ARC
13 # elif defined DISABLE_DKIM
14 # error DKIM must also be enabled for ARC
15 # else
16
17 # include "functions.h"
18 # include "pdkim/pdkim.h"
19 # include "pdkim/signing.h"
20
21 extern pdkim_ctx * dkim_verify_ctx;
22 extern pdkim_ctx dkim_sign_ctx;
23
24 #define ARC_SIGN_OPT_TSTAMP BIT(0)
25 #define ARC_SIGN_OPT_EXPIRE BIT(1)
26
27 #define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
28
29 /******************************************************************************/
30
31 typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
33 BOOL used;
34 header_line * h;
35 } hdr_rlist;
36
37 typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
39 uschar * relaxed;
40
41 /* identified tag contents */
42 /*XXX t= for AS? */
43 blob i;
44 blob cv;
45 blob a;
46 blob b;
47 blob bh;
48 blob d;
49 blob h;
50 blob s;
51 blob c;
52 blob l;
53
54 /* tag content sub-portions */
55 blob a_algo;
56 blob a_hash;
57
58 blob c_head;
59 blob c_body;
60
61 /* modified copy of b= field in line */
62 blob rawsig_no_b_val;
63 } arc_line;
64
65 typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
68
69 unsigned instance;
70 arc_line * hdr_aar;
71 arc_line * hdr_ams;
72 arc_line * hdr_as;
73
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
76 } arc_set;
77
78 typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
81 } arc_ctx;
82
83 #define ARC_HDR_AAR US"ARC-Authentication-Results:"
84 #define ARC_HDRLEN_AAR 27
85 #define ARC_HDR_AMS US"ARC-Message-Signature:"
86 #define ARC_HDRLEN_AMS 22
87 #define ARC_HDR_AS US"ARC-Seal:"
88 #define ARC_HDRLEN_AS 9
89 #define HDR_AR US"Authentication-Results:"
90 #define HDRLEN_AR 23
91
92 static time_t now;
93 static time_t expire;
94 static hdr_rlist * headers_rlist;
95 static arc_ctx arc_sign_ctx = { NULL };
96 static arc_ctx arc_verify_ctx = { NULL };
97
98
99 /******************************************************************************/
100
101
102 /* Get the instance number from the header.
103 Return 0 on error */
104 static unsigned
105 arc_instance_from_hdr(const arc_line * al)
106 {
107 const uschar * s = al->i.data;
108 if (!s || !al->i.len) return 0;
109 return (unsigned) atoi(CCS s);
110 }
111
112
113 static uschar *
114 skip_fws(uschar * s)
115 {
116 uschar c = *s;
117 while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
118 return s;
119 }
120
121
122 /* Locate instance struct on chain, inserting a new one if
123 needed. The chain is in increasing-instance-number order
124 by the "next" link, and we have a "prev" link also.
125 */
126
127 static arc_set *
128 arc_find_set(arc_ctx * ctx, unsigned i)
129 {
130 arc_set ** pas, * as, * next, * prev;
131
132 for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
134 {
135 if (as->instance > i) break;
136 if (as->instance == i)
137 {
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
139 return as;
140 }
141 next = as->next;
142 prev = as;
143 }
144
145 DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146 *pas = as = store_get(sizeof(arc_set));
147 memset(as, 0, sizeof(arc_set));
148 as->next = next;
149 as->prev = prev;
150 as->instance = i;
151 if (next)
152 next->prev = as;
153 else
154 ctx->arcset_chain_last = as;
155 return as;
156 }
157
158
159
160 /* Insert a tag content into the line structure.
161 Note this is a reference to existing data, not a copy.
162 Check for already-seen tag.
163 The string-pointer is on the '=' for entry. Update it past the
164 content (to the ;) on return;
165 */
166
167 static uschar *
168 arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
169 {
170 uschar * s = *ss;
171 uschar c = *++s;
172 blob * b = (blob *)(US al + loff);
173 size_t len = 0;
174
175 /* [FWS] tag-value [FWS] */
176
177 if (b->data) return US"fail";
178 s = skip_fws(s); /* FWS */
179
180 b->data = s;
181 while ((c = *s) && c != ';') { len++; s++; }
182 *ss = s;
183 while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
185 b->len = len;
186 return NULL;
187 }
188
189
190 /* Inspect a header line, noting known tag fields.
191 Check for duplicates. */
192
193 static uschar *
194 arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
195 {
196 uschar * s = h->text + off;
197 uschar * r = NULL; /* compiler-quietening */
198 uschar c;
199
200 al->complete = h;
201
202 if (!instance_only)
203 {
204 al->rawsig_no_b_val.data = store_get(h->slen + 1);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
208 }
209
210 /* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
211
212 while ((c = *s))
213 {
214 char tagchar;
215 uschar * t;
216 unsigned i = 0;
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
219
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
221
222 s = skip_fws(s); /* FWS */
223 if (!*s) break;
224 /* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
225 tagchar = *s++;
226 s = skip_fws(s); /* FWS */
227 if (!*s) break;
228
229 if (!instance_only || tagchar == 'i') switch (tagchar)
230 {
231 case 'a': /* a= AMS algorithm */
232 {
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
235
236 /* substructure: algo-hash (eg. rsa-sha256) */
237
238 t = al->a_algo.data = al->a.data;
239 while (*t != '-')
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
241 al->a_algo.len = i;
242 if (*t++ != '-') return US"no '-' in 'a' value";
243 al->a_hash.data = t;
244 al->a_hash.len = al->a.len - i - 1;
245 }
246 break;
247 case 'b':
248 {
249 gstring * g = NULL;
250
251 switch (*s)
252 {
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
255 bstart = s+1;
256
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
259
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 al->b.data = string_from_gstring(g);
264 al->b.len = g->ptr;
265 gstring_reset_unused(g);
266 bend = s;
267 break;
268 case 'h': /* bh= AMS body hash */
269 s = skip_fws(++s); /* FWS */
270 if (*s != '=') return US"no bh value";
271 if (al->bh.data) return US"already bh data";
272
273 /* The bodyhash can have FWS inserted in the content;
274 make a stripped copy */
275
276 while ((c = *++s) && c != ';')
277 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
278 g = string_catn(g, s, 1);
279 al->bh.data = string_from_gstring(g);
280 al->bh.len = g->ptr;
281 gstring_reset_unused(g);
282 break;
283 default:
284 return US"b? tag";
285 }
286 }
287 break;
288 case 'c':
289 switch (*s)
290 {
291 case '=': /* c= AMS canonicalisation */
292 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
293
294 /* substructure: head/body (eg. relaxed/simple)) */
295
296 t = al->c_head.data = al->c.data;
297 while (isalpha(*t))
298 if (!*t++ || ++i > al->a.len) break;
299 al->c_head.len = i;
300 if (*t++ == '/') /* /body is optional */
301 {
302 al->c_body.data = t;
303 al->c_body.len = al->c.len - i - 1;
304 }
305 else
306 {
307 al->c_body.data = US"simple";
308 al->c_body.len = 6;
309 }
310 break;
311 case 'v': /* cv= AS validity */
312 if (*++s != '=') return US"cv tag val";
313 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
314 break;
315 default:
316 return US"c? tag";
317 }
318 break;
319 case 'd': /* d= AMS domain */
320 if (*s != '=') return US"d tag val";
321 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
322 break;
323 case 'h': /* h= AMS headers */
324 if (*s != '=') return US"h tag val";
325 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
326 break;
327 case 'i': /* i= ARC set instance */
328 if (*s != '=') return US"i tag val";
329 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
330 if (instance_only) goto done;
331 break;
332 case 'l': /* l= bodylength */
333 if (*s != '=') return US"l tag val";
334 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
335 break;
336 case 's': /* s= AMS selector */
337 if (*s != '=') return US"s tag val";
338 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
339 break;
340 }
341
342 while ((c = *s) && c != ';') s++;
343 if (c) s++; /* ; after tag-spec */
344
345 /* for all but the b= tag, copy the field including FWS. For the b=,
346 drop the tag content. */
347
348 if (!instance_only)
349 if (bstart)
350 {
351 size_t n = bstart - fieldstart;
352 memcpy(r, fieldstart, n); /* FWS "b=" */
353 r += n;
354 al->rawsig_no_b_val.len += n;
355 n = s - bend;
356 memcpy(r, bend, n); /* FWS ";" */
357 r += n;
358 al->rawsig_no_b_val.len += n;
359 }
360 else
361 {
362 size_t n = s - fieldstart;
363 memcpy(r, fieldstart, n);
364 r += n;
365 al->rawsig_no_b_val.len += n;
366 }
367 }
368
369 if (!instance_only)
370 *r = '\0';
371
372 done:
373 /* debug_printf("%s: finshed\n", __FUNCTION__); */
374 return NULL;
375 }
376
377
378 /* Insert one header line in the correct set of the chain,
379 adding instances as needed and checking for duplicate lines.
380 */
381
382 static uschar *
383 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
384 BOOL instance_only)
385 {
386 unsigned i;
387 arc_set * as;
388 arc_line * al = store_get(sizeof(arc_line)), ** alp;
389 uschar * e;
390
391 memset(al, 0, sizeof(arc_line));
392
393 if ((e = arc_parse_line(al, h, off, instance_only)))
394 {
395 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
396 return US"line parse";
397 }
398 if (!(i = arc_instance_from_hdr(al))) return US"instance find";
399 if (i > 50) return US"overlarge instance number";
400 if (!(as = arc_find_set(ctx, i))) return US"set find";
401 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
402
403 *alp = al;
404 return NULL;
405 }
406
407
408
409
410 static const uschar *
411 arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
412 {
413 const uschar * e;
414
415 /*debug_printf("consider hdr '%s'\n", h->text);*/
416 if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
417 {
418 DEBUG(D_acl)
419 {
420 int len = h->slen;
421 uschar * s;
422 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
423 s--, len--;
424 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
425 }
426 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
427 TRUE)))
428 {
429 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
430 return US"inserting AAR";
431 }
432 }
433 else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
434 {
435 arc_line * ams;
436
437 DEBUG(D_acl)
438 {
439 int len = h->slen;
440 uschar * s;
441 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
442 s--, len--;
443 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
444 }
445 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
446 instance_only)))
447 {
448 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
449 return US"inserting AMS";
450 }
451
452 /* defaults */
453 /*XXX dubious selection of ams here */
454 ams = ctx->arcset_chain->hdr_ams;
455 if (!ams->c.data)
456 {
457 ams->c_head.data = US"simple"; ams->c_head.len = 6;
458 ams->c_body = ams->c_head;
459 }
460 }
461 else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
462 {
463 DEBUG(D_acl)
464 {
465 int len = h->slen;
466 uschar * s;
467 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
468 s--, len--;
469 debug_printf("ARC: found AS: %.*s\n", len, h->text);
470 }
471 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
472 instance_only)))
473 {
474 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
475 return US"inserting AS";
476 }
477 }
478 return NULL;
479 }
480
481
482
483 /* Gather the chain of arc sets from the headers.
484 Check for duplicates while that is done. Also build the
485 reverse-order headers list;
486
487 Return: ARC state if determined, eg. by lack of any ARC chain.
488 */
489
490 static const uschar *
491 arc_vfy_collect_hdrs(arc_ctx * ctx)
492 {
493 header_line * h;
494 hdr_rlist * r = NULL, * rprev = NULL;
495 const uschar * e;
496
497 DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
498 for (h = header_list; h; h = h->next)
499 {
500 r = store_get(sizeof(hdr_rlist));
501 r->prev = rprev;
502 r->used = FALSE;
503 r->h = h;
504 rprev = r;
505
506 if ((e = arc_try_header(ctx, h, FALSE)))
507 {
508 arc_state_reason = string_sprintf("collecting headers: %s", e);
509 return US"fail";
510 }
511 }
512 headers_rlist = r;
513
514 if (!ctx->arcset_chain) return US"none";
515 return NULL;
516 }
517
518
519 static BOOL
520 arc_cv_match(arc_line * al, const uschar * s)
521 {
522 return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
523 }
524
525 /******************************************************************************/
526
527 /* Return the hash of headers from the message that the AMS claims it
528 signed.
529 */
530
531 static void
532 arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
533 {
534 const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
535 const uschar * hn;
536 int sep = ':';
537 hdr_rlist * r;
538 BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
539 int hashtype = pdkim_hashname_to_hashtype(
540 ams->a_hash.data, ams->a_hash.len);
541 hctx hhash_ctx;
542 const uschar * s;
543 int len;
544
545 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
546 {
547 DEBUG(D_acl)
548 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
549 return;
550 }
551
552 /* For each headername in the list from the AMS (walking in order)
553 walk the message headers in reverse order, adding to the hash any
554 found for the first time. For that last point, maintain used-marks
555 on the list of message headers. */
556
557 DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
558
559 for (r = headers_rlist; r; r = r->prev)
560 r->used = FALSE;
561 while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
562 for (r = headers_rlist; r; r = r->prev)
563 if ( !r->used
564 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
565 )
566 {
567 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
568
569 len = Ustrlen(s);
570 DEBUG(D_acl) pdkim_quoteprint(s, len);
571 exim_sha_update(&hhash_ctx, s, Ustrlen(s));
572 r->used = TRUE;
573 break;
574 }
575
576 /* Finally add in the signature header (with the b= tag stripped); no CRLF */
577
578 s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
579 if (relaxed)
580 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
581 DEBUG(D_acl) pdkim_quoteprint(s, len);
582 exim_sha_update(&hhash_ctx, s, len);
583
584 exim_sha_finish(&hhash_ctx, hhash);
585 DEBUG(D_acl)
586 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
587 return;
588 }
589
590
591
592
593 static pdkim_pubkey *
594 arc_line_to_pubkey(arc_line * al)
595 {
596 uschar * dns_txt;
597 pdkim_pubkey * p;
598
599 if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
600 al->s.len, al->s.data, al->d.len, al->d.data))))
601 {
602 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
603 return NULL;
604 }
605
606 if ( !(p = pdkim_parse_pubkey_record(dns_txt))
607 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
608 )
609 {
610 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
611 return NULL;
612 }
613
614 /* If the pubkey limits use to specified hashes, reject unusable
615 signatures. XXX should we have looked for multiple dns records? */
616
617 if (p->hashes)
618 {
619 const uschar * list = p->hashes, * ele;
620 int sep = ':';
621
622 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
623 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
624 if (!ele)
625 {
626 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
627 p->hashes, (int)al->a.len, al->a.data);
628 return NULL;
629 }
630 }
631 return p;
632 }
633
634
635
636
637 static pdkim_bodyhash *
638 arc_ams_setup_vfy_bodyhash(arc_line * ams)
639 {
640 int canon_head, canon_body;
641 long bodylen;
642
643 if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
644 pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
645 bodylen = ams->l.data
646 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
647
648 return pdkim_set_bodyhash(dkim_verify_ctx,
649 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
650 canon_body,
651 bodylen);
652 }
653
654
655
656 /* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
657 and without a DKIM v= tag.
658 */
659
660 static const uschar *
661 arc_ams_verify(arc_ctx * ctx, arc_set * as)
662 {
663 arc_line * ams = as->hdr_ams;
664 pdkim_bodyhash * b;
665 pdkim_pubkey * p;
666 blob sighash;
667 blob hhash;
668 ev_ctx vctx;
669 int hashtype;
670 const uschar * errstr;
671
672 as->ams_verify_done = US"in-progress";
673
674 /* Check the AMS has all the required tags:
675 "a=" algorithm
676 "b=" signature
677 "bh=" body hash
678 "d=" domain (for key lookup)
679 "h=" headers (included in signature)
680 "s=" key-selector (for key lookup)
681 */
682 if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
683 || !ams->h.data || !ams->s.data)
684 {
685 as->ams_verify_done = arc_state_reason = US"required tag missing";
686 return US"fail";
687 }
688
689
690 /* The bodyhash should have been created earlier, and the dkim code should
691 have managed calculating it during message input. Find the reference to it. */
692
693 if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
694 {
695 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
696 return US"fail";
697 }
698
699 DEBUG(D_acl)
700 {
701 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
702 " Body %.*s computed: ",
703 as->instance, b->signed_body_bytes,
704 (int)ams->a_hash.len, ams->a_hash.data);
705 pdkim_hexprint(CUS b->bh.data, b->bh.len);
706 }
707
708 /* We know the bh-tag blob is of a nul-term string, so safe as a string */
709
710 if ( !ams->bh.data
711 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
712 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
713 )
714 {
715 DEBUG(D_acl)
716 {
717 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
718 pdkim_hexprint(sighash.data, sighash.len);
719 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
720 }
721 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
722 }
723
724 DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
725
726 /* Get the public key from DNS */
727
728 if (!(p = arc_line_to_pubkey(ams)))
729 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
730
731 /* We know the b-tag blob is of a nul-term string, so safe as a string */
732 pdkim_decode_base64(ams->b.data, &sighash);
733
734 arc_get_verify_hhash(ctx, ams, &hhash);
735
736 /* Setup the interface to the signing library */
737
738 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
739 {
740 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
741 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
742 return US"fail";
743 }
744
745 hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
746
747 if ((errstr = exim_dkim_verify(&vctx,
748 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
749 {
750 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
751 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
752 }
753
754 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
755 as->ams_verify_passed = TRUE;
756 return NULL;
757 }
758
759
760
761 /* Check the sets are instance-continuous and that all
762 members are present. Check that no arc_seals are "fail".
763 Set the highest instance number global.
764 Verify the latest AMS.
765 */
766 static uschar *
767 arc_headers_check(arc_ctx * ctx)
768 {
769 arc_set * as;
770 int inst;
771 BOOL ams_fail_found = FALSE;
772
773 if (!(as = ctx->arcset_chain_last))
774 return US"none";
775
776 for(inst = as->instance; as; as = as->prev, inst--)
777 {
778 if (as->instance != inst)
779 arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
780 as->instance, inst);
781 else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
782 arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
783 else if (arc_cv_match(as->hdr_as, US"fail"))
784 arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
785 else
786 goto good;
787
788 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
789 return US"fail";
790
791 good:
792 /* Evaluate the oldest-pass AMS validation while we're here.
793 It does not affect the AS chain validation but is reported as
794 auxilary info. */
795
796 if (!ams_fail_found)
797 if (arc_ams_verify(ctx, as))
798 ams_fail_found = TRUE;
799 else
800 arc_oldest_pass = inst;
801 arc_state_reason = NULL;
802 }
803 if (inst != 0)
804 {
805 arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
806 DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
807 return US"fail";
808 }
809
810 arc_received = ctx->arcset_chain_last;
811 arc_received_instance = arc_received->instance;
812
813 /* We can skip the latest-AMS validation, if we already did it. */
814
815 as = ctx->arcset_chain_last;
816 if (!as->ams_verify_passed)
817 {
818 if (as->ams_verify_done)
819 {
820 arc_state_reason = as->ams_verify_done;
821 return US"fail";
822 }
823 if (!!arc_ams_verify(ctx, as))
824 return US"fail";
825 }
826 return NULL;
827 }
828
829
830 /******************************************************************************/
831 static const uschar *
832 arc_seal_verify(arc_ctx * ctx, arc_set * as)
833 {
834 arc_line * hdr_as = as->hdr_as;
835 arc_set * as2;
836 int hashtype;
837 hctx hhash_ctx;
838 blob hhash_computed;
839 blob sighash;
840 ev_ctx vctx;
841 pdkim_pubkey * p;
842 const uschar * errstr;
843
844 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
845 /*
846 1. If the value of the "cv" tag on that seal is "fail", the
847 chain state is "fail" and the algorithm stops here. (This
848 step SHOULD be skipped if the earlier step (2.1) was
849 performed) [it was]
850
851 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
852 == "none" && i != 1)) then the chain state is "fail" and the
853 algorithm stops here (note that the ordering of the logic is
854 structured for short-circuit evaluation).
855 */
856
857 if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
858 || arc_cv_match(hdr_as, US"none") && as->instance != 1
859 )
860 {
861 arc_state_reason = US"seal cv state";
862 return US"fail";
863 }
864
865 /*
866 3. Initialize a hash function corresponding to the "a" tag of
867 the ARC-Seal.
868 */
869
870 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
871
872 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
873 {
874 DEBUG(D_acl)
875 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
876 arc_state_reason = US"seal hash setup error";
877 return US"fail";
878 }
879
880 /*
881 4. Compute the canonicalized form of the ARC header fields, in
882 the order described in Section 5.4.2, using the "relaxed"
883 header canonicalization defined in Section 3.4.2 of
884 [RFC6376]. Pass the canonicalized result to the hash
885 function.
886
887 Headers are CRLF-separated, but the last one is not crlf-terminated.
888 */
889
890 DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
891 for (as2 = ctx->arcset_chain;
892 as2 && as2->instance <= as->instance;
893 as2 = as2->next)
894 {
895 arc_line * al;
896 uschar * s;
897 int len;
898
899 al = as2->hdr_aar;
900 if (!(s = al->relaxed))
901 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
902 al->complete->slen, TRUE);
903 len = Ustrlen(s);
904 DEBUG(D_acl) pdkim_quoteprint(s, len);
905 exim_sha_update(&hhash_ctx, s, len);
906
907 al = as2->hdr_ams;
908 if (!(s = al->relaxed))
909 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
910 al->complete->slen, TRUE);
911 len = Ustrlen(s);
912 DEBUG(D_acl) pdkim_quoteprint(s, len);
913 exim_sha_update(&hhash_ctx, s, len);
914
915 al = as2->hdr_as;
916 if (as2->instance == as->instance)
917 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
918 al->rawsig_no_b_val.len, FALSE);
919 else if (!(s = al->relaxed))
920 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
921 al->complete->slen, TRUE);
922 len = Ustrlen(s);
923 DEBUG(D_acl) pdkim_quoteprint(s, len);
924 exim_sha_update(&hhash_ctx, s, len);
925 }
926
927 /*
928 5. Retrieve the final digest from the hash function.
929 */
930
931 exim_sha_finish(&hhash_ctx, &hhash_computed);
932 DEBUG(D_acl)
933 {
934 debug_printf("ARC i=%d AS Header %.*s computed: ",
935 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
936 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
937 }
938
939
940 /*
941 6. Retrieve the public key identified by the "s" and "d" tags in
942 the ARC-Seal, as described in Section 4.1.6.
943 */
944
945 if (!(p = arc_line_to_pubkey(hdr_as)))
946 return US"pubkey problem";
947
948 /*
949 7. Determine whether the signature portion ("b" tag) of the ARC-
950 Seal and the digest computed above are valid according to the
951 public key. (See also Section Section 8.4 for failure case
952 handling)
953
954 8. If the signature is not valid, the chain state is "fail" and
955 the algorithm stops here.
956 */
957
958 /* We know the b-tag blob is of a nul-term string, so safe as a string */
959 pdkim_decode_base64(hdr_as->b.data, &sighash);
960
961 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
962 {
963 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
964 return US"fail";
965 }
966
967 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
968
969 if ((errstr = exim_dkim_verify(&vctx,
970 pdkim_hashes[hashtype].exim_hashmethod,
971 &hhash_computed, &sighash)))
972 {
973 DEBUG(D_acl)
974 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
975 arc_state_reason = US"seal sigverify error";
976 return US"fail";
977 }
978
979 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
980 return NULL;
981 }
982
983
984 static const uschar *
985 arc_verify_seals(arc_ctx * ctx)
986 {
987 arc_set * as = ctx->arcset_chain;
988
989 if (!as)
990 return US"none";
991
992 while (as)
993 {
994 if (arc_seal_verify(ctx, as)) return US"fail";
995 as = as->next;
996 }
997 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
998 return NULL;
999 }
1000 /******************************************************************************/
1001
1002 /* Do ARC verification. Called from DATA ACL, on a verify = arc
1003 condition. No arguments; we are checking globals.
1004
1005 Return: The ARC state, or NULL on error.
1006 */
1007
1008 const uschar *
1009 acl_verify_arc(void)
1010 {
1011 const uschar * res;
1012
1013 memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1014
1015 if (!dkim_verify_ctx)
1016 {
1017 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1018 return NULL;
1019 }
1020
1021 /* AS evaluation, per
1022 https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1023 */
1024 /* 1. Collect all ARC sets currently on the message. If there were
1025 none, the ARC state is "none" and the algorithm stops here.
1026 */
1027
1028 if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1029 goto out;
1030
1031 /* 2. If the form of any ARC set is invalid (e.g., does not contain
1032 exactly one of each of the three ARC-specific header fields),
1033 then the chain state is "fail" and the algorithm stops here.
1034
1035 1. To avoid the overhead of unnecessary computation and delay
1036 from crypto and DNS operations, the cv value for all ARC-
1037 Seal(s) MAY be checked at this point. If any of the values
1038 are "fail", then the overall state of the chain is "fail" and
1039 the algorithm stops here.
1040
1041 3. Conduct verification of the ARC-Message-Signature header field
1042 bearing the highest instance number. If this verification fails,
1043 then the chain state is "fail" and the algorithm stops here.
1044 */
1045
1046 if ((res = arc_headers_check(&arc_verify_ctx)))
1047 goto out;
1048
1049 /* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1050 following logic:
1051
1052 1. If the value of the "cv" tag on that seal is "fail", the
1053 chain state is "fail" and the algorithm stops here. (This
1054 step SHOULD be skipped if the earlier step (2.1) was
1055 performed)
1056
1057 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1058 == "none" && i != 1)) then the chain state is "fail" and the
1059 algorithm stops here (note that the ordering of the logic is
1060 structured for short-circuit evaluation).
1061
1062 3. Initialize a hash function corresponding to the "a" tag of
1063 the ARC-Seal.
1064
1065 4. Compute the canonicalized form of the ARC header fields, in
1066 the order described in Section 5.4.2, using the "relaxed"
1067 header canonicalization defined in Section 3.4.2 of
1068 [RFC6376]. Pass the canonicalized result to the hash
1069 function.
1070
1071 5. Retrieve the final digest from the hash function.
1072
1073 6. Retrieve the public key identified by the "s" and "d" tags in
1074 the ARC-Seal, as described in Section 4.1.6.
1075
1076 7. Determine whether the signature portion ("b" tag) of the ARC-
1077 Seal and the digest computed above are valid according to the
1078 public key. (See also Section Section 8.4 for failure case
1079 handling)
1080
1081 8. If the signature is not valid, the chain state is "fail" and
1082 the algorithm stops here.
1083
1084 5. If all seals pass validation, then the chain state is "pass", and
1085 the algorithm is complete.
1086 */
1087
1088 if ((res = arc_verify_seals(&arc_verify_ctx)))
1089 goto out;
1090
1091 res = US"pass";
1092
1093 out:
1094 return res;
1095 }
1096
1097 /******************************************************************************/
1098
1099 /* Prepend the header to the rlist */
1100
1101 static hdr_rlist *
1102 arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1103 {
1104 hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line));
1105 header_line * h = r->h = (header_line *)(r+1);
1106
1107 r->prev = list;
1108 r->used = FALSE;
1109 h->next = NULL;
1110 h->type = 0;
1111 h->slen = len;
1112 h->text = US s;
1113
1114 /* This works for either NL or CRLF lines; also nul-termination */
1115 while (*++s)
1116 if (*s == '\n' && s[1] != '\t' && s[1] != ' ') break;
1117 s++; /* move past end of line */
1118
1119 return r;
1120 }
1121
1122
1123 /* Walk the given headers strings identifying each header, and construct
1124 a reverse-order list.
1125 */
1126
1127 static hdr_rlist *
1128 arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1129 {
1130 const uschar * s;
1131 hdr_rlist * rheaders = NULL;
1132
1133 s = sigheaders ? sigheaders->s : NULL;
1134 if (s) while (*s)
1135 {
1136 const uschar * s2 = s;
1137
1138 /* This works for either NL or CRLF lines; also nul-termination */
1139 while (*++s2)
1140 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1141 s2++; /* move past end of line */
1142
1143 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1144 s = s2;
1145 }
1146 return rheaders;
1147 }
1148
1149
1150
1151 /* Return the A-R content, without identity, with line-ending and
1152 NUL termination. */
1153
1154 static BOOL
1155 arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1156 {
1157 header_line * h;
1158 int ilen = Ustrlen(identity);
1159
1160 ret->data = NULL;
1161 for(h = headers; h; h = h->next)
1162 {
1163 uschar * s = h->text, c;
1164 int len = h->slen;
1165
1166 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1167 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1168 while ( len > 0
1169 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1170 s++, len--; /* FWS */
1171 if (Ustrncmp(s, identity, ilen) != 0) continue;
1172 s += ilen; len -= ilen; /* identity */
1173 if (len <= 0) continue;
1174 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1175 while ( len > 0
1176 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1177 s++, len--; /* FWS */
1178 if (len <= 0) continue;
1179 ret->data = s;
1180 ret->len = len;
1181 return TRUE;
1182 }
1183 return FALSE;
1184 }
1185
1186
1187
1188 /* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1189
1190 static gstring *
1191 arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1192 const uschar * identity, int instance, blob * ar)
1193 {
1194 int aar_off = g ? g->ptr : 0;
1195 arc_set * as = store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line));
1196 arc_line * al = (arc_line *)(as+1);
1197 header_line * h = (header_line *)(al+1);
1198
1199 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1200 g = string_cat(g, string_sprintf(" i=%d; %s;\r\n\t", instance, identity));
1201 g = string_catn(g, US ar->data, ar->len);
1202
1203 h->slen = g->ptr - aar_off;
1204 h->text = g->s + aar_off;
1205 al->complete = h;
1206 as->next = NULL;
1207 as->prev = ctx->arcset_chain_last;
1208 as->instance = instance;
1209 as->hdr_aar = al;
1210 if (instance == 1)
1211 ctx->arcset_chain = as;
1212 else
1213 ctx->arcset_chain_last->next = as;
1214 ctx->arcset_chain_last = as;
1215
1216 DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1217 return g;
1218 }
1219
1220
1221
1222 static BOOL
1223 arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1224 blob * sig, const uschar * why)
1225 {
1226 hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1227 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1228 blob hhash;
1229 es_ctx sctx;
1230 const uschar * errstr;
1231
1232 DEBUG(D_transport)
1233 {
1234 hctx hhash_ctx;
1235 debug_printf("ARC: %s header data for signing:\n", why);
1236 pdkim_quoteprint(hdata->s, hdata->ptr);
1237
1238 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1239 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1240 exim_sha_finish(&hhash_ctx, &hhash);
1241 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1242 }
1243
1244 if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1245 {
1246 hctx hhash_ctx;
1247 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1248 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1249 exim_sha_finish(&hhash_ctx, &hhash);
1250 }
1251 else
1252 {
1253 hhash.data = hdata->s;
1254 hhash.len = hdata->ptr;
1255 }
1256
1257 if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1258 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1259 {
1260 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1261 return FALSE;
1262 }
1263 return TRUE;
1264 }
1265
1266
1267
1268 static gstring *
1269 arc_sign_append_sig(gstring * g, blob * sig)
1270 {
1271 /*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1272 sig->data = pdkim_encode_base64(sig);
1273 sig->len = Ustrlen(sig->data);
1274 for (;;)
1275 {
1276 int len = MIN(sig->len, 74);
1277 g = string_catn(g, sig->data, len);
1278 if ((sig->len -= len) == 0) break;
1279 sig->data += len;
1280 g = string_catn(g, US"\r\n\t ", 5);
1281 }
1282 g = string_catn(g, US";\r\n", 3);
1283 gstring_reset_unused(g);
1284 string_from_gstring(g);
1285 return g;
1286 }
1287
1288
1289 /* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1290
1291 static gstring *
1292 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1293 const uschar * identity, const uschar * selector, blob * bodyhash,
1294 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1295 {
1296 uschar * s;
1297 gstring * hdata = NULL;
1298 int col;
1299 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1300 blob sig;
1301 int ams_off;
1302 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1303 header_line * h = (header_line *)(al+1);
1304
1305 /* debug_printf("%s\n", __FUNCTION__); */
1306
1307 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1308
1309 ams_off = g->ptr;
1310 g = string_append(g, 7,
1311 ARC_HDR_AMS,
1312 US" i=", string_sprintf("%d", instance),
1313 US"; a=rsa-sha256; c=relaxed; d=", identity, /*XXX hardwired */
1314 US"; s=", selector);
1315 if (options & ARC_SIGN_OPT_TSTAMP)
1316 g = string_append(g, 2,
1317 US"; t=", string_sprintf("%lu", (u_long)now));
1318 if (options & ARC_SIGN_OPT_EXPIRE)
1319 g = string_append(g, 2,
1320 US"; x=", string_sprintf("%lu", (u_long)expire));
1321 g = string_append(g, 3,
1322 US";\r\n\tbh=", pdkim_encode_base64(bodyhash),
1323 US";\r\n\th=");
1324
1325 for(col = 3; rheaders; rheaders = rheaders->prev)
1326 {
1327 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1328 uschar * name, * htext = rheaders->h->text;
1329 int sep = ':';
1330
1331 /* Spot headers of interest */
1332
1333 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1334 {
1335 int len = Ustrlen(name);
1336 if (strncasecmp(CCS htext, CCS name, len) == 0)
1337 {
1338 /* If too long, fold line in h= field */
1339
1340 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1341
1342 /* Add name to h= list */
1343
1344 g = string_catn(g, name, len);
1345 g = string_catn(g, US":", 1);
1346 col += len + 1;
1347
1348 /* Accumulate header for hashing/signing */
1349
1350 hdata = string_cat(hdata,
1351 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1352 break;
1353 }
1354 }
1355 }
1356
1357 /* Lose the last colon from the h= list */
1358
1359 if (g->s[g->ptr - 1] == ':') g->ptr--;
1360
1361 g = string_catn(g, US";\r\n\tb=;", 7);
1362
1363 /* Include the pseudo-header in the accumulation */
1364
1365 s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1366 hdata = string_cat(hdata, s);
1367
1368 /* Calculate the signature from the accumulation */
1369 /*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1370
1371 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1372 return NULL;
1373
1374 /* Lose the trailing semicolon from the psuedo-header, and append the signature
1375 (folded over lines) and termination to complete it. */
1376
1377 g->ptr--;
1378 g = arc_sign_append_sig(g, &sig);
1379
1380 h->slen = g->ptr - ams_off;
1381 h->text = g->s + ams_off;
1382 al->complete = h;
1383 ctx->arcset_chain_last->hdr_ams = al;
1384
1385 DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1386 return g;
1387 }
1388
1389
1390
1391 /* Look for an arc= result in an A-R header blob. We know that its data
1392 happens to be a NUL-term string. */
1393
1394 static uschar *
1395 arc_ar_cv_status(blob * ar)
1396 {
1397 const uschar * resinfo = ar->data;
1398 int sep = ';';
1399 uschar * methodspec, * s;
1400
1401 while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1402 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1403 {
1404 uschar c;
1405 for (s = methodspec += 4;
1406 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1407 return string_copyn(methodspec, s - methodspec);
1408 }
1409 return US"none";
1410 }
1411
1412
1413
1414 /* Build the AS header and prepend it */
1415
1416 static gstring *
1417 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1418 int instance, const uschar * identity, const uschar * selector, blob * ar,
1419 const uschar * privkey, unsigned options)
1420 {
1421 gstring * arcset;
1422 arc_set * as;
1423 uschar * status = arc_ar_cv_status(ar);
1424 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1425 header_line * h = (header_line *)(al+1);
1426
1427 gstring * hdata = NULL;
1428 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1429 blob sig;
1430
1431 /*
1432 - Generate AS
1433 - no body coverage
1434 - no h= tag; implicit coverage
1435 - arc status from A-R
1436 - if fail:
1437 - coverage is just the new ARC set
1438 including self (but with an empty b= in self)
1439 - if non-fail:
1440 - all ARC set headers, set-number order, aar then ams then as,
1441 including self (but with an empty b= in self)
1442 */
1443
1444 /* Construct the AS except for the signature */
1445
1446 arcset = string_append(NULL, 9,
1447 ARC_HDR_AS,
1448 US" i=", string_sprintf("%d", instance),
1449 US"; cv=", status,
1450 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1451 US"; s=", selector); /*XXX same as AMS */
1452 if (options & ARC_SIGN_OPT_TSTAMP)
1453 arcset = string_append(arcset, 2,
1454 US"; t=", string_sprintf("%lu", (u_long)now));
1455 arcset = string_cat(arcset,
1456 US";\r\n\t b=;");
1457
1458 h->slen = arcset->ptr;
1459 h->text = arcset->s;
1460 al->complete = h;
1461 ctx->arcset_chain_last->hdr_as = al;
1462
1463 /* For any but "fail" chain-verify status, walk the entire chain in order by
1464 instance. For fail, only the new arc-set. Accumulate the elements walked. */
1465
1466 for (as = Ustrcmp(status, US"fail") == 0
1467 ? ctx->arcset_chain_last : ctx->arcset_chain;
1468 as; as = as->next)
1469 {
1470 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1471 is required per standard. */
1472
1473 h = as->hdr_aar->complete;
1474 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1475 h = as->hdr_ams->complete;
1476 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1477 h = as->hdr_as->complete;
1478 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1479 }
1480
1481 /* Calculate the signature from the accumulation */
1482
1483 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1484 return NULL;
1485
1486 /* Lose the trailing semicolon */
1487 arcset->ptr--;
1488 arcset = arc_sign_append_sig(arcset, &sig);
1489 DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1490
1491 /* Finally, append the AMS and AAR to the new AS */
1492
1493 return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1494 }
1495
1496
1497 /**************************************/
1498
1499 /* Return pointer to pdkim_bodyhash for given hash method, creating new
1500 method if needed.
1501 */
1502
1503 void *
1504 arc_ams_setup_sign_bodyhash(void)
1505 {
1506 int canon_head, canon_body;
1507
1508 DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1509 pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1510 return pdkim_set_bodyhash(&dkim_sign_ctx,
1511 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1512 canon_body,
1513 -1);
1514 }
1515
1516
1517
1518 void
1519 arc_sign_init(void)
1520 {
1521 memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1522 }
1523
1524
1525
1526 /* A "normal" header line, identified by DKIM processing. These arrive before
1527 the call to arc_sign(), which carries any newly-created DKIM headers - and
1528 those go textually before the normal ones in the message.
1529
1530 We have to take the feed from DKIM as, in the transport-filter case, the
1531 headers are not in memory at the time of the call to arc_sign().
1532
1533 Take a copy of the header and construct a reverse-order list.
1534 Also parse ARC-chain headers and build the chain struct, retaining pointers
1535 into the copies.
1536 */
1537
1538 static const uschar *
1539 arc_header_sign_feed(gstring * g)
1540 {
1541 uschar * s = string_copyn(g->s, g->ptr);
1542 headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1543 return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1544 }
1545
1546
1547
1548 /* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1549 The dkim_exim_sign() function has already been called, so will have hashed the
1550 message body for us so long as we requested a hash previously.
1551
1552 Arguments:
1553 signspec Three-element colon-sep list: identity, selector, privkey.
1554 Optional fourth element: comma-sep list of options.
1555 Already expanded
1556 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1557 errstr Error string
1558
1559 Return value
1560 Set of headers to prepend to the message, including the supplied sigheaders
1561 but not the plainheaders.
1562 */
1563
1564 gstring *
1565 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1566 {
1567 const uschar * identity, * selector, * privkey, * opts, * s;
1568 unsigned options = 0;
1569 int sep = 0;
1570 header_line * headers;
1571 hdr_rlist * rheaders;
1572 blob ar;
1573 int instance;
1574 gstring * g = NULL;
1575 pdkim_bodyhash * b;
1576
1577 expire = now = 0;
1578
1579 /* Parse the signing specification */
1580
1581 identity = string_nextinlist(&signspec, &sep, NULL, 0);
1582 selector = string_nextinlist(&signspec, &sep, NULL, 0);
1583 if ( !*identity || !*selector
1584 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1585 {
1586 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
1587 !*identity ? "identity" : !*selector ? "selector" : "private-key");
1588 return sigheaders ? sigheaders : string_get(0);
1589 }
1590 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1591 return sigheaders ? sigheaders : string_get(0);
1592
1593 if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1594 {
1595 int osep = ',';
1596 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1597 if (Ustrcmp(s, "timestamps") == 0)
1598 {
1599 options |= ARC_SIGN_OPT_TSTAMP;
1600 if (!now) now = time(NULL);
1601 }
1602 else if (Ustrncmp(s, "expire", 6) == 0)
1603 {
1604 options |= ARC_SIGN_OPT_EXPIRE;
1605 if (*(s += 6) == '=')
1606 if (*++s == '+')
1607 {
1608 if (!(expire = (time_t)atoi(++s)))
1609 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1610 if (!now) now = time(NULL);
1611 expire += now;
1612 }
1613 else
1614 expire = (time_t)atol(s);
1615 else
1616 {
1617 if (!now) now = time(NULL);
1618 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1619 }
1620 }
1621 }
1622
1623 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1624
1625 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1626 Then scan the list for an A-R header. */
1627
1628 string_from_gstring(sigheaders);
1629 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1630 {
1631 hdr_rlist ** rp;
1632 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1633 *rp = rheaders;
1634 }
1635
1636 /* Finally, build a normal-order headers list */
1637 /*XXX only needed for hunt-the-AR? */
1638 /*XXX also, we really should be accepting any number of ADMD-matching ARs */
1639 {
1640 header_line * hnext = NULL;
1641 for (rheaders = headers_rlist; rheaders;
1642 hnext = rheaders->h, rheaders = rheaders->prev)
1643 rheaders->h->next = hnext;
1644 headers = hnext;
1645 }
1646
1647 if (!(arc_sign_find_ar(headers, identity, &ar)))
1648 {
1649 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1650 return sigheaders ? sigheaders : string_get(0);
1651 }
1652
1653 /* We previously built the data-struct for the existing ARC chain, if any, using a headers
1654 feed from the DKIM module. Use that to give the instance number for the ARC set we are
1655 about to build. */
1656
1657 DEBUG(D_transport)
1658 if (arc_sign_ctx.arcset_chain_last)
1659 debug_printf("ARC: existing chain highest instance: %d\n",
1660 arc_sign_ctx.arcset_chain_last->instance);
1661 else
1662 debug_printf("ARC: no existing chain\n");
1663
1664 instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1665
1666 /*
1667 - Generate AAR
1668 - copy the A-R; prepend i= & identity
1669 */
1670
1671 g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1672
1673 /*
1674 - Generate AMS
1675 - Looks fairly like a DKIM sig
1676 - Cover all DKIM sig headers as well as the usuals
1677 - ? oversigning?
1678 - Covers the data
1679 - we must have requested a suitable bodyhash previously
1680 */
1681
1682 b = arc_ams_setup_sign_bodyhash();
1683 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1684 &b->bh, headers_rlist, privkey, options);
1685
1686 /*
1687 - Generate AS
1688 - no body coverage
1689 - no h= tag; implicit coverage
1690 - arc status from A-R
1691 - if fail:
1692 - coverage is just the new ARC set
1693 including self (but with an empty b= in self)
1694 - if non-fail:
1695 - all ARC set headers, set-number order, aar then ams then as,
1696 including self (but with an empty b= in self)
1697 */
1698
1699 if (g)
1700 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1701 privkey, options);
1702
1703 /* Finally, append the dkim headers and return the lot. */
1704
1705 g = string_catn(g, sigheaders->s, sigheaders->ptr);
1706 (void) string_from_gstring(g);
1707 gstring_reset_unused(g);
1708 return g;
1709 }
1710
1711
1712 /******************************************************************************/
1713
1714 /* Check to see if the line is an AMS and if so, set up to validate it.
1715 Called from the DKIM input processing. This must be done now as the message
1716 body data is hashed during input.
1717
1718 We call the DKIM code to request a body-hash; it has the facility already
1719 and the hash parameters might be common with other requests.
1720 */
1721
1722 static const uschar *
1723 arc_header_vfy_feed(gstring * g)
1724 {
1725 header_line h;
1726 arc_line al;
1727 pdkim_bodyhash * b;
1728 uschar * errstr;
1729
1730 if (!dkim_verify_ctx) return US"no dkim context";
1731
1732 if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1733
1734 DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1735 /* Parse the AMS header */
1736
1737 h.next = NULL;
1738 h.slen = g->size;
1739 h.text = g->s;
1740 memset(&al, 0, sizeof(arc_line));
1741 if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1742 {
1743 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1744 return US"line parsing error";
1745 }
1746
1747 /* defaults */
1748 if (!al.c.data)
1749 {
1750 al.c_body.data = US"simple"; al.c_body.len = 6;
1751 al.c_head = al.c_body;
1752 }
1753
1754 /* Ask the dkim code to calc a bodyhash with those specs */
1755
1756 if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1757 return US"dkim hash setup fail";
1758
1759 /* Discard the reference; search again at verify time, knowing that one
1760 should have been created here. */
1761
1762 return NULL;
1763 }
1764
1765
1766
1767 /* A header line has been identified by DKIM processing.
1768
1769 Arguments:
1770 g Header line
1771 is_vfy TRUE for verify mode or FALSE for signing mode
1772
1773 Return:
1774 NULL for success, or an error string (probably unused)
1775 */
1776
1777 const uschar *
1778 arc_header_feed(gstring * g, BOOL is_vfy)
1779 {
1780 return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1781 }
1782
1783
1784
1785 /******************************************************************************/
1786
1787 /* Construct the list of domains from the ARC chain after validation */
1788
1789 uschar *
1790 fn_arc_domains(void)
1791 {
1792 arc_set * as;
1793 unsigned inst;
1794 gstring * g = NULL;
1795
1796 for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1797 {
1798 arc_line * hdr_as = as->hdr_as;
1799 if (hdr_as)
1800 {
1801 blob * d = &hdr_as->d;
1802
1803 for (; inst < as->instance; inst++)
1804 g = string_catn(g, US":", 1);
1805
1806 g = d->data && d->len
1807 ? string_append_listele_n(g, ':', d->data, d->len)
1808 : string_catn(g, US":", 1);
1809 }
1810 else
1811 g = string_catn(g, US":", 1);
1812 }
1813 return g ? g->s : US"";
1814 }
1815
1816
1817 /* Construct an Authentication-Results header portion, for the ARC module */
1818
1819 gstring *
1820 authres_arc(gstring * g)
1821 {
1822 if (arc_state)
1823 {
1824 arc_line * highest_ams;
1825 int start = 0; /* Compiler quietening */
1826 DEBUG(D_acl) start = g->ptr;
1827
1828 g = string_append(g, 2, US";\n\tarc=", arc_state);
1829 if (arc_received_instance > 0)
1830 {
1831 g = string_append(g, 3, US" (i=",
1832 string_sprintf("%d", arc_received_instance), US")");
1833 if (arc_state_reason)
1834 g = string_append(g, 3, US"(", arc_state_reason, US")");
1835 g = string_catn(g, US" header.s=", 10);
1836 highest_ams = arc_received->hdr_ams;
1837 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1838
1839 g = string_append(g, 2,
1840 US" arc.oldest-pass=", string_sprintf("%d", arc_oldest_pass));
1841
1842 if (sender_host_address)
1843 g = string_append(g, 2, US" smtp.client-ip=", sender_host_address);
1844 }
1845 else if (arc_state_reason)
1846 g = string_append(g, 3, US" (", arc_state_reason, US")");
1847 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1848 g->ptr - start - 3, g->s + start + 3);
1849 }
1850 else
1851 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1852 return g;
1853 }
1854
1855
1856 # endif /* SUPPORT_SPF */
1857 #endif /* EXPERIMENTAL_ARC */
1858 /* vi: aw ai sw=2
1859 */
Unnamed repository; edit this file 'description' to name the repository.