projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix macOS build
[exim.git] / src / src / arc.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4 /* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018
6 License: GPL
7 */
8
9 #include "exim.h"
10 #ifdef EXPERIMENTAL_ARC
11 # if !defined SUPPORT_SPF
12 # error SPF must also be enabled for ARC
13 # elif defined DISABLE_DKIM
14 # error DKIM must also be enabled for ARC
15 # else
16
17 # include "functions.h"
18 # include "pdkim/pdkim.h"
19 # include "pdkim/signing.h"
20
21 extern pdkim_ctx * dkim_verify_ctx;
22 extern pdkim_ctx dkim_sign_ctx;
23
24 #define ARC_SIGN_OPT_TSTAMP BIT(0)
25 #define ARC_SIGN_OPT_EXPIRE BIT(1)
26
27 #define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
28
29 /******************************************************************************/
30
31 typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
33 BOOL used;
34 header_line * h;
35 } hdr_rlist;
36
37 typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
39 uschar * relaxed;
40
41 /* identified tag contents */
42 /*XXX t= for AS? */
43 blob i;
44 blob cv;
45 blob a;
46 blob b;
47 blob bh;
48 blob d;
49 blob h;
50 blob s;
51 blob c;
52 blob l;
53
54 /* tag content sub-portions */
55 blob a_algo;
56 blob a_hash;
57
58 blob c_head;
59 blob c_body;
60
61 /* modified copy of b= field in line */
62 blob rawsig_no_b_val;
63 } arc_line;
64
65 typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
68
69 unsigned instance;
70 arc_line * hdr_aar;
71 arc_line * hdr_ams;
72 arc_line * hdr_as;
73
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
76 } arc_set;
77
78 typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
81 } arc_ctx;
82
83 #define ARC_HDR_AAR US"ARC-Authentication-Results:"
84 #define ARC_HDRLEN_AAR 27
85 #define ARC_HDR_AMS US"ARC-Message-Signature:"
86 #define ARC_HDRLEN_AMS 22
87 #define ARC_HDR_AS US"ARC-Seal:"
88 #define ARC_HDRLEN_AS 9
89 #define HDR_AR US"Authentication-Results:"
90 #define HDRLEN_AR 23
91
92 static time_t now;
93 static time_t expire;
94 static hdr_rlist * headers_rlist;
95 static arc_ctx arc_sign_ctx = { NULL };
96 static arc_ctx arc_verify_ctx = { NULL };
97
98
99 /******************************************************************************/
100
101
102 /* Get the instance number from the header.
103 Return 0 on error */
104 static unsigned
105 arc_instance_from_hdr(const arc_line * al)
106 {
107 const uschar * s = al->i.data;
108 if (!s || !al->i.len) return 0;
109 return (unsigned) atoi(CCS s);
110 }
111
112
113 static uschar *
114 skip_fws(uschar * s)
115 {
116 uschar c = *s;
117 while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
118 return s;
119 }
120
121
122 /* Locate instance struct on chain, inserting a new one if
123 needed. The chain is in increasing-instance-number order
124 by the "next" link, and we have a "prev" link also.
125 */
126
127 static arc_set *
128 arc_find_set(arc_ctx * ctx, unsigned i)
129 {
130 arc_set ** pas, * as, * next, * prev;
131
132 for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
134 {
135 if (as->instance > i) break;
136 if (as->instance == i)
137 {
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
139 return as;
140 }
141 next = as->next;
142 prev = as;
143 }
144
145 DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146 *pas = as = store_get(sizeof(arc_set), FALSE);
147 memset(as, 0, sizeof(arc_set));
148 as->next = next;
149 as->prev = prev;
150 as->instance = i;
151 if (next)
152 next->prev = as;
153 else
154 ctx->arcset_chain_last = as;
155 return as;
156 }
157
158
159
160 /* Insert a tag content into the line structure.
161 Note this is a reference to existing data, not a copy.
162 Check for already-seen tag.
163 The string-pointer is on the '=' for entry. Update it past the
164 content (to the ;) on return;
165 */
166
167 static uschar *
168 arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
169 {
170 uschar * s = *ss;
171 uschar c = *++s;
172 blob * b = (blob *)(US al + loff);
173 size_t len = 0;
174
175 /* [FWS] tag-value [FWS] */
176
177 if (b->data) return US"fail";
178 s = skip_fws(s); /* FWS */
179
180 b->data = s;
181 while ((c = *s) && c != ';') { len++; s++; }
182 *ss = s;
183 while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
185 b->len = len;
186 return NULL;
187 }
188
189
190 /* Inspect a header line, noting known tag fields.
191 Check for duplicates. */
192
193 static uschar *
194 arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
195 {
196 uschar * s = h->text + off;
197 uschar * r = NULL; /* compiler-quietening */
198 uschar c;
199
200 al->complete = h;
201
202 if (!instance_only)
203 {
204 al->rawsig_no_b_val.data = store_get(h->slen + 1, TRUE); /* tainted */
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
208 }
209
210 /* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
211
212 while ((c = *s))
213 {
214 char tagchar;
215 uschar * t;
216 unsigned i = 0;
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
219
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
221
222 s = skip_fws(s); /* FWS */
223 if (!*s) break;
224 /* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
225 tagchar = *s++;
226 s = skip_fws(s); /* FWS */
227 if (!*s) break;
228
229 if (!instance_only || tagchar == 'i') switch (tagchar)
230 {
231 case 'a': /* a= AMS algorithm */
232 {
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
235
236 /* substructure: algo-hash (eg. rsa-sha256) */
237
238 t = al->a_algo.data = al->a.data;
239 while (*t != '-')
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
241 al->a_algo.len = i;
242 if (*t++ != '-') return US"no '-' in 'a' value";
243 al->a_hash.data = t;
244 al->a_hash.len = al->a.len - i - 1;
245 }
246 break;
247 case 'b':
248 {
249 gstring * g = NULL;
250
251 switch (*s)
252 {
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
255 bstart = s+1;
256
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
259
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 if (!g) return US"no b= value";
264 al->b.data = string_from_gstring(g);
265 al->b.len = g->ptr;
266 gstring_release_unused(g);
267 bend = s;
268 break;
269 case 'h': /* bh= AMS body hash */
270 s = skip_fws(++s); /* FWS */
271 if (*s != '=') return US"no bh value";
272 if (al->bh.data) return US"already bh data";
273
274 /* The bodyhash can have FWS inserted in the content;
275 make a stripped copy */
276
277 while ((c = *++s) && c != ';')
278 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
279 g = string_catn(g, s, 1);
280 if (!g) return US"no bh= value";
281 al->bh.data = string_from_gstring(g);
282 al->bh.len = g->ptr;
283 gstring_release_unused(g);
284 break;
285 default:
286 return US"b? tag";
287 }
288 }
289 break;
290 case 'c':
291 switch (*s)
292 {
293 case '=': /* c= AMS canonicalisation */
294 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
295
296 /* substructure: head/body (eg. relaxed/simple)) */
297
298 t = al->c_head.data = al->c.data;
299 while (isalpha(*t))
300 if (!*t++ || ++i > al->a.len) break;
301 al->c_head.len = i;
302 if (*t++ == '/') /* /body is optional */
303 {
304 al->c_body.data = t;
305 al->c_body.len = al->c.len - i - 1;
306 }
307 else
308 {
309 al->c_body.data = US"simple";
310 al->c_body.len = 6;
311 }
312 break;
313 case 'v': /* cv= AS validity */
314 if (*++s != '=') return US"cv tag val";
315 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
316 break;
317 default:
318 return US"c? tag";
319 }
320 break;
321 case 'd': /* d= AMS domain */
322 if (*s != '=') return US"d tag val";
323 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
324 break;
325 case 'h': /* h= AMS headers */
326 if (*s != '=') return US"h tag val";
327 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
328 break;
329 case 'i': /* i= ARC set instance */
330 if (*s != '=') return US"i tag val";
331 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
332 if (instance_only) goto done;
333 break;
334 case 'l': /* l= bodylength */
335 if (*s != '=') return US"l tag val";
336 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
337 break;
338 case 's': /* s= AMS selector */
339 if (*s != '=') return US"s tag val";
340 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
341 break;
342 }
343
344 while ((c = *s) && c != ';') s++;
345 if (c) s++; /* ; after tag-spec */
346
347 /* for all but the b= tag, copy the field including FWS. For the b=,
348 drop the tag content. */
349
350 if (!instance_only)
351 if (bstart)
352 {
353 size_t n = bstart - fieldstart;
354 memcpy(r, fieldstart, n); /* FWS "b=" */
355 r += n;
356 al->rawsig_no_b_val.len += n;
357 n = s - bend;
358 memcpy(r, bend, n); /* FWS ";" */
359 r += n;
360 al->rawsig_no_b_val.len += n;
361 }
362 else
363 {
364 size_t n = s - fieldstart;
365 memcpy(r, fieldstart, n);
366 r += n;
367 al->rawsig_no_b_val.len += n;
368 }
369 }
370
371 if (!instance_only)
372 *r = '\0';
373
374 done:
375 /* debug_printf("%s: finshed\n", __FUNCTION__); */
376 return NULL;
377 }
378
379
380 /* Insert one header line in the correct set of the chain,
381 adding instances as needed and checking for duplicate lines.
382 */
383
384 static uschar *
385 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
386 BOOL instance_only)
387 {
388 unsigned i;
389 arc_set * as;
390 arc_line * al = store_get(sizeof(arc_line), FALSE), ** alp;
391 uschar * e;
392
393 memset(al, 0, sizeof(arc_line));
394
395 if ((e = arc_parse_line(al, h, off, instance_only)))
396 {
397 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
398 return US"line parse";
399 }
400 if (!(i = arc_instance_from_hdr(al))) return US"instance find";
401 if (i > 50) return US"overlarge instance number";
402 if (!(as = arc_find_set(ctx, i))) return US"set find";
403 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
404
405 *alp = al;
406 return NULL;
407 }
408
409
410
411
412 static const uschar *
413 arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
414 {
415 const uschar * e;
416
417 /*debug_printf("consider hdr '%s'\n", h->text);*/
418 if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
419 {
420 DEBUG(D_acl)
421 {
422 int len = h->slen;
423 uschar * s;
424 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
425 s--, len--;
426 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
427 }
428 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
429 TRUE)))
430 {
431 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
432 return US"inserting AAR";
433 }
434 }
435 else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
436 {
437 arc_line * ams;
438
439 DEBUG(D_acl)
440 {
441 int len = h->slen;
442 uschar * s;
443 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
444 s--, len--;
445 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
446 }
447 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
448 instance_only)))
449 {
450 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
451 return US"inserting AMS";
452 }
453
454 /* defaults */
455 /*XXX dubious selection of ams here */
456 ams = ctx->arcset_chain->hdr_ams;
457 if (!ams->c.data)
458 {
459 ams->c_head.data = US"simple"; ams->c_head.len = 6;
460 ams->c_body = ams->c_head;
461 }
462 }
463 else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
464 {
465 DEBUG(D_acl)
466 {
467 int len = h->slen;
468 uschar * s;
469 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
470 s--, len--;
471 debug_printf("ARC: found AS: %.*s\n", len, h->text);
472 }
473 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
474 instance_only)))
475 {
476 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
477 return US"inserting AS";
478 }
479 }
480 return NULL;
481 }
482
483
484
485 /* Gather the chain of arc sets from the headers.
486 Check for duplicates while that is done. Also build the
487 reverse-order headers list;
488
489 Return: ARC state if determined, eg. by lack of any ARC chain.
490 */
491
492 static const uschar *
493 arc_vfy_collect_hdrs(arc_ctx * ctx)
494 {
495 header_line * h;
496 hdr_rlist * r = NULL, * rprev = NULL;
497 const uschar * e;
498
499 DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
500 for (h = header_list; h; h = h->next)
501 {
502 r = store_get(sizeof(hdr_rlist), FALSE);
503 r->prev = rprev;
504 r->used = FALSE;
505 r->h = h;
506 rprev = r;
507
508 if ((e = arc_try_header(ctx, h, FALSE)))
509 {
510 arc_state_reason = string_sprintf("collecting headers: %s", e);
511 return US"fail";
512 }
513 }
514 headers_rlist = r;
515
516 if (!ctx->arcset_chain) return US"none";
517 return NULL;
518 }
519
520
521 static BOOL
522 arc_cv_match(arc_line * al, const uschar * s)
523 {
524 return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
525 }
526
527 /******************************************************************************/
528
529 /* Return the hash of headers from the message that the AMS claims it
530 signed.
531 */
532
533 static void
534 arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
535 {
536 const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
537 const uschar * hn;
538 int sep = ':';
539 hdr_rlist * r;
540 BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
541 int hashtype = pdkim_hashname_to_hashtype(
542 ams->a_hash.data, ams->a_hash.len);
543 hctx hhash_ctx;
544 const uschar * s;
545 int len;
546
547 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
548 {
549 DEBUG(D_acl)
550 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
551 return;
552 }
553
554 /* For each headername in the list from the AMS (walking in order)
555 walk the message headers in reverse order, adding to the hash any
556 found for the first time. For that last point, maintain used-marks
557 on the list of message headers. */
558
559 DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
560
561 for (r = headers_rlist; r; r = r->prev)
562 r->used = FALSE;
563 while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
564 for (r = headers_rlist; r; r = r->prev)
565 if ( !r->used
566 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
567 )
568 {
569 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
570
571 len = Ustrlen(s);
572 DEBUG(D_acl) pdkim_quoteprint(s, len);
573 exim_sha_update(&hhash_ctx, s, Ustrlen(s));
574 r->used = TRUE;
575 break;
576 }
577
578 /* Finally add in the signature header (with the b= tag stripped); no CRLF */
579
580 s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
581 if (relaxed)
582 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
583 DEBUG(D_acl) pdkim_quoteprint(s, len);
584 exim_sha_update(&hhash_ctx, s, len);
585
586 exim_sha_finish(&hhash_ctx, hhash);
587 DEBUG(D_acl)
588 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
589 return;
590 }
591
592
593
594
595 static pdkim_pubkey *
596 arc_line_to_pubkey(arc_line * al)
597 {
598 uschar * dns_txt;
599 pdkim_pubkey * p;
600
601 if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
602 (int)al->s.len, al->s.data, (int)al->d.len, al->d.data))))
603 {
604 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
605 return NULL;
606 }
607
608 if ( !(p = pdkim_parse_pubkey_record(dns_txt))
609 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
610 )
611 {
612 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
613 return NULL;
614 }
615
616 /* If the pubkey limits use to specified hashes, reject unusable
617 signatures. XXX should we have looked for multiple dns records? */
618
619 if (p->hashes)
620 {
621 const uschar * list = p->hashes, * ele;
622 int sep = ':';
623
624 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
625 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
626 if (!ele)
627 {
628 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
629 p->hashes, (int)al->a.len, al->a.data);
630 return NULL;
631 }
632 }
633 return p;
634 }
635
636
637
638
639 static pdkim_bodyhash *
640 arc_ams_setup_vfy_bodyhash(arc_line * ams)
641 {
642 int canon_head, canon_body;
643 long bodylen;
644
645 if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
646 pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
647 bodylen = ams->l.data
648 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
649
650 return pdkim_set_bodyhash(dkim_verify_ctx,
651 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
652 canon_body,
653 bodylen);
654 }
655
656
657
658 /* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
659 and without a DKIM v= tag.
660 */
661
662 static const uschar *
663 arc_ams_verify(arc_ctx * ctx, arc_set * as)
664 {
665 arc_line * ams = as->hdr_ams;
666 pdkim_bodyhash * b;
667 pdkim_pubkey * p;
668 blob sighash;
669 blob hhash;
670 ev_ctx vctx;
671 int hashtype;
672 const uschar * errstr;
673
674 as->ams_verify_done = US"in-progress";
675
676 /* Check the AMS has all the required tags:
677 "a=" algorithm
678 "b=" signature
679 "bh=" body hash
680 "d=" domain (for key lookup)
681 "h=" headers (included in signature)
682 "s=" key-selector (for key lookup)
683 */
684 if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
685 || !ams->h.data || !ams->s.data)
686 {
687 as->ams_verify_done = arc_state_reason = US"required tag missing";
688 return US"fail";
689 }
690
691
692 /* The bodyhash should have been created earlier, and the dkim code should
693 have managed calculating it during message input. Find the reference to it. */
694
695 if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
696 {
697 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
698 return US"fail";
699 }
700
701 DEBUG(D_acl)
702 {
703 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
704 " Body %.*s computed: ",
705 as->instance, b->signed_body_bytes,
706 (int)ams->a_hash.len, ams->a_hash.data);
707 pdkim_hexprint(CUS b->bh.data, b->bh.len);
708 }
709
710 /* We know the bh-tag blob is of a nul-term string, so safe as a string */
711
712 if ( !ams->bh.data
713 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
714 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
715 )
716 {
717 DEBUG(D_acl)
718 {
719 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
720 pdkim_hexprint(sighash.data, sighash.len);
721 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
722 }
723 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
724 }
725
726 DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
727
728 /* Get the public key from DNS */
729
730 if (!(p = arc_line_to_pubkey(ams)))
731 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
732
733 /* We know the b-tag blob is of a nul-term string, so safe as a string */
734 pdkim_decode_base64(ams->b.data, &sighash);
735
736 arc_get_verify_hhash(ctx, ams, &hhash);
737
738 /* Setup the interface to the signing library */
739
740 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
741 {
742 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
743 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
744 return US"fail";
745 }
746
747 hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
748
749 if ((errstr = exim_dkim_verify(&vctx,
750 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
751 {
752 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
753 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
754 }
755
756 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
757 as->ams_verify_passed = TRUE;
758 return NULL;
759 }
760
761
762
763 /* Check the sets are instance-continuous and that all
764 members are present. Check that no arc_seals are "fail".
765 Set the highest instance number global.
766 Verify the latest AMS.
767 */
768 static uschar *
769 arc_headers_check(arc_ctx * ctx)
770 {
771 arc_set * as;
772 int inst;
773 BOOL ams_fail_found = FALSE;
774
775 if (!(as = ctx->arcset_chain_last))
776 return US"none";
777
778 for(inst = as->instance; as; as = as->prev, inst--)
779 {
780 if (as->instance != inst)
781 arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
782 as->instance, inst);
783 else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
784 arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
785 else if (arc_cv_match(as->hdr_as, US"fail"))
786 arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
787 else
788 goto good;
789
790 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
791 return US"fail";
792
793 good:
794 /* Evaluate the oldest-pass AMS validation while we're here.
795 It does not affect the AS chain validation but is reported as
796 auxilary info. */
797
798 if (!ams_fail_found)
799 if (arc_ams_verify(ctx, as))
800 ams_fail_found = TRUE;
801 else
802 arc_oldest_pass = inst;
803 arc_state_reason = NULL;
804 }
805 if (inst != 0)
806 {
807 arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
808 DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
809 return US"fail";
810 }
811
812 arc_received = ctx->arcset_chain_last;
813 arc_received_instance = arc_received->instance;
814
815 /* We can skip the latest-AMS validation, if we already did it. */
816
817 as = ctx->arcset_chain_last;
818 if (!as->ams_verify_passed)
819 {
820 if (as->ams_verify_done)
821 {
822 arc_state_reason = as->ams_verify_done;
823 return US"fail";
824 }
825 if (!!arc_ams_verify(ctx, as))
826 return US"fail";
827 }
828 return NULL;
829 }
830
831
832 /******************************************************************************/
833 static const uschar *
834 arc_seal_verify(arc_ctx * ctx, arc_set * as)
835 {
836 arc_line * hdr_as = as->hdr_as;
837 arc_set * as2;
838 int hashtype;
839 hctx hhash_ctx;
840 blob hhash_computed;
841 blob sighash;
842 ev_ctx vctx;
843 pdkim_pubkey * p;
844 const uschar * errstr;
845
846 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
847 /*
848 1. If the value of the "cv" tag on that seal is "fail", the
849 chain state is "fail" and the algorithm stops here. (This
850 step SHOULD be skipped if the earlier step (2.1) was
851 performed) [it was]
852
853 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
854 == "none" && i != 1)) then the chain state is "fail" and the
855 algorithm stops here (note that the ordering of the logic is
856 structured for short-circuit evaluation).
857 */
858
859 if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
860 || arc_cv_match(hdr_as, US"none") && as->instance != 1
861 )
862 {
863 arc_state_reason = US"seal cv state";
864 return US"fail";
865 }
866
867 /*
868 3. Initialize a hash function corresponding to the "a" tag of
869 the ARC-Seal.
870 */
871
872 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
873
874 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
875 {
876 DEBUG(D_acl)
877 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
878 arc_state_reason = US"seal hash setup error";
879 return US"fail";
880 }
881
882 /*
883 4. Compute the canonicalized form of the ARC header fields, in
884 the order described in Section 5.4.2, using the "relaxed"
885 header canonicalization defined in Section 3.4.2 of
886 [RFC6376]. Pass the canonicalized result to the hash
887 function.
888
889 Headers are CRLF-separated, but the last one is not crlf-terminated.
890 */
891
892 DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
893 for (as2 = ctx->arcset_chain;
894 as2 && as2->instance <= as->instance;
895 as2 = as2->next)
896 {
897 arc_line * al;
898 uschar * s;
899 int len;
900
901 al = as2->hdr_aar;
902 if (!(s = al->relaxed))
903 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
904 al->complete->slen, TRUE);
905 len = Ustrlen(s);
906 DEBUG(D_acl) pdkim_quoteprint(s, len);
907 exim_sha_update(&hhash_ctx, s, len);
908
909 al = as2->hdr_ams;
910 if (!(s = al->relaxed))
911 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
912 al->complete->slen, TRUE);
913 len = Ustrlen(s);
914 DEBUG(D_acl) pdkim_quoteprint(s, len);
915 exim_sha_update(&hhash_ctx, s, len);
916
917 al = as2->hdr_as;
918 if (as2->instance == as->instance)
919 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
920 al->rawsig_no_b_val.len, FALSE);
921 else if (!(s = al->relaxed))
922 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
923 al->complete->slen, TRUE);
924 len = Ustrlen(s);
925 DEBUG(D_acl) pdkim_quoteprint(s, len);
926 exim_sha_update(&hhash_ctx, s, len);
927 }
928
929 /*
930 5. Retrieve the final digest from the hash function.
931 */
932
933 exim_sha_finish(&hhash_ctx, &hhash_computed);
934 DEBUG(D_acl)
935 {
936 debug_printf("ARC i=%d AS Header %.*s computed: ",
937 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
938 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
939 }
940
941
942 /*
943 6. Retrieve the public key identified by the "s" and "d" tags in
944 the ARC-Seal, as described in Section 4.1.6.
945 */
946
947 if (!(p = arc_line_to_pubkey(hdr_as)))
948 return US"pubkey problem";
949
950 /*
951 7. Determine whether the signature portion ("b" tag) of the ARC-
952 Seal and the digest computed above are valid according to the
953 public key. (See also Section Section 8.4 for failure case
954 handling)
955
956 8. If the signature is not valid, the chain state is "fail" and
957 the algorithm stops here.
958 */
959
960 /* We know the b-tag blob is of a nul-term string, so safe as a string */
961 pdkim_decode_base64(hdr_as->b.data, &sighash);
962
963 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
964 {
965 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
966 return US"fail";
967 }
968
969 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
970
971 if ((errstr = exim_dkim_verify(&vctx,
972 pdkim_hashes[hashtype].exim_hashmethod,
973 &hhash_computed, &sighash)))
974 {
975 DEBUG(D_acl)
976 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
977 arc_state_reason = US"seal sigverify error";
978 return US"fail";
979 }
980
981 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
982 return NULL;
983 }
984
985
986 static const uschar *
987 arc_verify_seals(arc_ctx * ctx)
988 {
989 arc_set * as = ctx->arcset_chain_last;
990
991 if (!as)
992 return US"none";
993
994 for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
995
996 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
997 return NULL;
998 }
999 /******************************************************************************/
1000
1001 /* Do ARC verification. Called from DATA ACL, on a verify = arc
1002 condition. No arguments; we are checking globals.
1003
1004 Return: The ARC state, or NULL on error.
1005 */
1006
1007 const uschar *
1008 acl_verify_arc(void)
1009 {
1010 const uschar * res;
1011
1012 memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1013
1014 if (!dkim_verify_ctx)
1015 {
1016 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1017 return NULL;
1018 }
1019
1020 /* AS evaluation, per
1021 https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1022 */
1023 /* 1. Collect all ARC sets currently on the message. If there were
1024 none, the ARC state is "none" and the algorithm stops here.
1025 */
1026
1027 if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1028 goto out;
1029
1030 /* 2. If the form of any ARC set is invalid (e.g., does not contain
1031 exactly one of each of the three ARC-specific header fields),
1032 then the chain state is "fail" and the algorithm stops here.
1033
1034 1. To avoid the overhead of unnecessary computation and delay
1035 from crypto and DNS operations, the cv value for all ARC-
1036 Seal(s) MAY be checked at this point. If any of the values
1037 are "fail", then the overall state of the chain is "fail" and
1038 the algorithm stops here.
1039
1040 3. Conduct verification of the ARC-Message-Signature header field
1041 bearing the highest instance number. If this verification fails,
1042 then the chain state is "fail" and the algorithm stops here.
1043 */
1044
1045 if ((res = arc_headers_check(&arc_verify_ctx)))
1046 goto out;
1047
1048 /* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1049 following logic:
1050
1051 1. If the value of the "cv" tag on that seal is "fail", the
1052 chain state is "fail" and the algorithm stops here. (This
1053 step SHOULD be skipped if the earlier step (2.1) was
1054 performed)
1055
1056 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1057 == "none" && i != 1)) then the chain state is "fail" and the
1058 algorithm stops here (note that the ordering of the logic is
1059 structured for short-circuit evaluation).
1060
1061 3. Initialize a hash function corresponding to the "a" tag of
1062 the ARC-Seal.
1063
1064 4. Compute the canonicalized form of the ARC header fields, in
1065 the order described in Section 5.4.2, using the "relaxed"
1066 header canonicalization defined in Section 3.4.2 of
1067 [RFC6376]. Pass the canonicalized result to the hash
1068 function.
1069
1070 5. Retrieve the final digest from the hash function.
1071
1072 6. Retrieve the public key identified by the "s" and "d" tags in
1073 the ARC-Seal, as described in Section 4.1.6.
1074
1075 7. Determine whether the signature portion ("b" tag) of the ARC-
1076 Seal and the digest computed above are valid according to the
1077 public key. (See also Section Section 8.4 for failure case
1078 handling)
1079
1080 8. If the signature is not valid, the chain state is "fail" and
1081 the algorithm stops here.
1082
1083 5. If all seals pass validation, then the chain state is "pass", and
1084 the algorithm is complete.
1085 */
1086
1087 if ((res = arc_verify_seals(&arc_verify_ctx)))
1088 goto out;
1089
1090 res = US"pass";
1091
1092 out:
1093 return res;
1094 }
1095
1096 /******************************************************************************/
1097
1098 /* Prepend the header to the rlist */
1099
1100 static hdr_rlist *
1101 arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1102 {
1103 hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line), FALSE);
1104 header_line * h = r->h = (header_line *)(r+1);
1105
1106 r->prev = list;
1107 r->used = FALSE;
1108 h->next = NULL;
1109 h->type = 0;
1110 h->slen = len;
1111 h->text = US s;
1112
1113 /* This works for either NL or CRLF lines; also nul-termination */
1114 while (*++s)
1115 if (*s == '\n' && s[1] != '\t' && s[1] != ' ') break;
1116 s++; /* move past end of line */
1117
1118 return r;
1119 }
1120
1121
1122 /* Walk the given headers strings identifying each header, and construct
1123 a reverse-order list.
1124 */
1125
1126 static hdr_rlist *
1127 arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1128 {
1129 const uschar * s;
1130 hdr_rlist * rheaders = NULL;
1131
1132 s = sigheaders ? sigheaders->s : NULL;
1133 if (s) while (*s)
1134 {
1135 const uschar * s2 = s;
1136
1137 /* This works for either NL or CRLF lines; also nul-termination */
1138 while (*++s2)
1139 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1140 s2++; /* move past end of line */
1141
1142 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1143 s = s2;
1144 }
1145 return rheaders;
1146 }
1147
1148
1149
1150 /* Return the A-R content, without identity, with line-ending and
1151 NUL termination. */
1152
1153 static BOOL
1154 arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1155 {
1156 header_line * h;
1157 int ilen = Ustrlen(identity);
1158
1159 ret->data = NULL;
1160 for(h = headers; h; h = h->next)
1161 {
1162 uschar * s = h->text, c;
1163 int len = h->slen;
1164
1165 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1166 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1167 while ( len > 0
1168 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1169 s++, len--; /* FWS */
1170 if (Ustrncmp(s, identity, ilen) != 0) continue;
1171 s += ilen; len -= ilen; /* identity */
1172 if (len <= 0) continue;
1173 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1174 while ( len > 0
1175 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1176 s++, len--; /* FWS */
1177 if (len <= 0) continue;
1178 ret->data = s;
1179 ret->len = len;
1180 return TRUE;
1181 }
1182 return FALSE;
1183 }
1184
1185
1186
1187 /* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1188
1189 static gstring *
1190 arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1191 const uschar * identity, int instance, blob * ar)
1192 {
1193 int aar_off = g ? g->ptr : 0;
1194 arc_set * as =
1195 store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line), FALSE);
1196 arc_line * al = (arc_line *)(as+1);
1197 header_line * h = (header_line *)(al+1);
1198
1199 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1200 g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
1201 g = string_catn(g, US ar->data, ar->len);
1202
1203 h->slen = g->ptr - aar_off;
1204 h->text = g->s + aar_off;
1205 al->complete = h;
1206 as->next = NULL;
1207 as->prev = ctx->arcset_chain_last;
1208 as->instance = instance;
1209 as->hdr_aar = al;
1210 if (instance == 1)
1211 ctx->arcset_chain = as;
1212 else
1213 ctx->arcset_chain_last->next = as;
1214 ctx->arcset_chain_last = as;
1215
1216 DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1217 return g;
1218 }
1219
1220
1221
1222 static BOOL
1223 arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1224 blob * sig, const uschar * why)
1225 {
1226 hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1227 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1228 blob hhash;
1229 es_ctx sctx;
1230 const uschar * errstr;
1231
1232 DEBUG(D_transport)
1233 {
1234 hctx hhash_ctx;
1235 debug_printf("ARC: %s header data for signing:\n", why);
1236 pdkim_quoteprint(hdata->s, hdata->ptr);
1237
1238 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1239 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1240 exim_sha_finish(&hhash_ctx, &hhash);
1241 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1242 }
1243
1244 if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1245 {
1246 hctx hhash_ctx;
1247 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1248 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1249 exim_sha_finish(&hhash_ctx, &hhash);
1250 }
1251 else
1252 {
1253 hhash.data = hdata->s;
1254 hhash.len = hdata->ptr;
1255 }
1256
1257 if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1258 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1259 {
1260 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1261 DEBUG(D_transport)
1262 debug_printf("private key, or private-key file content, was: '%s'\n",
1263 privkey);
1264 return FALSE;
1265 }
1266 return TRUE;
1267 }
1268
1269
1270
1271 static gstring *
1272 arc_sign_append_sig(gstring * g, blob * sig)
1273 {
1274 /*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1275 sig->data = pdkim_encode_base64(sig);
1276 sig->len = Ustrlen(sig->data);
1277 for (;;)
1278 {
1279 int len = MIN(sig->len, 74);
1280 g = string_catn(g, sig->data, len);
1281 if ((sig->len -= len) == 0) break;
1282 sig->data += len;
1283 g = string_catn(g, US"\r\n\t ", 5);
1284 }
1285 g = string_catn(g, US";\r\n", 3);
1286 gstring_release_unused(g);
1287 string_from_gstring(g);
1288 return g;
1289 }
1290
1291
1292 /* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1293
1294 static gstring *
1295 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1296 const uschar * identity, const uschar * selector, blob * bodyhash,
1297 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1298 {
1299 uschar * s;
1300 gstring * hdata = NULL;
1301 int col;
1302 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1303 blob sig;
1304 int ams_off;
1305 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), FALSE);
1306 header_line * h = (header_line *)(al+1);
1307
1308 /* debug_printf("%s\n", __FUNCTION__); */
1309
1310 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1311
1312 ams_off = g->ptr;
1313 g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
1314 ARC_HDR_AMS, instance, identity, selector); /*XXX hardwired a= */
1315 if (options & ARC_SIGN_OPT_TSTAMP)
1316 g = string_fmt_append(g, "; t=%lu", (u_long)now);
1317 if (options & ARC_SIGN_OPT_EXPIRE)
1318 g = string_fmt_append(g, "; x=%lu", (u_long)expire);
1319 g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
1320 pdkim_encode_base64(bodyhash));
1321
1322 for(col = 3; rheaders; rheaders = rheaders->prev)
1323 {
1324 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1325 uschar * name, * htext = rheaders->h->text;
1326 int sep = ':';
1327
1328 /* Spot headers of interest */
1329
1330 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1331 {
1332 int len = Ustrlen(name);
1333 if (strncasecmp(CCS htext, CCS name, len) == 0)
1334 {
1335 /* If too long, fold line in h= field */
1336
1337 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1338
1339 /* Add name to h= list */
1340
1341 g = string_catn(g, name, len);
1342 g = string_catn(g, US":", 1);
1343 col += len + 1;
1344
1345 /* Accumulate header for hashing/signing */
1346
1347 hdata = string_cat(hdata,
1348 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1349 break;
1350 }
1351 }
1352 }
1353
1354 /* Lose the last colon from the h= list */
1355
1356 if (g->s[g->ptr - 1] == ':') g->ptr--;
1357
1358 g = string_catn(g, US";\r\n\tb=;", 7);
1359
1360 /* Include the pseudo-header in the accumulation */
1361
1362 s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1363 hdata = string_cat(hdata, s);
1364
1365 /* Calculate the signature from the accumulation */
1366 /*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1367
1368 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1369 return NULL;
1370
1371 /* Lose the trailing semicolon from the psuedo-header, and append the signature
1372 (folded over lines) and termination to complete it. */
1373
1374 g->ptr--;
1375 g = arc_sign_append_sig(g, &sig);
1376
1377 h->slen = g->ptr - ams_off;
1378 h->text = g->s + ams_off;
1379 al->complete = h;
1380 ctx->arcset_chain_last->hdr_ams = al;
1381
1382 DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1383 return g;
1384 }
1385
1386
1387
1388 /* Look for an arc= result in an A-R header blob. We know that its data
1389 happens to be a NUL-term string. */
1390
1391 static uschar *
1392 arc_ar_cv_status(blob * ar)
1393 {
1394 const uschar * resinfo = ar->data;
1395 int sep = ';';
1396 uschar * methodspec, * s;
1397
1398 while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1399 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1400 {
1401 uschar c;
1402 for (s = methodspec += 4;
1403 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1404 return string_copyn(methodspec, s - methodspec);
1405 }
1406 return US"none";
1407 }
1408
1409
1410
1411 /* Build the AS header and prepend it */
1412
1413 static gstring *
1414 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1415 int instance, const uschar * identity, const uschar * selector, blob * ar,
1416 const uschar * privkey, unsigned options)
1417 {
1418 gstring * arcset;
1419 arc_set * as;
1420 uschar * status = arc_ar_cv_status(ar);
1421 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), FALSE);
1422 header_line * h = (header_line *)(al+1);
1423
1424 gstring * hdata = NULL;
1425 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1426 blob sig;
1427
1428 /*
1429 - Generate AS
1430 - no body coverage
1431 - no h= tag; implicit coverage
1432 - arc status from A-R
1433 - if fail:
1434 - coverage is just the new ARC set
1435 including self (but with an empty b= in self)
1436 - if non-fail:
1437 - all ARC set headers, set-number order, aar then ams then as,
1438 including self (but with an empty b= in self)
1439 */
1440
1441 /* Construct the AS except for the signature */
1442
1443 arcset = string_append(NULL, 9,
1444 ARC_HDR_AS,
1445 US" i=", string_sprintf("%d", instance),
1446 US"; cv=", status,
1447 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1448 US"; s=", selector); /*XXX same as AMS */
1449 if (options & ARC_SIGN_OPT_TSTAMP)
1450 arcset = string_append(arcset, 2,
1451 US"; t=", string_sprintf("%lu", (u_long)now));
1452 arcset = string_cat(arcset,
1453 US";\r\n\t b=;");
1454
1455 h->slen = arcset->ptr;
1456 h->text = arcset->s;
1457 al->complete = h;
1458 ctx->arcset_chain_last->hdr_as = al;
1459
1460 /* For any but "fail" chain-verify status, walk the entire chain in order by
1461 instance. For fail, only the new arc-set. Accumulate the elements walked. */
1462
1463 for (as = Ustrcmp(status, US"fail") == 0
1464 ? ctx->arcset_chain_last : ctx->arcset_chain;
1465 as; as = as->next)
1466 {
1467 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1468 is required per standard. */
1469
1470 h = as->hdr_aar->complete;
1471 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1472 h = as->hdr_ams->complete;
1473 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1474 h = as->hdr_as->complete;
1475 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1476 }
1477
1478 /* Calculate the signature from the accumulation */
1479
1480 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1481 return NULL;
1482
1483 /* Lose the trailing semicolon */
1484 arcset->ptr--;
1485 arcset = arc_sign_append_sig(arcset, &sig);
1486 DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1487
1488 /* Finally, append the AMS and AAR to the new AS */
1489
1490 return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1491 }
1492
1493
1494 /**************************************/
1495
1496 /* Return pointer to pdkim_bodyhash for given hash method, creating new
1497 method if needed.
1498 */
1499
1500 void *
1501 arc_ams_setup_sign_bodyhash(void)
1502 {
1503 int canon_head, canon_body;
1504
1505 DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1506 pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1507 return pdkim_set_bodyhash(&dkim_sign_ctx,
1508 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1509 canon_body,
1510 -1);
1511 }
1512
1513
1514
1515 void
1516 arc_sign_init(void)
1517 {
1518 memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1519 }
1520
1521
1522
1523 /* A "normal" header line, identified by DKIM processing. These arrive before
1524 the call to arc_sign(), which carries any newly-created DKIM headers - and
1525 those go textually before the normal ones in the message.
1526
1527 We have to take the feed from DKIM as, in the transport-filter case, the
1528 headers are not in memory at the time of the call to arc_sign().
1529
1530 Take a copy of the header and construct a reverse-order list.
1531 Also parse ARC-chain headers and build the chain struct, retaining pointers
1532 into the copies.
1533 */
1534
1535 static const uschar *
1536 arc_header_sign_feed(gstring * g)
1537 {
1538 uschar * s = string_copyn(g->s, g->ptr);
1539 headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1540 return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1541 }
1542
1543
1544
1545 /* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1546 The dkim_exim_sign() function has already been called, so will have hashed the
1547 message body for us so long as we requested a hash previously.
1548
1549 Arguments:
1550 signspec Three-element colon-sep list: identity, selector, privkey.
1551 Optional fourth element: comma-sep list of options.
1552 Already expanded
1553 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1554 errstr Error string
1555
1556 Return value
1557 Set of headers to prepend to the message, including the supplied sigheaders
1558 but not the plainheaders.
1559 */
1560
1561 gstring *
1562 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1563 {
1564 const uschar * identity, * selector, * privkey, * opts, * s;
1565 unsigned options = 0;
1566 int sep = 0;
1567 header_line * headers;
1568 hdr_rlist * rheaders;
1569 blob ar;
1570 int instance;
1571 gstring * g = NULL;
1572 pdkim_bodyhash * b;
1573
1574 expire = now = 0;
1575
1576 /* Parse the signing specification */
1577
1578 identity = string_nextinlist(&signspec, &sep, NULL, 0);
1579 selector = string_nextinlist(&signspec, &sep, NULL, 0);
1580 if ( !*identity || !*selector
1581 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1582 {
1583 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
1584 !*identity ? "identity" : !*selector ? "selector" : "private-key");
1585 return sigheaders ? sigheaders : string_get(0);
1586 }
1587 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1588 return sigheaders ? sigheaders : string_get(0);
1589
1590 if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1591 {
1592 int osep = ',';
1593 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1594 if (Ustrcmp(s, "timestamps") == 0)
1595 {
1596 options |= ARC_SIGN_OPT_TSTAMP;
1597 if (!now) now = time(NULL);
1598 }
1599 else if (Ustrncmp(s, "expire", 6) == 0)
1600 {
1601 options |= ARC_SIGN_OPT_EXPIRE;
1602 if (*(s += 6) == '=')
1603 if (*++s == '+')
1604 {
1605 if (!(expire = (time_t)atoi(CS ++s)))
1606 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1607 if (!now) now = time(NULL);
1608 expire += now;
1609 }
1610 else
1611 expire = (time_t)atol(CS s);
1612 else
1613 {
1614 if (!now) now = time(NULL);
1615 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1616 }
1617 }
1618 }
1619
1620 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1621
1622 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1623 Then scan the list for an A-R header. */
1624
1625 string_from_gstring(sigheaders);
1626 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1627 {
1628 hdr_rlist ** rp;
1629 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1630 *rp = rheaders;
1631 }
1632
1633 /* Finally, build a normal-order headers list */
1634 /*XXX only needed for hunt-the-AR? */
1635 /*XXX also, we really should be accepting any number of ADMD-matching ARs */
1636 {
1637 header_line * hnext = NULL;
1638 for (rheaders = headers_rlist; rheaders;
1639 hnext = rheaders->h, rheaders = rheaders->prev)
1640 rheaders->h->next = hnext;
1641 headers = hnext;
1642 }
1643
1644 if (!(arc_sign_find_ar(headers, identity, &ar)))
1645 {
1646 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1647 return sigheaders ? sigheaders : string_get(0);
1648 }
1649
1650 /* We previously built the data-struct for the existing ARC chain, if any, using a headers
1651 feed from the DKIM module. Use that to give the instance number for the ARC set we are
1652 about to build. */
1653
1654 DEBUG(D_transport)
1655 if (arc_sign_ctx.arcset_chain_last)
1656 debug_printf("ARC: existing chain highest instance: %d\n",
1657 arc_sign_ctx.arcset_chain_last->instance);
1658 else
1659 debug_printf("ARC: no existing chain\n");
1660
1661 instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1662
1663 /*
1664 - Generate AAR
1665 - copy the A-R; prepend i= & identity
1666 */
1667
1668 g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1669
1670 /*
1671 - Generate AMS
1672 - Looks fairly like a DKIM sig
1673 - Cover all DKIM sig headers as well as the usuals
1674 - ? oversigning?
1675 - Covers the data
1676 - we must have requested a suitable bodyhash previously
1677 */
1678
1679 b = arc_ams_setup_sign_bodyhash();
1680 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1681 &b->bh, headers_rlist, privkey, options);
1682
1683 /*
1684 - Generate AS
1685 - no body coverage
1686 - no h= tag; implicit coverage
1687 - arc status from A-R
1688 - if fail:
1689 - coverage is just the new ARC set
1690 including self (but with an empty b= in self)
1691 - if non-fail:
1692 - all ARC set headers, set-number order, aar then ams then as,
1693 including self (but with an empty b= in self)
1694 */
1695
1696 if (g)
1697 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1698 privkey, options);
1699
1700 /* Finally, append the dkim headers and return the lot. */
1701
1702 if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
1703 (void) string_from_gstring(g);
1704 gstring_release_unused(g);
1705 return g;
1706 }
1707
1708
1709 /******************************************************************************/
1710
1711 /* Check to see if the line is an AMS and if so, set up to validate it.
1712 Called from the DKIM input processing. This must be done now as the message
1713 body data is hashed during input.
1714
1715 We call the DKIM code to request a body-hash; it has the facility already
1716 and the hash parameters might be common with other requests.
1717 */
1718
1719 static const uschar *
1720 arc_header_vfy_feed(gstring * g)
1721 {
1722 header_line h;
1723 arc_line al;
1724 pdkim_bodyhash * b;
1725 uschar * errstr;
1726
1727 if (!dkim_verify_ctx) return US"no dkim context";
1728
1729 if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1730
1731 DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1732 /* Parse the AMS header */
1733
1734 h.next = NULL;
1735 h.slen = g->size;
1736 h.text = g->s;
1737 memset(&al, 0, sizeof(arc_line));
1738 if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1739 {
1740 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1741 return US"line parsing error";
1742 }
1743
1744 /* defaults */
1745 if (!al.c.data)
1746 {
1747 al.c_body.data = US"simple"; al.c_body.len = 6;
1748 al.c_head = al.c_body;
1749 }
1750
1751 /* Ask the dkim code to calc a bodyhash with those specs */
1752
1753 if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1754 return US"dkim hash setup fail";
1755
1756 /* Discard the reference; search again at verify time, knowing that one
1757 should have been created here. */
1758
1759 return NULL;
1760 }
1761
1762
1763
1764 /* A header line has been identified by DKIM processing.
1765
1766 Arguments:
1767 g Header line
1768 is_vfy TRUE for verify mode or FALSE for signing mode
1769
1770 Return:
1771 NULL for success, or an error string (probably unused)
1772 */
1773
1774 const uschar *
1775 arc_header_feed(gstring * g, BOOL is_vfy)
1776 {
1777 return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1778 }
1779
1780
1781
1782 /******************************************************************************/
1783
1784 /* Construct the list of domains from the ARC chain after validation */
1785
1786 uschar *
1787 fn_arc_domains(void)
1788 {
1789 arc_set * as;
1790 unsigned inst;
1791 gstring * g = NULL;
1792
1793 for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1794 {
1795 arc_line * hdr_as = as->hdr_as;
1796 if (hdr_as)
1797 {
1798 blob * d = &hdr_as->d;
1799
1800 for (; inst < as->instance; inst++)
1801 g = string_catn(g, US":", 1);
1802
1803 g = d->data && d->len
1804 ? string_append_listele_n(g, ':', d->data, d->len)
1805 : string_catn(g, US":", 1);
1806 }
1807 else
1808 g = string_catn(g, US":", 1);
1809 }
1810 return g ? g->s : US"";
1811 }
1812
1813
1814 /* Construct an Authentication-Results header portion, for the ARC module */
1815
1816 gstring *
1817 authres_arc(gstring * g)
1818 {
1819 if (arc_state)
1820 {
1821 arc_line * highest_ams;
1822 int start = 0; /* Compiler quietening */
1823 DEBUG(D_acl) start = g->ptr;
1824
1825 g = string_append(g, 2, US";\n\tarc=", arc_state);
1826 if (arc_received_instance > 0)
1827 {
1828 g = string_fmt_append(g, " (i=%d)", arc_received_instance);
1829 if (arc_state_reason)
1830 g = string_append(g, 3, US"(", arc_state_reason, US")");
1831 g = string_catn(g, US" header.s=", 10);
1832 highest_ams = arc_received->hdr_ams;
1833 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1834
1835 g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
1836
1837 if (sender_host_address)
1838 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1839 }
1840 else if (arc_state_reason)
1841 g = string_append(g, 3, US" (", arc_state_reason, US")");
1842 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1843 g->ptr - start - 3, g->s + start + 3);
1844 }
1845 else
1846 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1847 return g;
1848 }
1849
1850
1851 # endif /* SUPPORT_SPF */
1852 #endif /* EXPERIMENTAL_ARC */
1853 /* vi: aw ai sw=2
1854 */
Unnamed repository; edit this file 'description' to name the repository.