projects / exim.git / blob
? search:


7bdf4bfbbc7bc46eb0dec7c291f7f81625526ecc
[exim.git] / src / src / arc.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4 /* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018
6 License: GPL
7 */
8
9 #include "exim.h"
10 #ifdef EXPERIMENTAL_ARC
11 # if !defined SUPPORT_SPF
12 # error SPF must also be enabled for ARC
13 # elif defined DISABLE_DKIM
14 # error DKIM must also be enabled for ARC
15 # else
16
17 # include "functions.h"
18 # include "pdkim/pdkim.h"
19 # include "pdkim/signing.h"
20
21 extern pdkim_ctx * dkim_verify_ctx;
22 extern pdkim_ctx dkim_sign_ctx;
23
24 #define ARC_SIGN_OPT_TSTAMP BIT(0)
25 #define ARC_SIGN_OPT_EXPIRE BIT(1)
26
27 #define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
28
29 /******************************************************************************/
30
31 typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
33 BOOL used;
34 header_line * h;
35 } hdr_rlist;
36
37 typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
39 uschar * relaxed;
40
41 /* identified tag contents */
42 /*XXX t= for AS? */
43 blob i;
44 blob cv;
45 blob a;
46 blob b;
47 blob bh;
48 blob d;
49 blob h;
50 blob s;
51 blob c;
52 blob l;
53
54 /* tag content sub-portions */
55 blob a_algo;
56 blob a_hash;
57
58 blob c_head;
59 blob c_body;
60
61 /* modified copy of b= field in line */
62 blob rawsig_no_b_val;
63 } arc_line;
64
65 typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
68
69 unsigned instance;
70 arc_line * hdr_aar;
71 arc_line * hdr_ams;
72 arc_line * hdr_as;
73
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
76 } arc_set;
77
78 typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
81 } arc_ctx;
82
83 #define ARC_HDR_AAR US"ARC-Authentication-Results:"
84 #define ARC_HDRLEN_AAR 27
85 #define ARC_HDR_AMS US"ARC-Message-Signature:"
86 #define ARC_HDRLEN_AMS 22
87 #define ARC_HDR_AS US"ARC-Seal:"
88 #define ARC_HDRLEN_AS 9
89 #define HDR_AR US"Authentication-Results:"
90 #define HDRLEN_AR 23
91
92 static time_t now;
93 static time_t expire;
94 static hdr_rlist * headers_rlist;
95 static arc_ctx arc_sign_ctx = { NULL };
96 static arc_ctx arc_verify_ctx = { NULL };
97
98
99 /******************************************************************************/
100
101
102 /* Get the instance number from the header.
103 Return 0 on error */
104 static unsigned
105 arc_instance_from_hdr(const arc_line * al)
106 {
107 const uschar * s = al->i.data;
108 if (!s || !al->i.len) return 0;
109 return (unsigned) atoi(CCS s);
110 }
111
112
113 static uschar *
114 skip_fws(uschar * s)
115 {
116 uschar c = *s;
117 while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
118 return s;
119 }
120
121
122 /* Locate instance struct on chain, inserting a new one if
123 needed. The chain is in increasing-instance-number order
124 by the "next" link, and we have a "prev" link also.
125 */
126
127 static arc_set *
128 arc_find_set(arc_ctx * ctx, unsigned i)
129 {
130 arc_set ** pas, * as, * next, * prev;
131
132 for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
134 {
135 if (as->instance > i) break;
136 if (as->instance == i)
137 {
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
139 return as;
140 }
141 next = as->next;
142 prev = as;
143 }
144
145 DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146 *pas = as = store_get(sizeof(arc_set));
147 memset(as, 0, sizeof(arc_set));
148 as->next = next;
149 as->prev = prev;
150 as->instance = i;
151 if (next)
152 next->prev = as;
153 else
154 ctx->arcset_chain_last = as;
155 return as;
156 }
157
158
159
160 /* Insert a tag content into the line structure.
161 Note this is a reference to existing data, not a copy.
162 Check for already-seen tag.
163 The string-pointer is on the '=' for entry. Update it past the
164 content (to the ;) on return;
165 */
166
167 static uschar *
168 arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
169 {
170 uschar * s = *ss;
171 uschar c = *++s;
172 blob * b = (blob *)(US al + loff);
173 size_t len = 0;
174
175 /* [FWS] tag-value [FWS] */
176
177 if (b->data) return US"fail";
178 s = skip_fws(s); /* FWS */
179
180 b->data = s;
181 while ((c = *s) && c != ';') { len++; s++; }
182 *ss = s;
183 while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
185 b->len = len;
186 return NULL;
187 }
188
189
190 /* Inspect a header line, noting known tag fields.
191 Check for duplicates. */
192
193 static uschar *
194 arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
195 {
196 uschar * s = h->text + off;
197 uschar * r = NULL; /* compiler-quietening */
198 uschar c;
199
200 al->complete = h;
201
202 if (!instance_only)
203 {
204 al->rawsig_no_b_val.data = store_get(h->slen + 1);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
208 }
209
210 /* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
211
212 while ((c = *s))
213 {
214 char tagchar;
215 uschar * t;
216 unsigned i = 0;
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
219
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
221
222 s = skip_fws(s); /* FWS */
223 if (!*s) break;
224 /* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
225 tagchar = *s++;
226 s = skip_fws(s); /* FWS */
227 if (!*s) break;
228
229 if (!instance_only || tagchar == 'i') switch (tagchar)
230 {
231 case 'a': /* a= AMS algorithm */
232 {
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
235
236 /* substructure: algo-hash (eg. rsa-sha256) */
237
238 t = al->a_algo.data = al->a.data;
239 while (*t != '-')
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
241 al->a_algo.len = i;
242 if (*t++ != '-') return US"no '-' in 'a' value";
243 al->a_hash.data = t;
244 al->a_hash.len = al->a.len - i - 1;
245 }
246 break;
247 case 'b':
248 {
249 gstring * g = NULL;
250
251 switch (*s)
252 {
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
255 bstart = s+1;
256
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
259
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 if (!g) return US"no b= value";
264 al->b.data = string_from_gstring(g);
265 al->b.len = g->ptr;
266 gstring_release_unused(g);
267 bend = s;
268 break;
269 case 'h': /* bh= AMS body hash */
270 s = skip_fws(++s); /* FWS */
271 if (*s != '=') return US"no bh value";
272 if (al->bh.data) return US"already bh data";
273
274 /* The bodyhash can have FWS inserted in the content;
275 make a stripped copy */
276
277 while ((c = *++s) && c != ';')
278 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
279 g = string_catn(g, s, 1);
280 if (!g) return US"no bh= value";
281 al->bh.data = string_from_gstring(g);
282 al->bh.len = g->ptr;
283 gstring_release_unused(g);
284 break;
285 default:
286 return US"b? tag";
287 }
288 }
289 break;
290 case 'c':
291 switch (*s)
292 {
293 case '=': /* c= AMS canonicalisation */
294 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
295
296 /* substructure: head/body (eg. relaxed/simple)) */
297
298 t = al->c_head.data = al->c.data;
299 while (isalpha(*t))
300 if (!*t++ || ++i > al->a.len) break;
301 al->c_head.len = i;
302 if (*t++ == '/') /* /body is optional */
303 {
304 al->c_body.data = t;
305 al->c_body.len = al->c.len - i - 1;
306 }
307 else
308 {
309 al->c_body.data = US"simple";
310 al->c_body.len = 6;
311 }
312 break;
313 case 'v': /* cv= AS validity */
314 if (*++s != '=') return US"cv tag val";
315 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
316 break;
317 default:
318 return US"c? tag";
319 }
320 break;
321 case 'd': /* d= AMS domain */
322 if (*s != '=') return US"d tag val";
323 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
324 break;
325 case 'h': /* h= AMS headers */
326 if (*s != '=') return US"h tag val";
327 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
328 break;
329 case 'i': /* i= ARC set instance */
330 if (*s != '=') return US"i tag val";
331 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
332 if (instance_only) goto done;
333 break;
334 case 'l': /* l= bodylength */
335 if (*s != '=') return US"l tag val";
336 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
337 break;
338 case 's': /* s= AMS selector */
339 if (*s != '=') return US"s tag val";
340 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
341 break;
342 }
343
344 while ((c = *s) && c != ';') s++;
345 if (c) s++; /* ; after tag-spec */
346
347 /* for all but the b= tag, copy the field including FWS. For the b=,
348 drop the tag content. */
349
350 if (!instance_only)
351 if (bstart)
352 {
353 size_t n = bstart - fieldstart;
354 memcpy(r, fieldstart, n); /* FWS "b=" */
355 r += n;
356 al->rawsig_no_b_val.len += n;
357 n = s - bend;
358 memcpy(r, bend, n); /* FWS ";" */
359 r += n;
360 al->rawsig_no_b_val.len += n;
361 }
362 else
363 {
364 size_t n = s - fieldstart;
365 memcpy(r, fieldstart, n);
366 r += n;
367 al->rawsig_no_b_val.len += n;
368 }
369 }
370
371 if (!instance_only)
372 *r = '\0';
373
374 done:
375 /* debug_printf("%s: finshed\n", __FUNCTION__); */
376 return NULL;
377 }
378
379
380 /* Insert one header line in the correct set of the chain,
381 adding instances as needed and checking for duplicate lines.
382 */
383
384 static uschar *
385 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
386 BOOL instance_only)
387 {
388 unsigned i;
389 arc_set * as;
390 arc_line * al = store_get(sizeof(arc_line)), ** alp;
391 uschar * e;
392
393 memset(al, 0, sizeof(arc_line));
394
395 if ((e = arc_parse_line(al, h, off, instance_only)))
396 {
397 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
398 return US"line parse";
399 }
400 if (!(i = arc_instance_from_hdr(al))) return US"instance find";
401 if (i > 50) return US"overlarge instance number";
402 if (!(as = arc_find_set(ctx, i))) return US"set find";
403 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
404
405 *alp = al;
406 return NULL;
407 }
408
409
410
411
412 static const uschar *
413 arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
414 {
415 const uschar * e;
416
417 /*debug_printf("consider hdr '%s'\n", h->text);*/
418 if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
419 {
420 DEBUG(D_acl)
421 {
422 int len = h->slen;
423 uschar * s;
424 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
425 s--, len--;
426 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
427 }
428 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
429 TRUE)))
430 {
431 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
432 return US"inserting AAR";
433 }
434 }
435 else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
436 {
437 arc_line * ams;
438
439 DEBUG(D_acl)
440 {
441 int len = h->slen;
442 uschar * s;
443 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
444 s--, len--;
445 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
446 }
447 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
448 instance_only)))
449 {
450 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
451 return US"inserting AMS";
452 }
453
454 /* defaults */
455 /*XXX dubious selection of ams here */
456 ams = ctx->arcset_chain->hdr_ams;
457 if (!ams->c.data)
458 {
459 ams->c_head.data = US"simple"; ams->c_head.len = 6;
460 ams->c_body = ams->c_head;
461 }
462 }
463 else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
464 {
465 DEBUG(D_acl)
466 {
467 int len = h->slen;
468 uschar * s;
469 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
470 s--, len--;
471 debug_printf("ARC: found AS: %.*s\n", len, h->text);
472 }
473 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
474 instance_only)))
475 {
476 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
477 return US"inserting AS";
478 }
479 }
480 return NULL;
481 }
482
483
484
485 /* Gather the chain of arc sets from the headers.
486 Check for duplicates while that is done. Also build the
487 reverse-order headers list;
488
489 Return: ARC state if determined, eg. by lack of any ARC chain.
490 */
491
492 static const uschar *
493 arc_vfy_collect_hdrs(arc_ctx * ctx)
494 {
495 header_line * h;
496 hdr_rlist * r = NULL, * rprev = NULL;
497 const uschar * e;
498
499 DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
500 for (h = header_list; h; h = h->next)
501 {
502 r = store_get(sizeof(hdr_rlist));
503 r->prev = rprev;
504 r->used = FALSE;
505 r->h = h;
506 rprev = r;
507
508 if ((e = arc_try_header(ctx, h, FALSE)))
509 {
510 arc_state_reason = string_sprintf("collecting headers: %s", e);
511 return US"fail";
512 }
513 }
514 headers_rlist = r;
515
516 if (!ctx->arcset_chain) return US"none";
517 return NULL;
518 }
519
520
521 static BOOL
522 arc_cv_match(arc_line * al, const uschar * s)
523 {
524 return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
525 }
526
527 /******************************************************************************/
528
529 /* Return the hash of headers from the message that the AMS claims it
530 signed.
531 */
532
533 static void
534 arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
535 {
536 const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
537 const uschar * hn;
538 int sep = ':';
539 hdr_rlist * r;
540 BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
541 int hashtype = pdkim_hashname_to_hashtype(
542 ams->a_hash.data, ams->a_hash.len);
543 hctx hhash_ctx;
544 const uschar * s;
545 int len;
546
547 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
548 {
549 DEBUG(D_acl)
550 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
551 return;
552 }
553
554 /* For each headername in the list from the AMS (walking in order)
555 walk the message headers in reverse order, adding to the hash any
556 found for the first time. For that last point, maintain used-marks
557 on the list of message headers. */
558
559 DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
560
561 for (r = headers_rlist; r; r = r->prev)
562 r->used = FALSE;
563 while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
564 for (r = headers_rlist; r; r = r->prev)
565 if ( !r->used
566 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
567 )
568 {
569 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
570
571 len = Ustrlen(s);
572 DEBUG(D_acl) pdkim_quoteprint(s, len);
573 exim_sha_update(&hhash_ctx, s, Ustrlen(s));
574 r->used = TRUE;
575 break;
576 }
577
578 /* Finally add in the signature header (with the b= tag stripped); no CRLF */
579
580 s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
581 if (relaxed)
582 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
583 DEBUG(D_acl) pdkim_quoteprint(s, len);
584 exim_sha_update(&hhash_ctx, s, len);
585
586 exim_sha_finish(&hhash_ctx, hhash);
587 DEBUG(D_acl)
588 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
589 return;
590 }
591
592
593
594
595 static pdkim_pubkey *
596 arc_line_to_pubkey(arc_line * al)
597 {
598 uschar * dns_txt;
599 pdkim_pubkey * p;
600
601 if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
602 al->s.len, al->s.data, al->d.len, al->d.data))))
603 {
604 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
605 return NULL;
606 }
607
608 if ( !(p = pdkim_parse_pubkey_record(dns_txt))
609 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
610 )
611 {
612 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
613 return NULL;
614 }
615
616 /* If the pubkey limits use to specified hashes, reject unusable
617 signatures. XXX should we have looked for multiple dns records? */
618
619 if (p->hashes)
620 {
621 const uschar * list = p->hashes, * ele;
622 int sep = ':';
623
624 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
625 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
626 if (!ele)
627 {
628 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
629 p->hashes, (int)al->a.len, al->a.data);
630 return NULL;
631 }
632 }
633 return p;
634 }
635
636
637
638
639 static pdkim_bodyhash *
640 arc_ams_setup_vfy_bodyhash(arc_line * ams)
641 {
642 int canon_head, canon_body;
643 long bodylen;
644
645 if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
646 pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
647 bodylen = ams->l.data
648 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
649
650 return pdkim_set_bodyhash(dkim_verify_ctx,
651 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
652 canon_body,
653 bodylen);
654 }
655
656
657
658 /* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
659 and without a DKIM v= tag.
660 */
661
662 static const uschar *
663 arc_ams_verify(arc_ctx * ctx, arc_set * as)
664 {
665 arc_line * ams = as->hdr_ams;
666 pdkim_bodyhash * b;
667 pdkim_pubkey * p;
668 blob sighash;
669 blob hhash;
670 ev_ctx vctx;
671 int hashtype;
672 const uschar * errstr;
673
674 as->ams_verify_done = US"in-progress";
675
676 /* Check the AMS has all the required tags:
677 "a=" algorithm
678 "b=" signature
679 "bh=" body hash
680 "d=" domain (for key lookup)
681 "h=" headers (included in signature)
682 "s=" key-selector (for key lookup)
683 */
684 if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
685 || !ams->h.data || !ams->s.data)
686 {
687 as->ams_verify_done = arc_state_reason = US"required tag missing";
688 return US"fail";
689 }
690
691
692 /* The bodyhash should have been created earlier, and the dkim code should
693 have managed calculating it during message input. Find the reference to it. */
694
695 if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
696 {
697 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
698 return US"fail";
699 }
700
701 DEBUG(D_acl)
702 {
703 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
704 " Body %.*s computed: ",
705 as->instance, b->signed_body_bytes,
706 (int)ams->a_hash.len, ams->a_hash.data);
707 pdkim_hexprint(CUS b->bh.data, b->bh.len);
708 }
709
710 /* We know the bh-tag blob is of a nul-term string, so safe as a string */
711
712 if ( !ams->bh.data
713 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
714 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
715 )
716 {
717 DEBUG(D_acl)
718 {
719 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
720 pdkim_hexprint(sighash.data, sighash.len);
721 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
722 }
723 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
724 }
725
726 DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
727
728 /* Get the public key from DNS */
729
730 if (!(p = arc_line_to_pubkey(ams)))
731 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
732
733 /* We know the b-tag blob is of a nul-term string, so safe as a string */
734 pdkim_decode_base64(ams->b.data, &sighash);
735
736 arc_get_verify_hhash(ctx, ams, &hhash);
737
738 /* Setup the interface to the signing library */
739
740 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
741 {
742 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
743 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
744 return US"fail";
745 }
746
747 hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
748
749 if ((errstr = exim_dkim_verify(&vctx,
750 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
751 {
752 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
753 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
754 }
755
756 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
757 as->ams_verify_passed = TRUE;
758 return NULL;
759 }
760
761
762
763 /* Check the sets are instance-continuous and that all
764 members are present. Check that no arc_seals are "fail".
765 Set the highest instance number global.
766 Verify the latest AMS.
767 */
768 static uschar *
769 arc_headers_check(arc_ctx * ctx)
770 {
771 arc_set * as;
772 int inst;
773 BOOL ams_fail_found = FALSE;
774
775 if (!(as = ctx->arcset_chain_last))
776 return US"none";
777
778 for(inst = as->instance; as; as = as->prev, inst--)
779 {
780 if (as->instance != inst)
781 arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
782 as->instance, inst);
783 else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
784 arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
785 else if (arc_cv_match(as->hdr_as, US"fail"))
786 arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
787 else
788 goto good;
789
790 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
791 return US"fail";
792
793 good:
794 /* Evaluate the oldest-pass AMS validation while we're here.
795 It does not affect the AS chain validation but is reported as
796 auxilary info. */
797
798 if (!ams_fail_found)
799 if (arc_ams_verify(ctx, as))
800 ams_fail_found = TRUE;
801 else
802 arc_oldest_pass = inst;
803 arc_state_reason = NULL;
804 }
805 if (inst != 0)
806 {
807 arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
808 DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
809 return US"fail";
810 }
811
812 arc_received = ctx->arcset_chain_last;
813 arc_received_instance = arc_received->instance;
814
815 /* We can skip the latest-AMS validation, if we already did it. */
816
817 as = ctx->arcset_chain_last;
818 if (!as->ams_verify_passed)
819 {
820 if (as->ams_verify_done)
821 {
822 arc_state_reason = as->ams_verify_done;
823 return US"fail";
824 }
825 if (!!arc_ams_verify(ctx, as))
826 return US"fail";
827 }
828 return NULL;
829 }
830
831
832 /******************************************************************************/
833 static const uschar *
834 arc_seal_verify(arc_ctx * ctx, arc_set * as)
835 {
836 arc_line * hdr_as = as->hdr_as;
837 arc_set * as2;
838 int hashtype;
839 hctx hhash_ctx;
840 blob hhash_computed;
841 blob sighash;
842 ev_ctx vctx;
843 pdkim_pubkey * p;
844 const uschar * errstr;
845
846 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
847 /*
848 1. If the value of the "cv" tag on that seal is "fail", the
849 chain state is "fail" and the algorithm stops here. (This
850 step SHOULD be skipped if the earlier step (2.1) was
851 performed) [it was]
852
853 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
854 == "none" && i != 1)) then the chain state is "fail" and the
855 algorithm stops here (note that the ordering of the logic is
856 structured for short-circuit evaluation).
857 */
858
859 if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
860 || arc_cv_match(hdr_as, US"none") && as->instance != 1
861 )
862 {
863 arc_state_reason = US"seal cv state";
864 return US"fail";
865 }
866
867 /*
868 3. Initialize a hash function corresponding to the "a" tag of
869 the ARC-Seal.
870 */
871
872 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
873
874 if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
875 {
876 DEBUG(D_acl)
877 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
878 arc_state_reason = US"seal hash setup error";
879 return US"fail";
880 }
881
882 /*
883 4. Compute the canonicalized form of the ARC header fields, in
884 the order described in Section 5.4.2, using the "relaxed"
885 header canonicalization defined in Section 3.4.2 of
886 [RFC6376]. Pass the canonicalized result to the hash
887 function.
888
889 Headers are CRLF-separated, but the last one is not crlf-terminated.
890 */
891
892 DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
893 for (as2 = ctx->arcset_chain;
894 as2 && as2->instance <= as->instance;
895 as2 = as2->next)
896 {
897 arc_line * al;
898 uschar * s;
899 int len;
900
901 al = as2->hdr_aar;
902 if (!(s = al->relaxed))
903 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
904 al->complete->slen, TRUE);
905 len = Ustrlen(s);
906 DEBUG(D_acl) pdkim_quoteprint(s, len);
907 exim_sha_update(&hhash_ctx, s, len);
908
909 al = as2->hdr_ams;
910 if (!(s = al->relaxed))
911 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
912 al->complete->slen, TRUE);
913 len = Ustrlen(s);
914 DEBUG(D_acl) pdkim_quoteprint(s, len);
915 exim_sha_update(&hhash_ctx, s, len);
916
917 al = as2->hdr_as;
918 if (as2->instance == as->instance)
919 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
920 al->rawsig_no_b_val.len, FALSE);
921 else if (!(s = al->relaxed))
922 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
923 al->complete->slen, TRUE);
924 len = Ustrlen(s);
925 DEBUG(D_acl) pdkim_quoteprint(s, len);
926 exim_sha_update(&hhash_ctx, s, len);
927 }
928
929 /*
930 5. Retrieve the final digest from the hash function.
931 */
932
933 exim_sha_finish(&hhash_ctx, &hhash_computed);
934 DEBUG(D_acl)
935 {
936 debug_printf("ARC i=%d AS Header %.*s computed: ",
937 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
938 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
939 }
940
941
942 /*
943 6. Retrieve the public key identified by the "s" and "d" tags in
944 the ARC-Seal, as described in Section 4.1.6.
945 */
946
947 if (!(p = arc_line_to_pubkey(hdr_as)))
948 return US"pubkey problem";
949
950 /*
951 7. Determine whether the signature portion ("b" tag) of the ARC-
952 Seal and the digest computed above are valid according to the
953 public key. (See also Section Section 8.4 for failure case
954 handling)
955
956 8. If the signature is not valid, the chain state is "fail" and
957 the algorithm stops here.
958 */
959
960 /* We know the b-tag blob is of a nul-term string, so safe as a string */
961 pdkim_decode_base64(hdr_as->b.data, &sighash);
962
963 if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
964 {
965 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
966 return US"fail";
967 }
968
969 hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
970
971 if ((errstr = exim_dkim_verify(&vctx,
972 pdkim_hashes[hashtype].exim_hashmethod,
973 &hhash_computed, &sighash)))
974 {
975 DEBUG(D_acl)
976 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
977 arc_state_reason = US"seal sigverify error";
978 return US"fail";
979 }
980
981 DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
982 return NULL;
983 }
984
985
986 static const uschar *
987 arc_verify_seals(arc_ctx * ctx)
988 {
989 arc_set * as = ctx->arcset_chain_last;
990
991 if (!as)
992 return US"none";
993
994 for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
995
996 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
997 return NULL;
998 }
999 /******************************************************************************/
1000
1001 /* Do ARC verification. Called from DATA ACL, on a verify = arc
1002 condition. No arguments; we are checking globals.
1003
1004 Return: The ARC state, or NULL on error.
1005 */
1006
1007 const uschar *
1008 acl_verify_arc(void)
1009 {
1010 const uschar * res;
1011
1012 memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1013
1014 if (!dkim_verify_ctx)
1015 {
1016 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1017 return NULL;
1018 }
1019
1020 /* AS evaluation, per
1021 https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1022 */
1023 /* 1. Collect all ARC sets currently on the message. If there were
1024 none, the ARC state is "none" and the algorithm stops here.
1025 */
1026
1027 if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1028 goto out;
1029
1030 /* 2. If the form of any ARC set is invalid (e.g., does not contain
1031 exactly one of each of the three ARC-specific header fields),
1032 then the chain state is "fail" and the algorithm stops here.
1033
1034 1. To avoid the overhead of unnecessary computation and delay
1035 from crypto and DNS operations, the cv value for all ARC-
1036 Seal(s) MAY be checked at this point. If any of the values
1037 are "fail", then the overall state of the chain is "fail" and
1038 the algorithm stops here.
1039
1040 3. Conduct verification of the ARC-Message-Signature header field
1041 bearing the highest instance number. If this verification fails,
1042 then the chain state is "fail" and the algorithm stops here.
1043 */
1044
1045 if ((res = arc_headers_check(&arc_verify_ctx)))
1046 goto out;
1047
1048 /* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1049 following logic:
1050
1051 1. If the value of the "cv" tag on that seal is "fail", the
1052 chain state is "fail" and the algorithm stops here. (This
1053 step SHOULD be skipped if the earlier step (2.1) was
1054 performed)
1055
1056 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1057 == "none" && i != 1)) then the chain state is "fail" and the
1058 algorithm stops here (note that the ordering of the logic is
1059 structured for short-circuit evaluation).
1060
1061 3. Initialize a hash function corresponding to the "a" tag of
1062 the ARC-Seal.
1063
1064 4. Compute the canonicalized form of the ARC header fields, in
1065 the order described in Section 5.4.2, using the "relaxed"
1066 header canonicalization defined in Section 3.4.2 of
1067 [RFC6376]. Pass the canonicalized result to the hash
1068 function.
1069
1070 5. Retrieve the final digest from the hash function.
1071
1072 6. Retrieve the public key identified by the "s" and "d" tags in
1073 the ARC-Seal, as described in Section 4.1.6.
1074
1075 7. Determine whether the signature portion ("b" tag) of the ARC-
1076 Seal and the digest computed above are valid according to the
1077 public key. (See also Section Section 8.4 for failure case
1078 handling)
1079
1080 8. If the signature is not valid, the chain state is "fail" and
1081 the algorithm stops here.
1082
1083 5. If all seals pass validation, then the chain state is "pass", and
1084 the algorithm is complete.
1085 */
1086
1087 if ((res = arc_verify_seals(&arc_verify_ctx)))
1088 goto out;
1089
1090 res = US"pass";
1091
1092 out:
1093 return res;
1094 }
1095
1096 /******************************************************************************/
1097
1098 /* Prepend the header to the rlist */
1099
1100 static hdr_rlist *
1101 arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1102 {
1103 hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line));
1104 header_line * h = r->h = (header_line *)(r+1);
1105
1106 r->prev = list;
1107 r->used = FALSE;
1108 h->next = NULL;
1109 h->type = 0;
1110 h->slen = len;
1111 h->text = US s;
1112
1113 /* This works for either NL or CRLF lines; also nul-termination */
1114 while (*++s)
1115 if (*s == '\n' && s[1] != '\t' && s[1] != ' ') break;
1116 s++; /* move past end of line */
1117
1118 return r;
1119 }
1120
1121
1122 /* Walk the given headers strings identifying each header, and construct
1123 a reverse-order list.
1124 */
1125
1126 static hdr_rlist *
1127 arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1128 {
1129 const uschar * s;
1130 hdr_rlist * rheaders = NULL;
1131
1132 s = sigheaders ? sigheaders->s : NULL;
1133 if (s) while (*s)
1134 {
1135 const uschar * s2 = s;
1136
1137 /* This works for either NL or CRLF lines; also nul-termination */
1138 while (*++s2)
1139 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1140 s2++; /* move past end of line */
1141
1142 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1143 s = s2;
1144 }
1145 return rheaders;
1146 }
1147
1148
1149
1150 /* Return the A-R content, without identity, with line-ending and
1151 NUL termination. */
1152
1153 static BOOL
1154 arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1155 {
1156 header_line * h;
1157 int ilen = Ustrlen(identity);
1158
1159 ret->data = NULL;
1160 for(h = headers; h; h = h->next)
1161 {
1162 uschar * s = h->text, c;
1163 int len = h->slen;
1164
1165 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1166 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1167 while ( len > 0
1168 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1169 s++, len--; /* FWS */
1170 if (Ustrncmp(s, identity, ilen) != 0) continue;
1171 s += ilen; len -= ilen; /* identity */
1172 if (len <= 0) continue;
1173 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1174 while ( len > 0
1175 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1176 s++, len--; /* FWS */
1177 if (len <= 0) continue;
1178 ret->data = s;
1179 ret->len = len;
1180 return TRUE;
1181 }
1182 return FALSE;
1183 }
1184
1185
1186
1187 /* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1188
1189 static gstring *
1190 arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1191 const uschar * identity, int instance, blob * ar)
1192 {
1193 int aar_off = g ? g->ptr : 0;
1194 arc_set * as = store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line));
1195 arc_line * al = (arc_line *)(as+1);
1196 header_line * h = (header_line *)(al+1);
1197
1198 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1199 g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
1200 g = string_catn(g, US ar->data, ar->len);
1201
1202 h->slen = g->ptr - aar_off;
1203 h->text = g->s + aar_off;
1204 al->complete = h;
1205 as->next = NULL;
1206 as->prev = ctx->arcset_chain_last;
1207 as->instance = instance;
1208 as->hdr_aar = al;
1209 if (instance == 1)
1210 ctx->arcset_chain = as;
1211 else
1212 ctx->arcset_chain_last->next = as;
1213 ctx->arcset_chain_last = as;
1214
1215 DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1216 return g;
1217 }
1218
1219
1220
1221 static BOOL
1222 arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1223 blob * sig, const uschar * why)
1224 {
1225 hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1226 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1227 blob hhash;
1228 es_ctx sctx;
1229 const uschar * errstr;
1230
1231 DEBUG(D_transport)
1232 {
1233 hctx hhash_ctx;
1234 debug_printf("ARC: %s header data for signing:\n", why);
1235 pdkim_quoteprint(hdata->s, hdata->ptr);
1236
1237 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1238 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1239 exim_sha_finish(&hhash_ctx, &hhash);
1240 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1241 }
1242
1243 if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1244 {
1245 hctx hhash_ctx;
1246 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1247 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1248 exim_sha_finish(&hhash_ctx, &hhash);
1249 }
1250 else
1251 {
1252 hhash.data = hdata->s;
1253 hhash.len = hdata->ptr;
1254 }
1255
1256 if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1257 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1258 {
1259 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1260 DEBUG(D_transport)
1261 debug_printf("private key, or private-key file content, was: '%s'\n",
1262 privkey);
1263 return FALSE;
1264 }
1265 return TRUE;
1266 }
1267
1268
1269
1270 static gstring *
1271 arc_sign_append_sig(gstring * g, blob * sig)
1272 {
1273 /*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1274 sig->data = pdkim_encode_base64(sig);
1275 sig->len = Ustrlen(sig->data);
1276 for (;;)
1277 {
1278 int len = MIN(sig->len, 74);
1279 g = string_catn(g, sig->data, len);
1280 if ((sig->len -= len) == 0) break;
1281 sig->data += len;
1282 g = string_catn(g, US"\r\n\t ", 5);
1283 }
1284 g = string_catn(g, US";\r\n", 3);
1285 gstring_release_unused(g);
1286 string_from_gstring(g);
1287 return g;
1288 }
1289
1290
1291 /* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1292
1293 static gstring *
1294 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1295 const uschar * identity, const uschar * selector, blob * bodyhash,
1296 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1297 {
1298 uschar * s;
1299 gstring * hdata = NULL;
1300 int col;
1301 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1302 blob sig;
1303 int ams_off;
1304 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1305 header_line * h = (header_line *)(al+1);
1306
1307 /* debug_printf("%s\n", __FUNCTION__); */
1308
1309 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1310
1311 ams_off = g->ptr;
1312 g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
1313 ARC_HDR_AMS, instance, identity, selector); /*XXX hardwired a= */
1314 if (options & ARC_SIGN_OPT_TSTAMP)
1315 g = string_fmt_append(g, "; t=%lu", (u_long)now);
1316 if (options & ARC_SIGN_OPT_EXPIRE)
1317 g = string_fmt_append(g, "; x=%lu", (u_long)expire);
1318 g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
1319 pdkim_encode_base64(bodyhash));
1320
1321 for(col = 3; rheaders; rheaders = rheaders->prev)
1322 {
1323 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1324 uschar * name, * htext = rheaders->h->text;
1325 int sep = ':';
1326
1327 /* Spot headers of interest */
1328
1329 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1330 {
1331 int len = Ustrlen(name);
1332 if (strncasecmp(CCS htext, CCS name, len) == 0)
1333 {
1334 /* If too long, fold line in h= field */
1335
1336 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1337
1338 /* Add name to h= list */
1339
1340 g = string_catn(g, name, len);
1341 g = string_catn(g, US":", 1);
1342 col += len + 1;
1343
1344 /* Accumulate header for hashing/signing */
1345
1346 hdata = string_cat(hdata,
1347 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1348 break;
1349 }
1350 }
1351 }
1352
1353 /* Lose the last colon from the h= list */
1354
1355 if (g->s[g->ptr - 1] == ':') g->ptr--;
1356
1357 g = string_catn(g, US";\r\n\tb=;", 7);
1358
1359 /* Include the pseudo-header in the accumulation */
1360
1361 s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1362 hdata = string_cat(hdata, s);
1363
1364 /* Calculate the signature from the accumulation */
1365 /*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1366
1367 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1368 return NULL;
1369
1370 /* Lose the trailing semicolon from the psuedo-header, and append the signature
1371 (folded over lines) and termination to complete it. */
1372
1373 g->ptr--;
1374 g = arc_sign_append_sig(g, &sig);
1375
1376 h->slen = g->ptr - ams_off;
1377 h->text = g->s + ams_off;
1378 al->complete = h;
1379 ctx->arcset_chain_last->hdr_ams = al;
1380
1381 DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1382 return g;
1383 }
1384
1385
1386
1387 /* Look for an arc= result in an A-R header blob. We know that its data
1388 happens to be a NUL-term string. */
1389
1390 static uschar *
1391 arc_ar_cv_status(blob * ar)
1392 {
1393 const uschar * resinfo = ar->data;
1394 int sep = ';';
1395 uschar * methodspec, * s;
1396
1397 while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1398 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1399 {
1400 uschar c;
1401 for (s = methodspec += 4;
1402 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1403 return string_copyn(methodspec, s - methodspec);
1404 }
1405 return US"none";
1406 }
1407
1408
1409
1410 /* Build the AS header and prepend it */
1411
1412 static gstring *
1413 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1414 int instance, const uschar * identity, const uschar * selector, blob * ar,
1415 const uschar * privkey, unsigned options)
1416 {
1417 gstring * arcset;
1418 arc_set * as;
1419 uschar * status = arc_ar_cv_status(ar);
1420 arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1421 header_line * h = (header_line *)(al+1);
1422
1423 gstring * hdata = NULL;
1424 int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1425 blob sig;
1426
1427 /*
1428 - Generate AS
1429 - no body coverage
1430 - no h= tag; implicit coverage
1431 - arc status from A-R
1432 - if fail:
1433 - coverage is just the new ARC set
1434 including self (but with an empty b= in self)
1435 - if non-fail:
1436 - all ARC set headers, set-number order, aar then ams then as,
1437 including self (but with an empty b= in self)
1438 */
1439
1440 /* Construct the AS except for the signature */
1441
1442 arcset = string_append(NULL, 9,
1443 ARC_HDR_AS,
1444 US" i=", string_sprintf("%d", instance),
1445 US"; cv=", status,
1446 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1447 US"; s=", selector); /*XXX same as AMS */
1448 if (options & ARC_SIGN_OPT_TSTAMP)
1449 arcset = string_append(arcset, 2,
1450 US"; t=", string_sprintf("%lu", (u_long)now));
1451 arcset = string_cat(arcset,
1452 US";\r\n\t b=;");
1453
1454 h->slen = arcset->ptr;
1455 h->text = arcset->s;
1456 al->complete = h;
1457 ctx->arcset_chain_last->hdr_as = al;
1458
1459 /* For any but "fail" chain-verify status, walk the entire chain in order by
1460 instance. For fail, only the new arc-set. Accumulate the elements walked. */
1461
1462 for (as = Ustrcmp(status, US"fail") == 0
1463 ? ctx->arcset_chain_last : ctx->arcset_chain;
1464 as; as = as->next)
1465 {
1466 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1467 is required per standard. */
1468
1469 h = as->hdr_aar->complete;
1470 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1471 h = as->hdr_ams->complete;
1472 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1473 h = as->hdr_as->complete;
1474 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1475 }
1476
1477 /* Calculate the signature from the accumulation */
1478
1479 if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1480 return NULL;
1481
1482 /* Lose the trailing semicolon */
1483 arcset->ptr--;
1484 arcset = arc_sign_append_sig(arcset, &sig);
1485 DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1486
1487 /* Finally, append the AMS and AAR to the new AS */
1488
1489 return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1490 }
1491
1492
1493 /**************************************/
1494
1495 /* Return pointer to pdkim_bodyhash for given hash method, creating new
1496 method if needed.
1497 */
1498
1499 void *
1500 arc_ams_setup_sign_bodyhash(void)
1501 {
1502 int canon_head, canon_body;
1503
1504 DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1505 pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1506 return pdkim_set_bodyhash(&dkim_sign_ctx,
1507 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1508 canon_body,
1509 -1);
1510 }
1511
1512
1513
1514 void
1515 arc_sign_init(void)
1516 {
1517 memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1518 }
1519
1520
1521
1522 /* A "normal" header line, identified by DKIM processing. These arrive before
1523 the call to arc_sign(), which carries any newly-created DKIM headers - and
1524 those go textually before the normal ones in the message.
1525
1526 We have to take the feed from DKIM as, in the transport-filter case, the
1527 headers are not in memory at the time of the call to arc_sign().
1528
1529 Take a copy of the header and construct a reverse-order list.
1530 Also parse ARC-chain headers and build the chain struct, retaining pointers
1531 into the copies.
1532 */
1533
1534 static const uschar *
1535 arc_header_sign_feed(gstring * g)
1536 {
1537 uschar * s = string_copyn(g->s, g->ptr);
1538 headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1539 return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1540 }
1541
1542
1543
1544 /* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1545 The dkim_exim_sign() function has already been called, so will have hashed the
1546 message body for us so long as we requested a hash previously.
1547
1548 Arguments:
1549 signspec Three-element colon-sep list: identity, selector, privkey.
1550 Optional fourth element: comma-sep list of options.
1551 Already expanded
1552 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1553 errstr Error string
1554
1555 Return value
1556 Set of headers to prepend to the message, including the supplied sigheaders
1557 but not the plainheaders.
1558 */
1559
1560 gstring *
1561 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1562 {
1563 const uschar * identity, * selector, * privkey, * opts, * s;
1564 unsigned options = 0;
1565 int sep = 0;
1566 header_line * headers;
1567 hdr_rlist * rheaders;
1568 blob ar;
1569 int instance;
1570 gstring * g = NULL;
1571 pdkim_bodyhash * b;
1572
1573 expire = now = 0;
1574
1575 /* Parse the signing specification */
1576
1577 identity = string_nextinlist(&signspec, &sep, NULL, 0);
1578 selector = string_nextinlist(&signspec, &sep, NULL, 0);
1579 if ( !*identity || !*selector
1580 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1581 {
1582 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
1583 !*identity ? "identity" : !*selector ? "selector" : "private-key");
1584 return sigheaders ? sigheaders : string_get(0);
1585 }
1586 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1587 return sigheaders ? sigheaders : string_get(0);
1588
1589 if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1590 {
1591 int osep = ',';
1592 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1593 if (Ustrcmp(s, "timestamps") == 0)
1594 {
1595 options |= ARC_SIGN_OPT_TSTAMP;
1596 if (!now) now = time(NULL);
1597 }
1598 else if (Ustrncmp(s, "expire", 6) == 0)
1599 {
1600 options |= ARC_SIGN_OPT_EXPIRE;
1601 if (*(s += 6) == '=')
1602 if (*++s == '+')
1603 {
1604 if (!(expire = (time_t)atoi(CS ++s)))
1605 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1606 if (!now) now = time(NULL);
1607 expire += now;
1608 }
1609 else
1610 expire = (time_t)atol(CS s);
1611 else
1612 {
1613 if (!now) now = time(NULL);
1614 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1615 }
1616 }
1617 }
1618
1619 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1620
1621 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1622 Then scan the list for an A-R header. */
1623
1624 string_from_gstring(sigheaders);
1625 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1626 {
1627 hdr_rlist ** rp;
1628 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1629 *rp = rheaders;
1630 }
1631
1632 /* Finally, build a normal-order headers list */
1633 /*XXX only needed for hunt-the-AR? */
1634 /*XXX also, we really should be accepting any number of ADMD-matching ARs */
1635 {
1636 header_line * hnext = NULL;
1637 for (rheaders = headers_rlist; rheaders;
1638 hnext = rheaders->h, rheaders = rheaders->prev)
1639 rheaders->h->next = hnext;
1640 headers = hnext;
1641 }
1642
1643 if (!(arc_sign_find_ar(headers, identity, &ar)))
1644 {
1645 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1646 return sigheaders ? sigheaders : string_get(0);
1647 }
1648
1649 /* We previously built the data-struct for the existing ARC chain, if any, using a headers
1650 feed from the DKIM module. Use that to give the instance number for the ARC set we are
1651 about to build. */
1652
1653 DEBUG(D_transport)
1654 if (arc_sign_ctx.arcset_chain_last)
1655 debug_printf("ARC: existing chain highest instance: %d\n",
1656 arc_sign_ctx.arcset_chain_last->instance);
1657 else
1658 debug_printf("ARC: no existing chain\n");
1659
1660 instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1661
1662 /*
1663 - Generate AAR
1664 - copy the A-R; prepend i= & identity
1665 */
1666
1667 g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1668
1669 /*
1670 - Generate AMS
1671 - Looks fairly like a DKIM sig
1672 - Cover all DKIM sig headers as well as the usuals
1673 - ? oversigning?
1674 - Covers the data
1675 - we must have requested a suitable bodyhash previously
1676 */
1677
1678 b = arc_ams_setup_sign_bodyhash();
1679 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1680 &b->bh, headers_rlist, privkey, options);
1681
1682 /*
1683 - Generate AS
1684 - no body coverage
1685 - no h= tag; implicit coverage
1686 - arc status from A-R
1687 - if fail:
1688 - coverage is just the new ARC set
1689 including self (but with an empty b= in self)
1690 - if non-fail:
1691 - all ARC set headers, set-number order, aar then ams then as,
1692 including self (but with an empty b= in self)
1693 */
1694
1695 if (g)
1696 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1697 privkey, options);
1698
1699 /* Finally, append the dkim headers and return the lot. */
1700
1701 if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
1702 (void) string_from_gstring(g);
1703 gstring_release_unused(g);
1704 return g;
1705 }
1706
1707
1708 /******************************************************************************/
1709
1710 /* Check to see if the line is an AMS and if so, set up to validate it.
1711 Called from the DKIM input processing. This must be done now as the message
1712 body data is hashed during input.
1713
1714 We call the DKIM code to request a body-hash; it has the facility already
1715 and the hash parameters might be common with other requests.
1716 */
1717
1718 static const uschar *
1719 arc_header_vfy_feed(gstring * g)
1720 {
1721 header_line h;
1722 arc_line al;
1723 pdkim_bodyhash * b;
1724 uschar * errstr;
1725
1726 if (!dkim_verify_ctx) return US"no dkim context";
1727
1728 if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1729
1730 DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1731 /* Parse the AMS header */
1732
1733 h.next = NULL;
1734 h.slen = g->size;
1735 h.text = g->s;
1736 memset(&al, 0, sizeof(arc_line));
1737 if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1738 {
1739 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1740 return US"line parsing error";
1741 }
1742
1743 /* defaults */
1744 if (!al.c.data)
1745 {
1746 al.c_body.data = US"simple"; al.c_body.len = 6;
1747 al.c_head = al.c_body;
1748 }
1749
1750 /* Ask the dkim code to calc a bodyhash with those specs */
1751
1752 if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1753 return US"dkim hash setup fail";
1754
1755 /* Discard the reference; search again at verify time, knowing that one
1756 should have been created here. */
1757
1758 return NULL;
1759 }
1760
1761
1762
1763 /* A header line has been identified by DKIM processing.
1764
1765 Arguments:
1766 g Header line
1767 is_vfy TRUE for verify mode or FALSE for signing mode
1768
1769 Return:
1770 NULL for success, or an error string (probably unused)
1771 */
1772
1773 const uschar *
1774 arc_header_feed(gstring * g, BOOL is_vfy)
1775 {
1776 return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1777 }
1778
1779
1780
1781 /******************************************************************************/
1782
1783 /* Construct the list of domains from the ARC chain after validation */
1784
1785 uschar *
1786 fn_arc_domains(void)
1787 {
1788 arc_set * as;
1789 unsigned inst;
1790 gstring * g = NULL;
1791
1792 for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1793 {
1794 arc_line * hdr_as = as->hdr_as;
1795 if (hdr_as)
1796 {
1797 blob * d = &hdr_as->d;
1798
1799 for (; inst < as->instance; inst++)
1800 g = string_catn(g, US":", 1);
1801
1802 g = d->data && d->len
1803 ? string_append_listele_n(g, ':', d->data, d->len)
1804 : string_catn(g, US":", 1);
1805 }
1806 else
1807 g = string_catn(g, US":", 1);
1808 }
1809 return g ? g->s : US"";
1810 }
1811
1812
1813 /* Construct an Authentication-Results header portion, for the ARC module */
1814
1815 gstring *
1816 authres_arc(gstring * g)
1817 {
1818 if (arc_state)
1819 {
1820 arc_line * highest_ams;
1821 int start = 0; /* Compiler quietening */
1822 DEBUG(D_acl) start = g->ptr;
1823
1824 g = string_append(g, 2, US";\n\tarc=", arc_state);
1825 if (arc_received_instance > 0)
1826 {
1827 g = string_fmt_append(g, " (i=%d)", arc_received_instance);
1828 if (arc_state_reason)
1829 g = string_append(g, 3, US"(", arc_state_reason, US")");
1830 g = string_catn(g, US" header.s=", 10);
1831 highest_ams = arc_received->hdr_ams;
1832 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1833
1834 g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
1835
1836 if (sender_host_address)
1837 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1838 }
1839 else if (arc_state_reason)
1840 g = string_append(g, 3, US" (", arc_state_reason, US")");
1841 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1842 g->ptr - start - 3, g->s + start + 3);
1843 }
1844 else
1845 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1846 return g;
1847 }
1848
1849
1850 # endif /* SUPPORT_SPF */
1851 #endif /* EXPERIMENTAL_ARC */
1852 /* vi: aw ai sw=2
1853 */
Unnamed repository; edit this file 'description' to name the repository.