extern pdkim_ctx dkim_sign_ctx;
#define ARC_SIGN_OPT_TSTAMP BIT(0)
+#define ARC_SIGN_OPT_EXPIRE BIT(1)
+
+#define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
/******************************************************************************/
#define HDR_AR US"Authentication-Results:"
#define HDRLEN_AR 23
+static time_t now;
+static time_t expire;
static hdr_rlist * headers_rlist;
static arc_ctx arc_sign_ctx = { NULL };
+static arc_ctx arc_verify_ctx = { NULL };
/******************************************************************************/
arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
BOOL instance_only)
{
-int i;
+unsigned i;
arc_set * as;
arc_line * al = store_get(sizeof(arc_line)), ** alp;
uschar * e;
return US"line parse";
}
if (!(i = arc_instance_from_hdr(al))) return US"instance find";
+if (i > 50) return US"overlarge instance number";
if (!(as = arc_find_set(ctx, i))) return US"set find";
if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
int inst;
BOOL ams_fail_found = FALSE;
-if (!(as = ctx->arcset_chain))
+if (!(as = ctx->arcset_chain_last))
return US"none";
-for(inst = 0; as; as = as->next)
+for(inst = as->instance; as; as = as->prev, inst--)
{
- if ( as->instance != ++inst
- || !as->hdr_aar || !as->hdr_ams || !as->hdr_as
- || arc_cv_match(as->hdr_as, US"fail")
- )
- {
- arc_state_reason = string_sprintf("i=%d"
- " (cv, sequence or missing header)", as->instance);
- DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
- return US"fail";
- }
+ if (as->instance != inst)
+ arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
+ as->instance, inst);
+ else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
+ arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
+ else if (arc_cv_match(as->hdr_as, US"fail"))
+ arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
+ else
+ goto good;
+ DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
+ return US"fail";
+
+ good:
/* Evaluate the oldest-pass AMS validation while we're here.
It does not affect the AS chain validation but is reported as
auxilary info. */
arc_oldest_pass = inst;
arc_state_reason = NULL;
}
+if (inst != 0)
+ {
+ arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
+ DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
+ return US"fail";
+ }
arc_received = ctx->arcset_chain_last;
-arc_received_instance = inst;
+arc_received_instance = arc_received->instance;
/* We can skip the latest-AMS validation, if we already did it. */
const uschar *
acl_verify_arc(void)
{
-arc_ctx ctx = { NULL };
const uschar * res;
+memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
+
if (!dkim_verify_ctx)
{
DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
none, the ARC state is "none" and the algorithm stops here.
*/
-if ((res = arc_vfy_collect_hdrs(&ctx)))
+if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
goto out;
/* 2. If the form of any ARC set is invalid (e.g., does not contain
then the chain state is "fail" and the algorithm stops here.
*/
-if ((res = arc_headers_check(&ctx)))
+if ((res = arc_headers_check(&arc_verify_ctx)))
goto out;
/* 4. For each ARC-Seal from the "N"th instance to the first, apply the
the algorithm is complete.
*/
-if ((res = arc_verify_seals(&ctx)))
+if ((res = arc_verify_seals(&arc_verify_ctx)))
goto out;
res = US"pass";
US"; s=", selector);
if (options & ARC_SIGN_OPT_TSTAMP)
g = string_append(g, 2,
- US"; t=", string_sprintf("%lu", (u_long)time(NULL)));
+ US"; t=", string_sprintf("%lu", (u_long)now));
+if (options & ARC_SIGN_OPT_EXPIRE)
+ g = string_append(g, 2,
+ US"; x=", string_sprintf("%lu", (u_long)expire));
g = string_append(g, 3,
US";\r\n\tbh=", pdkim_encode_base64(bodyhash),
US";\r\n\th=");
US"; s=", selector); /*XXX same as AMS */
if (options & ARC_SIGN_OPT_TSTAMP)
arcset = string_append(arcset, 2,
- US"; t=", string_sprintf("%lu", (u_long)time(NULL)));
+ US"; t=", string_sprintf("%lu", (u_long)now));
arcset = string_cat(arcset,
US";\r\n\t b=;");
gstring * g = NULL;
pdkim_bodyhash * b;
+expire = now = 0;
+
/* Parse the signing specification */
identity = string_nextinlist(&signspec, &sep, NULL, 0);
selector = string_nextinlist(&signspec, &sep, NULL, 0);
-if ( !*identity | !*selector
+if ( !*identity || !*selector
|| !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
{
log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
int osep = ',';
while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
if (Ustrcmp(s, "timestamps") == 0)
+ {
options |= ARC_SIGN_OPT_TSTAMP;
+ if (!now) now = time(NULL);
+ }
+ else if (Ustrncmp(s, "expire", 6) == 0)
+ {
+ options |= ARC_SIGN_OPT_EXPIRE;
+ if (*(s += 6) == '=')
+ if (*++s == '+')
+ {
+ if (!(expire = (time_t)atoi(++s)))
+ expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+ if (!now) now = time(NULL);
+ expire += now;
+ }
+ else
+ expire = (time_t)atol(s);
+ else
+ {
+ if (!now) now = time(NULL);
+ expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+ }
+ }
}
DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
/******************************************************************************/
+/* Construct the list of domains from the ARC chain after validation */
+
+uschar *
+fn_arc_domains(void)
+{
+arc_set * as;
+unsigned inst;
+gstring * g = NULL;
+
+for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
+ {
+ arc_line * hdr_as = as->hdr_as;
+ if (hdr_as)
+ {
+ blob * d = &hdr_as->d;
+
+ for (; inst < as->instance; inst++)
+ g = string_catn(g, ":", 1);
+
+ g = d->data && d->len
+ ? string_append_listele_n(g, ':', d->data, d->len)
+ : string_catn(g, ":", 1);
+ }
+ else
+ g = string_catn(g, ":", 1);
+ }
+return g ? g->s : US"";
+}
+
+
/* Construct an Authenticate-Results header portion, for the ARC module */
gstring *
projects / exim.git / blobdiff