extern pdkim_ctx * dkim_verify_ctx;
extern pdkim_ctx dkim_sign_ctx;
+#define ARC_SIGN_OPT_TSTAMP BIT(0)
+#define ARC_SIGN_OPT_EXPIRE BIT(1)
+
+#define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
+
/******************************************************************************/
typedef struct hdr_rlist {
#define HDR_AR US"Authentication-Results:"
#define HDRLEN_AR 23
+static time_t now;
+static time_t expire;
static hdr_rlist * headers_rlist;
static arc_ctx arc_sign_ctx = { NULL };
arc_set * as;
int inst;
BOOL ams_fail_found = FALSE;
-uschar * ret = NULL;
if (!(as = ctx->arcset_chain))
return US"none";
arc_received = ctx->arcset_chain_last;
arc_received_instance = inst;
-if (ret)
- return ret;
/* We can skip the latest-AMS validation, if we already did it. */
as = ctx->arcset_chain_last;
-if (as->ams_verify_done && !as->ams_verify_passed)
+if (!as->ams_verify_passed)
{
- arc_state_reason = as->ams_verify_done;
- return US"fail";
+ if (as->ams_verify_done)
+ {
+ arc_state_reason = as->ams_verify_done;
+ return US"fail";
+ }
+ if (!!arc_ams_verify(ctx, as))
+ return US"fail";
}
-if (!!arc_ams_verify(ctx, as))
- return US"fail";
-
return NULL;
}
if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
|| (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
{
- log_write(0, LOG_MAIN|LOG_PANIC, "ARC: %s signing: %s\n", why, errstr);
+ log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
return FALSE;
}
return TRUE;
static gstring *
arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
const uschar * identity, const uschar * selector, blob * bodyhash,
- hdr_rlist * rheaders, const uschar * privkey)
+ hdr_rlist * rheaders, const uschar * privkey, unsigned options)
{
uschar * s;
gstring * hdata = NULL;
/* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
ams_off = g->ptr;
-g = string_append(g, 10,
+g = string_append(g, 7,
ARC_HDR_AMS,
US" i=", string_sprintf("%d", instance),
US"; a=rsa-sha256; c=relaxed; d=", identity, /*XXX hardwired */
- US"; s=", selector,
+ US"; s=", selector);
+if (options & ARC_SIGN_OPT_TSTAMP)
+ g = string_append(g, 2,
+ US"; t=", string_sprintf("%lu", (u_long)now));
+if (options & ARC_SIGN_OPT_EXPIRE)
+ g = string_append(g, 2,
+ US"; x=", string_sprintf("%lu", (u_long)expire));
+g = string_append(g, 3,
US";\r\n\tbh=", pdkim_encode_base64(bodyhash),
US";\r\n\th=");
static gstring *
arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
int instance, const uschar * identity, const uschar * selector, blob * ar,
- const uschar * privkey)
+ const uschar * privkey, unsigned options)
{
gstring * arcset;
arc_set * as;
/* Construct the AS except for the signature */
-arcset = string_append(NULL, 10,
+arcset = string_append(NULL, 9,
ARC_HDR_AS,
US" i=", string_sprintf("%d", instance),
US"; cv=", status,
US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
- US"; s=", selector, /*XXX same as AMS */
+ US"; s=", selector); /*XXX same as AMS */
+if (options & ARC_SIGN_OPT_TSTAMP)
+ arcset = string_append(arcset, 2,
+ US"; t=", string_sprintf("%lu", (u_long)now));
+arcset = string_cat(arcset,
US";\r\n\t b=;");
h->slen = arcset->ptr;
message body for us so long as we requested a hash previously.
Arguments:
- signspec Three-element colon-sep list: identity, selector, privkey
+ signspec Three-element colon-sep list: identity, selector, privkey.
+ Optional fourth element: comma-sep list of options.
Already expanded
sigheaders Any signature headers already generated, eg. by DKIM, or NULL
errstr Error string
gstring *
arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
{
-const uschar * identity, * selector, * privkey;
+const uschar * identity, * selector, * privkey, * opts, * s;
+unsigned options = 0;
int sep = 0;
header_line * headers;
hdr_rlist * rheaders;
gstring * g = NULL;
pdkim_bodyhash * b;
+expire = now = 0;
+
/* Parse the signing specification */
identity = string_nextinlist(&signspec, &sep, NULL, 0);
selector = string_nextinlist(&signspec, &sep, NULL, 0);
-if ( !*identity | !*selector
+if ( !*identity || !*selector
|| !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
{
- log_write(0, LOG_MAIN|LOG_PANIC, "ARC: bad signing-specification (%s)",
+ log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
!*identity ? "identity" : !*selector ? "selector" : "private-key");
- return NULL;
+ return sigheaders ? sigheaders : string_get(0);
}
if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
- return NULL;
+ return sigheaders ? sigheaders : string_get(0);
+
+if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
+ {
+ int osep = ',';
+ while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
+ if (Ustrcmp(s, "timestamps") == 0)
+ {
+ options |= ARC_SIGN_OPT_TSTAMP;
+ if (!now) now = time(NULL);
+ }
+ else if (Ustrncmp(s, "expire", 6) == 0)
+ {
+ options |= ARC_SIGN_OPT_EXPIRE;
+ if (*(s += 6) == '=')
+ if (*++s == '+')
+ {
+ if (!(expire = (time_t)atoi(++s)))
+ expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+ if (!now) now = time(NULL);
+ expire += now;
+ }
+ else
+ expire = (time_t)atol(s);
+ else
+ {
+ if (!now) now = time(NULL);
+ expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+ }
+ }
+ }
DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
{
hdr_rlist ** rp;
- for (rp = &rheaders; *rp; ) rp = &(*rp)->prev;
- *rp = headers_rlist;
- headers_rlist = rheaders;
+ for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
+ *rp = rheaders;
}
-else
- rheaders = headers_rlist;
/* Finally, build a normal-order headers list */
/*XXX only needed for hunt-the-AR? */
+/*XXX also, we really should be accepting any number of ADMD-matching ARs */
{
header_line * hnext = NULL;
- for (; rheaders; hnext = rheaders->h, rheaders = rheaders->prev)
+ for (rheaders = headers_rlist; rheaders;
+ hnext = rheaders->h, rheaders = rheaders->prev)
rheaders->h->next = hnext;
headers = hnext;
}
if (!(arc_sign_find_ar(headers, identity, &ar)))
{
- log_write(0, LOG_MAIN|LOG_PANIC, "ARC: no Authentication-Results header for signing");
+ log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
return sigheaders ? sigheaders : string_get(0);
}
b = arc_ams_setup_sign_bodyhash();
g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
- &b->bh, headers_rlist, privkey);
+ &b->bh, headers_rlist, privkey, options);
/*
- Generate AS
including self (but with an empty b= in self)
*/
-g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar, privkey);
+g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
+ privkey, options);
/* Finally, append the dkim headers and return the lot. */
projects / exim.git / blobdiff