HCoop / hcoop / debian / exim4.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Import Debian changes 4.92-8+deb10u3
[hcoop/debian/exim4.git] / src / arc.c
CommitLineData
2ea97746
CE		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4/* Experimental ARC support for Exim
5 Copyright (c) Jeremy Harris 2018
6 License: GPL
7*/
8
9#include "exim.h"
10#ifdef EXPERIMENTAL_ARC
11# if !defined SUPPORT_SPF
12# error SPF must also be enabled for ARC
13# elif defined DISABLE_DKIM
14# error DKIM must also be enabled for ARC
15# else
16
17# include "functions.h"
18# include "pdkim/pdkim.h"
19# include "pdkim/signing.h"
20
21extern pdkim_ctx * dkim_verify_ctx;
22extern pdkim_ctx dkim_sign_ctx;
23
24#define ARC_SIGN_OPT_TSTAMP BIT(0)
25#define ARC_SIGN_OPT_EXPIRE BIT(1)
26
27#define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30) /* one month */
28
29/******************************************************************************/
30
31typedef struct hdr_rlist {
32 struct hdr_rlist * prev;
33 BOOL used;
34 header_line * h;
35} hdr_rlist;
36
37typedef struct arc_line {
38 header_line * complete; /* including the header name; nul-term */
39 uschar * relaxed;
40
41 /* identified tag contents */
42 /*XXX t= for AS? */
43 blob i;
44 blob cv;
45 blob a;
46 blob b;
47 blob bh;
48 blob d;
49 blob h;
50 blob s;
51 blob c;
52 blob l;
53
54 /* tag content sub-portions */
55 blob a_algo;
56 blob a_hash;
57
58 blob c_head;
59 blob c_body;
60
61 /* modified copy of b= field in line */
62 blob rawsig_no_b_val;
63} arc_line;
64
65typedef struct arc_set {
66 struct arc_set * next;
67 struct arc_set * prev;
68
69 unsigned instance;
70 arc_line * hdr_aar;
71 arc_line * hdr_ams;
72 arc_line * hdr_as;
73
74 const uschar * ams_verify_done;
75 BOOL ams_verify_passed;
76} arc_set;
77
78typedef struct arc_ctx {
79 arc_set * arcset_chain;
80 arc_set * arcset_chain_last;
81} arc_ctx;
82
83#define ARC_HDR_AAR US"ARC-Authentication-Results:"
84#define ARC_HDRLEN_AAR 27
85#define ARC_HDR_AMS US"ARC-Message-Signature:"
86#define ARC_HDRLEN_AMS 22
87#define ARC_HDR_AS US"ARC-Seal:"
88#define ARC_HDRLEN_AS 9
89#define HDR_AR US"Authentication-Results:"
90#define HDRLEN_AR 23
91
92static time_t now;
93static time_t expire;
94static hdr_rlist * headers_rlist;
95static arc_ctx arc_sign_ctx = { NULL };
96static arc_ctx arc_verify_ctx = { NULL };
97
98
99/******************************************************************************/
100
101
102/* Get the instance number from the header.
103Return 0 on error */
104static unsigned
105arc_instance_from_hdr(const arc_line * al)
106{
107const uschar * s = al->i.data;
108if (!s || !al->i.len) return 0;
109return (unsigned) atoi(CCS s);
110}
111
112
113static uschar *
114skip_fws(uschar * s)
115{
116uschar c = *s;
117while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
118return s;
119}
120
121
122/* Locate instance struct on chain, inserting a new one if
123needed. The chain is in increasing-instance-number order
124by the "next" link, and we have a "prev" link also.
125*/
126
127static arc_set *
128arc_find_set(arc_ctx * ctx, unsigned i)
129{
130arc_set ** pas, * as, * next, * prev;
131
132for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
133 as = *pas; pas = &as->next)
134 {
135 if (as->instance > i) break;
136 if (as->instance == i)
137 {
138 DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
139 return as;
140 }
141 next = as->next;
142 prev = as;
143 }
144
145DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
146*pas = as = store_get(sizeof(arc_set));
147memset(as, 0, sizeof(arc_set));
148as->next = next;
149as->prev = prev;
150as->instance = i;
151if (next)
152 next->prev = as;
153else
154 ctx->arcset_chain_last = as;
155return as;
156}
157
158
159
160/* Insert a tag content into the line structure.
161Note this is a reference to existing data, not a copy.
162Check for already-seen tag.
163The string-pointer is on the '=' for entry. Update it past the
164content (to the ;) on return;
165*/
166
167static uschar *
168arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
169{
170uschar * s = *ss;
171uschar c = *++s;
172blob * b = (blob *)(US al + loff);
173size_t len = 0;
174
175/* [FWS] tag-value [FWS] */
176
177if (b->data) return US"fail";
178s = skip_fws(s); /* FWS */
179
180b->data = s;
181while ((c = *s) && c != ';') { len++; s++; }
182*ss = s;
183while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
184 { s--; len--; } /* FWS */
185b->len = len;
186return NULL;
187}
188
189
190/* Inspect a header line, noting known tag fields.
191Check for duplicates. */
192
193static uschar *
194arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
195{
196uschar * s = h->text + off;
197uschar * r = NULL; /* compiler-quietening */
198uschar c;
199
200al->complete = h;
201
202if (!instance_only)
203 {
204 al->rawsig_no_b_val.data = store_get(h->slen + 1);
205 memcpy(al->rawsig_no_b_val.data, h->text, off); /* copy the header name blind */
206 r = al->rawsig_no_b_val.data + off;
207 al->rawsig_no_b_val.len = off;
208 }
209
210/* tag-list = tag-spec *( ";" tag-spec ) [ ";" ] */
211
212while ((c = *s))
213 {
214 char tagchar;
215 uschar * t;
216 unsigned i = 0;
217 uschar * fieldstart = s;
218 uschar * bstart = NULL, * bend;
219
220 /* tag-spec = [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
221
222 s = skip_fws(s); /* FWS */
223 if (!*s) break;
224/* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
225 tagchar = *s++;
226 s = skip_fws(s); /* FWS */
227 if (!*s) break;
228
229 if (!instance_only || tagchar == 'i') switch (tagchar)
230 {
231 case 'a': /* a= AMS algorithm */
232 {
233 if (*s != '=') return US"no 'a' value";
234 if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
235
236 /* substructure: algo-hash (eg. rsa-sha256) */
237
238 t = al->a_algo.data = al->a.data;
239 while (*t != '-')
240 if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
241 al->a_algo.len = i;
242 if (*t++ != '-') return US"no '-' in 'a' value";
243 al->a_hash.data = t;
244 al->a_hash.len = al->a.len - i - 1;
245 }
246 break;
247 case 'b':
248 {
249 gstring * g = NULL;
250
251 switch (*s)
252 {
253 case '=': /* b= AMS signature */
254 if (al->b.data) return US"already b data";
255 bstart = s+1;
256
257 /* The signature can have FWS inserted in the content;
258 make a stripped copy */
259
260 while ((c = *++s) && c != ';')
261 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
262 g = string_catn(g, s, 1);
263 al->b.data = string_from_gstring(g);
264 al->b.len = g->ptr;
265 gstring_reset_unused(g);
266 bend = s;
267 break;
268 case 'h': /* bh= AMS body hash */
269 s = skip_fws(++s); /* FWS */
270 if (*s != '=') return US"no bh value";
271 if (al->bh.data) return US"already bh data";
272
273 /* The bodyhash can have FWS inserted in the content;
274 make a stripped copy */
275
276 while ((c = *++s) && c != ';')
277 if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
278 g = string_catn(g, s, 1);
279 al->bh.data = string_from_gstring(g);
280 al->bh.len = g->ptr;
281 gstring_reset_unused(g);
282 break;
283 default:
284 return US"b? tag";
285 }
286 }
287 break;
288 case 'c':
289 switch (*s)
290 {
291 case '=': /* c= AMS canonicalisation */
292 if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
293
294 /* substructure: head/body (eg. relaxed/simple)) */
295
296 t = al->c_head.data = al->c.data;
297 while (isalpha(*t))
298 if (!*t++ || ++i > al->a.len) break;
299 al->c_head.len = i;
300 if (*t++ == '/') /* /body is optional */
301 {
302 al->c_body.data = t;
303 al->c_body.len = al->c.len - i - 1;
304 }
305 else
306 {
307 al->c_body.data = US"simple";
308 al->c_body.len = 6;
309 }
310 break;
311 case 'v': /* cv= AS validity */
312 if (*++s != '=') return US"cv tag val";
313 if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
314 break;
315 default:
316 return US"c? tag";
317 }
318 break;
319 case 'd': /* d= AMS domain */
320 if (*s != '=') return US"d tag val";
321 if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
322 break;
323 case 'h': /* h= AMS headers */
324 if (*s != '=') return US"h tag val";
325 if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
326 break;
327 case 'i': /* i= ARC set instance */
328 if (*s != '=') return US"i tag val";
329 if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
330 if (instance_only) goto done;
331 break;
332 case 'l': /* l= bodylength */
333 if (*s != '=') return US"l tag val";
334 if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
335 break;
336 case 's': /* s= AMS selector */
337 if (*s != '=') return US"s tag val";
338 if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
339 break;
340 }
341
342 while ((c = *s) && c != ';') s++;
343 if (c) s++; /* ; after tag-spec */
344
345 /* for all but the b= tag, copy the field including FWS. For the b=,
346 drop the tag content. */
347
348 if (!instance_only)
349 if (bstart)
350 {
351 size_t n = bstart - fieldstart;
352 memcpy(r, fieldstart, n); /* FWS "b=" */
353 r += n;
354 al->rawsig_no_b_val.len += n;
355 n = s - bend;
356 memcpy(r, bend, n); /* FWS ";" */
357 r += n;
358 al->rawsig_no_b_val.len += n;
359 }
360 else
361 {
362 size_t n = s - fieldstart;
363 memcpy(r, fieldstart, n);
364 r += n;
365 al->rawsig_no_b_val.len += n;
366 }
367 }
368
369if (!instance_only)
370 *r = '\0';
371
372done:
373/* debug_printf("%s: finshed\n", __FUNCTION__); */
374return NULL;
375}
376
377
378/* Insert one header line in the correct set of the chain,
379adding instances as needed and checking for duplicate lines.
380*/
381
382static uschar *
383arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
384 BOOL instance_only)
385{
386unsigned i;
387arc_set * as;
388arc_line * al = store_get(sizeof(arc_line)), ** alp;
389uschar * e;
390
391memset(al, 0, sizeof(arc_line));
392
393if ((e = arc_parse_line(al, h, off, instance_only)))
394 {
395 DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
396 return US"line parse";
397 }
398if (!(i = arc_instance_from_hdr(al))) return US"instance find";
399if (i > 50) return US"overlarge instance number";
400if (!(as = arc_find_set(ctx, i))) return US"set find";
401if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
402
403*alp = al;
404return NULL;
405}
406
407
408
409
410static const uschar *
411arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
412{
413const uschar * e;
414
415/*debug_printf("consider hdr '%s'\n", h->text);*/
416if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
417 {
418 DEBUG(D_acl)
419 {
420 int len = h->slen;
421 uschar * s;
422 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
423 s--, len--;
424 debug_printf("ARC: found AAR: %.*s\n", len, h->text);
425 }
426 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
427 TRUE)))
428 {
429 DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
430 return US"inserting AAR";
431 }
432 }
433else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
434 {
435 arc_line * ams;
436
437 DEBUG(D_acl)
438 {
439 int len = h->slen;
440 uschar * s;
441 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
442 s--, len--;
443 debug_printf("ARC: found AMS: %.*s\n", len, h->text);
444 }
445 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
446 instance_only)))
447 {
448 DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
449 return US"inserting AMS";
450 }
451
452 /* defaults */
453 /*XXX dubious selection of ams here */
454 ams = ctx->arcset_chain->hdr_ams;
455 if (!ams->c.data)
456 {
457 ams->c_head.data = US"simple"; ams->c_head.len = 6;
458 ams->c_body = ams->c_head;
459 }
460 }
461else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
462 {
463 DEBUG(D_acl)
464 {
465 int len = h->slen;
466 uschar * s;
467 for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
468 s--, len--;
469 debug_printf("ARC: found AS: %.*s\n", len, h->text);
470 }
471 if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
472 instance_only)))
473 {
474 DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
475 return US"inserting AS";
476 }
477 }
478return NULL;
479}
480
481
482
483/* Gather the chain of arc sets from the headers.
484Check for duplicates while that is done. Also build the
485reverse-order headers list;
486
487Return: ARC state if determined, eg. by lack of any ARC chain.
488*/
489
490static const uschar *
491arc_vfy_collect_hdrs(arc_ctx * ctx)
492{
493header_line * h;
494hdr_rlist * r = NULL, * rprev = NULL;
495const uschar * e;
496
497DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
498for (h = header_list; h; h = h->next)
499 {
500 r = store_get(sizeof(hdr_rlist));
501 r->prev = rprev;
502 r->used = FALSE;
503 r->h = h;
504 rprev = r;
505
506 if ((e = arc_try_header(ctx, h, FALSE)))
507 {
508 arc_state_reason = string_sprintf("collecting headers: %s", e);
509 return US"fail";
510 }
511 }
512headers_rlist = r;
513
514if (!ctx->arcset_chain) return US"none";
515return NULL;
516}
517
518
519static BOOL
520arc_cv_match(arc_line * al, const uschar * s)
521{
522return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
523}
524
525/******************************************************************************/
526
527/* Return the hash of headers from the message that the AMS claims it
528signed.
529*/
530
531static void
532arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
533{
534const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
535const uschar * hn;
536int sep = ':';
537hdr_rlist * r;
538BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
539int hashtype = pdkim_hashname_to_hashtype(
540 ams->a_hash.data, ams->a_hash.len);
541hctx hhash_ctx;
542const uschar * s;
543int len;
544
545if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
546 {
547 DEBUG(D_acl)
548 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
549 return;
550 }
551
552/* For each headername in the list from the AMS (walking in order)
553walk the message headers in reverse order, adding to the hash any
554found for the first time. For that last point, maintain used-marks
555on the list of message headers. */
556
557DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
558
559for (r = headers_rlist; r; r = r->prev)
560 r->used = FALSE;
561while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
562 for (r = headers_rlist; r; r = r->prev)
563 if ( !r->used
564 && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
565 )
566 {
567 if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
568
569 len = Ustrlen(s);
570 DEBUG(D_acl) pdkim_quoteprint(s, len);
571 exim_sha_update(&hhash_ctx, s, Ustrlen(s));
572 r->used = TRUE;
573 break;
574 }
575
576/* Finally add in the signature header (with the b= tag stripped); no CRLF */
577
578s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
579if (relaxed)
580 len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
581DEBUG(D_acl) pdkim_quoteprint(s, len);
582exim_sha_update(&hhash_ctx, s, len);
583
584exim_sha_finish(&hhash_ctx, hhash);
585DEBUG(D_acl)
586 { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
587return;
588}
589
590
591
592
593static pdkim_pubkey *
594arc_line_to_pubkey(arc_line * al)
595{
596uschar * dns_txt;
597pdkim_pubkey * p;
598
599if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
600 al->s.len, al->s.data, al->d.len, al->d.data))))
601 {
602 DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
603 return NULL;
604 }
605
606if ( !(p = pdkim_parse_pubkey_record(dns_txt))
607 || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
608 )
609 {
610 DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
611 return NULL;
612 }
613
614/* If the pubkey limits use to specified hashes, reject unusable
615signatures. XXX should we have looked for multiple dns records? */
616
617if (p->hashes)
618 {
619 const uschar * list = p->hashes, * ele;
620 int sep = ':';
621
622 while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
623 if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
624 if (!ele)
625 {
626 DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
627 p->hashes, (int)al->a.len, al->a.data);
628 return NULL;
629 }
630 }
631return p;
632}
633
634
635
636
637static pdkim_bodyhash *
638arc_ams_setup_vfy_bodyhash(arc_line * ams)
639{
640int canon_head, canon_body;
641long bodylen;
642
643if (!ams->c.data) ams->c.data = US"simple"; /* RFC 6376 (DKIM) default */
644pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
645bodylen = ams->l.data
646 ? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
647
648return pdkim_set_bodyhash(dkim_verify_ctx,
649 pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
650 canon_body,
651 bodylen);
652}
653
654
655
656/* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
657and without a DKIM v= tag.
658*/
659
660static const uschar *
661arc_ams_verify(arc_ctx * ctx, arc_set * as)
662{
663arc_line * ams = as->hdr_ams;
664pdkim_bodyhash * b;
665pdkim_pubkey * p;
666blob sighash;
667blob hhash;
668ev_ctx vctx;
669int hashtype;
670const uschar * errstr;
671
672as->ams_verify_done = US"in-progress";
673
674/* Check the AMS has all the required tags:
675 "a=" algorithm
676 "b=" signature
677 "bh=" body hash
678 "d=" domain (for key lookup)
679 "h=" headers (included in signature)
680 "s=" key-selector (for key lookup)
681*/
682if ( !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
683 || !ams->h.data || !ams->s.data)
684 {
685 as->ams_verify_done = arc_state_reason = US"required tag missing";
686 return US"fail";
687 }
688
689
690/* The bodyhash should have been created earlier, and the dkim code should
691have managed calculating it during message input. Find the reference to it. */
692
693if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
694 {
695 as->ams_verify_done = arc_state_reason = US"internal hash setup error";
696 return US"fail";
697 }
698
699DEBUG(D_acl)
700 {
701 debug_printf("ARC i=%d AMS Body bytes hashed: %lu\n"
702 " Body %.*s computed: ",
703 as->instance, b->signed_body_bytes,
704 (int)ams->a_hash.len, ams->a_hash.data);
705 pdkim_hexprint(CUS b->bh.data, b->bh.len);
706 }
707
708/* We know the bh-tag blob is of a nul-term string, so safe as a string */
709
710if ( !ams->bh.data
711 || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
712 || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
713 )
714 {
715 DEBUG(D_acl)
716 {
717 debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
718 pdkim_hexprint(sighash.data, sighash.len);
719 debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
720 }
721 return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
722 }
723
724DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
725
726/* Get the public key from DNS */
727
728if (!(p = arc_line_to_pubkey(ams)))
729 return as->ams_verify_done = arc_state_reason = US"pubkey problem";
730
731/* We know the b-tag blob is of a nul-term string, so safe as a string */
732pdkim_decode_base64(ams->b.data, &sighash);
733
734arc_get_verify_hhash(ctx, ams, &hhash);
735
736/* Setup the interface to the signing library */
737
738if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
739 {
740 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
741 as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
742 return US"fail";
743 }
744
745hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
746
747if ((errstr = exim_dkim_verify(&vctx,
748 pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
749 {
750 DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
751 return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
752 }
753
754DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
755as->ams_verify_passed = TRUE;
756return NULL;
757}
758
759
760
761/* Check the sets are instance-continuous and that all
762members are present. Check that no arc_seals are "fail".
763Set the highest instance number global.
764Verify the latest AMS.
765*/
766static uschar *
767arc_headers_check(arc_ctx * ctx)
768{
769arc_set * as;
770int inst;
771BOOL ams_fail_found = FALSE;
772
773if (!(as = ctx->arcset_chain_last))
774 return US"none";
775
776for(inst = as->instance; as; as = as->prev, inst--)
777 {
778 if (as->instance != inst)
779 arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
780 as->instance, inst);
781 else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
782 arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
783 else if (arc_cv_match(as->hdr_as, US"fail"))
784 arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
785 else
786 goto good;
787
788 DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
789 return US"fail";
790
791 good:
792 /* Evaluate the oldest-pass AMS validation while we're here.
793 It does not affect the AS chain validation but is reported as
794 auxilary info. */
795
796 if (!ams_fail_found)
797 if (arc_ams_verify(ctx, as))
798 ams_fail_found = TRUE;
799 else
800 arc_oldest_pass = inst;
801 arc_state_reason = NULL;
802 }
803if (inst != 0)
804 {
805 arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
806 DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
807 return US"fail";
808 }
809
810arc_received = ctx->arcset_chain_last;
811arc_received_instance = arc_received->instance;
812
813/* We can skip the latest-AMS validation, if we already did it. */
814
815as = ctx->arcset_chain_last;
816if (!as->ams_verify_passed)
817 {
818 if (as->ams_verify_done)
819 {
820 arc_state_reason = as->ams_verify_done;
821 return US"fail";
822 }
823 if (!!arc_ams_verify(ctx, as))
824 return US"fail";
825 }
826return NULL;
827}
828
829
830/******************************************************************************/
831static const uschar *
832arc_seal_verify(arc_ctx * ctx, arc_set * as)
833{
834arc_line * hdr_as = as->hdr_as;
835arc_set * as2;
836int hashtype;
837hctx hhash_ctx;
838blob hhash_computed;
839blob sighash;
840ev_ctx vctx;
841pdkim_pubkey * p;
842const uschar * errstr;
843
844DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
845/*
846 1. If the value of the "cv" tag on that seal is "fail", the
847 chain state is "fail" and the algorithm stops here. (This
848 step SHOULD be skipped if the earlier step (2.1) was
849 performed) [it was]
850
851 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
852 == "none" && i != 1)) then the chain state is "fail" and the
853 algorithm stops here (note that the ordering of the logic is
854 structured for short-circuit evaluation).
855*/
856
857if ( as->instance == 1 && !arc_cv_match(hdr_as, US"none")
858 || arc_cv_match(hdr_as, US"none") && as->instance != 1
859 )
860 {
861 arc_state_reason = US"seal cv state";
862 return US"fail";
863 }
864
865/*
866 3. Initialize a hash function corresponding to the "a" tag of
867 the ARC-Seal.
868*/
869
870hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
871
872if (!exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
873 {
874 DEBUG(D_acl)
875 debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
876 arc_state_reason = US"seal hash setup error";
877 return US"fail";
878 }
879
880/*
881 4. Compute the canonicalized form of the ARC header fields, in
882 the order described in Section 5.4.2, using the "relaxed"
883 header canonicalization defined in Section 3.4.2 of
884 [RFC6376]. Pass the canonicalized result to the hash
885 function.
886
887Headers are CRLF-separated, but the last one is not crlf-terminated.
888*/
889
890DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
891for (as2 = ctx->arcset_chain;
892 as2 && as2->instance <= as->instance;
893 as2 = as2->next)
894 {
895 arc_line * al;
896 uschar * s;
897 int len;
898
899 al = as2->hdr_aar;
900 if (!(s = al->relaxed))
901 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
902 al->complete->slen, TRUE);
903 len = Ustrlen(s);
904 DEBUG(D_acl) pdkim_quoteprint(s, len);
905 exim_sha_update(&hhash_ctx, s, len);
906
907 al = as2->hdr_ams;
908 if (!(s = al->relaxed))
909 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
910 al->complete->slen, TRUE);
911 len = Ustrlen(s);
912 DEBUG(D_acl) pdkim_quoteprint(s, len);
913 exim_sha_update(&hhash_ctx, s, len);
914
915 al = as2->hdr_as;
916 if (as2->instance == as->instance)
917 s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
918 al->rawsig_no_b_val.len, FALSE);
919 else if (!(s = al->relaxed))
920 al->relaxed = s = pdkim_relax_header_n(al->complete->text,
921 al->complete->slen, TRUE);
922 len = Ustrlen(s);
923 DEBUG(D_acl) pdkim_quoteprint(s, len);
924 exim_sha_update(&hhash_ctx, s, len);
925 }
926
927/*
928 5. Retrieve the final digest from the hash function.
929*/
930
931exim_sha_finish(&hhash_ctx, &hhash_computed);
932DEBUG(D_acl)
933 {
934 debug_printf("ARC i=%d AS Header %.*s computed: ",
935 as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
936 pdkim_hexprint(hhash_computed.data, hhash_computed.len);
937 }
938
939
940/*
941 6. Retrieve the public key identified by the "s" and "d" tags in
942 the ARC-Seal, as described in Section 4.1.6.
943*/
944
945if (!(p = arc_line_to_pubkey(hdr_as)))
946 return US"pubkey problem";
947
948/*
949 7. Determine whether the signature portion ("b" tag) of the ARC-
950 Seal and the digest computed above are valid according to the
951 public key. (See also Section Section 8.4 for failure case
952 handling)
953
954 8. If the signature is not valid, the chain state is "fail" and
955 the algorithm stops here.
956*/
957
958/* We know the b-tag blob is of a nul-term string, so safe as a string */
959pdkim_decode_base64(hdr_as->b.data, &sighash);
960
961if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx)))
962 {
963 DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
964 return US"fail";
965 }
966
967hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
968
969if ((errstr = exim_dkim_verify(&vctx,
970 pdkim_hashes[hashtype].exim_hashmethod,
971 &hhash_computed, &sighash)))
972 {
973 DEBUG(D_acl)
974 debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
975 arc_state_reason = US"seal sigverify error";
976 return US"fail";
977 }
978
979DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
980return NULL;
981}
982
983
984static const uschar *
985arc_verify_seals(arc_ctx * ctx)
986{
987arc_set * as = ctx->arcset_chain_last;
988
989if (!as)
990 return US"none";
991
992for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
993
994DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
995return NULL;
996}
997/******************************************************************************/
998
999/* Do ARC verification. Called from DATA ACL, on a verify = arc
1000condition. No arguments; we are checking globals.
1001
1002Return: The ARC state, or NULL on error.
1003*/
1004
1005const uschar *
1006acl_verify_arc(void)
1007{
1008const uschar * res;
1009
1010memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
1011
1012if (!dkim_verify_ctx)
1013 {
1014 DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
1015 return NULL;
1016 }
1017
1018/* AS evaluation, per
1019https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
1020*/
1021/* 1. Collect all ARC sets currently on the message. If there were
1022 none, the ARC state is "none" and the algorithm stops here.
1023*/
1024
1025if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
1026 goto out;
1027
1028/* 2. If the form of any ARC set is invalid (e.g., does not contain
1029 exactly one of each of the three ARC-specific header fields),
1030 then the chain state is "fail" and the algorithm stops here.
1031
1032 1. To avoid the overhead of unnecessary computation and delay
1033 from crypto and DNS operations, the cv value for all ARC-
1034 Seal(s) MAY be checked at this point. If any of the values
1035 are "fail", then the overall state of the chain is "fail" and
1036 the algorithm stops here.
1037
1038 3. Conduct verification of the ARC-Message-Signature header field
1039 bearing the highest instance number. If this verification fails,
1040 then the chain state is "fail" and the algorithm stops here.
1041*/
1042
1043if ((res = arc_headers_check(&arc_verify_ctx)))
1044 goto out;
1045
1046/* 4. For each ARC-Seal from the "N"th instance to the first, apply the
1047 following logic:
1048
1049 1. If the value of the "cv" tag on that seal is "fail", the
1050 chain state is "fail" and the algorithm stops here. (This
1051 step SHOULD be skipped if the earlier step (2.1) was
1052 performed)
1053
1054 2. In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
1055 == "none" && i != 1)) then the chain state is "fail" and the
1056 algorithm stops here (note that the ordering of the logic is
1057 structured for short-circuit evaluation).
1058
1059 3. Initialize a hash function corresponding to the "a" tag of
1060 the ARC-Seal.
1061
1062 4. Compute the canonicalized form of the ARC header fields, in
1063 the order described in Section 5.4.2, using the "relaxed"
1064 header canonicalization defined in Section 3.4.2 of
1065 [RFC6376]. Pass the canonicalized result to the hash
1066 function.
1067
1068 5. Retrieve the final digest from the hash function.
1069
1070 6. Retrieve the public key identified by the "s" and "d" tags in
1071 the ARC-Seal, as described in Section 4.1.6.
1072
1073 7. Determine whether the signature portion ("b" tag) of the ARC-
1074 Seal and the digest computed above are valid according to the
1075 public key. (See also Section Section 8.4 for failure case
1076 handling)
1077
1078 8. If the signature is not valid, the chain state is "fail" and
1079 the algorithm stops here.
1080
1081 5. If all seals pass validation, then the chain state is "pass", and
1082 the algorithm is complete.
1083*/
1084
1085if ((res = arc_verify_seals(&arc_verify_ctx)))
1086 goto out;
1087
1088res = US"pass";
1089
1090out:
1091 return res;
1092}
1093
1094/******************************************************************************/
1095
1096/* Prepend the header to the rlist */
1097
1098static hdr_rlist *
1099arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
1100{
1101hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line));
1102header_line * h = r->h = (header_line *)(r+1);
1103
1104r->prev = list;
1105r->used = FALSE;
1106h->next = NULL;
1107h->type = 0;
1108h->slen = len;
1109h->text = US s;
1110
1111/* This works for either NL or CRLF lines; also nul-termination */
1112while (*++s)
1113 if (*s == '\n' && s[1] != '\t' && s[1] != ' ') break;
1114s++; /* move past end of line */
1115
1116return r;
1117}
1118
1119
1120/* Walk the given headers strings identifying each header, and construct
1121a reverse-order list.
1122*/
1123
1124static hdr_rlist *
1125arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
1126{
1127const uschar * s;
1128hdr_rlist * rheaders = NULL;
1129
1130s = sigheaders ? sigheaders->s : NULL;
1131if (s) while (*s)
1132 {
1133 const uschar * s2 = s;
1134
1135 /* This works for either NL or CRLF lines; also nul-termination */
1136 while (*++s2)
1137 if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
1138 s2++; /* move past end of line */
1139
1140 rheaders = arc_rlist_entry(rheaders, s, s2 - s);
1141 s = s2;
1142 }
1143return rheaders;
1144}
1145
1146
1147
1148/* Return the A-R content, without identity, with line-ending and
1149NUL termination. */
1150
1151static BOOL
1152arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
1153{
1154header_line * h;
1155int ilen = Ustrlen(identity);
1156
1157ret->data = NULL;
1158for(h = headers; h; h = h->next)
1159 {
1160 uschar * s = h->text, c;
1161 int len = h->slen;
1162
1163 if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
1164 s += HDRLEN_AR, len -= HDRLEN_AR; /* header name */
1165 while ( len > 0
1166 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1167 s++, len--; /* FWS */
1168 if (Ustrncmp(s, identity, ilen) != 0) continue;
1169 s += ilen; len -= ilen; /* identity */
1170 if (len <= 0) continue;
1171 if ((c = *s) && c == ';') s++, len--; /* identity terminator */
1172 while ( len > 0
1173 && (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
1174 s++, len--; /* FWS */
1175 if (len <= 0) continue;
1176 ret->data = s;
1177 ret->len = len;
1178 return TRUE;
1179 }
1180return FALSE;
1181}
1182
1183
1184
1185/* Append a constructed AAR including CRLF. Add it to the arc_ctx too. */
1186
1187static gstring *
1188arc_sign_append_aar(gstring * g, arc_ctx * ctx,
1189 const uschar * identity, int instance, blob * ar)
1190{
1191int aar_off = g ? g->ptr : 0;
1192arc_set * as = store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line));
1193arc_line * al = (arc_line *)(as+1);
1194header_line * h = (header_line *)(al+1);
1195
1196g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
1197g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
1198g = string_catn(g, US ar->data, ar->len);
1199
1200h->slen = g->ptr - aar_off;
1201h->text = g->s + aar_off;
1202al->complete = h;
1203as->next = NULL;
1204as->prev = ctx->arcset_chain_last;
1205as->instance = instance;
1206as->hdr_aar = al;
1207if (instance == 1)
1208 ctx->arcset_chain = as;
1209else
1210 ctx->arcset_chain_last->next = as;
1211ctx->arcset_chain_last = as;
1212
1213DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
1214return g;
1215}
1216
1217
1218
1219static BOOL
1220arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
1221 blob * sig, const uschar * why)
1222{
1223hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
1224 ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
1225blob hhash;
1226es_ctx sctx;
1227const uschar * errstr;
1228
1229DEBUG(D_transport)
1230 {
1231 hctx hhash_ctx;
1232 debug_printf("ARC: %s header data for signing:\n", why);
1233 pdkim_quoteprint(hdata->s, hdata->ptr);
1234
1235 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1236 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1237 exim_sha_finish(&hhash_ctx, &hhash);
1238 debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
1239 }
1240
1241if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
1242 {
1243 hctx hhash_ctx;
1244 (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
1245 exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
1246 exim_sha_finish(&hhash_ctx, &hhash);
1247 }
1248else
1249 {
1250 hhash.data = hdata->s;
1251 hhash.len = hdata->ptr;
1252 }
1253
1254if ( (errstr = exim_dkim_signing_init(privkey, &sctx))
1255 || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
1256 {
1257 log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
1258 DEBUG(D_transport)
1259 debug_printf("private key, or private-key file content, was: '%s'\n",
1260 privkey);
1261 return FALSE;
1262 }
1263return TRUE;
1264}
1265
1266
1267
1268static gstring *
1269arc_sign_append_sig(gstring * g, blob * sig)
1270{
1271/*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
1272sig->data = pdkim_encode_base64(sig);
1273sig->len = Ustrlen(sig->data);
1274for (;;)
1275 {
1276 int len = MIN(sig->len, 74);
1277 g = string_catn(g, sig->data, len);
1278 if ((sig->len -= len) == 0) break;
1279 sig->data += len;
1280 g = string_catn(g, US"\r\n\t ", 5);
1281 }
1282g = string_catn(g, US";\r\n", 3);
1283gstring_reset_unused(g);
1284string_from_gstring(g);
1285return g;
1286}
1287
1288
1289/* Append a constructed AMS including CRLF. Add it to the arc_ctx too. */
1290
1291static gstring *
1292arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
1293 const uschar * identity, const uschar * selector, blob * bodyhash,
1294 hdr_rlist * rheaders, const uschar * privkey, unsigned options)
1295{
1296uschar * s;
1297gstring * hdata = NULL;
1298int col;
1299int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1300blob sig;
1301int ams_off;
1302arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1303header_line * h = (header_line *)(al+1);
1304
1305/* debug_printf("%s\n", __FUNCTION__); */
1306
1307/* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
1308
1309ams_off = g->ptr;
1310g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
1311 ARC_HDR_AMS, instance, identity, selector); /*XXX hardwired a= */
1312if (options & ARC_SIGN_OPT_TSTAMP)
1313 g = string_fmt_append(g, "; t=%lu", (u_long)now);
1314if (options & ARC_SIGN_OPT_EXPIRE)
1315 g = string_fmt_append(g, "; x=%lu", (u_long)expire);
1316g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
1317 pdkim_encode_base64(bodyhash));
1318
1319for(col = 3; rheaders; rheaders = rheaders->prev)
1320 {
1321 const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
1322 uschar * name, * htext = rheaders->h->text;
1323 int sep = ':';
1324
1325 /* Spot headers of interest */
1326
1327 while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
1328 {
1329 int len = Ustrlen(name);
1330 if (strncasecmp(CCS htext, CCS name, len) == 0)
1331 {
1332 /* If too long, fold line in h= field */
1333
1334 if (col + len > 78) g = string_catn(g, US"\r\n\t ", 5), col = 3;
1335
1336 /* Add name to h= list */
1337
1338 g = string_catn(g, name, len);
1339 g = string_catn(g, US":", 1);
1340 col += len + 1;
1341
1342 /* Accumulate header for hashing/signing */
1343
1344 hdata = string_cat(hdata,
1345 pdkim_relax_header_n(htext, rheaders->h->slen, TRUE)); /*XXX hardwired */
1346 break;
1347 }
1348 }
1349 }
1350
1351/* Lose the last colon from the h= list */
1352
1353if (g->s[g->ptr - 1] == ':') g->ptr--;
1354
1355g = string_catn(g, US";\r\n\tb=;", 7);
1356
1357/* Include the pseudo-header in the accumulation */
1358
1359s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
1360hdata = string_cat(hdata, s);
1361
1362/* Calculate the signature from the accumulation */
1363/*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
1364
1365if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
1366 return NULL;
1367
1368/* Lose the trailing semicolon from the psuedo-header, and append the signature
1369(folded over lines) and termination to complete it. */
1370
1371g->ptr--;
1372g = arc_sign_append_sig(g, &sig);
1373
1374h->slen = g->ptr - ams_off;
1375h->text = g->s + ams_off;
1376al->complete = h;
1377ctx->arcset_chain_last->hdr_ams = al;
1378
1379DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
1380return g;
1381}
1382
1383
1384
1385/* Look for an arc= result in an A-R header blob. We know that its data
1386happens to be a NUL-term string. */
1387
1388static uschar *
1389arc_ar_cv_status(blob * ar)
1390{
1391const uschar * resinfo = ar->data;
1392int sep = ';';
1393uschar * methodspec, * s;
1394
1395while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
1396 if (Ustrncmp(methodspec, US"arc=", 4) == 0)
1397 {
1398 uschar c;
1399 for (s = methodspec += 4;
1400 (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
1401 return string_copyn(methodspec, s - methodspec);
1402 }
1403return US"none";
1404}
1405
1406
1407
1408/* Build the AS header and prepend it */
1409
1410static gstring *
1411arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
1412 int instance, const uschar * identity, const uschar * selector, blob * ar,
1413 const uschar * privkey, unsigned options)
1414{
1415gstring * arcset;
1416arc_set * as;
1417uschar * status = arc_ar_cv_status(ar);
1418arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line));
1419header_line * h = (header_line *)(al+1);
1420
1421gstring * hdata = NULL;
1422int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6); /*XXX hardwired */
1423blob sig;
1424
1425/*
1426- Generate AS
1427 - no body coverage
1428 - no h= tag; implicit coverage
1429 - arc status from A-R
1430 - if fail:
1431 - coverage is just the new ARC set
1432 including self (but with an empty b= in self)
1433 - if non-fail:
1434 - all ARC set headers, set-number order, aar then ams then as,
1435 including self (but with an empty b= in self)
1436*/
1437
1438/* Construct the AS except for the signature */
1439
1440arcset = string_append(NULL, 9,
1441 ARC_HDR_AS,
1442 US" i=", string_sprintf("%d", instance),
1443 US"; cv=", status,
1444 US"; a=rsa-sha256; d=", identity, /*XXX hardwired */
1445 US"; s=", selector); /*XXX same as AMS */
1446if (options & ARC_SIGN_OPT_TSTAMP)
1447 arcset = string_append(arcset, 2,
1448 US"; t=", string_sprintf("%lu", (u_long)now));
1449arcset = string_cat(arcset,
1450 US";\r\n\t b=;");
1451
1452h->slen = arcset->ptr;
1453h->text = arcset->s;
1454al->complete = h;
1455ctx->arcset_chain_last->hdr_as = al;
1456
1457/* For any but "fail" chain-verify status, walk the entire chain in order by
1458instance. For fail, only the new arc-set. Accumulate the elements walked. */
1459
1460for (as = Ustrcmp(status, US"fail") == 0
1461 ? ctx->arcset_chain_last : ctx->arcset_chain;
1462 as; as = as->next)
1463 {
1464 /* Accumulate AAR then AMS then AS. Relaxed canonicalisation
1465 is required per standard. */
1466
1467 h = as->hdr_aar->complete;
1468 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1469 h = as->hdr_ams->complete;
1470 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
1471 h = as->hdr_as->complete;
1472 hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
1473 }
1474
1475/* Calculate the signature from the accumulation */
1476
1477if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
1478 return NULL;
1479
1480/* Lose the trailing semicolon */
1481arcset->ptr--;
1482arcset = arc_sign_append_sig(arcset, &sig);
1483DEBUG(D_transport) debug_printf("ARC: AS '%.*s'\n", arcset->ptr - 2, arcset->s);
1484
1485/* Finally, append the AMS and AAR to the new AS */
1486
1487return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
1488}
1489
1490
1491/**************************************/
1492
1493/* Return pointer to pdkim_bodyhash for given hash method, creating new
1494method if needed.
1495*/
1496
1497void *
1498arc_ams_setup_sign_bodyhash(void)
1499{
1500int canon_head, canon_body;
1501
1502DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
1503pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body); /*XXX hardwired */
1504return pdkim_set_bodyhash(&dkim_sign_ctx,
1505 pdkim_hashname_to_hashtype(US"sha256", 6), /*XXX hardwired */
1506 canon_body,
1507 -1);
1508}
1509
1510
1511
1512void
1513arc_sign_init(void)
1514{
1515memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
1516}
1517
1518
1519
1520/* A "normal" header line, identified by DKIM processing. These arrive before
1521the call to arc_sign(), which carries any newly-created DKIM headers - and
1522those go textually before the normal ones in the message.
1523
1524We have to take the feed from DKIM as, in the transport-filter case, the
1525headers are not in memory at the time of the call to arc_sign().
1526
1527Take a copy of the header and construct a reverse-order list.
1528Also parse ARC-chain headers and build the chain struct, retaining pointers
1529into the copies.
1530*/
1531
1532static const uschar *
1533arc_header_sign_feed(gstring * g)
1534{
1535uschar * s = string_copyn(g->s, g->ptr);
1536headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
1537return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
1538}
1539
1540
1541
1542/* ARC signing. Called from the smtp transport, if the arc_sign option is set.
1543The dkim_exim_sign() function has already been called, so will have hashed the
1544message body for us so long as we requested a hash previously.
1545
1546Arguments:
1547 signspec Three-element colon-sep list: identity, selector, privkey.
1548 Optional fourth element: comma-sep list of options.
1549 Already expanded
1550 sigheaders Any signature headers already generated, eg. by DKIM, or NULL
1551 errstr Error string
1552
1553Return value
1554 Set of headers to prepend to the message, including the supplied sigheaders
1555 but not the plainheaders.
1556*/
1557
1558gstring *
1559arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
1560{
1561const uschar * identity, * selector, * privkey, * opts, * s;
1562unsigned options = 0;
1563int sep = 0;
1564header_line * headers;
1565hdr_rlist * rheaders;
1566blob ar;
1567int instance;
1568gstring * g = NULL;
1569pdkim_bodyhash * b;
1570
1571expire = now = 0;
1572
1573/* Parse the signing specification */
1574
1575identity = string_nextinlist(&signspec, &sep, NULL, 0);
1576selector = string_nextinlist(&signspec, &sep, NULL, 0);
1577if ( !*identity || !*selector
1578 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
1579 {
1580 log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
1581 !*identity ? "identity" : !*selector ? "selector" : "private-key");
1582 return sigheaders ? sigheaders : string_get(0);
1583 }
1584if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
1585 return sigheaders ? sigheaders : string_get(0);
1586
1587if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
1588 {
1589 int osep = ',';
1590 while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
1591 if (Ustrcmp(s, "timestamps") == 0)
1592 {
1593 options |= ARC_SIGN_OPT_TSTAMP;
1594 if (!now) now = time(NULL);
1595 }
1596 else if (Ustrncmp(s, "expire", 6) == 0)
1597 {
1598 options |= ARC_SIGN_OPT_EXPIRE;
1599 if (*(s += 6) == '=')
1600 if (*++s == '+')
1601 {
1602 if (!(expire = (time_t)atoi(CS ++s)))
1603 expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1604 if (!now) now = time(NULL);
1605 expire += now;
1606 }
1607 else
1608 expire = (time_t)atol(CS s);
1609 else
1610 {
1611 if (!now) now = time(NULL);
1612 expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
1613 }
1614 }
1615 }
1616
1617DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
1618
1619/* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
1620Then scan the list for an A-R header. */
1621
1622string_from_gstring(sigheaders);
1623if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
1624 {
1625 hdr_rlist ** rp;
1626 for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
1627 *rp = rheaders;
1628 }
1629
1630/* Finally, build a normal-order headers list */
1631/*XXX only needed for hunt-the-AR? */
1632/*XXX also, we really should be accepting any number of ADMD-matching ARs */
1633 {
1634 header_line * hnext = NULL;
1635 for (rheaders = headers_rlist; rheaders;
1636 hnext = rheaders->h, rheaders = rheaders->prev)
1637 rheaders->h->next = hnext;
1638 headers = hnext;
1639 }
1640
1641if (!(arc_sign_find_ar(headers, identity, &ar)))
1642 {
1643 log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
1644 return sigheaders ? sigheaders : string_get(0);
1645 }
1646
1647/* We previously built the data-struct for the existing ARC chain, if any, using a headers
1648feed from the DKIM module. Use that to give the instance number for the ARC set we are
1649about to build. */
1650
1651DEBUG(D_transport)
1652 if (arc_sign_ctx.arcset_chain_last)
1653 debug_printf("ARC: existing chain highest instance: %d\n",
1654 arc_sign_ctx.arcset_chain_last->instance);
1655 else
1656 debug_printf("ARC: no existing chain\n");
1657
1658instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
1659
1660/*
1661- Generate AAR
1662 - copy the A-R; prepend i= & identity
1663*/
1664
1665g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
1666
1667/*
1668- Generate AMS
1669 - Looks fairly like a DKIM sig
1670 - Cover all DKIM sig headers as well as the usuals
1671 - ? oversigning?
1672 - Covers the data
1673 - we must have requested a suitable bodyhash previously
1674*/
1675
1676b = arc_ams_setup_sign_bodyhash();
1677g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
1678 &b->bh, headers_rlist, privkey, options);
1679
1680/*
1681- Generate AS
1682 - no body coverage
1683 - no h= tag; implicit coverage
1684 - arc status from A-R
1685 - if fail:
1686 - coverage is just the new ARC set
1687 including self (but with an empty b= in self)
1688 - if non-fail:
1689 - all ARC set headers, set-number order, aar then ams then as,
1690 including self (but with an empty b= in self)
1691*/
1692
1693if (g)
1694 g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
1695 privkey, options);
1696
1697/* Finally, append the dkim headers and return the lot. */
1698
1699if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
1700(void) string_from_gstring(g);
1701gstring_reset_unused(g);
1702return g;
1703}
1704
1705
1706/******************************************************************************/
1707
1708/* Check to see if the line is an AMS and if so, set up to validate it.
1709Called from the DKIM input processing. This must be done now as the message
1710body data is hashed during input.
1711
1712We call the DKIM code to request a body-hash; it has the facility already
1713and the hash parameters might be common with other requests.
1714*/
1715
1716static const uschar *
1717arc_header_vfy_feed(gstring * g)
1718{
1719header_line h;
1720arc_line al;
1721pdkim_bodyhash * b;
1722uschar * errstr;
1723
1724if (!dkim_verify_ctx) return US"no dkim context";
1725
1726if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
1727
1728DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
1729/* Parse the AMS header */
1730
1731h.next = NULL;
1732h.slen = g->size;
1733h.text = g->s;
1734memset(&al, 0, sizeof(arc_line));
1735if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
1736 {
1737 DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
1738 return US"line parsing error";
1739 }
1740
1741/* defaults */
1742if (!al.c.data)
1743 {
1744 al.c_body.data = US"simple"; al.c_body.len = 6;
1745 al.c_head = al.c_body;
1746 }
1747
1748/* Ask the dkim code to calc a bodyhash with those specs */
1749
1750if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
1751 return US"dkim hash setup fail";
1752
1753/* Discard the reference; search again at verify time, knowing that one
1754should have been created here. */
1755
1756return NULL;
1757}
1758
1759
1760
1761/* A header line has been identified by DKIM processing.
1762
1763Arguments:
1764 g Header line
1765 is_vfy TRUE for verify mode or FALSE for signing mode
1766
1767Return:
1768 NULL for success, or an error string (probably unused)
1769*/
1770
1771const uschar *
1772arc_header_feed(gstring * g, BOOL is_vfy)
1773{
1774return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
1775}
1776
1777
1778
1779/******************************************************************************/
1780
1781/* Construct the list of domains from the ARC chain after validation */
1782
1783uschar *
1784fn_arc_domains(void)
1785{
1786arc_set * as;
1787unsigned inst;
1788gstring * g = NULL;
1789
1790for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
1791 {
1792 arc_line * hdr_as = as->hdr_as;
1793 if (hdr_as)
1794 {
1795 blob * d = &hdr_as->d;
1796
1797 for (; inst < as->instance; inst++)
1798 g = string_catn(g, US":", 1);
1799
1800 g = d->data && d->len
1801 ? string_append_listele_n(g, ':', d->data, d->len)
1802 : string_catn(g, US":", 1);
1803 }
1804 else
1805 g = string_catn(g, US":", 1);
1806 }
1807return g ? g->s : US"";
1808}
1809
1810
1811/* Construct an Authentication-Results header portion, for the ARC module */
1812
1813gstring *
1814authres_arc(gstring * g)
1815{
1816if (arc_state)
1817 {
1818 arc_line * highest_ams;
1819 int start = 0; /* Compiler quietening */
1820 DEBUG(D_acl) start = g->ptr;
1821
1822 g = string_append(g, 2, US";\n\tarc=", arc_state);
1823 if (arc_received_instance > 0)
1824 {
1825 g = string_fmt_append(g, " (i=%d)", arc_received_instance);
1826 if (arc_state_reason)
1827 g = string_append(g, 3, US"(", arc_state_reason, US")");
1828 g = string_catn(g, US" header.s=", 10);
1829 highest_ams = arc_received->hdr_ams;
1830 g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
1831
1832 g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
1833
1834 if (sender_host_address)
1835 g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
1836 }
1837 else if (arc_state_reason)
1838 g = string_append(g, 3, US" (", arc_state_reason, US")");
1839 DEBUG(D_acl) debug_printf("ARC: authres '%.*s'\n",
1840 g->ptr - start - 3, g->s + start + 3);
1841 }
1842else
1843 DEBUG(D_acl) debug_printf("ARC: no authres\n");
1844return g;
1845}
1846
1847
1848# endif /* SUPPORT_SPF */
1849#endif /* EXPERIMENTAL_ARC */
1850/* vi: aw ai sw=2
1851 */
exim4 packaging