From: Vsevolod Stakhov
Date: Fri, 23 Oct 2020 11:18:57 +0000 (+0100)
Subject: [CritFix] Dkim: Fix simple canonicalisation if multiple signatures are presented
X-Git-Tag: 2.7~210
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84603e8f3197652b18d5bc4ca20f5580ce33d6af;p=thirdparty%2Frspamd.git
[CritFix] Dkim: Fix simple canonicalisation if multiple signatures are presented
---
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 27db77c266..a8db8fe56d 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -849,6 +849,8 @@ rspamd_create_dkim_context (const gchar *sig, ctx->common.sig_hash = rspamd_cryptobox_fast_hash (sig, end - sig, rspamd_hash_seed ()); + msg_debug_dkim ("create dkim context sig = %L", ctx->common.sig_hash); + while (p <= end) { switch (state) { case DKIM_STATE_TAG:
@@ -2416,19 +2418,29 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, if (rh) { /* We need to find our own signature */ if (!dkim_domain) { + msg_err_dkim ("cannot verify dkim as we have no dkim domain!"); return FALSE; } + gboolean found = FALSE; + DL_FOREACH (rh, cur) { - guint64 th = rspamd_cryptobox_fast_hash (rh->decoded, - strlen (rh->decoded), rspamd_hash_seed ()); + guint64 th = rspamd_cryptobox_fast_hash (cur->decoded, + strlen (cur->decoded), rspamd_hash_seed ()); if (th == ctx->sig_hash) { - rspamd_dkim_signature_update (ctx, rh->raw_value, - rh->raw_len); + rspamd_dkim_signature_update (ctx, cur->raw_value, + cur->raw_len); + found = TRUE; break; } } + if (!found) { + msg_err_dkim ("BUGON: cannot verify dkim as we have lost our signature" + " during simple canonicalisation, expected hash=%L", + ctx->sig_hash); + return FALSE; + } } else { return FALSE;
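Review bot: In the `DL_FOREACH` loop of the second hunk, `strlen (cur->decoded)` runs on every header in the list with no NULL check, and the header is selected purely by equality of a 64-bit `rspamd_cryptobox_fast_hash` over message-supplied bytes. Whether `decoded` can be NULL is not visible in this hunk; if it can, a guard such as `if (cur->decoded == NULL) continue;` before the hash keeps the loop well defined. The new `!found` branch fails closed, which is the right default, but it fires whenever this hash and the one taken in `rspamd_create_dkim_context` (over `sig, end - sig`) cover different bytes, so a comment on the loop such as `/* must hash the same bytes as rspamd_create_dkim_context () does for ctx->sig_hash */` would document that invariant. No test with several signature headers under simple canonicalisation appears in this diff, so this fix has no visible regression coverage. The body of `rspamd_dkim_canonize_header` starts and ends outside the hunk.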