[CritFix] Dkim: Fix simple canonicalisation if multiple signatures are presented

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Fri, 23 Oct 2020 11:18:57 +0000 (12:18 +0100)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Fri, 23 Oct 2020 11:19:33 +0000 (12:19 +0100)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 23 Oct 2020 11:18:57 +0000 (12:18 +0100)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 23 Oct 2020 11:19:33 +0000 (12:19 +0100)
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c

index 27db77c266db3b06918e5458c3495e8eddf3b8f1..a8db8fe56deb80758e81a9751a3a1e3ee0dac71b 100644 (file)
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -849,6 +849,8 @@ rspamd_create_dkim_context (const gchar *sig,
         ctx->common.sig_hash = rspamd_cryptobox_fast_hash (sig, end - sig,
                         rspamd_hash_seed ());
  
+       msg_debug_dkim ("create dkim context sig = %L", ctx->common.sig_hash);
+
         while (p <= end) {
                 switch (state) {
                 case DKIM_STATE_TAG:
@@ -2416,19 +2418,29 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
                         if (rh) {
                                 /* We need to find our own signature */
                                 if (!dkim_domain) {
+                                       msg_err_dkim ("cannot verify dkim as we have no dkim domain!");
                                         return FALSE;
                                 }
  
+                               gboolean found = FALSE;
+
                                 DL_FOREACH (rh, cur) {
-                                       guint64 th = rspamd_cryptobox_fast_hash (rh->decoded,
-                                                       strlen (rh->decoded), rspamd_hash_seed ());
+                                       guint64 th = rspamd_cryptobox_fast_hash (cur->decoded,
+                                                       strlen (cur->decoded), rspamd_hash_seed ());
  
                                         if (th == ctx->sig_hash) {
-                                               rspamd_dkim_signature_update (ctx, rh->raw_value,
-                                                               rh->raw_len);
+                                               rspamd_dkim_signature_update (ctx, cur->raw_value,
+                                                               cur->raw_len);
+                                               found = TRUE;
                                                 break;
                                         }
                                 }
+                               if (!found) {
+                                       msg_err_dkim ("BUGON: cannot verify dkim as we have lost our signature"
+                                                                 " during simple canonicalisation, expected hash=%L",
+                                                                 ctx->sig_hash);
+                                       return FALSE;
+                               }
                         }
                         else {
                                 return FALSE;
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Fri, 23 Oct 2020 11:18:57 +0000 (12:18 +0100)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Fri, 23 Oct 2020 11:19:33 +0000 (12:19 +0100)