From: Vsevolod Stakhov
Date: Thu, 1 Feb 2018 19:06:00 +0000 (+0000)
Subject: [CritFix] Fix ARC chain verification
X-Git-Tag: 1.7.0~226
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1fc02ffef13e2848ecfcad48201517cf6aa564cc;p=thirdparty%2Frspamd.git
[CritFix] Fix ARC chain verification
MFH: rspamd-1.6
---
diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua
index 46e361f2da..c87946aff6 100644
--- a/src/plugins/lua/arc.lua
+++ b/src/plugins/lua/arc.lua
@@ -109,6 +109,8 @@ local function parse_arc_header(hdr, target)
 end, fun.map(function(elt)
 return lua_util.rspamd_str_split(elt, '=')
 end, elts))
+ target[i].header = hdr[i].decoded
+ target[i].raw_header = hdr[i].value
 end
 end
@@ -145,11 +147,6 @@ local function arc_validate_seals(task, seals, sigs, seal_headers, sig_headers)
 return false
 end
 end
-
- sigs[i].header = sig_headers[i].decoded
- seals[i].header = seal_headers[i].decoded
- sigs[i].raw_header = sig_headers[i].value
- seals[i].raw_header = seal_headers[i].value
 end
 return true
@@ -236,8 +233,6 @@ local function arc_callback(task)
 end
 local function arc_signature_cb(_, res, err, domain)
- cbdata.checked = cbdata.checked + 1
-
 rspamd_logger.debugm(N, task, 'checked arc signature %s: %s(%s), %s processed',
 domain, res, err, cbdata.checked)
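Review bot: The two assignments added in parse_arc_header (hunk `@@ -109,6 +109,8 @@`) carry no comment explaining why the header text is attached to `target[i]` at parse time, and the reason can only be reconstructed from the matching removal in arc_validate_seals. The move presumably keeps each parsed instance paired with its own header if `target` is reordered before verification, which matters because `sig.header` is what later reaches `dkim_verify`; a line such as `-- keep the header with its parsed tags so a later reorder cannot pair it with another instance` would record that. parse_arc_header starts and ends outside the hunk, so any sort of `target` is not visible here.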
@@ -247,47 +242,42 @@ local function arc_callback(task)
 table.insert(cbdata.errors, string.format('sig:%s:%s', domain, err))
 end
 end
-
- if cbdata.checked == #arc_sig_headers then
- if cbdata.res == 'success' then
- -- Verify seals
- cbdata.checked = 0
- fun.each(
- function(sig)
- local ret, lerr = dkim_verify(task, sig.header, arc_seal_cb, 'arc-seal')
- if not ret then
- cbdata.res = 'fail'
- table.insert(cbdata.errors, string.format('sig:%s:%s', sig.d or '', lerr))
- cbdata.checked = cbdata.checked + 1
- rspamd_logger.debugm(N, task, 'checked arc seal %s: %s(%s), %s processed',
- sig.d, ret, lerr, cbdata.checked)
- end
- end, cbdata.seals)
- else
- task:insert_result(arc_symbols['reject'], 1.0,
- rspamd_logger.slog('signature check failed: %s, %s', cbdata.res,
- cbdata.errors))
- end
+ if cbdata.res == 'success' then
+ -- Verify seals
+ cbdata.checked = 0
+ fun.each(
+ function(sig)
+ local ret, lerr = dkim_verify(task, sig.header, arc_seal_cb, 'arc-seal')
+ if not ret then
+ cbdata.res = 'fail'
+ table.insert(cbdata.errors, string.format('sig:%s:%s', sig.d or '', lerr))
+ cbdata.checked = cbdata.checked + 1
+ rspamd_logger.debugm(N, task, 'checked arc seal %s: %s(%s), %s processed',
+ sig.d, ret, lerr, cbdata.checked)
+ end
+ end, cbdata.seals)
+ else
+ task:insert_result(arc_symbols['reject'], 1.0,
+ rspamd_logger.slog('signature check failed: %s, %s', cbdata.res,
+ cbdata.errors))
 end
 end
 -- Now we can verify all signatures
 local processed = 0
- fun.each(
- function(sig)
- local ret,err = dkim_verify(task, sig.header, arc_signature_cb, 'arc-sign')
+ local sig = cbdata.sigs[#cbdata.sigs]
+ local ret,err = dkim_verify(task, sig.header, arc_signature_cb, 'arc-sign')
- if not ret then
- cbdata.res = 'fail'
- table.insert(cbdata.errors, string.format('sig:%s:%s', sig.d or '', err))
- else
- processed = processed + 1
- rspamd_logger.debugm(N, task, 'processed arc signature %s: %s(%s), %s processed',
- sig.d, ret, err, cbdata.checked)
- end
- end, cbdata.sigs)
+ if not ret then
+ cbdata.res = 'fail'
+ table.insert(cbdata.errors, string.format('sig:%s:%s', sig.d or '', err))
+ else
+ processed = processed + 1
+ rspamd_logger.debugm(N, task, 'processed arc signature %s[%s]: %s(%s), %s processed',
+ sig.d, sig.i, ret, err, cbdata.checked)
+ end
- if processed ~= #arc_sig_headers then
+ if processed == 0 then
 task:insert_result(arc_symbols['reject'], 1.0,
 rspamd_logger.slog('cannot verify %s of %s signatures: %s',
 #arc_sig_headers - processed, #arc_sig_headers, cbdata.errors))
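Review bot: `local sig = cbdata.sigs[#cbdata.sigs]` treats the last table element as the newest ARC-Message-Signature, but nothing in this hunk shows that `cbdata.sigs` is ordered by `i=` or non-empty at this point. If the ordering is established elsewhere in arc_callback (its body starts and ends outside the hunk), a comment such as `-- newest AMS only; cbdata.sigs must be sorted by i=` would pin that invariant, since selecting an older instance here would let the chain pass without checking the signature that covers the message as last handled. The debug line in the `else` branch still passes `cbdata.checked`, which this commit stops incrementing in arc_signature_cb, so `processed` would be the meaningful value there. The reject text `cannot verify %s of %s signatures` likewise still reports `#arc_sig_headers - processed` although only one signature is now attempted, which can mislead whoever triages the symbol.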