git » chasquid » main » tree

[main] / internal / dkim / verify.go 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
package dkim

import (
	"bytes"
	"context"
	"crypto"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"regexp"
	"slices"
	"strings"
)

// These two errors are returned when the verification fails, but the header
// is considered valid.
var (
	ErrBodyHashMismatch   = errors.New("body hash mismatch")
	ErrVerificationFailed = errors.New("verification failed")
)

// Evaluation states, as per
// https://datatracker.ietf.org/doc/html/rfc6376#section-3.9.
type EvaluationState string

const (
	SUCCESS  EvaluationState = "SUCCESS"
	PERMFAIL EvaluationState = "PERMFAIL"
	TEMPFAIL EvaluationState = "TEMPFAIL"
)

type VerifyResult struct {
	// How many signatures were found.
	Found uint

	// How many signatures were verified successfully.
	Valid uint

	// The details for each signature that was found.
	Results []*OneResult
}

type OneResult struct {
	// The raw signature header.
	SignatureHeader string

	// Domain and selector from the signature header.
	Domain   string
	Selector string

	// Base64-encoded signature. May be missing if it is not present in the
	// header.
	B string

	// The result of the evaluation.
	State EvaluationState
	Error error
}

// Returns the DKIM-specific contents for an Authentication-Results header.
// It is just the contents, the header needs to still be constructed.
// Note that the output will need to be indented by the caller.
// https://datatracker.ietf.org/doc/html/rfc8601#section-2.7.1
func (r *VerifyResult) AuthenticationResults() string {
	// The weird placement of the ";" is due to the specification saying they
	// have to be before each method, not at the end.
	// By doing it this way, we can concate the output of this function with
	// other results.
	ar := &strings.Builder{}
	if r.Found == 0 {
		// https://datatracker.ietf.org/doc/html/rfc8601#section-2.7.1
		ar.WriteString(";dkim=none\r\n")
		return ar.String()
	}

	for _, res := range r.Results {
		// Map state to the corresponding result.
		// https://datatracker.ietf.org/doc/html/rfc8601#section-2.7.1
		switch res.State {
		case SUCCESS:
			ar.WriteString(";dkim=pass")
		case TEMPFAIL:
			// The reason must come before the properties, include it here.
			fmt.Fprintf(ar, ";dkim=temperror  reason=%q\r\n", res.Error)
		case PERMFAIL:
			// The reason must come before the properties, include it here.
			if errors.Is(res.Error, ErrVerificationFailed) ||
				errors.Is(res.Error, ErrBodyHashMismatch) {
				fmt.Fprintf(ar, ";dkim=fail  reason=%q\r\n", res.Error)
			} else {
				fmt.Fprintf(ar, ";dkim=permerror  reason=%q\r\n", res.Error)
			}
		}

		if res.B != "" {
			// Include a partial b= tag to help identify which signature
			// is being referred to.
			// https://datatracker.ietf.org/doc/html/rfc6008#section-4
			fmt.Fprintf(ar, "  header.b=%.12s", res.B)
		}

		ar.WriteString("  header.d=" + res.Domain + "\r\n")
	}

	return ar.String()
}

func VerifyMessage(ctx context.Context, message string) (*VerifyResult, error) {
	// https://datatracker.ietf.org/doc/html/rfc6376#section-6
	headers, body, err := parseMessage(message)
	if err != nil {
		trace(ctx, "Error parsing message: %v", err)
		return nil, err
	}

	results := &VerifyResult{
		Results: []*OneResult{},
	}

	for i, sig := range headers.FindAll("DKIM-Signature") {
		trace(ctx, "Found DKIM-Signature header: %s", sig.Value)

		if i >= maxHeaders(ctx) {
			// Protect from potential DoS by capping the number of signatures.
			// https://datatracker.ietf.org/doc/html/rfc6376#section-4.2
			// https://datatracker.ietf.org/doc/html/rfc6376#section-8.4
			trace(ctx, "Too many DKIM-Signature headers found")
			break
		}

		results.Found++
		res := verifySignature(ctx, sig, headers, body)
		results.Results = append(results.Results, res)
		if res.State == SUCCESS {
			results.Valid++
		}
	}

	trace(ctx, "Found %d signatures, %d valid", results.Found, results.Valid)
	return results, nil
}

// Regular expression that matches the "b=" tag.
// First capture group is the "b=" part (including any whitespace up to the
// '=').
var bTag = regexp.MustCompile(`(b[ \t\r\n]*=)[^;]+`)

func verifySignature(ctx context.Context, sigH header,
	headers headers, body string) *OneResult {
	result := &OneResult{
		SignatureHeader: sigH.Value,
	}

	sig, err := dkimSignatureFromHeader(sigH.Value)
	if err != nil {
		// Header validation errors are a PERMFAIL.
		// https://datatracker.ietf.org/doc/html/rfc6376#section-6.1.1
		result.Error = err
		result.State = PERMFAIL
		return result
	}

	result.Domain = sig.d
	result.Selector = sig.s
	result.B = base64.StdEncoding.EncodeToString(sig.b)

	// Get the public key.
	// https://datatracker.ietf.org/doc/html/rfc6376#section-6.1.2
	pubKeys, err := findPublicKeys(ctx, sig.d, sig.s)
	if err != nil {
		result.Error = err

		// DNS errors when looking up the public key are a TEMPFAIL; all
		// others are PERMFAIL.
		// https://datatracker.ietf.org/doc/html/rfc6376#section-6.1.2
		if dnsErr, ok := err.(*net.DNSError); ok && dnsErr.Temporary() {
			result.State = TEMPFAIL
		} else {
			result.State = PERMFAIL
		}
		return result
	}

	// Compute the verification.
	// https://datatracker.ietf.org/doc/html/rfc6376#section-6.1.3

	// Step 1: Prepare a canonicalized version of the body, truncate it to l=
	// (if present).
	// https://datatracker.ietf.org/doc/html/rfc6376#section-3.7
	bodyC := sig.cB.body(body)
	if sig.l > 0 {
		bodyC = bodyC[:sig.l]
	}

	// Step 2: Compute the hash of the canonicalized body.
	bodyH := hashWith(sig.Hash, []byte(bodyC))

	// Step 3: Verify the hash of the body by comparing it with bh=.
	if !bytes.Equal(bodyH, sig.bh) {
		bodyHStr := base64.StdEncoding.EncodeToString(bodyH)
		trace(ctx, "Body hash mismatch: %q", bodyHStr)

		result.Error = fmt.Errorf("%w (got %s)",
			ErrBodyHashMismatch, bodyHStr)
		result.State = PERMFAIL
		return result
	}
	trace(ctx, "Body hash matches: %q",
		base64.StdEncoding.EncodeToString(bodyH))

	// Step 4 A: Hash the (canonicalized) headers that appear in the h= tag.
	// https://datatracker.ietf.org/doc/html/rfc6376#section-3.7
	b := sig.Hash.New()
	for _, header := range headersToInclude(sigH, sig.h, headers) {
		hsrc := sig.cH.header(header).Source + "\r\n"
		trace(ctx, "Hashing header: %q", hsrc)
		b.Write([]byte(hsrc))
	}

	// Step 4 B: Hash the (canonicalized) DKIM-Signature header itself, but
	// with an empty b= tag, and without a trailing \r\n.
	// https://datatracker.ietf.org/doc/html/rfc6376#section-3.7
	sigC := sig.cH.header(sigH)
	sigCStr := bTag.ReplaceAllString(sigC.Source, "$1")
	trace(ctx, "Hashing header: %q", sigCStr)
	b.Write([]byte(sigCStr))
	bSum := b.Sum(nil)
	trace(ctx, "Resulting hash: %q", base64.StdEncoding.EncodeToString(bSum))

	// Step 4 C: Validate the signature.
	for _, pubKey := range pubKeys {
		if !pubKey.Matches(sig.KeyType, sig.Hash) {
			trace(ctx, "PK %v: key type or hash mismatch, skipping", pubKey)
			continue
		}

		if sig.i != "" && pubKey.StrictDomainCheck() {
			_, domain, _ := strings.Cut(sig.i, "@")
			if domain != sig.d {
				trace(ctx, "PK %v: Strict domain check failed: %q != %q (%q)",
					pubKey, sig.d, domain, sig.i)
				continue
			}

			trace(ctx, "PK %v: Strict domain check passed", pubKey)
		}

		err := pubKey.verify(sig.Hash, bSum, sig.b)
		if err != nil {
			trace(ctx, "PK %v: Verification failed: %v", pubKey, err)
			continue
		}
		trace(ctx, "PK %v: Verification succeeded", pubKey)
		result.State = SUCCESS
		return result
	}

	result.State = PERMFAIL
	result.Error = ErrVerificationFailed
	return result
}

func headersToInclude(sigH header, hTag []string, headers headers) []header {
	// Return the actual headers to include in the hash, based on the list
	// given in the h= tag.
	// This is complicated because:
	//  - Headers can be included multiple times. In that case, we must pick
	//    the last instance (which hasn't been already included).
	//    https://datatracker.ietf.org/doc/html/rfc6376#section-5.4.2
	//  - Headers may appear fewer times than they are requested.
	//  - DKIM-Signature header may be included, but we must not include the
	//    one being verified.
	//    https://datatracker.ietf.org/doc/html/rfc6376#section-3.7
	//  - Headers may be missing, and that's allowed.
	//    https://datatracker.ietf.org/doc/html/rfc6376#section-5.4
	seen := map[string]int{}
	include := []header{}
	for _, h := range hTag {
		all := headers.FindAll(h)
		slices.Reverse(all)

		// We keep track of the last instance of each header that we
		// included, and find the next one every time it appears in h=.
		// We have to be careful because the header itself may not be present,
		// or we may be asked to include it more times than it appears.
		lh := strings.ToLower(h)
		i := seen[lh]
		if i >= len(all) {
			continue
		}
		seen[lh]++

		selected := all[i]

		if selected == sigH {
			continue
		}

		include = append(include, selected)
	}

	return include
}

func hashWith(a crypto.Hash, data []byte) []byte {
	h := a.New()
	h.Write(data)
	return h.Sum(nil)
}