search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
make the smtp_to_mbx flag actually work, other random changes
[ghsmtp.git] / OpenDKIM.cpp
blob737eaa8151057098508257db7775435e948a804d
1 #include "OpenDKIM.hpp"
2
3 #include "iobuffer.hpp"
4
5 #include <stdbool.h> // needs to be above <dkim.h>
6
7 #include <dkim.h>
8
9 #include <glog/logging.h>
10
11 namespace {
12 // Not nice to use "unsigned char" for character data.
13 u_char* uc(char const* cp)
14 {
15 return reinterpret_cast<u_char*>(const_cast<char*>(cp));
16 }
17
18 char const* c(unsigned char* ucp) { return reinterpret_cast<char const*>(ucp); }
19
20 constexpr unsigned char id_v[]{"DKIM::verify"};
21 constexpr unsigned char id_s[]{"DKIM::sign"};
22 } // namespace
23
24 namespace OpenDKIM {
25
26 lib::lib()
27 : lib_(CHECK_NOTNULL(dkim_init(nullptr, nullptr)))
28 {
29 char const* signhdrs[] = {"cc",
30 "content-language",
31 "content-transfer-encoding",
32 "content-type",
33 "date",
34 "from",
35 "in-reply-to",
36 "list-archive",
37 "list-help",
38 "list-id",
39 "list-owner",
40 "list-post",
41 "list-subscribe",
42 "list-unsubscribe",
43 "references",
44 "message-id",
45 "mime-version",
46 "precedence",
47 "references",
48 "reply-to",
49 "resent-cc",
50 "resent-date",
51 "resent-from",
52 "resent-sender",
53 "resent-to",
54 "sender",
55 "subject",
56 "to",
57 nullptr};
58
59 CHECK_EQ(dkim_options(lib_, DKIM_OP_SETOPT, DKIM_OPTS_SIGNHDRS, signhdrs,
60 sizeof(char const**)),
61 DKIM_STAT_OK);
62
63 char const* oversign[] = {"cc", "date", "from",
64 "in-reply-to", "message-id", "sender",
65 "subject", "to", nullptr};
66
67 CHECK_EQ(dkim_options(lib_, DKIM_OP_SETOPT, DKIM_OPTS_OVERSIGNHDRS, oversign,
68 sizeof(char const**)),
69 DKIM_STAT_OK);
70 }
71
72 lib::~lib()
73 {
74 dkim_free(dkim_);
75 dkim_close(lib_);
76 }
77
78 void lib::header(std::string_view header)
79 {
80 if (header.size() && header.back() == '\n')
81 header.remove_suffix(1);
82 if (header.size() && header.back() == '\r')
83 header.remove_suffix(1);
84
85 CHECK_EQ((status_ = dkim_header(dkim_, uc(header.data()), header.length())),
86 DKIM_STAT_OK)
87 << "dkim_header error: " << dkim_getresultstr(status_);
88
89 // LOG(INFO) << "processed: " << std::string(header.data(),
90 // header.length());
91 }
92
93 void lib::eoh()
94 {
95 status_ = dkim_eoh(dkim_);
96 switch (status_) {
97 case DKIM_STAT_OK:
98 case DKIM_STAT_NOSIG:
99 // all good
100 break;
101
102 default:
103 LOG(WARNING) << "dkim_eoh error: " << dkim_getresultstr(status_);
104 break;
105 }
106 }
107
108 void lib::body(std::string_view body)
109 {
110 CHECK_EQ((status_ = dkim_body(dkim_, uc(body.data()), body.length())),
111 DKIM_STAT_OK)
112 << "dkim_body error: " << dkim_getresultstr(status_);
113 }
114
115 void lib::chunk(std::string_view chunk)
116 {
117 CHECK_EQ((status_ = dkim_chunk(dkim_, uc(chunk.data()), chunk.length())),
118 DKIM_STAT_OK)
119 << "dkim_chunk error: " << dkim_getresultstr(status_);
120 }
121
122 void lib::eom()
123 {
124 status_ = dkim_eom(dkim_, nullptr);
125
126 switch (status_) {
127 case DKIM_STAT_OK:
128 case DKIM_STAT_NOSIG:
129 // all good
130 break;
131
132 default:
133 LOG(WARNING) << "dkim_eom error: " << dkim_getresultstr(status_);
134 break;
135 }
136 }
137
138 //.............................................................................
139
140 sign::sign(char const* secretkey,
141 char const* selector,
142 char const* domain,
143 body_type typ)
144 {
145 // clang-format off
146 dkim_ = dkim_sign(lib_,
147 id_s,
148 nullptr,
149 uc(secretkey),
150 uc(selector),
151 uc(domain),
152 DKIM_CANON_RELAXED,
153 (typ == body_type::binary) ? DKIM_CANON_SIMPLE
154 : DKIM_CANON_RELAXED,
155 DKIM_SIGN_RSASHA256,
156 -1,
157 &status_);
158 // clang-format on
159 CHECK_NOTNULL(dkim_);
160 CHECK_EQ(status_, DKIM_STAT_OK);
161 }
162
163 std::string sign::getsighdr()
164 {
165 auto const initial{strlen(DKIM_SIGNHEADER) + 2};
166 unsigned char* buf = nullptr;
167 size_t len = 0;
168 status_ = dkim_getsighdr_d(dkim_, initial, &buf, &len);
169 CHECK_EQ(status_, DKIM_STAT_OK);
170 return std::string(c(buf), len);
171 }
172
173 //.............................................................................
174
175 void verify::foreach_sig(std::function<void(char const* domain,
176 bool passed,
177 char const* identity,
178 char const* selector,
179 char const* b)> func)
180 {
181 int nsigs = 0;
182 DKIM_SIGINFO** sigs = nullptr;
183 status_ = dkim_getsiglist(dkim_, &sigs, &nsigs);
184 if (status_ == DKIM_STAT_INVALID) {
185 LOG(WARNING) << "skipping DKIM sigs";
186 return;
187 }
188 CHECK_EQ(status_, DKIM_STAT_OK);
189
190 iobuffer<u_char> identity(4 * 1024);
191
192 for (auto i{0}; i < nsigs; ++i) {
193 auto const dom = CHECK_NOTNULL(dkim_sig_getdomain(sigs[i]));
194
195 auto const flg = dkim_sig_getflags(sigs[i]);
196 if ((flg & DKIM_SIGFLAG_IGNORE) != 0) {
197 LOG(INFO) << "ignoring signature for domain " << dom;
198 continue;
199 }
200 if ((flg & DKIM_SIGFLAG_TESTKEY) != 0) {
201 LOG(INFO) << "testkey for domain " << dom;
202 }
203
204 if ((flg & DKIM_SIGFLAG_PROCESSED) == 0) {
205 LOG(INFO) << "ignoring unprocessed sig for domain " << dom;
206 continue;
207 }
208
209 auto const bh = dkim_sig_getbh(sigs[i]);
210 if (bh != DKIM_SIGBH_MATCH) {
211 LOG(INFO) << "body hash mismatch for domain " << dom;
212 }
213
214 auto bits{0u};
215 status_ = dkim_sig_getkeysize(sigs[i], &bits);
216 if (status_ == DKIM_STAT_OK) {
217 if (bits < 1024) {
218 LOG(WARNING) << "keysize " << bits << " too small for domain " << dom;
219 }
220 }
221 else {
222 LOG(WARNING) << "getkeysize failed for domain " << dom << " with "
223 << dkim_getresultstr(status_);
224 }
225
226 auto const passed =
227 ((flg & DKIM_SIGFLAG_PASSED) != 0) && (bh == DKIM_SIGBH_MATCH);
228
229 CHECK_EQ(
230 dkim_sig_getidentity(dkim_, sigs[i], identity.data(), identity.size()),
231 DKIM_STAT_OK);
232
233 auto const selector = dkim_sig_getselector(sigs[i]);
234
235 auto const b = dkim_sig_gettagvalue(sigs[i], false, uc("b"));
236
237 func(c(dom), passed, c(identity.data()), c(selector), c(b));
238 }
239 }
240
241 verify::verify()
242 {
243 dkim_ = CHECK_NOTNULL(dkim_verify(lib_, id_v, nullptr, &status_));
244 }
245
246 bool verify::check()
247 {
248 int nsigs = 0;
249 DKIM_SIGINFO** sigs = nullptr;
250 status_ = dkim_getsiglist(dkim_, &sigs, &nsigs);
251 CHECK_EQ(status_, DKIM_STAT_OK);
252
253 LOG(INFO) << "nsigs == " << nsigs;
254
255 for (auto i{0}; i < nsigs; ++i) {
256 LOG(INFO) << i << " domain == " << dkim_sig_getdomain(sigs[i]);
257 auto flg = dkim_sig_getflags(sigs[i]);
258 if ((flg & DKIM_SIGFLAG_IGNORE) != 0) {
259 LOG(INFO) << "DKIM_SIGFLAG_IGNORE";
260 }
261 if ((flg & DKIM_SIGFLAG_PROCESSED) != 0) {
262 LOG(INFO) << "DKIM_SIGFLAG_PROCESSED";
263 }
264 if ((flg & DKIM_SIGFLAG_PASSED) != 0) {
265 LOG(INFO) << "DKIM_SIGFLAG_PASSED";
266 }
267 if ((flg & DKIM_SIGFLAG_TESTKEY) != 0) {
268 LOG(INFO) << "DKIM_SIGFLAG_TESTKEY";
269 }
270 if ((flg & DKIM_SIGFLAG_NOSUBDOMAIN) != 0) {
271 LOG(INFO) << "DKIM_SIGFLAG_NOSUBDOMAIN";
272 }
273 }
274
275 if (nsigs) {
276 auto sig{dkim_getsignature(dkim_)};
277 if (sig) {
278
279 LOG(INFO) << "dkim_getsignature domain == " << dkim_sig_getdomain(sig);
280
281 ssize_t msglen;
282 ssize_t canonlen;
283 ssize_t signlen;
284
285 status_ = dkim_sig_getcanonlen(dkim_, sig, &msglen, &canonlen, &signlen);
286
287 CHECK_EQ(status_, DKIM_STAT_OK);
288
289 LOG(INFO) << "msglen == " << msglen;
290 LOG(INFO) << "canonlen == " << canonlen;
291 LOG(INFO) << "signlen == " << signlen;
292
293 auto nhdrs{0u};
294 status_ = dkim_sig_getsignedhdrs(dkim_, sig, nullptr, 0, &nhdrs);
295 if (status_ != DKIM_STAT_NORESOURCE) {
296 return false;
297 }
298
299 LOG(INFO) << "nhdrs == " << nhdrs;
300
301 auto constexpr hdr_sz{DKIM_MAXHEADER + 1};
302 auto signedhdrs{std::vector<unsigned char>(nhdrs * hdr_sz, '\0')};
303
304 status_ =
305 dkim_sig_getsignedhdrs(dkim_, sig, &signedhdrs[0], hdr_sz, &nhdrs);
306 CHECK_EQ(status_, DKIM_STAT_OK);
307
308 for (auto i{0u}; i < nhdrs; ++i)
309 LOG(INFO) << &signedhdrs[i * hdr_sz];
310
311 return true;
312 }
313 }
314
315 return false;
316 }
317
318 bool verify::sig_syntax(std::string_view sig)
319 {
320 return dkim_sig_syntax(dkim_, uc(sig.data()), sig.length()) == DKIM_STAT_OK;
321 }
322
323 } // namespace OpenDKIM
Gene's SMTP server