From: ooga@e.email
To: 9front@9front.org
Subject: [9front] dkim patches
Date: Mon, 24 Apr 2023 20:29:24 +0000 (UTC)
Message-ID: <2c9b768e-0b61-4d42-9caf-5a3cba64ecef@e.email>
[-- Attachment #1: Type: text/plain, Size: 509 bytes --]
I'm not sure how to send these patches, but here they are, attached: one to use custom headers, one to prevent headers from being inserted and one to silence upas/qer.
The first one is fresh, but dkim didn't crash :) with the couple of messages I've tested it with. I'm not sure I use the right function to parse the command line argument. I used to have a hardcoded list in dkim.c, but it wasn't enough.
The messages pass the validation from Google and FairMail (android app), with or without the trailing ":".
[-- Attachment #2: dkim-custom-headers.diff --]
[-- Type: text/plain, Size: 1756 bytes --]
upas/dkim: allow custom headers to be signed
The list of headers someone wants to sign is larger than the default
list used by upas/dkim. For example, many servers add 'cc',
'reply-to', 'sender' and 'mime-version', the top of the recommended
list[1].
In addition to this, there are times when you want to sign
specific headers on some messages. For example, Google
signs tls-report-submitter and tls-report-domain with smtp-tls-reporting
messages.
[1]: https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 2c6484d1804bd719ae89b9ee36e90b61dd9f6fbb 742fd9b6fa574793f709fa69b791196438ad1ee8
--- a/sys/man/1/filter
+++ b/sys/man/1/filter
@@ -204,6 +204,11 @@
flag specifies the selector. If the selector is not
specified, it defaults to
.IR dkim .
+.I -h
+flag specifies a list of headers to sign. If this flag is not
+specified, it defaults to
+.IR from:,to:,subject:,date:,message-id:
+.
The keyspec searched for the signing key is:
.IP
.EX
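Review bot: the lone `.` on the last added line is a troff control line, so the sentence's closing period is dropped from the rendered page; put it on the `.IR` line the way the selector text just above does (`.IR dkim .`), giving `.IR from:,to:,subject:,date:,message-id: .`. The new sentence also starts at `.I -h` with no leading "The", and it should say that the argument is a comma-separated list that replaces the default list rather than extending it, since that is what `signhdr = usersignhdr;` in dkim.c does.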
--- a/sys/src/cmd/upas/dkim/dkim.c
+++ b/sys/src/cmd/upas/dkim/dkim.c
@@ -6,7 +6,7 @@
#include <authsrv.h>
#include <pool.h>
-char *signhdr[] = {
+char *defsignhdr[] = {
"from:",
"to:",
"subject:",
@@ -14,6 +14,8 @@
"message-id:",
nil
};
+char **signhdr = defsignhdr;
+char *usersignhdr[20];
char *keyspec;
char *domain;
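Review bot: `char *usersignhdr[20];` hard-codes a limit of 19 header names, with no name for the constant and no check where the array is filled, so a longer `-h` list is neither rejected nor reported. Give the size a named constant, or size the array from the argument, and have the `-h` case fail with a message when the list does not fit.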
@@ -93,7 +95,7 @@
void
usage(void)
{
- fprint(2, "usage: %s [-s sel] -d dom\n", argv0);
+ fprint(2, "usage: %s [-s sel] [-h headers] -d dom\n", argv0);
exits("usage");
}
@@ -109,6 +111,10 @@
ARGBEGIN{
case 'd':
domain = EARGF(usage());
+ break;
+ case 'h':
+ usersignhdr[getfields(EARGF(usage()), usersignhdr, nelem(usersignhdr)-1, 1, ",")] = nil;
+ signhdr = usersignhdr;
break;
case 's':
selector = EARGF(usage());
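Review bot: the `case 'h':` branch accepts whatever list it is given. An empty argument leaves `usersignhdr[0]` nil, so the list of headers to sign is empty, and a list without `from:` produces a signature the DKIM specification does not allow, because the From header field must always be signed. Check the count returned by `getfields` and either reject a list that lacks `from:` or always add it. The one-line assignment would also read better with the count held in a local variable, and the man page should state whether entries need the trailing ':' and lowercase spelling that the `defsignhdr` entries use.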
[-- Attachment #3: dkim-seal.diff --]
[-- Type: text/plain, Size: 985 bytes --]
upas/dkim: seal the signed header fields
"Signers MAY claim to have signed header fields that do not exist
...
A header field name need only be listed once more
than the actual number of that header field in a message
at the time of signing in order to prevent any further additions."
https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 742fd9b6fa574793f709fa69b791196438ad1ee8 c24531318db27a706d0af70f69ae7f524ba1754a
--- a/sys/src/cmd/upas/dkim/dkim.c
+++ b/sys/src/cmd/upas/dkim/dkim.c
@@ -33,6 +33,18 @@
return e - p;
}
+void
+addallhdrs(char **hs)
+{
+ char **p;
+
+ for(p = signhdr; *p; p++){
+ if((*hs = realloc(*hs, strlen(*hs) + strlen(*p) + 1)) == nil)
+ sysfatal("realloc: %r");
+ strcat(*hs, *p);
+ }
+}
+
int
usehdr(char *ln, char **hs)
{
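Review bot: `strcat(*hs, *p)` in `addallhdrs` inserts no separator, so the result is a valid colon-separated list only when every `signhdr` entry ends in ':'. That holds for the default entries, but the `-h` patch lets users pass entries without the colon, and those would be fused into a single name. Normalise the entries when `-h` is parsed, or append the ':' here. `strlen(*hs)` also assumes `*hs` is non-nil on entry; if `hdrset` can still be nil when none of the listed headers appeared in the message, handle that before the loop.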
@@ -165,6 +177,7 @@
}
append(&hdr, &nhdr, &hdrsz, ln, n);
}
+ addallhdrs(&hdrset); /* https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields */
sb = nil;
ntail = 0;
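Review bot: the `addallhdrs(&hdrset)` call is unconditional and its comment is only a URL. Say in the comment what the call does (each signed header name is listed once more so that a later addition of that header breaks verification), and document the behaviour in filter(1): combined with `-h`, any listed header that a later hop adds will now make the signature fail, and there is no flag to turn sealing off.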
[-- Attachment #4: qer.diff --]
[-- Type: text/plain, Size: 670 bytes --]
upas/qer: don't log if mail starts with DKIM-Signature:
Without this, when we use upas/dkim in /mail/lib/qmail:
upas/dkim ... | upas/qer ...
we'll have a warning in our logs for every message we send.
---
diff f9aa809cbf2d1c17d989bd777c97d4bd4944a8e3 2c6484d1804bd719ae89b9ee36e90b61dd9f6fbb
--- a/sys/src/cmd/upas/q/qer.c
+++ b/sys/src/cmd/upas/q/qer.c
@@ -129,7 +129,7 @@
*/
i = 0;
while((n = read(0, buf, sizeof(buf)-1)) > 0){
- if(i++ == 0 && strncmp(buf, "From", 4) != 0){
+ if(i++ == 0 && strncmp(buf, "From", 4) != 0 && strncmp(buf, "DKIM-Signature:", 15) != 0){
buf[n] = 0;
syslog(0, "smtp", "qer usys data starts with %-40.40s", buf);
}
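Review bot: in the changed condition both `strncmp` calls run before `buf[n] = 0;`, which is only executed inside the branch, so a first `read` that returns fewer than 15 bytes is compared against whatever the unterminated buffer still holds. Terminate `buf` right after the read, before the comparisons. The match is also case-sensitive with a hand-counted length of 15; header field names are case-insensitive, so consider `cistrncmp` and deriving the length from the string literal.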