9front - general discussion about 9front
From: ooga@e.email
To: 9front@9front.org
Subject: [9front] dkim patches
Date: Mon, 24 Apr 2023 20:29:24 +0000 (UTC)
Message-ID: <2c9b768e-0b61-4d42-9caf-5a3cba64ecef@e.email>

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

I'm not sure how to send these patches, but here they are, attached: one to use custom headers, one to prevent headers from being inserted and one to silence upas/qer.

The first one is fresh, but dkim didn't crash :) with the couple of messages I've tested it with. I'm not sure I use the right function to parse the command line argument. I used to have a hardcoded list in dkim.c, but it wasn't enough.

The messages pass the validation from Google and FairMail (android app), with or without the trailing ":".




[-- Attachment #2: dkim-custom-headers.diff --]
[-- Type: text/plain, Size: 1756 bytes --]

upas/dkim: allow custom headers to be signed

The list of headers someone wants to sign is larger than the default
list used by upas/dkim.  For example, many servers add 'cc',
'reply-to', 'sender' and 'mime-version', the top of the recommended
list[1].

In addition to this, there are times when you want to sign
specific headers on some messages. For example, Google
signs tls-report-submitter and tls-report-domain with smtp-tls-reporting
messages.

[1]: https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 2c6484d1804bd719ae89b9ee36e90b61dd9f6fbb 742fd9b6fa574793f709fa69b791196438ad1ee8
--- a/sys/man/1/filter
+++ b/sys/man/1/filter
@@ -204,6 +204,11 @@
 flag specifies the selector. If the selector is not
 specified, it defaults to
 .IR dkim .
+.I -h
+flag specifies a list of headers to sign. If this flag is not
+specified, it defaults to
+.IR from:,to:,subject:,date:,message-id:
+.
 The keyspec searched for the signing key is:
 .IP
 .EX
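Review bot: in the added man page text the sentence-ending period sits on a line of its own after the `.IR` line, and troff treats a line holding only `.` as an empty request, so the period never prints. The context line just above uses `.IR dkim .`; write `.IR from:,to:,subject:,date:,message-id: .` the same way. The new sentence also starts directly at `.I -h` with no leading article. The text should say that the list is comma-separated, whether each name needs its trailing colon, and that at most 19 names are accepted (usersignhdr[20] in dkim.c). This is the only hunk for filter(1), so the synopsis is not updated for the new flag.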
--- a/sys/src/cmd/upas/dkim/dkim.c
+++ b/sys/src/cmd/upas/dkim/dkim.c
@@ -6,7 +6,7 @@
 #include <authsrv.h>
 #include <pool.h>
 
-char *signhdr[] = {
+char *defsignhdr[] = {
 	"from:",
 	"to:",
 	"subject:",
@@ -14,6 +14,8 @@
 	"message-id:",
 	nil
 };
+char **signhdr = defsignhdr;
+char *usersignhdr[20];
 
 char *keyspec;
 char *domain;
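Review bot: usersignhdr[20] is a bare constant that caps -h at 19 names plus the nil terminator, and nothing here or in the option parsing reports when a user supplies more. Give the limit a name (an enum) and have the -h case fail with a message when the list does not fit, so that an over-long list is rejected rather than accepted without notice.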
@@ -93,7 +95,7 @@
 void
 usage(void)
 {
-	fprint(2, "usage: %s [-s sel] -d dom\n", argv0);
+	fprint(2, "usage: %s [-s sel] [-h headers] -d dom\n", argv0);
 	exits("usage");
 }
 
@@ -109,6 +111,10 @@
 	ARGBEGIN{
 	case 'd':
 		domain = EARGF(usage());
+		break;
+	case 'h':
+		usersignhdr[getfields(EARGF(usage()), usersignhdr, nelem(usersignhdr)-1, 1, ",")] = nil;
+		signhdr = usersignhdr;
 		break;
 	case 's':
 		selector = EARGF(usage());
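Review bot: the -h case accepts whatever getfields returns, so a list that is empty or that omits from: replaces the defaults without complaint. RFC 4871 requires the From header field to be signed, so check for it after parsing and call sysfatal if it is missing. Splitting the statement would also help readability: store the getfields count in a variable, then set usersignhdr[n] = nil. The defsignhdr entries are all lower case with a trailing ':'; either normalise user entries to that form here or reject ones that differ, and document the expected form.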

[-- Attachment #3: dkim-seal.diff --]
[-- Type: text/plain, Size: 985 bytes --]

upas/dkim: seal the signed header fields

"Signers MAY claim to have signed header fields that do not exist
...
A header field name need only be listed once more
than the actual number of that header field in a message
at the time of signing in order to prevent any further additions."

https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields
---
diff 742fd9b6fa574793f709fa69b791196438ad1ee8 c24531318db27a706d0af70f69ae7f524ba1754a
--- a/sys/src/cmd/upas/dkim/dkim.c
+++ b/sys/src/cmd/upas/dkim/dkim.c
@@ -33,6 +33,18 @@
 	return e - p;
 }		
 
+void
+addallhdrs(char **hs)
+{
+	char **p;
+
+	for(p = signhdr; *p; p++){
+		if((*hs = realloc(*hs, strlen(*hs) + strlen(*p) + 1)) == nil)
+			sysfatal("realloc: %r");
+		strcat(*hs, *p);
+	}
+}
+
 int
 usehdr(char *ln, char **hs)
 {
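Review bot: in addallhdrs, strcat(*hs, *p) appends each name with no separator, so the result is only a valid colon-separated list when every signhdr entry ends in ':'. That holds for the defaults, but with the -h option from the previous patch an entry given without the colon would be fused with the next name; add the separator here or normalise entries when -h is parsed. The function also calls strlen(*hs) first, so it needs *hs to be a non-nil, NUL-terminated string even when no header matched; if hdrset can be nil at that point, handle it. A short comment above the function should say that it lists every signed name once more so that headers added later break the signature.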
@@ -165,6 +177,7 @@
 		}
 		append(&hdr, &nhdr, &hdrsz, ln, n);
 	}
+	addallhdrs(&hdrset); /* https://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields */
 
 	sb = nil;
 	ntail = 0;
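Review bot: the trailing comment on the addallhdrs(&hdrset) call is only a URL; say in words what the call does (list each signed header name once more than it occurs, so later additions invalidate the signature) and keep the link in the commit message. The sealing is unconditional and covers names given with -h as well, and this diff does not touch filter(1), so the behaviour should be documented there. Consider whether operators need a way to leave some names unsealed, since any hop that adds one of these headers will break verification.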

[-- Attachment #4: qer.diff --]
[-- Type: text/plain, Size: 670 bytes --]

upas/qer: don't log if mail starts with DKIM-Signature:

Without this, when we use upas/dkim in /mail/lib/qmail:

	upas/dkim ... | upas/qer ...

we'll have a warning in our logs for every message we send.
---
diff f9aa809cbf2d1c17d989bd777c97d4bd4944a8e3 2c6484d1804bd719ae89b9ee36e90b61dd9f6fbb
--- a/sys/src/cmd/upas/q/qer.c
+++ b/sys/src/cmd/upas/q/qer.c
@@ -129,7 +129,7 @@
 	 */
 	i = 0;
 	while((n = read(0, buf, sizeof(buf)-1)) > 0){
-		if(i++ == 0 && strncmp(buf, "From", 4) != 0){
+		if(i++ == 0 && strncmp(buf, "From", 4) != 0 && strncmp(buf, "DKIM-Signature:", 15) != 0){
 			buf[n] = 0;
 			syslog(0, "smtp", "qer usys data starts with %-40.40s", buf);
 		}
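Review bot: both strncmp calls in the condition run before buf[n] = 0, which is only set inside the if body, so when the first read returns fewer than 15 bytes the new comparison can look at bytes past the data just read. Terminate the buffer right after the read, before the test. The literal 15 has to be kept in step with the string by hand; a named constant for the prefix with sizeof-1 for the length avoids that. The comparison is case-sensitive, which is enough for the upas/dkim pipeline in the commit message, but say so in a comment since header names are otherwise case-insensitive.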
