[Exim] [patch] HMAC (hash message authentication code) expan…

Author: Steve Haslam
Date:  
To: exim-users
Subject: [Exim] [patch] HMAC (hash message authentication code) expansion operator
Another day, another patch...

http://www.arise.demon.co.uk/exim_hmac_patch

This patch adds support for HMAC, as specified in RFC2104.

Basically, you can take a piece of data, combine it with a secret using a
hash algorithm, and produce a code which you can check against the original
data if you know the secret.

You could produce a similar effect using ${md5:secret_text${data}}, but
apparently HMAC provides better defence against deducing the secret.

Syntax:

${hmac_md5:secret:data}

e.g.:

# In main
SPAMSCAN_SECRET=cohgheeLei2thahw

# In router/transport
headers_add="X-Spam-Scanned: ${primary_hostname} ${message_id} \
${hmac_md5:SPAMSCAN_SECRET:${primary_hostname},${message_id},$h_message-id:}"

Then given a message, you could check where it was scanned by looking at the
X-Spam-Scanned header, and could check the X-Spam-Scanned header was
authentic by grabbing the hostname, queue-id and message-id and running them
through HMAC, using exim -be or:

perl -MDigest::HMAC_MD5=hmac_md5_hex -e 'print hmac_md5_hex($data,$secret)'

... which just goes to show how useful standards can be :)

Expansion:

I anticipate that in the future, more hash algorithms will be added (e.g.
SHA-1), so the code reads the "_md5" as an argument, to allow
${hmac_sha1:..:..} etc.

Possibly add an extra arg for how to encode the hash value, e.g.
${hmac_md5_hex:...:...}, ${hmac_md5_b64:...:...}. (Notice how they converge
to the perl function names, handy that :) )

I ought to write a patch for spec.txt or spec.texinfo too. Sorry. Phil, if
you want people to write documentation for their patches, which format do
you want it in?

SRH
--
Steve Haslam      Reading, UK                           araqnid@???
Debian GNU/Linux Maintainer                               araqnid@???
Your heart has been ruptured and it will never heal
To get another heart you'll have to steal                    [leæther strip]
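
Added example, not part of the original post or the patch: a Python sketch of the check described above, with the RFC 2104 construction written out and an X-Spam-Scanned value verified by recomputing the code. It assumes the operator emits lowercase hex (as Perl's hmac_md5_hex does) and that the header fields are space-separated as in the headers_add line; the function names, host name, queue id and Message-ID are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes (RFC 2104 "B")

def hmac_md5_hex(secret: bytes, data: bytes) -> str:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || data)), hex-encoded."""
    if len(secret) > BLOCK:            # over-long keys are hashed first
        secret = hashlib.md5(secret).digest()
    key = secret.ljust(BLOCK, b"\0")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + data).digest()
    return hashlib.md5(opad + inner).hexdigest()

def make_header(secret: bytes, host: str, queue_id: str, msgid: str) -> str:
    """Value of X-Spam-Scanned as laid out by the headers_add line in the post."""
    mac = hmac_md5_hex(secret, f"{host},{queue_id},{msgid}".encode())
    return f"{host} {queue_id} {mac}"

def verify_header(secret: bytes, value: str, msgid: str) -> bool:
    """Recompute the code from the header's own fields and compare."""
    parts = value.split()
    if len(parts) != 3:                # malformed or truncated header
        return False
    host, queue_id, claimed = parts
    expected = hmac_md5_hex(secret, f"{host},{queue_id},{msgid}".encode())
    # compare_digest does not reveal how many leading characters matched
    return hmac.compare_digest(expected.encode(), claimed.lower().encode())

if __name__ == "__main__":
    secret = b"cohgheeLei2thahw"                 # SPAMSCAN_SECRET from the post
    msgid = "<constructed.1@mail.example.org>"   # constructed sample value
    hdr = make_header(secret, "mail.example.org", "14abCD-0001Xy-00", msgid)
    print(hdr)
    print(verify_header(secret, hdr, msgid))                             # genuine
    print(verify_header(secret, hdr.replace("mail.", "other."), msgid))  # altered
```

The Message-ID is covered by the code but not repeated in the X-Spam-Scanned header, so the verifier has to take it from the message's own Message-ID header, which ties the code to that message.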