[exim-dev] [Bug 1309] Headers included in dkim_sign_headers …

Author: Todd Lyons
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1309] Headers included in dkim_sign_headers are not in the signature when not in the message

http://bugs.exim.org/show_bug.cgi?id=1309




--- Comment #3 from Todd Lyons <tlyons@???> 2012-10-15 14:12:01 ---
On Sun, Oct 14, 2012 at 5:22 PM, Tony Meyer <tony@???> wrote:
> For example, in the message below I have dkim_sign_headers set to
> subject:to:from, and a message that has Subject: and From: headers, but no To:
> header, and the h= tag in the DKIM signature is From:Subject (i.e. "To" is
> missing).


For those that don't know, the process of signing a header that is not
actually present is one form of what is commonly referred to as
oversigning headers. If you sign a header that isn't there and then
someone actually adds that header, it will invalidate the signature.
The way that it is operating above allows a person to take a signed
email, add the missing header and it will still pass DKIM.

Possible Solutions:
1. Retain current behavior, but add option to detect and perform oversign.
2. Don't give the knob, just sign the fields.

To me #2 is easiest. I can't really think of any instance where I
would want #1, but maybe I'm just not that imaginative.

Looking at the code, it explicitly skips headers which are missing, so
we need to test if signing a non-existent header creates a problem.
I'm a bit wrapped up in some stuff for the next couple of weeks, maybe
someone else can do this. Basically it just needs to exclude the
header_name_match test and just unconditionally add the header name to
the list.

  /* SIGNING -------------------------------------------------------------- */
  if (ctx->mode == PDKIM_MODE_SIGN) {
    /* Traverse all signatures */
    while (sig != NULL) {
      pdkim_stringlist *list;

      if (header_name_match(ctx->cur_header->str,
                            sig->sign_headers?
                              sig->sign_headers:
                              PDKIM_DEFAULT_SIGN_HEADERS, 0) != PDKIM_OK) goto NEXT_SIG;

      /* Add header to the signed headers list (in reverse order) */
      list = pdkim_prepend_stringlist(sig->headers,
                                      ctx->cur_header->str);
      if (list == NULL) return PDKIM_ERR_OOM;
      sig->headers = list;

      NEXT_SIG:
      sig = sig->next;
    }
  }


I don't know if this is going to cause a problem in the signing
library (how well it handles signing a non-existent header, this would
be uncovered during testing).

...Todd
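
Added example, not part of the original message or of Exim's pdkim code: a simplified C model of how a verifier selects the headers named in h=, showing why the h= value from the report (From:Subject) lets a To: header be added unnoticed while an oversigned h= (From:Subject:To) does not. The function names and the sample message are constructed for illustration; canonicalization and repeated names in h= are left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Build the header part of the data a DKIM verifier hashes: for each name in
   the h= list, append the matching header line, or nothing if it is absent
   (RFC 6376 treats a listed-but-missing header as the null string). */
static void hash_input(const char *h, const char **hdrs, int n,
                       char *out, size_t cap) {
  char names[128];
  out[0] = '\0';
  snprintf(names, sizeof names, "%s", h);
  for (char *name = strtok(names, ":"); name; name = strtok(NULL, ":")) {
    size_t len = strlen(name);
    for (int i = n - 1; i >= 0; i--)   /* headers are selected bottom-up */
      if (strncasecmp(hdrs[i], name, len) == 0 && hdrs[i][len] == ':') {
        strncat(out, hdrs[i], cap - strlen(out) - 1);
        strncat(out, "\r\n", cap - strlen(out) - 1);
        break;
      }
  }
}

/* Returns 1 if adding a To: header after signing changes the hashed data
   (the signature would fail), 0 if the addition goes unnoticed. */
int injection_detected(const char *h) {
  /* Constructed sample: Subject and From but no To, as in the bug report. */
  const char *signed_msg[] = { "Subject: hello", "From: a@example.org" };
  const char *modified[]   = { "Subject: hello", "From: a@example.org",
                               "To: added@example.net" };
  char before[512], after[512];
  hash_input(h, signed_msg, 2, before, sizeof before);
  hash_input(h, modified, 3, after, sizeof after);
  return strcmp(before, after) != 0;
}

int main(void) {
  printf("h=From:Subject    detected: %d\n", injection_detected("From:Subject"));
  printf("h=From:Subject:To detected: %d\n", injection_detected("From:Subject:To"));
  return 0;
}
```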

