[exim-dev] [Bug 2295] Invalid DKIM signatures (due to header…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2295] Invalid DKIM signatures (due to header hash miscomputed)
https://bugs.exim.org/show_bug.cgi?id=2295

--- Comment #6 from Guillaume Outters <guillaume-exim@???> ---
I did additional tests with dkimvalidator.org, adding a dummy DKIM attribute as
padding to force the "b=;" to be near the line end:
1. "bh=…; un=droole_de_pas_dingue; b=;" (makes the ";" of "b=;" be the last
character of the line)
2. "bh=…; un=drooole_de_pas_dingue; b=;" (one more o, making the 78-character
split occur between = and ;)

Both values of the dummy field gave a successful signature!

(with 2., the full "b=;" got wrapped to a new line)

For the record: I tried playing with fire, by reverting ea18931 (headcating
first "b=", then ";" alone).
The (new) headcat did what it should given what it knew, putting the "b=" at
the end of the line, then starting a new, padded line with ";".
But this did not validate in dkimvalidator, which confirms that "the headcat
routine could insert a linebreak" that the canonicalization then converts to an
RFC-breaking space, generating an invalid signature.

Maybe we should change the comment to "will insert" instead of "could insert"
(detailing why).
Or simply get rid of the final ";", as suggested by the "I'm not sure if this
is actually needed" comment, and as done by GMail?

(but I digress, canonicalization is another thing: maybe as a new bug, or
simply an addition to the comment "In fact it adds complexity, see comment of
the !final case". For this 2295 bug, I consider it to be fixed by the patch. I
will change its title, now that we know which case triggered it)

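The effect described in the comment above, as an added example that is not part of the original message and is not Exim's code: a minimal relaxed header canonicalization (RFC 6376 section 3.4.2) run over constructed DKIM-Signature values. It shows that a fold at existing whitespace leaves the hashed bytes unchanged, while a fold between "b=" and ";" leaves a space behind. The tag values and function names are assumptions made for illustration.

```python
import hashlib
import re


def relaxed_header(raw: str) -> str:
    """Relaxed header canonicalization, RFC 6376 section 3.4.2."""
    name, _, value = raw.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # collapse each WSP run to one SP
    value = value.rstrip(" \t\r\n").lstrip(" ")   # drop WSP at the end and after ':'
    return name.strip().lower() + ":" + value


def header_digest(raw: str) -> str:
    """SHA-256 over the canonical form, i.e. the bytes that feed the header hash."""
    return hashlib.sha256(relaxed_header(raw).encode("ascii")).hexdigest()


def fold_changes_hash(signed_form: str, sent_form: str) -> bool:
    """True when the form that was hashed and the form on the wire
    canonicalize differently, which a verifier reports as a bad signature."""
    return header_digest(signed_form) != header_digest(sent_form)


# Constructed sample values; "bh=AAAA" and "un=pad" are placeholders.
PREFIX = "DKIM-Signature: v=1; a=rsa-sha256; bh=AAAA; un=pad;"

# The header with an empty b= tag on one line.
UNFOLDED = PREFIX + " b=;"

# Fold at the whitespace before "b=;": the whole tag moves to the next line.
FOLD_AT_SPACE = PREFIX + "\r\n\tb=;"

# Fold between "b=" and ";": no whitespace existed there before the fold.
FOLD_INSIDE = PREFIX + " b=\r\n\t;"


if __name__ == "__main__":
    for label, hdr in [("unfolded", UNFOLDED),
                       ("fold before b=", FOLD_AT_SPACE),
                       ("fold inside b=;", FOLD_INSIDE)]:
        print(f"{label:16} {relaxed_header(hdr)!r}")
        print(f"{'':16} hash input differs from unfolded: "
              f"{fold_changes_hash(UNFOLDED, hdr)}")
```
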