Gitweb:
https://git.exim.org/exim.git/commitdiff/6ce1ece9cb2b13fdc4d235146fa98835811570bd
Commit: 6ce1ece9cb2b13fdc4d235146fa98835811570bd
Parent: 0075b53360a9b1452bd5d11b9c0a6c254c42a465
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Oct 23 13:27:06 2019 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Wed Oct 23 13:27:06 2019 +0100
DKIM: disallow default acceptance of sha1 for verify
---
doc/doc-docbook/spec.xfpt | 13 +++++++++----
doc/doc-txt/ChangeLog | 4 ++++
src/src/globals.c | 2 +-
test/confs/4500 | 1 +
test/stderr/4507 | 8 ++++----
5 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index bb19e39..c8b999c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15113,15 +15113,20 @@ to handle IPv6 literal addresses.
.new
-.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1"
+.option dkim_verify_hashes main "string list" "sha256 : sha512"
.cindex DKIM "selecting signature algorithms"
This option gives a list of hash types which are acceptable in signatures,
and an order of processing.
Signatures with algorithms not in the list will be ignored.
-Note that the presence of sha1 violates RFC 8301.
-Signatures using the rsa-sha1 are however (as of writing) still common.
-The default inclusion of sha1 may be dropped in a future release.
+Acceptable values include:
+.code
+sha1
+sha256
+sha512
+.endd
+
+Note that the acceptance of sha1 violates RFC 8301.
.option dkim_verify_keytypes main "string list" "ed25519 : rsa"
This option gives a list of key types which are acceptable in signatures,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 079b5a1..45d126c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -14,6 +14,10 @@ JH/01 Avoid costly startup code when not strictly needed. This reduces time
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
+JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
+ RFC 8301. They can still be enabled, using the dkim_verify_hashes main
+ option.
+
Exim version 4.93
-----------------
diff --git a/src/src/globals.c b/src/src/globals.c
index 87ff2e6..b874c46 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -831,7 +831,7 @@ void *dkim_signatures = NULL;
uschar *dkim_signers = NULL;
uschar *dkim_signing_domain = NULL;
uschar *dkim_signing_selector = NULL;
-uschar *dkim_verify_hashes = US"sha256:sha512:sha1";
+uschar *dkim_verify_hashes = US"sha256:sha512";
uschar *dkim_verify_keytypes = US"ed25519:rsa";
BOOL dkim_verify_minimal = FALSE;
uschar *dkim_verify_overall = NULL;
diff --git a/test/confs/4500 b/test/confs/4500
index 502de4a..c733532 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -13,6 +13,7 @@ acl_smtp_dkim = check_dkim
acl_smtp_data = check_data
log_selector = +dkim_verbose
+dkim_verify_hashes = sha256 : sha512 : sha1
queue_only
queue_run_in_order
diff --git a/test/stderr/4507 b/test/stderr/4507
index 48d4d9f..1c45d09 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -9,22 +9,22 @@
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> xxx in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 43)
+>>> processing "accept" (TESTSUITE/test-config 44)
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)
>>> using ACL "check_dkim"
->>> processing "warn" (TESTSUITE/test-config 34)
+>>> processing "warn" (TESTSUITE/test-config 35)
>>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
>>> = signer: test.ex bits: 1024
LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
>>> warn: condition test succeeded in ACL "check_dkim"
->>> processing "accept" (TESTSUITE/test-config 37)
+>>> processing "accept" (TESTSUITE/test-config 38)
>>> accept: condition test succeeded in ACL "check_dkim"
>>> end of ACL "check_dkim": ACCEPT
LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
>>> using ACL "check_data"
->>> processing "accept" (TESTSUITE/test-config 41)
+>>> processing "accept" (TESTSUITE/test-config 42)
>>> check logwrite = ${authresults {$primary_hostname}}
>>> = Authentication-Results: myhost.test.ex;
>>> dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
