From 2115a5e9f898bab1d70f28e4030e4278dc3a8153 Mon Sep 17 00:00:00 2001
From: Scott Kitterman
Date: Sat, 25 Feb 2023 17:10:17 -0500
Subject: [PATCH] Invalid Authentication-Results header fields are ignored for ARC signing (LP: #1884044)
---
 ChangeLog | 2 ++
 README.md | 3 +++
 dkim/__init__.py | 18 ++++++++++++------
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 81dd045..35cde20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,8 @@ Version 1.1.0
 installed (LP: #1954331) - see README.md for details
 - Add new dkim.DnsTimeoutError class to report queried domain and selector along with timeout error from dnspython (LP: #1873449)
+ - Invalid Authentication-Results header fields are ignored for ARC signing
+ (LP: #1884044)
 2019-12-31 Version 1.0.2
 - dknewkey: On posix operating systems set file permissions to 600 for
diff --git a/README.md b/README.md
index 17c5aef..17ffa21 100644
--- a/README.md
+++ b/README.md
@@ -176,6 +176,9 @@ https://tools.ietf.org/html/rfc8617
 In addition to arcsign and arcverify, the dkim module now provides arc_sign and arc_verify functions as well as an ARC class.
+If an invalid authentication results header field is included in the set for
+ARC, it is ignored and no error is raised.
+
 Both DKIM ed25519 and ARC are now considered stable (no longer experimantal).
 ## ASYNC SUPPORT
diff --git a/dkim/__init__.py b/dkim/__init__.py
index c6d07d6..52d1c8b 100644
--- a/dkim/__init__.py
+++ b/dkim/__init__.py
@@ -45,7 +45,7 @@ USE_ASYNC = True
 # only needed for arc
 try:
- from authres import AuthenticationResultsHeader
+ import authres
 except ImportError:
 pass
@@ -1037,10 +1037,10 @@ class ARC(DomainSigner):
 self.add_should_not(('Authentication-Results',))
 # check if authres has been imported
 try:
- AuthenticationResultsHeader
+ authres.AuthenticationResultsHeader
 except:
 self.logger.debug("authres package not installed")
- raise AuthresNotFoundError
+ raise authres.AuthresNotFoundError
 try:
 pk = parse_pem_private_key(privkey)
@@ -1049,8 +1049,14 @@ class ARC(DomainSigner):
 # extract, parse, filter & group AR headers
 ar_headers = [res.strip() for [ar, res] in self.headers if ar == b'Authentication-Results']
- grouped_headers = [(res, AuthenticationResultsHeader.parse('Authentication-Results: ' + res.decode('utf-8')))
- for res in ar_headers]
+
+ grouped_headers = []
+ for res in ar_headers:
+ try: # see LP: #1884044
+ grouped_headers.append((res, authres.AuthenticationResultsHeader.parse('Authentication-Results: ' + res.decode('utf-8'))))
+ except authres.core.SyntaxError:
+ # Skip over invalid AR header fields
+ pass
 auth_headers = [res for res in grouped_headers if res[1].authserv_id == srv_id.decode('utf-8')]
 if len(auth_headers) == 0:
@@ -1064,7 +1070,7 @@ class ARC(DomainSigner):
 auth_results = srv_id + b'; ' + (b';' + self.linesep + b' ').join(results)
 # extract cv
- parsed_auth_results = AuthenticationResultsHeader.parse('Authentication-Results: ' + auth_results.decode('utf-8'))
+ parsed_auth_results = authres.AuthenticationResultsHeader.parse('Authentication-Results: ' + auth_results.decode('utf-8'))
 arc_results = [res for res in parsed_auth_results.results if res.method == 'arc']
 if len(arc_results) == 0:
 chain_validation_status = CV_None
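Review bot: `raise authres.AuthresNotFoundError` in the except branch of the @@ -1037 hunk looks the exception up on the very module whose absence that branch reports. When the import at the top of the file has failed, the name `authres` is unbound, so this line raises NameError rather than the AuthresNotFoundError callers received before; the removed line raised the bare name, which suggests the class is defined in dkim and not in authres. Keep `raise AuthresNotFoundError`, and consider narrowing the bare `except:` to `except NameError:` so that unrelated failures are not reported as a missing package. The enclosing method starts and ends outside the hunk.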
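Review bot: The new try block in the @@ -1049 hunk also covers `res.decode('utf-8')`, but only `authres.core.SyntaxError` is caught, so a header field carrying bytes that are not valid UTF-8 still raises UnicodeDecodeError and aborts signing. These values come from the message being sealed and are untrusted input; if the intent is to ignore every malformed field, use `except (authres.core.SyntaxError, UnicodeDecodeError):`. The skip is also silent: replacing `pass` with `self.logger.debug("ignoring invalid Authentication-Results header field: %r", res)` would leave a trace when a field is left out of the ARC set. The enclosing method starts and ends outside the hunk.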