From c3eb34261137d8e4ad59d62e70ed40d294b845ab Mon Sep 17 00:00:00 2001 From: Scott Kitterman Date: Fri, 9 Nov 2018 19:58:11 -0500 Subject: [PATCH] Fixed ARC verification to fail is h= tag is present in Arc-Seal, added test, bumped version to start 0.9.1 --- ChangeLog | 4 ++++ dkim/__init__.py | 6 +++++- dkim/tests/test_arc.py | 9 +++++++++ setup.py | 2 +- 4 files changed, 19 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e8e7af4..4633a67 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +UNRELEASED Version 0.9.1 + - Fixed ARC verification to fail if h= tag is present in Arc-Seal and + added tests + 2018-10-30 Version 0.9.0 - Update oversigned (frozen) header field list to reduce signature fragility (removes 'date' and 'subject' fields from being oversigned by diff --git a/dkim/__init__.py b/dkim/__init__.py index 395cd64..ed54d1f 100644 --- a/dkim/__init__.py +++ b/dkim/__init__.py @@ -1056,7 +1056,8 @@ class ARC(DomainSigner): # reversing the order of the headers accomplishes this if chain_validation_status == CV_Fail: self.headers.reverse() - + if b'h' in as_fields: + raise ValidationError("h= tag not permitted in ARC-Seal header field") res = self.gen_header(as_fields, as_include_headers, canon_policy, b"ARC-Seal", pk, standardize) @@ -1190,6 +1191,9 @@ class ARC(DomainSigner): self.logger.debug("as sig[%d]: %r" % (instance, sig)) validate_signature_fields(sig, [b'i', b'a', b'b', b'cv', b'd', b's'], True) + if b'h' in sig: + raise ValidationError("h= tag not permitted in ARC-Seal header field") + output['as-domain'] = sig[b'd'] output['as-selector'] = sig[b's'] output['cv'] = sig[b'cv'] diff --git a/dkim/tests/test_arc.py b/dkim/tests/test_arc.py index e02f2eb..18719a3 100644 --- a/dkim/tests/test_arc.py +++ b/dkim/tests/test_arc.py @@ -81,6 +81,15 @@ Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB""" (cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc) self.assertEqual(cv, dkim.CV_Pass) + def test_fails_h_in_as(self): + # ARC 4.1.3, h= not allowed in AS + self.maxDiff = None + sig_lines = [b'ARC-Seal: i=1; cv=none; a=rsa-sha256; d=example.com; s=test; t=12345; \r\n h=message-id : date : from : to : subject : from; \r\n b=mIurIuLl0/wAxWhA4DBS1wsUE15IBnmJ7o3sH15hIuesdD4smz1cCLXVhRtxQE\r\n rVtVLv4OgNCgdFsB5zbSOUao2bSSYP6y0BGyCWvr+hU4tai5axIc1Kfwbtv/0Mqg\r\n waiGJPreOAAeZOJ4vPfdaAbSXlN5MI4PHW89U82FSIBKI=\r\n', b'ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; \r\n d=example.com; s=test; t=12345; h=message-id : \r\n date : from : to : subject : from; \r\n bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=; \r\n b=a0f6qc3k9eECTSR155A0TQS+LjqPFWfI/brQBA83EUz00SNxj\r\n 1wmWykvs1hhBVeM0r1kEQc6CKbzRYaBNSiFj4q8JBpRIujLz1qL\r\n yGmPuAI6ddu/Z/1hQxgpVcp/odmI1UMV2R+d+yQ7tUp3EQxF/GY\r\n Nt22rV4rNmDmANZVqJ90=\r\n', b'ARC-Authentication-Results: i=1; lists.example.org; arc=none;\r\n spf=pass smtp.mfrom=jqd@d1.example;\r\n dkim=pass (1024-bit key) header.i=@d1.example;\r\n dmarc=pass\r\n'] + + (cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc) + self.assertEqual(cv, dkim.CV_Fail) + + def test_suite(): from unittest import TestLoader diff --git a/setup.py b/setup.py index e0c9584..93f0003 100644 --- a/setup.py +++ b/setup.py @@ -25,7 +25,7 @@ from setuptools import setup import os import sys -version = "0.9.0" +version = "0.9.1" kw = {} # Work-around for lack of 'or' requires in setuptools. try: