Fixed ARC verification to fail is h= tag is present in Arc-Seal, added test, bumped version to start 0.9.1

2018-11-09 19:58:11 -05:00
parent d659c496e5
commit c3eb342611
4 changed files with 19 additions and 2 deletions
@@ -1,3 +1,7 @@
+UNRELEASED Version 0.9.1
+    - Fixed ARC verification to fail if h= tag is present in Arc-Seal and
+      added tests
+
 2018-10-30 Version 0.9.0
    - Update oversigned (frozen) header field list to reduce signature
      fragility (removes 'date' and 'subject' fields from being oversigned by
@@ -1056,7 +1056,8 @@ class ARC(DomainSigner):
    # reversing the order of the headers accomplishes this
    if chain_validation_status == CV_Fail:
      self.headers.reverse()
-
+    if b'h' in as_fields:
+        raise ValidationError("h= tag not permitted in ARC-Seal header field")    
    res = self.gen_header(as_fields, as_include_headers, canon_policy,
                           b"ARC-Seal", pk, standardize)

@@ -1190,6 +1191,9 @@ class ARC(DomainSigner):
    self.logger.debug("as sig[%d]: %r" % (instance, sig))

    validate_signature_fields(sig, [b'i', b'a', b'b', b'cv', b'd', b's'], True)
+    if b'h' in sig:
+        raise ValidationError("h= tag not permitted in ARC-Seal header field")
+
    output['as-domain'] = sig[b'd']
    output['as-selector'] = sig[b's']
    output['cv'] = sig[b'cv']
@@ -81,6 +81,15 @@ Y+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"""
        (cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc)
        self.assertEqual(cv, dkim.CV_Pass)

+    def test_fails_h_in_as(self):
+        # ARC 4.1.3, h= not allowed in AS
+        self.maxDiff = None
+        sig_lines = [b'ARC-Seal: i=1; cv=none; a=rsa-sha256; d=example.com; s=test; t=12345; \r\n h=message-id : date : from : to : subject : from; \r\n b=mIurIuLl0/wAxWhA4DBS1wsUE15IBnmJ7o3sH15hIuesdD4smz1cCLXVhRtxQE\r\n rVtVLv4OgNCgdFsB5zbSOUao2bSSYP6y0BGyCWvr+hU4tai5axIc1Kfwbtv/0Mqg\r\n waiGJPreOAAeZOJ4vPfdaAbSXlN5MI4PHW89U82FSIBKI=\r\n', b'ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; \r\n d=example.com; s=test; t=12345; h=message-id : \r\n date : from : to : subject : from; \r\n bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=; \r\n b=a0f6qc3k9eECTSR155A0TQS+LjqPFWfI/brQBA83EUz00SNxj\r\n 1wmWykvs1hhBVeM0r1kEQc6CKbzRYaBNSiFj4q8JBpRIujLz1qL\r\n yGmPuAI6ddu/Z/1hQxgpVcp/odmI1UMV2R+d+yQ7tUp3EQxF/GY\r\n Nt22rV4rNmDmANZVqJ90=\r\n', b'ARC-Authentication-Results: i=1; lists.example.org; arc=none;\r\n  spf=pass smtp.mfrom=jqd@d1.example;\r\n  dkim=pass (1024-bit key) header.i=@d1.example;\r\n  dmarc=pass\r\n']
+
+        (cv, res, reason) = dkim.arc_verify(b''.join(sig_lines) + self.message, dnsfunc=self.dnsfunc)
+        self.assertEqual(cv, dkim.CV_Fail)
+
+

 def test_suite():
    from unittest import TestLoader
@@ -25,7 +25,7 @@ from setuptools import setup
 import os
 import sys

-version = "0.9.0"
+version = "0.9.1"

 kw = {}  # Work-around for lack of 'or' requires in setuptools.
 try: