On Tue, 15 Jan 2008, Alin Năstac wrote:
> Please note that my patch checks the key's t tag when it verifies subdomain
> messages and it will verify the signature only if t=s doesn't exist there:
> if ((sig->sig_flags & DKIM_SIGFLAG_NOSUBDOMAIN) == 0)
> Therefore, I think my patch is in concordance with RFC4871's definition of
> valid originator signature.
We can bypass the check entirely if according to RFC4871 the signature is
not valid because it doesn't pass the "t=s" test. This is determined much
earlier, in the last part of dkim_sig_process().
(To that end, dkim_policy() should also be checking that sig_error is not
set to indicate that there was a problem. I'll add that.)
> On the other hand, your patch has the following flaws:
> - doesn't test the key's t tag when verifying subdomain signatures
This patch doesn't have to do that explicitly since that's verified
elsewhere, although it does need to test sig_error in general.
> - uses strlcpy() instead of sm_strlcpy()
It was only a preliminary patch, but yes, you're right.
> As for SSP's t tag, the draft says that t=s only disables the given policy for
> its subdomains, hence you will have to query
> _ssp._domainkey.subdom.example.com if you want to obtain the SSP policy of a
> given subdomain. But, since all I'm interested in is checking whether the
> given signature is a valid originator signature or not, it doesn't make sense
> to verify the SSP record at that point.
The patch amends the "valid originator signature" test in dkim_policy(),
correcting it to cover your case. The definition of that test in the SSP
draft includes making sure the "i=" value (explicit or implied) matches
what's in the From: header, which is what my patch does. If that test
passes, it never has to query anything according to the current SSP
algorithm.
> Granted, my patch could be improved by the following changes:
> [...]
> - if originator signature verification fails, the proper SSP policy should
> be found by querying the subdomain's SSP entry when the domain policy has t=s
> and identity is in a subdomain (e.g. if sender is in
> subdom1.subdom2.domain.com, queries will be made in this order: domain.com,
> subdom2.domain.com, subdom1.subdom2.domain.com).
But that's not what the current draft's algorithm specifies. Moreover,
given an arbitrary domain a.b.c.d.e.f, how do I know where to send the
first query? Your example chopped two labels off, but how do I know
that's correct?
> - i tag and sender should match. A dkim_sig_signer() call would be the best
> way to accomplish that, but you need to remove that pesky "#if 0" before its
> definition ;)
That's what my patch adds. I should actually get rid of dkim_sig_signer()
as it was used in very early versions of the code and is no longer needed.
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
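The check the two correspondents are discussing has two layers: signature-time identity checks (RFC 4871's rule that the i= domain lies within d=, and the key's t=s flag forbidding any i= subdomain, which dkim-milter records in sig_error), and the policy-time "valid originator signature" test that compares the i= domain (explicit, or defaulting to @d=) with the From: domain. The following Python is an added, self-contained illustration of that split; it is not dkim-milter's code, and the function names (parse_tags, identity_errors, is_originator_signature), the crypto_ok parameter standing in for the cryptographic verification result, and the sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 4871 section 3.2) into a dict.
    Whitespace inside values is dropped, since the grammar allows folding."""
    tags = {}
    for part in value.split(';'):
        name, sep, val = part.partition('=')
        if sep:
            tags[name.strip().lower()] = re.sub(r'\s+', '', val)
    return tags


def signer_identity(sig):
    """Identity the signature claims: the i= tag, defaulting to '@' + d=.
    Returns (local_part, domain)."""
    d = sig['d'].lower()
    i = sig.get('i', '@' + d).lower()
    local, _, domain = i.rpartition('@')
    return local, domain


def identity_errors(sig, key):
    """Signature-time checks made before any policy lookup (the part the
    thread locates in dkim_sig_process()). Returns a list of reasons the
    signature is invalid; an empty list means no identity error."""
    errors = []
    d = sig['d'].lower()
    _, idom = signer_identity(sig)
    # RFC 4871: the i= domain must be d= itself or a subdomain of it
    if idom != d and not idom.endswith('.' + d):
        errors.append('i= domain %s is not within d=%s' % (idom, d))
    # RFC 4871 key flag t=s: the i= domain must equal d= exactly, so a
    # key marked t=s can never vouch for a subdomain signature
    flags = key.get('t', '').split(':')
    if 's' in flags and idom != d:
        errors.append('key has t=s but i= domain %s is a subdomain of d=%s'
                      % (idom, d))
    return errors


def is_originator_signature(sig_header, key_record, from_header, crypto_ok=True):
    """Policy-time test: a valid originator signature is one that verified
    (crypto_ok and no identity errors, i.e. sig_error unset) and whose i=
    domain matches the domain of the From: address. No SSP query is needed
    when this passes. Returns (bool, reason)."""
    sig = parse_tags(sig_header)
    key = parse_tags(key_record)
    if not crypto_ok:
        return False, 'signature did not verify'
    errs = identity_errors(sig, key)
    if errs:
        return False, errs[0]
    _, from_addr = parseaddr(from_header)
    from_dom = from_addr.rpartition('@')[2].lower()
    _, idom = signer_identity(sig)
    if idom != from_dom:
        return False, ('i= domain %s does not match From: domain %s'
                       % (idom, from_dom))
    return True, 'valid originator signature'


if __name__ == '__main__':
    # Constructed sample inputs: a signature for a subdomain identity
    # verified against a key whose owner set t=s.
    sig = 'v=1; a=rsa-sha256; d=example.com; s=sel; i=@sub.example.com; b=AAA='
    key = 'v=DKIM1; t=s; p=MIGf...'
    print(is_originator_signature(sig, key, 'Alice <alice@sub.example.com>'))
```

The subdomain case fails on the key's t=s flag before the From: comparison is ever reached, which is the ordering the reply describes: the policy code only needs to honour sig_error, not re-check the key's t tag itself.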