commit 201f4fd: [Minor] Log key id on DKIM failures

Vsevolod Stakhov vsevolod at highsecure.ru
Wed Apr 8 15:28:06 UTC 2020


Author: Vsevolod Stakhov
Date: 2020-04-08 16:23:57 +0100
URL: https://github.com/rspamd/rspamd/commit/201f4fdeb20444ccf6dd5474d596cf6227badb37 (HEAD -> master)

[Minor] Log key id on DKIM failures

---
 src/libserver/dkim.c | 39 ++++++++++++++++++++++++++++++---------
 src/libserver/dkim.h |  7 +++++++
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 3c7b9530c..daa0c380f 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -146,20 +146,23 @@ struct rspamd_dkim_context_s {
 	const gchar *dkim_header;
 };
 
+#define RSPAMD_DKIM_KEY_ID_LEN 8
+
 struct rspamd_dkim_key_s {
 	guint8 *keydata;
 	gsize keylen;
 	gsize decoded_len;
-	guint ttl;
+	gchar key_id[RSPAMD_DKIM_KEY_ID_LEN];
 	union {
 		RSA *key_rsa;
 		EC_KEY *key_ecdsa;
 		guchar *key_eddsa;
 	} key;
-	enum rspamd_dkim_key_type type;
 	BIO *key_bio;
 	EVP_PKEY *key_evp;
 	time_t mtime;
+	guint ttl;
+	enum rspamd_dkim_key_type type;
 	ref_entry_t ref;
 };
 
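Review bot: `RSPAMD_DKIM_KEY_ID_LEN` is used as the size of the `key_id` buffer, terminator included, so the stored id can hold at most 7 characters, and nothing at the definition says so. A one-line comment would prevent a later off-by-one, for example `/* size of key_id including the trailing NUL, i.e. 7 id characters */`. The `ttl` and `type` fields are also moved in this struct; if that is deliberate packing, a short remark would help, since it is unrelated to the logging change.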
@@ -1289,6 +1292,8 @@ rspamd_dkim_make_key (const gchar *keydata,
 	key->keylen = keylen;
 	key->type = type;
 
+	rspamd_strlcpy (key->key_id, keydata, MIN (keylen, sizeof (key->key_id)));
+
 	rspamd_cryptobox_base64_decode (keydata, keylen, key->keydata,
 			&key->decoded_len);
 
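Review bot: The size passed to `rspamd_strlcpy` on the added line is `MIN (keylen, sizeof (key->key_id))`, but assuming strlcpy semantics that size counts the terminator, so a key shorter than the buffer loses its last character. With `keylen == 0` nothing may be written at all, which is harmless only if the struct is zero-allocated (not visible in this hunk). `MIN ((gsize)keylen + 1, sizeof (key->key_id))` keeps the copy bounded by both the source length and the destination size. The copy also runs before the base64 decode below it, whose return value is not checked in the visible lines, so the id may hold raw bytes from the DNS record rather than validated base64. Moving the copy after a checked decode would avoid putting unvalidated input into the log field. The function body starts and ends outside the hunk.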
@@ -1362,6 +1367,16 @@ rspamd_dkim_make_key (const gchar *keydata,
 	return key;
 }
 
+const gchar *
+rspamd_dkim_key_id (rspamd_dkim_key_t *key)
+{
+	if (key) {
+		return key->key_id;
+	}
+
+	return NULL;
+}
+
 /**
  * Free DKIM key
  * @param key
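Review bot: `rspamd_dkim_key_id` only reads through `key`, so the parameter can be const-qualified, `rspamd_dkim_key_id (const rspamd_dkim_key_t *key)`, with the same change in the dkim.h prototype. That lets callers holding a const key use the accessor and makes it clear that the call has no side effects on the key.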
@@ -2617,11 +2632,13 @@ rspamd_dkim_check (rspamd_dkim_context_t *ctx,
 
 			msg_info_dkim (
 					"%s: headers RSA verification failure; "
-					"body length %d->%d; headers length %d; d=%s; s=%s; orig header: %s",
+					"body length %d->%d; headers length %d; d=%s; s=%s; key=%s; orig header: %s",
 					rspamd_dkim_type_to_string (ctx->common.type),
 					(gint)(body_end - body_start), ctx->common.body_canonicalised,
 					ctx->common.headers_canonicalised,
-					ctx->domain, ctx->selector, ctx->dkim_header);
+					ctx->domain, ctx->selector,
+					rspamd_dkim_key_id (key),
+					ctx->dkim_header);
 		}
 		break;
 	case RSPAMD_DKIM_KEY_ECDSA:
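Review bot: The `key=%s` field added to this message will not tell RSA keys apart. The id is the first seven base64 characters of the record, and for RSA that is the encoded ASN.1 header, which is identical for every key of the same size (2048-bit keys all begin `MIIBIjA`). An operator correlating failures by key id, for instance to spot a rotated or substituted key, sees the same value for unrelated domains. Deriving the id in `rspamd_dkim_make_key` from a truncated, hex-encoded digest of the decoded key bytes would make the field meaningful. The ECDSA hunk below has the same issue, while raw Ed25519 keys do vary from the first character. The enclosing function starts and ends outside the hunk.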
@@ -2629,11 +2646,13 @@ rspamd_dkim_check (rspamd_dkim_context_t *ctx,
 				key->key.key_ecdsa) != 1) {
 			msg_info_dkim (
 					"%s: headers ECDSA verification failure; "
-					"body length %d->%d; headers length %d; d=%s; s=%s; orig header: %s",
+					"body length %d->%d; headers length %d; d=%s; s=%s; key=%s; orig header: %s",
 					rspamd_dkim_type_to_string (ctx->common.type),
 					(gint)(body_end - body_start), ctx->common.body_canonicalised,
 					ctx->common.headers_canonicalised,
-					ctx->domain, ctx->selector, ctx->dkim_header);
+					ctx->domain, ctx->selector,
+					rspamd_dkim_key_id (key),
+					ctx->dkim_header);
 			msg_debug_dkim ("headers ecdsa verify failed");
 			res->rcode = DKIM_REJECT;
 			res->fail_reason = "headers ecdsa verify failed";
@@ -2644,11 +2663,13 @@ rspamd_dkim_check (rspamd_dkim_context_t *ctx,
 				key->key.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519)) {
 			msg_info_dkim (
 					"%s: headers EDDSA verification failure; "
-					"body length %d->%d; headers length %d; d=%s; s=%s; orig header: %s",
+					"body length %d->%d; headers length %d; d=%s; s=%s; key=%s; orig header: %s",
 					rspamd_dkim_type_to_string (ctx->common.type),
 					(gint)(body_end - body_start), ctx->common.body_canonicalised,
 					ctx->common.headers_canonicalised,
-					ctx->domain, ctx->selector, ctx->dkim_header);
+					ctx->domain, ctx->selector,
+					rspamd_dkim_key_id (key),
+					ctx->dkim_header);
 			msg_debug_dkim ("headers eddsa verify failed");
 			res->rcode = DKIM_REJECT;
 			res->fail_reason = "headers eddsa verify failed";
@@ -2657,7 +2678,7 @@ rspamd_dkim_check (rspamd_dkim_context_t *ctx,
 	}
 
 
-	if (ctx->common.type == RSPAMD_DKIM_ARC_SEAL && res && res->rcode == DKIM_CONTINUE) {
+	if (ctx->common.type == RSPAMD_DKIM_ARC_SEAL && res->rcode == DKIM_CONTINUE) {
 		switch (ctx->cv) {
 		case RSPAMD_ARC_INVALID:
 			msg_info_dkim ("arc seal is invalid i=%d", ctx->common.idx);
diff --git a/src/libserver/dkim.h b/src/libserver/dkim.h
index adc68403a..6245dc512 100644
--- a/src/libserver/dkim.h
+++ b/src/libserver/dkim.h
@@ -268,6 +268,13 @@ rspamd_dkim_key_t *rspamd_dkim_make_key (const gchar *keydata, guint keylen,
 										 enum rspamd_dkim_key_type type,
 										 GError **err);
 
+/**
+ * Returns key id for dkim key (first 7 bytes of base64 representation)
+ * @param key
+ * @return
+ */
+const gchar *rspamd_dkim_key_id (rspamd_dkim_key_t *key);
+
 /**
  * Parse DKIM public key from a TXT record
  * @param txt
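Review bot: The new doc comment leaves `@param key` and `@return` empty, and does not say that the function returns NULL for a NULL key or that the returned string points into the key object. I would fill these in as `@param key key object, may be NULL` and `@return NUL-terminated id owned by the key (valid while the key is referenced), or NULL if key is NULL`. The phrase "first 7 bytes" also holds only for keys of at least seven characters, which is worth noting in the description.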

