diff options
| author |   gilles <gilles@openbsd.org> | 2019-09-29 10:03:49 +0000 |
|---|---|---|
| committer | gilles <gilles@openbsd.org> | 2019-09-29 10:03:49 +0000 |
| commit | 8cfe10406a9358b7d20a364c5f631b9f14506459 (patch) | |
| tree | c5305974790c334bc09355612591a5d57054c114 | |
| parent | Configure USB port power control if the power GPIO is defined in fdt. (diff) | |
| download | wireguard-openbsd-8cfe10406a9358b7d20a364c5f631b9f14506459.tar.xz wireguard-openbsd-8cfe10406a9358b7d20a364c5f631b9f14506459.zip | |
SRS uses base64 encoding for the checksum, however while this is ok when we
only have MTA in the loop, some implementations like Dovecot's LMTP dislike
finding '/' in an e-mail address. Since checksum is meant to be verified at
the MX that generated the SRS encoding, use alternate rfc354 base64 encode,
swapping '/' with '_' and '+' with '-'.
ok eric@ millert@
| -rw-r--r-- | usr.sbin/smtpd/smtpd.h | 4 | ||||
| -rw-r--r-- | usr.sbin/smtpd/srs.c | 16 | ||||
| -rw-r--r-- | usr.sbin/smtpd/util.c | 22 |
3 files changed, 32 insertions, 10 deletions
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h index 7ba6a472a19..ceefa269279 100644 --- a/usr.sbin/smtpd/smtpd.h +++ b/usr.sbin/smtpd/smtpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd.h,v 1.639 2019/09/20 17:46:05 gilles Exp $ */ +/* $OpenBSD: smtpd.h,v 1.640 2019/09/29 10:03:49 gilles Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -1708,6 +1708,8 @@ int session_socket_error(int); int getmailname(char *, size_t); int base64_encode(unsigned char const *, size_t, char *, size_t); int base64_decode(char const *, unsigned char *, size_t); +int base64_encode_rfc3548(unsigned char const *, size_t, + char *, size_t); void log_trace_verbose(int); void log_trace(int, const char *, ...) diff --git a/usr.sbin/smtpd/srs.c b/usr.sbin/smtpd/srs.c index dc34ae486b9..05737d8d9c9 100644 --- a/usr.sbin/smtpd/srs.c +++ b/usr.sbin/smtpd/srs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: srs.c,v 1.2 2019/09/21 06:40:48 semarie Exp $ */ +/* $OpenBSD: srs.c,v 1.3 2019/09/29 10:03:49 gilles Exp $ */ /* * Copyright (c) 2019 Gilles Chehade <gilles@poolp.org> @@ -125,7 +125,7 @@ srs0_encode(const char *sender, const char *rcpt_domain) return sender; /* compute HHHH */ - base64_encode(srs_hash(env->sc_srs_key, tmp), SHA_DIGEST_LENGTH, + base64_encode_rfc3548(srs_hash(env->sc_srs_key, tmp), SHA_DIGEST_LENGTH, md, sizeof md); /* prepend SRS0=HHHH= prefix */ @@ -157,7 +157,7 @@ srs1_encode_srs0(const char *sender, const char *rcpt_domain) return sender; /* compute HHHH */ - base64_encode(srs_hash(env->sc_srs_key, tmp), SHA_DIGEST_LENGTH, + base64_encode_rfc3548(srs_hash(env->sc_srs_key, tmp), SHA_DIGEST_LENGTH, md, sizeof md); /* prepend SRS1=HHHH= prefix */ @@ -196,7 +196,7 @@ srs1_encode_srs1(const char *sender, const char *rcpt_domain) return sender; /* compute HHHH */ - base64_encode(srs_hash(env->sc_srs_key, tmp + 5), SHA_DIGEST_LENGTH, + base64_encode_rfc3548(srs_hash(env->sc_srs_key, tmp + 5), SHA_DIGEST_LENGTH, md, sizeof md); /* prepend SRS1=HHHH= prefix skipping previous hops' HHHH */ @@ -234,14 +234,14 @@ srs0_decode(const char *rcpt) return NULL; /* compute checksum */ - base64_encode(srs_hash(env->sc_srs_key, rcpt+5), SHA_DIGEST_LENGTH, + base64_encode_rfc3548(srs_hash(env->sc_srs_key, rcpt+5), SHA_DIGEST_LENGTH, md, sizeof md); /* compare prefix checksum with computed checksum */ if (strncmp(md, rcpt, 4) != 0) { if (env->sc_srs_key_backup == NULL) return NULL; - base64_encode(srs_hash(env->sc_srs_key_backup, rcpt+5), + base64_encode_rfc3548(srs_hash(env->sc_srs_key_backup, rcpt+5), SHA_DIGEST_LENGTH, md, sizeof md); if (strncmp(md, rcpt, 4) != 0) return NULL; @@ -302,14 +302,14 @@ srs1_decode(const char *rcpt) return NULL; /* compute checksum */ - base64_encode(srs_hash(env->sc_srs_key, rcpt+5), SHA_DIGEST_LENGTH, + base64_encode_rfc3548(srs_hash(env->sc_srs_key, rcpt+5), SHA_DIGEST_LENGTH, md, sizeof md); /* compare prefix checksum with computed checksum */ if (strncmp(md, rcpt, 4) != 0) { if (env->sc_srs_key_backup == NULL) return NULL; - base64_encode(srs_hash(env->sc_srs_key_backup, rcpt+5), + base64_encode_rfc3548(srs_hash(env->sc_srs_key_backup, rcpt+5), SHA_DIGEST_LENGTH, md, sizeof md); if (strncmp(md, rcpt, 4) != 0) return NULL; diff --git a/usr.sbin/smtpd/util.c b/usr.sbin/smtpd/util.c index fff0f774aee..2138d1a480f 100644 --- a/usr.sbin/smtpd/util.c +++ b/usr.sbin/smtpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.147 2019/08/28 19:46:20 eric Exp $ */ +/* $OpenBSD: util.c,v 1.148 2019/09/29 10:03:49 gilles Exp $ */ /* * Copyright (c) 2000,2001 Markus Friedl. All rights reserved. @@ -860,6 +860,26 @@ base64_decode(char const *src, unsigned char *dest, size_t destsize) return __b64_pton(src, dest, destsize); } +int +base64_encode_rfc3548(unsigned char const *src, size_t srclen, + char *dest, size_t destsize) +{ + size_t i; + int ret; + + if ((ret = base64_encode(src, srclen, dest, destsize)) == -1) + return -1; + + for (i = 0; i < destsize; ++i) { + if (dest[i] == '/') + dest[i] = '_'; + else if (dest[i] == '+') + dest[i] = '-'; + } + + return ret; +} + void log_trace(int mask, const char *emsg, ...) { |