Re: injected body trailers
From: Kees Cook <hidden>
Date: 2021-10-21 21:22:32

On Thu, Oct 21, 2021 at 04:44:59PM -0400, Konstantin Ryabitsev wrote:
> On Thu, Oct 21, 2021 at 01:22:31PM -0700, Kees Cook wrote:
> > Hi!
> >
> > So, I just saw a DKIM failure, and it was entirely justified. :)
> >
> > Grabbing thread from lore.kernel.org/all/20211021142516.1843042-1-ardb%40kernel.org/t.mbox.gz
> > Checking for newer revisions on https://lore.kernel.org/all/
> > Analyzing 1 messages in the thread
> > Checking attestation on all messages, may take a moment...
> > ---
> >   ✓ [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector
> >     ✓ Signed: openpgp/ardb@kernel.org
>
> You will notice that the openpgp signature passed. This is because we:
>
> 1. record the length of the original message when we're creating the
>    signature (see l=2495 in X-Developer-Signature)
> 2. if the initial validation fails and the body is longer than l=2495, we
>    trim the body to that number of bytes
> 3. if the trimmed validation passes, we use that version for the patch body
>    content, since that's clearly what the developer intended

I suspected something like this was happening to make that one pass. Nice.

> >     ✗ BADSIG: DKIM/kernel.org
> >     ✓ Signed: DKIM/lists.infradead.org (From: ardb@kernel.org)
> > ---
> >
> > This is https://lore.kernel.org/all/20211021142516.1843042-1-ardb@kernel.org/
> > (local) and for some reason, the linux-arm-kernel mailing list is injecting
> > a body trailer.
>
> "For some reason" is really "that's the default for mailman-2". Mailman-2
> belongs to a wholly different era and *can* be configured to be DKIM
> compliant, but rarely is.
>
> > I just downloaded this directly and removed the trailer, and the DKIM
> > passed.
> >
> > This experience has raised a few questions...
> >
> > 1) Can (should) b4 grow logic to progressively strip lines off the end of
> >    a body until DKIM passes?
>
> Ah, but then the lists.infradead.org DKIM will fail. Theoretically, we should
> always prioritize the signature that is closest aligned with the From: header,
> but that's not actually that straightforward, as DNS lookup and validation
> rules can get really complex.

Could each signature validation independently process the body, with the smallest signed body being what is "produced"? i.e. GPG already self-trims. DKIM could do the same, trying to find a matching body i.e. on failure (slow path), trying trimming up to 10(?) lines progressively looking for a match? (Probably better is to just fix the mailing lists, but maybe this would be useful for historical patch extraction? Dunno.)

> > 2) Can the linux-arm-kernel mailing list please stop breaking DKIM? Who
> >    should authorize this change (rmk, Catalin)? And who can make the change
> >    (peterz)?
>
> The relevant settings should be a) don't add any subject prefixes, b) don't
> add anything to the body trailers, c) don't rewrite any other headers (to, cc,
> reply-to, etc).

rmk, Catalin, Peter, can this get sorted out? Having mailing list trailers is annoying beyond just DKIM breakage. :)

> > (I realize now that all the mail from linux-arm-kernel has been getting
> > dropped into my Spam folder -- I normally don't notice since I'm usually
> > CCed directly or via some other list on things I wanted to see.)
> >
> > 3) Are there other lists for which lore is collecting emails where DKIM is
> >    persistently broken, and can we fix those lists too?
>
> I would also note that lists.infradead.org should not really be adding its own
> DKIM signature to messages it sends out. It doesn't really serve any purpose
> unless the From: header is rewritten (but please don't do that either).

-Kees

--
Kees Cook
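
Added example, not part of the original message and not code from b4 or patatt: a sketch of the two recovery paths discussed in the thread, trimming a body to its recorded `l=` length and, where no length was recorded, stripping up to ten trailing lines. It checks only a DKIM-style SHA-256 body hash as a stand-in for full signature verification; the function names, the sample body and the use of RFC 6376 "simple" canonicalization are assumptions made for the illustration.

```python
import base64
import hashlib

# Mailman-style body trailer for the list discussed in the thread (sample input).
TRAILER = (b"_______________________________________________\n"
           b"linux-arm-kernel mailing list\n"
           b"linux-arm-kernel@lists.infradead.org\n"
           b"http://lists.infradead.org/mailman/listinfo/linux-arm-kernel\n")

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 "simple" body canonicalization: CRLF endings, trailing empty lines dropped."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines) or b"\r\n"

def body_hash(canon: bytes) -> str:
    """Base64 SHA-256 of the canonical body, the form a bh= tag carries."""
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def recover_signed_body(body, bh, length=None, max_strip=10):
    """Return (covered_bytes, method), or (None, "fail") if nothing matches bh."""
    canon = canon_simple(body)
    if body_hash(canon) == bh:
        return canon, "as-is"
    # Recorded length available: cut the body to l= bytes and check again.
    if length is not None and len(canon) > length:
        if body_hash(canon[:length]) == bh:
            return canon[:length], "trimmed-to-l"
    # No usable l=: drop trailing lines one at a time, bounded by max_strip.
    lines = canon.split(b"\r\n")[:-1]
    for n in range(1, min(max_strip, len(lines)) + 1):
        candidate = canon_simple(b"\n".join(lines[:-n]))
        if body_hash(candidate) == bh:
            return candidate, f"stripped-{n}-lines"
    return None, "fail"

# Constructed sample: what the sender signed, and what the list delivered.
SIGNED = b"constructed patch body, line one\nconstructed patch body, line two\n"
BH, L = body_hash(canon_simple(SIGNED)), len(canon_simple(SIGNED))
DELIVERED = SIGNED + TRAILER

if __name__ == "__main__":
    print(recover_signed_body(DELIVERED, BH, length=L)[1])
    print(recover_signed_body(DELIVERED, BH)[1])
    print(recover_signed_body(DELIVERED.replace(b"one", b"0ne"), BH, length=L)[1])
```

Both paths return only the bytes the hash covers, so appended list content never reaches the extracted patch body, and a changed body fails on either path.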