dkimsign.cpp

Go to the documentation of this file.

/*****************************************************************************
*  Copyright 2005 Alt-N Technologies, Ltd.
*
*  Licensed under the Apache License, Version 2.0 (the "License");
*  you may not use this file except in compliance with the License.
*  You may obtain a copy of the License at
*
*      http://www.apache.org/licenses/LICENSE-2.0
*
*  This code incorporates intellectual property owned by Yahoo! and licensed
*  pursuant to the Yahoo! DomainKeys Patent License Agreement.
*
*  Unless required by applicable law or agreed to in writing, software
*  distributed under the License is distributed on an "AS IS" BASIS,
*  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*  See the License for the specific language governing permissions and
*  limitations under the License.
*
*  Changes done by ¢feh@fehcom.de obeying the above license
*
*****************************************************************************/
 
#define _strnicmp strncasecmp
#define _stricmp strcasecmp
#define LOWORD(l) ((unsigned)(l) & 0xffff)
#define HIWORD(l) ((unsigned)(l) >> 16)
 
#include <string.h>
#include <map>
 
#include "dkim.h"
#include "dkimsign.h"
 
/*****************************************************************************
*
* Generating Ed25519 signed message:
*
* 1. RSA SHA1/SHA256 signatures are generated in streaming mode together with
*    their hashes. Two different 'contexts' (ctx) are used here:
*    m_Hdr_shaXctx      => Used for signing (EVP_Sign...) -- covering the header only
*    m_[B,E]dy_shaXctx  => Used for hashing (EVP_Digest..) -- covering the body only
*
* 2. Private keys
*    For hybrid signing we need two distinct keys:
*    - RSAKey
*    - ECCKey
*    These private keys needs to be passed concurrently to the signature functions.
*    Given those keys, the signature operation itself is executed in one step.
*
* 3. Public keys
*    The 'public keys' need to be deployed in the DNS:
*    - The RSA public key is DER-header enriched base64-encoded; thus is 9 byte larger
*      than the 'naked' public key, which size depends on the given parameters. 
*    - The Ed25519 public key is also base64-encoded with a constant length of 60 byte.
*
* 4. DKIM message preparation scheme 
*    According to RFC 6376 Sec. 3.7, we have a conducted hash for
*    - the previously available headers in the message; 
*      selected and given in order by h=...,
*    - any existing DKIM signature fields b=...,
*    - except for previous added 'X-Authentication ...' header fields,
*    - and all (new) synthezised DKIM header tokens; except of course for the 
*      signature itself - treated as 'null string': b="".
*    All this is subject of canonicalization (adding/removing CRLF, whitespaces ...).
+    As a result, the input for further calculations depends on this order given.
*
*    Results following the 'preparation scheme':
*    -  The message body hash is included in the DKIM header   => bh=[m_[B,E]dy_shaXctx].
*    -  The message signature (including the result of bh=...) =>  b=[m_Hdr_shaXctx]
*
*    We consider SHA256 as default hash function and SHA1 as exception (on demand).
*
* 5. Generating (ECC) signatures
*    According to RFC 8032 Sect 4., we have two possible Ed25519 signature schemes:
*
*    a) PureEd25519, as a one shot signature calculation swallowing the 
*       complete message and employing a shortened SHA-512 hash input.
*    b) HashEd25519 working again in 'streaming mode' and permitting a choice 
*        for the hash function - which is in RFC 8463 - defined to be SHA-256.
*
*    RFC 8463 in Sect 3 is a bit ambiguous about the signing function:
*    Ed25519-256 vs. PureEd25519. 
*    In fact (after consulting John Levine), it is PureEd25519.
*
*    In order to allow parallel RSA/Ed25519 processing, we need to generate:
*    m_Hdr_sha256ctx  => Used for RSA signatures
*    m_Bdy_sha256ctx  => The SHA256 hash of selected header parts and body (RSA)
*    m_Edy_sha256ctx  => The SHA256 hash of selected header parts and body (Ed25519)
*    m_Hdr_ed25519ctx => The signature of the messsage header using PureEd25519
*                        following the 'preparation' scheme
*
*    Now, two cryptographic informations are provided in the header:
*    bh=[m_Edy_sha256ctx]  => The SHA256 digest of the message (BodyHash),
*     b=[m_Hdr_ed25519ctx] => The PureED25519 signature.
*                             including the value of bh=... (EmailSignature)
*                             having a length of 512 bits => 64 bytes.
*
* 6. Hybrid signatures (RSA and Ed25519)
*    They involve 
*    m_Hdr_sha256ctx  => Used for RSA signatures
*    m_Hdr_ed25519ctx => PureED25519 signature
*    m_Bdy_sha256ctx  => SHA256 digest of the message (BodyHash) for RSA
*    m_Edy_sha256ctx  => SHA256 digest of the message (BodyHash) for Ed25519
*
*    The EVP_DigestFinal routine has to be replaced by EVP_DigestFinal_ex.
*    However; after the first call, its content seems to be garbeled.
*    A common MD for both RSA and Ed2551 seems to be infeasible.
*
* ------
*
* The particular function and variable names chosen here do not obviously match 
* what they are intended to do. However, in order to keep traceablility of the 
* changes, I left those untouched.
*    
*****************************************************************************/
 
CDKIMSign::CDKIMSign()
{
  m_EmptyLineCount = 0;
  m_pfnHdrCallback = NULL;
 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
   EVP_SignInit(&m_Hdr_sha1ctx,EVP_sha1());
   EVP_SignInit(&m_Hdr_sha256ctx,EVP_sha256());
   EVP_DigestInit(&m_Bdy_sha1ctx,EVP_sha1());
   EVP_DigestInit(&m_Bdy_sha256ctx,EVP_sha256());
#else
  m_Hdr_sha1ctx = EVP_MD_CTX_create();
  EVP_SignInit_ex(m_Hdr_sha1ctx,EVP_sha1(),NULL);
 
  m_Hdr_sha256ctx = EVP_MD_CTX_create();
  EVP_SignInit_ex(m_Hdr_sha256ctx,EVP_sha256(),NULL);
 
  m_Bdy_sha1ctx = EVP_MD_CTX_create();
  EVP_DigestInit_ex(m_Bdy_sha1ctx,EVP_sha1(),NULL);
 
  m_Bdy_sha256ctx = EVP_MD_CTX_create();
  EVP_DigestInit_ex(m_Bdy_sha256ctx,EVP_sha256(),NULL);
 
  m_Hdr_ed25519ctx = EVP_MD_CTX_create();
 
  m_Edy_sha256ctx = EVP_MD_CTX_create();
  EVP_DigestInit_ex(m_Edy_sha256ctx,EVP_sha256(),NULL);
#endif
}
 
CDKIMSign::~CDKIMSign()
{
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
   EVP_MD_CTX_cleanup(&m_Hdr_sha1ctx);
   EVP_MD_CTX_cleanup(&m_Hdr_sha256ctx);
   EVP_MD_CTX_cleanup(&m_Bdy_sha1ctx);
   EVP_MD_CTX_cleanup(&m_Bdy_sha256ctx);
#else
   EVP_MD_CTX_free(m_Hdr_sha1ctx);
   EVP_MD_CTX_free(m_Hdr_sha256ctx);
   EVP_MD_CTX_free(m_Hdr_ed25519ctx);
   EVP_MD_CTX_free(m_Bdy_sha1ctx);
   EVP_MD_CTX_free(m_Bdy_sha256ctx);
   EVP_MD_CTX_free(m_Edy_sha256ctx);
#endif
}
 
// 
// Init - save the options
//
int CDKIMSign::Init(DKIMSignOptions* pOptions)
{
  int nRet = CDKIMBase::Init();
 
  m_Canon = pOptions->nCanon;
 
  // as of draft 01, these are the only allowed signing types:
  if ((m_Canon != DKIM_SIGN_SIMPLE_RELAXED) && 
      (m_Canon != DKIM_SIGN_RELAXED) && 
      (m_Canon != DKIM_SIGN_RELAXED_SIMPLE)) {
    m_Canon = DKIM_SIGN_SIMPLE;
  }
 
  sSelector.assign(pOptions->szSelector);
  eSelector.assign(pOptions->szSelectorE);
 
  m_pfnHdrCallback = pOptions->pfnHeaderCallback;
 
  sDomain.assign(pOptions->szDomain);
 
  m_IncludeBodyLengthTag = (pOptions->nIncludeBodyLengthTag != 0);
 
  m_nBodyLength = 0;
 
  m_ExpireTime = pOptions->expireTime;
 
  sIdentity.assign(pOptions->szIdentity);
 
  m_nIncludeTimeStamp = pOptions->nIncludeTimeStamp;
  m_nIncludeQueryMethod = pOptions->nIncludeQueryMethod;
  m_nIncludeCopiedHeaders = pOptions->nIncludeCopiedHeaders;
 
  // NOTE: the following line is not backwards compatible with MD 8.0.3
  // because the szRequiredHeaders member was added after the release
  //sRequiredHeaders.assign(pOptions->szRequiredHeaders);
 
  //make sure there is a colon after the last header in the list
  if ((sRequiredHeaders.size() > 0) && 
       sRequiredHeaders.at(sRequiredHeaders.size() - 1) != ':') {
    sRequiredHeaders.append(":");
  }
 
  m_nHash = pOptions->nHash;
  m_bReturnedSigAssembled = false;
  m_sCopiedHeaders.erase();
 
  // Initializes ED25519 header fields SigHdrs
#if ((OPENSSL_VERSION_NUMBER > 0x10101000L))
  SigHdrs.assign("");
  m_SigHdrs = 0;
#endif
 
  return nRet;
}
 
// 
// Hash - update the hash
//
void CDKIMSign::Hash(const char *szBuffer,int nBufLength,bool bHdr)
{
 
  if (bHdr) {                                    /* Generate signature: b=... */
    if ((m_nHash == DKIM_HASH_SHA1) || 
        (m_nHash == DKIM_HASH_SHA1_AND_SHA256))
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_SignUpdate(&m_Hdr_sha1ctx,szBuffer,nBufLength);
#else  
      EVP_SignUpdate(m_Hdr_sha1ctx,szBuffer,nBufLength);
#endif
    if ((m_nHash == DKIM_HASH_SHA256) || 
        (m_nHash == DKIM_HASH_SHA1_AND_SHA256) ||
        (m_nHash == DKIM_HASH_RSA256_AND_ED25519)) 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_SignUpdate(&m_Hdr_sha256ctx,szBuffer,nBufLength);
#else  
      EVP_SignUpdate(m_Hdr_sha256ctx,szBuffer,nBufLength);
#endif
#if ((OPENSSL_VERSION_NUMBER > 0x10101000L))
    if ((m_nHash == DKIM_HASH_ED25519) ||
        (m_nHash == DKIM_HASH_RSA256_AND_ED25519)) {
      SigHdrs.append(szBuffer,nBufLength);
      m_SigHdrs += nBufLength;
    }
#endif
  } else {                                       /* lets go for body hash values: bh=... (either SHA1 or SHA256) */
    if ((m_nHash == DKIM_HASH_SHA1) || 
        (m_nHash == DKIM_HASH_SHA1_AND_SHA256)) 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_DigestUpdate(&m_Bdy_sha1ctx,szBuffer,nBufLength);
#else  
      EVP_DigestUpdate(m_Bdy_sha1ctx,szBuffer,nBufLength);
#endif
    if (m_nHash != DKIM_HASH_SHA1)
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_DigestUpdate(&m_Bdy_sha256ctx,szBuffer,nBufLength);
#else
      EVP_DigestUpdate(m_Bdy_sha256ctx,szBuffer,nBufLength);
#endif
#if ((OPENSSL_VERSION_NUMBER > 0x10101000L))
    if ((m_nHash == DKIM_HASH_ED25519) ||
        (m_nHash == DKIM_HASH_RSA256_AND_ED25519))
      EVP_DigestUpdate(m_Edy_sha256ctx,szBuffer,nBufLength);
#endif
  }
}
 
// 
// SignThisTag - return boolean whether or not to sign this tag
//
bool CDKIMSign::SignThisTag(const string& sTag)
{
  bool bRet = true;
 
  if (_strnicmp(sTag.c_str(),"X-",2) == 0 || 
      _stricmp(sTag.c_str(),"Authentication-Results:") == 0 ||
      _stricmp(sTag.c_str(),"Return-Path:") == 0) {
    bRet = false;
  }
 
  return bRet;
}
 
bool ConvertHeaderToQuotedPrintable(const char* source, char* dest)
{
  bool bConvert = false;
 
  // do quoted printable
  static unsigned char hexchars[16] = {'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};
 
  unsigned char *d = (unsigned char*)dest;
  for (const unsigned char *s = (const unsigned char *)source; *s != '\0'; s++)
  {
    if (*s >= 33 && *s <= 126 && *s != '=' && *s != ':' && *s != ';' && *s != '|') {
      *d++ = *s;
    } else {
      bConvert = true;
      *d++ = '=';
      *d++ = hexchars[*s >> 4];
      *d++ = hexchars[*s & 15];
    }
  }
  *d = '\0';
 
  return bConvert;
}
 
// 
// GetHeaderParams - Extract any needed header parameters
//
void CDKIMSign::GetHeaderParams(const string &sHdr)
{
  if (_strnicmp(sHdr.c_str(),"X",1) == 0) return;
  if (_strnicmp(sHdr.c_str(),"From:",5) == 0) { sFrom.assign(sHdr.c_str() + 5); }
  if (_strnicmp(sHdr.c_str(),"Sender:",7) == 0) { sSender.assign(sHdr.c_str() + 7); }  
 
  if (m_nIncludeCopiedHeaders) {
    string::size_type pos = sHdr.find(':');
 
    if (pos != string::npos) {
      string sTag, sValue;
      char *workBuffer = new char[sHdr.size() * 3 + 1];
 
      sTag.assign(sHdr.substr(0,pos));
      sValue.assign(sHdr.substr(pos + 1,string::npos));
 
      ConvertHeaderToQuotedPrintable(sTag.c_str(),workBuffer);
      if (!m_sCopiedHeaders.empty()) { m_sCopiedHeaders.append("|"); }
      m_sCopiedHeaders.append(workBuffer); m_sCopiedHeaders.append(":");
      ConvertHeaderToQuotedPrintable(sValue.c_str(),workBuffer);
      m_sCopiedHeaders.append(workBuffer);
 
      delete[] workBuffer;
    }
  }
}
 
// 
// ProcessHeaders - sign headers and save needed parameters (this is a lie)
//
int CDKIMSign::ProcessHeaders(void)
{
  map<string,list<string>::reverse_iterator> IterMap;
  map<string,list<string>::reverse_iterator>::iterator IterMapIter;
  list<string>::reverse_iterator riter;
  list<string>::iterator iter;
  string sTag;
  bool bFromHeaderFound = false;
 
  // walk the header list
  for (iter = HeaderList.begin(); iter != HeaderList.end(); iter++) {
    sTag.assign(*iter);
 
    // look for a colon
    string::size_type pos = sTag.find(':');
 
    if (pos != string::npos) {
      int nSignThisTag = 1;
 
      // hack off anything past the colon
      sTag.erase(pos + 1,string::npos);
 
      // is this the From: header?
      if (_stricmp(sTag.c_str(),"From:") == 0) {
        bFromHeaderFound = true;
        nSignThisTag = 1;
        IsRequiredHeader(sTag);  // remove from required header list
      }
      // is this in the list of headers that must be signed?
      else if (IsRequiredHeader(sTag)) {
        nSignThisTag = 1;
      }
      else {
        if(m_pfnHdrCallback) {
          nSignThisTag = m_pfnHdrCallback(iter->c_str());
        } else {
          nSignThisTag = SignThisTag(sTag) ? 1 : 0;
        }
      }
 
      // save header parameters
      GetHeaderParams(*iter);
 
      if (nSignThisTag > 0) {
        // add this tag to h=
        hParam.append(sTag);
 
        IterMapIter = IterMap.find(sTag);
 
        riter = (IterMapIter == IterMap.end()) ? HeaderList.rbegin() : IterMapIter->second;
 
        // walk the list in reverse looking for the last instance of this header
        while (riter != HeaderList.rend()) {
          if (_strnicmp(riter->c_str(),sTag.c_str(),sTag.size()) == 0) {
            ProcessHeader(*riter);
 
            // save the reverse iterator position for this tag
            riter++;
            IterMap[sTag] = riter;
            break;
          }
          riter++;
        } 
      }
    }
  }
 
  if(!bFromHeaderFound) {
    string sFrom("From:");
    hParam.append(sFrom);
    IsRequiredHeader(sFrom); // remove from required header list
//    Hash("\r\n",2);
  }
 
  hParam.append(sRequiredHeaders);
 
//  string::size_type end = sRequiredHeaders.find(':');
//  while (end != string::npos)
//  {
//    Hash("\r\n",2);
//    end = sRequiredHeaders.find(':', end+1);
//  }
 
  // remove the last colon from h=
  if (hParam.at(hParam.size() - 1) == ':')
    hParam.erase(hParam.size() - 1,string::npos);
 
  return DKIM_SUCCESS;
}
 
void CDKIMSign::ProcessHeader(const string &sHdr)
{
  switch (HIWORD(m_Canon)) {
    case DKIM_CANON_SIMPLE:
      Hash(sHdr.c_str(),sHdr.size(),true);
      Hash("\r\n",2,true);
      break;
 
  case DKIM_CANON_NOWSP: {
      string sTemp = sHdr;
      RemoveSWSP(sTemp);
 
      // convert characters before ':' to lower case
      for (char *s = (char*)sTemp.c_str(); *s != '\0' && *s != ':'; s++) {
        if (*s >= 'A' && *s <= 'Z')
          *s += 'a' - 'A';
      }
 
      Hash(sTemp.c_str(),sTemp.size(),true);
      Hash("\r\n",2,true);
    }
    break;
 
  case DKIM_CANON_RELAXED: {
      string sTemp = RelaxHeader(sHdr);
      Hash(sTemp.c_str(),sTemp.length(),true);
      Hash("\r\n",2,true);
    }
    break;  
  }
}
 
int CDKIMSign::ProcessBody(char *szBuffer,int nBufLength,bool bEOF)
{
  switch(LOWORD(m_Canon)) {
    case DKIM_CANON_SIMPLE:
      if (nBufLength > 0) {
        while (m_EmptyLineCount > 0) {
          Hash("\r\n",2,false);
          m_nBodyLength += 2;
          m_EmptyLineCount--;
        }
        Hash(szBuffer,nBufLength,false);
        Hash("\r\n",2,false);
        m_nBodyLength += nBufLength + 2;
      } else {
        m_EmptyLineCount++;
        if (bEOF) {
          Hash("\r\n",2,false);
          m_nBodyLength += 2;
        }
      }
      break;
    case DKIM_CANON_NOWSP:
      RemoveSWSP(szBuffer,nBufLength);
      if (nBufLength > 0) {
        Hash(szBuffer,nBufLength,false);
        m_nBodyLength += nBufLength;
      }
      break;
    case DKIM_CANON_RELAXED:
      CompressSWSP(szBuffer,nBufLength);
      if (nBufLength > 0) {
        while (m_EmptyLineCount > 0) {
          Hash("\r\n",2,false);
          m_nBodyLength += 2;
          m_EmptyLineCount--;
        }
        Hash(szBuffer,nBufLength,false);
        m_nBodyLength += nBufLength;
        if (!bEOF) {
          Hash("\r\n",2,false);
          m_nBodyLength += 2;
        }
      } else
        m_EmptyLineCount++;
      break;
  }
 
  return DKIM_SUCCESS;
}
 
bool CDKIMSign::ParseFromAddress(void)
{
  string::size_type pos;
  string sAddress;
 
  if (!sFrom.empty()) {
    sAddress.assign(sFrom);
  } else if (!sSender.empty()) {
    sAddress.assign(sSender);
  } else {
    return false;
  }
 
  // simple for now, beef it up later
 
  // remove '<' and anything before it
  pos = sAddress.find('<');
  if(pos != string::npos)
    sAddress.erase(0,pos);
 
  // remove '>' and anything after it
  pos = sAddress.find('>');
  if (pos != string::npos)
    sAddress.erase(pos,string::npos);
 
  // look for '@' symbol
  pos = sAddress.find('@');
  if (pos == string::npos)
    return false;
 
  if (sDomain.empty()) {
    sDomain.assign (sAddress.c_str() + pos + 1);
    RemoveSWSP(sDomain);
  }
 
  return true;
}
 
// 
// InitSig - initialize signature folding algorithm
//
void CDKIMSign::InitSig(void)
{
  m_sSig.reserve(1024);
  m_sSig.assign("DKIM-Signature:");
  m_nSigPos = m_sSig.size();
}
 
// 
// AddTagToSig - add tag and value to signature folding if necessary
//               if bFold, fold at cbrk char
//
void CDKIMSign::AddTagToSig(const char* const Tag,const string &sValue,char cbrk,bool bFold)
{
  int nTagLen = strlen(Tag);
 
  AddInterTagSpace((!bFold) ? sValue.size() + nTagLen + 2 : nTagLen + 2);
 
  m_sSig.append(Tag);
  m_sSig.append("=");
  m_nSigPos += 1 + nTagLen;
 
  if (!bFold) {
    m_sSig.append(sValue);
    m_nSigPos += sValue.size();
  } else {
    AddFoldedValueToSig(sValue,cbrk);
  }
  m_sSig.append(";");
  m_nSigPos++;
}
 
// 
// AddTagToSig - add tag and numeric value to signature folding if necessary
//
void CDKIMSign::AddTagToSig(const char* const Tag,unsigned long nValue)
{
  char szValue[64];
  sprintf(szValue,"%lu",nValue);
  AddTagToSig(Tag,szValue,0,false);
}
 
// 
// AddInterTagSpace - add space or fold here
//
void CDKIMSign::AddInterTagSpace(int nSizeOfNextTag)
{
  if (m_nSigPos + nSizeOfNextTag + 1 > OptimalHeaderLineLength) {
//    m_sSig.append("\r\n\t");
    m_sSig.append("\r\n  ");  /* s/qmail style */
    m_nSigPos = 1; 
  } else {
    m_sSig.append(" ");
    m_nSigPos++;
  }
}
 
// 
// AddTagToSig - add value to signature folding if necessary
//               if cbrk == 0 fold anywhere, otherwise fold only at cbrk
//
void CDKIMSign::AddFoldedValueToSig(const string &sValue,char cbrk)
{
  string::size_type pos = 0;
 
  if (cbrk == 0) {
    // fold anywhere
    while (pos < sValue.size()) {
      string::size_type len = OptimalHeaderLineLength - m_nSigPos;
      if (len > sValue.size() - pos)
        len = sValue.size() - pos;
      m_sSig.append(sValue.substr(pos,len));
      m_nSigPos += len;
      pos += len;
 
      if (pos < sValue.size()) {
//        m_sSig.append("\r\n\t");
        m_sSig.append("\r\n  ");   /* s/qmail style */
        m_nSigPos = 1;
      }
    }
  } else {
    // fold only at cbrk
    while (pos < sValue.size()) {
      string::size_type len = OptimalHeaderLineLength - m_nSigPos;
      string::size_type brkpos;
 
      if (sValue.size() - pos < len) {
        brkpos = sValue.size();
      } else {
        brkpos = sValue.rfind(cbrk,pos + len);
      }
 
      if (brkpos == string::npos || brkpos < pos) {
        brkpos = sValue.find(cbrk,pos);
        if (brkpos == string::npos) {
          brkpos = sValue.size();
        }
      }
 
      len = brkpos - pos + 1;
 
      m_sSig.append(sValue.substr(pos,len));
 
      m_nSigPos += len;
      pos += len;
 
      if (pos < sValue.size()) {
//        m_sSig.append("\r\n\t");
        m_sSig.append("\r\n  ");   /* s/qmail style */
        m_nSigPos = 1;
      }
    }
  }
}
 
// 
// GetSig - compute hash and return signature header in szSignature
//
int CDKIMSign::GetSig2(char* szRSAKey,char* szECCKey,char** pszSignature)
{
  if (szRSAKey == NULL && szECCKey == NULL) {
    return DKIM_BAD_PRIVATE_KEY;
  }
 
  if (pszSignature == NULL) {
    return DKIM_BUFFER_TOO_SMALL;
  }
 
  int nRet = AssembleReturnedSig(szRSAKey,szECCKey);
 
  if (nRet != DKIM_SUCCESS)
    return nRet;
 
  *pszSignature = (char*)m_sReturnedSig.c_str();
 
  return DKIM_SUCCESS;
}
 
 
// 
// IsRequiredHeader - Check if header in required list. If so, delete
//                    header from list.
//
bool CDKIMSign::IsRequiredHeader(const string& sTag)
{
  string::size_type start = 0;
  string::size_type end = sRequiredHeaders.find(':');
 
  while (end != string::npos) {
    // check for a zero-length header
    if(start == end) {
      sRequiredHeaders.erase(start,1);
    } else {
      if (_stricmp(sTag.c_str(),sRequiredHeaders.substr(start,end - start + 1).c_str()) == 0) {
        sRequiredHeaders.erase(start,end - start + 1);
        return true;
      } else {
        start = end + 1;
      }
    }
 
    end = sRequiredHeaders.find(':',start);
  }
 
  return false;
}
// 
// ConstructSignature
//
//  Here, we don't construct the 'signature' but rather the DKIM header
//  multiply and indidually crafted for each distinct nSigAlg method
// 
//  nSigAlg: DKIM_HASH_SHA1, DKIM_HASH_SHA256, DKIM_HASH_ED25519
//
int CDKIMSign::ConstructSignature(char* szPrivKey,int nSigAlg)
{
  string sSignedSig;
  unsigned char* sig;
  EVP_PKEY *pkey = 0;
  BIO *bio, *b64;
  unsigned int siglen;
  int size;
  int len;
  char* buf;
  int nSignRet;
 
  /* construct the DKIM-Signature: header and add to hash */
  InitSig();
 
  AddTagToSig("v","1",0,false); 
 
  switch (nSigAlg) {
    case DKIM_HASH_SHA1: 
      AddTagToSig("a","rsa-sha1",0,false); break;
    case DKIM_HASH_SHA256: 
      AddTagToSig("a","rsa-sha256",0,false); break;
    case DKIM_HASH_ED25519: 
      AddTagToSig("a","ed25519-sha256",0,false); break;
  }
 
  switch (m_Canon) {
    case DKIM_SIGN_SIMPLE:
      AddTagToSig("c","simple/simple",0,false); break;
    case DKIM_SIGN_SIMPLE_RELAXED:
      AddTagToSig("c","simple/relaxed",0,false); break;
    case DKIM_SIGN_RELAXED:
      AddTagToSig("c","relaxed/relaxed",0,false); break;
    case DKIM_SIGN_RELAXED_SIMPLE:
      AddTagToSig("c","relaxed/simple",0,false); break;
  }
 
  AddTagToSig("d",sDomain,0,false);
  if (nSigAlg == DKIM_HASH_ED25519)
    AddTagToSig("s",eSelector,0,false);
  else
    AddTagToSig("s",sSelector,0,false);
  if (m_IncludeBodyLengthTag) { AddTagToSig("l",m_nBodyLength); }
  if (m_nIncludeTimeStamp != 0) { time_t t; time(&t); AddTagToSig("t",t); }
  if (m_ExpireTime != 0) { AddTagToSig("x",m_ExpireTime); }
  if (!sIdentity.empty()) { AddTagToSig("i",sIdentity,0,false); }
  if (m_nIncludeQueryMethod) { AddTagToSig("q","dns/txt",0,false); }
 
  AddTagToSig("h",hParam,':',true); // copied headers follow the ':'
  if (m_nIncludeCopiedHeaders) { AddTagToSig("z",m_sCopiedHeaders,0,true); }
 
  /* Set up context for (body) hash */
 
  unsigned char Hash[4096];
  unsigned int nHashLen = 0;
 
  switch (nSigAlg) {
    case DKIM_HASH_SHA1: 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_DigestFinal(&m_Bdy_sha1ctx,Hash,&nHashLen); break;
#else
      EVP_DigestFinal_ex(m_Bdy_sha1ctx,Hash,&nHashLen); break;
#endif
    case DKIM_HASH_SHA256: 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_DigestFinal(&m_Bdy_sha256ctx,Hash,&nHashLen); break;
#else
      EVP_DigestFinal_ex(m_Bdy_sha256ctx,Hash,&nHashLen); break;
#endif
#if (OPENSSL_VERSION_NUMBER > 0x10101000L) 
    case DKIM_HASH_ED25519: 
      EVP_DigestFinal_ex(m_Edy_sha256ctx,Hash,&nHashLen); break;
#endif
  }
 
  bio = BIO_new(BIO_s_mem());
  if (!bio) return DKIM_OUT_OF_MEMORY; 
    
  b64 = BIO_new(BIO_f_base64());
  if (!b64) {
    BIO_free(bio);
    return DKIM_OUT_OF_MEMORY;
  }
  BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
  BIO_push(b64,bio);
  if (BIO_write(b64,Hash,nHashLen) < (int)nHashLen) {
    BIO_free_all(b64);
    return DKIM_OUT_OF_MEMORY;
  }
  BIO_flush(b64);
 
  len = nHashLen * 2;
  buf = new char[len];
 
  if (buf == NULL) {
    BIO_free_all(b64);
    return DKIM_OUT_OF_MEMORY;
  }
 
  size = BIO_read(bio,buf,len);
  BIO_free_all(b64);
 
  // this should never happen
  if (size >= len) {
     delete[] buf;
     return DKIM_OUT_OF_MEMORY;  
  }
 
  buf[size] = '\0';
  AddTagToSig("bh",buf,0,true);
  delete[] buf;
 
  AddInterTagSpace(3);
 
  m_sSig.append("b=");
  m_nSigPos += 2;
 
  // Force a full copy - no reference copies please
  sSignedSig.assign(m_sSig.c_str());
 
  // note that since we're not calling hash here, need to dump this
  // to the debug file if you want the full canonical form
 
  string sTemp;
 
  if (HIWORD(m_Canon) == DKIM_CANON_RELAXED) {
    sTemp = RelaxHeader(sSignedSig);
  } else {
    sTemp = sSignedSig.c_str();
  }
 
  /* Update streaming signatures */
 
  switch (nSigAlg) {
    case DKIM_HASH_SHA1: 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_SignUpdate(&m_Hdr_sha1ctx,sTemp.c_str(),sTemp.size()); break;
#else
      EVP_SignUpdate(m_Hdr_sha1ctx,sTemp.c_str(),sTemp.size()); break;
#endif
    case DKIM_HASH_SHA256: 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      EVP_SignUpdate(&m_Hdr_sha256ctx,sTemp.c_str(),sTemp.size()); break;
#else
      EVP_SignUpdate(m_Hdr_sha256ctx,sTemp.c_str(),sTemp.size()); break;
#endif
#if ((OPENSSL_VERSION_NUMBER > 0x10101000L))
    case DKIM_HASH_ED25519: 
      SigHdrs.append(sTemp.c_str(),sTemp.size());
      m_SigHdrs += sTemp.size(); break;
#endif
  }
 
  bio = BIO_new_mem_buf(szPrivKey, -1);
  if (bio == NULL) return DKIM_OUT_OF_MEMORY;
 
  pkey = PEM_read_bio_PrivateKey(bio,NULL,NULL,NULL);  // FIXME - done
  BIO_free(bio);
 
  if (!pkey) { return DKIM_BAD_PRIVATE_KEY; }
  siglen = EVP_PKEY_size(pkey);
 
  sig = (unsigned char*) OPENSSL_malloc(siglen);
  if (sig == NULL) {
    EVP_PKEY_free(pkey);
    return DKIM_OUT_OF_MEMORY;
  }
 
  /* Finish streaming signature and potentially go for Ed25519 signatures */
 
  size_t sig_len;
  unsigned char* SignMsg;
 
  switch (nSigAlg) {
    case DKIM_HASH_SHA1: 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      nSignRet = EVP_SignFinal(&m_Hdr_sha1ctx,sig,&siglen,pkey); break;
#else
      nSignRet = EVP_SignFinal(m_Hdr_sha1ctx,sig,&siglen,pkey); break;
#endif
    case DKIM_HASH_SHA256: 
#if ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER > 0 && LIBRESSL_VERSION_NUMBER < 0x20700000L))
      nSignRet = EVP_SignFinal(&m_Hdr_sha256ctx,sig,&siglen,pkey); break;
#else
      nSignRet = EVP_SignFinal(m_Hdr_sha256ctx,sig,&siglen,pkey); break;
#endif
#if (OPENSSL_VERSION_NUMBER > 0x10101000L) 
    case DKIM_HASH_ED25519: 
      EVP_DigestSignInit(m_Hdr_ed25519ctx,NULL,NULL,NULL,pkey);
      SignMsg = (unsigned char*) SigHdrs.c_str(); 
      EVP_DigestSign(m_Hdr_ed25519ctx,NULL,&sig_len,SignMsg,m_SigHdrs);
      sig = (unsigned char*) OPENSSL_malloc(sig_len);
      nSignRet = EVP_DigestSign(m_Hdr_ed25519ctx,sig,&sig_len,SignMsg,m_SigHdrs); 
      siglen = (unsigned int) sig_len; break;
#endif
  }
  EVP_PKEY_free(pkey);
 
  if (!nSignRet) {
    OPENSSL_free(sig);
    return DKIM_BAD_PRIVATE_KEY; // key too small
  }
 
  bio = BIO_new(BIO_s_mem());
  if (!bio) {
    return DKIM_OUT_OF_MEMORY; 
  }
 
  b64 = BIO_new(BIO_f_base64());
  if (!b64) {
    BIO_free(bio);
    return DKIM_OUT_OF_MEMORY;
  }
 
  BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
  BIO_push(b64,bio);
 
  if (BIO_write(b64,sig,siglen) < (int) siglen) {
    OPENSSL_free(sig);
    BIO_free_all(b64);
    return DKIM_OUT_OF_MEMORY;
  }
  BIO_flush(b64);
  OPENSSL_free(sig);
 
  len = siglen * 2;
  buf = new char[len];
 
  if (buf == NULL) {
    BIO_free_all(b64);
    return DKIM_OUT_OF_MEMORY;
  }
 
  size = BIO_read(bio,buf,len);
  BIO_free_all(b64);
 
  // this should never happen
  if (size >= len) {
    delete[] buf;
    return DKIM_OUT_OF_MEMORY;  
  }
 
  buf[size] = '\0';
  AddFoldedValueToSig(buf,0);
  delete[] buf;
  return DKIM_SUCCESS;
}
 
// 
// AssembleReturnSig
//
//  calls ConstructSignature 
//  for all different hashes and signature key files
//
int CDKIMSign::AssembleReturnedSig(char* szRSAKey,char* szECCKey)
{
  int nRet;
 
  if (m_bReturnedSigAssembled)
    return DKIM_SUCCESS;
 
  ProcessFinal();
 
  if (ParseFromAddress() == false) {
    return DKIM_NO_SENDER;
  }
 
  string ed25519Sig, sha256Sig, sha1Sig;
 
  if ((m_nHash == DKIM_HASH_ED25519) ||
      (m_nHash == DKIM_HASH_RSA256_AND_ED25519)) {
    nRet = ConstructSignature(szECCKey,DKIM_HASH_ED25519);
    if (nRet == DKIM_SUCCESS) {
      ed25519Sig.assign(m_sSig);
    } else {
      return nRet;
     }
  }
 
  if ((m_nHash == DKIM_HASH_SHA256) || 
      (m_nHash == DKIM_HASH_SHA1_AND_SHA256) ||
      (m_nHash == DKIM_HASH_RSA256_AND_ED25519)) {
    nRet = ConstructSignature(szRSAKey,DKIM_HASH_SHA256);
    if (nRet == DKIM_SUCCESS) {
      sha256Sig.assign(m_sSig);
    } else {
      return nRet;
     }
  }
 
  if ((m_nHash == DKIM_HASH_SHA1) || 
      (m_nHash == DKIM_HASH_SHA1_AND_SHA256)) {
    nRet = ConstructSignature(szRSAKey,DKIM_HASH_SHA1);
    if (nRet == DKIM_SUCCESS) {
      sha1Sig.assign(m_sSig);
    } else {
      return nRet;
    }
  }
 
//  fclose(fpdebug);
//  fpdebug = NULL;
 
  if (!ed25519Sig.empty()) {
/*    if (!m_sReturnedSig.empty()) {
      m_sReturnedSig.append("\r\n");
    }
    */
    m_sReturnedSig.assign(ed25519Sig);
  }
 
  if (!sha1Sig.empty()) {
    if (!m_sReturnedSig.empty()) {
      m_sReturnedSig.append("\r\n");
    }
    m_sReturnedSig.append(sha1Sig);
  }
 
  if (!sha256Sig.empty()) {
    if (!m_sReturnedSig.empty()) {
      m_sReturnedSig.append("\r\n");
    }
    m_sReturnedSig.append(sha256Sig);
  }
 
  m_bReturnedSigAssembled = true;
  return DKIM_SUCCESS;
}