add parser of Authentication-Results, and fix bugs it found in our generated headers

we weren't always quoting the values, like dkim's header.b=abc/def. the "/" requires that the value be quoted.
2025-07-12 17:04:39 +03:00 · 2024-03-13 17:35:53 +01:00
parent b91480b5af
commit 2c9cb5b847
4 changed files with 674 additions and 16 deletions
--- a/message/authresults.go
+++ b/message/authresults.go
@ -2,6 +2,9 @@ package message

 import (
 	"fmt"
+	"strings"
+
+	"github.com/mjl-/mox/dns"
 )

 // ../rfc/8601:577
@ -9,8 +12,11 @@ import (
 // Authentication-Results header, see RFC 8601.
 type AuthResults struct {
 	Hostname string
-	Comment  string // If not empty, header comment without "()", added after Hostname.
-	Methods  []AuthMethod
+	// Optional version of Authentication-Results header, assumed "1" when absent,
+	// which is common.
+	Version string
+	Comment string       // If not empty, header comment without "()", added after Hostname.
+	Methods []AuthMethod // Can be empty, in case of "none".
 }

 // ../rfc/8601:598
@ -21,6 +27,7 @@ type AuthResults struct {
 type AuthMethod struct {
 	// E.g. "dkim", "spf", "iprev", "auth".
 	Method  string
+	Version string // For optional method version. "1" is implied when missing, which is common.
 	Result  string // Each method has a set of known values, e.g. "pass", "temperror", etc.
 	Comment string // Optional, message header comment.
 	Reason  string // Optional.
@ -64,7 +71,7 @@ func (h AuthResults) Header() string {
 	}

 	w := &HeaderWriter{}
-	w.Add("", "Authentication-Results:"+optComment(h.Comment)+" "+value(h.Hostname)+";")
+	w.Add("", "Authentication-Results:"+optComment(h.Comment)+" "+value(h.Hostname, false)+";")
 	for i, m := range h.Methods {
 		w.Newline()

@ -78,13 +85,10 @@ func (h AuthResults) Header() string {
 			addf("(%s)", m.Comment)
 		}
 		if m.Reason != "" {
-			addf("reason=%s", value(m.Reason))
+			addf("reason=%s", value(m.Reason, false))
 		}
 		for _, p := range m.Props {
-			v := p.Value
-			if !p.IsAddrLike {
-				v = value(v)
-			}
+			v := value(p.Value, p.IsAddrLike)
 			addf("%s.%s=%s%s", p.Type, p.Property, v, optComment(p.Comment))
 		}
 		for j, t := range tokens {
@ -101,11 +105,12 @@ func (h AuthResults) Header() string {
 	return w.String()
 }

-func value(s string) string {
+func value(s string, isAddrLike bool) string {
 	quote := s == ""
 	for _, c := range s {
 		// utf-8 does not have to be quoted. ../rfc/6532:242
-		if c == '"' || c == '\\' || c <= ' ' || c == 0x7f {
+		// Characters outside of tokens do. ../rfc/2045:661
+		if c <= ' ' || c == 0x7f || (c == '@' && !isAddrLike) || strings.ContainsRune(`()<>,;:\\"/[]?= `, c) {
 			quote = true
 			break
 		}
@ -123,3 +128,351 @@ func value(s string) string {
 	r += `"`
 	return r
 }
+
+// ParseAuthResults parses a Authentication-Results header value.
+//
+// Comments are not populated in the returned AuthResults.
+// Both crlf and lf line-endings are accepted. The input string must end with
+// either crlf or lf.
+func ParseAuthResults(s string) (ar AuthResults, err error) {
+	// ../rfc/8601:577
+	lower := make([]byte, len(s))
+	for i, c := range []byte(s) {
+		if c >= 'A' && c <= 'Z' {
+			c += 'a' - 'A'
+		}
+		lower[i] = c
+	}
+	p := &parser{s: s, lower: string(lower)}
+	defer p.recover(&err)
+
+	p.cfws()
+	ar.Hostname = p.xvalue()
+	p.cfws()
+	ar.Version = p.digits()
+	p.cfws()
+	for {
+		p.xtake(";")
+		p.cfws()
+		// Yahoo has ";" at the end of the header value, incorrect.
+		if !Pedantic && p.end() {
+			break
+		}
+		method := p.xkeyword(false)
+		p.cfws()
+		if method == "none" {
+			if len(ar.Methods) == 0 {
+				p.xerrorf("missing results")
+			}
+			if !p.end() {
+				p.xerrorf(`data after "none" result`)
+			}
+			return
+		}
+		ar.Methods = append(ar.Methods, p.xresinfo(method))
+		p.cfws()
+		if p.end() {
+			break
+		}
+	}
+	return
+}
+
+type parser struct {
+	s     string
+	lower string // Like s, but with ascii characters lower-cased (utf-8 offsets preserved).
+	o     int
+}
+
+type parseError struct{ err error }
+
+func (p *parser) recover(err *error) {
+	x := recover()
+	if x == nil {
+		return
+	}
+	perr, ok := x.(parseError)
+	if ok {
+		*err = perr.err
+		return
+	}
+	panic(x)
+}
+
+func (p *parser) xerrorf(format string, args ...any) {
+	panic(parseError{fmt.Errorf(format, args...)})
+}
+
+func (p *parser) end() bool {
+	return p.s[p.o:] == "\r\n" || p.s[p.o:] == "\n"
+}
+
+// ../rfc/5322:599
+func (p *parser) cfws() {
+	p.fws()
+	for p.prefix("(") {
+		p.xcomment()
+	}
+	p.fws()
+}
+
+func (p *parser) fws() {
+	for p.take(" ") || p.take("\t") {
+	}
+	opts := []string{"\n ", "\n\t", "\r\n ", "\r\n\t"}
+	for _, o := range opts {
+		if p.take(o) {
+			break
+		}
+	}
+	for p.take(" ") || p.take("\t") {
+	}
+}
+
+func (p *parser) xcomment() {
+	p.xtake("(")
+	p.fws()
+	for !p.take(")") {
+		if p.empty() {
+			p.xerrorf("unexpected end in comment")
+		}
+		if p.prefix("(") {
+			p.xcomment()
+			p.fws()
+			continue
+		}
+		p.take(`\`)
+		if c := p.s[p.o]; c > ' ' && c < 0x7f {
+			p.o++
+		} else {
+			p.xerrorf("bad character %c in comment", c)
+		}
+		p.fws()
+	}
+}
+
+func (p *parser) prefix(s string) bool {
+	return strings.HasPrefix(p.lower[p.o:], s)
+}
+
+func (p *parser) xvalue() string {
+	if p.prefix(`"`) {
+		return p.xquotedString()
+	}
+	return p.xtakefn1("value token", func(c rune, i int) bool {
+		// ../rfc/2045:661
+		// todo: token cannot contain utf-8? not updated in ../rfc/6532. however, we also use it for the localpart & domain parsing, so we'll allow it.
+		return c > ' ' && !strings.ContainsRune(`()<>@,;:\\"/[]?= `, c)
+	})
+}
+
+func (p *parser) xchar() rune {
+	// We are careful to track invalid utf-8 properly.
+	if p.empty() {
+		p.xerrorf("need another character")
+	}
+	var r rune
+	var o int
+	for i, c := range p.s[p.o:] {
+		if i > 0 {
+			o = i
+			break
+		}
+		r = c
+	}
+	if o == 0 {
+		p.o = len(p.s)
+	} else {
+		p.o += o
+	}
+	return r
+}
+
+func (p *parser) xquotedString() string {
+	p.xtake(`"`)
+	var s string
+	var esc bool
+	for {
+		c := p.xchar()
+		if esc {
+			if c >= ' ' && c < 0x7f {
+				s += string(c)
+				esc = false
+				continue
+			}
+			p.xerrorf("bad escaped char %c in quoted string", c)
+		}
+		if c == '\\' {
+			esc = true
+			continue
+		}
+		if c == '"' {
+			return s
+		}
+		if c >= ' ' && c != '\\' && c != '"' {
+			s += string(c)
+			continue
+		}
+		p.xerrorf("invalid quoted string, invalid character %c", c)
+	}
+}
+
+func (p *parser) digits() string {
+	o := p.o
+	for o < len(p.s) && p.s[o] >= '0' && p.s[o] <= '9' {
+		o++
+	}
+	p.o = o
+	return p.s[o:p.o]
+}
+
+func (p *parser) xdigits() string {
+	s := p.digits()
+	if s == "" {
+		p.xerrorf("expected digits, remaining %q", p.s[p.o:])
+	}
+	return s
+}
+
+func (p *parser) xtake(s string) {
+	if !p.prefix(s) {
+		p.xerrorf("expected %q, remaining %q", s, p.s[p.o:])
+	}
+	p.o += len(s)
+}
+
+func (p *parser) empty() bool {
+	return p.o >= len(p.s)
+}
+
+func (p *parser) take(s string) bool {
+	if p.prefix(s) {
+		p.o += len(s)
+		return true
+	}
+	return false
+}
+
+func (p *parser) xtakefn1(what string, fn func(c rune, i int) bool) string {
+	if p.empty() {
+		p.xerrorf("need at least one char for %s", what)
+	}
+	for i, c := range p.s[p.o:] {
+		if !fn(c, i) {
+			if i == 0 {
+				p.xerrorf("expected at least one char for %s, remaining %q", what, p.s[p.o:])
+			}
+			s := p.s[p.o : p.o+i]
+			p.o += i
+			return s
+		}
+	}
+	s := p.s[p.o:]
+	p.o = len(p.s)
+	return s
+}
+
+// ../rfc/5321:2287
+func (p *parser) xkeyword(isResult bool) string {
+	s := strings.ToLower(p.xtakefn1("keyword", func(c rune, i int) bool {
+		// Yahoo sends results like "dkim=perm_fail".
+		return c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-' || isResult && !Pedantic && c == '_'
+	}))
+	if s == "-" {
+		p.xerrorf("missing keyword")
+	} else if strings.HasSuffix(s, "-") {
+		p.o--
+		s = s[:len(s)-1]
+	}
+	return s
+}
+
+func (p *parser) xmethodspec(methodKeyword string) (string, string, string) {
+	p.cfws()
+	var methodDigits string
+	if p.take("/") {
+		methodDigits = p.xdigits()
+		p.cfws()
+	}
+	p.xtake("=")
+	p.cfws()
+	result := p.xkeyword(true)
+	return methodKeyword, methodDigits, result
+}
+
+func (p *parser) xpropspec() (ap AuthProp) {
+	ap.Type = p.xkeyword(false)
+	p.cfws()
+	p.xtake(".")
+	p.cfws()
+	if p.take("mailfrom") {
+		ap.Property = "mailfrom"
+	} else if p.take("rcptto") {
+		ap.Property = "rcptto"
+	} else {
+		ap.Property = p.xkeyword(false)
+	}
+	p.cfws()
+	p.xtake("=")
+	ap.IsAddrLike, ap.Value = p.xpvalue()
+	return
+}
+
+// method keyword has been parsed, method-version not yet.
+func (p *parser) xresinfo(methodKeyword string) (am AuthMethod) {
+	p.cfws()
+	am.Method, am.Version, am.Result = p.xmethodspec(methodKeyword)
+	p.cfws()
+	if p.take("reason") {
+		p.cfws()
+		am.Reason = p.xvalue()
+	}
+	p.cfws()
+	for !p.prefix(";") && !p.end() {
+		am.Props = append(am.Props, p.xpropspec())
+		p.cfws()
+	}
+	return
+}
+
+// todo: could keep track whether this is a localpart.
+func (p *parser) xpvalue() (bool, string) {
+	p.cfws()
+	if p.take("@") {
+		// Bare domain.
+		dom, _ := p.xdomain()
+		return true, "@" + dom
+	}
+	s := p.xvalue()
+	if p.take("@") {
+		dom, _ := p.xdomain()
+		s += "@" + dom
+		return true, s
+	}
+	return false, s
+}
+
+// ../rfc/5321:2291
+func (p *parser) xdomain() (string, dns.Domain) {
+	s := p.xsubdomain()
+	for p.take(".") {
+		s += "." + p.xsubdomain()
+	}
+	d, err := dns.ParseDomain(s)
+	if err != nil {
+		p.xerrorf("parsing domain name %q: %s", s, err)
+	}
+	if len(s) > 255 {
+		// ../rfc/5321:3491
+		p.xerrorf("domain longer than 255 octets")
+	}
+	return s, d
+}
+
+// ../rfc/5321:2303
+// ../rfc/5321:2303 ../rfc/6531:411
+func (p *parser) xsubdomain() string {
+	return p.xtakefn1("subdomain", func(c rune, i int) bool {
+		return c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || i > 0 && c == '-' || c > 0x7f
+	})
+}