Mirrors/go-chasquid-smtp
1
0
Fork 0
mirror of https://blitiri.com.ar/repos/chasquid synced 2025-12-18 14:47:03 +00:00
Code Releases Activity

sts: Reject policies with max_age > 1y, as per RFC

Browse Source 
The MTA-STS standard explicitly says the maximum max_age is 1 year.

This patch adds a check to the STS library to enforce this. Policies
with max_age > 1y will be treated as invalid.

See this email thread for some discussion on the topic:
https://mailarchive.ietf.org/arch/msg/uta/bnUjy9jxM_Va-lDXVtbB32zIkYI
This commit is contained in:
Alberto Bertogli
2019-08-31 01:03:24 +01:00
parent 0f487e5fb5
commit f63e5bf0b2
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/sts/sts.go
View File

@@ -125,7 +125,11 @@ func (p *Policy) Check() error {
if p.Version != "STSv1" { if p.Version != "STSv1" {
return ErrUnknownVersion return ErrUnknownVersion
} }
if p.MaxAge <= 0 {
// A 0 max age is invalid (could also represent an Atoi error), and so is
// one greater than 31557600 (1 year), as per
// https://tools.ietf.org/html/rfc8461#section-3.2.
if p.MaxAge <= 0 || p.MaxAge > 31557600*time.Second {
return ErrInvalidMaxAge return ErrInvalidMaxAge
} }

4
internal/sts/sts_test.go
View File

@@ -98,6 +98,8 @@ func TestCheckPolicy(t *testing.T) {
MXs: []string{"mx1"}}, MXs: []string{"mx1"}},
{Version: "STSv1", Mode: "none", MaxAge: 1 * time.Hour, {Version: "STSv1", Mode: "none", MaxAge: 1 * time.Hour,
MXs: []string{"mx1"}}, MXs: []string{"mx1"}},
{Version: "STSv1", Mode: "none", MaxAge: 31557600 * time.Second,
MXs: []string{"mx1"}},
} }
for i, p := range validPs { for i, p := range validPs {
if err := p.Check(); err != nil { if err := p.Check(); err != nil {
@@ -111,6 +113,8 @@ func TestCheckPolicy(t *testing.T) {
}{ }{
{Policy{Version: "STSv2"}, ErrUnknownVersion}, {Policy{Version: "STSv2"}, ErrUnknownVersion},
{Policy{Version: "STSv1"}, ErrInvalidMaxAge}, {Policy{Version: "STSv1"}, ErrInvalidMaxAge},
{Policy{Version: "STSv1", MaxAge: 31557601 * time.Second},
ErrInvalidMaxAge},
{Policy{Version: "STSv1", MaxAge: 1, Mode: "blah"}, ErrInvalidMode}, {Policy{Version: "STSv1", MaxAge: 1, Mode: "blah"}, ErrInvalidMode},
{Policy{Version: "STSv1", MaxAge: 1, Mode: "enforce"}, ErrInvalidMX}, {Policy{Version: "STSv1", MaxAge: 1, Mode: "enforce"}, ErrInvalidMX},
{Policy{Version: "STSv1", MaxAge: 1, Mode: "enforce", MXs: []string{}}, {Policy{Version: "STSv1", MaxAge: 1, Mode: "enforce", MXs: []string{}},