Merge branch '2.x' into backport-5x-2x-favicons-and-signrules-2025-01-02

chrome/content/options_advanced.xul

@@ -39,8 +39,11 @@
 		<preference id="pref_error.algorithm.rsa.weakKeyLength.treatAs"
 		            name="extensions.dkim_verifier.error.algorithm.rsa.weakKeyLength.treatAs"
 		            type="int"/>
+		<preference id="pref_error.sanitizeSubject"
+		            name="extensions.dkim_verifier.error.sanitizeSubject"
+		            type="bool"/>
 	</preferences>
-	
+
 	<checkbox preference="pref_debug" label="&debug.label;"/>
 	<checkbox preference="pref_error.detailedReasons" label="&error.detailedReasons.label;"/>
 	<checkbox preference="pref_error.key_testmode.ignore"
@@ -51,6 +54,8 @@
 	          label="&arh.replaceAddonResult.label;"/>
 	<checkbox preference="pref_arh.relaxedParsing"
 	          label="&arh.relaxedParsing.label;"/>
+	<checkbox preference="pref_error.sanitizeSubject"
+	          label="&error.sanitizeSubject.label;"/>
 	<hbox align="center">
 		<label>&error.illformed_i.treatAs.label;</label>
 		<menulist preference="pref_error.illformed_i.treatAs">

chrome/locale/de/dkim.properties

@@ -105,3 +105,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_AUID	= Absender passt nicht zur Benutzeridentität
 
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Kopfzeile '%S' ist nicht signiert
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Der Betreff wurde verändert: '%S'

chrome/locale/de/options.dtd

@@ -102,3 +102,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Tolerant">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Empfohlen">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Streng">
+
+<!ENTITY error.sanitizeSubject.label "Versuche Ergänzungen im Betreff zu korrigieren">

chrome/locale/en-US/dkim.properties

@@ -105,3 +105,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_AUID	= From does not match the user identifier
 
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Header '%S' is not signed
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Subject was modified: '%S'

chrome/locale/en-US/options.dtd

@@ -102,3 +102,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Relaxed">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Recommended">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Strict">
+
+<!ENTITY error.sanitizeSubject.label "Try to remove amendments in the subject">

chrome/locale/fr/dkim.properties

@@ -105,3 +105,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_AUID	= L'expéditeur ne correspond pas avec l'identi
 
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Header '%S' is not signed
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Subject was modified: '%S'

chrome/locale/fr/options.dtd

@@ -102,3 +102,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Relaxed">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Recommended">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Strict">
+
+<!ENTITY error.sanitizeSubject.label "Try to remove amendments in the subject">

chrome/locale/hu/dkim.properties

@@ -105,3 +105,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_AUID	= A feladó nem egyezik a felhasználói azonos
 
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Header '%S' is not signed
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Subject was modified: '%S'

chrome/locale/hu/options.dtd

@@ -102,3 +102,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Relaxed">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Recommended">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Strict">
+
+<!ENTITY error.sanitizeSubject.label "Try to remove amendments in the subject">

chrome/locale/it/dkim.properties

@@ -105,3 +105,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_AUID	= Il mittente non corrisponde all’identificat
 
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Header '%S' is not signed
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Subject was modified: '%S'

chrome/locale/it/options.dtd

@@ -102,3 +102,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Relaxed">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Recommended">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Strict">
+
+<!ENTITY error.sanitizeSubject.label "Try to remove amendments in the subject">

chrome/locale/ja-JP/dkim.properties

@@ -105,3 +105,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_AUID	= 差出人がユーザ識別子とマッチし
 
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Header '%S' is not signed
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Subject was modified: '%S'

chrome/locale/ja-JP/options.dtd

@@ -102,3 +102,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Relaxed">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Recommended">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Strict">
+
+<!ENTITY error.sanitizeSubject.label "Try to remove amendments in the subject">

chrome/locale/zh-CN/dkim.properties

@@ -100,3 +100,5 @@ DKIM_SIGWARNING_FROM_NOT_IN_SDID=From 不在签名域中
 DKIM_SIGWARNING_FROM_NOT_IN_AUID=From 不匹配用户标识符
 # DKIM_SIGWARNING - POLICY
 DKIM_SIGWARNING_UNSIGNED_HEADER = Header '%S' is not signed
+
+DKIM_SIGERROR_SUBJECT_MODIFIED	= Subject was modified: '%S'

chrome/locale/zh-CN/options.dtd

@@ -81,3 +81,5 @@
 <!ENTITY policy.unsigned_header.mode.value.0.label "Relaxed">
 <!ENTITY policy.unsigned_header.mode.value.1.label "Recommended">
 <!ENTITY policy.unsigned_header.mode.value.2.label "Strict">
+
+<!ENTITY error.sanitizeSubject.label "Try to remove amendments in the subject">

chrome/skin/global/msgHdrViewOverlay.css

@@ -18,14 +18,26 @@
   display: none;
 }
 
+#expandeddkim-verifierBox[spf="true"]  [anonid="spf"] {
+  display: contents;
+}
+
 #expandeddkim-verifierBox:not([dmarc="true"])  [anonid="dmarc"] {
   display: none;
 }
 
+#expandeddkim-verifierBox[dmarc="true"]  [anonid="dmarc"] {
+  display: contents;
+}
+
 #expandeddkim-verifierBox:not([arhDkim="true"])  [anonid="arhDkim"] {
   display: none;
 }
 
+#expandeddkim-verifierBox[arhDkim="true"]  [anonid="arhDkim"] {
+  display: contents;
+}
+
 mail-multi-emailHeaderField {
   -moz-binding: url("chrome://dkim_verifier/content/bindings.xml#dkim-mail-multi-emailHeaderField") !important;
 }

defaults/preferences/prefs.js

@@ -64,7 +64,7 @@ pref("extensions.dkim_verifier.policy.DMARC.shouldBeSigned.neededPolicy", "none"
 
 pref("extensions.dkim_verifier.display.favicon.show", true);
 
-/* 
+/*
  * Mode to handle headers, which should be signed, but are not
  * 10  relaxed
  * 20  recommended
@@ -145,7 +145,7 @@ pref("extensions.dkim_verifier.error.key_testmode.ignore", false);
 pref("extensions.dkim_verifier.error.contentTypeCharsetAddedQuotes.treatAs", 0);
 pref("extensions.dkim_verifier.error.algorithm.sign.rsa-sha1.treatAs", 1);
 pref("extensions.dkim_verifier.error.algorithm.rsa.weakKeyLength.treatAs", 2);
-
+pref("extensions.dkim_verifier.error.sanitizeSubject", false);
 
 ////////////////////////////////////////////////////////////////////////////////
 // account specific options

modules/dkimVerifier.jsm.js

@@ -1102,7 +1102,8 @@ var Verifier = (function() {
 			if (recDateTimeStart === -1) {
 				log.warn("Could not find the date time in the Received header: "+receivedHeaders[0]);
 			} else {
-				const recDateTimeStr = receivedHeaders[0].substring(recDateTimeStart + 1);
+				// Trim all surrounding whitespace to avoid parsing problems.
+				const recDateTimeStr = receivedHeaders[0].substring(recDateTimeStart + 1).trim();
 				receivedTime = new Date(recDateTimeStr);
 				if (receivedTime.toString() === "Invalid Date") {
 					log.warn("Could not parse the date time in the Received header");
@@ -1209,30 +1210,61 @@ var Verifier = (function() {
 
 		var isValid = verifyFunction(DKIMSignature.DKIMKey.p, headerHashInput, DKIMSignature.a_hash,
 			DKIMSignature.b, DKIMSignature.warnings, keyInfo);
-		if (!isValid) {
-			if (prefs.getIntPref("error.contentTypeCharsetAddedQuotes.treatAs") > 0) {
-				log.debug("Try with removed quotes in Content-Type charset.");
-				msg.headerFields.get("content-type")[0] =
-					msg.headerFields.get("content-type")[0].
-					replace(/charset="([^"]+)"/i,	"charset=$1");
+
+		if (!isValid && prefs.getIntPref("error.contentTypeCharsetAddedQuotes.treatAs") > 0) {
+			log.debug("Try with removed quotes in Content-Type charset.");
+			const contentTypeField = msg.headerFields.get("content-type")[0];
+			const sanitizedContentTypeField = contentTypeField.replace(/charset="([^"]+)"/i, "charset=$1");
+
+			if (contentTypeField !== sanitizedContentTypeField) {
+				msg.headerFields.get("content-type")[0] = sanitizedContentTypeField;
 				// Compute the input for the header hash
 				headerHashInput = computeHeaderHashInput(msg,DKIMSignature);
 				log.debug("Header hash input:\n" + headerHashInput);
 				// verify Signature
 				keyInfo = {};
 				isValid = verifyFunction(DKIMSignature.DKIMKey.p, headerHashInput,
 						DKIMSignature.a_hash, DKIMSignature.b, DKIMSignature.warnings, keyInfo);
-
-				if (!isValid) {
-					throw new DKIM_SigError("DKIM_SIGERROR_BADSIG");
-				} else if (prefs.getIntPref("error.contentTypeCharsetAddedQuotes.treatAs") === 1) {
+				if (prefs.getIntPref("error.contentTypeCharsetAddedQuotes.treatAs") === 1) {
 					DKIMSignature.warnings.push({name: "DKIM_SIGERROR_CONTENT_TYPE_CHARSET_ADDED_QUOTES"});
 					log.debug("Warning: DKIM_SIGERROR_CONTENT_TYPE_CHARSET_ADDED_QUOTES");
 				}
 			} else {
-				throw new DKIM_SigError("DKIM_SIGERROR_BADSIG");
+				log.debug("Nothing changed, no need to reverify...");
 			}
 		}
+		if (!isValid && prefs.getBoolPref("error.sanitizeSubject")) {
+			log.debug("Trying to sanitize the subject header field");
+			const subjectField = msg.headerFields.get("subject")[0];
+			const sanitizeRegexp = /(Subject:\s)(?:\*|\[).+(?:\*|\])\s(.*)/;
+			const sanitizedSubject = subjectField.replace(sanitizeRegexp, "$2").trim();
+			const sanitizedSubjectField = subjectField.replace(sanitizeRegexp, "$1$2");
+
+			if (subjectField !== sanitizedSubjectField) {
+				msg.headerFields.get("subject")[0] = sanitizedSubjectField;
+				// Compute the input for the header hash
+				headerHashInput = computeHeaderHashInput(msg,DKIMSignature);
+				log.debug("Header hash input:\n" + headerHashInput);
+				// verify Signature
+				keyInfo = {};
+				isValid = verifyFunction(DKIMSignature.DKIMKey.p, headerHashInput,
+						DKIMSignature.a_hash, DKIMSignature.b, DKIMSignature.warnings, keyInfo);
+				if (isValid) {
+					// Adding a warning, that the subject was changed
+					DKIMSignature.warnings.push({ name: "DKIM_SIGERROR_SUBJECT_MODIFIED", params: [sanitizedSubject] });
+					log.debug("Sanitized subject: " + sanitizedSubject);
+				} else {
+					// Restoring the original subject field
+					msg.headerFields.get("subject")[0] = subjectField;
+				}
+			} else {
+				log.debug("Nothing changed, no need to reverify...");
+			}
+		}
+
+		if (!isValid) {
+			throw new DKIM_SigError("DKIM_SIGERROR_BADSIG");
+		}
 
 		if (DKIMSignature.a_sig !== DKIMSignature.DKIMKey.k) {
 			throw new DKIM_SigError("DKIM_SIGERROR_KEY_MISMATCHED_K");
@@ -1259,6 +1291,7 @@ var Verifier = (function() {
 			selector : DKIMSignature.s,
 			warnings : DKIMSignature.warnings,
 			keySecure : DKIMSignature.keyQueryResult.secure,
+			sigAlgo : DKIMSignature.a_sig
 		};
 		return verification_result;
 	}
@@ -1589,6 +1622,20 @@ var that = {
 			return 0;
 		}
 
+		function algo_compare(sig1, sig2) {
+			// prefer ed25519 over rsa
+			if (sig1.sigAlgo === sig2.sigAlgo) {
+				// both algorithms are equal
+				return 0;
+			}
+			if (sig1.sigAlgo === "ed25519") {
+				// there are only ed25519 and rsa allowed, so sig2.a is rsa
+				return -1;
+			}
+			// there are only ed25519 and rsa allowed, so sig2.a is ed25519
+			return 1;
+		}
+
 		signatures.sort(function (sig1, sig2) {
 			let cmp;
 			cmp = result_compare(sig1, sig2);
@@ -1603,6 +1650,10 @@ var that = {
 			if (cmp !== 0) {
 				return cmp;
 			}
+			cmp = algo_compare(sig1, sig2);
+			if (cmp !== 0) {
+				return cmp;
+			}
 			return -1;
 		});
 	},
@@ -1616,7 +1667,6 @@ var that = {
 	 * make handleException public
 	 */
 	handleException : handleException,
-	handleExeption : handleException,
 
 	/*
 	 * make checkForSignatureExsistens public

modules/rfcParser.jsm.js

@@ -59,8 +59,13 @@ let rfcParser = (function() {
 	RfcParserStd.FWS_op = `${RfcParserStd.FWS}?`;
 	// Note: this is incomplete (obs-ctext is missing)
 	RfcParserStd.ctext = "[!-'*-[\\]-~]";
-	// Note: this is incomplete (comment is missing)
-	RfcParserStd.ccontent = `(?:${RfcParserStd.ctext}|${RfcParserStd.quoted_pair})`;
+	// Note: There is a recursion in ccontent/comment, which is not supported by the RegExp in JavaScript.
+	// We currently unroll it to support a depth of up to 3 comments.
+	RfcParserStd.ccontent_2 = `(?:${RfcParserStd.ctext}|${RfcParserStd.quoted_pair})`;
+	RfcParserStd.comment_2 = `\\((?:${RfcParserStd.FWS_op}${RfcParserStd.ccontent_2})*${RfcParserStd.FWS_op}\\)`;
+	RfcParserStd.ccontent_1 = `(?:${RfcParserStd.ctext}|${RfcParserStd.quoted_pair}|${RfcParserStd.comment_2})`;
+	RfcParserStd.comment_1 = `\\((?:${RfcParserStd.FWS_op}${RfcParserStd.ccontent_1})*${RfcParserStd.FWS_op}\\)`;
+	RfcParserStd.ccontent = `(?:${RfcParserStd.ctext}|${RfcParserStd.quoted_pair}|${RfcParserStd.comment_1})`;
 	RfcParserStd.comment = `\\((?:${RfcParserStd.FWS_op}${RfcParserStd.ccontent})*${RfcParserStd.FWS_op}\\)`;
 	RfcParserStd.CFWS = `(?:(?:(?:${RfcParserStd.FWS_op}${RfcParserStd.comment})+${RfcParserStd.FWS_op})|${RfcParserStd.FWS})`;
 	// Note: helper only, not part of the RFC