From 0e40c0ed7ffd837458269d3d7a7f9cbaa6dc0caf Mon Sep 17 00:00:00 2001
From: Rotzbua
Date: Fri, 10 Feb 2017 22:16:19 +0100
Subject: [PATCH] Update dkim
---
 lib/classes/Swift/Signers/DKIMSigner.php | 46 ++++++++++++++-------
 tests/unit/Swift/Signers/DKIMSignerTest.php | 5 ++-
 2 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/lib/classes/Swift/Signers/DKIMSigner.php b/lib/classes/Swift/Signers/DKIMSigner.php
index 6ddd4f928..83766c2a3 100644
--- a/lib/classes/Swift/Signers/DKIMSigner.php
+++ b/lib/classes/Swift/Signers/DKIMSigner.php
@@ -39,9 +39,11 @@ class Swift_Signers_DKIMSigner implements Swift_Signers_HeaderSigner
 /**
 * Hash algorithm used.
 *
+ * @see RFC6376 3.3: Signers MUST implement and SHOULD sign using rsa-sha256.
+ *
 * @var string
 */
- protected $_hashAlgorithm = 'rsa-sha1';
+ protected $_hashAlgorithm = 'rsa-sha256';
 
 /**
 * Body canon method.
@@ -174,6 +176,11 @@ public function __construct($privateKey, $domainName, $selector)
 $this->_domainName = $domainName;
 $this->_signerIdentity = '@'.$domainName;
 $this->_selector = $selector;
+
+ // keep fallback hash algorithm sha1, if php version is lower than 5.4.8
+ if (version_compare(phpversion(), '5.4.8', '<')) {
+ $this->_hashAlgorithm = 'rsa-sha1';
+ }
 }
 
 /**
@@ -223,6 +230,7 @@ public function reset()
 *
 * @return int
 */
+ // TODO fix return
 public function write($bytes)
 {
 $this->_canonicalizeBody($bytes);
@@ -234,8 +242,6 @@ public function write($bytes)
 /**
 * For any bytes that are currently buffered inside the stream, force them
 * off the buffer.
-
- * @throws Swift_IoException
 */
 public function commit()
 {
@@ -276,8 +282,6 @@ public function unbind(Swift_InputByteStream $is)
 return;
 }
 }
-
- return;
 }
 
 /**
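Review bot: The new `@see` line in the `$_hashAlgorithm` docblock holds a sentence rather than a reference, so documentation tooling cannot resolve it; keep the reference itself and move the wording to a plain line, e.g. `* @see https://www.rfc-editor.org/rfc/rfc6376#section-3.3` followed by `* RFC 6376 §3.3: signers MUST implement and SHOULD sign using rsa-sha256.`. Since the constructor hunk below can override this default with `rsa-sha1`, the docblock should also say that `rsa-sha256` is the default only where the openssl extension supports it, otherwise a reader of this line assumes SHA-256 is always used.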
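Review bot: The constructor fallback silently weakens the signature to rsa-sha1 whenever `version_compare(phpversion(), '5.4.8', '<')` holds, and that condition differs from the capability check setHashAlgorithm() uses further down (`defined('OPENSSL_ALGO_SHA256')`), so the two can disagree on a build whose openssl extension lacks SHA-256 on a newer PHP; the version check appears to be a proxy for that constant's availability. Use the same test here, `if (!defined('OPENSSL_ALGO_SHA256')) {`, so constructor and setter agree on one definition of "supported". A silent downgrade of a signing algorithm is something callers should be able to see, so the constructor's docblock (outside the hunk) should state it, e.g. `* Falls back to rsa-sha1 when OPENSSL_ALGO_SHA256 is unavailable; call setHashAlgorithm('rsa-sha256') to require SHA-256, which throws instead of downgrading.`. The constructor begins outside the hunk.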
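Review bot: The added `// TODO fix return` sits between the docblock and the `write()` signature, where it reads as an orphaned note and is easy to miss; either resolve it in this commit or move it into the docblock as `* @todo fix return` so it stays attached to the method it concerns. The docblock promises `@return int` while the visible body only calls `$this->_canonicalizeBody($bytes)`; if the method returns nothing, `@return void` is the honest tag. The body of write() continues outside the hunk.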
@@ -292,19 +296,28 @@ public function flushBuffers()
 }
 
 /**
- * Set hash_algorithm, must be one of rsa-sha256 | rsa-sha1 defaults to rsa-sha256.
+ * Set hash_algorithm, must be one of rsa-sha256 | rsa-sha1.
+ *
+ * @param string $hash 'rsa-sha1' or 'rsa-sha256'
- * @param string $hash
+ * @throws Swift_SwiftException
 *
 * @return Swift_Signers_DKIMSigner
 */
 public function setHashAlgorithm($hash)
 {
- // Unable to sign with rsa-sha256
- if ($hash == 'rsa-sha1') {
- $this->_hashAlgorithm = 'rsa-sha1';
- } else {
- $this->_hashAlgorithm = 'rsa-sha256';
+ switch ($hash) {
+ case 'rsa-sha1':
+ $this->_hashAlgorithm = 'rsa-sha1';
+ break;
+ case 'rsa-sha256':
+ $this->_hashAlgorithm = 'rsa-sha256';
+ if (!defined('OPENSSL_ALGO_SHA256')) {
+ throw new Swift_SwiftException('Unable to set sha256, not offered by openssl');
+ }
+ break;
+ default:
+ throw new Swift_SwiftException('Unable to set hash algorithm');
 }
 
 return $this;
@@ -432,12 +445,12 @@ public function startBody()
 {
 // Init
 switch ($this->_hashAlgorithm) {
- case 'rsa-sha256':
- $this->_bodyHashHandler = hash_init('sha256');
- break;
 case 'rsa-sha1':
 $this->_bodyHashHandler = hash_init('sha1');
 break;
+ case 'rsa-sha256':
+ $this->_bodyHashHandler = hash_init('sha256');
+ break;
 }
 $this->_bodyCanonLine = '';
 }
@@ -678,6 +691,7 @@ private function _addToHeaderHash($header)
 private function _getEncryptedHash()
 {
 $signature = '';
+
 switch ($this->_hashAlgorithm) {
 case 'rsa-sha1':
 $algorithm = OPENSSL_ALGO_SHA1;
@@ -685,6 +699,8 @@ private function _getEncryptedHash()
 case 'rsa-sha256':
 $algorithm = OPENSSL_ALGO_SHA256;
 break;
+ default:
+ throw new Swift_SwiftException('Unable to set hash algorithm');
 }
 $pkeyId = openssl_get_privatekey($this->_privateKey);
 if (!$pkeyId) {
diff --git a/tests/unit/Swift/Signers/DKIMSignerTest.php b/tests/unit/Swift/Signers/DKIMSignerTest.php
index 13c1b4c1e..7f86c262e 100644
--- a/tests/unit/Swift/Signers/DKIMSignerTest.php
+++ b/tests/unit/Swift/Signers/DKIMSignerTest.php
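Review bot: In setHashAlgorithm() the `rsa-sha256` branch assigns `$this->_hashAlgorithm = 'rsa-sha256'` before it checks `defined('OPENSSL_ALGO_SHA256')`, so when the exception is thrown the signer is left configured with an algorithm it cannot use and the failure resurfaces later in startBody()/_getEncryptedHash(), far from the cause. Move the `if (!defined('OPENSSL_ALGO_SHA256')) { throw ... }` block above the assignment so the object is unchanged when the call fails. Note also that `switch` compares loosely, as the replaced `==` did; if callers may pass non-string values, an explicit `if ($hash === 'rsa-sha1')` / `elseif ($hash === 'rsa-sha256')` chain avoids surprising matches. The `default` message `'Unable to set hash algorithm'` would be more actionable if it named the rejected value, e.g. `sprintf('Unsupported hash algorithm "%s"', $hash)`.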
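Review bot: startBody()'s switch still has no `default` case, while the `default: throw` added to _getEncryptedHash() further down does reject an unknown `$_hashAlgorithm`; an unsupported value therefore leaves `$this->_bodyHashHandler` unset here and only fails at signing time, after the whole body has been streamed. Add the same guard here, `default: throw new Swift_SwiftException('Unsupported hash algorithm');`, so the failure surfaces where hashing starts. The swap of the two existing cases is otherwise cosmetic.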
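Review bot: The new `default` in _getEncryptedHash() reuses the message `'Unable to set hash algorithm'`, but nothing is being set at this point; the condition is that the configured algorithm is not one the signer can sign with, so `'Unsupported hash algorithm'` describes the failure accurately and keeps the two messages distinguishable in logs. The added branch is otherwise welcome, since without it `$algorithm` would be undefined on the line that uses it. _getEncryptedHash() continues outside the hunk.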
@@ -29,12 +29,13 @@ public function testBasicSigningHeaderManipulation()
 $signer->addSignature($headers);
 }
 
- // Default Signing
- public function testSigningDefaults()
+ // SHA1 Signing
+ public function testSigningSHA1()
 {
 $headerSet = $this->_createHeaderSet();
 $messageContent = 'Hello World';
 $signer = new Swift_Signers_DKIMSigner(file_get_contents(dirname(dirname(dirname(__DIR__))).'/_samples/dkim/dkim.test.priv'), 'dummy.nxdomain.be', 'dummySelector');
+ $signer->setHashAlgorithm('rsa-sha1');
 $signer->setSignatureTimestamp('1299879181');
 $altered = $signer->getAlteredHeaders();
 $this->assertEquals(array('DKIM-Signature'), $altered);
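Review bot: Renaming testSigningDefaults() to testSigningSHA1() and pinning `$signer->setHashAlgorithm('rsa-sha1')` removes the only test that exercised the signer's default, in the same commit that changes that default to rsa-sha256; the diffstat shows no other change to this test file, so the new default appears untested. Keep a default-algorithm test alongside this one that constructs the signer without calling setHashAlgorithm() and asserts the produced DKIM-Signature header contains `a=rsa-sha256` (skipping when `OPENSSL_ALGO_SHA256` is undefined), and a test that setHashAlgorithm() throws `Swift_SwiftException` for an unknown value. The method body continues outside the hunk.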