commit 04225ff91820d9bfde83a32d1e5e60bb0050d3e2 from: Martijn van Duren date: Wed Mar 30 20:41:09 2022 UTC FWS after h=-tag value could lead to a end mismatch. Use osmtpd_ltok_skip_sig_h_tag_value for checking and original code for copying data
commit - 09150ec45067fe90a5ec86518b89913e6c159ee8
commit + 04225ff91820d9bfde83a32d1e5e60bb0050d3e2
blob - e637178de5a719aef0399ece16b12ec88038fd6a
blob + 1f60e6ec2a3e32f5668ea56d4ab2049edea92ce7
--- main.c
+++ main.c
@@ -725,6 +725,10 @@ dkim_signature_parse_h(struct signature *sig, const ch
 if (sig->h != NULL) {
 dkim_signature_state(sig, DKIM_PERMERROR, "Duplicate h tag");
+ return;
+ }
+ if (osmtpd_ltok_skip_sig_h_tag_value(start, 0) != end) {
+ dkim_signature_state(sig, DKIM_PERMERROR, "Invalid h tag");
 return;
 }
 h = start;
@@ -744,10 +748,6 @@ dkim_signature_parse_h(struct signature *sig, const ch
 if (h[0] != ':')
 break;
 h = osmtpd_ltok_skip_fws(h + 1, 1);
- }
- if (h != end) {
- dkim_signature_state(sig, DKIM_PERMERROR, "Invalid h tag");
- return;
 }
 if ((sig->h = calloc(n + 1, sizeof(*sig->h))) == NULL) {
 dkim_err(sig->header->msg, "malloc");
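Review bot: Once the `h != end` test after the walk loop is removed (second hunk), nothing visible ties that loop to `end`; it relies entirely on the new `osmtpd_ltok_skip_sig_h_tag_value(start, 0) != end` pre-check accepting the same grammar the loop walks. The loop body sits between the two hunks and is not shown, so this is inferred. Because the value comes from a received DKIM-Signature header, the invariant should be written down above `h = start;`, for example `/* value validated above to end exactly at 'end'; the walk below may stop before trailing FWS but must never pass end */`. A cheap guard after the loop, `if (h > end) { dkim_signature_state(sig, DKIM_PERMERROR, "Invalid h tag"); return; }`, would stop a later divergence between the two parsers from becoming a read past the tag value. It would also help to note that a failed match presumably returns NULL, which the `!= end` comparison already rejects.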