commit 04225ff91820d9bfde83a32d1e5e60bb0050d3e2 from: Martijn van Duren date: Wed Mar 30 20:41:09 2022 UTC FWS after h=-tag value could lead to a end mismatch. Use osmtpd_ltok_skip_sig_h_tag_value for checking and original code for copying data
commit - 09150ec45067fe90a5ec86518b89913e6c159ee8
commit + 04225ff91820d9bfde83a32d1e5e60bb0050d3e2
blob - e637178de5a719aef0399ece16b12ec88038fd6a
blob + 1f60e6ec2a3e32f5668ea56d4ab2049edea92ce7
--- main.c
+++ main.c
@@ -727,6 +727,10 @@ dkim_signature_parse_h(struct signature *sig, const ch
 dkim_signature_state(sig, DKIM_PERMERROR, "Duplicate h tag");
 return;
 }
+ if (osmtpd_ltok_skip_sig_h_tag_value(start, 0) != end) {
+ dkim_signature_state(sig, DKIM_PERMERROR, "Invalid h tag");
+ return;
+ }
 h = start;
 while (1) {
 if ((h = osmtpd_ltok_skip_hdr_name(h, 0)) == NULL) {
@@ -745,10 +749,6 @@ dkim_signature_parse_h(struct signature *sig, const ch
 break;
 h = osmtpd_ltok_skip_fws(h + 1, 1);
 }
- if (h != end) {
- dkim_signature_state(sig, DKIM_PERMERROR, "Invalid h tag");
- return;
- }
 if ((sig->h = calloc(n + 1, sizeof(*sig->h))) == NULL) {
 dkim_err(sig->header->msg, "malloc");
 return;
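Review bot: In the first hunk of main.c, the new `osmtpd_ltok_skip_sig_h_tag_value(start, 0) != end` check is now the only thing tying the h= value to `end`, and nothing explains why the loop below is no longer checked against it. Since this value comes from an untrusted DKIM-Signature header, a comment above the check would help the next reader, for example `/* Validate the whole h= value up front; the loop below may also step over FWS that trails the value, so h need not equal end afterwards. */`. The header count `n` and the later `calloc(n + 1, ...)` then depend on the loop accepting the same grammar as the validator, which cannot be confirmed from the hunk because the loop body and the rest of dkim_signature_parse_h lie outside it.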