authorJeremy Harris <jgh146exb@wizmail.org>2018-02-09 21:59:49 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2018-02-09 23:35:19 +0000
commit260958d632506e2789fc632381f560f5a0c77ed7 (patch)
treec92878ab810609c1234861ccc23a574b6d66add1
parent165acdd1ea3b7399b2279f94c881f8e366efaf71 (diff)
Builtin macros for sha3-hash and ed25519-signing support
-rw-r--r--doc/doc-docbook/spec.xfpt8
-rw-r--r--doc/doc-txt/NewStuff3
-rw-r--r--src/OS/Makefile-Base9
-rw-r--r--src/src/macro_predef.c2
-rw-r--r--src/src/macro_predef.h1
-rw-r--r--src/src/pdkim/crypt_ver.h2
-rw-r--r--src/src/pdkim/signing.c24
-rw-r--r--src/src/sha_ver.h2
-rw-r--r--src/src/tls-openssl.c4
9 files changed, 42 insertions, 13 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b5865e966..972cdc76e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -10648,6 +10648,7 @@ The &%sha3%& expansion item is only supported if Exim has been
compiled with GnuTLS 3.5.0 or later,
.new
or OpenSSL 1.1.1 or later.
+The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported.
.wen
@@ -38663,7 +38664,6 @@ for the former it is the base64 of the ASN.1 for the RSA public key
(equivalent to the private-key .pem with the header/trailer stripped)
but for EC keys it is the base64 of the pure key; no ASN.1 wrapping.
.wen
-.wen
Signing is enabled by setting private options on the SMTP transport.
These options take (expandable) strings as arguments.
@@ -38710,6 +38710,7 @@ Note that RFC 8301 says:
.code
Signers MUST use RSA keys of at least 1024 bits for all keys.
Signers SHOULD use RSA keys of at least 2048 bits.
+.endd
Support for EC keys is being developed under
&url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/).
@@ -38717,7 +38718,8 @@ They are considerably smaller than RSA keys for equivalent protection.
As they are a recent development, users should consider dual-signing
(by setting a list of selectors, and an expansion for this option)
for some transition period.
-.endd
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
.wen
.option dkim_hash smtp string&!! sha256
@@ -38902,6 +38904,8 @@ The key record selector string.
The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
.new
If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'.
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
.wen
.new
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index ee40553a6..8464872b4 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -36,6 +36,9 @@ Version 4.91
9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
GnuTLS 3.6.0 or later.
+10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
+ version dependent.
+
Version 4.90
------------
diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index c96f46f0e..11ba19e61 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -134,8 +134,8 @@ OBJ_MACRO = macro_predef.o \
macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \
macro-manualroute.o macro-queryprogram.o macro-redirect.o \
macro-auth-spa.o macro-cram_md5.o macro-cyrus_sasl.o macro-dovecot.o macro-gsasl_exim.o \
- macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-tls.o\
- macro-dkim.o macro-malware.o macro-macro.o macro-tree.o
+ macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-authtls.o \
+ macro-dkim.o macro-malware.o macro-macro.o macro-tree.o macro-signing.o
$(OBJ_MACRO): $(MACRO_HSRC)
@@ -220,7 +220,7 @@ macro-plaintext.o : auths/plaintext.c
macro-spa.o : auths/spa.c
@echo "$(CC) -DMACRO_PREDEF auths/spa.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/spa.c
-macro-tls.o: auths/tls.c
+macro-authtls.o: auths/tls.c
@echo "$(CC) -DMACRO_PREDEF auths/tls.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/tls.c
macro-dkim.o: dkim.c
@@ -235,6 +235,9 @@ macro-macro.o: macro.c
macro-tree.o: tree.c
@echo "$(CC) -DMACRO_PREDEF tree.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tree.c
+macro-signing.o: pdkim/signing.c
+ @echo "$(CC) -DMACRO_PREDEF pdkim/signing.c"
+ $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ pdkim/signing.c
macro_predef: $(OBJ_MACRO)
@echo "$(LNCC) -o $@"
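Review bot: The new macro-signing.o rule at the bottom of the hunk names only pdkim/signing.c as a prerequisite (plus the blanket `$(OBJ_MACRO): $(MACRO_HSRC)` from the first Makefile-Base hunk), yet the macros that object emits are decided by the version tests in pdkim/crypt_ver.h and sha_ver.h; MACRO_HSRC is defined outside this view, and if it does not list those two headers, editing them will not rebuild the predef object and a stale set of `_CRYPTO_*` feature macros can be produced. Consider `macro-signing.o: pdkim/signing.c pdkim/crypt_ver.h sha_ver.h` so the dependency is explicit either way. As a point of style the source path is spelled out three times in the rule where `$<` would do, but since every sibling rule in this file follows the same pattern that is a file-wide cleanup rather than something for this commit. The macro_predef link rule that starts on the last line continues past the end of the hunk.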
diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index b594d5bfd..2485072f4 100644
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -258,6 +258,8 @@ due to conflicts with other common macros. */
#ifdef WITH_CONTENT_SCAN
features_malware();
#endif
+
+features_crypto();
}
diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h
index bfa201068..50b61a897 100644
--- a/src/src/macro_predef.h
+++ b/src/src/macro_predef.h
@@ -13,6 +13,7 @@ extern void builtin_macro_create_var(const uschar *, const uschar *);
extern void options_from_list(optionlist *, unsigned, const uschar *, uschar *);
extern void features_malware(void);
+extern void features_crypto(void);
extern void options_main(void);
extern void options_routers(void);
extern void options_transports(void);
diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h
index 7b0ddf92a..ad7db025e 100644
--- a/src/src/pdkim/crypt_ver.h
+++ b/src/src/pdkim/crypt_ver.h
@@ -17,7 +17,7 @@
# if GNUTLS_VERSION_NUMBER >= 0x030000
# define SIGN_GNUTLS
# if GNUTLS_VERSION_NUMBER >= 0x030600
-# define SIGN_HAVE_ED25519
+# define SIGN_HAVE_ED25519 /*MMMM*/
# endif
# else
# define SIGN_GCRYPT
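Review bot: The `/*MMMM*/` marker appended to the SIGN_HAVE_ED25519 define is unexplained, and the same bare marker is added in the sha_ver.h and tls-openssl.c hunks, so a reader cannot tell whether it tags defines that are exported as builtin macros, candidates for export, or something else entirely. A one-line comment at its first use would make the convention discoverable, for example `/* MMMM: feature define mirrored as a builtin macro by features_crypto() -- keep the two in sync */`, assuming that is the intent; the commit message does not say. Note that of the four marked defines only SIGN_HAVE_ED25519 and EXIM_HAVE_SHA3 are actually exported by the new features_crypto() in pdkim/signing.c, while EXIM_HAVE_SHA256 and EXIM_HAVE_ECDH are marked but not exported, so if the marker means "exported" it is already out of step.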
diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c
index f73fa9cc8..b61b42832 100644
--- a/src/src/pdkim/signing.c
+++ b/src/src/pdkim/signing.c
@@ -7,16 +7,31 @@
*/
#include "../exim.h"
+#include "crypt_ver.h"
+#include "signing.h"
+
+
+#ifdef MACRO_PREDEF
+# include "../macro_predef.h"
+
+void
+features_crypto(void)
+{
+# ifdef SIGN_HAVE_ED25519
+ builtin_macro_create(US"_CRYPTO_SIGN_ED25519");
+# endif
+# ifdef EXIM_HAVE_SHA3
+ builtin_macro_create(US"_CRYPTO_HASH_SHA3");
+# endif
+}
+#else
-#ifndef DISABLE_DKIM /* entire file */
+#ifndef DISABLE_DKIM /* rest of file */
#ifndef SUPPORT_TLS
# error Need SUPPORT_TLS for DKIM
#endif
-#include "crypt_ver.h"
-#include "signing.h"
-
/******************************************************************************/
#ifdef SIGN_GNUTLS
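Review bot: features_crypto() lives in the `#ifdef MACRO_PREDEF` branch that sits above the `#ifndef DISABLE_DKIM` guard, and macro_predef.c calls it unconditionally, so a build configured with DISABLE_DKIM still emits `_CRYPTO_SIGN_ED25519` whenever the GnuTLS version test in crypt_ver.h passes; a configuration that tests that macro would conclude DKIM signing is available when it has been compiled out. Guarding the first builtin_macro_create with `# if defined(SIGN_HAVE_ED25519) && !defined(DISABLE_DKIM)` keeps the macro truthful, while the hash macro can stay as is since sha3 is an expansion item independent of DKIM. Separately, EXIM_HAVE_SHA3 is defined in sha_ver.h (see that hunk) but this file now includes only crypt_ver.h and signing.h; unless exim.h or crypt_ver.h pulls sha_ver.h in, which is not visible here, the `#ifdef EXIM_HAVE_SHA3` branch can never fire and `_CRYPTO_HASH_SHA3` would never be defined. Moving the crypt_ver.h and signing.h includes ahead of the SUPPORT_TLS check also means they are now parsed in non-TLS and DKIM-disabled builds, which is safe only if those headers are self-contained for such configurations.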
@@ -884,4 +899,5 @@ switch (hash)
/******************************************************************************/
#endif /*DISABLE_DKIM*/
+#endif /*MACRO_PREDEF*/
/* End of File */
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index b86e9a831..61408788b 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -26,7 +26,7 @@
# if GNUTLS_VERSION_NUMBER >= 0x020a00
# define SHA_GNUTLS
# if GNUTLS_VERSION_NUMBER >= 0x030500
-# define EXIM_HAVE_SHA3
+# define EXIM_HAVE_SHA3 /*MMMM*/
# endif
# else
# define SHA_GCRYPT
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index a542d4db0..00b5a7349 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -51,7 +51,7 @@ functions from the OpenSSL library. */
# define EXIM_HAVE_RAND_PSEUDO
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-# define EXIM_HAVE_SHA256
+# define EXIM_HAVE_SHA256 /*MMMM*/
#endif
/*
@@ -81,7 +81,7 @@ functions from the OpenSSL library. */
|| LIBRESSL_VERSION_NUMBER >= 0x20010000L
# if !defined(OPENSSL_NO_ECDH)
# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-# define EXIM_HAVE_ECDH
+# define EXIM_HAVE_ECDH /*MMMM*/
# endif
# if OPENSSL_VERSION_NUMBER >= 0x10002000L
# define EXIM_HAVE_OPENSSL_EC_NIST2NID