diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2017-09-12 17:37:48 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2017-09-12 20:01:05 +0100 |
commit | d73e45df63ef6602fa32bd3e196d20735a0b69b5 (patch) | |
tree | fe58c7e3c44669c32118c33d2eb05db2d80eb065 /src | |
parent | 9b2583c440ab9104070054dfa02e8611799f777b (diff) |
DKIM: support multiple hash methods
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dkim.c | 39 | ||||
-rw-r--r-- | src/src/expand.c | 2 | ||||
-rw-r--r-- | src/src/hash.c | 53 | ||||
-rw-r--r-- | src/src/hash.h | 10 | ||||
-rw-r--r-- | src/src/pdkim/crypt_ver.h | 8 | ||||
-rw-r--r-- | src/src/pdkim/pdkim.c | 134 | ||||
-rw-r--r-- | src/src/pdkim/pdkim.h | 18 | ||||
-rw-r--r-- | src/src/pdkim/pdkim_hash.h | 4 | ||||
-rw-r--r-- | src/src/pdkim/signing.c | 208 | ||||
-rw-r--r-- | src/src/pdkim/signing.h | 22 | ||||
-rw-r--r-- | src/src/structs.h | 1 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 3 |
12 files changed, 276 insertions, 226 deletions
diff --git a/src/src/dkim.c b/src/src/dkim.c index f7b9ee0d1..2b7f55ae8 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -20,6 +20,12 @@ pdkim_signature *dkim_signatures = NULL; pdkim_signature *dkim_cur_sig = NULL; static const uschar * dkim_collect_error = NULL; + + +/*XXX the caller only uses the first record if we return multiple. +Could we hand back an allocated string? +*/ + static int dkim_exim_query_dns_txt(char *name, char *answer) { @@ -164,9 +170,7 @@ for (sig = dkim_signatures; sig; sig = sig->next) logmsg = string_append(logmsg, &size, &ptr, 7, " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed", "/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed", - " a=", sig->algo == PDKIM_ALGO_RSA_SHA256 - ? "rsa-sha256" - : sig->algo == PDKIM_ALGO_RSA_SHA1 ? "rsa-sha1" : "err", + " a=", dkim_sig_to_a_tag(sig), string_sprintf(" b=%d", (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0)); if ((s= sig->identity)) logmsg = string_append(logmsg, &size, &ptr, 2, " i=", s); @@ -338,12 +342,7 @@ if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig) switch (what) { case DKIM_ALGO: - switch (dkim_cur_sig->algo) - { - case PDKIM_ALGO_RSA_SHA1: return US"rsa-sha1"; - case PDKIM_ALGO_RSA_SHA256: - default: return US"rsa-sha256"; - } + return dkim_sig_to_a_tag(dkim_cur_sig); case DKIM_BODYLENGTH: return dkim_cur_sig->bodylength >= 0 @@ -466,6 +465,7 @@ int seen_items_offset = 0; uschar *dkim_canon_expanded; uschar *dkim_sign_headers_expanded; uschar *dkim_private_key_expanded; +uschar *dkim_hash_expanded; pdkim_ctx *ctx = NULL; uschar *rc = NULL; uschar *sigbuf = NULL; @@ -608,15 +608,20 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0))) dkim_private_key_expanded = big_buffer; } -/*XXX so we currently nail signing to RSA + SHA256. Need to extract algo -from privkey, and provide means for selecting hash-method. -Check for disallowed combos. -Will need new dkim_ transport option for hash. */ + if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash))) + { + log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand " + "dkim_hash: %s", expand_string_message); + goto bad; + } + +/*XXX so we currently nail signing to RSA + given hash. +Need to extract algo from privkey and check for disallowed combos. */ - if (!(ctx = pdkim_init_sign(CS dkim_signing_domain, - CS dkim_signing_selector, - CS dkim_private_key_expanded, - PDKIM_ALGO_RSA_SHA256, + if (!(ctx = pdkim_init_sign(dkim_signing_domain, + dkim_signing_selector, + dkim_private_key_expanded, + dkim_hash_expanded, dkim->dot_stuffed, &dkim_exim_query_dns_txt, errstr diff --git a/src/src/expand.c b/src/src/expand.c index 83e519a7d..c51c1ff1b 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -6461,7 +6461,7 @@ while (*s != 0) blob b; char st[3]; - if (!exim_sha_init(&h, HASH_SHA256)) + if (!exim_sha_init(&h, HASH_SHA2_256)) { expand_string_message = US"unrecognised sha256 variant"; goto EXPAND_FAILED; diff --git a/src/src/hash.c b/src/src/hash.c index e239516e1..19ab1efd0 100644 --- a/src/src/hash.c +++ b/src/src/hash.c @@ -36,9 +36,11 @@ exim_sha_init(hctx * h, hashmethod m) /*XXX extend for sha512 */ switch (h->method = m) { - case HASH_SHA1: h->hashlen = 20; SHA1_Init (&h->u.sha1); break; - case HASH_SHA256: h->hashlen = 32; SHA256_Init(&h->u.sha2); break; - default: h->hashlen = 0; return FALSE; + case HASH_SHA1: h->hashlen = 20; SHA1_Init (&h->u.sha1); break; + case HASH_SHA2_256: h->hashlen = 32; SHA256_Init(&h->u.sha2_256); break; + case HASH_SHA2_384: h->hashlen = 48; SHA384_Init(&h->u.sha2_512); break; + case HASH_SHA2_512: h->hashlen = 64; SHA512_Init(&h->u.sha2_512); break; + default: h->hashlen = 0; return FALSE; } return TRUE; } @@ -49,8 +51,10 @@ exim_sha_update(hctx * h, const uschar * data, int len) { switch (h->method) { - case HASH_SHA1: SHA1_Update (&h->u.sha1, data, len); break; - case HASH_SHA256: SHA256_Update(&h->u.sha2, data, len); break; + case HASH_SHA1: SHA1_Update (&h->u.sha1, data, len); break; + case HASH_SHA2_256: SHA256_Update(&h->u.sha2_256, data, len); break; + case HASH_SHA2_384: SHA384_Update(&h->u.sha2_512, data, len); break; + case HASH_SHA2_512: SHA512_Update(&h->u.sha2_512, data, len); break; /* should be blocked by init not handling these, but be explicit to guard against accidents later (and hush up clang -Wswitch) */ default: assert(0); @@ -64,8 +68,10 @@ exim_sha_finish(hctx * h, blob * b) b->data = store_get(b->len = h->hashlen); switch (h->method) { - case HASH_SHA1: SHA1_Final (b->data, &h->u.sha1); break; - case HASH_SHA256: SHA256_Final(b->data, &h->u.sha2); break; + case HASH_SHA1: SHA1_Final (b->data, &h->u.sha1); break; + case HASH_SHA2_256: SHA256_Final(b->data, &h->u.sha2_256); break; + case HASH_SHA2_384: SHA384_Final(b->data, &h->u.sha2_512); break; + case HASH_SHA2_512: SHA512_Final(b->data, &h->u.sha2_512); break; default: assert(0); } } @@ -81,10 +87,14 @@ exim_sha_init(hctx * h, hashmethod m) /*XXX extend for sha512 */ switch (h->method = m) { - case HASH_SHA1: h->hashlen = 20; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA1); break; - case HASH_SHA256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA256); break; + case HASH_SHA1: h->hashlen = 20; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA1); break; + case HASH_SHA2_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA256); break; + case HASH_SHA2_384: h->hashlen = 48; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA384); break; + case HASH_SHA2_512: h->hashlen = 64; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA512); break; #ifdef EXIM_HAVE_SHA3 case HASH_SHA3_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_256); break; + case HASH_SHA3_384: h->hashlen = 48; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_384); break; + case HASH_SHA3_512: h->hashlen = 64; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_512); break; #endif default: h->hashlen = 0; return FALSE; } @@ -117,8 +127,13 @@ exim_sha_init(hctx * h, hashmethod m) /*XXX extend for sha512 */ switch (h->method = m) { - case HASH_SHA1: h->hashlen = 20; gcry_md_open(&h->sha, GCRY_MD_SHA1, 0); break; - case HASH_SHA256: h->hashlen = 32; gcry_md_open(&h->sha, GCRY_MD_SHA256, 0); break; + case HASH_SHA1: h->hashlen = 20; gcry_md_open(&h->sha, GCRY_MD_SHA1, 0); break; + case HASH_SHA2_256: h->hashlen = 32; gcry_md_open(&h->sha, GCRY_MD_SHA256, 0); break; + case HASH_SHA2_384: h->hashlen = 48; gcry_md_open(&h->sha, GCRY_MD_SHA384, 0); break; + case HASH_SHA2_512: h->hashlen = 64; gcry_md_open(&h->sha, GCRY_MD_SHA512, 0); break; + case HASH_SHA3_256: h->hashlen = 32; gcry_md_open(&h->sha, GCRY_MD_SHA3_256, 0); break; + case HASH_SHA3_384: h->hashlen = 48; gcry_md_open(&h->sha, GCRY_MD_SHA3_384, 0); break; + case HASH_SHA3_512: h->hashlen = 64; gcry_md_open(&h->sha, GCRY_MD_SHA3_512, 0); break; default: h->hashlen = 0; return FALSE; } return TRUE; @@ -152,7 +167,7 @@ exim_sha_init(hctx * h, hashmethod m) switch (h->method = m) { case HASH_SHA1: h->hashlen = 20; sha1_starts(&h->u.sha1); break; - case HASH_SHA256: h->hashlen = 32; sha2_starts(&h->u.sha2, 0); break; + case HASH_SHA2_256: h->hashlen = 32; sha2_starts(&h->u.sha2, 0); break; default: h->hashlen = 0; return FALSE; } return TRUE; @@ -165,7 +180,7 @@ exim_sha_update(hctx * h, const uschar * data, int len) switch (h->method) { case HASH_SHA1: sha1_update(h->u.sha1, US data, len); break; - case HASH_SHA256: sha2_update(h->u.sha2, US data, len); break; + case HASH_SHA2_256: sha2_update(h->u.sha2, US data, len); break; } } @@ -177,7 +192,7 @@ b->data = store_get(b->len = h->hashlen); switch (h->method) { case HASH_SHA1: sha1_finish(h->u.sha1, b->data); break; - case HASH_SHA256: sha2_finish(h->u.sha2, b->data); break; + case HASH_SHA2_256: sha2_finish(h->u.sha2, b->data); break; } } @@ -421,16 +436,6 @@ native_sha1_end(&h->sha1, NULL, 0, b->data); #endif -/******************************************************************************/ - -/* Common to all library versions */ -int -exim_sha_hashlen(hctx * h) -{ -return h->method == HASH_SHA1 ? 20 - : h->method == HASH_SHA256 ? 32 - : 0; -} /******************************************************************************/ diff --git a/src/src/hash.h b/src/src/hash.h index 09b65944d..b745e6218 100644 --- a/src/src/hash.h +++ b/src/src/hash.h @@ -32,7 +32,11 @@ typedef enum hashmethod { HASH_BADTYPE, HASH_SHA1, - HASH_SHA256, + + HASH_SHA2_256, + HASH_SHA2_384, + HASH_SHA2_512, + HASH_SHA3_224, HASH_SHA3_256, HASH_SHA3_384, @@ -46,7 +50,8 @@ typedef struct { #ifdef SHA_OPENSSL union { SHA_CTX sha1; /* SHA1 block */ - SHA256_CTX sha2; /* SHA256 block */ + SHA256_CTX sha2_256; /* SHA256 or 224 block */ + SHA512_CTX sha2_512; /* SHA512 or 384 block */ } u; #elif defined(SHA_GNUTLS) @@ -70,7 +75,6 @@ typedef struct { extern BOOL exim_sha_init(hctx *, hashmethod); extern void exim_sha_update(hctx *, const uschar *a, int); extern void exim_sha_finish(hctx *, blob *); -extern int exim_sha_hashlen(hctx *); #endif /* End of File */ diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h index cd2171c82..439d99b3a 100644 --- a/src/src/pdkim/crypt_ver.h +++ b/src/src/pdkim/crypt_ver.h @@ -5,7 +5,7 @@ /* Copyright (c) Jeremy Harris 2016 */ /* See the file NOTICE for conditions of use and distribution. */ -/* RSA and SHA routine selection for PDKIM */ +/* Signing and hashing routine selection for PDKIM */ #include "../exim.h" #include "../sha_ver.h" @@ -15,12 +15,12 @@ # include <gnutls/gnutls.h> # if GNUTLS_VERSION_NUMBER >= 0x30000 -# define RSA_GNUTLS +# define SIGN_GNUTLS # else -# define RSA_GCRYPT +# define SIGN_GCRYPT # endif #else -# define RSA_OPENSSL +# define SIGN_OPENSSL #endif diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index 441f96cb5..bef6b6a69 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c @@ -32,11 +32,11 @@ #include "crypt_ver.h" -#ifdef RSA_OPENSSL +#ifdef SIGN_OPENSSL # include <openssl/rsa.h> # include <openssl/ssl.h> # include <openssl/err.h> -#elif defined(RSA_GNUTLS) +#elif defined(SIGN_GNUTLS) # include <gnutls/gnutls.h> # include <gnutls/x509.h> #endif @@ -73,26 +73,24 @@ const uschar * pdkim_querymethods[] = { US"dns/txt", NULL }; -const uschar * pdkim_algos[] = { - US"rsa-sha256", - US"rsa-sha1", - NULL -}; const uschar * pdkim_canons[] = { US"simple", US"relaxed", NULL }; -/*XXX currently unused */ -const uschar * pdkim_hashes[] = { - US"sha256", - US"sha1", - NULL + +typedef struct { + const uschar * dkim_hashname; + hashmethod exim_hashmethod; +} pdkim_hashtype; +static const pdkim_hashtype pdkim_hashes[] = { + { US"sha1", HASH_SHA1 }, + { US"sha256", HASH_SHA2_256 }, + { US"sha512", HASH_SHA2_512 } }; -/*XXX currently unused */ + const uschar * pdkim_keytypes[] = { - US"rsa", - NULL + US"rsa" }; typedef struct pdkim_combined_canon_entry { @@ -113,6 +111,17 @@ pdkim_combined_canon_entry pdkim_combined_canons[] = { /* -------------------------------------------------------------------------- */ +uschar * +dkim_sig_to_a_tag(pdkim_signature * sig) +{ +if ( sig->keytype < 0 || sig->keytype > nelem(pdkim_keytypes) + || sig->hashtype < 0 || sig->hashtype > nelem(pdkim_hashes)) + return US"err"; +return string_sprintf("%s-%s", + pdkim_keytypes[sig->keytype], pdkim_hashes[sig->hashtype].dkim_hashname); +} + + const char * pdkim_verify_status_str(int status) @@ -433,8 +442,9 @@ memset(sig, 0, sizeof(pdkim_signature)); sig->bodylength = -1; /* Set so invalid/missing data error display is accurate */ -sig->algo = -1; sig->version = 0; +sig->keytype = -1; +sig->hashtype = -1; q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1); @@ -507,14 +517,18 @@ for (p = raw_hdr; ; p++) Ustrcmp(cur_val, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1; break; case 'a': -/*XXX this searches a list of combined (algo + hash-method)s */ - for (i = 0; pdkim_algos[i]; i++) - if (Ustrcmp(cur_val, pdkim_algos[i]) == 0) - { - sig->algo = i; - break; - } + { + uschar * s = Ustrchr(cur_val, '-'); + + for(i = 0; i < nelem(pdkim_keytypes); i++) + if (Ustrncmp(cur_val, pdkim_keytypes[i], s - cur_val) == 0) + { sig->keytype = i; break; } + for (++s, i = 0; i < nelem(pdkim_hashes); i++) + if (Ustrcmp(s, pdkim_hashes[i].dkim_hashname) == 0) + { sig->hashtype = i; break; } break; + } + case 'c': for (i = 0; pdkim_combined_canons[i].str; i++) if (Ustrcmp(cur_val, pdkim_combined_canons[i].str) == 0) @@ -588,9 +602,10 @@ DEBUG(D_acl) /*XXX hash method: extend for sha512 */ if (!exim_sha_init(&sig->body_hash_ctx, - sig->algo == PDKIM_ALGO_RSA_SHA1 ? HASH_SHA1 : HASH_SHA256)) + pdkim_hashes[sig->hashtype].exim_hashmethod)) { - DEBUG(D_acl) debug_printf("PDKIM: hash init internal error\n"); + DEBUG(D_acl) + debug_printf("PDKIM: hash init error, possibly nonhandled hashtype\n"); return NULL; } return sig; @@ -1189,8 +1204,7 @@ col = hdr_len; /* Required and static bits */ hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"a=", -/*XXX this is a combo of algo and hash-method */ - pdkim_algos[sig->algo]); + dkim_sig_to_a_tag(sig)); hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"q=", pdkim_querymethods[sig->querymethod]); hdr = pdkim_headcat(&col, hdr, &hdr_size, &hdr_len, US";", US"c=", @@ -1375,8 +1389,6 @@ pdkim_finish_bodyhash(ctx); while (sig) { -/*XXX bool probably not enough */ - BOOL is_sha1 = sig->algo == PDKIM_ALGO_RSA_SHA1; hctx hhash_ctx; uschar * sig_hdr = US""; blob hhash; @@ -1386,9 +1398,10 @@ while (sig) hdata.data = NULL; hdata.len = 0; - if (!exim_sha_init(&hhash_ctx, is_sha1 ? HASH_SHA1 : HASH_SHA256)) + if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod)) { - DEBUG(D_acl) debug_printf("PDKIM: hask setup internal error\n"); + DEBUG(D_acl) + debug_printf("PDKIM: hash setup error, possibly nonhandled hashtype\n"); break; } @@ -1537,9 +1550,9 @@ while (sig) { es_ctx sctx; - /* Import private key */ + /* Import private key, including the keytype */ /*XXX extend for non-RSA algos */ - if ((*err = exim_dkim_signing_init(US sig->rsa_privkey, &sctx))) + if ((*err = exim_dkim_signing_init(US sig->privkey, &sctx))) { DEBUG(D_acl) debug_printf("signing_init: %s\n", *err); return PDKIM_ERR_RSA_PRIVKEY; @@ -1549,15 +1562,14 @@ while (sig) calculated, with GnuTLS we have to sign an entire block of headers (due to available interfaces) and it recalculates the hash internally. */ -#if defined(RSA_OPENSSL) || defined(RSA_GCRYPT) +#if defined(SIGN_OPENSSL) || defined(SIGN_GCRYPT) hdata = hhash; #endif /*XXX extend for non-RSA algos */ -/*XXX oddly the dkim rfc does _not_ say what variant (sha1 or sha256) of -RSA signing should be done. We use the same variant as the hash-method. */ - - if ((*err = exim_dkim_sign(&sctx, is_sha1, &hdata, &sig->sighash))) + if ((*err = exim_dkim_sign(&sctx, + pdkim_hashes[sig->hashtype].exim_hashmethod, + &hdata, &sig->sighash))) { DEBUG(D_acl) debug_printf("signing: %s\n", *err); return PDKIM_ERR_RSA_SIGNING; @@ -1583,7 +1595,8 @@ RSA signing should be done. We use the same variant as the hash-method. */ && sig->headernames && *sig->headernames && sig->bodyhash.data && sig->sighash.data - && sig->algo > -1 + && sig->keytype >= 0 + && sig->hashtype >= 0 && sig->version ) ) { @@ -1619,11 +1632,13 @@ RSA signing should be done. We use the same variant as the hash-method. */ const uschar * list = sig->pubkey->hashes, * ele; int sep = ':'; while ((ele = string_nextinlist(&list, &sep, NULL, 0))) - if (Ustrcmp(ele, pdkim_algos[sig->algo] + 4) == 0) break; + if (Ustrcmp(ele, pdkim_hashes[sig->hashtype].dkim_hashname) == 0) break; if (!ele) { - DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%s\n", - sig->pubkey->hashes, pdkim_algos[sig->algo]); + DEBUG(D_acl) debug_printf("pubkey h=%s vs. sig a=%s_%s\n", + sig->pubkey->hashes, + pdkim_keytypes[sig->keytype], + pdkim_hashes[sig->hashtype].dkim_hashname); sig->verify_status = PDKIM_VERIFY_FAIL; sig->verify_ext_status = PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH; goto NEXT_VERIFY; @@ -1632,7 +1647,9 @@ RSA signing should be done. We use the same variant as the hash-method. */ /* Check the signature */ /*XXX needs extension for non-RSA */ - if ((*err = exim_dkim_verify(&vctx, is_sha1, &hhash, &sig->sighash))) + if ((*err = exim_dkim_verify(&vctx, + pdkim_hashes[sig->hashtype].exim_hashmethod, + &hhash, &sig->sighash))) { DEBUG(D_acl) debug_printf("headers verify: %s\n", *err); sig->verify_status = PDKIM_VERIFY_FAIL; @@ -1690,18 +1707,18 @@ return ctx; /* -------------------------------------------------------------------------- */ -/*XXX ? needs extension to cover non-RSA algo? Currently the "algo" is actually -the combo of algo and hash-method */ +/*XXX ? needs extension to cover non-RSA algo? */ DLLEXPORT pdkim_ctx * -pdkim_init_sign(char * domain, char * selector, char * rsa_privkey, int algo, - BOOL dot_stuffed, int(*dns_txt_callback)(char *, char *), +pdkim_init_sign(uschar * domain, uschar * selector, uschar * privkey, + uschar * hashname, BOOL dot_stuffed, int(*dns_txt_callback)(char *, char *), const uschar ** errstr) { +int hashtype; pdkim_ctx * ctx; pdkim_signature * sig; -if (!domain || !selector || !rsa_privkey) +if (!domain || !selector || !privkey) return NULL; ctx = store_get(sizeof(pdkim_ctx) + PDKIM_MAX_BODY_LINE_LEN + sizeof(pdkim_signature)); @@ -1720,14 +1737,23 @@ ctx->sig = sig; sig->domain = string_copy(US domain); sig->selector = string_copy(US selector); -sig->rsa_privkey = string_copy(US rsa_privkey); -sig->algo = algo; +sig->privkey = string_copy(US privkey); +/*XXX no keytype yet; comes from privkey */ -/*XXX extend for sha512 */ -if (!exim_sha_init(&sig->body_hash_ctx, - algo == PDKIM_ALGO_RSA_SHA1 ? HASH_SHA1 : HASH_SHA256)) +for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++) + if (Ustrcmp(hashname, pdkim_hashes[hashtype].dkim_hashname) == 0) + { sig->hashtype = hashtype; break; } +if (hashtype >= nelem(pdkim_hashes)) { - DEBUG(D_acl) debug_printf("PDKIM: hash setup internal error\n"); + DEBUG(D_acl) + debug_printf("PDKIM: unrecognised hashname '%s'\n", hashname); + return NULL; + } + +if (!exim_sha_init(&sig->body_hash_ctx, pdkim_hashes[hashtype].exim_hashmethod)) + { + DEBUG(D_acl) + debug_printf("PDKIM: hash setup error, possibly nonhandled hashtype\n"); return NULL; } diff --git a/src/src/pdkim/pdkim.h b/src/src/pdkim/pdkim.h index 176bc36e0..3c420ae63 100644 --- a/src/src/pdkim/pdkim.h +++ b/src/src/pdkim/pdkim.h @@ -63,14 +63,11 @@ /* Some parameter values */ #define PDKIM_QUERYMETHOD_DNS_TXT 0 -#define PDKIM_ALGO_RSA_SHA256 0 -#define PDKIM_ALGO_RSA_SHA1 1 - #define PDKIM_CANON_SIMPLE 0 #define PDKIM_CANON_RELAXED 1 -#define PDKIM_HASH_SHA256 0 -#define PDKIM_HASH_SHA1 1 +/*XXX change to enums */ +#define PDKIM_HASH_SHA256 1 #define PDKIM_KEYTYPE_RSA 0 @@ -122,9 +119,8 @@ typedef struct pdkim_signature { /* (v=) The version, as an integer. Currently, always "1" */ int version; - /* (a=) The signature algorithm. Either PDKIM_ALGO_RSA_SHA256 - or PDKIM_ALGO_RSA_SHA1 */ - int algo; + int keytype; /* PDKIM_KEYTYPE_RSA */ + int hashtype; /* pdkim_hashes index */ /* (c=x/) Header canonicalization method. Either PDKIM_CANON_SIMPLE or PDKIM_CANON_RELAXED */ @@ -239,7 +235,7 @@ typedef struct pdkim_signature { unsigned long signed_body_bytes; /* How many body bytes we hashed */ pdkim_stringlist *headers; /* Raw headers included in the sig */ /* Signing specific ------------------------------------------------- */ - uschar * rsa_privkey; /* Private RSA key */ + uschar * privkey; /* Private key */ uschar * sign_headers; /* To-be-signed header names */ uschar * rawsig_no_b_val; /* Original signature header w/o b= tag value. */ } pdkim_signature; @@ -287,7 +283,7 @@ extern "C" { void pdkim_init (void); DLLEXPORT -pdkim_ctx *pdkim_init_sign (char *, char *, char *, int, +pdkim_ctx *pdkim_init_sign (uschar *, uschar *, uschar *, uschar *, BOOL, int(*)(char *, char *), const uschar **); DLLEXPORT @@ -310,6 +306,8 @@ void pdkim_free_ctx (pdkim_ctx *); const uschar * pdkim_errstr(int); +uschar * dkim_sig_to_a_tag(pdkim_signature * sig); + #ifdef __cplusplus } #endif diff --git a/src/src/pdkim/pdkim_hash.h b/src/src/pdkim/pdkim_hash.h index 143cd19df..008f277b3 100644 --- a/src/src/pdkim/pdkim_hash.h +++ b/src/src/pdkim/pdkim_hash.h @@ -19,11 +19,11 @@ #include "../blob.h" #include "../hash.h" -#ifdef RSA_OPENSSL +#ifdef SIGN_OPENSSL # include <openssl/rsa.h> # include <openssl/ssl.h> # include <openssl/err.h> -#elif defined(RSA_GNUTLS) +#elif defined(SIGN_GNUTLS) # include <gnutls/gnutls.h> # include <gnutls/x509.h> #endif diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c index bcd64fdc4..ec68414c8 100644 --- a/src/src/pdkim/signing.c +++ b/src/src/pdkim/signing.c @@ -3,11 +3,7 @@ * * Copyright (C) 2016 Exim maintainers * - * RSA signing/verification interface -XXX rename interfaces to cover all signature methods. -the method (algo) needs to be extracted from the supplied private-key -and not only stashed as needed in the sign- or verify- context, but -indicated to caller for protocol tag construction. + * signing/verification interface */ #include "../exim.h" @@ -23,7 +19,7 @@ indicated to caller for protocol tag construction. /******************************************************************************/ -#ifdef RSA_GNUTLS +#ifdef SIGN_GNUTLS void exim_dkim_init(void) @@ -55,8 +51,8 @@ int rc; k.data = privkey_pem; k.size = strlen(privkey_pem); -if ( (rc = gnutls_x509_privkey_init(&sign_ctx->rsa)) != GNUTLS_E_SUCCESS - || (rc = gnutls_x509_privkey_import(sign_ctx->rsa, &k, +if ( (rc = gnutls_x509_privkey_init(&sign_ctx->key)) != GNUTLS_E_SUCCESS + || (rc = gnutls_x509_privkey_import(sign_ctx->key, &k, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS ) return gnutls_strerror(rc); @@ -74,33 +70,38 @@ sign hash. Return: NULL for success, or an error string */ const uschar * -exim_dkim_sign(es_ctx * sign_ctx, BOOL is_sha1, blob * data, blob * sig) +exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig) { +gnutls_digest_algorithm_t dig; gnutls_datum_t k; size_t sigsize = 0; int rc; const uschar * ret = NULL; +switch (hash) + { + case HASH_SHA1: dig = GNUTLS_DIG_SHA1; break; + case HASH_SHA2_256: dig = GNUTLS_DIG_SHA256; break; + case HASH_SHA2_512: dig = GNUTLS_DIG_SHA512; break; + default: return US"nonhandled hash type"; + } + /* Allocate mem for signature */ k.data = data->data; k.size = data->len; -(void) gnutls_x509_privkey_sign_data(sign_ctx->rsa, - is_sha1 ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, +(void) gnutls_x509_privkey_sign_data(sign_ctx->key, dig, 0, &k, NULL, &sigsize); sig->data = store_get(sigsize); sig->len = sigsize; /* Do signing */ -/*XXX will need extension for hash type; looks ok for non-RSA algos -so long as the privkey_import stage got them. */ -if ((rc = gnutls_x509_privkey_sign_data(sign_ctx->rsa, - is_sha1 ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, +if ((rc = gnutls_x509_privkey_sign_data(sign_ctx->key, dig, 0, &k, sig->data, &sigsize)) != GNUTLS_E_SUCCESS ) ret = gnutls_strerror(rc); -gnutls_x509_privkey_deinit(sign_ctx->rsa); +gnutls_x509_privkey_deinit(sign_ctx->key); return ret; } @@ -116,12 +117,12 @@ gnutls_datum_t k; int rc; const uschar * ret = NULL; -gnutls_pubkey_init(&verify_ctx->rsa); +gnutls_pubkey_init(&verify_ctx->key); k.data = pubkey_der->data; k.size = pubkey_der->len; -if ((rc = gnutls_pubkey_import(verify_ctx->rsa, &k, GNUTLS_X509_FMT_DER)) +if ((rc = gnutls_pubkey_import(verify_ctx->key, &k, GNUTLS_X509_FMT_DER)) != GNUTLS_E_SUCCESS) ret = gnutls_strerror(rc); return ret; @@ -132,31 +133,39 @@ return ret; Return: NULL for success, or an error string */ const uschar * -exim_dkim_verify(ev_ctx * verify_ctx, BOOL is_sha1, blob * data_hash, blob * sig) +exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig) { +gnutls_sign_algorithm_t algo; gnutls_datum_t k, s; int rc; const uschar * ret = NULL; +/*XXX needs extension for non-rsa */ +switch (hash) + { + case HASH_SHA1: algo = GNUTLS_SIGN_RSA_SHA1; break; + case HASH_SHA2_256: algo = GNUTLS_SIGN_RSA_SHA256; break; + case HASH_SHA2_512: algo = GNUTLS_SIGN_RSA_SHA512; break; + default: return US"nonhandled hash type"; + } + k.data = data_hash->data; k.size = data_hash->len; s.data = sig->data; s.size = sig->len; -if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->rsa, -/*XXX needs extension for SHA512 */ - is_sha1 ? GNUTLS_SIGN_RSA_SHA1 : GNUTLS_SIGN_RSA_SHA256, - 0, &k, &s)) < 0) +if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->key, algo, 0, &k, &s)) < 0) ret = gnutls_strerror(rc); -gnutls_pubkey_deinit(verify_ctx->rsa); +gnutls_pubkey_deinit(verify_ctx->key); return ret; } -#elif defined(RSA_GCRYPT) +#elif defined(SIGN_GCRYPT) /******************************************************************************/ +/* This variant is used under pre-3.0.0 GnuTLS. Only rsa-sha1 and rsa-sha256 */ /* Internal service routine: @@ -364,8 +373,9 @@ sign hash. Return: NULL for success, or an error string */ const uschar * -exim_dkim_sign(es_ctx * sign_ctx, BOOL is_sha1, blob * data, blob * sig) +exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig) { +BOOL is_sha1; gcry_sexp_t s_hash = NULL, s_key = NULL, s_sig = NULL; gcry_mpi_t m_sig; uschar * errstr; @@ -373,11 +383,18 @@ gcry_error_t gerr; /*XXX will need extension for hash types (though, possibly, should be re-specced to not rehash but take an already-hashed value? Actually -current impl looks WRONG - it _is_ given a has so should not be +current impl looks WRONG - it _is_ given a hash so should not be re-hashing. Has this been tested? Will need extension for non-RSA sugning algos. */ +switch (hash) + { + case HASH_SHA1: is_sha1 = TRUE; break; + case HASH_SHA2_256: is_sha1 = FALSE; break; + default: return US"nonhandled hash type"; + } + #define SIGSPACE 128 sig->data = store_get(SIGSPACE); @@ -512,7 +529,7 @@ DEBUG(D_acl) return string_sprintf("%s: %s", stage, asn1_strerror(rc)); Return: NULL for success, or an error string */ const uschar * -exim_dkim_verify(ev_ctx * verify_ctx, BOOL is_sha1, blob * data_hash, blob * sig) +exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig) { /* cf. libgnutls 2.8.5 _wrap_gcry_pk_verify() @@ -522,6 +539,13 @@ gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL; gcry_error_t gerr; uschar * stage; +switch (hash) + { + case HASH_SHA1: is_sha1 = TRUE; break; + case HASH_SHA2_256: is_sha1 = FALSE; break; + default: return US"nonhandled hash type"; + } + if ( (stage = US"pkey sexp build", gerr = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%m)(e%m)))", verify_ctx->n, verify_ctx->e)) @@ -557,7 +581,7 @@ return NULL; -#elif defined(RSA_OPENSSL) +#elif defined(SIGN_OPENSSL) /******************************************************************************/ void @@ -580,30 +604,10 @@ Return: NULL for success, or an error string */ const uschar * exim_dkim_signing_init(uschar * privkey_pem, es_ctx * sign_ctx) { -uschar * p, * q; -int len; - -/*XXX maybe use PEM_read_bio_PrivateKey() ??? -The sign_ctx would need to have an EVP_PKEY* */ - -/* Convert PEM to DER */ -if ( !(p = Ustrstr(privkey_pem, "-----BEGIN RSA PRIVATE KEY-----")) - || !(q = Ustrstr(p+=31, "-----END RSA PRIVATE KEY-----")) - ) - return US"Bad PEM wrapping"; - -*q = '\0'; -if ((len = b64decode(p, &p)) < 0) - return US"b64decode failed"; - -if (!(sign_ctx->rsa = d2i_RSAPrivateKey(NULL, CUSS &p, len))) - { - char ssl_errstring[256]; - ERR_load_crypto_strings(); /*XXX move to a startup routine */ - ERR_error_string(ERR_get_error(), ssl_errstring); - return string_copy(US ssl_errstring); - } +BIO * bp = BIO_new_mem_buf(privkey_pem, -1); +if (!(sign_ctx->key = PEM_read_bio_PrivateKey(bp, NULL, NULL, NULL))) + return ERR_error_string(ERR_get_error(), NULL); return NULL; } @@ -617,32 +621,37 @@ sign hash. Return: NULL for success, or an error string */ const uschar * -exim_dkim_sign(es_ctx * sign_ctx, BOOL is_sha1, blob * data, blob * sig) +exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig) { -uint len; -const uschar * ret = NULL; - -/*XXX will need extension for non-RSA signing algo. Maybe use -https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_sign.html ??? */ +const EVP_MD * md; +EVP_PKEY_CTX * ctx; +size_t siglen; -/* Allocate mem for signature */ -len = RSA_size(sign_ctx->rsa); -sig->data = store_get(len); -sig->len = len; +switch (hash) + { + case HASH_SHA1: md = EVP_sha1(); break; + case HASH_SHA2_256: md = EVP_sha256(); break; + case HASH_SHA2_512: md = EVP_sha512(); break; + default: return US"nonhandled hash type"; + } -/* Do signing */ -if (RSA_sign(is_sha1 ? NID_sha1 : NID_sha256, - CUS data->data, data->len, - US sig->data, &len, sign_ctx->rsa) != 1) +if ( (ctx = EVP_PKEY_CTX_new(sign_ctx->key, NULL)) + && EVP_PKEY_sign_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0 + && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0 + && EVP_PKEY_sign(ctx, NULL, &siglen, data->data, data->len) > 0 + ) { - char ssl_errstring[256]; - ERR_load_crypto_strings(); /*XXX move to a startup routine */ - ERR_error_string(ERR_get_error(), ssl_errstring); - ret = string_copy(US ssl_errstring); + /* Allocate mem for signature */ + sig->data = store_get(siglen); + sig->len = siglen; + + if (EVP_PKEY_sign(ctx, sig->data, &siglen, data->data, data->len) > 0) + { EVP_PKEY_CTX_free(ctx); return NULL; } } -RSA_free(sign_ctx->rsa); -return ret;; +if (ctx) EVP_PKEY_CTX_free(ctx); +return ERR_error_string(ERR_get_error(), NULL); } @@ -653,19 +662,13 @@ Return: NULL for success, or an error string */ const uschar * exim_dkim_verify_init(blob * pubkey_der, ev_ctx * verify_ctx) { -const uschar * p = CUS pubkey_der->data; -const uschar * ret = NULL; +const uschar * s = pubkey_der->data; -/*XXX d2i_X509_PUBKEY, X509_get_pubkey(), and an EVP_PKEY* in verify_ctx. */ +/*XXX hmm, we never free this */ -if (!(verify_ctx->rsa = d2i_RSA_PUBKEY(NULL, &p, (long) pubkey_der->len))) - { - char ssl_errstring[256]; - ERR_load_crypto_strings(); /*XXX move to a startup routine */ - ERR_error_string(ERR_get_error(), ssl_errstring); - ret = string_copy(CUS ssl_errstring); - } -return ret; +if ((verify_ctx->key = d2i_PUBKEY(NULL, &s, pubkey_der->len))) + return NULL; +return ERR_error_string(ERR_get_error(), NULL); } @@ -675,31 +678,34 @@ return ret; Return: NULL for success, or an error string */ const uschar * -exim_dkim_verify(ev_ctx * verify_ctx, BOOL is_sha1, blob * data_hash, blob * sig) +exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig) { -const uschar * ret = NULL; +const EVP_MD * md; +EVP_PKEY_CTX * ctx; -/*XXX needs extension for SHA512, Possibly EVP_PKEY_verify() is all we need??? */ -/* with EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) -- see example code at https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_verify.html -and maybe also EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) though unclear -if that only sets a pad/type field byte value, or sets up for an actual hash operation... -Same on the signing side. -https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_rsa_padding.html says it does what we want. */ - -if (RSA_verify(is_sha1 ? NID_sha1 : NID_sha256, - CUS data_hash->data, data_hash->len, - US sig->data, (uint) sig->len, verify_ctx->rsa) != 1) +switch (hash) { - char ssl_errstring[256]; - ERR_load_crypto_strings(); /*XXX move to a startup routine */ - ERR_error_string(ERR_get_error(), ssl_errstring); - ret = string_copy(US ssl_errstring); + case HASH_SHA1: md = EVP_sha1(); break; + case HASH_SHA2_256: md = EVP_sha256(); break; + case HASH_SHA2_512: md = EVP_sha512(); break; + default: return US"nonhandled hash type"; } -return ret; + +if ( (ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL)) + && EVP_PKEY_verify_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0 + && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0 + && EVP_PKEY_verify(ctx, sig->data, sig->len, + data_hash->data, data_hash->len) == 1 + ) + { EVP_PKEY_CTX_free(ctx); return NULL; } + +if (ctx) EVP_PKEY_CTX_free(ctx); +return ERR_error_string(ERR_get_error(), NULL); } + #endif /******************************************************************************/ diff --git a/src/src/pdkim/signing.h b/src/src/pdkim/signing.h index 4e8580859..04288103e 100644 --- a/src/src/pdkim/signing.h +++ b/src/src/pdkim/signing.h @@ -12,15 +12,15 @@ #include "crypt_ver.h" -#ifdef RSA_OPENSSL +#ifdef SIGN_OPENSSL # include <openssl/rsa.h> # include <openssl/ssl.h> # include <openssl/err.h> -#elif defined(RSA_GNUTLS) +#elif defined(SIGN_GNUTLS) # include <gnutls/gnutls.h> # include <gnutls/x509.h> # include <gnutls/abstract.h> -#elif defined(RSA_GCRYPT) +#elif defined(SIGN_GCRYPT) # include <gcrypt.h> # include <libtasn1.h> #endif @@ -28,29 +28,30 @@ #include "../blob.h" -#ifdef RSA_OPENSSL +#ifdef SIGN_OPENSSL typedef struct { - RSA * rsa; + EVP_PKEY * key; } es_ctx; typedef struct { - RSA * rsa; + EVP_PKEY * key; } ev_ctx; -#elif defined(RSA_GNUTLS) +#elif defined(SIGN_GNUTLS) typedef struct { - gnutls_x509_privkey_t rsa; + gnutls_x509_privkey_t key; } es_ctx; typedef struct { - gnutls_pubkey_t rsa; + gnutls_pubkey_t key; } ev_ctx; -#elif defined(RSA_GCRYPT) +#elif defined(SIGN_GCRYPT) typedef struct { + int keytype; gcry_mpi_t n; gcry_mpi_t e; gcry_mpi_t d; @@ -62,6 +63,7 @@ typedef struct { } es_ctx; typedef struct { + int keytype; gcry_mpi_t n; gcry_mpi_t e; } ev_ctx; diff --git a/src/src/structs.h b/src/src/structs.h index beea57f34..06fcd4188 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -872,6 +872,7 @@ struct ob_dkim { uschar *dkim_canon; uschar *dkim_sign_headers; uschar *dkim_strict; + uschar *dkim_hash; BOOL dot_stuffed; }; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index d8bc596fc..147dfdeaf 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -43,6 +43,8 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, dkim.dkim_canon) }, { "dkim_domain", opt_stringptr, (void *)offsetof(smtp_transport_options_block, dkim.dkim_domain) }, + { "dkim_hash", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, dkim.dkim_hash) }, { "dkim_private_key", opt_stringptr, (void *)offsetof(smtp_transport_options_block, dkim.dkim_private_key) }, { "dkim_selector", opt_stringptr, @@ -281,6 +283,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { .dkim_canon = NULL, .dkim_sign_headers = NULL, .dkim_strict = NULL, + .dkim_hash = US"sha256", .dot_stuffed = FALSE}, #endif }; |