summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/src/pdkim/signing.c31
1 files changed, 16 insertions, 15 deletions
diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c
index 77728bab1..5f270bfd4 100644
--- a/src/src/pdkim/signing.c
+++ b/src/src/pdkim/signing.c
@@ -338,6 +338,7 @@ if ( (s1 = as_mpi(&der, &sign_ctx->n))
)
return s1;
+#ifdef extreme_debug
DEBUG(D_acl) debug_printf_indent("rsa_signing_init:\n");
{
uschar * s;
@@ -358,6 +359,7 @@ DEBUG(D_acl) debug_printf_indent("rsa_signing_init:\n");
gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->qp);
debug_printf_indent(" QP: %s\n", s);
}
+#endif
return NULL;
asn_err: return US asn1_strerror(rc);
@@ -375,7 +377,7 @@ Return: NULL for success, or an error string */
const uschar *
exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
{
-BOOL is_sha1;
+char * sexp_hash;
gcry_sexp_t s_hash = NULL, s_key = NULL, s_sig = NULL;
gcry_mpi_t m_sig;
uschar * errstr;
@@ -390,8 +392,8 @@ Will need extension for non-RSA sugning algos. */
switch (hash)
{
- case HASH_SHA1: is_sha1 = TRUE; break;
- case HASH_SHA2_256: is_sha1 = FALSE; break;
+ case HASH_SHA1: sexp_hash = "(data(flags pkcs1)(hash sha1 %b))"; break;
+ case HASH_SHA2_256: sexp_hash = "(data(flags pkcs1)(hash sha256 %b))"; break;
default: return US"nonhandled hash type";
}
@@ -409,10 +411,7 @@ if ( (gerr = gcry_sexp_build (&s_key, NULL,
sign_ctx->n, sign_ctx->e,
sign_ctx->d, sign_ctx->p,
sign_ctx->q, sign_ctx->qp))
- || (gerr = gcry_sexp_build (&s_hash, NULL,
- is_sha1
- ? "(data(flags pkcs1)(hash sha1 %b))"
- : "(data(flags pkcs1)(hash sha256 %b))",
+ || (gerr = gcry_sexp_build (&s_hash, NULL, sexp_hash,
(int) data->len, CS data->data))
|| (gerr = gcry_pk_sign (&s_sig, s_hash, s_key))
)
@@ -426,12 +425,14 @@ if ( !(s_sig = gcry_sexp_find_token(s_sig, "s", 0))
m_sig = gcry_sexp_nth_mpi(s_sig, 1, GCRYMPI_FMT_USG);
+#ifdef extreme_debug
DEBUG(D_acl)
{
uschar * s;
gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, m_sig);
debug_printf_indent(" SG: %s\n", s);
}
+#endif
gerr = gcry_mpi_print(GCRYMPI_FMT_USG, sig->data, SIGSPACE, &sig->len, m_sig);
if (gerr)
@@ -508,6 +509,7 @@ if ( (errstr = as_mpi(pubkey_der, &verify_ctx->n))
)
return errstr;
+#ifdef extreme_debug
DEBUG(D_acl) debug_printf_indent("rsa_verify_init:\n");
{
uschar * s;
@@ -517,6 +519,7 @@ DEBUG(D_acl) debug_printf_indent("rsa_verify_init:\n");
debug_printf_indent(" E : %s\n", s);
}
+#endif
return NULL;
asn_err:
@@ -534,27 +537,25 @@ exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob *
/*
cf. libgnutls 2.8.5 _wrap_gcry_pk_verify()
*/
+char * sexp_hash;
gcry_mpi_t m_sig;
gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL;
gcry_error_t gerr;
uschar * stage;
+/*XXX needs extension for SHA512 */
switch (hash)
{
- case HASH_SHA1: is_sha1 = TRUE; break;
- case HASH_SHA2_256: is_sha1 = FALSE; break;
- default: return US"nonhandled hash type";
+ case HASH_SHA1: sexp_hash = "(data(flags pkcs1)(hash sha1 %b))"; break;
+ case HASH_SHA2_256: sexp_hash = "(data(flags pkcs1)(hash sha256 %b))"; break;
+ default: return US"nonhandled hash type";
}
if ( (stage = US"pkey sexp build",
gerr = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%m)(e%m)))",
verify_ctx->n, verify_ctx->e))
|| (stage = US"data sexp build",
- gerr = gcry_sexp_build (&s_hash, NULL,
-/*XXX needs extension for SHA512 */
- is_sha1
- ? "(data(flags pkcs1)(hash sha1 %b))"
- : "(data(flags pkcs1)(hash sha256 %b))",
+ gerr = gcry_sexp_build (&s_hash, NULL, sexp_hash,
(int) data_hash->len, CS data_hash->data))
|| (stage = US"sig mpi scan",
gerr = gcry_mpi_scan(&m_sig, GCRYMPI_FMT_USG, sig->data, sig->len, NULL))