};
struct rspamd_dkim_sign_key_s {
+ enum rspamd_dkim_sign_key_type type;
guint8 *keydata;
- guint keylen;
+ gsize keylen;
RSA *key_rsa;
BIO *key_bio;
EVP_PKEY *key_evp;
}
if (key->keydata && key->keylen > 0) {
- munmap (key->keydata, key->keylen);
+
+ if (key->type == RSPAMD_DKIM_SIGN_KEY_FILE) {
+ munmap (key->keydata, key->keylen);
+ }
+ else {
+ g_free (key->keydata);
+ }
}
g_slice_free1 (sizeof (rspamd_dkim_sign_key_t), key);
}
rspamd_dkim_sign_key_t*
-rspamd_dkim_sign_key_load (const gchar *path, GError **err)
+rspamd_dkim_sign_key_load (const gchar *what, gsize len,
+ enum rspamd_dkim_sign_key_type type,
+ GError **err)
{
gpointer map;
- gsize len = 0;
+ gsize map_len = 0;
rspamd_dkim_sign_key_t *nkey;
+ guint tmp;
- map = rspamd_file_xmap (path, PROT_READ, &len);
+ if (type == RSPAMD_DKIM_SIGN_KEY_FILE) {
+ gchar fpath[PATH_MAX];
- if (map == NULL) {
- g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
- "cannot map private key %s: %s",
- path, strerror (errno));
+ rspamd_snprintf (fpath, sizeof (fpath), "%*s", (gint)len, what);
+ map = rspamd_file_xmap (fpath, PROT_READ, &map_len);
- return NULL;
- }
+ if (map == NULL) {
+ g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
+ "cannot map private key %s: %s",
+ fpath, strerror (errno));
- nkey = g_slice_alloc0 (sizeof (*nkey));
- (void)mlock (map, len);
- nkey->keydata = map;
- nkey->keylen = len;
-
- nkey->key_bio = BIO_new_mem_buf (map, len);
-
- if (!PEM_read_bio_PrivateKey (nkey->key_bio, &nkey->key_evp, NULL, NULL)) {
- g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
- "cannot read private key from %s: %s",
- path, ERR_error_string (ERR_get_error (), NULL));
- rspamd_dkim_sign_key_free (nkey);
-
- return NULL;
- }
-
- nkey->key_rsa = EVP_PKEY_get1_RSA (nkey->key_evp);
- if (nkey->key_rsa == NULL) {
- g_set_error (err,
- DKIM_ERROR,
- DKIM_SIGERROR_KEYFAIL,
- "cannot extract rsa key from evp key");
- rspamd_dkim_sign_key_free (nkey);
-
- return NULL;
+ return NULL;
+ }
}
- REF_INIT_RETAIN (nkey, rspamd_dkim_sign_key_free);
-
- return nkey;
-}
-
-rspamd_dkim_sign_key_t*
-rspamd_dkim_sign_key_from_memory (const guchar *data,
- gsize len, GError **err)
-{
- rspamd_dkim_sign_key_t *nkey;
- gpointer map;
+ nkey = g_slice_alloc0 (sizeof (*nkey));
+ nkey->type = type;
+
+ switch (type) {
+ case RSPAMD_DKIM_SIGN_KEY_FILE:
+ (void)mlock (map, len);
+ nkey->keydata = map;
+ nkey->keylen = map_len;
+ break;
+ case RSPAMD_DKIM_SIGN_KEY_BASE64:
+ nkey->keydata = g_malloc (len);
+ nkey->keylen = len;
+
+ if (!rspamd_cryptobox_base64_decode (what, len, nkey->keydata,
+ &nkey->keylen)) {
+ g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
+ "cannot decode base64 encoded private key");
+ rspamd_dkim_sign_key_free (nkey);
- map = mmap (NULL, len, PROT_READ | PROT_WRITE,
- MAP_PRIVATE | MAP_ANON, -1, 0);
+ return NULL;
+ }
+ break;
+ case RSPAMD_DKIM_SIGN_KEY_DER:
+ case RSPAMD_DKIM_SIGN_KEY_PEM:
+ nkey->keydata = g_malloc (len);
+ memcpy (nkey->keydata, what, len);
+ nkey->keylen = len;
+ }
+
+ (void)mlock (nkey->keydata, nkey->keylen);
+ nkey->key_bio = BIO_new_mem_buf (nkey->keydata, nkey->keylen);
+
+ if (type == RSPAMD_DKIM_SIGN_KEY_DER || type == RSPAMD_DKIM_SIGN_KEY_BASE64) {
+ if (d2i_PrivateKey_bio (nkey->key_bio, &nkey->key_evp) == NULL) {
+ if (type == RSPAMD_DKIM_SIGN_KEY_FILE) {
+ g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
+ "cannot read private key from %*s: %s",
+ (gint)len, what,
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+ else {
+ g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
+ "cannot read private key from string: %s",
+ ERR_error_string (ERR_get_error (), NULL));
+ }
- if (map == MAP_FAILED) {
- g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
- "cannot map in-memory private key %s",
- strerror (errno));
+ rspamd_dkim_sign_key_free (nkey);
- return NULL;
+ return NULL;
+ }
}
+ else {
+ if (!PEM_read_bio_PrivateKey (nkey->key_bio, &nkey->key_evp, NULL, NULL)) {
+ if (type == RSPAMD_DKIM_SIGN_KEY_FILE) {
+ g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
+ "cannot read private key from %*s: %s",
+ (gint)len, what,
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+ else {
+ g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
+ "cannot read private key from string: %s",
+ ERR_error_string (ERR_get_error (), NULL));
+ }
- /* Initialize memory and set the appropriate access mode */
- memcpy (map, data, len);
- (void)mprotect (map, len, PROT_READ);
- (void)mlock (map, len);
-
- nkey = g_slice_alloc0 (sizeof (*nkey));
- nkey->keydata = map;
- nkey->keylen = len;
- nkey->key_bio = BIO_new_mem_buf (map, len);
-
- if (!PEM_read_bio_PrivateKey (nkey->key_bio, &nkey->key_evp, NULL, NULL)) {
- g_set_error (err, dkim_error_quark (), DKIM_SIGERROR_KEYFAIL,
- "cannot read private key from memory: %s",
- ERR_error_string (ERR_get_error (), NULL));
- rspamd_dkim_sign_key_free (nkey);
+ rspamd_dkim_sign_key_free (nkey);
- return NULL;
+ return NULL;
+ }
}
nkey->key_rsa = EVP_PKEY_get1_RSA (nkey->key_evp);
key, time (NULL));
if (dkim_key == NULL) {
- dkim_key = rspamd_dkim_sign_key_load (key, &err);
+ dkim_key = rspamd_dkim_sign_key_load (key, strlen (key),
+ RSPAMD_DKIM_SIGN_KEY_FILE, &err);
if (dkim_key == NULL) {
msg_err_task ("cannot load dkim key %s: %e",
hex_hash, time (NULL));
if (dkim_key == NULL) {
- dkim_key = rspamd_dkim_sign_key_from_memory (rawkey, rawlen, &err);
+ dkim_key = rspamd_dkim_sign_key_load (rawkey, rawlen,
+ RSPAMD_DKIM_SIGN_KEY_PEM, &err);
if (dkim_key == NULL) {
msg_err_task ("cannot load dkim key %s: %e",
struct rspamd_task **ptask;
gboolean sign = FALSE;
gint err_idx;
+ gsize len;
GString *tb, *hdr;
GError *err = NULL;
- const gchar *selector = NULL, *domain = NULL, *key = NULL;
+ const gchar *selector = NULL, *domain = NULL, *key = NULL, *type = NULL,
+ *lru_key;
rspamd_dkim_sign_context_t *ctx;
rspamd_dkim_sign_key_t *dkim_key;
+ enum rspamd_dkim_sign_key_type sign_type = RSPAMD_DKIM_SIGN_KEY_FILE;
+ guchar h[rspamd_cryptobox_HASHBYTES],
+ hex_hash[rspamd_cryptobox_HASHBYTES * 2 + 1];
if (dkim_module_ctx->sign_condition_ref != -1) {
sign = FALSE;
* - key
*/
if (!rspamd_lua_parse_table_arguments (L, -1, &err,
- "*key=S;*domain=S;*selector=S",
- &key, &domain, &selector)) {
+ "*key=V;*domain=S;*selector=S;type=S",
+ &len, &key, &domain, &selector, &type)) {
msg_err_task ("invalid return value from sign condition: %e",
err);
g_error_free (err);
return;
}
- dkim_key = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_sign_hash,
- key, time (NULL));
+ if (type) {
+ if (strcmp (type, "file") == 0) {
+ sign_type = RSPAMD_DKIM_SIGN_KEY_FILE;
+ }
+ else if (strcmp (type, "base64") == 0) {
+ sign_type = RSPAMD_DKIM_SIGN_KEY_BASE64;
+ }
+ else if (strcmp (type, "pem") == 0) {
+ sign_type = RSPAMD_DKIM_SIGN_KEY_PEM;
+ }
+ else if (strcmp (type, "der") == 0 ||
+ strcmp (type, "raw") == 0) {
+ sign_type = RSPAMD_DKIM_SIGN_KEY_DER;
+ }
+ }
+
+ if (sign_type == RSPAMD_DKIM_SIGN_KEY_FILE) {
+
+ dkim_key = rspamd_lru_hash_lookup (
+ dkim_module_ctx->dkim_sign_hash,
+ key, time (NULL));
+ lru_key = key;
+ }
+ else {
+ /* Prehash */
+ memset (hex_hash, 0, sizeof (hex_hash));
+ rspamd_cryptobox_hash (h, key, len, NULL, 0);
+ rspamd_encode_hex_buf (h, sizeof (h),
+ hex_hash, sizeof (hex_hash));
+ dkim_key = rspamd_lru_hash_lookup (
+ dkim_module_ctx->dkim_sign_hash,
+ hex_hash, time (NULL));
+ lru_key = hex_hash;
+ }
if (dkim_key == NULL) {
- dkim_key = rspamd_dkim_sign_key_load (key, &err);
+ dkim_key = rspamd_dkim_sign_key_load (key, len,
+ sign_type, &err);
if (dkim_key == NULL) {
msg_err_task ("cannot load dkim key %s: %e",
}
rspamd_lru_hash_insert (dkim_module_ctx->dkim_sign_hash,
- g_strdup (key), dkim_key,
+ g_strdup (lru_key), dkim_key,
time (NULL), 0);
}
hdr = rspamd_dkim_sign (task, selector, domain, 0, 0, ctx);
if (hdr) {
- rspamd_mempool_set_variable (task->task_pool, "dkim-signature",
+ rspamd_mempool_set_variable (task->task_pool,
+ "dkim-signature",
hdr, rspamd_gstring_free_hard);
}
projects / rspamd.git / commitdiff