aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@rspamd.com>2024-08-09 18:39:05 +0600
committerGitHub <noreply@github.com>2024-08-09 18:39:05 +0600
commit8996bc1e16da4ae6775415a7b668904211f0e22a (patch)
treec3a2cd1ccb3a4eae0571744d5e3b61cb67aa75fd
parent2b3ed07bca8c6e1afb2716a7dc933b8ba1bf3c6c (diff)
parent03aa3490726177fb3cf9da5b80f63dc9bf5993dc (diff)
downloadrspamd-8996bc1e16da4ae6775415a7b668904211f0e22a.tar.gz
rspamd-8996bc1e16da4ae6775415a7b668904211f0e22a.zip
Merge pull request #5099 from rspamd/vstakhov-remove-nist-cryptobox
Remove NIST mode from cryptobox
-rw-r--r--contrib/librdns/curve.c569
-rw-r--r--src/client/rspamdclient.c6
-rw-r--r--src/fuzzy_storage.c13
-rw-r--r--src/libcryptobox/cryptobox.c1107
-rw-r--r--src/libcryptobox/cryptobox.h93
-rw-r--r--src/libcryptobox/keypair.c268
-rw-r--r--src/libcryptobox/keypair.h31
-rw-r--r--src/libcryptobox/keypair_private.h46
-rw-r--r--src/libcryptobox/keypairs_cache.c27
-rw-r--r--src/libserver/cfg_rcl.cxx7
-rw-r--r--src/libserver/cfg_rcl.h3
-rw-r--r--src/libserver/dkim.c23
-rw-r--r--src/libserver/http/http_connection.c331
-rw-r--r--src/libserver/http/http_context.c3
-rw-r--r--src/libserver/logger/logger.c20
-rw-r--r--src/libserver/maps/map.c13
-rw-r--r--src/lua/lua_cryptobox.c154
-rw-r--r--src/lua/lua_http.c5
-rw-r--r--src/lua/lua_map.c3
-rw-r--r--src/plugins/fuzzy_check.c12
-rw-r--r--src/rspamadm/signtool.c37
-rw-r--r--src/rspamd_proxy.c4
-rw-r--r--test/rspamd_cryptobox_test.c57
-rw-r--r--test/rspamd_cxx_unit_cryptobox.hxx60
24 files changed, 823 insertions, 2069 deletions
diff --git a/contrib/librdns/curve.c b/contrib/librdns/curve.c
index 19ec2508c..9fc345fb5 100644
--- a/contrib/librdns/curve.c
+++ b/contrib/librdns/curve.c
@@ -1,4 +1,20 @@
/*
+ * Copyright 2024 Vsevolod Stakhov
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
* Copyright (c) 2014, Vsevolod Stakhov
*
* All rights reserved.
@@ -39,12 +55,11 @@
#include <tweetnacl.h>
-void
-randombytes(uint8_t *data, uint64_t len)
+void randombytes(uint8_t *data, uint64_t len)
{
- ottery_rand_bytes (data, len);
+ ottery_rand_bytes(data, len);
}
-void sodium_memzero (uint8_t *data, uint64_t len)
+void sodium_memzero(uint8_t *data, uint64_t len)
{
volatile uint8_t *p = data;
@@ -54,14 +69,13 @@ void sodium_memzero (uint8_t *data, uint64_t len)
}
void sodium_init(void)
{
-
}
-ssize_t rdns_curve_send (struct rdns_request *req, void *plugin_data);
-ssize_t rdns_curve_recv (struct rdns_io_channel *ioc, void *buf, size_t len,
- void *plugin_data, struct rdns_request **req_out);
-void rdns_curve_finish_request (struct rdns_request *req, void *plugin_data);
-void rdns_curve_dtor (struct rdns_resolver *resolver, void *plugin_data);
+ssize_t rdns_curve_send(struct rdns_request *req, void *plugin_data);
+ssize_t rdns_curve_recv(struct rdns_io_channel *ioc, void *buf, size_t len,
+ void *plugin_data, struct rdns_request **req_out);
+void rdns_curve_finish_request(struct rdns_request *req, void *plugin_data);
+void rdns_curve_dtor(struct rdns_resolver *resolver, void *plugin_data);
struct rdns_curve_entry {
char *name;
@@ -103,34 +117,36 @@ struct rdns_curve_ctx {
};
static struct rdns_curve_client_key *
-rdns_curve_client_key_new (struct rdns_curve_ctx *ctx)
+rdns_curve_client_key_new(struct rdns_curve_ctx *ctx)
{
struct rdns_curve_client_key *new;
struct rdns_curve_nm_entry *nm;
struct rdns_curve_entry *entry, *tmp;
- new = calloc (1, sizeof (struct rdns_curve_client_key));
- crypto_box_keypair (new->pk, new->sk);
+ new = calloc(1, sizeof(struct rdns_curve_client_key));
+ crypto_box_keypair(new->pk, new->sk);
- HASH_ITER (hh, ctx->entries, entry, tmp) {
- nm = calloc (1, sizeof (struct rdns_curve_nm_entry));
+ HASH_ITER(hh, ctx->entries, entry, tmp)
+ {
+ nm = calloc(1, sizeof(struct rdns_curve_nm_entry));
nm->entry = entry;
- crypto_box_beforenm (nm->k, entry->pk, new->sk);
+ crypto_box_beforenm(nm->k, entry->pk, new->sk);
- DL_APPEND (new->nms, nm);
+ DL_APPEND(new->nms, nm);
}
- new->counter = ottery_rand_uint64 ();
+ new->counter = ottery_rand_uint64();
return new;
}
static struct rdns_curve_nm_entry *
-rdns_curve_find_nm (struct rdns_curve_client_key *key, struct rdns_curve_entry *entry)
+rdns_curve_find_nm(struct rdns_curve_client_key *key, struct rdns_curve_entry *entry)
{
struct rdns_curve_nm_entry *nm;
- DL_FOREACH (key->nms, nm) {
+ DL_FOREACH(key->nms, nm)
+ {
if (nm->entry == entry) {
return nm;
}
@@ -140,67 +156,68 @@ rdns_curve_find_nm (struct rdns_curve_client_key *key, struct rdns_curve_entry *
}
static void
-rdns_curve_client_key_free (struct rdns_curve_client_key *key)
+rdns_curve_client_key_free(struct rdns_curve_client_key *key)
{
struct rdns_curve_nm_entry *nm, *tmp;
- DL_FOREACH_SAFE (key->nms, nm, tmp) {
- sodium_memzero (nm->k, sizeof (nm->k));
- free (nm);
+ DL_FOREACH_SAFE(key->nms, nm, tmp)
+ {
+ sodium_memzero(nm->k, sizeof(nm->k));
+ free(nm);
}
- sodium_memzero (key->sk, sizeof (key->sk));
- free (key);
+ sodium_memzero(key->sk, sizeof(key->sk));
+ free(key);
}
-struct rdns_curve_ctx*
-rdns_curve_ctx_new (double key_refresh_interval)
+struct rdns_curve_ctx *
+rdns_curve_ctx_new(double key_refresh_interval)
{
struct rdns_curve_ctx *new;
- new = calloc (1, sizeof (struct rdns_curve_ctx));
+ new = calloc(1, sizeof(struct rdns_curve_ctx));
new->key_refresh_interval = key_refresh_interval;
return new;
}
-void
-rdns_curve_ctx_add_key (struct rdns_curve_ctx *ctx,
- const char *name, const unsigned char *pubkey)
+void rdns_curve_ctx_add_key(struct rdns_curve_ctx *ctx,
+ const char *name, const unsigned char *pubkey)
{
struct rdns_curve_entry *entry;
bool success = true;
- entry = malloc (sizeof (struct rdns_curve_entry));
+ entry = malloc(sizeof(struct rdns_curve_entry));
if (entry != NULL) {
- entry->name = strdup (name);
+ entry->name = strdup(name);
if (entry->name == NULL) {
success = false;
}
- memcpy (entry->pk, pubkey, sizeof (entry->pk));
+ memcpy(entry->pk, pubkey, sizeof(entry->pk));
if (success) {
- HASH_ADD_KEYPTR (hh, ctx->entries, entry->name, strlen (entry->name), entry);
+ HASH_ADD_KEYPTR(hh, ctx->entries, entry->name, strlen(entry->name), entry);
}
}
}
-#define rdns_curve_write_hex(in, out, offset, base) do { \
- *(out) |= ((in)[(offset)] - (base)) << ((1 - offset) * 4); \
-} while (0)
+#define rdns_curve_write_hex(in, out, offset, base) \
+ do { \
+ *(out) |= ((in)[(offset)] - (base)) << ((1 - offset) * 4); \
+ } while (0)
static bool
-rdns_curve_hex_to_byte (const char *in, unsigned char *out)
+rdns_curve_hex_to_byte(const char *in, unsigned char *out)
{
int i;
- for (i = 0; i <= 1; i ++) {
+ for (i = 0; i <= 1; i++) {
if (in[i] >= '0' && in[i] <= '9') {
- rdns_curve_write_hex (in, out, i, '0');
+ rdns_curve_write_hex(in, out, i, '0');
}
else if (in[i] >= 'a' && in[i] <= 'f') {
- rdns_curve_write_hex (in, out, i, 'a' - 10);
+ rdns_curve_write_hex(in, out, i, 'a' - 10);
}
else if (in[i] >= 'A' && in[i] <= 'F') {
- rdns_curve_write_hex (in, out, i, 'A' - 10);
+ rdns_curve_write_hex(in, out, i, 'A' - 10);
}
else {
return false;
@@ -212,16 +229,16 @@ rdns_curve_hex_to_byte (const char *in, unsigned char *out)
#undef rdns_curve_write_hex
unsigned char *
-rdns_curve_key_from_hex (const char *hex)
+rdns_curve_key_from_hex(const char *hex)
{
- unsigned int len = strlen (hex), i;
+ unsigned int len = strlen(hex), i;
unsigned char *res = NULL;
if (len == crypto_box_PUBLICKEYBYTES * 2) {
- res = calloc (1, crypto_box_PUBLICKEYBYTES);
- for (i = 0; i < crypto_box_PUBLICKEYBYTES; i ++) {
- if (!rdns_curve_hex_to_byte (&hex[i * 2], &res[i])) {
- free (res);
+ res = calloc(1, crypto_box_PUBLICKEYBYTES);
+ for (i = 0; i < crypto_box_PUBLICKEYBYTES; i++) {
+ if (!rdns_curve_hex_to_byte(&hex[i * 2], &res[i])) {
+ free(res);
return NULL;
}
}
@@ -230,35 +247,34 @@ rdns_curve_key_from_hex (const char *hex)
return res;
}
-void
-rdns_curve_ctx_destroy (struct rdns_curve_ctx *ctx)
+void rdns_curve_ctx_destroy(struct rdns_curve_ctx *ctx)
{
struct rdns_curve_entry *entry, *tmp;
- HASH_ITER (hh, ctx->entries, entry, tmp) {
- free (entry->name);
- free (entry);
+ HASH_ITER(hh, ctx->entries, entry, tmp)
+ {
+ free(entry->name);
+ free(entry);
}
- free (ctx);
+ free(ctx);
}
static void
-rdns_curve_refresh_key_callback (void *user_data)
+rdns_curve_refresh_key_callback(void *user_data)
{
struct rdns_curve_ctx *ctx = user_data;
struct rdns_resolver *resolver;
resolver = ctx->resolver;
- rdns_info ("refresh dnscurve keys");
- REF_RELEASE (ctx->cur_key);
- ctx->cur_key = rdns_curve_client_key_new (ctx);
- REF_INIT_RETAIN (ctx->cur_key, rdns_curve_client_key_free);
+ rdns_info("refresh dnscurve keys");
+ REF_RELEASE(ctx->cur_key);
+ ctx->cur_key = rdns_curve_client_key_new(ctx);
+ REF_INIT_RETAIN(ctx->cur_key, rdns_curve_client_key_free);
}
-void
-rdns_curve_register_plugin (struct rdns_resolver *resolver,
- struct rdns_curve_ctx *ctx)
+void rdns_curve_register_plugin(struct rdns_resolver *resolver,
+ struct rdns_curve_ctx *ctx)
{
struct rdns_plugin *plugin;
@@ -266,7 +282,7 @@ rdns_curve_register_plugin (struct rdns_resolver *resolver,
return;
}
- plugin = calloc (1, sizeof (struct rdns_plugin));
+ plugin = calloc(1, sizeof(struct rdns_plugin));
if (plugin != NULL) {
plugin->data = ctx;
plugin->type = RDNS_PLUGIN_CURVE;
@@ -274,24 +290,24 @@ rdns_curve_register_plugin (struct rdns_resolver *resolver,
plugin->cb.curve_plugin.recv_cb = rdns_curve_recv;
plugin->cb.curve_plugin.finish_cb = rdns_curve_finish_request;
plugin->dtor = rdns_curve_dtor;
- sodium_init ();
- ctx->cur_key = rdns_curve_client_key_new (ctx);
- REF_INIT_RETAIN (ctx->cur_key, rdns_curve_client_key_free);
+ sodium_init();
+ ctx->cur_key = rdns_curve_client_key_new(ctx);
+ REF_INIT_RETAIN(ctx->cur_key, rdns_curve_client_key_free);
if (ctx->key_refresh_interval > 0) {
- ctx->key_refresh_event = resolver->async->add_periodic (
- resolver->async->data, ctx->key_refresh_interval,
- rdns_curve_refresh_key_callback, ctx);
+ ctx->key_refresh_event = resolver->async->add_periodic(
+ resolver->async->data, ctx->key_refresh_interval,
+ rdns_curve_refresh_key_callback, ctx);
}
ctx->resolver = resolver;
- rdns_resolver_register_plugin (resolver, plugin);
+ rdns_resolver_register_plugin(resolver, plugin);
}
}
ssize_t
-rdns_curve_send (struct rdns_request *req, void *plugin_data)
+rdns_curve_send(struct rdns_request *req, void *plugin_data)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
struct rdns_curve_entry *entry;
struct iovec iov[4];
unsigned char *m;
@@ -301,62 +317,62 @@ rdns_curve_send (struct rdns_request *req, void *plugin_data)
ssize_t ret, boxed_len;
/* Check for key */
- HASH_FIND_STR (ctx->entries, req->io->srv->name, entry);
+ HASH_FIND_STR(ctx->entries, req->io->srv->name, entry);
if (entry != NULL) {
- nm = rdns_curve_find_nm (ctx->cur_key, entry);
- creq = malloc (sizeof (struct rdns_curve_request));
+ nm = rdns_curve_find_nm(ctx->cur_key, entry);
+ creq = malloc(sizeof(struct rdns_curve_request));
if (creq == NULL) {
return -1;
}
boxed_len = req->pos + crypto_box_ZEROBYTES;
- m = malloc (boxed_len);
+ m = malloc(boxed_len);
if (m == NULL) {
return -1;
}
/* Ottery is faster than sodium native PRG that uses /dev/random only */
- memcpy (creq->nonce, &ctx->cur_key->counter, sizeof (uint64_t));
- ottery_rand_bytes (creq->nonce + sizeof (uint64_t), 12 - sizeof (uint64_t));
- sodium_memzero (creq->nonce + 12, crypto_box_NONCEBYTES - 12);
+ memcpy(creq->nonce, &ctx->cur_key->counter, sizeof(uint64_t));
+ ottery_rand_bytes(creq->nonce + sizeof(uint64_t), 12 - sizeof(uint64_t));
+ sodium_memzero(creq->nonce + 12, crypto_box_NONCEBYTES - 12);
- sodium_memzero (m, crypto_box_ZEROBYTES);
- memcpy (m + crypto_box_ZEROBYTES, req->packet, req->pos);
+ sodium_memzero(m, crypto_box_ZEROBYTES);
+ memcpy(m + crypto_box_ZEROBYTES, req->packet, req->pos);
- if (crypto_box_afternm (m, m, boxed_len,
- creq->nonce, nm->k) == -1) {
- sodium_memzero (m, boxed_len);
- free (m);
+ if (crypto_box_afternm(m, m, boxed_len,
+ creq->nonce, nm->k) == -1) {
+ sodium_memzero(m, boxed_len);
+ free(m);
return -1;
}
creq->key = ctx->cur_key;
- REF_RETAIN (ctx->cur_key);
+ REF_RETAIN(ctx->cur_key);
creq->entry = entry;
creq->req = req;
creq->nm = nm;
- HASH_ADD_KEYPTR (hh, ctx->requests, creq->nonce, 12, creq);
+ HASH_ADD_KEYPTR(hh, ctx->requests, creq->nonce, 12, creq);
req->curve_plugin_data = creq;
- ctx->cur_key->counter ++;
- ctx->cur_key->uses ++;
+ ctx->cur_key->counter++;
+ ctx->cur_key->uses++;
/* Now form a dnscurve packet */
- iov[0].iov_base = (void *)qmagic;
- iov[0].iov_len = sizeof (qmagic) - 1;
+ iov[0].iov_base = (void *) qmagic;
+ iov[0].iov_len = sizeof(qmagic) - 1;
iov[1].iov_base = ctx->cur_key->pk;
- iov[1].iov_len = sizeof (ctx->cur_key->pk);
+ iov[1].iov_len = sizeof(ctx->cur_key->pk);
iov[2].iov_base = creq->nonce;
iov[2].iov_len = 12;
iov[3].iov_base = m + crypto_box_BOXZEROBYTES;
iov[3].iov_len = boxed_len - crypto_box_BOXZEROBYTES;
- ret = writev (req->io->sock, iov, sizeof (iov) / sizeof (iov[0]));
- sodium_memzero (m, boxed_len);
- free (m);
+ ret = writev(req->io->sock, iov, sizeof(iov) / sizeof(iov[0]));
+ sodium_memzero(m, boxed_len);
+ free(m);
}
else {
- ret = write (req->io->sock, req->packet, req->pos);
+ ret = write(req->io->sock, req->packet, req->pos);
req->curve_plugin_data = NULL;
}
@@ -364,10 +380,10 @@ rdns_curve_send (struct rdns_request *req, void *plugin_data)
}
ssize_t
-rdns_curve_recv (struct rdns_io_channel *ioc, void *buf, size_t len, void *plugin_data,
- struct rdns_request **req_out)
+rdns_curve_recv(struct rdns_io_channel *ioc, void *buf, size_t len, void *plugin_data,
+ struct rdns_request **req_out)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
ssize_t ret, boxlen;
static const char rmagic[] = "R6fnvWJ8";
unsigned char *p, *box;
@@ -376,71 +392,69 @@ rdns_curve_recv (struct rdns_io_channel *ioc, void *buf, size_t len, void *plugi
struct rdns_resolver *resolver;
resolver = ctx->resolver;
- ret = read (ioc->sock, buf, len);
+ ret = read(ioc->sock, buf, len);
if (ret <= 0 || ret < 64) {
/* Definitely not a DNSCurve packet */
return ret;
}
- if (memcmp (buf, rmagic, sizeof (rmagic) - 1) == 0) {
+ if (memcmp(buf, rmagic, sizeof(rmagic) - 1) == 0) {
/* Likely DNSCurve packet */
- p = ((unsigned char *)buf) + 8;
- HASH_FIND (hh, ctx->requests, p, 12, creq);
+ p = ((unsigned char *) buf) + 8;
+ HASH_FIND(hh, ctx->requests, p, 12, creq);
if (creq == NULL) {
- rdns_info ("unable to find nonce in the internal hash");
+ rdns_info("unable to find nonce in the internal hash");
return ret;
}
- memcpy (enonce, p, crypto_box_NONCEBYTES);
+ memcpy(enonce, p, crypto_box_NONCEBYTES);
p += crypto_box_NONCEBYTES;
boxlen = ret - crypto_box_NONCEBYTES +
- crypto_box_BOXZEROBYTES -
- sizeof (rmagic) + 1;
+ crypto_box_BOXZEROBYTES -
+ sizeof(rmagic) + 1;
if (boxlen < 0) {
return ret;
}
- box = malloc (boxlen);
- sodium_memzero (box, crypto_box_BOXZEROBYTES);
- memcpy (box + crypto_box_BOXZEROBYTES, p,
- boxlen - crypto_box_BOXZEROBYTES);
-
- if (crypto_box_open_afternm (box, box, boxlen, enonce, creq->nm->k) != -1) {
- memcpy (buf, box + crypto_box_ZEROBYTES,
- boxlen - crypto_box_ZEROBYTES);
+ box = malloc(boxlen);
+ sodium_memzero(box, crypto_box_BOXZEROBYTES);
+ memcpy(box + crypto_box_BOXZEROBYTES, p,
+ boxlen - crypto_box_BOXZEROBYTES);
+
+ if (crypto_box_open_afternm(box, box, boxlen, enonce, creq->nm->k) != -1) {
+ memcpy(buf, box + crypto_box_ZEROBYTES,
+ boxlen - crypto_box_ZEROBYTES);
ret = boxlen - crypto_box_ZEROBYTES;
*req_out = creq->req;
}
else {
- rdns_info ("unable open cryptobox of size %d", (int)boxlen);
+ rdns_info("unable open cryptobox of size %d", (int) boxlen);
}
- free (box);
+ free(box);
}
return ret;
}
-void
-rdns_curve_finish_request (struct rdns_request *req, void *plugin_data)
+void rdns_curve_finish_request(struct rdns_request *req, void *plugin_data)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
struct rdns_curve_request *creq = req->curve_plugin_data;
if (creq != NULL) {
- REF_RELEASE (creq->key);
- HASH_DELETE (hh, ctx->requests, creq);
+ REF_RELEASE(creq->key);
+ HASH_DELETE(hh, ctx->requests, creq);
}
}
-void
-rdns_curve_dtor (struct rdns_resolver *resolver, void *plugin_data)
+void rdns_curve_dtor(struct rdns_resolver *resolver, void *plugin_data)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
if (ctx->key_refresh_event != NULL) {
- resolver->async->del_periodic (resolver->async->data,
- ctx->key_refresh_event);
+ resolver->async->del_periodic(resolver->async->data,
+ ctx->key_refresh_event);
}
- REF_RELEASE (ctx->cur_key);
+ REF_RELEASE(ctx->cur_key);
}
#elif defined(USE_RSPAMD_CRYPTOBOX)
@@ -454,13 +468,13 @@ rdns_curve_dtor (struct rdns_resolver *resolver, void *plugin_data)
#define crypto_box_BOXZEROBYTES 16
#endif
-ssize_t rdns_curve_send (struct rdns_request *req, void *plugin_data,
- struct sockaddr *saddr, socklen_t slen);
-ssize_t rdns_curve_recv (struct rdns_io_channel *ioc, void *buf, size_t len,
- void *plugin_data, struct rdns_request **req_out,
- struct sockaddr *saddr, socklen_t slen);
-void rdns_curve_finish_request (struct rdns_request *req, void *plugin_data);
-void rdns_curve_dtor (struct rdns_resolver *resolver, void *plugin_data);
+ssize_t rdns_curve_send(struct rdns_request *req, void *plugin_data,
+ struct sockaddr *saddr, socklen_t slen);
+ssize_t rdns_curve_recv(struct rdns_io_channel *ioc, void *buf, size_t len,
+ void *plugin_data, struct rdns_request **req_out,
+ struct sockaddr *saddr, socklen_t slen);
+void rdns_curve_finish_request(struct rdns_request *req, void *plugin_data);
+void rdns_curve_dtor(struct rdns_resolver *resolver, void *plugin_data);
struct rdns_curve_entry {
char *name;
@@ -502,35 +516,36 @@ struct rdns_curve_ctx {
};
static struct rdns_curve_client_key *
-rdns_curve_client_key_new (struct rdns_curve_ctx *ctx)
+rdns_curve_client_key_new(struct rdns_curve_ctx *ctx)
{
struct rdns_curve_client_key *new;
struct rdns_curve_nm_entry *nm;
struct rdns_curve_entry *entry, *tmp;
- new = calloc (1, sizeof (struct rdns_curve_client_key));
- rspamd_cryptobox_keypair (new->pk, new->sk, RSPAMD_CRYPTOBOX_MODE_25519);
+ new = calloc(1, sizeof(struct rdns_curve_client_key));
+ rspamd_cryptobox_keypair(new->pk, new->sk);
- HASH_ITER (hh, ctx->entries, entry, tmp) {
- nm = calloc (1, sizeof (struct rdns_curve_nm_entry));
+ HASH_ITER(hh, ctx->entries, entry, tmp)
+ {
+ nm = calloc(1, sizeof(struct rdns_curve_nm_entry));
nm->entry = entry;
- rspamd_cryptobox_nm (nm->k, entry->pk, new->sk,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ rspamd_cryptobox_nm(nm->k, entry->pk, new->sk);
- DL_APPEND (new->nms, nm);
+ DL_APPEND(new->nms, nm);
}
- new->counter = ottery_rand_uint64 ();
+ new->counter = ottery_rand_uint64();
return new;
}
static struct rdns_curve_nm_entry *
-rdns_curve_find_nm (struct rdns_curve_client_key *key, struct rdns_curve_entry *entry)
+rdns_curve_find_nm(struct rdns_curve_client_key *key, struct rdns_curve_entry *entry)
{
struct rdns_curve_nm_entry *nm;
- DL_FOREACH (key->nms, nm) {
+ DL_FOREACH(key->nms, nm)
+ {
if (nm->entry == entry) {
return nm;
}
@@ -540,68 +555,69 @@ rdns_curve_find_nm (struct rdns_curve_client_key *key, struct rdns_curve_entry *
}
static void
-rdns_curve_client_key_free (struct rdns_curve_client_key *key)
+rdns_curve_client_key_free(struct rdns_curve_client_key *key)
{
struct rdns_curve_nm_entry *nm, *tmp;
- DL_FOREACH_SAFE (key->nms, nm, tmp) {
- rspamd_explicit_memzero (nm->k, sizeof (nm->k));
- free (nm);
+ DL_FOREACH_SAFE(key->nms, nm, tmp)
+ {
+ rspamd_explicit_memzero(nm->k, sizeof(nm->k));
+ free(nm);
}
- rspamd_explicit_memzero (key->sk, sizeof (key->sk));
- free (key);
+ rspamd_explicit_memzero(key->sk, sizeof(key->sk));
+ free(key);
}
-struct rdns_curve_ctx*
-rdns_curve_ctx_new (double key_refresh_interval)
+struct rdns_curve_ctx *
+rdns_curve_ctx_new(double key_refresh_interval)
{
struct rdns_curve_ctx *new;
- new = calloc (1, sizeof (struct rdns_curve_ctx));
+ new = calloc(1, sizeof(struct rdns_curve_ctx));
new->key_refresh_interval = key_refresh_interval;
return new;
}
-void
-rdns_curve_ctx_add_key (struct rdns_curve_ctx *ctx,
- const char *name, const unsigned char *pubkey)
+void rdns_curve_ctx_add_key(struct rdns_curve_ctx *ctx,
+ const char *name, const unsigned char *pubkey)
{
struct rdns_curve_entry *entry;
bool success = true;
- entry = malloc (sizeof (struct rdns_curve_entry));
+ entry = malloc(sizeof(struct rdns_curve_entry));
if (entry != NULL) {
- entry->name = strdup (name);
+ entry->name = strdup(name);
if (entry->name == NULL) {
success = false;
}
- memcpy (entry->pk, pubkey, sizeof (entry->pk));
+ memcpy(entry->pk, pubkey, sizeof(entry->pk));
if (success) {
- HASH_ADD_KEYPTR (hh, ctx->entries, entry->name, strlen (entry->name), entry);
+ HASH_ADD_KEYPTR(hh, ctx->entries, entry->name, strlen(entry->name), entry);
}
}
}
-#define rdns_curve_write_hex(in, out, offset, base) do { \
- *(out) |= ((in)[(offset)] - (base)) << ((1 - offset) * 4); \
-} while (0)
+#define rdns_curve_write_hex(in, out, offset, base) \
+ do { \
+ *(out) |= ((in)[(offset)] - (base)) << ((1 - offset) * 4); \
+ } while (0)
static bool
-rdns_curve_hex_to_byte (const char *in, unsigned char *out)
+rdns_curve_hex_to_byte(const char *in, unsigned char *out)
{
int i;
- for (i = 0; i <= 1; i ++) {
+ for (i = 0; i <= 1; i++) {
if (in[i] >= '0' && in[i] <= '9') {
- rdns_curve_write_hex (in, out, i, '0');
+ rdns_curve_write_hex(in, out, i, '0');
}
else if (in[i] >= 'a' && in[i] <= 'f') {
- rdns_curve_write_hex (in, out, i, 'a' - 10);
+ rdns_curve_write_hex(in, out, i, 'a' - 10);
}
else if (in[i] >= 'A' && in[i] <= 'F') {
- rdns_curve_write_hex (in, out, i, 'A' - 10);
+ rdns_curve_write_hex(in, out, i, 'A' - 10);
}
else {
return false;
@@ -613,18 +629,18 @@ rdns_curve_hex_to_byte (const char *in, unsigned char *out)
#undef rdns_curve_write_hex
unsigned char *
-rdns_curve_key_from_hex (const char *hex)
+rdns_curve_key_from_hex(const char *hex)
{
- unsigned int len = strlen (hex), i;
+ unsigned int len = strlen(hex), i;
unsigned char *res = NULL;
- if (len == rspamd_cryptobox_pk_bytes (RSPAMD_CRYPTOBOX_MODE_25519) * 2) {
- res = calloc (1, rspamd_cryptobox_pk_bytes (RSPAMD_CRYPTOBOX_MODE_25519));
+ if (len == crypto_box_publickeybytes() * 2) {
+ res = calloc(1, crypto_box_publickeybytes());
for (i = 0;
- i < rspamd_cryptobox_pk_bytes (RSPAMD_CRYPTOBOX_MODE_25519);
- i ++) {
- if (!rdns_curve_hex_to_byte (&hex[i * 2], &res[i])) {
- free (res);
+ i < crypto_box_publickeybytes();
+ i++) {
+ if (!rdns_curve_hex_to_byte(&hex[i * 2], &res[i])) {
+ free(res);
return NULL;
}
}
@@ -633,35 +649,34 @@ rdns_curve_key_from_hex (const char *hex)
return res;
}
-void
-rdns_curve_ctx_destroy (struct rdns_curve_ctx *ctx)
+void rdns_curve_ctx_destroy(struct rdns_curve_ctx *ctx)
{
struct rdns_curve_entry *entry, *tmp;
- HASH_ITER (hh, ctx->entries, entry, tmp) {
- free (entry->name);
- free (entry);
+ HASH_ITER(hh, ctx->entries, entry, tmp)
+ {
+ free(entry->name);
+ free(entry);
}
- free (ctx);
+ free(ctx);
}
static void
-rdns_curve_refresh_key_callback (void *user_data)
+rdns_curve_refresh_key_callback(void *user_data)
{
struct rdns_curve_ctx *ctx = user_data;
struct rdns_resolver *resolver;
resolver = ctx->resolver;
- rdns_info ("refresh dnscurve keys");
- REF_RELEASE (ctx->cur_key);
- ctx->cur_key = rdns_curve_client_key_new (ctx);
- REF_INIT_RETAIN (ctx->cur_key, rdns_curve_client_key_free);
+ rdns_info("refresh dnscurve keys");
+ REF_RELEASE(ctx->cur_key);
+ ctx->cur_key = rdns_curve_client_key_new(ctx);
+ REF_INIT_RETAIN(ctx->cur_key, rdns_curve_client_key_free);
}
-void
-rdns_curve_register_plugin (struct rdns_resolver *resolver,
- struct rdns_curve_ctx *ctx)
+void rdns_curve_register_plugin(struct rdns_resolver *resolver,
+ struct rdns_curve_ctx *ctx)
{
struct rdns_plugin *plugin;
@@ -669,7 +684,7 @@ rdns_curve_register_plugin (struct rdns_resolver *resolver,
return;
}
- plugin = calloc (1, sizeof (struct rdns_plugin));
+ plugin = calloc(1, sizeof(struct rdns_plugin));
if (plugin != NULL) {
plugin->data = ctx;
plugin->type = RDNS_PLUGIN_CURVE;
@@ -677,24 +692,24 @@ rdns_curve_register_plugin (struct rdns_resolver *resolver,
plugin->cb.curve_plugin.recv_cb = rdns_curve_recv;
plugin->cb.curve_plugin.finish_cb = rdns_curve_finish_request;
plugin->dtor = rdns_curve_dtor;
- ctx->cur_key = rdns_curve_client_key_new (ctx);
- REF_INIT_RETAIN (ctx->cur_key, rdns_curve_client_key_free);
+ ctx->cur_key = rdns_curve_client_key_new(ctx);
+ REF_INIT_RETAIN(ctx->cur_key, rdns_curve_client_key_free);
if (ctx->key_refresh_interval > 0) {
- ctx->key_refresh_event = resolver->async->add_periodic (
- resolver->async->data, ctx->key_refresh_interval,
- rdns_curve_refresh_key_callback, ctx);
+ ctx->key_refresh_event = resolver->async->add_periodic(
+ resolver->async->data, ctx->key_refresh_interval,
+ rdns_curve_refresh_key_callback, ctx);
}
ctx->resolver = resolver;
- rdns_resolver_register_plugin (resolver, plugin);
+ rdns_resolver_register_plugin(resolver, plugin);
}
}
ssize_t
-rdns_curve_send (struct rdns_request *req, void *plugin_data,
- struct sockaddr *saddr, socklen_t slen)
+rdns_curve_send(struct rdns_request *req, void *plugin_data,
+ struct sockaddr *saddr, socklen_t slen)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
struct rdns_curve_entry *entry;
struct iovec iov[4];
unsigned char *m;
@@ -704,53 +719,52 @@ rdns_curve_send (struct rdns_request *req, void *plugin_data,
ssize_t ret, boxed_len;
/* Check for key */
- HASH_FIND_STR (ctx->entries, req->io->srv->name, entry);
+ HASH_FIND_STR(ctx->entries, req->io->srv->name, entry);
if (entry != NULL) {
- nm = rdns_curve_find_nm (ctx->cur_key, entry);
- creq = malloc (sizeof (struct rdns_curve_request));
+ nm = rdns_curve_find_nm(ctx->cur_key, entry);
+ creq = malloc(sizeof(struct rdns_curve_request));
if (creq == NULL) {
return -1;
}
boxed_len = req->pos + crypto_box_ZEROBYTES;
- m = malloc (boxed_len);
+ m = malloc(boxed_len);
if (m == NULL) {
free(creq);
return -1;
}
/* Ottery is faster than sodium native PRG that uses /dev/random only */
- memcpy (creq->nonce, &ctx->cur_key->counter, sizeof (uint64_t));
- ottery_rand_bytes (creq->nonce + sizeof (uint64_t), 12 - sizeof (uint64_t));
- rspamd_explicit_memzero (creq->nonce + 12,
- rspamd_cryptobox_nonce_bytes (RSPAMD_CRYPTOBOX_MODE_25519) - 12);
+ memcpy(creq->nonce, &ctx->cur_key->counter, sizeof(uint64_t));
+ ottery_rand_bytes(creq->nonce + sizeof(uint64_t), 12 - sizeof(uint64_t));
+ rspamd_explicit_memzero(creq->nonce + 12,
+ crypto_box_noncebytes() - 12);
- rspamd_explicit_memzero (m, crypto_box_ZEROBYTES);
- memcpy (m + crypto_box_ZEROBYTES, req->packet, req->pos);
+ rspamd_explicit_memzero(m, crypto_box_ZEROBYTES);
+ memcpy(m + crypto_box_ZEROBYTES, req->packet, req->pos);
- rspamd_cryptobox_encrypt_nm_inplace (m + crypto_box_ZEROBYTES,
- boxed_len,
- creq->nonce,
- nm->k,
- m,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ rspamd_cryptobox_encrypt_nm_inplace(m + crypto_box_ZEROBYTES,
+ boxed_len,
+ creq->nonce,
+ nm->k,
+ m);
creq->key = ctx->cur_key;
- REF_RETAIN (ctx->cur_key);
+ REF_RETAIN(ctx->cur_key);
creq->entry = entry;
creq->req = req;
creq->nm = nm;
- HASH_ADD_KEYPTR (hh, ctx->requests, creq->nonce, 12, creq);
+ HASH_ADD_KEYPTR(hh, ctx->requests, creq->nonce, 12, creq);
req->curve_plugin_data = creq;
- ctx->cur_key->counter ++;
- ctx->cur_key->uses ++;
+ ctx->cur_key->counter++;
+ ctx->cur_key->uses++;
/* Now form a dnscurve packet */
- iov[0].iov_base = (void *)qmagic;
- iov[0].iov_len = sizeof (qmagic) - 1;
+ iov[0].iov_base = (void *) qmagic;
+ iov[0].iov_len = sizeof(qmagic) - 1;
iov[1].iov_base = ctx->cur_key->pk;
- iov[1].iov_len = sizeof (ctx->cur_key->pk);
+ iov[1].iov_len = sizeof(ctx->cur_key->pk);
iov[2].iov_base = creq->nonce;
iov[2].iov_len = 12;
iov[3].iov_base = m + crypto_box_BOXZEROBYTES;
@@ -758,17 +772,17 @@ rdns_curve_send (struct rdns_request *req, void *plugin_data,
struct msghdr msg;
- memset (&msg, 0, sizeof (msg));
+ memset(&msg, 0, sizeof(msg));
msg.msg_namelen = slen;
msg.msg_name = saddr;
msg.msg_iov = iov;
- msg.msg_iovlen = sizeof (iov) / sizeof (iov[0]);
- ret = sendmsg (req->io->sock, &msg, 0);
- rspamd_explicit_memzero (m, boxed_len);
- free (m);
+ msg.msg_iovlen = sizeof(iov) / sizeof(iov[0]);
+ ret = sendmsg(req->io->sock, &msg, 0);
+ rspamd_explicit_memzero(m, boxed_len);
+ free(m);
}
else {
- ret = sendto (req->io->sock, req->packet, req->pos, 0, saddr, slen);
+ ret = sendto(req->io->sock, req->packet, req->pos, 0, saddr, slen);
req->curve_plugin_data = NULL;
}
@@ -776,10 +790,10 @@ rdns_curve_send (struct rdns_request *req, void *plugin_data,
}
ssize_t
-rdns_curve_recv (struct rdns_io_channel *ioc, void *buf, size_t len, void *plugin_data,
- struct rdns_request **req_out, struct sockaddr *saddr, socklen_t slen)
+rdns_curve_recv(struct rdns_io_channel *ioc, void *buf, size_t len, void *plugin_data,
+ struct rdns_request **req_out, struct sockaddr *saddr, socklen_t slen)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
ssize_t ret, boxlen;
static const char rmagic[] = "R6fnvWJ8";
unsigned char *p, *box;
@@ -788,102 +802,97 @@ rdns_curve_recv (struct rdns_io_channel *ioc, void *buf, size_t len, void *plugi
struct rdns_resolver *resolver;
resolver = ctx->resolver;
- ret = recv (ioc->sock, buf, len, 0);
+ ret = recv(ioc->sock, buf, len, 0);
if (ret <= 0 || ret < 64) {
/* Definitely not a DNSCurve packet */
return ret;
}
- if (memcmp (buf, rmagic, sizeof (rmagic) - 1) == 0) {
+ if (memcmp(buf, rmagic, sizeof(rmagic) - 1) == 0) {
/* Likely DNSCurve packet */
- p = ((unsigned char *)buf) + 8;
- HASH_FIND (hh, ctx->requests, p, 12, creq);
+ p = ((unsigned char *) buf) + 8;
+ HASH_FIND(hh, ctx->requests, p, 12, creq);
if (creq == NULL) {
- rdns_info ("unable to find nonce in the internal hash");
+ rdns_info("unable to find nonce in the internal hash");
return ret;
}
- memcpy (enonce, p, rspamd_cryptobox_nonce_bytes (RSPAMD_CRYPTOBOX_MODE_25519));
- p += rspamd_cryptobox_nonce_bytes (RSPAMD_CRYPTOBOX_MODE_25519);
- boxlen = ret - rspamd_cryptobox_nonce_bytes (RSPAMD_CRYPTOBOX_MODE_25519) +
- crypto_box_BOXZEROBYTES -
- sizeof (rmagic) + 1;
+ memcpy(enonce, p, crypto_box_noncebytes());
+ p += crypto_box_noncebytes();
+ boxlen = ret - crypto_box_noncebytes() +
+ crypto_box_BOXZEROBYTES -
+ sizeof(rmagic) + 1;
if (boxlen < 0) {
return ret;
}
- box = malloc (boxlen);
- rspamd_explicit_memzero (box, crypto_box_BOXZEROBYTES);
- memcpy (box + crypto_box_BOXZEROBYTES, p,
- boxlen - crypto_box_BOXZEROBYTES);
-
- if (!rspamd_cryptobox_decrypt_nm_inplace (
- box + rspamd_cryptobox_mac_bytes (RSPAMD_CRYPTOBOX_MODE_25519),
- boxlen - rspamd_cryptobox_mac_bytes (RSPAMD_CRYPTOBOX_MODE_25519),
- enonce, creq->nm->k, box, RSPAMD_CRYPTOBOX_MODE_25519)) {
- memcpy (buf, box + crypto_box_ZEROBYTES,
- boxlen - crypto_box_ZEROBYTES);
+ box = malloc(boxlen);
+ rspamd_explicit_memzero(box, crypto_box_BOXZEROBYTES);
+ memcpy(box + crypto_box_BOXZEROBYTES, p,
+ boxlen - crypto_box_BOXZEROBYTES);
+
+ if (!rspamd_cryptobox_decrypt_nm_inplace(
+ box + crypto_box_macbytes(),
+ boxlen - crypto_box_macbytes(),
+ enonce, creq->nm->k, box)) {
+ memcpy(buf, box + crypto_box_ZEROBYTES,
+ boxlen - crypto_box_ZEROBYTES);
ret = boxlen - crypto_box_ZEROBYTES;
*req_out = creq->req;
}
else {
- rdns_info ("unable open cryptobox of size %d", (int)boxlen);
+ rdns_info("unable open cryptobox of size %d", (int) boxlen);
}
- free (box);
+ free(box);
}
return ret;
}
-void
-rdns_curve_finish_request (struct rdns_request *req, void *plugin_data)
+void rdns_curve_finish_request(struct rdns_request *req, void *plugin_data)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
struct rdns_curve_request *creq = req->curve_plugin_data;
if (creq != NULL) {
- REF_RELEASE (creq->key);
- HASH_DELETE (hh, ctx->requests, creq);
+ REF_RELEASE(creq->key);
+ HASH_DELETE(hh, ctx->requests, creq);
}
}
-void
-rdns_curve_dtor (struct rdns_resolver *resolver, void *plugin_data)
+void rdns_curve_dtor(struct rdns_resolver *resolver, void *plugin_data)
{
- struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *)plugin_data;
+ struct rdns_curve_ctx *ctx = (struct rdns_curve_ctx *) plugin_data;
if (ctx->key_refresh_event != NULL) {
- resolver->async->del_periodic (resolver->async->data,
- ctx->key_refresh_event);
+ resolver->async->del_periodic(resolver->async->data,
+ ctx->key_refresh_event);
}
- REF_RELEASE (ctx->cur_key);
+ REF_RELEASE(ctx->cur_key);
}
#else
/* Fake functions */
-struct rdns_curve_ctx* rdns_curve_ctx_new (double rekey_interval)
+struct rdns_curve_ctx *rdns_curve_ctx_new(double rekey_interval)
{
return NULL;
}
-void rdns_curve_ctx_add_key (struct rdns_curve_ctx *ctx,
- const char *name, const unsigned char *pubkey)
+void rdns_curve_ctx_add_key(struct rdns_curve_ctx *ctx,
+ const char *name, const unsigned char *pubkey)
{
-
}
-void rdns_curve_ctx_destroy (struct rdns_curve_ctx *ctx)
+void rdns_curve_ctx_destroy(struct rdns_curve_ctx *ctx)
{
-
}
-void rdns_curve_register_plugin (struct rdns_resolver *resolver,
- struct rdns_curve_ctx *ctx)
+void rdns_curve_register_plugin(struct rdns_resolver *resolver,
+ struct rdns_curve_ctx *ctx)
{
-
}
unsigned char *
-rdns_curve_key_from_hex (const char *hex)
+rdns_curve_key_from_hex(const char *hex)
{
return NULL;
}
diff --git a/src/client/rspamdclient.c b/src/client/rspamdclient.c
index 2b8d0e9bb..bcb3cf67c 100644
--- a/src/client/rspamdclient.c
+++ b/src/client/rspamdclient.c
@@ -302,12 +302,10 @@ rspamd_client_init(struct rspamd_http_context *http_ctx,
conn->timeout = timeout;
if (key) {
- conn->key = rspamd_pubkey_from_base32(key, 0, RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ conn->key = rspamd_pubkey_from_base32(key, 0, RSPAMD_KEYPAIR_KEX);
if (conn->key) {
- conn->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ conn->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX);
rspamd_http_connection_set_key(conn->http_conn, conn->keypair);
}
else {
diff --git a/src/fuzzy_storage.c b/src/fuzzy_storage.c
index 445289511..5fd3303dc 100644
--- a/src/fuzzy_storage.c
+++ b/src/fuzzy_storage.c
@@ -1088,8 +1088,7 @@ rspamd_fuzzy_make_reply(struct rspamd_fuzzy_cmd *cmd,
len,
session->reply.hdr.nonce,
session->nm,
- session->reply.hdr.mac,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ session->reply.hdr.mac);
}
else if (default_disabled) {
/* Hash is from a forbidden flag by default, and there is no encryption override */
@@ -1668,8 +1667,7 @@ rspamd_fuzzy_decrypt_command(struct fuzzy_session *s, unsigned char *buf, gsize
}
/* Now process the remote pubkey */
- rk = rspamd_pubkey_from_bin(hdr.pubkey, sizeof(hdr.pubkey),
- RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519);
+ rk = rspamd_pubkey_from_bin(hdr.pubkey, sizeof(hdr.pubkey), RSPAMD_KEYPAIR_KEX);
if (rk == NULL) {
msg_err("bad key; ip=%s",
@@ -1683,7 +1681,7 @@ rspamd_fuzzy_decrypt_command(struct fuzzy_session *s, unsigned char *buf, gsize
/* Now decrypt request */
if (!rspamd_cryptobox_decrypt_nm_inplace(buf, buflen, hdr.nonce,
rspamd_pubkey_get_nm(rk, key->key),
- hdr.mac, RSPAMD_CRYPTOBOX_MODE_25519)) {
+ hdr.mac)) {
msg_err("decryption failed; ip=%s",
rspamd_inet_address_to_string(s->addr));
rspamd_pubkey_unref(rk);
@@ -2771,8 +2769,7 @@ fuzzy_add_keypair_from_ucl(const ucl_object_t *obj, khash_t(rspamd_fuzzy_keys_ha
return NULL;
}
- if (rspamd_keypair_alg(kp) != RSPAMD_CRYPTOBOX_MODE_25519 ||
- rspamd_keypair_type(kp) != RSPAMD_KEYPAIR_KEX) {
+ if (rspamd_keypair_type(kp) != RSPAMD_KEYPAIR_KEX) {
return FALSE;
}
@@ -2837,7 +2834,7 @@ fuzzy_add_keypair_from_ucl(const ucl_object_t *obj, khash_t(rspamd_fuzzy_keys_ha
}
}
- msg_debug("loaded keypair %*bs", rspamd_cryptobox_pk_bytes(RSPAMD_CRYPTOBOX_MODE_25519), pk);
+ msg_debug("loaded keypair %*bs", crypto_box_publickeybytes(), pk);
return key;
}
diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c
index e47209963..eeeed020c 100644
--- a/src/libcryptobox/cryptobox.c
+++ b/src/libcryptobox/cryptobox.c
@@ -38,24 +38,8 @@
#endif
#ifdef HAVE_OPENSSL
#include <openssl/opensslv.h>
-/* Openssl >= 1.0.1d is required for GCM verification */
-#if OPENSSL_VERSION_NUMBER >= 0x1000104fL
-#define HAVE_USABLE_OPENSSL 1
-#endif
-#endif
-
-#ifdef HAVE_USABLE_OPENSSL
#include <openssl/evp.h>
-#include <openssl/ec.h>
-#include <openssl/ecdh.h>
-#include <openssl/ecdsa.h>
-#include <openssl/rand.h>
-#include <openssl/engine.h>
-#if OPENSSL_VERSION_MAJOR >= 3
-#include <openssl/param_build.h>
-#include <openssl/core.h>
-#endif
-#define CRYPTOBOX_CURVE_NID NID_X9_62_prime256v1
+#include <openssl/rsa.h>
#endif
#include <signal.h>
@@ -329,383 +313,44 @@ void rspamd_cryptobox_deinit(struct rspamd_cryptobox_library_ctx *ctx)
}
}
-void rspamd_cryptobox_keypair(rspamd_pk_t pk, rspamd_sk_t sk,
- enum rspamd_cryptobox_mode mode)
+void rspamd_cryptobox_keypair(rspamd_pk_t pk, rspamd_sk_t sk)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- ottery_rand_bytes(sk, rspamd_cryptobox_MAX_SKBYTES);
- sk[0] &= 248;
- sk[31] &= 127;
- sk[31] |= 64;
+ ottery_rand_bytes(sk, rspamd_cryptobox_MAX_SKBYTES);
+ sk[0] &= 248;
+ sk[31] &= 127;
+ sk[31] |= 64;
- crypto_scalarmult_base(pk, sk);
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
-
- gsize len;
-#if OPENSSL_VERSION_MAJOR >= 3
- OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
- EVP_PKEY *pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", EC_curve_nid2nist(CRYPTOBOX_CURVE_NID));
- g_assert(pkey != NULL);
-
- BIGNUM *bn = NULL;
- g_assert(EVP_PKEY_get_bn_param(pkey, "priv", &bn) == 1);
-
- len = BN_num_bytes(bn);
- g_assert(len <= (int) rspamd_cryptobox_sk_bytes(RSPAMD_CRYPTOBOX_MODE_NIST));
- BN_bn2bin(bn, sk);
-
- /*
- * Welcome to the world of the OpenSSL:
- *
- * Note, in particular, that the choice of point compression format used for encoding the exported value via
- * EVP_PKEY_todata() depends on the underlying provider implementation.
- * Before OpenSSL 3.0.8, the implementation of providers included with OpenSSL always opted for an encoding in
- * compressed format, unconditionally.
- * Since OpenSSL 3.0.8, the implementation has been changed to honor the OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT
- * parameter, if set, or to default to uncompressed format.
- *
- * Of course, we cannot use compressed EC points, so we need to manually reconstruct them from `0x04 || x || y`
- */
- pk[0] = POINT_CONVERSION_UNCOMPRESSED;
- g_assert(EVP_PKEY_get_bn_param(pkey, "qx", &bn) == 1);
- g_assert(BN_num_bytes(bn) == 32);
- BN_bn2bin(bn, pk + 1);
- g_assert(EVP_PKEY_get_bn_param(pkey, "qy", &bn) == 1);
- g_assert(BN_num_bytes(bn) == 32);
- BN_bn2bin(bn, pk + 33);
- BN_free(bn);
-
- EVP_PKEY_free(pkey);
- OSSL_LIB_CTX_free(libctx);
-#else
- const EC_POINT *ec_pub;
- const EC_GROUP *group;
- const BIGNUM *bn_sec;
-
- EC_KEY *ec_sec;
-
- ec_sec = EC_KEY_new_by_curve_name(CRYPTOBOX_CURVE_NID);
- g_assert(ec_sec != NULL);
- g_assert(EC_KEY_generate_key(ec_sec) != 0);
-
- bn_sec = EC_KEY_get0_private_key(ec_sec);
- g_assert(bn_sec != NULL);
- ec_pub = EC_KEY_get0_public_key(ec_sec);
- g_assert(ec_pub != NULL);
-
- group = EC_KEY_get0_group(ec_sec);
- BIGNUM *bn_pub;
- bn_pub = EC_POINT_point2bn(group,
- ec_pub, POINT_CONVERSION_UNCOMPRESSED, NULL, NULL);
- len = BN_num_bytes(bn_pub);
- g_assert(len <= (int) rspamd_cryptobox_pk_bytes(mode));
- BN_bn2bin(bn_pub, pk);
- BN_free(bn_pub);
- EC_KEY_free(ec_sec);
-
- len = BN_num_bytes(bn_sec);
- g_assert(len <= (int) rspamd_cryptobox_sk_bytes(RSPAMD_CRYPTOBOX_MODE_NIST));
- BN_bn2bin(bn_sec, sk);
-#endif
-#endif
- }
+ crypto_scalarmult_base(pk, sk);
}
-void rspamd_cryptobox_keypair_sig(rspamd_sig_pk_t pk, rspamd_sig_sk_t sk,
- enum rspamd_cryptobox_mode mode)
+void rspamd_cryptobox_keypair_sig(rspamd_sig_pk_t pk, rspamd_sig_sk_t sk)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_sign_keypair(pk, sk);
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
-
- size_t len;
-#if OPENSSL_VERSION_MAJOR >= 3
- OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
- EVP_PKEY *pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", EC_curve_nid2nist(CRYPTOBOX_CURVE_NID));
- g_assert(pkey != NULL);
-
- BIGNUM *bn = NULL;
- g_assert(EVP_PKEY_get_bn_param(pkey, "priv", &bn) == 1);
-
- len = BN_num_bytes(bn);
- g_assert(len <= (int) sizeof(rspamd_sig_sk_t));
- BN_bn2bin(bn, sk);
-
- /* Use the same logic as above */
- pk[0] = POINT_CONVERSION_UNCOMPRESSED;
- g_assert(EVP_PKEY_get_bn_param(pkey, "qx", &bn) == 1);
- g_assert(BN_num_bytes(bn) == 32);
- BN_bn2bin(bn, pk + 1);
- g_assert(EVP_PKEY_get_bn_param(pkey, "qy", &bn) == 1);
- g_assert(BN_num_bytes(bn) == 32);
- BN_bn2bin(bn, pk + 33);
- BN_free(bn);
-
- EVP_PKEY_free(pkey);
- OSSL_LIB_CTX_free(libctx);
-#else
- EC_KEY *ec_sec;
- const BIGNUM *bn_sec;
- const EC_POINT *ec_pub;
- const EC_GROUP *group;
-
- ec_sec = EC_KEY_new_by_curve_name(CRYPTOBOX_CURVE_NID);
- g_assert(ec_sec != NULL);
- g_assert(EC_KEY_generate_key(ec_sec) != 0);
-
- bn_sec = EC_KEY_get0_private_key(ec_sec);
- g_assert(bn_sec != NULL);
- ec_pub = EC_KEY_get0_public_key(ec_sec);
- g_assert(ec_pub != NULL);
-
- group = EC_KEY_get0_group(ec_sec);
-
- BIGNUM *bn_pub;
- bn_pub = EC_POINT_point2bn(group, ec_pub, POINT_CONVERSION_UNCOMPRESSED, NULL, NULL);
- len = BN_num_bytes(bn_pub);
- g_assert(len <= (int) rspamd_cryptobox_pk_sig_bytes(mode));
- BN_bn2bin(bn_pub, pk);
- BN_free(bn_pub);
-
- len = BN_num_bytes(bn_sec);
- g_assert(len <= (int) sizeof(rspamd_sig_sk_t));
- BN_bn2bin(bn_sec, sk);
-
- EC_KEY_free(ec_sec);
-#endif
-
-#endif
- }
+ crypto_sign_keypair(pk, sk);
}
-#if OPENSSL_VERSION_MAJOR >= 3
-/* Compatibility function for OpenSSL 3.0 - thanks for breaking all API one more time */
-EC_POINT *ec_point_bn2point_compat(const EC_GROUP *group,
- const BIGNUM *bn, EC_POINT *point, BN_CTX *ctx)
-{
- size_t buf_len = 0;
- unsigned char *buf;
- EC_POINT *ret;
-
- if ((buf_len = BN_num_bytes(bn)) == 0)
- buf_len = 1;
- if ((buf = OPENSSL_malloc(buf_len)) == NULL) {
- return NULL;
- }
-
- if (!BN_bn2binpad(bn, buf, buf_len)) {
- OPENSSL_free(buf);
- return NULL;
- }
-
- if (point == NULL) {
- if ((ret = EC_POINT_new(group)) == NULL) {
- OPENSSL_free(buf);
- return NULL;
- }
- }
- else
- ret = point;
-
- if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx)) {
- if (ret != point)
- EC_POINT_clear_free(ret);
- OPENSSL_free(buf);
- return NULL;
- }
-
- OPENSSL_free(buf);
- return ret;
-}
-#else
-#define ec_point_bn2point_compat EC_POINT_bn2point
-#endif
-
void rspamd_cryptobox_nm(rspamd_nm_t nm,
- const rspamd_pk_t pk, const rspamd_sk_t sk,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_pk_t pk, const rspamd_sk_t sk)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- unsigned char s[32];
- unsigned char e[32];
-
- memcpy(e, sk, 32);
- e[0] &= 248;
- e[31] &= 127;
- e[31] |= 64;
-
- if (crypto_scalarmult(s, e, pk) != -1) {
- hchacha(s, n0, nm, 20);
- }
-
- rspamd_explicit_memzero(e, 32);
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- unsigned char s[32];
-
-#if OPENSSL_VERSION_MAJOR >= 3
- EVP_PKEY *sec_pkey = NULL;
- EVP_PKEY *pub_pkey = NULL;
- OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL);
- EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL);
- OSSL_PARAM param[3];
+ unsigned char s[32];
+ unsigned char e[32];
- param[0] = OSSL_PARAM_construct_utf8_string("group", "P-256", 0);
- param[1] = OSSL_PARAM_construct_BN("priv", (void *) sk, rspamd_cryptobox_sk_bytes(mode));
- param[2] = OSSL_PARAM_construct_end();
-
- g_assert(EVP_PKEY_fromdata_init(pctx) == 1);
- g_assert(EVP_PKEY_fromdata(pctx, &sec_pkey, EVP_PKEY_KEYPAIR, param) == 1);
- EVP_PKEY_CTX_free(pctx);
- pctx = EVP_PKEY_CTX_new_from_pkey(libctx, sec_pkey, NULL);
-
- param[0] = OSSL_PARAM_construct_utf8_string("group", "P-256", 0);
- param[1] = OSSL_PARAM_construct_octet_string("pub", (void *) pk, rspamd_cryptobox_pk_bytes(mode));
- param[2] = OSSL_PARAM_construct_end();
-
- g_assert(EVP_PKEY_fromdata_init(dctx) == 1);
- g_assert(EVP_PKEY_fromdata(dctx, &pub_pkey, EVP_PKEY_PUBLIC_KEY, param) == 1);
-
- g_assert(EVP_PKEY_derive_init(pctx) == 1);
-
- g_assert(EVP_PKEY_derive_set_peer(pctx, pub_pkey) == 1);
-
- size_t s_len = sizeof(s);
- g_assert(EVP_PKEY_derive(pctx, s, &s_len) == 1);
-
- EVP_PKEY_CTX_free(pctx);
- EVP_PKEY_free(pub_pkey);
- EVP_PKEY_free(sec_pkey);
- OSSL_LIB_CTX_free(libctx);
-#else
- //g_error(ERR_error_string(ERR_get_error(), NULL));
- int len;
- EC_KEY *lk;
- EC_POINT *ec_pub;
- BIGNUM *bn_pub, *bn_sec;
+ memcpy(e, sk, 32);
+ e[0] &= 248;
+ e[31] &= 127;
+ e[31] |= 64;
- lk = EC_KEY_new_by_curve_name(CRYPTOBOX_CURVE_NID);
- g_assert(lk != NULL);
-
- bn_pub = BN_bin2bn(pk, rspamd_cryptobox_pk_bytes(mode), NULL);
- g_assert(bn_pub != NULL);
- bn_sec = BN_bin2bn(sk, sizeof(rspamd_sk_t), NULL);
- g_assert(bn_sec != NULL);
-
- g_assert(EC_KEY_set_private_key(lk, bn_sec) == 1);
- ec_pub = ec_point_bn2point_compat(EC_KEY_get0_group(lk), bn_pub, NULL, NULL);
- g_assert(ec_pub != NULL);
-
- len = ECDH_compute_key(s, sizeof(s), ec_pub, lk, NULL);
- g_assert(len == sizeof(s));
-
- EC_KEY_free(lk);
-
- EC_POINT_free(ec_pub);
- BN_free(bn_sec);
- BN_free(bn_pub);
-#endif
- /* Still do hchacha iteration since we are not using SHA1 KDF */
+ if (crypto_scalarmult(s, e, pk) != -1) {
hchacha(s, n0, nm, 20);
-
-#endif
}
+
+ rspamd_explicit_memzero(e, 32);
}
void rspamd_cryptobox_sign(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, gsize mlen,
- const rspamd_sig_sk_t sk,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_sig_sk_t sk)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_sign_detached(sig, siglen_p, m, mlen, sk);
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_MD_CTX *sha_ctx;
- unsigned char h[64];
- unsigned int diglen = rspamd_cryptobox_signature_bytes(mode);
-
- /* Prehash */
- sha_ctx = EVP_MD_CTX_create();
- g_assert(EVP_DigestInit(sha_ctx, EVP_sha512()) == 1);
- EVP_DigestUpdate(sha_ctx, m, mlen);
- EVP_DigestFinal(sha_ctx, h, NULL);
-
- /* ECDSA */
-#if OPENSSL_VERSION_MAJOR >= 3
- EVP_PKEY *pkey = NULL;
- OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL);
- OSSL_PARAM_BLD *param_bld;
- OSSL_PARAM *params = NULL;
- BIGNUM *bn_sec;
-
- param_bld = OSSL_PARAM_BLD_new();
- g_assert(OSSL_PARAM_BLD_push_utf8_string(param_bld, "group",
- EC_curve_nid2nist(CRYPTOBOX_CURVE_NID), 0) == 1);
-
- bn_sec = BN_bin2bn(sk, rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_NIST), NULL);
- g_assert(bn_sec != NULL);
-
- g_assert(OSSL_PARAM_BLD_push_BN(param_bld, "priv", bn_sec) == 1);
-
- params = OSSL_PARAM_BLD_to_param(param_bld);
- g_assert(EVP_PKEY_fromdata_init(pctx) == 1);
- g_assert(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, params) == 1);
-
- g_assert(pkey != NULL);
-
- g_assert(EVP_DigestSignInit(sha_ctx, NULL, EVP_sha512(), NULL, pkey) == 1);
-
- size_t diglen_size_t = diglen;
- EVP_DigestSign(sha_ctx, sig, &diglen_size_t, m, mlen);
- diglen = diglen_size_t;
-
- EVP_PKEY_CTX_free(pctx);
- OSSL_PARAM_BLD_free(param_bld);
- OSSL_PARAM_free(params);
- BN_free(bn_sec);
- EVP_PKEY_free(pkey);
- OSSL_LIB_CTX_free(libctx);
-#else
- EC_KEY *lk;
- BIGNUM *bn_sec;
-
- /* Key setup */
- lk = EC_KEY_new_by_curve_name(CRYPTOBOX_CURVE_NID);
- g_assert(lk != NULL);
- bn_sec = BN_bin2bn(sk, rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_NIST), NULL);
- g_assert(bn_sec != NULL);
- g_assert(EC_KEY_set_private_key(lk, bn_sec) == 1);
-
- g_assert(ECDSA_sign(0, h, sizeof(h), sig, &diglen, lk) == 1);
- EC_KEY_free(lk);
- BN_free(bn_sec);
-#endif
- g_assert(diglen <= sizeof(rspamd_signature_t));
-
- if (siglen_p) {
- *siglen_p = diglen;
- }
-
- EVP_MD_CTX_destroy(sha_ctx);
-#endif
- }
+ crypto_sign_detached(sig, siglen_p, m, mlen, sk);
}
#ifdef HAVE_OPENSSL
@@ -718,7 +363,7 @@ bool rspamd_cryptobox_verify_evp_ed25519(int nid,
{
bool ret = false;
- if (siglen == rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519)) {
+ if (siglen == crypto_sign_bytes()) {
rspamd_pk_t pk;
size_t len_pk = sizeof(rspamd_pk_t);
EVP_PKEY_get_raw_public_key(pub_key, pk, &len_pk);
@@ -782,544 +427,213 @@ bool rspamd_cryptobox_verify(const unsigned char *sig,
gsize siglen,
const unsigned char *m,
gsize mlen,
- const rspamd_sig_pk_t pk,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_sig_pk_t pk)
{
bool ret = false;
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- if (siglen == rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519)) {
- ret = (crypto_sign_verify_detached(sig, m, mlen, pk) == 0);
- }
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_MD_CTX *sha_ctx;
- unsigned char h[64];
-
- /* Prehash */
- sha_ctx = EVP_MD_CTX_create();
- g_assert(EVP_DigestInit(sha_ctx, EVP_sha512()) == 1);
- EVP_DigestUpdate(sha_ctx, m, mlen);
- EVP_DigestFinal(sha_ctx, h, NULL);
-
-
-#if OPENSSL_VERSION_MAJOR >= 3
- EVP_PKEY *pkey = NULL;
- OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL);
- OSSL_PARAM_BLD *param_bld;
- OSSL_PARAM *params = NULL;
-
- param_bld = OSSL_PARAM_BLD_new();
- g_assert(OSSL_PARAM_BLD_push_utf8_string(param_bld, "group",
- EC_curve_nid2nist(CRYPTOBOX_CURVE_NID), 0) == 1);
-
- g_assert(OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", pk,
- rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_NIST)) == 1);
-
- params = OSSL_PARAM_BLD_to_param(param_bld);
- g_assert(EVP_PKEY_fromdata_init(pctx) == 1);
- g_assert(EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) == 1);
-
- g_assert(pkey != NULL);
-
- g_assert(EVP_DigestVerifyInit(sha_ctx, NULL, EVP_sha512(), NULL, pkey) == 1);
-
- if (EVP_DigestVerify(sha_ctx, sig, siglen, m, mlen) == 1)
- ret = true;
-
- EVP_PKEY_free(pkey);
- EVP_PKEY_CTX_free(pctx);
- OSSL_PARAM_free(params);
- OSSL_PARAM_BLD_free(param_bld);
- OSSL_LIB_CTX_free(libctx);
-#else
- EC_KEY *lk;
- EC_POINT *ec_pub;
- BIGNUM *bn_pub;
-
- /* Key setup */
- lk = EC_KEY_new_by_curve_name(CRYPTOBOX_CURVE_NID);
- g_assert(lk != NULL);
- bn_pub = BN_bin2bn(pk, rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_NIST), NULL);
- g_assert(bn_pub != NULL);
- ec_pub = ec_point_bn2point_compat(EC_KEY_get0_group(lk), bn_pub, NULL, NULL);
- g_assert(ec_pub != NULL);
- g_assert(EC_KEY_set_public_key(lk, ec_pub) == 1);
-
- /* ECDSA */
- ret = ECDSA_verify(0, h, sizeof(h), sig, siglen, lk) == 1;
-
- EC_KEY_free(lk);
-
- BN_free(bn_pub);
- EC_POINT_free(ec_pub);
-#endif
-
- EVP_MD_CTX_destroy(sha_ctx);
-#endif
+ if (siglen == crypto_sign_bytes()) {
+ ret = (crypto_sign_verify_detached(sig, m, mlen, pk) == 0);
}
return ret;
}
-static gsize
-rspamd_cryptobox_encrypt_ctx_len(enum rspamd_cryptobox_mode mode)
-{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return sizeof(chacha_state) + CRYPTOBOX_ALIGNMENT;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- return sizeof(EVP_CIPHER_CTX *) + CRYPTOBOX_ALIGNMENT;
-#endif
- }
-
- return 0;
-}
-
-static gsize
-rspamd_cryptobox_auth_ctx_len(enum rspamd_cryptobox_mode mode)
-{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return sizeof(crypto_onetimeauth_state) + RSPAMD_ALIGNOF(crypto_onetimeauth_state);
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- return sizeof(void *);
-#endif
- }
-
- return 0;
-}
-
static void *
rspamd_cryptobox_encrypt_init(void *enc_ctx, const rspamd_nonce_t nonce,
- const rspamd_nm_t nm,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_nm_t nm)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- chacha_state *s;
+ chacha_state *s;
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- xchacha_init(s,
- (const chacha_key *) nm,
- (const chacha_iv24 *) nonce,
- 20);
+ s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
+ xchacha_init(s,
+ (const chacha_key *) nm,
+ (const chacha_iv24 *) nonce,
+ 20);
- return s;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s;
-
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- memset(s, 0, sizeof(*s));
- *s = EVP_CIPHER_CTX_new();
- g_assert(EVP_EncryptInit_ex(*s, EVP_aes_256_gcm(), NULL, NULL, NULL) == 1);
- g_assert(EVP_CIPHER_CTX_ctrl(*s, EVP_CTRL_GCM_SET_IVLEN,
- rspamd_cryptobox_nonce_bytes(mode), NULL) == 1);
- g_assert(EVP_EncryptInit_ex(*s, NULL, NULL, nm, nonce) == 1);
-
- return s;
-#endif
- }
-
- return NULL;
+ return s;
}
static void *
-rspamd_cryptobox_auth_init(void *auth_ctx, void *enc_ctx,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_auth_init(void *auth_ctx, void *enc_ctx)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_onetimeauth_state *mac_ctx;
- unsigned char RSPAMD_ALIGNED(32) subkey[CHACHA_BLOCKBYTES];
+ crypto_onetimeauth_state *mac_ctx;
+ unsigned char RSPAMD_ALIGNED(32) subkey[CHACHA_BLOCKBYTES];
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- memset(subkey, 0, sizeof(subkey));
- chacha_update(enc_ctx, subkey, subkey, sizeof(subkey));
- crypto_onetimeauth_init(mac_ctx, subkey);
- rspamd_explicit_memzero(subkey, sizeof(subkey));
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ memset(subkey, 0, sizeof(subkey));
+ chacha_update(enc_ctx, subkey, subkey, sizeof(subkey));
+ crypto_onetimeauth_init(mac_ctx, subkey);
+ rspamd_explicit_memzero(subkey, sizeof(subkey));
- return mac_ctx;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- auth_ctx = enc_ctx;
-
- return auth_ctx;
-#endif
- }
-
- return NULL;
+ return mac_ctx;
}
static gboolean
rspamd_cryptobox_encrypt_update(void *enc_ctx, const unsigned char *in, gsize inlen,
- unsigned char *out, gsize *outlen,
- enum rspamd_cryptobox_mode mode)
+ unsigned char *out, gsize *outlen)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- gsize r;
- chacha_state *s;
-
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
-
- r = chacha_update(s, in, out, inlen);
-
- if (outlen != NULL) {
- *outlen = r;
- }
-
- return TRUE;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = enc_ctx;
- int r;
+ gsize r;
+ chacha_state *s;
- r = inlen;
- g_assert(EVP_EncryptUpdate(*s, out, &r, in, inlen) == 1);
+ s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- if (outlen) {
- *outlen = r;
- }
+ r = chacha_update(s, in, out, inlen);
- return TRUE;
-#endif
+ if (outlen != NULL) {
+ *outlen = r;
}
- return FALSE;
+ return TRUE;
}
static gboolean
-rspamd_cryptobox_auth_update(void *auth_ctx, const unsigned char *in, gsize inlen,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_auth_update(void *auth_ctx, const unsigned char *in, gsize inlen)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_onetimeauth_state *mac_ctx;
+ crypto_onetimeauth_state *mac_ctx;
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- crypto_onetimeauth_update(mac_ctx, in, inlen);
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ crypto_onetimeauth_update(mac_ctx, in, inlen);
- return TRUE;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- return TRUE;
-#endif
- }
-
- return FALSE;
+ return TRUE;
}
static gsize
-rspamd_cryptobox_encrypt_final(void *enc_ctx, unsigned char *out, gsize remain,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_encrypt_final(void *enc_ctx, unsigned char *out, gsize remain)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- chacha_state *s;
+ chacha_state *s;
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- return chacha_final(s, out);
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = enc_ctx;
- int r = remain;
-
- g_assert(EVP_EncryptFinal_ex(*s, out, &r) == 1);
-
- return r;
-#endif
- }
-
- return 0;
+ s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
+ return chacha_final(s, out);
}
static gboolean
-rspamd_cryptobox_auth_final(void *auth_ctx, rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_auth_final(void *auth_ctx, rspamd_mac_t sig)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_onetimeauth_state *mac_ctx;
-
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- crypto_onetimeauth_final(mac_ctx, sig);
+ crypto_onetimeauth_state *mac_ctx;
- return TRUE;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = auth_ctx;
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ crypto_onetimeauth_final(mac_ctx, sig);
- g_assert(EVP_CIPHER_CTX_ctrl(*s, EVP_CTRL_GCM_GET_TAG,
- sizeof(rspamd_mac_t), sig) == 1);
-
- return TRUE;
-#endif
- }
-
- return FALSE;
+ return TRUE;
}
static void *
rspamd_cryptobox_decrypt_init(void *enc_ctx, const rspamd_nonce_t nonce,
- const rspamd_nm_t nm,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_nm_t nm)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
-
- chacha_state *s;
+ chacha_state *s;
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- xchacha_init(s,
- (const chacha_key *) nm,
- (const chacha_iv24 *) nonce,
- 20);
-
- return s;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s;
-
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- memset(s, 0, sizeof(*s));
- *s = EVP_CIPHER_CTX_new();
- g_assert(EVP_DecryptInit_ex(*s, EVP_aes_256_gcm(), NULL, NULL, NULL) == 1);
- g_assert(EVP_CIPHER_CTX_ctrl(*s, EVP_CTRL_GCM_SET_IVLEN,
- rspamd_cryptobox_nonce_bytes(mode), NULL) == 1);
- g_assert(EVP_DecryptInit_ex(*s, NULL, NULL, nm, nonce) == 1);
-
- return s;
-#endif
- }
+ s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
+ xchacha_init(s,
+ (const chacha_key *) nm,
+ (const chacha_iv24 *) nonce,
+ 20);
- return NULL;
+ return s;
}
static void *
-rspamd_cryptobox_auth_verify_init(void *auth_ctx, void *enc_ctx,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_auth_verify_init(void *auth_ctx, void *enc_ctx)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_onetimeauth_state *mac_ctx;
- unsigned char RSPAMD_ALIGNED(32) subkey[CHACHA_BLOCKBYTES];
+ crypto_onetimeauth_state *mac_ctx;
+ unsigned char RSPAMD_ALIGNED(32) subkey[CHACHA_BLOCKBYTES];
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- memset(subkey, 0, sizeof(subkey));
- chacha_update(enc_ctx, subkey, subkey, sizeof(subkey));
- crypto_onetimeauth_init(mac_ctx, subkey);
- rspamd_explicit_memzero(subkey, sizeof(subkey));
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ memset(subkey, 0, sizeof(subkey));
+ chacha_update(enc_ctx, subkey, subkey, sizeof(subkey));
+ crypto_onetimeauth_init(mac_ctx, subkey);
+ rspamd_explicit_memzero(subkey, sizeof(subkey));
- return mac_ctx;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- auth_ctx = enc_ctx;
-
- return auth_ctx;
-#endif
- }
-
- return NULL;
+ return mac_ctx;
}
static gboolean
rspamd_cryptobox_decrypt_update(void *enc_ctx, const unsigned char *in, gsize inlen,
- unsigned char *out, gsize *outlen,
- enum rspamd_cryptobox_mode mode)
+ unsigned char *out, gsize *outlen)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- gsize r;
- chacha_state *s;
+ gsize r;
+ chacha_state *s;
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- r = chacha_update(s, in, out, inlen);
+ s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
+ r = chacha_update(s, in, out, inlen);
- if (outlen != NULL) {
- *outlen = r;
- }
-
- return TRUE;
+ if (outlen != NULL) {
+ *outlen = r;
}
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = enc_ctx;
- int r;
-
- r = outlen ? *outlen : inlen;
- g_assert(EVP_DecryptUpdate(*s, out, &r, in, inlen) == 1);
- if (outlen) {
- *outlen = r;
- }
-
- return TRUE;
-#endif
- }
+ return TRUE;
}
static gboolean
rspamd_cryptobox_auth_verify_update(void *auth_ctx,
- const unsigned char *in, gsize inlen,
- enum rspamd_cryptobox_mode mode)
+ const unsigned char *in, gsize inlen)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_onetimeauth_state *mac_ctx;
-
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- crypto_onetimeauth_update(mac_ctx, in, inlen);
+ crypto_onetimeauth_state *mac_ctx;
- return TRUE;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- /* We do not need to authenticate as a separate process */
- return TRUE;
-#else
-#endif
- }
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ crypto_onetimeauth_update(mac_ctx, in, inlen);
- return FALSE;
+ return TRUE;
}
static gboolean
-rspamd_cryptobox_decrypt_final(void *enc_ctx, unsigned char *out, gsize remain,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_decrypt_final(void *enc_ctx, unsigned char *out, gsize remain)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- chacha_state *s;
+ chacha_state *s;
- s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
- chacha_final(s, out);
+ s = cryptobox_align_ptr(enc_ctx, CRYPTOBOX_ALIGNMENT);
+ chacha_final(s, out);
- return TRUE;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = enc_ctx;
- int r = remain;
-
- if (EVP_DecryptFinal_ex(*s, out, &r) < 0) {
- return FALSE;
- }
-
- return TRUE;
-#endif
- }
-
- return FALSE;
+ return TRUE;
}
static gboolean
-rspamd_cryptobox_auth_verify_final(void *auth_ctx, const rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_auth_verify_final(void *auth_ctx, const rspamd_mac_t sig)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- rspamd_mac_t mac;
- crypto_onetimeauth_state *mac_ctx;
+ rspamd_mac_t mac;
+ crypto_onetimeauth_state *mac_ctx;
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- crypto_onetimeauth_final(mac_ctx, mac);
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ crypto_onetimeauth_final(mac_ctx, mac);
- if (crypto_verify_16(mac, sig) != 0) {
- return FALSE;
- }
-
- return TRUE;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = auth_ctx;
-
- if (EVP_CIPHER_CTX_ctrl(*s, EVP_CTRL_GCM_SET_TAG, 16, (unsigned char *) sig) != 1) {
- return FALSE;
- }
-
- return TRUE;
-#endif
+ if (crypto_verify_16(mac, sig) != 0) {
+ return FALSE;
}
- return FALSE;
+ return TRUE;
}
static void
-rspamd_cryptobox_cleanup(void *enc_ctx, void *auth_ctx,
- enum rspamd_cryptobox_mode mode)
+rspamd_cryptobox_cleanup(void *enc_ctx, void *auth_ctx)
{
- if (G_LIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- crypto_onetimeauth_state *mac_ctx;
-
- mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
- rspamd_explicit_memzero(mac_ctx, sizeof(*mac_ctx));
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
- EVP_CIPHER_CTX **s = enc_ctx;
+ crypto_onetimeauth_state *mac_ctx;
- EVP_CIPHER_CTX_cleanup(*s);
- EVP_CIPHER_CTX_free(*s);
-#endif
- }
+ mac_ctx = cryptobox_align_ptr(auth_ctx, CRYPTOBOX_ALIGNMENT);
+ rspamd_explicit_memzero(mac_ctx, sizeof(*mac_ctx));
}
void rspamd_cryptobox_encrypt_nm_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
const rspamd_nm_t nm,
- rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+ rspamd_mac_t sig)
{
gsize r;
void *enc_ctx, *auth_ctx;
- enc_ctx = g_alloca(rspamd_cryptobox_encrypt_ctx_len(mode));
- auth_ctx = g_alloca(rspamd_cryptobox_auth_ctx_len(mode));
+ enc_ctx = g_alloca(sizeof(chacha_state) + CRYPTOBOX_ALIGNMENT);
+ auth_ctx = g_alloca(sizeof(crypto_onetimeauth_state) + RSPAMD_ALIGNOF(crypto_onetimeauth_state));
- enc_ctx = rspamd_cryptobox_encrypt_init(enc_ctx, nonce, nm, mode);
- auth_ctx = rspamd_cryptobox_auth_init(auth_ctx, enc_ctx, mode);
+ enc_ctx = rspamd_cryptobox_encrypt_init(enc_ctx, nonce, nm);
+ auth_ctx = rspamd_cryptobox_auth_init(auth_ctx, enc_ctx);
- rspamd_cryptobox_encrypt_update(enc_ctx, data, len, data, &r, mode);
- rspamd_cryptobox_encrypt_final(enc_ctx, data + r, len - r, mode);
+ rspamd_cryptobox_encrypt_update(enc_ctx, data, len, data, &r);
+ rspamd_cryptobox_encrypt_final(enc_ctx, data + r, len - r);
- rspamd_cryptobox_auth_update(auth_ctx, data, len, mode);
- rspamd_cryptobox_auth_final(auth_ctx, sig, mode);
+ rspamd_cryptobox_auth_update(auth_ctx, data, len);
+ rspamd_cryptobox_auth_final(auth_ctx, sig);
- rspamd_cryptobox_cleanup(enc_ctx, auth_ctx, mode);
+ rspamd_cryptobox_cleanup(enc_ctx, auth_ctx);
}
static void
@@ -1341,8 +655,7 @@ rspamd_cryptobox_flush_outbuf(struct rspamd_cryptobox_segment *st,
void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segments,
gsize cnt,
const rspamd_nonce_t nonce,
- const rspamd_nm_t nm, rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_nm_t nm, rspamd_mac_t sig)
{
struct rspamd_cryptobox_segment *cur = segments, *start_seg = segments;
unsigned char outbuf[CHACHA_BLOCKBYTES * 16];
@@ -1350,11 +663,11 @@ void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segme
unsigned char *out, *in;
gsize r, remain, inremain, seg_offset;
- enc_ctx = g_alloca(rspamd_cryptobox_encrypt_ctx_len(mode));
- auth_ctx = g_alloca(rspamd_cryptobox_auth_ctx_len(mode));
+ enc_ctx = g_alloca(sizeof(chacha_state) + CRYPTOBOX_ALIGNMENT);
+ auth_ctx = g_alloca(sizeof(crypto_onetimeauth_state) + RSPAMD_ALIGNOF(crypto_onetimeauth_state));
- enc_ctx = rspamd_cryptobox_encrypt_init(enc_ctx, nonce, nm, mode);
- auth_ctx = rspamd_cryptobox_auth_init(auth_ctx, enc_ctx, mode);
+ enc_ctx = rspamd_cryptobox_encrypt_init(enc_ctx, nonce, nm);
+ auth_ctx = rspamd_cryptobox_auth_init(auth_ctx, enc_ctx);
remain = sizeof(outbuf);
out = outbuf;
@@ -1374,9 +687,8 @@ void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segme
if (remain == 0) {
rspamd_cryptobox_encrypt_update(enc_ctx, outbuf, sizeof(outbuf),
- outbuf, NULL, mode);
- rspamd_cryptobox_auth_update(auth_ctx, outbuf, sizeof(outbuf),
- mode);
+ outbuf, NULL);
+ rspamd_cryptobox_auth_update(auth_ctx, outbuf, sizeof(outbuf));
rspamd_cryptobox_flush_outbuf(start_seg, outbuf,
sizeof(outbuf), seg_offset);
start_seg = cur;
@@ -1388,9 +700,8 @@ void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segme
else {
memcpy(out, cur->data, remain);
rspamd_cryptobox_encrypt_update(enc_ctx, outbuf, sizeof(outbuf),
- outbuf, NULL, mode);
- rspamd_cryptobox_auth_update(auth_ctx, outbuf, sizeof(outbuf),
- mode);
+ outbuf, NULL);
+ rspamd_cryptobox_auth_update(auth_ctx, outbuf, sizeof(outbuf));
rspamd_cryptobox_flush_outbuf(start_seg, outbuf, sizeof(outbuf),
seg_offset);
seg_offset = 0;
@@ -1408,12 +719,10 @@ void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segme
outbuf,
sizeof(outbuf),
outbuf,
- NULL,
- mode);
+ NULL);
rspamd_cryptobox_auth_update(auth_ctx,
outbuf,
- sizeof(outbuf),
- mode);
+ sizeof(outbuf));
memcpy(in, outbuf, sizeof(outbuf));
in += sizeof(outbuf);
inremain -= sizeof(outbuf);
@@ -1433,46 +742,44 @@ void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segme
}
rspamd_cryptobox_encrypt_update(enc_ctx, outbuf, sizeof(outbuf) - remain,
- outbuf, &r, mode);
+ outbuf, &r);
out = outbuf + r;
- rspamd_cryptobox_encrypt_final(enc_ctx, out, sizeof(outbuf) - remain - r,
- mode);
+ rspamd_cryptobox_encrypt_final(enc_ctx, out, sizeof(outbuf) - remain - r);
- rspamd_cryptobox_auth_update(auth_ctx, outbuf, sizeof(outbuf) - remain,
- mode);
- rspamd_cryptobox_auth_final(auth_ctx, sig, mode);
+ rspamd_cryptobox_auth_update(auth_ctx, outbuf, sizeof(outbuf) - remain);
+ rspamd_cryptobox_auth_final(auth_ctx, sig);
rspamd_cryptobox_flush_outbuf(start_seg, outbuf, sizeof(outbuf) - remain,
seg_offset);
- rspamd_cryptobox_cleanup(enc_ctx, auth_ctx, mode);
+ rspamd_cryptobox_cleanup(enc_ctx, auth_ctx);
}
gboolean
rspamd_cryptobox_decrypt_nm_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce, const rspamd_nm_t nm,
- const rspamd_mac_t sig, enum rspamd_cryptobox_mode mode)
+ const rspamd_mac_t sig)
{
gsize r = 0;
gboolean ret = TRUE;
void *enc_ctx, *auth_ctx;
- enc_ctx = g_alloca(rspamd_cryptobox_encrypt_ctx_len(mode));
- auth_ctx = g_alloca(rspamd_cryptobox_auth_ctx_len(mode));
+ enc_ctx = g_alloca(sizeof(chacha_state) + CRYPTOBOX_ALIGNMENT);
+ auth_ctx = g_alloca(sizeof(crypto_onetimeauth_state) + RSPAMD_ALIGNOF(crypto_onetimeauth_state));
- enc_ctx = rspamd_cryptobox_decrypt_init(enc_ctx, nonce, nm, mode);
- auth_ctx = rspamd_cryptobox_auth_verify_init(auth_ctx, enc_ctx, mode);
+ enc_ctx = rspamd_cryptobox_decrypt_init(enc_ctx, nonce, nm);
+ auth_ctx = rspamd_cryptobox_auth_verify_init(auth_ctx, enc_ctx);
- rspamd_cryptobox_auth_verify_update(auth_ctx, data, len, mode);
+ rspamd_cryptobox_auth_verify_update(auth_ctx, data, len);
- if (!rspamd_cryptobox_auth_verify_final(auth_ctx, sig, mode)) {
+ if (!rspamd_cryptobox_auth_verify_final(auth_ctx, sig)) {
ret = FALSE;
}
else {
- rspamd_cryptobox_decrypt_update(enc_ctx, data, len, data, &r, mode);
- ret = rspamd_cryptobox_decrypt_final(enc_ctx, data + r, len - r, mode);
+ rspamd_cryptobox_decrypt_update(enc_ctx, data, len, data, &r);
+ ret = rspamd_cryptobox_decrypt_final(enc_ctx, data + r, len - r);
}
- rspamd_cryptobox_cleanup(enc_ctx, auth_ctx, mode);
+ rspamd_cryptobox_cleanup(enc_ctx, auth_ctx);
return ret;
}
@@ -1481,14 +788,13 @@ gboolean
rspamd_cryptobox_decrypt_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
const rspamd_pk_t pk, const rspamd_sk_t sk,
- const rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+ const rspamd_mac_t sig)
{
unsigned char nm[rspamd_cryptobox_MAX_NMBYTES];
gboolean ret;
- rspamd_cryptobox_nm(nm, pk, sk, mode);
- ret = rspamd_cryptobox_decrypt_nm_inplace(data, len, nonce, nm, sig, mode);
+ rspamd_cryptobox_nm(nm, pk, sk);
+ ret = rspamd_cryptobox_decrypt_nm_inplace(data, len, nonce, nm, sig);
rspamd_explicit_memzero(nm, sizeof(nm));
@@ -1498,13 +804,12 @@ rspamd_cryptobox_decrypt_inplace(unsigned char *data, gsize len,
void rspamd_cryptobox_encrypt_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
const rspamd_pk_t pk, const rspamd_sk_t sk,
- rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+ rspamd_mac_t sig)
{
unsigned char nm[rspamd_cryptobox_MAX_NMBYTES];
- rspamd_cryptobox_nm(nm, pk, sk, mode);
- rspamd_cryptobox_encrypt_nm_inplace(data, len, nonce, nm, sig, mode);
+ rspamd_cryptobox_nm(nm, pk, sk);
+ rspamd_cryptobox_encrypt_nm_inplace(data, len, nonce, nm, sig);
rspamd_explicit_memzero(nm, sizeof(nm));
}
@@ -1512,13 +817,12 @@ void rspamd_cryptobox_encryptv_inplace(struct rspamd_cryptobox_segment *segments
gsize cnt,
const rspamd_nonce_t nonce,
const rspamd_pk_t pk, const rspamd_sk_t sk,
- rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode)
+ rspamd_mac_t sig)
{
unsigned char nm[rspamd_cryptobox_MAX_NMBYTES];
- rspamd_cryptobox_nm(nm, pk, sk, mode);
- rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, nonce, nm, sig, mode);
+ rspamd_cryptobox_nm(nm, pk, sk);
+ rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, nonce, nm, sig);
rspamd_explicit_memzero(nm, sizeof(nm));
}
@@ -1645,105 +949,6 @@ rspamd_cryptobox_pbkdf(const char *pass, gsize pass_len,
return ret;
}
-unsigned int rspamd_cryptobox_pk_bytes(enum rspamd_cryptobox_mode mode)
-{
- if (G_UNLIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return 32;
- }
- else {
- return 65;
- }
-}
-
-unsigned int rspamd_cryptobox_pk_sig_bytes(enum rspamd_cryptobox_mode mode)
-{
- if (G_UNLIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return 32;
- }
- else {
- return 65;
- }
-}
-
-unsigned int rspamd_cryptobox_nonce_bytes(enum rspamd_cryptobox_mode mode)
-{
- if (G_UNLIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return 24;
- }
- else {
- return 16;
- }
-}
-
-
-unsigned int rspamd_cryptobox_sk_bytes(enum rspamd_cryptobox_mode mode)
-{
- return 32;
-}
-
-unsigned int rspamd_cryptobox_sk_sig_bytes(enum rspamd_cryptobox_mode mode)
-{
- if (G_UNLIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return 64;
- }
- else {
- return 32;
- }
-}
-
-unsigned int rspamd_cryptobox_signature_bytes(enum rspamd_cryptobox_mode mode)
-{
- static unsigned int ssl_keylen;
-
- if (G_UNLIKELY(mode == RSPAMD_CRYPTOBOX_MODE_25519)) {
- return 64;
- }
- else {
-#ifndef HAVE_USABLE_OPENSSL
- g_assert(0);
-#else
-#if OPENSSL_VERSION_MAJOR >= 3
- if (ssl_keylen == 0) {
- OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
- EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();
- EVP_PKEY *pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", "prime256v1");
- g_assert(pkey != NULL);
-
- g_assert(EVP_DigestSignInit(sha_ctx, NULL, EVP_sha512(), NULL, pkey) == 1);
-
- size_t keylen = 0;
- const unsigned char data[] = "data to be signed";
- size_t datalen = sizeof(data) - 1;
- g_assert(EVP_DigestSign(sha_ctx, NULL, &keylen, data, datalen) == 1);
- ssl_keylen = keylen;
-
- OSSL_LIB_CTX_free(libctx);
- EVP_PKEY_free(pkey);
- EVP_MD_CTX_free(sha_ctx);
- }
-#else
- if (ssl_keylen == 0) {
- EC_KEY *lk;
- lk = EC_KEY_new_by_curve_name(CRYPTOBOX_CURVE_NID);
- ssl_keylen = ECDSA_size(lk);
- EC_KEY_free(lk);
- }
-#endif
-#endif
- return ssl_keylen;
- }
-}
-
-unsigned int rspamd_cryptobox_nm_bytes(enum rspamd_cryptobox_mode mode)
-{
- return 32;
-}
-
-unsigned int rspamd_cryptobox_mac_bytes(enum rspamd_cryptobox_mode mode)
-{
- return 16;
-}
-
void rspamd_cryptobox_hash_init(rspamd_cryptobox_hash_state_t *p, const unsigned char *key, gsize keylen)
{
crypto_generichash_blake2b_state *st = cryptobox_align_ptr(p,
diff --git a/src/libcryptobox/cryptobox.h b/src/libcryptobox/cryptobox.h
index c95de3031..afe9c4f9a 100644
--- a/src/libcryptobox/cryptobox.h
+++ b/src/libcryptobox/cryptobox.h
@@ -40,18 +40,18 @@ struct rspamd_cryptobox_segment {
#define RSPAMD_HAS_TARGET_ATTR 1
#endif
-#define rspamd_cryptobox_MAX_NONCEBYTES 24
-#define rspamd_cryptobox_MAX_PKBYTES 65
-#define rspamd_cryptobox_MAX_SKBYTES 32
-#define rspamd_cryptobox_MAX_MACBYTES 16
-#define rspamd_cryptobox_MAX_NMBYTES 32
+#define rspamd_cryptobox_MAX_NONCEBYTES crypto_box_NONCEBYTES
+#define rspamd_cryptobox_MAX_PKBYTES crypto_box_PUBLICKEYBYTES
+#define rspamd_cryptobox_MAX_SKBYTES crypto_box_SECRETKEYBYTES
+#define rspamd_cryptobox_MAX_MACBYTES crypto_box_MACBYTES
+#define rspamd_cryptobox_MAX_NMBYTES crypto_box_BEFORENMBYTES
#define rspamd_cryptobox_SIPKEYBYTES 16
#define rspamd_cryptobox_HASHBYTES 64
#define rspamd_cryptobox_HASHKEYBYTES 64
#define rspamd_cryptobox_HASHSTATEBYTES sizeof(crypto_generichash_blake2b_state) + 64
-#define rspamd_cryptobox_MAX_SIGSKBYTES 64
-#define rspamd_cryptobox_MAX_SIGPKBYTES 65
-#define rspamd_cryptobox_MAX_SIGBYTES 72
+#define rspamd_cryptobox_MAX_SIGSKBYTES crypto_sign_SECRETKEYBYTES
+#define rspamd_cryptobox_MAX_SIGPKBYTES crypto_sign_PUBLICKEYBYTES
+#define rspamd_cryptobox_MAX_SIGBYTES crypto_sign_BYTES
#define CPUID_AVX2 0x1
#define CPUID_AVX 0x2
@@ -72,10 +72,6 @@ typedef unsigned char rspamd_signature_t[rspamd_cryptobox_MAX_SIGBYTES];
typedef unsigned char rspamd_sig_pk_t[rspamd_cryptobox_MAX_SIGPKBYTES];
typedef unsigned char rspamd_sig_sk_t[rspamd_cryptobox_MAX_SIGSKBYTES];
-enum rspamd_cryptobox_mode {
- RSPAMD_CRYPTOBOX_MODE_25519 = 0,
- RSPAMD_CRYPTOBOX_MODE_NIST
-};
struct rspamd_cryptobox_library_ctx {
char *cpu_extensions;
@@ -95,16 +91,14 @@ void rspamd_cryptobox_deinit(struct rspamd_cryptobox_library_ctx *);
* @param pk public key buffer
* @param sk secret key buffer
*/
-void rspamd_cryptobox_keypair(rspamd_pk_t pk, rspamd_sk_t sk,
- enum rspamd_cryptobox_mode mode);
+void rspamd_cryptobox_keypair(rspamd_pk_t pk, rspamd_sk_t sk);
/**
* Generate new keypair for signing
* @param pk public key buffer
* @param sk secret key buffer
*/
-void rspamd_cryptobox_keypair_sig(rspamd_sig_pk_t pk, rspamd_sig_sk_t sk,
- enum rspamd_cryptobox_mode mode);
+void rspamd_cryptobox_keypair_sig(rspamd_sig_pk_t pk, rspamd_sig_sk_t sk);
/**
* Encrypt data inplace adding signature to sig afterwards
@@ -115,8 +109,7 @@ void rspamd_cryptobox_keypair_sig(rspamd_sig_pk_t pk, rspamd_sig_sk_t sk,
*/
void rspamd_cryptobox_encrypt_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
- const rspamd_pk_t pk, const rspamd_sk_t sk, rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_pk_t pk, const rspamd_sk_t sk, rspamd_mac_t sig);
/**
* Encrypt segments of data inplace adding signature to sig afterwards
@@ -129,8 +122,7 @@ void rspamd_cryptobox_encrypt_inplace(unsigned char *data, gsize len,
void rspamd_cryptobox_encryptv_inplace(struct rspamd_cryptobox_segment *segments,
gsize cnt,
const rspamd_nonce_t nonce,
- const rspamd_pk_t pk, const rspamd_sk_t sk, rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_pk_t pk, const rspamd_sk_t sk, rspamd_mac_t sig);
/**
@@ -144,8 +136,7 @@ void rspamd_cryptobox_encryptv_inplace(struct rspamd_cryptobox_segment *segments
*/
gboolean rspamd_cryptobox_decrypt_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
- const rspamd_pk_t pk, const rspamd_sk_t sk, const rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_pk_t pk, const rspamd_sk_t sk, const rspamd_mac_t sig);
/**
* Encrypt segments of data inplace adding signature to sig afterwards
@@ -157,8 +148,7 @@ gboolean rspamd_cryptobox_decrypt_inplace(unsigned char *data, gsize len,
*/
void rspamd_cryptobox_encrypt_nm_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
- const rspamd_nm_t nm, rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_nm_t nm, rspamd_mac_t sig);
/**
* Encrypt segments of data inplace adding signature to sig afterwards
@@ -171,8 +161,7 @@ void rspamd_cryptobox_encrypt_nm_inplace(unsigned char *data, gsize len,
void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segments,
gsize cnt,
const rspamd_nonce_t nonce,
- const rspamd_nm_t nm, rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_nm_t nm, rspamd_mac_t sig);
/**
@@ -186,8 +175,7 @@ void rspamd_cryptobox_encryptv_nm_inplace(struct rspamd_cryptobox_segment *segme
*/
gboolean rspamd_cryptobox_decrypt_nm_inplace(unsigned char *data, gsize len,
const rspamd_nonce_t nonce,
- const rspamd_nm_t nm, const rspamd_mac_t sig,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_nm_t nm, const rspamd_mac_t sig);
/**
* Generate shared secret from local sk and remote pk
@@ -195,8 +183,7 @@ gboolean rspamd_cryptobox_decrypt_nm_inplace(unsigned char *data, gsize len,
* @param pk remote pubkey
* @param sk local privkey
*/
-void rspamd_cryptobox_nm(rspamd_nm_t nm, const rspamd_pk_t pk,
- const rspamd_sk_t sk, enum rspamd_cryptobox_mode mode);
+void rspamd_cryptobox_nm(rspamd_nm_t nm, const rspamd_pk_t pk, const rspamd_sk_t sk);
/**
* Create digital signature for the specified message and place result in `sig`
@@ -208,8 +195,7 @@ void rspamd_cryptobox_nm(rspamd_nm_t nm, const rspamd_pk_t pk,
*/
void rspamd_cryptobox_sign(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, gsize mlen,
- const rspamd_sig_sk_t sk,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_sig_sk_t sk);
/**
* Verifies digital signature for the specified message using the specified
@@ -224,8 +210,7 @@ bool rspamd_cryptobox_verify(const unsigned char *sig,
gsize siglen,
const unsigned char *m,
gsize mlen,
- const rspamd_sig_pk_t pk,
- enum rspamd_cryptobox_mode mode);
+ const rspamd_sig_pk_t pk);
#ifdef HAVE_OPENSSL
/**
@@ -308,46 +293,6 @@ gboolean rspamd_cryptobox_pbkdf(const char *pass, gsize pass_len,
enum rspamd_cryptobox_pbkdf_type type);
-/**
-* Real size of rspamd cryptobox public key
-*/
-unsigned int rspamd_cryptobox_pk_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of rspamd cryptobox signing public key
-*/
-unsigned int rspamd_cryptobox_pk_sig_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of crypto nonce
-*/
-unsigned int rspamd_cryptobox_nonce_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of rspamd cryptobox secret key
-*/
-unsigned int rspamd_cryptobox_sk_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of rspamd cryptobox signing secret key
-*/
-unsigned int rspamd_cryptobox_sk_sig_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of rspamd cryptobox shared key
-*/
-unsigned int rspamd_cryptobox_nm_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of rspamd cryptobox MAC signature
-*/
-unsigned int rspamd_cryptobox_mac_bytes(enum rspamd_cryptobox_mode mode);
-
-/**
-* Real size of rspamd cryptobox digital signature
-*/
-unsigned int rspamd_cryptobox_signature_bytes(enum rspamd_cryptobox_mode mode);
-
/* Hash IUF interface */
typedef crypto_generichash_blake2b_state rspamd_cryptobox_hash_state_t;
diff --git a/src/libcryptobox/keypair.c b/src/libcryptobox/keypair.c
index 02070bb46..96389dce8 100644
--- a/src/libcryptobox/keypair.c
+++ b/src/libcryptobox/keypair.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -38,29 +38,14 @@ rspamd_cryptobox_keypair_sk(struct rspamd_cryptobox_keypair *kp,
{
g_assert(kp != NULL);
- if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- *len = 32;
- return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->sk;
- }
- else {
- *len = 64;
- return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->sk;
- }
+ if (kp->type == RSPAMD_KEYPAIR_KEX) {
+ *len = 32;
+ return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->sk;
}
else {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- *len = 32;
- return RSPAMD_CRYPTOBOX_KEYPAIR_NIST(kp)->sk;
- }
- else {
- *len = 32;
- return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_NIST(kp)->sk;
- }
+ *len = 64;
+ return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->sk;
}
-
- /* Not reached */
- return NULL;
}
static void *
@@ -69,29 +54,14 @@ rspamd_cryptobox_keypair_pk(struct rspamd_cryptobox_keypair *kp,
{
g_assert(kp != NULL);
- if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- *len = 32;
- return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->pk;
- }
- else {
- *len = 32;
- return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->pk;
- }
+ if (kp->type == RSPAMD_KEYPAIR_KEX) {
+ *len = 32;
+ return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->pk;
}
else {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- *len = 65;
- return RSPAMD_CRYPTOBOX_KEYPAIR_NIST(kp)->pk;
- }
- else {
- *len = 65;
- return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_NIST(kp)->pk;
- }
+ *len = 32;
+ return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->pk;
}
-
- /* Not reached */
- return NULL;
}
static void *
@@ -100,53 +70,27 @@ rspamd_cryptobox_pubkey_pk(const struct rspamd_cryptobox_pubkey *kp,
{
g_assert(kp != NULL);
- if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- *len = 32;
- return RSPAMD_CRYPTOBOX_PUBKEY_25519(kp)->pk;
- }
- else {
- *len = 32;
- return RSPAMD_CRYPTOBOX_PUBKEY_SIG_25519(kp)->pk;
- }
+ if (kp->type == RSPAMD_KEYPAIR_KEX) {
+ *len = 32;
+ return RSPAMD_CRYPTOBOX_PUBKEY_25519(kp)->pk;
}
else {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- *len = 65;
- return RSPAMD_CRYPTOBOX_PUBKEY_NIST(kp)->pk;
- }
- else {
- *len = 65;
- return RSPAMD_CRYPTOBOX_PUBKEY_SIG_NIST(kp)->pk;
- }
+ *len = 32;
+ return RSPAMD_CRYPTOBOX_PUBKEY_SIG_25519(kp)->pk;
}
-
- /* Not reached */
- return NULL;
}
static struct rspamd_cryptobox_keypair *
-rspamd_cryptobox_keypair_alloc(enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg)
+rspamd_cryptobox_keypair_alloc(enum rspamd_cryptobox_keypair_type type)
{
struct rspamd_cryptobox_keypair *kp;
unsigned int size = 0;
- if (alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- if (type == RSPAMD_KEYPAIR_KEX) {
- size = sizeof(struct rspamd_cryptobox_keypair_25519);
- }
- else {
- size = sizeof(struct rspamd_cryptobox_keypair_sig_25519);
- }
+ if (type == RSPAMD_KEYPAIR_KEX) {
+ size = sizeof(struct rspamd_cryptobox_keypair_25519);
}
else {
- if (type == RSPAMD_KEYPAIR_KEX) {
- size = sizeof(struct rspamd_cryptobox_keypair_nist);
- }
- else {
- size = sizeof(struct rspamd_cryptobox_keypair_sig_nist);
- }
+ size = sizeof(struct rspamd_cryptobox_keypair_sig_25519);
}
g_assert(size >= sizeof(*kp));
@@ -161,27 +105,17 @@ rspamd_cryptobox_keypair_alloc(enum rspamd_cryptobox_keypair_type type,
}
static struct rspamd_cryptobox_pubkey *
-rspamd_cryptobox_pubkey_alloc(enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg)
+rspamd_cryptobox_pubkey_alloc(enum rspamd_cryptobox_keypair_type type)
{
struct rspamd_cryptobox_pubkey *pk;
unsigned int size = 0;
- if (alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- if (type == RSPAMD_KEYPAIR_KEX) {
- size = sizeof(struct rspamd_cryptobox_pubkey_25519);
- }
- else {
- size = sizeof(struct rspamd_cryptobox_pubkey_sig_25519);
- }
+
+ if (type == RSPAMD_KEYPAIR_KEX) {
+ size = sizeof(struct rspamd_cryptobox_pubkey_25519);
}
else {
- if (type == RSPAMD_KEYPAIR_KEX) {
- size = sizeof(struct rspamd_cryptobox_pubkey_nist);
- }
- else {
- size = sizeof(struct rspamd_cryptobox_pubkey_sig_nist);
- }
+ size = sizeof(struct rspamd_cryptobox_pubkey_sig_25519);
}
g_assert(size >= sizeof(*pk));
@@ -230,25 +164,23 @@ void rspamd_cryptobox_pubkey_dtor(struct rspamd_cryptobox_pubkey *p)
}
struct rspamd_cryptobox_keypair *
-rspamd_keypair_new(enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg)
+rspamd_keypair_new(enum rspamd_cryptobox_keypair_type type)
{
struct rspamd_cryptobox_keypair *kp;
void *pk, *sk;
unsigned int size;
- kp = rspamd_cryptobox_keypair_alloc(type, alg);
- kp->alg = alg;
+ kp = rspamd_cryptobox_keypair_alloc(type);
kp->type = type;
sk = rspamd_cryptobox_keypair_sk(kp, &size);
pk = rspamd_cryptobox_keypair_pk(kp, &size);
if (type == RSPAMD_KEYPAIR_KEX) {
- rspamd_cryptobox_keypair(pk, sk, alg);
+ rspamd_cryptobox_keypair(pk, sk);
}
else {
- rspamd_cryptobox_keypair_sig(pk, sk, alg);
+ rspamd_cryptobox_keypair_sig(pk, sk);
}
rspamd_cryptobox_hash(kp->id, pk, size, NULL, 0);
@@ -302,27 +234,10 @@ rspamd_pubkey_type(struct rspamd_cryptobox_pubkey *p)
}
-enum rspamd_cryptobox_mode
-rspamd_keypair_alg(struct rspamd_cryptobox_keypair *kp)
-{
- g_assert(kp != NULL);
-
- return kp->alg;
-}
-
-enum rspamd_cryptobox_mode
-rspamd_pubkey_alg(struct rspamd_cryptobox_pubkey *p)
-{
- g_assert(p != NULL);
-
- return p->alg;
-}
-
struct rspamd_cryptobox_pubkey *
rspamd_pubkey_from_base32(const char *b32,
gsize len,
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg)
+ enum rspamd_cryptobox_keypair_type type)
{
unsigned char *decoded;
gsize dlen, expected_len;
@@ -342,16 +257,15 @@ rspamd_pubkey_from_base32(const char *b32,
return NULL;
}
- expected_len = (type == RSPAMD_KEYPAIR_KEX) ? rspamd_cryptobox_pk_bytes(alg) : rspamd_cryptobox_pk_sig_bytes(alg);
+ expected_len = (type == RSPAMD_KEYPAIR_KEX) ? crypto_box_PUBLICKEYBYTES : crypto_sign_PUBLICKEYBYTES;
if (dlen != expected_len) {
g_free(decoded);
return NULL;
}
- pk = rspamd_cryptobox_pubkey_alloc(type, alg);
+ pk = rspamd_cryptobox_pubkey_alloc(type);
REF_INIT_RETAIN(pk, rspamd_cryptobox_pubkey_dtor);
- pk->alg = alg;
pk->type = type;
pk_data = rspamd_cryptobox_pubkey_pk(pk, &pklen);
@@ -365,8 +279,7 @@ rspamd_pubkey_from_base32(const char *b32,
struct rspamd_cryptobox_pubkey *
rspamd_pubkey_from_hex(const char *hex,
gsize len,
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg)
+ enum rspamd_cryptobox_keypair_type type)
{
unsigned char *decoded;
gsize dlen, expected_len;
@@ -388,16 +301,15 @@ rspamd_pubkey_from_hex(const char *hex,
return NULL;
}
- expected_len = (type == RSPAMD_KEYPAIR_KEX) ? rspamd_cryptobox_pk_bytes(alg) : rspamd_cryptobox_pk_sig_bytes(alg);
+ expected_len = (type == RSPAMD_KEYPAIR_KEX) ? crypto_box_PUBLICKEYBYTES : crypto_sign_PUBLICKEYBYTES;
if (dlen != expected_len) {
g_free(decoded);
return NULL;
}
- pk = rspamd_cryptobox_pubkey_alloc(type, alg);
+ pk = rspamd_cryptobox_pubkey_alloc(type);
REF_INIT_RETAIN(pk, rspamd_cryptobox_pubkey_dtor);
- pk->alg = alg;
pk->type = type;
pk_data = rspamd_cryptobox_pubkey_pk(pk, &pklen);
@@ -411,25 +323,20 @@ rspamd_pubkey_from_hex(const char *hex,
struct rspamd_cryptobox_pubkey *
rspamd_pubkey_from_bin(const unsigned char *raw,
gsize len,
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg)
+ enum rspamd_cryptobox_keypair_type type)
{
- gsize expected_len;
unsigned int pklen;
struct rspamd_cryptobox_pubkey *pk;
unsigned char *pk_data;
g_assert(raw != NULL && len > 0);
- expected_len = (type == RSPAMD_KEYPAIR_KEX) ? rspamd_cryptobox_pk_bytes(alg) : rspamd_cryptobox_pk_sig_bytes(alg);
-
- if (len != expected_len) {
+ if (len != crypto_box_PUBLICKEYBYTES) {
return NULL;
}
- pk = rspamd_cryptobox_pubkey_alloc(type, alg);
+ pk = rspamd_cryptobox_pubkey_alloc(type);
REF_INIT_RETAIN(pk, rspamd_cryptobox_pubkey_dtor);
- pk->alg = alg;
pk->type = type;
pk_data = rspamd_cryptobox_pubkey_pk(pk, &pklen);
@@ -463,7 +370,6 @@ const unsigned char *
rspamd_pubkey_calculate_nm(struct rspamd_cryptobox_pubkey *p,
struct rspamd_cryptobox_keypair *kp)
{
- g_assert(kp->alg == p->alg);
g_assert(kp->type == p->type);
g_assert(p->type == RSPAMD_KEYPAIR_KEX);
@@ -476,22 +382,12 @@ rspamd_pubkey_calculate_nm(struct rspamd_cryptobox_pubkey *p,
REF_INIT_RETAIN(p->nm, rspamd_cryptobox_nm_dtor);
}
- if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- struct rspamd_cryptobox_pubkey_25519 *rk_25519 =
- RSPAMD_CRYPTOBOX_PUBKEY_25519(p);
- struct rspamd_cryptobox_keypair_25519 *sk_25519 =
- RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp);
+ struct rspamd_cryptobox_pubkey_25519 *rk_25519 =
+ RSPAMD_CRYPTOBOX_PUBKEY_25519(p);
+ struct rspamd_cryptobox_keypair_25519 *sk_25519 =
+ RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp);
- rspamd_cryptobox_nm(p->nm->nm, rk_25519->pk, sk_25519->sk, p->alg);
- }
- else {
- struct rspamd_cryptobox_pubkey_nist *rk_nist =
- RSPAMD_CRYPTOBOX_PUBKEY_NIST(p);
- struct rspamd_cryptobox_keypair_nist *sk_nist =
- RSPAMD_CRYPTOBOX_KEYPAIR_NIST(kp);
-
- rspamd_cryptobox_nm(p->nm->nm, rk_nist->pk, sk_nist->sk, p->alg);
- }
+ rspamd_cryptobox_nm(p->nm->nm, rk_25519->pk, sk_25519->sk);
return p->nm->nm;
}
@@ -662,7 +558,6 @@ rspamd_keypair_from_ucl(const ucl_object_t *obj)
const ucl_object_t *privkey, *pubkey, *elt;
const char *str;
enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX;
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
gboolean is_hex = FALSE;
struct rspamd_cryptobox_keypair *kp;
unsigned int len;
@@ -705,19 +600,6 @@ rspamd_keypair_from_ucl(const ucl_object_t *obj)
/* TODO: handle errors */
}
- elt = ucl_object_lookup(obj, "algorithm");
- if (elt && ucl_object_type(elt) == UCL_STRING) {
- str = ucl_object_tostring(elt);
-
- if (g_ascii_strcasecmp(str, "curve25519") == 0) {
- mode = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else if (g_ascii_strcasecmp(str, "nistp256") == 0) {
- mode = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- /* TODO: handle errors */
- }
-
elt = ucl_object_lookup(obj, "encoding");
if (elt && ucl_object_type(elt) == UCL_STRING) {
str = ucl_object_tostring(elt);
@@ -728,9 +610,8 @@ rspamd_keypair_from_ucl(const ucl_object_t *obj)
/* TODO: handle errors */
}
- kp = rspamd_cryptobox_keypair_alloc(type, mode);
+ kp = rspamd_cryptobox_keypair_alloc(type);
kp->type = type;
- kp->alg = mode;
REF_INIT_RETAIN(kp, rspamd_cryptobox_keypair_dtor);
g_assert(kp != NULL);
@@ -838,8 +719,7 @@ rspamd_keypair_to_ucl(struct rspamd_cryptobox_keypair *kp,
"encoding", 0, false);
ucl_object_insert_key(elt,
- ucl_object_fromstring(
- kp->alg == RSPAMD_CRYPTOBOX_MODE_NIST ? "nistp256" : "curve25519"),
+ ucl_object_fromstring("curve25519"),
"algorithm", 0, false);
ucl_object_insert_key(elt,
@@ -873,9 +753,9 @@ rspamd_keypair_decrypt(struct rspamd_cryptobox_keypair *kp,
return FALSE;
}
- if (inlen < sizeof(encrypted_magic) + rspamd_cryptobox_pk_bytes(kp->alg) +
- rspamd_cryptobox_mac_bytes(kp->alg) +
- rspamd_cryptobox_nonce_bytes(kp->alg)) {
+ if (inlen < sizeof(encrypted_magic) + crypto_box_publickeybytes() +
+ crypto_box_macbytes() +
+ crypto_box_noncebytes()) {
g_set_error(err, rspamd_keypair_quark(), E2BIG, "invalid size: too small");
return FALSE;
@@ -890,9 +770,9 @@ rspamd_keypair_decrypt(struct rspamd_cryptobox_keypair *kp,
/* Set pointers */
pubkey = in + sizeof(encrypted_magic);
- mac = pubkey + rspamd_cryptobox_pk_bytes(kp->alg);
- nonce = mac + rspamd_cryptobox_mac_bytes(kp->alg);
- data = nonce + rspamd_cryptobox_nonce_bytes(kp->alg);
+ mac = pubkey + crypto_box_publickeybytes();
+ nonce = mac + crypto_box_macbytes();
+ data = nonce + crypto_box_noncebytes();
if (data - in >= inlen) {
g_set_error(err, rspamd_keypair_quark(), E2BIG, "invalid size: too small");
@@ -908,7 +788,7 @@ rspamd_keypair_decrypt(struct rspamd_cryptobox_keypair *kp,
if (!rspamd_cryptobox_decrypt_inplace(*out, inlen, nonce, pubkey,
rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL),
- mac, kp->alg)) {
+ mac)) {
g_set_error(err, rspamd_keypair_quark(), EPERM, "verification failed");
g_free(*out);
@@ -942,26 +822,26 @@ rspamd_keypair_encrypt(struct rspamd_cryptobox_keypair *kp,
return FALSE;
}
- local = rspamd_keypair_new(kp->type, kp->alg);
+ local = rspamd_keypair_new(kp->type);
olen = inlen + sizeof(encrypted_magic) +
- rspamd_cryptobox_pk_bytes(kp->alg) +
- rspamd_cryptobox_mac_bytes(kp->alg) +
- rspamd_cryptobox_nonce_bytes(kp->alg);
+ crypto_box_publickeybytes() +
+ crypto_box_macbytes() +
+ crypto_box_noncebytes();
*out = g_malloc(olen);
memcpy(*out, encrypted_magic, sizeof(encrypted_magic));
pubkey = *out + sizeof(encrypted_magic);
- mac = pubkey + rspamd_cryptobox_pk_bytes(kp->alg);
- nonce = mac + rspamd_cryptobox_mac_bytes(kp->alg);
- data = nonce + rspamd_cryptobox_nonce_bytes(kp->alg);
+ mac = pubkey + crypto_box_publickeybytes();
+ nonce = mac + crypto_box_macbytes();
+ data = nonce + crypto_box_noncebytes();
- ottery_rand_bytes(nonce, rspamd_cryptobox_nonce_bytes(kp->alg));
+ ottery_rand_bytes(nonce, crypto_box_noncebytes());
memcpy(data, in, inlen);
memcpy(pubkey, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_PK, NULL),
- rspamd_cryptobox_pk_bytes(kp->alg));
+ crypto_box_publickeybytes());
rspamd_cryptobox_encrypt_inplace(data, inlen, nonce, pubkey,
rspamd_keypair_component(local, RSPAMD_KEYPAIR_COMPONENT_SK, NULL),
- mac, kp->alg);
+ mac);
rspamd_keypair_unref(local);
if (outlen) {
@@ -991,26 +871,26 @@ rspamd_pubkey_encrypt(struct rspamd_cryptobox_pubkey *pk,
return FALSE;
}
- local = rspamd_keypair_new(pk->type, pk->alg);
+ local = rspamd_keypair_new(pk->type);
olen = inlen + sizeof(encrypted_magic) +
- rspamd_cryptobox_pk_bytes(pk->alg) +
- rspamd_cryptobox_mac_bytes(pk->alg) +
- rspamd_cryptobox_nonce_bytes(pk->alg);
+ crypto_box_publickeybytes() +
+ crypto_box_macbytes() +
+ crypto_box_noncebytes();
*out = g_malloc(olen);
memcpy(*out, encrypted_magic, sizeof(encrypted_magic));
pubkey = *out + sizeof(encrypted_magic);
- mac = pubkey + rspamd_cryptobox_pk_bytes(pk->alg);
- nonce = mac + rspamd_cryptobox_mac_bytes(pk->alg);
- data = nonce + rspamd_cryptobox_nonce_bytes(pk->alg);
+ mac = pubkey + crypto_box_publickeybytes();
+ nonce = mac + crypto_box_macbytes();
+ data = nonce + crypto_box_noncebytes();
- ottery_rand_bytes(nonce, rspamd_cryptobox_nonce_bytes(pk->alg));
+ ottery_rand_bytes(nonce, crypto_box_noncebytes());
memcpy(data, in, inlen);
memcpy(pubkey, rspamd_pubkey_get_pk(pk, NULL),
- rspamd_cryptobox_pk_bytes(pk->alg));
+ crypto_box_publickeybytes());
rspamd_cryptobox_encrypt_inplace(data, inlen, nonce, pubkey,
rspamd_keypair_component(local, RSPAMD_KEYPAIR_COMPONENT_SK, NULL),
- mac, pk->alg);
+ mac);
rspamd_keypair_unref(local);
if (outlen) {
diff --git a/src/libcryptobox/keypair.h b/src/libcryptobox/keypair.h
index 849246255..97b46cbf5 100644
--- a/src/libcryptobox/keypair.h
+++ b/src/libcryptobox/keypair.h
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -50,8 +50,7 @@ struct rspamd_cryptobox_pubkey;
* @return fresh keypair generated
*/
struct rspamd_cryptobox_keypair *rspamd_keypair_new(
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg);
+ enum rspamd_cryptobox_keypair_type type);
/**
* Increase refcount for the specific keypair
@@ -84,8 +83,7 @@ struct rspamd_cryptobox_pubkey *rspamd_pubkey_ref(
*/
struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_base32(const char *b32,
gsize len,
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg);
+ enum rspamd_cryptobox_keypair_type type);
/**
* Load pubkey from hex string
@@ -96,8 +94,7 @@ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_base32(const char *b32,
*/
struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_hex(const char *hex,
gsize len,
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg);
+ enum rspamd_cryptobox_keypair_type type);
/**
* Load pubkey from raw chunk string
@@ -108,8 +105,7 @@ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_hex(const char *hex,
*/
struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_bin(const unsigned char *raw,
gsize len,
- enum rspamd_cryptobox_keypair_type type,
- enum rspamd_cryptobox_mode alg);
+ enum rspamd_cryptobox_keypair_type type);
/**
@@ -127,18 +123,7 @@ enum rspamd_cryptobox_keypair_type rspamd_keypair_type(
/**
* Get type of pubkey
*/
-enum rspamd_cryptobox_keypair_type rspamd_pubkey_type(
- struct rspamd_cryptobox_pubkey *p);
-
-/**
- * Get algorithm of keypair
- */
-enum rspamd_cryptobox_mode rspamd_keypair_alg(struct rspamd_cryptobox_keypair *kp);
-
-/**
- * Get algorithm of pubkey
- */
-enum rspamd_cryptobox_mode rspamd_pubkey_alg(struct rspamd_cryptobox_pubkey *p);
+enum rspamd_cryptobox_keypair_type rspamd_pubkey_type(struct rspamd_cryptobox_pubkey *p);
/**
* Get cached NM for this specific pubkey
diff --git a/src/libcryptobox/keypair_private.h b/src/libcryptobox/keypair_private.h
index 793231701..2e372777c 100644
--- a/src/libcryptobox/keypair_private.h
+++ b/src/libcryptobox/keypair_private.h
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -38,22 +38,11 @@ struct rspamd_cryptobox_nm {
struct rspamd_cryptobox_keypair {
unsigned char id[rspamd_cryptobox_HASHBYTES];
enum rspamd_cryptobox_keypair_type type;
- enum rspamd_cryptobox_mode alg;
ucl_object_t *extensions;
ref_entry_t ref;
};
/*
- * NIST p256 ecdh keypair
- */
-#define RSPAMD_CRYPTOBOX_KEYPAIR_NIST(x) ((struct rspamd_cryptobox_keypair_nist *) (x))
-struct rspamd_cryptobox_keypair_nist {
- struct rspamd_cryptobox_keypair parent;
- unsigned char sk[32];
- unsigned char pk[65];
-};
-
-/*
* Curve25519 ecdh keypair
*/
#define RSPAMD_CRYPTOBOX_KEYPAIR_25519(x) ((struct rspamd_cryptobox_keypair_25519 *) (x))
@@ -64,16 +53,6 @@ struct rspamd_cryptobox_keypair_25519 {
};
/*
- * NIST p256 ecdsa keypair
- */
-#define RSPAMD_CRYPTOBOX_KEYPAIR_SIG_NIST(x) ((struct rspamd_cryptobox_keypair_sig_nist *) (x))
-struct rspamd_cryptobox_keypair_sig_nist {
- struct rspamd_cryptobox_keypair parent;
- unsigned char sk[32];
- unsigned char pk[65];
-};
-
-/*
* Ed25519 keypair
*/
#define RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(x) ((struct rspamd_cryptobox_keypair_sig_25519 *) (x))
@@ -90,20 +69,10 @@ struct rspamd_cryptobox_pubkey {
unsigned char id[rspamd_cryptobox_HASHBYTES];
struct rspamd_cryptobox_nm *nm;
enum rspamd_cryptobox_keypair_type type;
- enum rspamd_cryptobox_mode alg;
ref_entry_t ref;
};
/*
- * Public p256 ecdh
- */
-#define RSPAMD_CRYPTOBOX_PUBKEY_NIST(x) ((struct rspamd_cryptobox_pubkey_nist *) (x))
-struct rspamd_cryptobox_pubkey_nist {
- struct rspamd_cryptobox_pubkey parent;
- unsigned char pk[65];
-};
-
-/*
* Public curve25519 ecdh
*/
#define RSPAMD_CRYPTOBOX_PUBKEY_25519(x) ((struct rspamd_cryptobox_pubkey_25519 *) (x))
@@ -113,15 +82,6 @@ struct rspamd_cryptobox_pubkey_25519 {
};
/*
- * Public p256 ecdsa
- */
-#define RSPAMD_CRYPTOBOX_PUBKEY_SIG_NIST(x) ((struct rspamd_cryptobox_pubkey_sig_nist *) (x))
-struct rspamd_cryptobox_pubkey_sig_nist {
- struct rspamd_cryptobox_pubkey parent;
- unsigned char pk[65];
-};
-
-/*
* Public ed25519
*/
#define RSPAMD_CRYPTOBOX_PUBKEY_SIG_25519(x) ((struct rspamd_cryptobox_pubkey_sig_25519 *) (x))
diff --git a/src/libcryptobox/keypairs_cache.c b/src/libcryptobox/keypairs_cache.c
index 6003d9923..0b069a64b 100644
--- a/src/libcryptobox/keypairs_cache.c
+++ b/src/libcryptobox/keypairs_cache.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -77,7 +77,6 @@ void rspamd_keypair_cache_process(struct rspamd_keypair_cache *c,
g_assert(lk != NULL);
g_assert(rk != NULL);
- g_assert(rk->alg == lk->alg);
g_assert(rk->type == lk->type);
g_assert(rk->type == RSPAMD_KEYPAIR_KEX);
@@ -106,22 +105,12 @@ void rspamd_keypair_cache_process(struct rspamd_keypair_cache *c,
rspamd_cryptobox_HASHBYTES);
memcpy(&new->nm->sk_id, lk->id, sizeof(uint64_t));
- if (rk->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- struct rspamd_cryptobox_pubkey_25519 *rk_25519 =
- RSPAMD_CRYPTOBOX_PUBKEY_25519(rk);
- struct rspamd_cryptobox_keypair_25519 *sk_25519 =
- RSPAMD_CRYPTOBOX_KEYPAIR_25519(lk);
+ struct rspamd_cryptobox_pubkey_25519 *rk_25519 =
+ RSPAMD_CRYPTOBOX_PUBKEY_25519(rk);
+ struct rspamd_cryptobox_keypair_25519 *sk_25519 =
+ RSPAMD_CRYPTOBOX_KEYPAIR_25519(lk);
- rspamd_cryptobox_nm(new->nm->nm, rk_25519->pk, sk_25519->sk, rk->alg);
- }
- else {
- struct rspamd_cryptobox_pubkey_nist *rk_nist =
- RSPAMD_CRYPTOBOX_PUBKEY_NIST(rk);
- struct rspamd_cryptobox_keypair_nist *sk_nist =
- RSPAMD_CRYPTOBOX_KEYPAIR_NIST(lk);
-
- rspamd_cryptobox_nm(new->nm->nm, rk_nist->pk, sk_nist->sk, rk->alg);
- }
+ rspamd_cryptobox_nm(new->nm->nm, rk_25519->pk, sk_25519->sk);
rspamd_lru_hash_insert(c->hash, new, new, time(NULL), -1);
}
diff --git a/src/libserver/cfg_rcl.cxx b/src/libserver/cfg_rcl.cxx
index 9b6e759bb..7856af814 100644
--- a/src/libserver/cfg_rcl.cxx
+++ b/src/libserver/cfg_rcl.cxx
@@ -3051,21 +3051,16 @@ rspamd_rcl_parse_struct_pubkey(rspamd_mempool_t *pool,
gsize len;
const char *str;
rspamd_cryptobox_keypair_type keypair_type = RSPAMD_KEYPAIR_KEX;
- rspamd_cryptobox_mode keypair_mode = RSPAMD_CRYPTOBOX_MODE_25519;
if (pd->flags & RSPAMD_CL_FLAG_SIGNKEY) {
keypair_type = RSPAMD_KEYPAIR_SIGN;
}
- if (pd->flags & RSPAMD_CL_FLAG_NISTKEY) {
- keypair_mode = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
target = (struct rspamd_cryptobox_pubkey **) (((char *) pd->user_struct) +
pd->offset);
if (obj->type == UCL_STRING) {
str = ucl_object_tolstring(obj, &len);
- pk = rspamd_pubkey_from_base32(str, len, keypair_type,
- keypair_mode);
+ pk = rspamd_pubkey_from_base32(str, len, keypair_type);
if (pk != nullptr) {
*target = pk;
diff --git a/src/libserver/cfg_rcl.h b/src/libserver/cfg_rcl.h
index e33656b72..35b9b931f 100644
--- a/src/libserver/cfg_rcl.h
+++ b/src/libserver/cfg_rcl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2023 Vsevolod Stakhov
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,7 +53,6 @@ enum rspamd_rcl_flag {
RSPAMD_CL_FLAG_STRING_LIST_HASH = 0x1 << 12,
RSPAMD_CL_FLAG_MULTIPLE = 0x1 << 13,
RSPAMD_CL_FLAG_SIGNKEY = 0x1 << 14,
- RSPAMD_CL_FLAG_NISTKEY = 0x1 << 15,
};
struct rspamd_rcl_struct_parser {
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 0f2afc950..a76ed31ab 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -1393,14 +1393,13 @@ rspamd_dkim_make_key(const char *keydata,
if (key->type == RSPAMD_DKIM_KEY_EDDSA) {
key->specific.key_eddsa = key->keydata;
- if (key->decoded_len != rspamd_cryptobox_pk_sig_bytes(
- RSPAMD_CRYPTOBOX_MODE_25519)) {
+ if (key->decoded_len != crypto_sign_publickeybytes()) {
g_set_error(err,
DKIM_ERROR,
DKIM_SIGERROR_KEYFAIL,
- "DKIM key is has invalid length %d for eddsa; expected %d",
+ "DKIM key is has invalid length %d for eddsa; expected %zd",
(int) key->decoded_len,
- rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
+ crypto_sign_publickeybytes());
REF_RELEASE(key);
return NULL;
@@ -2912,7 +2911,7 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx,
case RSPAMD_DKIM_KEY_EDDSA:
if (!rspamd_cryptobox_verify(ctx->b, ctx->blen, raw_digest, dlen,
- key->specific.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519)) {
+ key->specific.key_eddsa)) {
msg_info_dkim(
"%s: headers EDDSA verification failure; "
"body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
@@ -3113,19 +3112,18 @@ rspamd_dkim_sign_key_load(const char *key, gsize len,
}
if (type == RSPAMD_DKIM_KEY_RAW && (len == 32 ||
- len == rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519))) {
+ len == crypto_sign_secretkeybytes())) {
if (len == 32) {
/* Seeded key, need scalarmult */
unsigned char pk[32];
nkey->type = RSPAMD_DKIM_KEY_EDDSA;
- nkey->specific.key_eddsa = g_malloc(
- rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
+ nkey->specific.key_eddsa = g_malloc(crypto_sign_secretkeybytes());
crypto_sign_ed25519_seed_keypair(pk, nkey->specific.key_eddsa, key);
- nkey->keylen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
+ nkey->keylen = crypto_sign_secretkeybytes();
}
else {
/* Full ed25519 key */
- unsigned klen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
+ unsigned klen = crypto_sign_secretkeybytes();
nkey->type = RSPAMD_DKIM_KEY_EDDSA;
nkey->specific.key_eddsa = g_malloc(klen);
memcpy(nkey->specific.key_eddsa, key, klen);
@@ -3518,11 +3516,10 @@ rspamd_dkim_sign(struct rspamd_task *task, const char *selector,
}
}
else if (ctx->key->type == RSPAMD_DKIM_KEY_EDDSA) {
- sig_len = rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
+ sig_len = crypto_sign_bytes();
sig_buf = g_alloca(sig_len);
- rspamd_cryptobox_sign(sig_buf, NULL, raw_digest, dlen,
- ctx->key->specific.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519);
+ rspamd_cryptobox_sign(sig_buf, NULL, raw_digest, dlen, ctx->key->specific.key_eddsa);
}
else {
g_string_free(hdr, TRUE);
diff --git a/src/libserver/http/http_connection.c b/src/libserver/http/http_connection.c
index ef39e11e7..1ae9bb034 100644
--- a/src/libserver/http/http_connection.c
+++ b/src/libserver/http/http_connection.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -159,8 +159,7 @@ rspamd_http_parse_key(rspamd_ftok_t *data, struct rspamd_http_connection *conn,
if (decoded_id != NULL && id_len >= RSPAMD_KEYPAIR_SHORT_ID_LEN) {
pk = rspamd_pubkey_from_base32(eq_pos + 1,
data->begin + data->len - eq_pos - 1,
- RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ RSPAMD_KEYPAIR_KEX);
if (pk != NULL) {
if (memcmp(rspamd_keypair_get_id(priv->local_key),
decoded_id,
@@ -572,21 +571,18 @@ rspamd_http_decrypt_message(struct rspamd_http_connection *conn,
struct rspamd_http_header *hdr, *hcur, *hcurtmp;
struct http_parser decrypted_parser;
struct http_parser_settings decrypted_cb;
- enum rspamd_cryptobox_mode mode;
- mode = rspamd_keypair_alg(priv->local_key);
nonce = msg->body_buf.str;
- m = msg->body_buf.str + rspamd_cryptobox_nonce_bytes(mode) +
- rspamd_cryptobox_mac_bytes(mode);
- dec_len = msg->body_buf.len - rspamd_cryptobox_nonce_bytes(mode) -
- rspamd_cryptobox_mac_bytes(mode);
+ m = msg->body_buf.str + crypto_box_noncebytes() +
+ crypto_box_macbytes();
+ dec_len = msg->body_buf.len - crypto_box_noncebytes() - crypto_box_macbytes();
if ((nm = rspamd_pubkey_get_nm(peer_key, priv->local_key)) == NULL) {
nm = rspamd_pubkey_calculate_nm(peer_key, priv->local_key);
}
if (!rspamd_cryptobox_decrypt_nm_inplace(m, dec_len, nonce,
- nm, m - rspamd_cryptobox_mac_bytes(mode), mode)) {
+ nm, m - crypto_box_macbytes())) {
msg_err("cannot verify encrypted message, first bytes of the input: %*xs",
(int) MIN(msg->body_buf.len, 64), msg->body_buf.begin);
return -1;
@@ -640,7 +636,6 @@ rspamd_http_on_message_complete(http_parser *parser)
(struct rspamd_http_connection *) parser->data;
struct rspamd_http_connection_private *priv;
int ret = 0;
- enum rspamd_cryptobox_mode mode;
if (conn->finished) {
return 0;
@@ -655,11 +650,10 @@ rspamd_http_on_message_complete(http_parser *parser)
}
if ((conn->opts & RSPAMD_HTTP_BODY_PARTIAL) == 0 && IS_CONN_ENCRYPTED(priv)) {
- mode = rspamd_keypair_alg(priv->local_key);
if (priv->local_key == NULL || priv->msg->peer_key == NULL ||
- priv->msg->body_buf.len < rspamd_cryptobox_nonce_bytes(mode) +
- rspamd_cryptobox_mac_bytes(mode)) {
+ priv->msg->body_buf.len < crypto_box_noncebytes() +
+ crypto_box_macbytes()) {
msg_err("cannot decrypt message");
return -1;
}
@@ -1576,10 +1570,8 @@ rspamd_http_connection_encrypt_message(
int i, cnt;
unsigned int outlen;
struct rspamd_http_header *hdr, *hcur;
- enum rspamd_cryptobox_mode mode;
- mode = rspamd_keypair_alg(priv->local_key);
- crlfp = mp + rspamd_cryptobox_mac_bytes(mode);
+ crlfp = mp + crypto_box_macbytes();
outlen = priv->out[0].iov_len + priv->out[1].iov_len;
/*
@@ -1632,7 +1624,7 @@ if ((nm = rspamd_pubkey_get_nm(peer_key, priv->local_key)) == NULL) {
nm = rspamd_pubkey_calculate_nm(peer_key, priv->local_key);
}
-rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, np, nm, mp, mode);
+rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, np, nm, mp);
/*
* iov[0] = base HTTP request
@@ -1642,12 +1634,12 @@ rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, np, nm, mp, mode);
* iov[4..i] = encrypted HTTP request/reply
*/
priv->out[2].iov_base = np;
-priv->out[2].iov_len = rspamd_cryptobox_nonce_bytes(mode);
+priv->out[2].iov_len = crypto_box_noncebytes();
priv->out[3].iov_base = mp;
-priv->out[3].iov_len = rspamd_cryptobox_mac_bytes(mode);
+priv->out[3].iov_len = crypto_box_macbytes();
-outlen += rspamd_cryptobox_nonce_bytes(mode) +
- rspamd_cryptobox_mac_bytes(mode);
+outlen += crypto_box_noncebytes() +
+ crypto_box_macbytes();
for (i = 0; i < cnt; i++) {
priv->out[i + 4].iov_base = segments[i].data;
@@ -2027,7 +2019,6 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn,
unsigned char nonce[rspamd_cryptobox_MAX_NONCEBYTES], mac[rspamd_cryptobox_MAX_MACBYTES];
unsigned char *np = NULL, *mp = NULL, *meth_pos = NULL;
struct rspamd_cryptobox_pubkey *peer_key = NULL;
- enum rspamd_cryptobox_mode mode;
GError *err;
conn->ud = ud;
@@ -2059,8 +2050,7 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn,
if (msg->peer_key != NULL) {
if (priv->local_key == NULL) {
/* Automatically generate a temporary keypair */
- priv->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ priv->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX);
}
encrypted = TRUE;
@@ -2128,8 +2118,6 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn,
}
if (encrypted) {
- mode = rspamd_keypair_alg(priv->local_key);
-
if (msg->body_buf.len == 0) {
pbody = NULL;
bodylen = 0;
@@ -2154,8 +2142,8 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn,
* [iov[n + 2] = encrypted body]
*/
priv->outlen = 7;
- enclen = rspamd_cryptobox_nonce_bytes(mode) +
- rspamd_cryptobox_mac_bytes(mode) +
+ enclen = crypto_box_noncebytes() +
+ crypto_box_macbytes() +
4 + /* 2 * CRLF */
bodylen;
}
@@ -2197,8 +2185,8 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn,
ENCRYPTED_VERSION);
}
- enclen = rspamd_cryptobox_nonce_bytes(mode) +
- rspamd_cryptobox_mac_bytes(mode) +
+ enclen = crypto_box_noncebytes() +
+ crypto_box_macbytes() +
preludelen + /* version [content-length] + 2 * CRLF */
bodylen;
}
@@ -2275,10 +2263,9 @@ priv->out[0].iov_len = buf->len;
/* Buf will be used eventually for encryption */
if (encrypted) {
int meth_offset, nonce_offset, mac_offset;
- mode = rspamd_keypair_alg(priv->local_key);
- ottery_rand_bytes(nonce, rspamd_cryptobox_nonce_bytes(mode));
- memset(mac, 0, rspamd_cryptobox_mac_bytes(mode));
+ ottery_rand_bytes(nonce, crypto_box_noncebytes());
+ memset(mac, 0, crypto_box_macbytes());
meth_offset = buf->len;
if (conn->type == RSPAMD_HTTP_SERVER) {
@@ -2292,11 +2279,9 @@ if (encrypted) {
}
nonce_offset = buf->len;
- buf = rspamd_fstring_append(buf, nonce,
- rspamd_cryptobox_nonce_bytes(mode));
+ buf = rspamd_fstring_append(buf, nonce, crypto_box_noncebytes());
mac_offset = buf->len;
- buf = rspamd_fstring_append(buf, mac,
- rspamd_cryptobox_mac_bytes(mode));
+ buf = rspamd_fstring_append(buf, mac, crypto_box_macbytes());
/* Need to be encrypted */
if (conn->type == RSPAMD_HTTP_SERVER) {
@@ -2365,44 +2350,44 @@ if (conn->opts & RSPAMD_HTTP_CLIENT_SSL) {
gpointer ssl_ctx = (msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY) ? priv->ctx->ssl_ctx_noverify : priv->ctx->ssl_ctx;
if (!ssl_ctx) {
- err = g_error_new(HTTP_ERROR, 400, "ssl message requested "
- "with no ssl ctx");
- rspamd_http_connection_ref(conn);
- conn->error_handler(conn, err);
- rspamd_http_connection_unref(conn);
- g_error_free(err);
- return FALSE;
+ err = g_error_new(HTTP_ERROR, 400, "ssl message requested "
+ "with no ssl ctx");
+ rspamd_http_connection_ref(conn);
+ conn->error_handler(conn, err);
+ rspamd_http_connection_unref(conn);
+ g_error_free(err);
+ return FALSE;
}
else {
- if (!priv->ssl) {
- priv->ssl = rspamd_ssl_connection_new(ssl_ctx, priv->ctx->event_loop,
- !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY),
- conn->log_tag);
- g_assert(priv->ssl != NULL);
-
- if (!rspamd_ssl_connect_fd(priv->ssl, conn->fd, host, &priv->ev,
- priv->timeout, rspamd_http_event_handler,
- rspamd_http_ssl_err_handler, conn)) {
-
- err = g_error_new(HTTP_ERROR, 400,
- "ssl connection error: ssl error=%s, errno=%s",
- ERR_error_string(ERR_get_error(), NULL),
- strerror(errno));
- rspamd_http_connection_ref(conn);
- conn->error_handler(conn, err);
- rspamd_http_connection_unref(conn);
- g_error_free(err);
- return FALSE;
- }
- }
- else {
- /* Just restore SSL handlers */
- rspamd_ssl_connection_restore_handlers(priv->ssl,
- rspamd_http_event_handler,
- rspamd_http_ssl_err_handler,
- conn,
- EV_WRITE);
+ if (!priv->ssl) {
+ priv->ssl = rspamd_ssl_connection_new(ssl_ctx, priv->ctx->event_loop,
+ !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY),
+ conn->log_tag);
+ g_assert(priv->ssl != NULL);
+
+ if (!rspamd_ssl_connect_fd(priv->ssl, conn->fd, host, &priv->ev,
+ priv->timeout, rspamd_http_event_handler,
+ rspamd_http_ssl_err_handler, conn)) {
+
+ err = g_error_new(HTTP_ERROR, 400,
+ "ssl connection error: ssl error=%s, errno=%s",
+ ERR_error_string(ERR_get_error(), NULL),
+ strerror(errno));
+ rspamd_http_connection_ref(conn);
+ conn->error_handler(conn, err);
+ rspamd_http_connection_unref(conn);
+ g_error_free(err);
+ return FALSE;
}
+ }
+ else {
+ /* Just restore SSL handlers */
+ rspamd_ssl_connection_restore_handlers(priv->ssl,
+ rspamd_http_event_handler,
+ rspamd_http_ssl_err_handler,
+ conn,
+ EV_WRITE);
+ }
}
}
else {
@@ -2467,10 +2452,10 @@ rspamd_http_connection_get_peer_key(struct rspamd_http_connection *conn)
struct rspamd_http_connection_private *priv = conn->priv;
if (priv->peer_key) {
- return priv->peer_key;
+ return priv->peer_key;
}
else if (priv->msg) {
- return priv->msg->peer_key;
+ return priv->msg->peer_key;
}
return NULL;
@@ -2482,10 +2467,10 @@ rspamd_http_connection_is_encrypted(struct rspamd_http_connection *conn)
struct rspamd_http_connection_private *priv = conn->priv;
if (priv->peer_key != NULL) {
- return TRUE;
+ return TRUE;
}
else if (priv->msg) {
- return priv->msg->peer_key != NULL;
+ return priv->msg->peer_key != NULL;
}
return FALSE;
@@ -2512,103 +2497,103 @@ rspamd_http_message_parse_query(struct rspamd_http_message *msg)
rspamd_fstring_mapped_ftok_free);
if (msg->url && msg->url->len > 0) {
- http_parser_parse_url(msg->url->str, msg->url->len, TRUE, &u);
-
- if (u.field_set & (1 << UF_QUERY)) {
- p = msg->url->str + u.field_data[UF_QUERY].off;
- c = p;
- end = p + u.field_data[UF_QUERY].len;
-
- while (p <= end) {
- switch (state) {
- case parse_key:
- if ((p == end || *p == '&') && p > c) {
- /* We have a single parameter without a value */
- key = rspamd_fstring_new_init(c, p - c);
- key_tok = rspamd_ftok_map(key);
- key_tok->len = rspamd_url_decode(key->str, key->str,
- key->len);
-
- value = rspamd_fstring_new_init("", 0);
- value_tok = rspamd_ftok_map(value);
+ http_parser_parse_url(msg->url->str, msg->url->len, TRUE, &u);
+
+ if (u.field_set & (1 << UF_QUERY)) {
+ p = msg->url->str + u.field_data[UF_QUERY].off;
+ c = p;
+ end = p + u.field_data[UF_QUERY].len;
+
+ while (p <= end) {
+ switch (state) {
+ case parse_key:
+ if ((p == end || *p == '&') && p > c) {
+ /* We have a single parameter without a value */
+ key = rspamd_fstring_new_init(c, p - c);
+ key_tok = rspamd_ftok_map(key);
+ key_tok->len = rspamd_url_decode(key->str, key->str,
+ key->len);
+
+ value = rspamd_fstring_new_init("", 0);
+ value_tok = rspamd_ftok_map(value);
+
+ g_hash_table_replace(res, key_tok, value_tok);
+ state = parse_ampersand;
+ }
+ else if (*p == '=' && p > c) {
+ /* We have something like key=value */
+ key = rspamd_fstring_new_init(c, p - c);
+ key_tok = rspamd_ftok_map(key);
+ key_tok->len = rspamd_url_decode(key->str, key->str,
+ key->len);
+
+ state = parse_eqsign;
+ }
+ else {
+ p++;
+ }
+ break;
- g_hash_table_replace(res, key_tok, value_tok);
- state = parse_ampersand;
- }
- else if (*p == '=' && p > c) {
- /* We have something like key=value */
- key = rspamd_fstring_new_init(c, p - c);
- key_tok = rspamd_ftok_map(key);
- key_tok->len = rspamd_url_decode(key->str, key->str,
- key->len);
-
- state = parse_eqsign;
- }
- else {
- p++;
- }
- break;
+ case parse_eqsign:
+ if (*p != '=') {
+ c = p;
+ state = parse_value;
+ }
+ else {
+ p++;
+ }
+ break;
- case parse_eqsign:
- if (*p != '=') {
- c = p;
- state = parse_value;
- }
- else {
- p++;
- }
- break;
-
- case parse_value:
- if ((p == end || *p == '&') && p >= c) {
- g_assert(key != NULL);
- if (p > c) {
- value = rspamd_fstring_new_init(c, p - c);
- value_tok = rspamd_ftok_map(value);
- value_tok->len = rspamd_url_decode(value->str,
- value->str,
- value->len);
- /* Detect quotes for value */
- if (value_tok->begin[0] == '"') {
- memmove(value->str, value->str + 1,
- value_tok->len - 1);
- value_tok->len--;
- }
- if (value_tok->begin[value_tok->len - 1] == '"') {
- value_tok->len--;
- }
+ case parse_value:
+ if ((p == end || *p == '&') && p >= c) {
+ g_assert(key != NULL);
+ if (p > c) {
+ value = rspamd_fstring_new_init(c, p - c);
+ value_tok = rspamd_ftok_map(value);
+ value_tok->len = rspamd_url_decode(value->str,
+ value->str,
+ value->len);
+ /* Detect quotes for value */
+ if (value_tok->begin[0] == '"') {
+ memmove(value->str, value->str + 1,
+ value_tok->len - 1);
+ value_tok->len--;
}
- else {
- value = rspamd_fstring_new_init("", 0);
- value_tok = rspamd_ftok_map(value);
+ if (value_tok->begin[value_tok->len - 1] == '"') {
+ value_tok->len--;
}
-
- g_hash_table_replace(res, key_tok, value_tok);
- key = value = NULL;
- key_tok = value_tok = NULL;
- state = parse_ampersand;
}
else {
- p++;
+ value = rspamd_fstring_new_init("", 0);
+ value_tok = rspamd_ftok_map(value);
}
- break;
- case parse_ampersand:
- if (p != end && *p != '&') {
- c = p;
- state = parse_key;
- }
- else {
- p++;
- }
- break;
+ g_hash_table_replace(res, key_tok, value_tok);
+ key = value = NULL;
+ key_tok = value_tok = NULL;
+ state = parse_ampersand;
+ }
+ else {
+ p++;
+ }
+ break;
+
+ case parse_ampersand:
+ if (p != end && *p != '&') {
+ c = p;
+ state = parse_key;
+ }
+ else {
+ p++;
}
+ break;
}
}
+ }
- if (state != parse_ampersand && key != NULL) {
- rspamd_fstring_free(key);
- }
+ if (state != parse_ampersand && key != NULL) {
+ rspamd_fstring_free(key);
+ }
}
return res;
@@ -2635,15 +2620,15 @@ void rspamd_http_connection_disable_encryption(struct rspamd_http_connection *co
priv = conn->priv;
if (priv) {
- if (priv->local_key) {
- rspamd_keypair_unref(priv->local_key);
- }
- if (priv->peer_key) {
- rspamd_pubkey_unref(priv->peer_key);
- }
+ if (priv->local_key) {
+ rspamd_keypair_unref(priv->local_key);
+ }
+ if (priv->peer_key) {
+ rspamd_pubkey_unref(priv->peer_key);
+ }
- priv->local_key = NULL;
- priv->peer_key = NULL;
- priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_ENCRYPTED;
+ priv->local_key = NULL;
+ priv->peer_key = NULL;
+ priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_ENCRYPTED;
}
} \ No newline at end of file
diff --git a/src/libserver/http/http_context.c b/src/libserver/http/http_context.c
index fe9412fe2..df32a2258 100644
--- a/src/libserver/http/http_context.c
+++ b/src/libserver/http/http_context.c
@@ -77,8 +77,7 @@ rspamd_http_context_client_rotate_ev(struct ev_loop *loop, ev_timer *w, int reve
ev_timer_again(loop, w);
kp = ctx->client_kp;
- ctx->client_kp = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ ctx->client_kp = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX);
rspamd_keypair_unref(kp);
}
diff --git a/src/libserver/logger/logger.c b/src/libserver/logger/logger.c
index 13bac5cbe..25818e7a5 100644
--- a/src/libserver/logger/logger.c
+++ b/src/libserver/logger/logger.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2023 Vsevolod Stakhov
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -277,8 +277,7 @@ rspamd_log_open_specific(rspamd_mempool_t *pool,
if (cfg->log_encryption_key) {
logger->pk = rspamd_pubkey_ref(cfg->log_encryption_key);
- logger->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ logger->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX);
rspamd_pubkey_calculate_nm(logger->pk, logger->keypair);
}
}
@@ -342,9 +341,9 @@ rspamd_log_encrypt_message(const char *begin, const char *end, gsize *enc_len,
g_assert(end > begin);
/* base64 (pubkey | nonce | message) */
- inlen = rspamd_cryptobox_nonce_bytes(RSPAMD_CRYPTOBOX_MODE_25519) +
- rspamd_cryptobox_pk_bytes(RSPAMD_CRYPTOBOX_MODE_25519) +
- rspamd_cryptobox_mac_bytes(RSPAMD_CRYPTOBOX_MODE_25519) +
+ inlen = crypto_box_noncebytes() +
+ crypto_box_publickeybytes() +
+ crypto_box_macbytes() +
(end - begin);
out = g_malloc(inlen);
@@ -352,16 +351,15 @@ rspamd_log_encrypt_message(const char *begin, const char *end, gsize *enc_len,
comp = rspamd_pubkey_get_pk(rspamd_log->pk, &len);
memcpy(p, comp, len);
p += len;
- ottery_rand_bytes(p, rspamd_cryptobox_nonce_bytes(RSPAMD_CRYPTOBOX_MODE_25519));
+ ottery_rand_bytes(p, crypto_box_noncebytes());
nonce = p;
- p += rspamd_cryptobox_nonce_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
+ p += crypto_box_noncebytes();
mac = p;
- p += rspamd_cryptobox_mac_bytes(RSPAMD_CRYPTOBOX_MODE_25519);
+ p += crypto_box_macbytes();
memcpy(p, begin, end - begin);
comp = rspamd_pubkey_get_nm(rspamd_log->pk, rspamd_log->keypair);
g_assert(comp != NULL);
- rspamd_cryptobox_encrypt_nm_inplace(p, end - begin, nonce, comp, mac,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ rspamd_cryptobox_encrypt_nm_inplace(p, end - begin, nonce, comp, mac);
b64 = rspamd_encode_base64(out, inlen, 0, enc_len);
g_free(out);
diff --git a/src/libserver/maps/map.c b/src/libserver/maps/map.c
index 15fce7e9d..631455755 100644
--- a/src/libserver/maps/map.c
+++ b/src/libserver/maps/map.c
@@ -670,14 +670,14 @@ rspamd_map_check_sig_pk_mem(const unsigned char *sig,
GString *b32_key;
gboolean ret = TRUE;
- if (siglen != rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519)) {
+ if (siglen != crypto_sign_bytes()) {
msg_err_map("can't open signature for %s: invalid size: %z", map->name, siglen);
ret = FALSE;
}
if (ret && !rspamd_cryptobox_verify(sig, siglen, input, inlen,
- rspamd_pubkey_get_pk(pk, NULL), RSPAMD_CRYPTOBOX_MODE_25519)) {
+ rspamd_pubkey_get_pk(pk, NULL))) {
msg_err_map("can't verify signature for %s: incorrect signature", map->name);
ret = FALSE;
@@ -718,8 +718,7 @@ rspamd_map_check_file_sig(const char *fname,
return FALSE;
}
- pk = rspamd_pubkey_from_base32(data, len, RSPAMD_KEYPAIR_SIGN,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ pk = rspamd_pubkey_from_base32(data, len, RSPAMD_KEYPAIR_SIGN);
munmap(data, len);
if (pk == NULL) {
@@ -2414,8 +2413,7 @@ rspamd_map_check_proto(struct rspamd_config *cfg,
end_key = memchr(pos, '+', end - pos);
if (end_key != NULL) {
- bk->trusted_pubkey = rspamd_pubkey_from_base32(pos, end_key - pos,
- RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519);
+ bk->trusted_pubkey = rspamd_pubkey_from_base32(pos, end_key - pos, RSPAMD_KEYPAIR_SIGN);
if (bk->trusted_pubkey == NULL) {
msg_err_config("cannot read pubkey from map: %s",
@@ -2426,8 +2424,7 @@ rspamd_map_check_proto(struct rspamd_config *cfg,
}
else if (end - pos > 64) {
/* Try hex encoding */
- bk->trusted_pubkey = rspamd_pubkey_from_hex(pos, 64,
- RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519);
+ bk->trusted_pubkey = rspamd_pubkey_from_hex(pos, 64, RSPAMD_KEYPAIR_SIGN);
if (bk->trusted_pubkey == NULL) {
msg_err_config("cannot read pubkey from map: %s",
diff --git a/src/lua/lua_cryptobox.c b/src/lua/lua_cryptobox.c
index bad7d7024..1b9074f58 100644
--- a/src/lua/lua_cryptobox.c
+++ b/src/lua/lua_cryptobox.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -257,7 +257,6 @@ lua_check_cryptobox_secretbox(lua_State *L, int pos)
* Loads public key from base32 encoded file
* @param {string} file filename to load
* @param {string} type optional 'sign' or 'kex' for signing and encryption
- * @param {string} alg optional 'default' or 'nist' for curve25519/nistp256 keys
* @return {cryptobox_pubkey} new public key
*/
static int
@@ -267,7 +266,6 @@ lua_cryptobox_pubkey_load(lua_State *L)
struct rspamd_cryptobox_pubkey *pkey = NULL, **ppkey;
const char *filename, *arg;
int type = RSPAMD_KEYPAIR_SIGN;
- int alg = RSPAMD_CRYPTOBOX_MODE_25519;
unsigned char *map;
gsize len;
@@ -293,19 +291,8 @@ lua_cryptobox_pubkey_load(lua_State *L)
type = RSPAMD_KEYPAIR_KEX;
}
}
- if (lua_type(L, 3) == LUA_TSTRING) {
- /* algorithm */
- arg = lua_tostring(L, 3);
-
- if (strcmp(arg, "default") == 0 || strcmp(arg, "curve25519") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else if (strcmp(arg, "nist") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- }
- pkey = rspamd_pubkey_from_base32(map, len, type, alg);
+ pkey = rspamd_pubkey_from_base32(map, len, type);
if (pkey == NULL) {
msg_err("cannot open pubkey from file: %s", filename);
@@ -333,7 +320,6 @@ lua_cryptobox_pubkey_load(lua_State *L)
* Loads public key from base32 encoded string
* @param {base32 string} base32 string with the key
* @param {string} type optional 'sign' or 'kex' for signing and encryption
- * @param {string} alg optional 'default' or 'nist' for curve25519/nistp256 keys
* @return {cryptobox_pubkey} new public key
*/
static int
@@ -344,7 +330,6 @@ lua_cryptobox_pubkey_create(lua_State *L)
const char *buf, *arg;
gsize len;
int type = RSPAMD_KEYPAIR_SIGN;
- int alg = RSPAMD_CRYPTOBOX_MODE_25519;
buf = luaL_checklstring(L, 1, &len);
if (buf != NULL) {
@@ -359,19 +344,8 @@ lua_cryptobox_pubkey_create(lua_State *L)
type = RSPAMD_KEYPAIR_KEX;
}
}
- if (lua_type(L, 3) == LUA_TSTRING) {
- /* algorithm */
- arg = lua_tostring(L, 3);
-
- if (strcmp(arg, "default") == 0 || strcmp(arg, "curve25519") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else if (strcmp(arg, "nist") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- }
- pkey = rspamd_pubkey_from_base32(buf, len, type, alg);
+ pkey = rspamd_pubkey_from_base32(buf, len, type);
if (pkey == NULL) {
msg_err("cannot load pubkey from string");
@@ -477,7 +451,6 @@ lua_cryptobox_keypair_load(lua_State *L)
* @function rspamd_cryptobox_keypair.create([type='encryption'[, alg='curve25519']])
* Generates new keypair
* @param {string} type type of keypair: 'encryption' (default) or 'sign'
- * @param {string} alg algorithm of keypair: 'curve25519' (default) or 'nist'
* @return {cryptobox_keypair} new keypair
*/
static int
@@ -486,7 +459,6 @@ lua_cryptobox_keypair_create(lua_State *L)
LUA_TRACE_POINT;
struct rspamd_cryptobox_keypair *kp, **pkp;
enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
if (lua_isstring(L, 1)) {
const char *str = lua_tostring(L, 1);
@@ -502,21 +474,7 @@ lua_cryptobox_keypair_create(lua_State *L)
}
}
- if (lua_isstring(L, 2)) {
- const char *str = lua_tostring(L, 2);
-
- if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error(L, "invalid keypair algorithm: %s", str);
- }
- }
-
- kp = rspamd_keypair_new(type, alg);
+ kp = rspamd_keypair_new(type);
pkp = lua_newuserdata(L, sizeof(gpointer));
*pkp = kp;
@@ -606,12 +564,7 @@ lua_cryptobox_keypair_get_alg(lua_State *L)
struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair(L, 1);
if (kp) {
- if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- lua_pushstring(L, "curve25519");
- }
- else {
- lua_pushstring(L, "nist");
- }
+ lua_pushstring(L, "curve25519");
}
else {
return luaL_error(L, "invalid arguments");
@@ -636,7 +589,7 @@ lua_cryptobox_keypair_get_pk(lua_State *L)
if (kp) {
data = rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_PK, &dlen);
- pk = rspamd_pubkey_from_bin(data, dlen, kp->type, kp->alg);
+ pk = rspamd_pubkey_from_bin(data, dlen, kp->type);
if (pk == NULL) {
return luaL_error(L, "invalid keypair");
@@ -654,7 +607,7 @@ lua_cryptobox_keypair_get_pk(lua_State *L)
}
/***
- * @function rspamd_cryptobox_signature.load(file, [alg = 'curve25519'])
+ * @function rspamd_cryptobox_signature.load(file)
* Loads signature from raw file
* @param {string} file filename to load
* @return {cryptobox_signature} new signature
@@ -668,7 +621,6 @@ lua_cryptobox_signature_load(lua_State *L)
gpointer data;
int fd;
struct stat st;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
filename = luaL_checkstring(L, 1);
if (filename != NULL) {
@@ -686,22 +638,6 @@ lua_cryptobox_signature_load(lua_State *L)
lua_pushnil(L);
}
else {
- if (lua_isstring(L, 2)) {
- const char *str = lua_tostring(L, 2);
-
- if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- munmap(data, st.st_size);
- close(fd);
-
- return luaL_error(L, "invalid keypair algorithm: %s", str);
- }
- }
if (st.st_size > 0) {
sig = rspamd_fstring_new_init(data, st.st_size);
psig = lua_newuserdata(L, sizeof(rspamd_fstring_t *));
@@ -711,7 +647,7 @@ lua_cryptobox_signature_load(lua_State *L)
else {
msg_err("size of %s mismatches: %d while %d is expected",
filename, (int) st.st_size,
- rspamd_cryptobox_signature_bytes(alg));
+ crypto_sign_bytes());
lua_pushnil(L);
}
@@ -821,7 +757,7 @@ lua_cryptobox_signature_create(lua_State *L)
}
if (data != NULL) {
- if (dlen == rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519)) {
+ if (dlen == crypto_sign_bytes()) {
sig = rspamd_fstring_new_init(data, dlen);
psig = lua_newuserdata(L, sizeof(rspamd_fstring_t *));
rspamd_lua_setclass(L, rspamd_cryptobox_signature_classname, -1);
@@ -1723,7 +1659,7 @@ lua_cryptobox_hash_gc(lua_State *L)
}
/***
- * @function rspamd_cryptobox.verify_memory(pk, sig, data, [alg = 'curve25519'])
+ * @function rspamd_cryptobox.verify_memory(pk, sig, data)
* Check memory using specified cryptobox key and signature
* @param {pubkey} pk public key to verify
* @param {sig} signature to check
@@ -1738,7 +1674,6 @@ lua_cryptobox_verify_memory(lua_State *L)
rspamd_fstring_t *signature;
struct rspamd_lua_text *t;
const char *data;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
gsize len;
int ret;
@@ -1759,23 +1694,9 @@ lua_cryptobox_verify_memory(lua_State *L)
data = luaL_checklstring(L, 3, &len);
}
- if (lua_isstring(L, 4)) {
- const char *str = lua_tostring(L, 4);
-
- if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error(L, "invalid algorithm: %s", str);
- }
- }
-
if (pk != NULL && signature != NULL && data != NULL) {
ret = rspamd_cryptobox_verify(signature->str, signature->len, data, len,
- rspamd_pubkey_get_pk(pk, NULL), alg);
+ rspamd_pubkey_get_pk(pk, NULL));
if (ret) {
lua_pushboolean(L, 1);
@@ -1792,7 +1713,7 @@ lua_cryptobox_verify_memory(lua_State *L)
}
/***
- * @function rspamd_cryptobox.verify_file(pk, sig, file, [alg = 'curve25519'])
+ * @function rspamd_cryptobox.verify_file(pk, sig, file)
* Check file using specified cryptobox key and signature
* @param {pubkey} pk public key to verify
* @param {sig} signature to check
@@ -1807,7 +1728,6 @@ lua_cryptobox_verify_file(lua_State *L)
struct rspamd_cryptobox_pubkey *pk;
rspamd_fstring_t *signature;
unsigned char *map = NULL;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
gsize len;
int ret;
@@ -1815,26 +1735,12 @@ lua_cryptobox_verify_file(lua_State *L)
signature = lua_check_cryptobox_sign(L, 2);
fname = luaL_checkstring(L, 3);
- if (lua_isstring(L, 4)) {
- const char *str = lua_tostring(L, 4);
-
- if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error(L, "invalid algorithm: %s", str);
- }
- }
-
map = rspamd_file_xmap(fname, PROT_READ, &len, TRUE);
if (map != NULL && pk != NULL && signature != NULL) {
ret = rspamd_cryptobox_verify(signature->str, signature->len,
map, len,
- rspamd_pubkey_get_pk(pk, NULL), alg);
+ rspamd_pubkey_get_pk(pk, NULL));
if (ret) {
lua_pushboolean(L, 1);
@@ -1896,12 +1802,11 @@ lua_cryptobox_sign_memory(lua_State *L)
return luaL_error(L, "invalid arguments");
}
- sig = rspamd_fstring_sized_new(rspamd_cryptobox_signature_bytes(
- rspamd_keypair_alg(kp)));
+ sig = rspamd_fstring_sized_new(crypto_sign_bytes());
unsigned long long siglen = sig->len;
rspamd_cryptobox_sign(sig->str, &siglen, data,
- len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), rspamd_keypair_alg(kp));
+ len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL));
sig->len = siglen;
psig = lua_newuserdata(L, sizeof(void *));
@@ -1942,13 +1847,12 @@ lua_cryptobox_sign_file(lua_State *L)
lua_pushnil(L);
}
else {
- sig = rspamd_fstring_sized_new(rspamd_cryptobox_signature_bytes(
- rspamd_keypair_alg(kp)));
+ sig = rspamd_fstring_sized_new(crypto_sign_bytes());
unsigned long long siglen = sig->len;
rspamd_cryptobox_sign(sig->str, &siglen, data,
- len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), rspamd_keypair_alg(kp));
+ len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL));
sig->len = siglen;
psig = lua_newuserdata(L, sizeof(void *));
@@ -1961,7 +1865,7 @@ lua_cryptobox_sign_file(lua_State *L)
}
/***
- * @function rspamd_cryptobox.encrypt_memory(kp, data[, nist=false])
+ * @function rspamd_cryptobox.encrypt_memory(kp, data)
* Encrypt data using specified keypair/pubkey
* @param {keypair|string} kp keypair or pubkey in base32 to use
* @param {string|text} data
@@ -1993,8 +1897,7 @@ lua_cryptobox_encrypt_memory(lua_State *L)
gsize blen;
b32 = lua_tolstring(L, 1, &blen);
- pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX,
- lua_toboolean(L, 3) ? RSPAMD_CRYPTOBOX_MODE_NIST : RSPAMD_CRYPTOBOX_MODE_25519);
+ pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX);
owned_pk = true;
}
@@ -2063,7 +1966,7 @@ err:
}
/***
- * @function rspamd_cryptobox.encrypt_file(kp|pk_string, filename[, nist=false])
+ * @function rspamd_cryptobox.encrypt_file(kp|pk_string, filename)
* Encrypt data using specified keypair/pubkey
* @param {keypair|string} kp keypair or pubkey in base32 to use
* @param {string} filename
@@ -2096,8 +1999,7 @@ lua_cryptobox_encrypt_file(lua_State *L)
gsize blen;
b32 = lua_tolstring(L, 1, &blen);
- pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX,
- lua_toboolean(L, 3) ? RSPAMD_CRYPTOBOX_MODE_NIST : RSPAMD_CRYPTOBOX_MODE_25519);
+ pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX);
own_pk = true;
}
@@ -2658,11 +2560,11 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L)
char *b64_data;
gsize b64_len;
- rspamd_cryptobox_keypair_sig(pk, sk, RSPAMD_CRYPTOBOX_MODE_25519);
+ rspamd_cryptobox_keypair_sig(pk, sk);
/* Process private key */
b64_data = rspamd_encode_base64(sk,
- rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519),
+ crypto_sign_secretkeybytes(),
-1, &b64_len);
priv_out = lua_newuserdata(L, sizeof(*priv_out));
@@ -2673,7 +2575,7 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L)
/* Process public key */
b64_data = rspamd_encode_base64(pk,
- rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519),
+ crypto_sign_publickeybytes(),
-1, &b64_len);
pub_out = lua_newuserdata(L, sizeof(*pub_out));
@@ -2691,7 +2593,7 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L)
char *b64_data;
gsize b64_len;
- rspamd_cryptobox_keypair_sig(pk, sk, RSPAMD_CRYPTOBOX_MODE_25519);
+ rspamd_cryptobox_keypair_sig(pk, sk);
/* Process private key */
b64_data = rspamd_encode_base64(sk,
@@ -2706,7 +2608,7 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L)
/* Process public key */
b64_data = rspamd_encode_base64(pk,
- rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519),
+ crypto_sign_publickeybytes(),
-1, &b64_len);
pub_out = lua_newuserdata(L, sizeof(*pub_out));
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index 2032f7dc1..8ba612c1b 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2023 Vsevolod Stakhov
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -907,8 +907,7 @@ lua_http_request(lua_State *L)
gsize inlen;
in = lua_tolstring(L, -1, &inlen);
- peer_key = rspamd_pubkey_from_base32(in, inlen,
- RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519);
+ peer_key = rspamd_pubkey_from_base32(in, inlen, RSPAMD_KEYPAIR_KEX);
}
lua_pop(L, 1);
diff --git a/src/lua/lua_map.c b/src/lua/lua_map.c
index cce78ff2c..1cc2ce1bd 100644
--- a/src/lua/lua_map.c
+++ b/src/lua/lua_map.c
@@ -1293,8 +1293,7 @@ lua_map_set_sign_key(lua_State *L)
pk_str = lua_tolstring(L, 2, &len);
if (map && pk_str) {
- pk = rspamd_pubkey_from_base32(pk_str, len, RSPAMD_KEYPAIR_SIGN,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ pk = rspamd_pubkey_from_base32(pk_str, len, RSPAMD_KEYPAIR_SIGN);
if (!pk) {
return luaL_error(L, "invalid pubkey string");
diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c
index b92177f1b..91b77c702 100644
--- a/src/plugins/fuzzy_check.c
+++ b/src/plugins/fuzzy_check.c
@@ -543,15 +543,13 @@ fuzzy_parse_rule(struct rspamd_config *cfg, const ucl_object_t *obj,
k = ucl_object_tostring(value);
if (k == NULL || (rule->peer_key =
- rspamd_pubkey_from_base32(k, 0, RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519)) == NULL) {
+ rspamd_pubkey_from_base32(k, 0, RSPAMD_KEYPAIR_KEX)) == NULL) {
msg_err_config("bad encryption key value: %s",
k);
return -1;
}
- rule->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX,
- RSPAMD_CRYPTOBOX_MODE_25519);
+ rule->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX);
}
if ((value = ucl_object_lookup(obj, "learn_condition")) != NULL) {
@@ -1334,8 +1332,7 @@ fuzzy_encrypt_cmd(struct fuzzy_rule *rule,
rule->local_key, rule->peer_key);
rspamd_cryptobox_encrypt_nm_inplace(data, datalen,
hdr->nonce, rspamd_pubkey_get_nm(rule->peer_key, rule->local_key),
- hdr->mac,
- rspamd_pubkey_alg(rule->peer_key));
+ hdr->mac);
}
static struct fuzzy_cmd_io *
@@ -2209,8 +2206,7 @@ fuzzy_process_reply(unsigned char **pos, int *r, GPtrArray *req,
sizeof(encrep.rep),
encrep.hdr.nonce,
rspamd_pubkey_get_nm(rule->peer_key, rule->local_key),
- encrep.hdr.mac,
- rspamd_pubkey_alg(rule->peer_key))) {
+ encrep.hdr.mac)) {
msg_info("cannot decrypt reply");
return NULL;
}
diff --git a/src/rspamadm/signtool.c b/src/rspamadm/signtool.c
index 612a67c83..ddc3d45df 100644
--- a/src/rspamadm/signtool.c
+++ b/src/rspamadm/signtool.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,7 +27,6 @@
#include <sys/wait.h>
#endif
-static gboolean openssl = FALSE;
static gboolean verify = FALSE;
static gboolean quiet = FALSE;
static char *suffix = NULL;
@@ -37,7 +36,6 @@ static char *pubout = NULL;
static char *keypair_file = NULL;
static char *editor = NULL;
static gboolean edit = FALSE;
-enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
static void rspamadm_signtool(int argc, char **argv,
const struct rspamadm_command *cmd);
@@ -53,8 +51,6 @@ struct rspamadm_command signtool_command = {
};
static GOptionEntry entries[] = {
- {"openssl", 'o', 0, G_OPTION_ARG_NONE, &openssl,
- "Generate openssl nistp256 keypair not curve25519 one", NULL},
{"verify", 'v', 0, G_OPTION_ARG_NONE, &verify,
"Verify signatures and not sign", NULL},
{"suffix", 'S', 0, G_OPTION_ARG_STRING, &suffix,
@@ -327,11 +323,8 @@ rspamadm_sign_file(const char *fname, struct rspamd_cryptobox_keypair *kp)
exit(EXIT_FAILURE);
}
- g_assert(rspamd_cryptobox_MAX_SIGBYTES >=
- rspamd_cryptobox_signature_bytes(mode));
-
sk = rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL);
- rspamd_cryptobox_sign(sig, NULL, map, st.st_size, sk, mode);
+ rspamd_cryptobox_sign(sig, NULL, map, st.st_size, sk);
if (edit) {
/* We also need to rename .new file */
@@ -348,7 +341,7 @@ rspamadm_sign_file(const char *fname, struct rspamd_cryptobox_keypair *kp)
rspamd_snprintf(sigpath, sizeof(sigpath), "%s%s", fname, suffix);
- if (write(fd_sig, sig, rspamd_cryptobox_signature_bytes(mode)) == -1) {
+ if (write(fd_sig, sig, crypto_sign_bytes()) == -1) {
rspamd_fprintf(stderr, "cannot write signature to %s: %s\n", sigpath,
strerror(errno));
exit(EXIT_FAILURE);
@@ -400,9 +393,6 @@ rspamadm_verify_file(const char *fname, const unsigned char *pk)
struct stat st, st_sig;
bool ret;
- g_assert(rspamd_cryptobox_MAX_SIGBYTES >=
- rspamd_cryptobox_signature_bytes(mode));
-
if (suffix == NULL) {
suffix = ".sig";
}
@@ -439,7 +429,7 @@ rspamadm_verify_file(const char *fname, const unsigned char *pk)
g_assert(fstat(fd_sig, &st_sig) != -1);
- if (st_sig.st_size != rspamd_cryptobox_signature_bytes(mode)) {
+ if (st_sig.st_size != crypto_sign_bytes()) {
close(fd_sig);
rspamd_fprintf(stderr, "invalid signature size %s: %ud\n", fname,
(unsigned int) st_sig.st_size);
@@ -458,7 +448,7 @@ rspamadm_verify_file(const char *fname, const unsigned char *pk)
}
ret = rspamd_cryptobox_verify(map_sig, st_sig.st_size,
- map, st.st_size, pk, mode);
+ map, st.st_size, pk);
munmap(map, st.st_size);
munmap(map_sig, st_sig.st_size);
@@ -503,10 +493,6 @@ rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd)
g_option_context_free(context);
- if (openssl) {
- mode = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
-
if (verify && (!pubkey && !pubkey_file)) {
rspamd_fprintf(stderr, "no pubkey for verification\n");
exit(EXIT_FAILURE);
@@ -549,14 +535,13 @@ rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd)
flen--;
}
- pk = rspamd_pubkey_from_base32(map, flen,
- RSPAMD_KEYPAIR_SIGN, mode);
+ pk = rspamd_pubkey_from_base32(map, flen, RSPAMD_KEYPAIR_SIGN);
if (pk == NULL) {
rspamd_fprintf(stderr, "bad size %s: %ud, %ud expected\n",
pubkey_file,
(unsigned int) flen,
- rspamd_cryptobox_pk_sig_bytes(mode));
+ crypto_sign_publickeybytes());
exit(EXIT_FAILURE);
}
@@ -564,13 +549,13 @@ rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd)
}
else {
pk = rspamd_pubkey_from_base32(pubkey, strlen(pubkey),
- RSPAMD_KEYPAIR_SIGN, mode);
+ RSPAMD_KEYPAIR_SIGN);
if (pk == NULL) {
rspamd_fprintf(stderr, "bad size %s: %ud, %ud expected\n",
pubkey_file,
(unsigned int) strlen(pubkey),
- rspamd_cryptobox_pk_sig_bytes(mode));
+ crypto_sign_publickeybytes());
exit(EXIT_FAILURE);
}
}
diff --git a/src/rspamd_proxy.c b/src/rspamd_proxy.c
index 6c8869e22..dbdd2e5a7 100644
--- a/src/rspamd_proxy.c
+++ b/src/rspamd_proxy.c
@@ -395,7 +395,7 @@ rspamd_proxy_parse_upstream(rspamd_mempool_t *pool,
elt = ucl_object_lookup(obj, "key");
if (elt != NULL) {
up->key = rspamd_pubkey_from_base32(ucl_object_tostring(elt), 0,
- RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519);
+ RSPAMD_KEYPAIR_KEX);
if (up->key == NULL) {
g_set_error(err, rspamd_proxy_quark(), 100,
@@ -571,7 +571,7 @@ rspamd_proxy_parse_mirror(rspamd_mempool_t *pool,
elt = ucl_object_lookup(obj, "key");
if (elt != NULL) {
up->key = rspamd_pubkey_from_base32(ucl_object_tostring(elt), 0,
- RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519);
+ RSPAMD_KEYPAIR_KEX);
if (up->key == NULL) {
g_set_error(err, rspamd_proxy_quark(), 100,
diff --git a/test/rspamd_cryptobox_test.c b/test/rspamd_cryptobox_test.c
index b32b2822b..03b833404 100644
--- a/test/rspamd_cryptobox_test.c
+++ b/test/rspamd_cryptobox_test.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,7 +24,6 @@
static const int mapping_size = 64 * 8192 + 1;
static const int max_seg = 32;
static const int random_fuzz_cnt = 10000;
-enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
static void *
create_mapping(int mapping_len, unsigned char **beg, unsigned char **end)
@@ -52,7 +51,7 @@ check_result(const rspamd_nm_t key, const rspamd_nonce_t nonce,
uint64_t *t = (uint64_t *) begin;
g_assert(rspamd_cryptobox_decrypt_nm_inplace(begin, end - begin, nonce, key,
- mac, mode));
+ mac));
while (t < (uint64_t *) end) {
g_assert(*t == 0);
@@ -174,33 +173,17 @@ void rspamd_cryptobox_test_func(void)
/* Test baseline */
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encrypt_nm_inplace(begin, end - begin, nonce, key, mac,
- mode);
+ rspamd_cryptobox_encrypt_nm_inplace(begin, end - begin, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
msg_info("baseline encryption: %.0f", t2 - t1);
- mode = RSPAMD_CRYPTOBOX_MODE_NIST;
- t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encrypt_nm_inplace(begin,
- end - begin,
- nonce,
- key,
- mac,
- mode);
- t2 = rspamd_get_ticks(TRUE);
- check_result(key, nonce, mac, begin, end);
-
- msg_info("openssl baseline encryption: %.0f", t2 - t1);
- mode = RSPAMD_CRYPTOBOX_MODE_25519;
-
-start:
/* A single chunk as vector */
seg[0].data = begin;
seg[0].len = end - begin;
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, 1, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, 1, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -213,7 +196,7 @@ start:
seg[1].data = begin + seg[0].len;
seg[1].len = (end - begin) - seg[0].len;
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -225,7 +208,7 @@ start:
seg[1].data = begin + seg[0].len;
seg[1].len = (end - begin) - seg[0].len;
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -237,7 +220,7 @@ start:
seg[1].data = begin + seg[0].len;
seg[1].len = (end - begin) - seg[0].len;
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -250,7 +233,7 @@ start:
seg[1].data = begin + seg[0].len;
seg[1].len = (end - begin) - seg[0].len;
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, 2, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -265,7 +248,7 @@ start:
seg[2].data = begin + seg[0].len + seg[1].len;
seg[2].len = (end - begin) - seg[0].len - seg[1].len;
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, 3, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, 3, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -274,7 +257,7 @@ start:
cnt = create_random_split(seg, max_seg, begin, end);
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -283,7 +266,7 @@ start:
cnt = create_realistic_split(seg, max_seg, begin, end);
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -292,7 +275,7 @@ start:
cnt = create_constrained_split(seg, max_seg + 1, 32, begin, end);
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -303,7 +286,7 @@ start:
ms = ottery_rand_range(i % max_seg * 2) + 1;
cnt = create_random_split(seg, ms, begin, end);
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -316,7 +299,7 @@ start:
ms = ottery_rand_range(i % max_seg * 2) + 1;
cnt = create_realistic_split(seg, ms, begin, end);
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -329,7 +312,7 @@ start:
ms = ottery_rand_range(i % max_seg * 10) + 1;
cnt = create_constrained_split(seg, ms, i, begin, end);
t1 = rspamd_get_ticks(TRUE);
- rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac, mode);
+ rspamd_cryptobox_encryptv_nm_inplace(seg, cnt, nonce, key, mac);
t2 = rspamd_get_ticks(TRUE);
check_result(key, nonce, mac, begin, end);
@@ -338,10 +321,4 @@ start:
msg_info("constrained fuzz iterations: %d", i);
}
}
-
- if (!checked_openssl) {
- checked_openssl = TRUE;
- mode = RSPAMD_CRYPTOBOX_MODE_NIST;
- goto start;
- }
}
diff --git a/test/rspamd_cxx_unit_cryptobox.hxx b/test/rspamd_cxx_unit_cryptobox.hxx
index cfa95dc61..3f3cab697 100644
--- a/test/rspamd_cxx_unit_cryptobox.hxx
+++ b/test/rspamd_cxx_unit_cryptobox.hxx
@@ -26,20 +26,18 @@ TEST_SUITE("rspamd_cryptobox")
TEST_CASE("rspamd_cryptobox_keypair")
{
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_NIST;
rspamd_sk_t sk;
rspamd_pk_t pk;
- rspamd_cryptobox_keypair(pk, sk, mode);
+ rspamd_cryptobox_keypair(pk, sk);
}
TEST_CASE("rspamd_cryptobox_keypair_sig")
{
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_NIST;
rspamd_sig_sk_t sk;
rspamd_sig_pk_t pk;
- rspamd_cryptobox_keypair_sig(pk, sk, mode);
+ rspamd_cryptobox_keypair_sig(pk, sk);
}
TEST_CASE("rspamd_cryptobox_hash")
@@ -124,73 +122,33 @@ TEST_SUITE("rspamd_cryptobox")
rspamd_pk_t pk;
rspamd_sk_t sk;
rspamd_mac_t sig;
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
ottery_rand_bytes(nonce, sizeof(nonce));
- rspamd_cryptobox_keypair(pk, sk, mode);
+ rspamd_cryptobox_keypair(pk, sk);
memset(sig, 0, sizeof(sig));
- rspamd_cryptobox_encrypt_inplace(data, len, nonce, pk, sk, sig, mode);
+ rspamd_cryptobox_encrypt_inplace(data, len, nonce, pk, sk, sig);
- CHECK(rspamd_cryptobox_decrypt_inplace(data, len, nonce, pk, sk, sig, mode));
- }
-
- TEST_CASE("rspamd_cryptobox_encrypt_inplace_p256")
- {
- unsigned char data[256];
- gsize len = sizeof(data);
- rspamd_nonce_t nonce;
- rspamd_pk_t pk;
- rspamd_sk_t sk;
- rspamd_mac_t sig;
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_NIST;
-
- ottery_rand_bytes(nonce, sizeof(nonce));
-
- rspamd_cryptobox_keypair(pk, sk, mode);
-
- memset(sig, 0, sizeof(sig));
-
- rspamd_cryptobox_encrypt_inplace(data, len, nonce, pk, sk, sig, mode);
-
- CHECK(rspamd_cryptobox_decrypt_inplace(data, len, nonce, pk, sk, sig, mode));
+ CHECK(rspamd_cryptobox_decrypt_inplace(data, len, nonce, pk, sk, sig));
}
TEST_CASE("rspamd_cryptobox_sign_25519")
{
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;
- rspamd_sig_sk_t sk;
- rspamd_sig_pk_t pk;
- unsigned char sig[256];
- unsigned long long siglen;
- std::string m{"data to be signed"};
-
- rspamd_cryptobox_keypair_sig(pk, sk, mode);
-
- rspamd_cryptobox_sign(sig, &siglen,
- reinterpret_cast<const unsigned char *>(m.data()), m.size(), sk, mode);
- bool check_result = rspamd_cryptobox_verify(sig, siglen,
- reinterpret_cast<const unsigned char *>(m.data()), m.size(), pk, mode);
- CHECK(check_result == true);
- }
-
- TEST_CASE("rspamd_cryptobox_sign_nist")
- {
- enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_NIST;
rspamd_sig_sk_t sk;
rspamd_sig_pk_t pk;
unsigned char sig[256];
unsigned long long siglen;
std::string m{"data to be signed"};
- rspamd_cryptobox_keypair_sig(pk, sk, mode);
+ rspamd_cryptobox_keypair_sig(pk, sk);
rspamd_cryptobox_sign(sig, &siglen,
- reinterpret_cast<const unsigned char *>(m.data()), m.size(), sk, mode);
+ reinterpret_cast<const unsigned char *>(m.data()), m.size(), sk);
bool check_result = rspamd_cryptobox_verify(sig, siglen,
- reinterpret_cast<const unsigned char *>(m.data()), m.size(), pk, mode);
+ reinterpret_cast<const unsigned char *>(m.data()), m.size(),
+ pk);
CHECK(check_result == true);
}
}