diff options
| author | LeftTry <lerest.go@gmail.com> | 2024-07-27 14:25:54 +0500 |
|---|---|---|
| committer | LeftTry <lerest.go@gmail.com> | 2024-07-27 14:25:54 +0500 |
| commit | d31243ddf014c95543d5d05e1fc85d2cd07dc381 (patch) | |
| tree | d096a1163e3e915f1b150eddc76cbf8f00ef1160 /src/libserver | |
| parent | 7d6622aeaa07b530e4777a202a086ac3a7be1b7d (diff) | |
| download | rspamd-d31243ddf014c95543d5d05e1fc85d2cd07dc381.tar.gz rspamd-d31243ddf014c95543d5d05e1fc85d2cd07dc381.zip | |
[Feature] Add support for OpenSSL 3.0 for DKIM
Diffstat (limited to 'src/libserver')
| -rw-r--r-- | src/libserver/dkim.c | 70 |
1 files changed, 60 insertions, 10 deletions
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c index 3d974c0c4..3dcaef246 100644 --- a/src/libserver/dkim.c +++ b/src/libserver/dkim.c @@ -25,6 +25,7 @@ #include <openssl/evp.h> #include <openssl/rsa.h> #include <openssl/engine.h> +#include <openssl/param_build.h> /* special DNS tokens */ #define DKIM_DNSKEYNAME "_domainkey" @@ -155,8 +156,8 @@ struct rspamd_dkim_key_s { gsize decoded_len; char key_id[RSPAMD_DKIM_KEY_ID_LEN]; union { - RSA *key_rsa; - EC_KEY *key_ecdsa; + //RSA *key_rsa; + //EC_KEY *key_ecdsa; unsigned char *key_eddsa; } key; BIO *key_bio; @@ -1492,6 +1493,8 @@ void rspamd_dkim_key_free(rspamd_dkim_key_t *key) RSA_free(key->key.key_rsa); } } +#endif +#if OPENSSL_VERSION_MAJOR < 3 else if (key->type == RSPAMD_DKIM_KEY_ECDSA) { if (key->key.key_ecdsa) { EC_KEY_free(key->key.key_ecdsa); @@ -2921,7 +2924,6 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx, /* Not reached */ nid = NID_sha1; } - switch (key->type) { case RSPAMD_DKIM_KEY_RSA: #if OPENSSL_VERSION_MAJOR < 3 @@ -2942,9 +2944,18 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx, RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key), ctx->dkim_header); } + msg_info_dkim( + "%s: headers RSA verification failure; " + "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s", + rspamd_dkim_type_to_string(ctx->common.type), + (int) (body_end - body_start), ctx->common.body_canonicalised, + ctx->common.headers_canonicalised, + ctx->domain, ctx->selector, + RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key), + ctx->dkim_header); #else - if (rspamd_cryptobox_verify_compat(nid, ctx->b, ctx->blen, raw_digest, dlen, - key->key_evp, RSPAMD_CRYPTOBOX_MODE_NIST) != 1) { + if (!rspamd_cryptobox_verify_compat(nid, ctx->b, ctx->blen, raw_digest, dlen, + key->key_evp, 1, RSPAMD_CRYPTOBOX_MODE_NIST)){ msg_debug_dkim("headers rsa verify failed"); ERR_clear_error(); res->rcode = DKIM_REJECT; @@ -2982,7 +2993,7 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx, } #else if (rspamd_cryptobox_verify_compat(nid, ctx->b, ctx->blen, raw_digest, dlen, - key->key_evp, RSPAMD_CRYPTOBOX_MODE_NIST) != 1) { + key->key_evp, 0, RSPAMD_CRYPTOBOX_MODE_NIST) != 1) { msg_info_dkim( "%s: headers ECDSA verification failure; " "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s", @@ -3318,7 +3329,7 @@ rspamd_create_dkim_sign_context(struct rspamd_task *task, return NULL; } - +#if OPENSSL_VERSION_MAJOR < 3 if (!priv_key || (!priv_key->key.key_rsa && !priv_key->key.key_eddsa)) { g_set_error(err, DKIM_ERROR, @@ -3327,6 +3338,17 @@ rspamd_create_dkim_sign_context(struct rspamd_task *task, return NULL; } +#else + + if (!priv_key) { + g_set_error(err, + DKIM_ERROR, + DKIM_SIGERROR_KEYFAIL, + "bad key to sign"); + + return NULL; + } +#endif nctx = rspamd_mempool_alloc0(task->task_pool, sizeof(*nctx)); nctx->common.pool = task->task_pool; @@ -3603,9 +3625,37 @@ rspamd_dkim_sign(struct rspamd_task *task, const char *selector, #else sig_len = EVP_PKEY_get_size(ctx->key->key_evp); sig_buf = g_alloca(sig_len); - rspamd_cryptobox_sign_compat(NID_sha256, sig_buf, NULL, raw_digest, dlen, - ctx->key->key_evp, RSPAMD_CRYPTOBOX_MODE_NIST); - msg_debug("signed RSA"); + + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(ctx->key->key_evp, NULL); + if (EVP_PKEY_sign_init(pctx) <= 0) { + g_string_free(hdr, TRUE); + msg_err_task("rsa sign error: %s", + ERR_error_string(ERR_get_error(), NULL)); + + return NULL; + } + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) <= 0) { + g_string_free(hdr, TRUE); + msg_err_task("rsa sign error: %s", + ERR_error_string(ERR_get_error(), NULL)); + + return NULL; + } + if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) <= 0) { + g_string_free(hdr, TRUE); + msg_err_task("rsa sign error: %s", + ERR_error_string(ERR_get_error(), NULL)); + + return NULL; + } + size_t sig_len_size_t = sig_len; + if (EVP_PKEY_sign(pctx, sig_buf, &sig_len_size_t, raw_digest, dlen) <= 0) { + g_string_free(hdr, TRUE); + msg_err_task("rsa sign error: %s", + ERR_error_string(ERR_get_error(), NULL)); + + return NULL; + } #endif } else if (ctx->key->type == RSPAMD_DKIM_KEY_EDDSA) { |