diff options
| author | Vsevolod Stakhov <vsevolod@rspamd.com> | 2024-08-09 11:12:23 +0100 |
|---|---|---|
| committer | Vsevolod Stakhov <vsevolod@rspamd.com> | 2024-08-09 11:12:23 +0100 |
| commit | 12c12bdf0c00438d0cb37d02dae5a34f41066865 (patch) | |
| tree | d186aac0d2a8557fc191939339ed141e8d84c334 /src | |
| parent | 96cd1f0968158e5b3d0460cf364138d22f3d22e3 (diff) | |
| download | rspamd-12c12bdf0c00438d0cb37d02dae5a34f41066865.tar.gz rspamd-12c12bdf0c00438d0cb37d02dae5a34f41066865.zip | |
[Project] Remove NIST mode from everywhere
Diffstat (limited to 'src')
| -rw-r--r-- | src/client/rspamdclient.c | 6 | ||||
| -rw-r--r-- | src/fuzzy_storage.c | 13 | ||||
| -rw-r--r-- | src/libcryptobox/keypair.c | 265 | ||||
| -rw-r--r-- | src/libcryptobox/keypair.h | 31 | ||||
| -rw-r--r-- | src/libcryptobox/keypair_private.h | 46 | ||||
| -rw-r--r-- | src/libcryptobox/keypairs_cache.c | 27 | ||||
| -rw-r--r-- | src/libserver/cfg_rcl.cxx | 7 | ||||
| -rw-r--r-- | src/libserver/cfg_rcl.h | 3 | ||||
| -rw-r--r-- | src/libserver/dkim.c | 23 | ||||
| -rw-r--r-- | src/libserver/http/http_connection.c | 331 | ||||
| -rw-r--r-- | src/libserver/http/http_context.c | 3 | ||||
| -rw-r--r-- | src/libserver/logger/logger.c | 20 | ||||
| -rw-r--r-- | src/libserver/maps/map.c | 13 | ||||
| -rw-r--r-- | src/lua/lua_cryptobox.c | 154 | ||||
| -rw-r--r-- | src/lua/lua_http.c | 5 | ||||
| -rw-r--r-- | src/lua/lua_map.c | 3 | ||||
| -rw-r--r-- | src/plugins/fuzzy_check.c | 12 | ||||
| -rw-r--r-- | src/rspamadm/signtool.c | 37 | ||||
| -rw-r--r-- | src/rspamd_proxy.c | 4 |
19 files changed, 333 insertions, 670 deletions
diff --git a/src/client/rspamdclient.c b/src/client/rspamdclient.c index 2b8d0e9bb..bcb3cf67c 100644 --- a/src/client/rspamdclient.c +++ b/src/client/rspamdclient.c @@ -302,12 +302,10 @@ rspamd_client_init(struct rspamd_http_context *http_ctx, conn->timeout = timeout; if (key) { - conn->key = rspamd_pubkey_from_base32(key, 0, RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + conn->key = rspamd_pubkey_from_base32(key, 0, RSPAMD_KEYPAIR_KEX); if (conn->key) { - conn->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + conn->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX); rspamd_http_connection_set_key(conn->http_conn, conn->keypair); } else { diff --git a/src/fuzzy_storage.c b/src/fuzzy_storage.c index 445289511..5fd3303dc 100644 --- a/src/fuzzy_storage.c +++ b/src/fuzzy_storage.c @@ -1088,8 +1088,7 @@ rspamd_fuzzy_make_reply(struct rspamd_fuzzy_cmd *cmd, len, session->reply.hdr.nonce, session->nm, - session->reply.hdr.mac, - RSPAMD_CRYPTOBOX_MODE_25519); + session->reply.hdr.mac); } else if (default_disabled) { /* Hash is from a forbidden flag by default, and there is no encryption override */ @@ -1668,8 +1667,7 @@ rspamd_fuzzy_decrypt_command(struct fuzzy_session *s, unsigned char *buf, gsize } /* Now process the remote pubkey */ - rk = rspamd_pubkey_from_bin(hdr.pubkey, sizeof(hdr.pubkey), - RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519); + rk = rspamd_pubkey_from_bin(hdr.pubkey, sizeof(hdr.pubkey), RSPAMD_KEYPAIR_KEX); if (rk == NULL) { msg_err("bad key; ip=%s", @@ -1683,7 +1681,7 @@ rspamd_fuzzy_decrypt_command(struct fuzzy_session *s, unsigned char *buf, gsize /* Now decrypt request */ if (!rspamd_cryptobox_decrypt_nm_inplace(buf, buflen, hdr.nonce, rspamd_pubkey_get_nm(rk, key->key), - hdr.mac, RSPAMD_CRYPTOBOX_MODE_25519)) { + hdr.mac)) { msg_err("decryption failed; ip=%s", rspamd_inet_address_to_string(s->addr)); rspamd_pubkey_unref(rk); @@ -2771,8 +2769,7 @@ fuzzy_add_keypair_from_ucl(const ucl_object_t *obj, khash_t(rspamd_fuzzy_keys_ha return NULL; } - if (rspamd_keypair_alg(kp) != RSPAMD_CRYPTOBOX_MODE_25519 || - rspamd_keypair_type(kp) != RSPAMD_KEYPAIR_KEX) { + if (rspamd_keypair_type(kp) != RSPAMD_KEYPAIR_KEX) { return FALSE; } @@ -2837,7 +2834,7 @@ fuzzy_add_keypair_from_ucl(const ucl_object_t *obj, khash_t(rspamd_fuzzy_keys_ha } } - msg_debug("loaded keypair %*bs", rspamd_cryptobox_pk_bytes(RSPAMD_CRYPTOBOX_MODE_25519), pk); + msg_debug("loaded keypair %*bs", crypto_box_publickeybytes(), pk); return key; } diff --git a/src/libcryptobox/keypair.c b/src/libcryptobox/keypair.c index 02070bb46..f6f932957 100644 --- a/src/libcryptobox/keypair.c +++ b/src/libcryptobox/keypair.c @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -38,29 +38,14 @@ rspamd_cryptobox_keypair_sk(struct rspamd_cryptobox_keypair *kp, { g_assert(kp != NULL); - if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) { - if (kp->type == RSPAMD_KEYPAIR_KEX) { - *len = 32; - return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->sk; - } - else { - *len = 64; - return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->sk; - } + if (kp->type == RSPAMD_KEYPAIR_KEX) { + *len = 32; + return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->sk; } else { - if (kp->type == RSPAMD_KEYPAIR_KEX) { - *len = 32; - return RSPAMD_CRYPTOBOX_KEYPAIR_NIST(kp)->sk; - } - else { - *len = 32; - return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_NIST(kp)->sk; - } + *len = 64; + return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->sk; } - - /* Not reached */ - return NULL; } static void * @@ -69,29 +54,14 @@ rspamd_cryptobox_keypair_pk(struct rspamd_cryptobox_keypair *kp, { g_assert(kp != NULL); - if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) { - if (kp->type == RSPAMD_KEYPAIR_KEX) { - *len = 32; - return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->pk; - } - else { - *len = 32; - return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->pk; - } + if (kp->type == RSPAMD_KEYPAIR_KEX) { + *len = 32; + return RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp)->pk; } else { - if (kp->type == RSPAMD_KEYPAIR_KEX) { - *len = 65; - return RSPAMD_CRYPTOBOX_KEYPAIR_NIST(kp)->pk; - } - else { - *len = 65; - return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_NIST(kp)->pk; - } + *len = 32; + return RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(kp)->pk; } - - /* Not reached */ - return NULL; } static void * @@ -100,53 +70,27 @@ rspamd_cryptobox_pubkey_pk(const struct rspamd_cryptobox_pubkey *kp, { g_assert(kp != NULL); - if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) { - if (kp->type == RSPAMD_KEYPAIR_KEX) { - *len = 32; - return RSPAMD_CRYPTOBOX_PUBKEY_25519(kp)->pk; - } - else { - *len = 32; - return RSPAMD_CRYPTOBOX_PUBKEY_SIG_25519(kp)->pk; - } + if (kp->type == RSPAMD_KEYPAIR_KEX) { + *len = 32; + return RSPAMD_CRYPTOBOX_PUBKEY_25519(kp)->pk; } else { - if (kp->type == RSPAMD_KEYPAIR_KEX) { - *len = 65; - return RSPAMD_CRYPTOBOX_PUBKEY_NIST(kp)->pk; - } - else { - *len = 65; - return RSPAMD_CRYPTOBOX_PUBKEY_SIG_NIST(kp)->pk; - } + *len = 32; + return RSPAMD_CRYPTOBOX_PUBKEY_SIG_25519(kp)->pk; } - - /* Not reached */ - return NULL; } static struct rspamd_cryptobox_keypair * -rspamd_cryptobox_keypair_alloc(enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg) +rspamd_cryptobox_keypair_alloc(enum rspamd_cryptobox_keypair_type type) { struct rspamd_cryptobox_keypair *kp; unsigned int size = 0; - if (alg == RSPAMD_CRYPTOBOX_MODE_25519) { - if (type == RSPAMD_KEYPAIR_KEX) { - size = sizeof(struct rspamd_cryptobox_keypair_25519); - } - else { - size = sizeof(struct rspamd_cryptobox_keypair_sig_25519); - } + if (type == RSPAMD_KEYPAIR_KEX) { + size = sizeof(struct rspamd_cryptobox_keypair_25519); } else { - if (type == RSPAMD_KEYPAIR_KEX) { - size = sizeof(struct rspamd_cryptobox_keypair_nist); - } - else { - size = sizeof(struct rspamd_cryptobox_keypair_sig_nist); - } + size = sizeof(struct rspamd_cryptobox_keypair_sig_25519); } g_assert(size >= sizeof(*kp)); @@ -161,27 +105,17 @@ rspamd_cryptobox_keypair_alloc(enum rspamd_cryptobox_keypair_type type, } static struct rspamd_cryptobox_pubkey * -rspamd_cryptobox_pubkey_alloc(enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg) +rspamd_cryptobox_pubkey_alloc(enum rspamd_cryptobox_keypair_type type) { struct rspamd_cryptobox_pubkey *pk; unsigned int size = 0; - if (alg == RSPAMD_CRYPTOBOX_MODE_25519) { - if (type == RSPAMD_KEYPAIR_KEX) { - size = sizeof(struct rspamd_cryptobox_pubkey_25519); - } - else { - size = sizeof(struct rspamd_cryptobox_pubkey_sig_25519); - } + + if (type == RSPAMD_KEYPAIR_KEX) { + size = sizeof(struct rspamd_cryptobox_pubkey_25519); } else { - if (type == RSPAMD_KEYPAIR_KEX) { - size = sizeof(struct rspamd_cryptobox_pubkey_nist); - } - else { - size = sizeof(struct rspamd_cryptobox_pubkey_sig_nist); - } + size = sizeof(struct rspamd_cryptobox_pubkey_sig_25519); } g_assert(size >= sizeof(*pk)); @@ -230,25 +164,23 @@ void rspamd_cryptobox_pubkey_dtor(struct rspamd_cryptobox_pubkey *p) } struct rspamd_cryptobox_keypair * -rspamd_keypair_new(enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg) +rspamd_keypair_new(enum rspamd_cryptobox_keypair_type type) { struct rspamd_cryptobox_keypair *kp; void *pk, *sk; unsigned int size; - kp = rspamd_cryptobox_keypair_alloc(type, alg); - kp->alg = alg; + kp = rspamd_cryptobox_keypair_alloc(type); kp->type = type; sk = rspamd_cryptobox_keypair_sk(kp, &size); pk = rspamd_cryptobox_keypair_pk(kp, &size); if (type == RSPAMD_KEYPAIR_KEX) { - rspamd_cryptobox_keypair(pk, sk, alg); + rspamd_cryptobox_keypair(pk, sk); } else { - rspamd_cryptobox_keypair_sig(pk, sk, alg); + rspamd_cryptobox_keypair_sig(pk, sk); } rspamd_cryptobox_hash(kp->id, pk, size, NULL, 0); @@ -302,27 +234,10 @@ rspamd_pubkey_type(struct rspamd_cryptobox_pubkey *p) } -enum rspamd_cryptobox_mode -rspamd_keypair_alg(struct rspamd_cryptobox_keypair *kp) -{ - g_assert(kp != NULL); - - return kp->alg; -} - -enum rspamd_cryptobox_mode -rspamd_pubkey_alg(struct rspamd_cryptobox_pubkey *p) -{ - g_assert(p != NULL); - - return p->alg; -} - struct rspamd_cryptobox_pubkey * rspamd_pubkey_from_base32(const char *b32, gsize len, - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg) + enum rspamd_cryptobox_keypair_type type) { unsigned char *decoded; gsize dlen, expected_len; @@ -342,16 +257,15 @@ rspamd_pubkey_from_base32(const char *b32, return NULL; } - expected_len = (type == RSPAMD_KEYPAIR_KEX) ? rspamd_cryptobox_pk_bytes(alg) : rspamd_cryptobox_pk_sig_bytes(alg); + expected_len = (type == RSPAMD_KEYPAIR_KEX) ? crypto_box_PUBLICKEYBYTES : crypto_sign_PUBLICKEYBYTES; if (dlen != expected_len) { g_free(decoded); return NULL; } - pk = rspamd_cryptobox_pubkey_alloc(type, alg); + pk = rspamd_cryptobox_pubkey_alloc(type); REF_INIT_RETAIN(pk, rspamd_cryptobox_pubkey_dtor); - pk->alg = alg; pk->type = type; pk_data = rspamd_cryptobox_pubkey_pk(pk, &pklen); @@ -365,8 +279,7 @@ rspamd_pubkey_from_base32(const char *b32, struct rspamd_cryptobox_pubkey * rspamd_pubkey_from_hex(const char *hex, gsize len, - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg) + enum rspamd_cryptobox_keypair_type type) { unsigned char *decoded; gsize dlen, expected_len; @@ -388,16 +301,15 @@ rspamd_pubkey_from_hex(const char *hex, return NULL; } - expected_len = (type == RSPAMD_KEYPAIR_KEX) ? rspamd_cryptobox_pk_bytes(alg) : rspamd_cryptobox_pk_sig_bytes(alg); + expected_len = (type == RSPAMD_KEYPAIR_KEX) ? crypto_box_PUBLICKEYBYTES : crypto_sign_PUBLICKEYBYTES; if (dlen != expected_len) { g_free(decoded); return NULL; } - pk = rspamd_cryptobox_pubkey_alloc(type, alg); + pk = rspamd_cryptobox_pubkey_alloc(type); REF_INIT_RETAIN(pk, rspamd_cryptobox_pubkey_dtor); - pk->alg = alg; pk->type = type; pk_data = rspamd_cryptobox_pubkey_pk(pk, &pklen); @@ -411,8 +323,7 @@ rspamd_pubkey_from_hex(const char *hex, struct rspamd_cryptobox_pubkey * rspamd_pubkey_from_bin(const unsigned char *raw, gsize len, - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg) + enum rspamd_cryptobox_keypair_type type) { gsize expected_len; unsigned int pklen; @@ -421,15 +332,14 @@ rspamd_pubkey_from_bin(const unsigned char *raw, g_assert(raw != NULL && len > 0); - expected_len = (type == RSPAMD_KEYPAIR_KEX) ? rspamd_cryptobox_pk_bytes(alg) : rspamd_cryptobox_pk_sig_bytes(alg); + (type == RSPAMD_KEYPAIR_KEX) ? crypto_box_PUBLICKEYBYTES : crypto_sign_PUBLICKEYBYTES; if (len != expected_len) { return NULL; } - pk = rspamd_cryptobox_pubkey_alloc(type, alg); + pk = rspamd_cryptobox_pubkey_alloc(type); REF_INIT_RETAIN(pk, rspamd_cryptobox_pubkey_dtor); - pk->alg = alg; pk->type = type; pk_data = rspamd_cryptobox_pubkey_pk(pk, &pklen); @@ -463,7 +373,6 @@ const unsigned char * rspamd_pubkey_calculate_nm(struct rspamd_cryptobox_pubkey *p, struct rspamd_cryptobox_keypair *kp) { - g_assert(kp->alg == p->alg); g_assert(kp->type == p->type); g_assert(p->type == RSPAMD_KEYPAIR_KEX); @@ -476,22 +385,12 @@ rspamd_pubkey_calculate_nm(struct rspamd_cryptobox_pubkey *p, REF_INIT_RETAIN(p->nm, rspamd_cryptobox_nm_dtor); } - if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) { - struct rspamd_cryptobox_pubkey_25519 *rk_25519 = - RSPAMD_CRYPTOBOX_PUBKEY_25519(p); - struct rspamd_cryptobox_keypair_25519 *sk_25519 = - RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp); + struct rspamd_cryptobox_pubkey_25519 *rk_25519 = + RSPAMD_CRYPTOBOX_PUBKEY_25519(p); + struct rspamd_cryptobox_keypair_25519 *sk_25519 = + RSPAMD_CRYPTOBOX_KEYPAIR_25519(kp); - rspamd_cryptobox_nm(p->nm->nm, rk_25519->pk, sk_25519->sk, p->alg); - } - else { - struct rspamd_cryptobox_pubkey_nist *rk_nist = - RSPAMD_CRYPTOBOX_PUBKEY_NIST(p); - struct rspamd_cryptobox_keypair_nist *sk_nist = - RSPAMD_CRYPTOBOX_KEYPAIR_NIST(kp); - - rspamd_cryptobox_nm(p->nm->nm, rk_nist->pk, sk_nist->sk, p->alg); - } + rspamd_cryptobox_nm(p->nm->nm, rk_25519->pk, sk_25519->sk); return p->nm->nm; } @@ -662,7 +561,6 @@ rspamd_keypair_from_ucl(const ucl_object_t *obj) const ucl_object_t *privkey, *pubkey, *elt; const char *str; enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX; - enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519; gboolean is_hex = FALSE; struct rspamd_cryptobox_keypair *kp; unsigned int len; @@ -705,19 +603,6 @@ rspamd_keypair_from_ucl(const ucl_object_t *obj) /* TODO: handle errors */ } - elt = ucl_object_lookup(obj, "algorithm"); - if (elt && ucl_object_type(elt) == UCL_STRING) { - str = ucl_object_tostring(elt); - - if (g_ascii_strcasecmp(str, "curve25519") == 0) { - mode = RSPAMD_CRYPTOBOX_MODE_25519; - } - else if (g_ascii_strcasecmp(str, "nistp256") == 0) { - mode = RSPAMD_CRYPTOBOX_MODE_NIST; - } - /* TODO: handle errors */ - } - elt = ucl_object_lookup(obj, "encoding"); if (elt && ucl_object_type(elt) == UCL_STRING) { str = ucl_object_tostring(elt); @@ -728,9 +613,8 @@ rspamd_keypair_from_ucl(const ucl_object_t *obj) /* TODO: handle errors */ } - kp = rspamd_cryptobox_keypair_alloc(type, mode); + kp = rspamd_cryptobox_keypair_alloc(type); kp->type = type; - kp->alg = mode; REF_INIT_RETAIN(kp, rspamd_cryptobox_keypair_dtor); g_assert(kp != NULL); @@ -838,8 +722,7 @@ rspamd_keypair_to_ucl(struct rspamd_cryptobox_keypair *kp, "encoding", 0, false); ucl_object_insert_key(elt, - ucl_object_fromstring( - kp->alg == RSPAMD_CRYPTOBOX_MODE_NIST ? "nistp256" : "curve25519"), + ucl_object_fromstring("curve25519"), "algorithm", 0, false); ucl_object_insert_key(elt, @@ -873,9 +756,9 @@ rspamd_keypair_decrypt(struct rspamd_cryptobox_keypair *kp, return FALSE; } - if (inlen < sizeof(encrypted_magic) + rspamd_cryptobox_pk_bytes(kp->alg) + - rspamd_cryptobox_mac_bytes(kp->alg) + - rspamd_cryptobox_nonce_bytes(kp->alg)) { + if (inlen < sizeof(encrypted_magic) + crypto_box_publickeybytes() + + crypto_box_macbytes() + + crypto_box_noncebytes()) { g_set_error(err, rspamd_keypair_quark(), E2BIG, "invalid size: too small"); return FALSE; @@ -890,9 +773,9 @@ rspamd_keypair_decrypt(struct rspamd_cryptobox_keypair *kp, /* Set pointers */ pubkey = in + sizeof(encrypted_magic); - mac = pubkey + rspamd_cryptobox_pk_bytes(kp->alg); - nonce = mac + rspamd_cryptobox_mac_bytes(kp->alg); - data = nonce + rspamd_cryptobox_nonce_bytes(kp->alg); + mac = pubkey + crypto_box_publickeybytes(); + nonce = mac + crypto_box_macbytes(); + data = nonce + crypto_box_noncebytes(); if (data - in >= inlen) { g_set_error(err, rspamd_keypair_quark(), E2BIG, "invalid size: too small"); @@ -908,7 +791,7 @@ rspamd_keypair_decrypt(struct rspamd_cryptobox_keypair *kp, if (!rspamd_cryptobox_decrypt_inplace(*out, inlen, nonce, pubkey, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), - mac, kp->alg)) { + mac)) { g_set_error(err, rspamd_keypair_quark(), EPERM, "verification failed"); g_free(*out); @@ -942,26 +825,26 @@ rspamd_keypair_encrypt(struct rspamd_cryptobox_keypair *kp, return FALSE; } - local = rspamd_keypair_new(kp->type, kp->alg); + local = rspamd_keypair_new(kp->type); olen = inlen + sizeof(encrypted_magic) + - rspamd_cryptobox_pk_bytes(kp->alg) + - rspamd_cryptobox_mac_bytes(kp->alg) + - rspamd_cryptobox_nonce_bytes(kp->alg); + crypto_box_publickeybytes() + + crypto_box_macbytes() + + crypto_box_noncebytes(); *out = g_malloc(olen); memcpy(*out, encrypted_magic, sizeof(encrypted_magic)); pubkey = *out + sizeof(encrypted_magic); - mac = pubkey + rspamd_cryptobox_pk_bytes(kp->alg); - nonce = mac + rspamd_cryptobox_mac_bytes(kp->alg); - data = nonce + rspamd_cryptobox_nonce_bytes(kp->alg); + mac = pubkey + crypto_box_publickeybytes(); + nonce = mac + crypto_box_macbytes(); + data = nonce + crypto_box_noncebytes(); - ottery_rand_bytes(nonce, rspamd_cryptobox_nonce_bytes(kp->alg)); + ottery_rand_bytes(nonce, crypto_box_noncebytes()); memcpy(data, in, inlen); memcpy(pubkey, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_PK, NULL), - rspamd_cryptobox_pk_bytes(kp->alg)); + crypto_box_publickeybytes()); rspamd_cryptobox_encrypt_inplace(data, inlen, nonce, pubkey, rspamd_keypair_component(local, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), - mac, kp->alg); + mac); rspamd_keypair_unref(local); if (outlen) { @@ -991,26 +874,26 @@ rspamd_pubkey_encrypt(struct rspamd_cryptobox_pubkey *pk, return FALSE; } - local = rspamd_keypair_new(pk->type, pk->alg); + local = rspamd_keypair_new(pk->type); olen = inlen + sizeof(encrypted_magic) + - rspamd_cryptobox_pk_bytes(pk->alg) + - rspamd_cryptobox_mac_bytes(pk->alg) + - rspamd_cryptobox_nonce_bytes(pk->alg); + crypto_box_publickeybytes() + + crypto_box_macbytes() + + crypto_box_noncebytes(); *out = g_malloc(olen); memcpy(*out, encrypted_magic, sizeof(encrypted_magic)); pubkey = *out + sizeof(encrypted_magic); - mac = pubkey + rspamd_cryptobox_pk_bytes(pk->alg); - nonce = mac + rspamd_cryptobox_mac_bytes(pk->alg); - data = nonce + rspamd_cryptobox_nonce_bytes(pk->alg); + mac = pubkey + crypto_box_publickeybytes(); + nonce = mac + crypto_box_macbytes(); + data = nonce + crypto_box_noncebytes(); - ottery_rand_bytes(nonce, rspamd_cryptobox_nonce_bytes(pk->alg)); + ottery_rand_bytes(nonce, crypto_box_noncebytes()); memcpy(data, in, inlen); memcpy(pubkey, rspamd_pubkey_get_pk(pk, NULL), - rspamd_cryptobox_pk_bytes(pk->alg)); + crypto_box_publickeybytes()); rspamd_cryptobox_encrypt_inplace(data, inlen, nonce, pubkey, rspamd_keypair_component(local, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), - mac, pk->alg); + mac); rspamd_keypair_unref(local); if (outlen) { diff --git a/src/libcryptobox/keypair.h b/src/libcryptobox/keypair.h index 849246255..97b46cbf5 100644 --- a/src/libcryptobox/keypair.h +++ b/src/libcryptobox/keypair.h @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -50,8 +50,7 @@ struct rspamd_cryptobox_pubkey; * @return fresh keypair generated */ struct rspamd_cryptobox_keypair *rspamd_keypair_new( - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg); + enum rspamd_cryptobox_keypair_type type); /** * Increase refcount for the specific keypair @@ -84,8 +83,7 @@ struct rspamd_cryptobox_pubkey *rspamd_pubkey_ref( */ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_base32(const char *b32, gsize len, - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg); + enum rspamd_cryptobox_keypair_type type); /** * Load pubkey from hex string @@ -96,8 +94,7 @@ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_base32(const char *b32, */ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_hex(const char *hex, gsize len, - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg); + enum rspamd_cryptobox_keypair_type type); /** * Load pubkey from raw chunk string @@ -108,8 +105,7 @@ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_hex(const char *hex, */ struct rspamd_cryptobox_pubkey *rspamd_pubkey_from_bin(const unsigned char *raw, gsize len, - enum rspamd_cryptobox_keypair_type type, - enum rspamd_cryptobox_mode alg); + enum rspamd_cryptobox_keypair_type type); /** @@ -127,18 +123,7 @@ enum rspamd_cryptobox_keypair_type rspamd_keypair_type( /** * Get type of pubkey */ -enum rspamd_cryptobox_keypair_type rspamd_pubkey_type( - struct rspamd_cryptobox_pubkey *p); - -/** - * Get algorithm of keypair - */ -enum rspamd_cryptobox_mode rspamd_keypair_alg(struct rspamd_cryptobox_keypair *kp); - -/** - * Get algorithm of pubkey - */ -enum rspamd_cryptobox_mode rspamd_pubkey_alg(struct rspamd_cryptobox_pubkey *p); +enum rspamd_cryptobox_keypair_type rspamd_pubkey_type(struct rspamd_cryptobox_pubkey *p); /** * Get cached NM for this specific pubkey diff --git a/src/libcryptobox/keypair_private.h b/src/libcryptobox/keypair_private.h index 793231701..2e372777c 100644 --- a/src/libcryptobox/keypair_private.h +++ b/src/libcryptobox/keypair_private.h @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -38,22 +38,11 @@ struct rspamd_cryptobox_nm { struct rspamd_cryptobox_keypair { unsigned char id[rspamd_cryptobox_HASHBYTES]; enum rspamd_cryptobox_keypair_type type; - enum rspamd_cryptobox_mode alg; ucl_object_t *extensions; ref_entry_t ref; }; /* - * NIST p256 ecdh keypair - */ -#define RSPAMD_CRYPTOBOX_KEYPAIR_NIST(x) ((struct rspamd_cryptobox_keypair_nist *) (x)) -struct rspamd_cryptobox_keypair_nist { - struct rspamd_cryptobox_keypair parent; - unsigned char sk[32]; - unsigned char pk[65]; -}; - -/* * Curve25519 ecdh keypair */ #define RSPAMD_CRYPTOBOX_KEYPAIR_25519(x) ((struct rspamd_cryptobox_keypair_25519 *) (x)) @@ -64,16 +53,6 @@ struct rspamd_cryptobox_keypair_25519 { }; /* - * NIST p256 ecdsa keypair - */ -#define RSPAMD_CRYPTOBOX_KEYPAIR_SIG_NIST(x) ((struct rspamd_cryptobox_keypair_sig_nist *) (x)) -struct rspamd_cryptobox_keypair_sig_nist { - struct rspamd_cryptobox_keypair parent; - unsigned char sk[32]; - unsigned char pk[65]; -}; - -/* * Ed25519 keypair */ #define RSPAMD_CRYPTOBOX_KEYPAIR_SIG_25519(x) ((struct rspamd_cryptobox_keypair_sig_25519 *) (x)) @@ -90,20 +69,10 @@ struct rspamd_cryptobox_pubkey { unsigned char id[rspamd_cryptobox_HASHBYTES]; struct rspamd_cryptobox_nm *nm; enum rspamd_cryptobox_keypair_type type; - enum rspamd_cryptobox_mode alg; ref_entry_t ref; }; /* - * Public p256 ecdh - */ -#define RSPAMD_CRYPTOBOX_PUBKEY_NIST(x) ((struct rspamd_cryptobox_pubkey_nist *) (x)) -struct rspamd_cryptobox_pubkey_nist { - struct rspamd_cryptobox_pubkey parent; - unsigned char pk[65]; -}; - -/* * Public curve25519 ecdh */ #define RSPAMD_CRYPTOBOX_PUBKEY_25519(x) ((struct rspamd_cryptobox_pubkey_25519 *) (x)) @@ -113,15 +82,6 @@ struct rspamd_cryptobox_pubkey_25519 { }; /* - * Public p256 ecdsa - */ -#define RSPAMD_CRYPTOBOX_PUBKEY_SIG_NIST(x) ((struct rspamd_cryptobox_pubkey_sig_nist *) (x)) -struct rspamd_cryptobox_pubkey_sig_nist { - struct rspamd_cryptobox_pubkey parent; - unsigned char pk[65]; -}; - -/* * Public ed25519 */ #define RSPAMD_CRYPTOBOX_PUBKEY_SIG_25519(x) ((struct rspamd_cryptobox_pubkey_sig_25519 *) (x)) diff --git a/src/libcryptobox/keypairs_cache.c b/src/libcryptobox/keypairs_cache.c index 6003d9923..0b069a64b 100644 --- a/src/libcryptobox/keypairs_cache.c +++ b/src/libcryptobox/keypairs_cache.c @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -77,7 +77,6 @@ void rspamd_keypair_cache_process(struct rspamd_keypair_cache *c, g_assert(lk != NULL); g_assert(rk != NULL); - g_assert(rk->alg == lk->alg); g_assert(rk->type == lk->type); g_assert(rk->type == RSPAMD_KEYPAIR_KEX); @@ -106,22 +105,12 @@ void rspamd_keypair_cache_process(struct rspamd_keypair_cache *c, rspamd_cryptobox_HASHBYTES); memcpy(&new->nm->sk_id, lk->id, sizeof(uint64_t)); - if (rk->alg == RSPAMD_CRYPTOBOX_MODE_25519) { - struct rspamd_cryptobox_pubkey_25519 *rk_25519 = - RSPAMD_CRYPTOBOX_PUBKEY_25519(rk); - struct rspamd_cryptobox_keypair_25519 *sk_25519 = - RSPAMD_CRYPTOBOX_KEYPAIR_25519(lk); + struct rspamd_cryptobox_pubkey_25519 *rk_25519 = + RSPAMD_CRYPTOBOX_PUBKEY_25519(rk); + struct rspamd_cryptobox_keypair_25519 *sk_25519 = + RSPAMD_CRYPTOBOX_KEYPAIR_25519(lk); - rspamd_cryptobox_nm(new->nm->nm, rk_25519->pk, sk_25519->sk, rk->alg); - } - else { - struct rspamd_cryptobox_pubkey_nist *rk_nist = - RSPAMD_CRYPTOBOX_PUBKEY_NIST(rk); - struct rspamd_cryptobox_keypair_nist *sk_nist = - RSPAMD_CRYPTOBOX_KEYPAIR_NIST(lk); - - rspamd_cryptobox_nm(new->nm->nm, rk_nist->pk, sk_nist->sk, rk->alg); - } + rspamd_cryptobox_nm(new->nm->nm, rk_25519->pk, sk_25519->sk); rspamd_lru_hash_insert(c->hash, new, new, time(NULL), -1); } diff --git a/src/libserver/cfg_rcl.cxx b/src/libserver/cfg_rcl.cxx index 9b6e759bb..7856af814 100644 --- a/src/libserver/cfg_rcl.cxx +++ b/src/libserver/cfg_rcl.cxx @@ -3051,21 +3051,16 @@ rspamd_rcl_parse_struct_pubkey(rspamd_mempool_t *pool, gsize len; const char *str; rspamd_cryptobox_keypair_type keypair_type = RSPAMD_KEYPAIR_KEX; - rspamd_cryptobox_mode keypair_mode = RSPAMD_CRYPTOBOX_MODE_25519; if (pd->flags & RSPAMD_CL_FLAG_SIGNKEY) { keypair_type = RSPAMD_KEYPAIR_SIGN; } - if (pd->flags & RSPAMD_CL_FLAG_NISTKEY) { - keypair_mode = RSPAMD_CRYPTOBOX_MODE_NIST; - } target = (struct rspamd_cryptobox_pubkey **) (((char *) pd->user_struct) + pd->offset); if (obj->type == UCL_STRING) { str = ucl_object_tolstring(obj, &len); - pk = rspamd_pubkey_from_base32(str, len, keypair_type, - keypair_mode); + pk = rspamd_pubkey_from_base32(str, len, keypair_type); if (pk != nullptr) { *target = pk; diff --git a/src/libserver/cfg_rcl.h b/src/libserver/cfg_rcl.h index e33656b72..35b9b931f 100644 --- a/src/libserver/cfg_rcl.h +++ b/src/libserver/cfg_rcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2023 Vsevolod Stakhov + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,7 +53,6 @@ enum rspamd_rcl_flag { RSPAMD_CL_FLAG_STRING_LIST_HASH = 0x1 << 12, RSPAMD_CL_FLAG_MULTIPLE = 0x1 << 13, RSPAMD_CL_FLAG_SIGNKEY = 0x1 << 14, - RSPAMD_CL_FLAG_NISTKEY = 0x1 << 15, }; struct rspamd_rcl_struct_parser { diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c index 0f2afc950..a76ed31ab 100644 --- a/src/libserver/dkim.c +++ b/src/libserver/dkim.c @@ -1393,14 +1393,13 @@ rspamd_dkim_make_key(const char *keydata, if (key->type == RSPAMD_DKIM_KEY_EDDSA) { key->specific.key_eddsa = key->keydata; - if (key->decoded_len != rspamd_cryptobox_pk_sig_bytes( - RSPAMD_CRYPTOBOX_MODE_25519)) { + if (key->decoded_len != crypto_sign_publickeybytes()) { g_set_error(err, DKIM_ERROR, DKIM_SIGERROR_KEYFAIL, - "DKIM key is has invalid length %d for eddsa; expected %d", + "DKIM key is has invalid length %d for eddsa; expected %zd", (int) key->decoded_len, - rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519)); + crypto_sign_publickeybytes()); REF_RELEASE(key); return NULL; @@ -2912,7 +2911,7 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx, case RSPAMD_DKIM_KEY_EDDSA: if (!rspamd_cryptobox_verify(ctx->b, ctx->blen, raw_digest, dlen, - key->specific.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519)) { + key->specific.key_eddsa)) { msg_info_dkim( "%s: headers EDDSA verification failure; " "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s", @@ -3113,19 +3112,18 @@ rspamd_dkim_sign_key_load(const char *key, gsize len, } if (type == RSPAMD_DKIM_KEY_RAW && (len == 32 || - len == rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519))) { + len == crypto_sign_secretkeybytes())) { if (len == 32) { /* Seeded key, need scalarmult */ unsigned char pk[32]; nkey->type = RSPAMD_DKIM_KEY_EDDSA; - nkey->specific.key_eddsa = g_malloc( - rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519)); + nkey->specific.key_eddsa = g_malloc(crypto_sign_secretkeybytes()); crypto_sign_ed25519_seed_keypair(pk, nkey->specific.key_eddsa, key); - nkey->keylen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519); + nkey->keylen = crypto_sign_secretkeybytes(); } else { /* Full ed25519 key */ - unsigned klen = rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519); + unsigned klen = crypto_sign_secretkeybytes(); nkey->type = RSPAMD_DKIM_KEY_EDDSA; nkey->specific.key_eddsa = g_malloc(klen); memcpy(nkey->specific.key_eddsa, key, klen); @@ -3518,11 +3516,10 @@ rspamd_dkim_sign(struct rspamd_task *task, const char *selector, } } else if (ctx->key->type == RSPAMD_DKIM_KEY_EDDSA) { - sig_len = rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519); + sig_len = crypto_sign_bytes(); sig_buf = g_alloca(sig_len); - rspamd_cryptobox_sign(sig_buf, NULL, raw_digest, dlen, - ctx->key->specific.key_eddsa, RSPAMD_CRYPTOBOX_MODE_25519); + rspamd_cryptobox_sign(sig_buf, NULL, raw_digest, dlen, ctx->key->specific.key_eddsa); } else { g_string_free(hdr, TRUE); diff --git a/src/libserver/http/http_connection.c b/src/libserver/http/http_connection.c index ef39e11e7..1ae9bb034 100644 --- a/src/libserver/http/http_connection.c +++ b/src/libserver/http/http_connection.c @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -159,8 +159,7 @@ rspamd_http_parse_key(rspamd_ftok_t *data, struct rspamd_http_connection *conn, if (decoded_id != NULL && id_len >= RSPAMD_KEYPAIR_SHORT_ID_LEN) { pk = rspamd_pubkey_from_base32(eq_pos + 1, data->begin + data->len - eq_pos - 1, - RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + RSPAMD_KEYPAIR_KEX); if (pk != NULL) { if (memcmp(rspamd_keypair_get_id(priv->local_key), decoded_id, @@ -572,21 +571,18 @@ rspamd_http_decrypt_message(struct rspamd_http_connection *conn, struct rspamd_http_header *hdr, *hcur, *hcurtmp; struct http_parser decrypted_parser; struct http_parser_settings decrypted_cb; - enum rspamd_cryptobox_mode mode; - mode = rspamd_keypair_alg(priv->local_key); nonce = msg->body_buf.str; - m = msg->body_buf.str + rspamd_cryptobox_nonce_bytes(mode) + - rspamd_cryptobox_mac_bytes(mode); - dec_len = msg->body_buf.len - rspamd_cryptobox_nonce_bytes(mode) - - rspamd_cryptobox_mac_bytes(mode); + m = msg->body_buf.str + crypto_box_noncebytes() + + crypto_box_macbytes(); + dec_len = msg->body_buf.len - crypto_box_noncebytes() - crypto_box_macbytes(); if ((nm = rspamd_pubkey_get_nm(peer_key, priv->local_key)) == NULL) { nm = rspamd_pubkey_calculate_nm(peer_key, priv->local_key); } if (!rspamd_cryptobox_decrypt_nm_inplace(m, dec_len, nonce, - nm, m - rspamd_cryptobox_mac_bytes(mode), mode)) { + nm, m - crypto_box_macbytes())) { msg_err("cannot verify encrypted message, first bytes of the input: %*xs", (int) MIN(msg->body_buf.len, 64), msg->body_buf.begin); return -1; @@ -640,7 +636,6 @@ rspamd_http_on_message_complete(http_parser *parser) (struct rspamd_http_connection *) parser->data; struct rspamd_http_connection_private *priv; int ret = 0; - enum rspamd_cryptobox_mode mode; if (conn->finished) { return 0; @@ -655,11 +650,10 @@ rspamd_http_on_message_complete(http_parser *parser) } if ((conn->opts & RSPAMD_HTTP_BODY_PARTIAL) == 0 && IS_CONN_ENCRYPTED(priv)) { - mode = rspamd_keypair_alg(priv->local_key); if (priv->local_key == NULL || priv->msg->peer_key == NULL || - priv->msg->body_buf.len < rspamd_cryptobox_nonce_bytes(mode) + - rspamd_cryptobox_mac_bytes(mode)) { + priv->msg->body_buf.len < crypto_box_noncebytes() + + crypto_box_macbytes()) { msg_err("cannot decrypt message"); return -1; } @@ -1576,10 +1570,8 @@ rspamd_http_connection_encrypt_message( int i, cnt; unsigned int outlen; struct rspamd_http_header *hdr, *hcur; - enum rspamd_cryptobox_mode mode; - mode = rspamd_keypair_alg(priv->local_key); - crlfp = mp + rspamd_cryptobox_mac_bytes(mode); + crlfp = mp + crypto_box_macbytes(); outlen = priv->out[0].iov_len + priv->out[1].iov_len; /* @@ -1632,7 +1624,7 @@ if ((nm = rspamd_pubkey_get_nm(peer_key, priv->local_key)) == NULL) { nm = rspamd_pubkey_calculate_nm(peer_key, priv->local_key); } -rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, np, nm, mp, mode); +rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, np, nm, mp); /* * iov[0] = base HTTP request @@ -1642,12 +1634,12 @@ rspamd_cryptobox_encryptv_nm_inplace(segments, cnt, np, nm, mp, mode); * iov[4..i] = encrypted HTTP request/reply */ priv->out[2].iov_base = np; -priv->out[2].iov_len = rspamd_cryptobox_nonce_bytes(mode); +priv->out[2].iov_len = crypto_box_noncebytes(); priv->out[3].iov_base = mp; -priv->out[3].iov_len = rspamd_cryptobox_mac_bytes(mode); +priv->out[3].iov_len = crypto_box_macbytes(); -outlen += rspamd_cryptobox_nonce_bytes(mode) + - rspamd_cryptobox_mac_bytes(mode); +outlen += crypto_box_noncebytes() + + crypto_box_macbytes(); for (i = 0; i < cnt; i++) { priv->out[i + 4].iov_base = segments[i].data; @@ -2027,7 +2019,6 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn, unsigned char nonce[rspamd_cryptobox_MAX_NONCEBYTES], mac[rspamd_cryptobox_MAX_MACBYTES]; unsigned char *np = NULL, *mp = NULL, *meth_pos = NULL; struct rspamd_cryptobox_pubkey *peer_key = NULL; - enum rspamd_cryptobox_mode mode; GError *err; conn->ud = ud; @@ -2059,8 +2050,7 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn, if (msg->peer_key != NULL) { if (priv->local_key == NULL) { /* Automatically generate a temporary keypair */ - priv->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + priv->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX); } encrypted = TRUE; @@ -2128,8 +2118,6 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn, } if (encrypted) { - mode = rspamd_keypair_alg(priv->local_key); - if (msg->body_buf.len == 0) { pbody = NULL; bodylen = 0; @@ -2154,8 +2142,8 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn, * [iov[n + 2] = encrypted body] */ priv->outlen = 7; - enclen = rspamd_cryptobox_nonce_bytes(mode) + - rspamd_cryptobox_mac_bytes(mode) + + enclen = crypto_box_noncebytes() + + crypto_box_macbytes() + 4 + /* 2 * CRLF */ bodylen; } @@ -2197,8 +2185,8 @@ rspamd_http_connection_write_message_common(struct rspamd_http_connection *conn, ENCRYPTED_VERSION); } - enclen = rspamd_cryptobox_nonce_bytes(mode) + - rspamd_cryptobox_mac_bytes(mode) + + enclen = crypto_box_noncebytes() + + crypto_box_macbytes() + preludelen + /* version [content-length] + 2 * CRLF */ bodylen; } @@ -2275,10 +2263,9 @@ priv->out[0].iov_len = buf->len; /* Buf will be used eventually for encryption */ if (encrypted) { int meth_offset, nonce_offset, mac_offset; - mode = rspamd_keypair_alg(priv->local_key); - ottery_rand_bytes(nonce, rspamd_cryptobox_nonce_bytes(mode)); - memset(mac, 0, rspamd_cryptobox_mac_bytes(mode)); + ottery_rand_bytes(nonce, crypto_box_noncebytes()); + memset(mac, 0, crypto_box_macbytes()); meth_offset = buf->len; if (conn->type == RSPAMD_HTTP_SERVER) { @@ -2292,11 +2279,9 @@ if (encrypted) { } nonce_offset = buf->len; - buf = rspamd_fstring_append(buf, nonce, - rspamd_cryptobox_nonce_bytes(mode)); + buf = rspamd_fstring_append(buf, nonce, crypto_box_noncebytes()); mac_offset = buf->len; - buf = rspamd_fstring_append(buf, mac, - rspamd_cryptobox_mac_bytes(mode)); + buf = rspamd_fstring_append(buf, mac, crypto_box_macbytes()); /* Need to be encrypted */ if (conn->type == RSPAMD_HTTP_SERVER) { @@ -2365,44 +2350,44 @@ if (conn->opts & RSPAMD_HTTP_CLIENT_SSL) { gpointer ssl_ctx = (msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY) ? priv->ctx->ssl_ctx_noverify : priv->ctx->ssl_ctx; if (!ssl_ctx) { - err = g_error_new(HTTP_ERROR, 400, "ssl message requested " - "with no ssl ctx"); - rspamd_http_connection_ref(conn); - conn->error_handler(conn, err); - rspamd_http_connection_unref(conn); - g_error_free(err); - return FALSE; + err = g_error_new(HTTP_ERROR, 400, "ssl message requested " + "with no ssl ctx"); + rspamd_http_connection_ref(conn); + conn->error_handler(conn, err); + rspamd_http_connection_unref(conn); + g_error_free(err); + return FALSE; } else { - if (!priv->ssl) { - priv->ssl = rspamd_ssl_connection_new(ssl_ctx, priv->ctx->event_loop, - !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY), - conn->log_tag); - g_assert(priv->ssl != NULL); - - if (!rspamd_ssl_connect_fd(priv->ssl, conn->fd, host, &priv->ev, - priv->timeout, rspamd_http_event_handler, - rspamd_http_ssl_err_handler, conn)) { - - err = g_error_new(HTTP_ERROR, 400, - "ssl connection error: ssl error=%s, errno=%s", - ERR_error_string(ERR_get_error(), NULL), - strerror(errno)); - rspamd_http_connection_ref(conn); - conn->error_handler(conn, err); - rspamd_http_connection_unref(conn); - g_error_free(err); - return FALSE; - } - } - else { - /* Just restore SSL handlers */ - rspamd_ssl_connection_restore_handlers(priv->ssl, - rspamd_http_event_handler, - rspamd_http_ssl_err_handler, - conn, - EV_WRITE); + if (!priv->ssl) { + priv->ssl = rspamd_ssl_connection_new(ssl_ctx, priv->ctx->event_loop, + !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY), + conn->log_tag); + g_assert(priv->ssl != NULL); + + if (!rspamd_ssl_connect_fd(priv->ssl, conn->fd, host, &priv->ev, + priv->timeout, rspamd_http_event_handler, + rspamd_http_ssl_err_handler, conn)) { + + err = g_error_new(HTTP_ERROR, 400, + "ssl connection error: ssl error=%s, errno=%s", + ERR_error_string(ERR_get_error(), NULL), + strerror(errno)); + rspamd_http_connection_ref(conn); + conn->error_handler(conn, err); + rspamd_http_connection_unref(conn); + g_error_free(err); + return FALSE; } + } + else { + /* Just restore SSL handlers */ + rspamd_ssl_connection_restore_handlers(priv->ssl, + rspamd_http_event_handler, + rspamd_http_ssl_err_handler, + conn, + EV_WRITE); + } } } else { @@ -2467,10 +2452,10 @@ rspamd_http_connection_get_peer_key(struct rspamd_http_connection *conn) struct rspamd_http_connection_private *priv = conn->priv; if (priv->peer_key) { - return priv->peer_key; + return priv->peer_key; } else if (priv->msg) { - return priv->msg->peer_key; + return priv->msg->peer_key; } return NULL; @@ -2482,10 +2467,10 @@ rspamd_http_connection_is_encrypted(struct rspamd_http_connection *conn) struct rspamd_http_connection_private *priv = conn->priv; if (priv->peer_key != NULL) { - return TRUE; + return TRUE; } else if (priv->msg) { - return priv->msg->peer_key != NULL; + return priv->msg->peer_key != NULL; } return FALSE; @@ -2512,103 +2497,103 @@ rspamd_http_message_parse_query(struct rspamd_http_message *msg) rspamd_fstring_mapped_ftok_free); if (msg->url && msg->url->len > 0) { - http_parser_parse_url(msg->url->str, msg->url->len, TRUE, &u); - - if (u.field_set & (1 << UF_QUERY)) { - p = msg->url->str + u.field_data[UF_QUERY].off; - c = p; - end = p + u.field_data[UF_QUERY].len; - - while (p <= end) { - switch (state) { - case parse_key: - if ((p == end || *p == '&') && p > c) { - /* We have a single parameter without a value */ - key = rspamd_fstring_new_init(c, p - c); - key_tok = rspamd_ftok_map(key); - key_tok->len = rspamd_url_decode(key->str, key->str, - key->len); - - value = rspamd_fstring_new_init("", 0); - value_tok = rspamd_ftok_map(value); + http_parser_parse_url(msg->url->str, msg->url->len, TRUE, &u); + + if (u.field_set & (1 << UF_QUERY)) { + p = msg->url->str + u.field_data[UF_QUERY].off; + c = p; + end = p + u.field_data[UF_QUERY].len; + + while (p <= end) { + switch (state) { + case parse_key: + if ((p == end || *p == '&') && p > c) { + /* We have a single parameter without a value */ + key = rspamd_fstring_new_init(c, p - c); + key_tok = rspamd_ftok_map(key); + key_tok->len = rspamd_url_decode(key->str, key->str, + key->len); + + value = rspamd_fstring_new_init("", 0); + value_tok = rspamd_ftok_map(value); + + g_hash_table_replace(res, key_tok, value_tok); + state = parse_ampersand; + } + else if (*p == '=' && p > c) { + /* We have something like key=value */ + key = rspamd_fstring_new_init(c, p - c); + key_tok = rspamd_ftok_map(key); + key_tok->len = rspamd_url_decode(key->str, key->str, + key->len); + + state = parse_eqsign; + } + else { + p++; + } + break; - g_hash_table_replace(res, key_tok, value_tok); - state = parse_ampersand; - } - else if (*p == '=' && p > c) { - /* We have something like key=value */ - key = rspamd_fstring_new_init(c, p - c); - key_tok = rspamd_ftok_map(key); - key_tok->len = rspamd_url_decode(key->str, key->str, - key->len); - - state = parse_eqsign; - } - else { - p++; - } - break; + case parse_eqsign: + if (*p != '=') { + c = p; + state = parse_value; + } + else { + p++; + } + break; - case parse_eqsign: - if (*p != '=') { - c = p; - state = parse_value; - } - else { - p++; - } - break; - - case parse_value: - if ((p == end || *p == '&') && p >= c) { - g_assert(key != NULL); - if (p > c) { - value = rspamd_fstring_new_init(c, p - c); - value_tok = rspamd_ftok_map(value); - value_tok->len = rspamd_url_decode(value->str, - value->str, - value->len); - /* Detect quotes for value */ - if (value_tok->begin[0] == '"') { - memmove(value->str, value->str + 1, - value_tok->len - 1); - value_tok->len--; - } - if (value_tok->begin[value_tok->len - 1] == '"') { - value_tok->len--; - } + case parse_value: + if ((p == end || *p == '&') && p >= c) { + g_assert(key != NULL); + if (p > c) { + value = rspamd_fstring_new_init(c, p - c); + value_tok = rspamd_ftok_map(value); + value_tok->len = rspamd_url_decode(value->str, + value->str, + value->len); + /* Detect quotes for value */ + if (value_tok->begin[0] == '"') { + memmove(value->str, value->str + 1, + value_tok->len - 1); + value_tok->len--; } - else { - value = rspamd_fstring_new_init("", 0); - value_tok = rspamd_ftok_map(value); + if (value_tok->begin[value_tok->len - 1] == '"') { + value_tok->len--; } - - g_hash_table_replace(res, key_tok, value_tok); - key = value = NULL; - key_tok = value_tok = NULL; - state = parse_ampersand; } else { - p++; + value = rspamd_fstring_new_init("", 0); + value_tok = rspamd_ftok_map(value); } - break; - case parse_ampersand: - if (p != end && *p != '&') { - c = p; - state = parse_key; - } - else { - p++; - } - break; + g_hash_table_replace(res, key_tok, value_tok); + key = value = NULL; + key_tok = value_tok = NULL; + state = parse_ampersand; + } + else { + p++; + } + break; + + case parse_ampersand: + if (p != end && *p != '&') { + c = p; + state = parse_key; + } + else { + p++; } + break; } } + } - if (state != parse_ampersand && key != NULL) { - rspamd_fstring_free(key); - } + if (state != parse_ampersand && key != NULL) { + rspamd_fstring_free(key); + } } return res; @@ -2635,15 +2620,15 @@ void rspamd_http_connection_disable_encryption(struct rspamd_http_connection *co priv = conn->priv; if (priv) { - if (priv->local_key) { - rspamd_keypair_unref(priv->local_key); - } - if (priv->peer_key) { - rspamd_pubkey_unref(priv->peer_key); - } + if (priv->local_key) { + rspamd_keypair_unref(priv->local_key); + } + if (priv->peer_key) { + rspamd_pubkey_unref(priv->peer_key); + } - priv->local_key = NULL; - priv->peer_key = NULL; - priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_ENCRYPTED; + priv->local_key = NULL; + priv->peer_key = NULL; + priv->flags &= ~RSPAMD_HTTP_CONN_FLAG_ENCRYPTED; } }
\ No newline at end of file diff --git a/src/libserver/http/http_context.c b/src/libserver/http/http_context.c index fe9412fe2..df32a2258 100644 --- a/src/libserver/http/http_context.c +++ b/src/libserver/http/http_context.c @@ -77,8 +77,7 @@ rspamd_http_context_client_rotate_ev(struct ev_loop *loop, ev_timer *w, int reve ev_timer_again(loop, w); kp = ctx->client_kp; - ctx->client_kp = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + ctx->client_kp = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX); rspamd_keypair_unref(kp); } diff --git a/src/libserver/logger/logger.c b/src/libserver/logger/logger.c index 13bac5cbe..25818e7a5 100644 --- a/src/libserver/logger/logger.c +++ b/src/libserver/logger/logger.c @@ -1,5 +1,5 @@ /* - * Copyright 2023 Vsevolod Stakhov + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -277,8 +277,7 @@ rspamd_log_open_specific(rspamd_mempool_t *pool, if (cfg->log_encryption_key) { logger->pk = rspamd_pubkey_ref(cfg->log_encryption_key); - logger->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + logger->keypair = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX); rspamd_pubkey_calculate_nm(logger->pk, logger->keypair); } } @@ -342,9 +341,9 @@ rspamd_log_encrypt_message(const char *begin, const char *end, gsize *enc_len, g_assert(end > begin); /* base64 (pubkey | nonce | message) */ - inlen = rspamd_cryptobox_nonce_bytes(RSPAMD_CRYPTOBOX_MODE_25519) + - rspamd_cryptobox_pk_bytes(RSPAMD_CRYPTOBOX_MODE_25519) + - rspamd_cryptobox_mac_bytes(RSPAMD_CRYPTOBOX_MODE_25519) + + inlen = crypto_box_noncebytes() + + crypto_box_publickeybytes() + + crypto_box_macbytes() + (end - begin); out = g_malloc(inlen); @@ -352,16 +351,15 @@ rspamd_log_encrypt_message(const char *begin, const char *end, gsize *enc_len, comp = rspamd_pubkey_get_pk(rspamd_log->pk, &len); memcpy(p, comp, len); p += len; - ottery_rand_bytes(p, rspamd_cryptobox_nonce_bytes(RSPAMD_CRYPTOBOX_MODE_25519)); + ottery_rand_bytes(p, crypto_box_noncebytes()); nonce = p; - p += rspamd_cryptobox_nonce_bytes(RSPAMD_CRYPTOBOX_MODE_25519); + p += crypto_box_noncebytes(); mac = p; - p += rspamd_cryptobox_mac_bytes(RSPAMD_CRYPTOBOX_MODE_25519); + p += crypto_box_macbytes(); memcpy(p, begin, end - begin); comp = rspamd_pubkey_get_nm(rspamd_log->pk, rspamd_log->keypair); g_assert(comp != NULL); - rspamd_cryptobox_encrypt_nm_inplace(p, end - begin, nonce, comp, mac, - RSPAMD_CRYPTOBOX_MODE_25519); + rspamd_cryptobox_encrypt_nm_inplace(p, end - begin, nonce, comp, mac); b64 = rspamd_encode_base64(out, inlen, 0, enc_len); g_free(out); diff --git a/src/libserver/maps/map.c b/src/libserver/maps/map.c index 15fce7e9d..631455755 100644 --- a/src/libserver/maps/map.c +++ b/src/libserver/maps/map.c @@ -670,14 +670,14 @@ rspamd_map_check_sig_pk_mem(const unsigned char *sig, GString *b32_key; gboolean ret = TRUE; - if (siglen != rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519)) { + if (siglen != crypto_sign_bytes()) { msg_err_map("can't open signature for %s: invalid size: %z", map->name, siglen); ret = FALSE; } if (ret && !rspamd_cryptobox_verify(sig, siglen, input, inlen, - rspamd_pubkey_get_pk(pk, NULL), RSPAMD_CRYPTOBOX_MODE_25519)) { + rspamd_pubkey_get_pk(pk, NULL))) { msg_err_map("can't verify signature for %s: incorrect signature", map->name); ret = FALSE; @@ -718,8 +718,7 @@ rspamd_map_check_file_sig(const char *fname, return FALSE; } - pk = rspamd_pubkey_from_base32(data, len, RSPAMD_KEYPAIR_SIGN, - RSPAMD_CRYPTOBOX_MODE_25519); + pk = rspamd_pubkey_from_base32(data, len, RSPAMD_KEYPAIR_SIGN); munmap(data, len); if (pk == NULL) { @@ -2414,8 +2413,7 @@ rspamd_map_check_proto(struct rspamd_config *cfg, end_key = memchr(pos, '+', end - pos); if (end_key != NULL) { - bk->trusted_pubkey = rspamd_pubkey_from_base32(pos, end_key - pos, - RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519); + bk->trusted_pubkey = rspamd_pubkey_from_base32(pos, end_key - pos, RSPAMD_KEYPAIR_SIGN); if (bk->trusted_pubkey == NULL) { msg_err_config("cannot read pubkey from map: %s", @@ -2426,8 +2424,7 @@ rspamd_map_check_proto(struct rspamd_config *cfg, } else if (end - pos > 64) { /* Try hex encoding */ - bk->trusted_pubkey = rspamd_pubkey_from_hex(pos, 64, - RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519); + bk->trusted_pubkey = rspamd_pubkey_from_hex(pos, 64, RSPAMD_KEYPAIR_SIGN); if (bk->trusted_pubkey == NULL) { msg_err_config("cannot read pubkey from map: %s", diff --git a/src/lua/lua_cryptobox.c b/src/lua/lua_cryptobox.c index bad7d7024..1b9074f58 100644 --- a/src/lua/lua_cryptobox.c +++ b/src/lua/lua_cryptobox.c @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -257,7 +257,6 @@ lua_check_cryptobox_secretbox(lua_State *L, int pos) * Loads public key from base32 encoded file * @param {string} file filename to load * @param {string} type optional 'sign' or 'kex' for signing and encryption - * @param {string} alg optional 'default' or 'nist' for curve25519/nistp256 keys * @return {cryptobox_pubkey} new public key */ static int @@ -267,7 +266,6 @@ lua_cryptobox_pubkey_load(lua_State *L) struct rspamd_cryptobox_pubkey *pkey = NULL, **ppkey; const char *filename, *arg; int type = RSPAMD_KEYPAIR_SIGN; - int alg = RSPAMD_CRYPTOBOX_MODE_25519; unsigned char *map; gsize len; @@ -293,19 +291,8 @@ lua_cryptobox_pubkey_load(lua_State *L) type = RSPAMD_KEYPAIR_KEX; } } - if (lua_type(L, 3) == LUA_TSTRING) { - /* algorithm */ - arg = lua_tostring(L, 3); - - if (strcmp(arg, "default") == 0 || strcmp(arg, "curve25519") == 0) { - type = RSPAMD_CRYPTOBOX_MODE_25519; - } - else if (strcmp(arg, "nist") == 0) { - type = RSPAMD_CRYPTOBOX_MODE_NIST; - } - } - pkey = rspamd_pubkey_from_base32(map, len, type, alg); + pkey = rspamd_pubkey_from_base32(map, len, type); if (pkey == NULL) { msg_err("cannot open pubkey from file: %s", filename); @@ -333,7 +320,6 @@ lua_cryptobox_pubkey_load(lua_State *L) * Loads public key from base32 encoded string * @param {base32 string} base32 string with the key * @param {string} type optional 'sign' or 'kex' for signing and encryption - * @param {string} alg optional 'default' or 'nist' for curve25519/nistp256 keys * @return {cryptobox_pubkey} new public key */ static int @@ -344,7 +330,6 @@ lua_cryptobox_pubkey_create(lua_State *L) const char *buf, *arg; gsize len; int type = RSPAMD_KEYPAIR_SIGN; - int alg = RSPAMD_CRYPTOBOX_MODE_25519; buf = luaL_checklstring(L, 1, &len); if (buf != NULL) { @@ -359,19 +344,8 @@ lua_cryptobox_pubkey_create(lua_State *L) type = RSPAMD_KEYPAIR_KEX; } } - if (lua_type(L, 3) == LUA_TSTRING) { - /* algorithm */ - arg = lua_tostring(L, 3); - - if (strcmp(arg, "default") == 0 || strcmp(arg, "curve25519") == 0) { - type = RSPAMD_CRYPTOBOX_MODE_25519; - } - else if (strcmp(arg, "nist") == 0) { - type = RSPAMD_CRYPTOBOX_MODE_NIST; - } - } - pkey = rspamd_pubkey_from_base32(buf, len, type, alg); + pkey = rspamd_pubkey_from_base32(buf, len, type); if (pkey == NULL) { msg_err("cannot load pubkey from string"); @@ -477,7 +451,6 @@ lua_cryptobox_keypair_load(lua_State *L) * @function rspamd_cryptobox_keypair.create([type='encryption'[, alg='curve25519']]) * Generates new keypair * @param {string} type type of keypair: 'encryption' (default) or 'sign' - * @param {string} alg algorithm of keypair: 'curve25519' (default) or 'nist' * @return {cryptobox_keypair} new keypair */ static int @@ -486,7 +459,6 @@ lua_cryptobox_keypair_create(lua_State *L) LUA_TRACE_POINT; struct rspamd_cryptobox_keypair *kp, **pkp; enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX; - enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519; if (lua_isstring(L, 1)) { const char *str = lua_tostring(L, 1); @@ -502,21 +474,7 @@ lua_cryptobox_keypair_create(lua_State *L) } } - if (lua_isstring(L, 2)) { - const char *str = lua_tostring(L, 2); - - if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_NIST; - } - else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_25519; - } - else { - return luaL_error(L, "invalid keypair algorithm: %s", str); - } - } - - kp = rspamd_keypair_new(type, alg); + kp = rspamd_keypair_new(type); pkp = lua_newuserdata(L, sizeof(gpointer)); *pkp = kp; @@ -606,12 +564,7 @@ lua_cryptobox_keypair_get_alg(lua_State *L) struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair(L, 1); if (kp) { - if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) { - lua_pushstring(L, "curve25519"); - } - else { - lua_pushstring(L, "nist"); - } + lua_pushstring(L, "curve25519"); } else { return luaL_error(L, "invalid arguments"); @@ -636,7 +589,7 @@ lua_cryptobox_keypair_get_pk(lua_State *L) if (kp) { data = rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_PK, &dlen); - pk = rspamd_pubkey_from_bin(data, dlen, kp->type, kp->alg); + pk = rspamd_pubkey_from_bin(data, dlen, kp->type); if (pk == NULL) { return luaL_error(L, "invalid keypair"); @@ -654,7 +607,7 @@ lua_cryptobox_keypair_get_pk(lua_State *L) } /*** - * @function rspamd_cryptobox_signature.load(file, [alg = 'curve25519']) + * @function rspamd_cryptobox_signature.load(file) * Loads signature from raw file * @param {string} file filename to load * @return {cryptobox_signature} new signature @@ -668,7 +621,6 @@ lua_cryptobox_signature_load(lua_State *L) gpointer data; int fd; struct stat st; - enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519; filename = luaL_checkstring(L, 1); if (filename != NULL) { @@ -686,22 +638,6 @@ lua_cryptobox_signature_load(lua_State *L) lua_pushnil(L); } else { - if (lua_isstring(L, 2)) { - const char *str = lua_tostring(L, 2); - - if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_NIST; - } - else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_25519; - } - else { - munmap(data, st.st_size); - close(fd); - - return luaL_error(L, "invalid keypair algorithm: %s", str); - } - } if (st.st_size > 0) { sig = rspamd_fstring_new_init(data, st.st_size); psig = lua_newuserdata(L, sizeof(rspamd_fstring_t *)); @@ -711,7 +647,7 @@ lua_cryptobox_signature_load(lua_State *L) else { msg_err("size of %s mismatches: %d while %d is expected", filename, (int) st.st_size, - rspamd_cryptobox_signature_bytes(alg)); + crypto_sign_bytes()); lua_pushnil(L); } @@ -821,7 +757,7 @@ lua_cryptobox_signature_create(lua_State *L) } if (data != NULL) { - if (dlen == rspamd_cryptobox_signature_bytes(RSPAMD_CRYPTOBOX_MODE_25519)) { + if (dlen == crypto_sign_bytes()) { sig = rspamd_fstring_new_init(data, dlen); psig = lua_newuserdata(L, sizeof(rspamd_fstring_t *)); rspamd_lua_setclass(L, rspamd_cryptobox_signature_classname, -1); @@ -1723,7 +1659,7 @@ lua_cryptobox_hash_gc(lua_State *L) } /*** - * @function rspamd_cryptobox.verify_memory(pk, sig, data, [alg = 'curve25519']) + * @function rspamd_cryptobox.verify_memory(pk, sig, data) * Check memory using specified cryptobox key and signature * @param {pubkey} pk public key to verify * @param {sig} signature to check @@ -1738,7 +1674,6 @@ lua_cryptobox_verify_memory(lua_State *L) rspamd_fstring_t *signature; struct rspamd_lua_text *t; const char *data; - enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519; gsize len; int ret; @@ -1759,23 +1694,9 @@ lua_cryptobox_verify_memory(lua_State *L) data = luaL_checklstring(L, 3, &len); } - if (lua_isstring(L, 4)) { - const char *str = lua_tostring(L, 4); - - if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_NIST; - } - else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_25519; - } - else { - return luaL_error(L, "invalid algorithm: %s", str); - } - } - if (pk != NULL && signature != NULL && data != NULL) { ret = rspamd_cryptobox_verify(signature->str, signature->len, data, len, - rspamd_pubkey_get_pk(pk, NULL), alg); + rspamd_pubkey_get_pk(pk, NULL)); if (ret) { lua_pushboolean(L, 1); @@ -1792,7 +1713,7 @@ lua_cryptobox_verify_memory(lua_State *L) } /*** - * @function rspamd_cryptobox.verify_file(pk, sig, file, [alg = 'curve25519']) + * @function rspamd_cryptobox.verify_file(pk, sig, file) * Check file using specified cryptobox key and signature * @param {pubkey} pk public key to verify * @param {sig} signature to check @@ -1807,7 +1728,6 @@ lua_cryptobox_verify_file(lua_State *L) struct rspamd_cryptobox_pubkey *pk; rspamd_fstring_t *signature; unsigned char *map = NULL; - enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519; gsize len; int ret; @@ -1815,26 +1735,12 @@ lua_cryptobox_verify_file(lua_State *L) signature = lua_check_cryptobox_sign(L, 2); fname = luaL_checkstring(L, 3); - if (lua_isstring(L, 4)) { - const char *str = lua_tostring(L, 4); - - if (strcmp(str, "nist") == 0 || strcmp(str, "openssl") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_NIST; - } - else if (strcmp(str, "curve25519") == 0 || strcmp(str, "default") == 0) { - alg = RSPAMD_CRYPTOBOX_MODE_25519; - } - else { - return luaL_error(L, "invalid algorithm: %s", str); - } - } - map = rspamd_file_xmap(fname, PROT_READ, &len, TRUE); if (map != NULL && pk != NULL && signature != NULL) { ret = rspamd_cryptobox_verify(signature->str, signature->len, map, len, - rspamd_pubkey_get_pk(pk, NULL), alg); + rspamd_pubkey_get_pk(pk, NULL)); if (ret) { lua_pushboolean(L, 1); @@ -1896,12 +1802,11 @@ lua_cryptobox_sign_memory(lua_State *L) return luaL_error(L, "invalid arguments"); } - sig = rspamd_fstring_sized_new(rspamd_cryptobox_signature_bytes( - rspamd_keypair_alg(kp))); + sig = rspamd_fstring_sized_new(crypto_sign_bytes()); unsigned long long siglen = sig->len; rspamd_cryptobox_sign(sig->str, &siglen, data, - len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), rspamd_keypair_alg(kp)); + len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL)); sig->len = siglen; psig = lua_newuserdata(L, sizeof(void *)); @@ -1942,13 +1847,12 @@ lua_cryptobox_sign_file(lua_State *L) lua_pushnil(L); } else { - sig = rspamd_fstring_sized_new(rspamd_cryptobox_signature_bytes( - rspamd_keypair_alg(kp))); + sig = rspamd_fstring_sized_new(crypto_sign_bytes()); unsigned long long siglen = sig->len; rspamd_cryptobox_sign(sig->str, &siglen, data, - len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL), rspamd_keypair_alg(kp)); + len, rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL)); sig->len = siglen; psig = lua_newuserdata(L, sizeof(void *)); @@ -1961,7 +1865,7 @@ lua_cryptobox_sign_file(lua_State *L) } /*** - * @function rspamd_cryptobox.encrypt_memory(kp, data[, nist=false]) + * @function rspamd_cryptobox.encrypt_memory(kp, data) * Encrypt data using specified keypair/pubkey * @param {keypair|string} kp keypair or pubkey in base32 to use * @param {string|text} data @@ -1993,8 +1897,7 @@ lua_cryptobox_encrypt_memory(lua_State *L) gsize blen; b32 = lua_tolstring(L, 1, &blen); - pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX, - lua_toboolean(L, 3) ? RSPAMD_CRYPTOBOX_MODE_NIST : RSPAMD_CRYPTOBOX_MODE_25519); + pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX); owned_pk = true; } @@ -2063,7 +1966,7 @@ err: } /*** - * @function rspamd_cryptobox.encrypt_file(kp|pk_string, filename[, nist=false]) + * @function rspamd_cryptobox.encrypt_file(kp|pk_string, filename) * Encrypt data using specified keypair/pubkey * @param {keypair|string} kp keypair or pubkey in base32 to use * @param {string} filename @@ -2096,8 +1999,7 @@ lua_cryptobox_encrypt_file(lua_State *L) gsize blen; b32 = lua_tolstring(L, 1, &blen); - pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX, - lua_toboolean(L, 3) ? RSPAMD_CRYPTOBOX_MODE_NIST : RSPAMD_CRYPTOBOX_MODE_25519); + pk = rspamd_pubkey_from_base32(b32, blen, RSPAMD_KEYPAIR_KEX); own_pk = true; } @@ -2658,11 +2560,11 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L) char *b64_data; gsize b64_len; - rspamd_cryptobox_keypair_sig(pk, sk, RSPAMD_CRYPTOBOX_MODE_25519); + rspamd_cryptobox_keypair_sig(pk, sk); /* Process private key */ b64_data = rspamd_encode_base64(sk, - rspamd_cryptobox_sk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519), + crypto_sign_secretkeybytes(), -1, &b64_len); priv_out = lua_newuserdata(L, sizeof(*priv_out)); @@ -2673,7 +2575,7 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L) /* Process public key */ b64_data = rspamd_encode_base64(pk, - rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519), + crypto_sign_publickeybytes(), -1, &b64_len); pub_out = lua_newuserdata(L, sizeof(*pub_out)); @@ -2691,7 +2593,7 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L) char *b64_data; gsize b64_len; - rspamd_cryptobox_keypair_sig(pk, sk, RSPAMD_CRYPTOBOX_MODE_25519); + rspamd_cryptobox_keypair_sig(pk, sk); /* Process private key */ b64_data = rspamd_encode_base64(sk, @@ -2706,7 +2608,7 @@ lua_cryptobox_gen_dkim_keypair(lua_State *L) /* Process public key */ b64_data = rspamd_encode_base64(pk, - rspamd_cryptobox_pk_sig_bytes(RSPAMD_CRYPTOBOX_MODE_25519), + crypto_sign_publickeybytes(), -1, &b64_len); pub_out = lua_newuserdata(L, sizeof(*pub_out)); diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c index 2032f7dc1..8ba612c1b 100644 --- a/src/lua/lua_http.c +++ b/src/lua/lua_http.c @@ -1,5 +1,5 @@ /* - * Copyright 2023 Vsevolod Stakhov + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -907,8 +907,7 @@ lua_http_request(lua_State *L) gsize inlen; in = lua_tolstring(L, -1, &inlen); - peer_key = rspamd_pubkey_from_base32(in, inlen, - RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519); + peer_key = rspamd_pubkey_from_base32(in, inlen, RSPAMD_KEYPAIR_KEX); } lua_pop(L, 1); diff --git a/src/lua/lua_map.c b/src/lua/lua_map.c index cce78ff2c..1cc2ce1bd 100644 --- a/src/lua/lua_map.c +++ b/src/lua/lua_map.c @@ -1293,8 +1293,7 @@ lua_map_set_sign_key(lua_State *L) pk_str = lua_tolstring(L, 2, &len); if (map && pk_str) { - pk = rspamd_pubkey_from_base32(pk_str, len, RSPAMD_KEYPAIR_SIGN, - RSPAMD_CRYPTOBOX_MODE_25519); + pk = rspamd_pubkey_from_base32(pk_str, len, RSPAMD_KEYPAIR_SIGN); if (!pk) { return luaL_error(L, "invalid pubkey string"); diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c index b92177f1b..91b77c702 100644 --- a/src/plugins/fuzzy_check.c +++ b/src/plugins/fuzzy_check.c @@ -543,15 +543,13 @@ fuzzy_parse_rule(struct rspamd_config *cfg, const ucl_object_t *obj, k = ucl_object_tostring(value); if (k == NULL || (rule->peer_key = - rspamd_pubkey_from_base32(k, 0, RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519)) == NULL) { + rspamd_pubkey_from_base32(k, 0, RSPAMD_KEYPAIR_KEX)) == NULL) { msg_err_config("bad encryption key value: %s", k); return -1; } - rule->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX, - RSPAMD_CRYPTOBOX_MODE_25519); + rule->local_key = rspamd_keypair_new(RSPAMD_KEYPAIR_KEX); } if ((value = ucl_object_lookup(obj, "learn_condition")) != NULL) { @@ -1334,8 +1332,7 @@ fuzzy_encrypt_cmd(struct fuzzy_rule *rule, rule->local_key, rule->peer_key); rspamd_cryptobox_encrypt_nm_inplace(data, datalen, hdr->nonce, rspamd_pubkey_get_nm(rule->peer_key, rule->local_key), - hdr->mac, - rspamd_pubkey_alg(rule->peer_key)); + hdr->mac); } static struct fuzzy_cmd_io * @@ -2209,8 +2206,7 @@ fuzzy_process_reply(unsigned char **pos, int *r, GPtrArray *req, sizeof(encrep.rep), encrep.hdr.nonce, rspamd_pubkey_get_nm(rule->peer_key, rule->local_key), - encrep.hdr.mac, - rspamd_pubkey_alg(rule->peer_key))) { + encrep.hdr.mac)) { msg_info("cannot decrypt reply"); return NULL; } diff --git a/src/rspamadm/signtool.c b/src/rspamadm/signtool.c index 612a67c83..ddc3d45df 100644 --- a/src/rspamadm/signtool.c +++ b/src/rspamadm/signtool.c @@ -1,11 +1,11 @@ -/*- - * Copyright 2016 Vsevolod Stakhov +/* + * Copyright 2024 Vsevolod Stakhov * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, @@ -27,7 +27,6 @@ #include <sys/wait.h> #endif -static gboolean openssl = FALSE; static gboolean verify = FALSE; static gboolean quiet = FALSE; static char *suffix = NULL; @@ -37,7 +36,6 @@ static char *pubout = NULL; static char *keypair_file = NULL; static char *editor = NULL; static gboolean edit = FALSE; -enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519; static void rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd); @@ -53,8 +51,6 @@ struct rspamadm_command signtool_command = { }; static GOptionEntry entries[] = { - {"openssl", 'o', 0, G_OPTION_ARG_NONE, &openssl, - "Generate openssl nistp256 keypair not curve25519 one", NULL}, {"verify", 'v', 0, G_OPTION_ARG_NONE, &verify, "Verify signatures and not sign", NULL}, {"suffix", 'S', 0, G_OPTION_ARG_STRING, &suffix, @@ -327,11 +323,8 @@ rspamadm_sign_file(const char *fname, struct rspamd_cryptobox_keypair *kp) exit(EXIT_FAILURE); } - g_assert(rspamd_cryptobox_MAX_SIGBYTES >= - rspamd_cryptobox_signature_bytes(mode)); - sk = rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL); - rspamd_cryptobox_sign(sig, NULL, map, st.st_size, sk, mode); + rspamd_cryptobox_sign(sig, NULL, map, st.st_size, sk); if (edit) { /* We also need to rename .new file */ @@ -348,7 +341,7 @@ rspamadm_sign_file(const char *fname, struct rspamd_cryptobox_keypair *kp) rspamd_snprintf(sigpath, sizeof(sigpath), "%s%s", fname, suffix); - if (write(fd_sig, sig, rspamd_cryptobox_signature_bytes(mode)) == -1) { + if (write(fd_sig, sig, crypto_sign_bytes()) == -1) { rspamd_fprintf(stderr, "cannot write signature to %s: %s\n", sigpath, strerror(errno)); exit(EXIT_FAILURE); @@ -400,9 +393,6 @@ rspamadm_verify_file(const char *fname, const unsigned char *pk) struct stat st, st_sig; bool ret; - g_assert(rspamd_cryptobox_MAX_SIGBYTES >= - rspamd_cryptobox_signature_bytes(mode)); - if (suffix == NULL) { suffix = ".sig"; } @@ -439,7 +429,7 @@ rspamadm_verify_file(const char *fname, const unsigned char *pk) g_assert(fstat(fd_sig, &st_sig) != -1); - if (st_sig.st_size != rspamd_cryptobox_signature_bytes(mode)) { + if (st_sig.st_size != crypto_sign_bytes()) { close(fd_sig); rspamd_fprintf(stderr, "invalid signature size %s: %ud\n", fname, (unsigned int) st_sig.st_size); @@ -458,7 +448,7 @@ rspamadm_verify_file(const char *fname, const unsigned char *pk) } ret = rspamd_cryptobox_verify(map_sig, st_sig.st_size, - map, st.st_size, pk, mode); + map, st.st_size, pk); munmap(map, st.st_size); munmap(map_sig, st_sig.st_size); @@ -503,10 +493,6 @@ rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd) g_option_context_free(context); - if (openssl) { - mode = RSPAMD_CRYPTOBOX_MODE_NIST; - } - if (verify && (!pubkey && !pubkey_file)) { rspamd_fprintf(stderr, "no pubkey for verification\n"); exit(EXIT_FAILURE); @@ -549,14 +535,13 @@ rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd) flen--; } - pk = rspamd_pubkey_from_base32(map, flen, - RSPAMD_KEYPAIR_SIGN, mode); + pk = rspamd_pubkey_from_base32(map, flen, RSPAMD_KEYPAIR_SIGN); if (pk == NULL) { rspamd_fprintf(stderr, "bad size %s: %ud, %ud expected\n", pubkey_file, (unsigned int) flen, - rspamd_cryptobox_pk_sig_bytes(mode)); + crypto_sign_publickeybytes()); exit(EXIT_FAILURE); } @@ -564,13 +549,13 @@ rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd) } else { pk = rspamd_pubkey_from_base32(pubkey, strlen(pubkey), - RSPAMD_KEYPAIR_SIGN, mode); + RSPAMD_KEYPAIR_SIGN); if (pk == NULL) { rspamd_fprintf(stderr, "bad size %s: %ud, %ud expected\n", pubkey_file, (unsigned int) strlen(pubkey), - rspamd_cryptobox_pk_sig_bytes(mode)); + crypto_sign_publickeybytes()); exit(EXIT_FAILURE); } } diff --git a/src/rspamd_proxy.c b/src/rspamd_proxy.c index 6c8869e22..dbdd2e5a7 100644 --- a/src/rspamd_proxy.c +++ b/src/rspamd_proxy.c @@ -395,7 +395,7 @@ rspamd_proxy_parse_upstream(rspamd_mempool_t *pool, elt = ucl_object_lookup(obj, "key"); if (elt != NULL) { up->key = rspamd_pubkey_from_base32(ucl_object_tostring(elt), 0, - RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519); + RSPAMD_KEYPAIR_KEX); if (up->key == NULL) { g_set_error(err, rspamd_proxy_quark(), 100, @@ -571,7 +571,7 @@ rspamd_proxy_parse_mirror(rspamd_mempool_t *pool, elt = ucl_object_lookup(obj, "key"); if (elt != NULL) { up->key = rspamd_pubkey_from_base32(ucl_object_tostring(elt), 0, - RSPAMD_KEYPAIR_KEX, RSPAMD_CRYPTOBOX_MODE_25519); + RSPAMD_KEYPAIR_KEX); if (up->key == NULL) { g_set_error(err, rspamd_proxy_quark(), 100, |