aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorDmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>2024-10-17 14:59:29 +0200
committerGitHub <noreply@github.com>2024-10-17 14:59:29 +0200
commit202e15b2fad3cabf563474cb9089aa4da41eadf7 (patch)
tree5e37d41123aac2143764e8ba54eddc0b1028fe76 /src
parent69099098799749cf6499cf0a37e04af7fa7731ac (diff)
parent28302c84ef7c9ecdb4845b445d5ebba4c1ef204f (diff)
downloadrspamd-202e15b2fad3cabf563474cb9089aa4da41eadf7.tar.gz
rspamd-202e15b2fad3cabf563474cb9089aa4da41eadf7.zip
Merge branch 'master' into actualize-elastic-module
Diffstat (limited to 'src')
-rw-r--r--src/CMakeLists.txt4
-rw-r--r--src/client/CMakeLists.txt4
-rw-r--r--src/libcryptobox/cryptobox.c19
-rw-r--r--src/libcryptobox/cryptobox.h3
-rw-r--r--src/libserver/dkim.c53
-rw-r--r--src/libserver/ssl_util.c19
-rw-r--r--src/libstat/stat_internal.h10
-rw-r--r--src/libstat/stat_process.c3
-rw-r--r--src/rspamadm/CMakeLists.txt4
9 files changed, 86 insertions, 33 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 173917703..f7fdcef7b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -235,9 +235,9 @@ ADD_EXECUTABLE(rspamd ${RSPAMDSRC} ${CMAKE_CURRENT_BINARY_DIR}/workers.c ${CMAKE
ADD_BACKWARD(rspamd)
SET_TARGET_PROPERTIES(rspamd PROPERTIES LINKER_LANGUAGE CXX)
SET_TARGET_PROPERTIES(rspamd-server PROPERTIES LINKER_LANGUAGE CXX)
-IF(NOT DEBIAN_BUILD)
+IF(NOT NO_TARGET_VERSIONS)
SET_TARGET_PROPERTIES(rspamd PROPERTIES VERSION ${RSPAMD_VERSION})
-ENDIF(NOT DEBIAN_BUILD)
+ENDIF()
#TARGET_LINK_LIBRARIES(rspamd ${RSPAMD_REQUIRED_LIBRARIES})
TARGET_LINK_LIBRARIES(rspamd rspamd-server)
diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt
index edf3cc1c4..543fc629c 100644
--- a/src/client/CMakeLists.txt
+++ b/src/client/CMakeLists.txt
@@ -9,8 +9,8 @@ SET_TARGET_PROPERTIES(rspamc PROPERTIES COMPILE_FLAGS "-I${CMAKE_SOURCE_DIR}/lib
TARGET_LINK_LIBRARIES(rspamc rspamd-server)
SET_TARGET_PROPERTIES(rspamc PROPERTIES LINKER_LANGUAGE CXX)
-IF(NOT DEBIAN_BUILD)
+IF(NOT NO_TARGET_VERSIONS)
SET_TARGET_PROPERTIES(rspamc PROPERTIES VERSION ${RSPAMD_VERSION})
-ENDIF(NOT DEBIAN_BUILD)
+ENDIF()
INSTALL(TARGETS rspamc RUNTIME DESTINATION bin)
diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c
index a976653df..190d0e4a3 100644
--- a/src/libcryptobox/cryptobox.c
+++ b/src/libcryptobox/cryptobox.c
@@ -40,6 +40,7 @@
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
+#include <openssl/err.h>
#endif
#include <signal.h>
@@ -456,9 +457,10 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
gsize siglen,
const unsigned char *digest,
gsize dlen,
- EVP_PKEY *pub_key)
+ EVP_PKEY *pub_key,
+ GError **err)
{
- bool ret = false;
+ bool ret = false, r;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pub_key, NULL);
g_assert(pctx != NULL);
@@ -467,7 +469,18 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
g_assert(EVP_PKEY_verify_init(pctx) == 1);
g_assert(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) == 1);
- g_assert(EVP_PKEY_CTX_set_signature_md(pctx, md) == 1);
+
+ if ((r = EVP_PKEY_CTX_set_signature_md(pctx, md)) <= 0) {
+ g_set_error(err, g_quark_from_static_string("OpenSSL"),
+ r,
+ "cannot set digest %s for RSA verification (%s returned from OpenSSL), try use `update-crypto-policies --set LEGACY` on RH",
+ EVP_MD_name(md),
+ ERR_lib_error_string(ERR_get_error()));
+ EVP_PKEY_CTX_free(pctx);
+ EVP_MD_CTX_free(mdctx);
+
+ return false;
+ }
ret = (EVP_PKEY_verify(pctx, sig, siglen, digest, dlen) == 1);
diff --git a/src/libcryptobox/cryptobox.h b/src/libcryptobox/cryptobox.h
index afe9c4f9a..8d1f5669e 100644
--- a/src/libcryptobox/cryptobox.h
+++ b/src/libcryptobox/cryptobox.h
@@ -238,7 +238,8 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
gsize siglen,
const unsigned char *digest,
gsize dlen,
- EVP_PKEY *pub_key);
+ EVP_PKEY *pub_key,
+ GError **err);
#endif
/**
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index a76ed31ab..0f51c66c0 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -2871,25 +2871,48 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx,
nid = NID_sha1;
}
switch (key->type) {
- case RSPAMD_DKIM_KEY_RSA:
+ case RSPAMD_DKIM_KEY_RSA: {
+ GError *err = NULL;
+
if (!rspamd_cryptobox_verify_evp_rsa(nid, ctx->b, ctx->blen, raw_digest, dlen,
- key->specific.key_ssl.key_evp)) {
- msg_debug_dkim("headers rsa verify failed");
- ERR_clear_error();
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers rsa verify failed";
+ key->specific.key_ssl.key_evp, &err)) {
- msg_info_dkim(
- "%s: headers RSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
+ if (err == NULL) {
+ msg_debug_dkim("headers rsa verify failed");
+ ERR_clear_error();
+ res->rcode = DKIM_REJECT;
+ res->fail_reason = "headers rsa verify failed";
+
+ msg_info_dkim(
+ "%s: headers RSA verification failure; "
+ "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
+ rspamd_dkim_type_to_string(ctx->common.type),
+ (int) (body_end - body_start), ctx->common.body_canonicalised,
+ ctx->common.headers_canonicalised,
+ ctx->domain, ctx->selector,
+ RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
+ ctx->dkim_header);
+ }
+ else {
+ res->rcode = DKIM_PERM_ERROR;
+ res->fail_reason = "openssl internal error";
+ msg_err_dkim("internal OpenSSL error: %s", err->message);
+ msg_info_dkim(
+ "%s: headers RSA verification failure due to OpenSSL internal error; "
+ "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
+ rspamd_dkim_type_to_string(ctx->common.type),
+ (int) (body_end - body_start), ctx->common.body_canonicalised,
+ ctx->common.headers_canonicalised,
+ ctx->domain, ctx->selector,
+ RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
+ ctx->dkim_header);
+
+ ERR_clear_error();
+ g_error_free(err);
+ }
}
break;
+ }
case RSPAMD_DKIM_KEY_ECDSA:
if (rspamd_cryptobox_verify_evp_ecdsa(nid, ctx->b, ctx->blen, raw_digest, dlen,
key->specific.key_ssl.key_evp) != 1) {
diff --git a/src/libserver/ssl_util.c b/src/libserver/ssl_util.c
index b739961a8..c0443ecd9 100644
--- a/src/libserver/ssl_util.c
+++ b/src/libserver/ssl_util.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -1054,6 +1054,9 @@ gpointer rspamd_init_ssl_ctx_noverify(void)
return ssl_ctx_noverify;
}
+#if defined(RSPAMD_LEGACY_SSL_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif
void rspamd_openssl_maybe_init(void)
{
@@ -1075,6 +1078,16 @@ void rspamd_openssl_maybe_init(void)
#else
OPENSSL_init_ssl(0, NULL);
#endif
+#if defined(RSPAMD_LEGACY_SSL_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (OSSL_PROVIDER_load(NULL, "legacy") == NULL) {
+ msg_err("cannot load legacy OpenSSL provider: %s", ERR_lib_error_string(ERR_get_error()));
+ ERR_clear_error();
+ }
+ if (OSSL_PROVIDER_load(NULL, "default") == NULL) {
+ msg_err("cannot load default OpenSSL provider: %s", ERR_lib_error_string(ERR_get_error()));
+ ERR_clear_error();
+ }
+#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
OPENSSL_config(NULL);
diff --git a/src/libstat/stat_internal.h b/src/libstat/stat_internal.h
index 96d67cbf6..663c39df5 100644
--- a/src/libstat/stat_internal.h
+++ b/src/libstat/stat_internal.h
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -41,8 +41,8 @@ struct rspamd_classifier {
GArray *statfiles_ids; /* int */
struct rspamd_stat_cache *cache;
gpointer cachecf;
- gulong spam_learns;
- gulong ham_learns;
+ guint64 spam_learns;
+ guint64 ham_learns;
int autolearn_cbref;
struct rspamd_classifier_config *cfg;
struct rspamd_stat_classifier *subrs;
diff --git a/src/libstat/stat_process.c b/src/libstat/stat_process.c
index 5db3af6ce..17caf4cc6 100644
--- a/src/libstat/stat_process.c
+++ b/src/libstat/stat_process.c
@@ -1017,6 +1017,9 @@ rspamd_stat_check_autolearn(struct rspamd_task *task)
cl = g_ptr_array_index(st_ctx->classifiers, i);
ret = FALSE;
+ rspamd_mempool_set_variable(task->task_pool, RSPAMD_MEMPOOL_HAM_LEARNS, (void *) &cl->ham_learns, NULL);
+ rspamd_mempool_set_variable(task->task_pool, RSPAMD_MEMPOOL_SPAM_LEARNS, (void *) &cl->spam_learns, NULL);
+
if (cl->cfg->opts) {
obj = ucl_object_lookup(cl->cfg->opts, "autolearn");
diff --git a/src/rspamadm/CMakeLists.txt b/src/rspamadm/CMakeLists.txt
index 5e88ec8dd..2f32a95f5 100644
--- a/src/rspamadm/CMakeLists.txt
+++ b/src/rspamadm/CMakeLists.txt
@@ -22,9 +22,9 @@ ENDIF()
ADD_EXECUTABLE(rspamadm ${RSPAMADMSRC})
TARGET_LINK_LIBRARIES(rspamadm rspamd-server)
-IF (NOT DEBIAN_BUILD)
+IF (NOT NO_TARGET_VERSIONS)
SET_TARGET_PROPERTIES(rspamadm PROPERTIES VERSION ${RSPAMD_VERSION})
-ENDIF (NOT DEBIAN_BUILD)
+ENDIF ()
SET_TARGET_PROPERTIES(rspamadm PROPERTIES LINKER_LANGUAGE CXX)
ADD_BACKWARD(rspamadm)