Diffstat (limited to 'src')
-rw-r--r-- | src/CMakeLists.txt | 4 | ||||
-rw-r--r-- | src/client/CMakeLists.txt | 4 | ||||
-rw-r--r-- | src/libcryptobox/cryptobox.c | 19 | ||||
-rw-r--r-- | src/libcryptobox/cryptobox.h | 3 | ||||
-rw-r--r-- | src/libserver/dkim.c | 53 | ||||
-rw-r--r-- | src/libserver/ssl_util.c | 19 | ||||
-rw-r--r-- | src/libstat/stat_internal.h | 10 | ||||
-rw-r--r-- | src/libstat/stat_process.c | 3 | ||||
-rw-r--r-- | src/rspamadm/CMakeLists.txt | 4 |
9 files changed, 86 insertions, 33 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 173917703..f7fdcef7b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -235,9 +235,9 @@ ADD_EXECUTABLE(rspamd ${RSPAMDSRC} ${CMAKE_CURRENT_BINARY_DIR}/workers.c ${CMAKE
 ADD_BACKWARD(rspamd)
 SET_TARGET_PROPERTIES(rspamd PROPERTIES LINKER_LANGUAGE CXX)
 SET_TARGET_PROPERTIES(rspamd-server PROPERTIES LINKER_LANGUAGE CXX)
-IF(NOT DEBIAN_BUILD)
+IF(NOT NO_TARGET_VERSIONS)
 SET_TARGET_PROPERTIES(rspamd PROPERTIES VERSION ${RSPAMD_VERSION})
-ENDIF(NOT DEBIAN_BUILD)
+ENDIF()
 #TARGET_LINK_LIBRARIES(rspamd ${RSPAMD_REQUIRED_LIBRARIES})
 TARGET_LINK_LIBRARIES(rspamd rspamd-server)
diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt
index edf3cc1c4..543fc629c 100644
--- a/src/client/CMakeLists.txt
+++ b/src/client/CMakeLists.txt
@@ -9,8 +9,8 @@ SET_TARGET_PROPERTIES(rspamc PROPERTIES COMPILE_FLAGS "-I${CMAKE_SOURCE_DIR}/lib
 TARGET_LINK_LIBRARIES(rspamc rspamd-server)
 SET_TARGET_PROPERTIES(rspamc PROPERTIES LINKER_LANGUAGE CXX)
-IF(NOT DEBIAN_BUILD)
+IF(NOT NO_TARGET_VERSIONS)
 SET_TARGET_PROPERTIES(rspamc PROPERTIES VERSION ${RSPAMD_VERSION})
-ENDIF(NOT DEBIAN_BUILD)
+ENDIF()
 INSTALL(TARGETS rspamc RUNTIME DESTINATION bin)
diff --git a/src/libcryptobox/cryptobox.c b/src/libcryptobox/cryptobox.c
index a976653df..190d0e4a3 100644
--- a/src/libcryptobox/cryptobox.c
+++ b/src/libcryptobox/cryptobox.c
@@ -40,6 +40,7 @@
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
+#include <openssl/err.h>
 #endif
 #include <signal.h>
@@ -456,9 +457,10 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
 gsize siglen,
 const unsigned char *digest,
 gsize dlen,
- EVP_PKEY *pub_key)
+ EVP_PKEY *pub_key,
+ GError **err)
 {
- bool ret = false;
+ bool ret = false, r;
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pub_key, NULL);
 g_assert(pctx != NULL);
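Review bot: `r` is declared `bool` in the new `bool ret = false, r;`, but in the next hunk (`@@ -467,7 +469,18 @@`) it receives the `int` result of `EVP_PKEY_CTX_set_signature_md()`, and conversion to `bool` maps every non-zero value, including OpenSSL's negative "operation not supported" return, to 1, so the `r <= 0` check there catches only a literal 0 and a negative return is treated as success. It also means the value handed to `g_set_error()` as the error code is 0 or 1 rather than what OpenSSL returned. Declare the two separately: `bool ret = false;` and `int r;`. The remainder of `rspamd_cryptobox_verify_evp_rsa()`, including where `mdctx` and `md` are created, lies outside both hunks.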
@@ -467,7 +469,18 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
 g_assert(EVP_PKEY_verify_init(pctx) == 1);
 g_assert(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) == 1);
- g_assert(EVP_PKEY_CTX_set_signature_md(pctx, md) == 1);
+
+ if ((r = EVP_PKEY_CTX_set_signature_md(pctx, md)) <= 0) {
+ g_set_error(err, g_quark_from_static_string("OpenSSL"),
+ r,
+ "cannot set digest %s for RSA verification (%s returned from OpenSSL), try use `update-crypto-policies --set LEGACY` on RH",
+ EVP_MD_name(md),
+ ERR_lib_error_string(ERR_get_error()));
+ EVP_PKEY_CTX_free(pctx);
+ EVP_MD_CTX_free(mdctx);
+
+ return false;
+ }
 ret = (EVP_PKEY_verify(pctx, sig, siglen, digest, dlen) == 1);
diff --git a/src/libcryptobox/cryptobox.h b/src/libcryptobox/cryptobox.h
index afe9c4f9a..8d1f5669e 100644
--- a/src/libcryptobox/cryptobox.h
+++ b/src/libcryptobox/cryptobox.h
@@ -238,7 +238,8 @@ bool rspamd_cryptobox_verify_evp_rsa(int nid,
 gsize siglen,
 const unsigned char *digest,
 gsize dlen,
- EVP_PKEY *pub_key);
+ EVP_PKEY *pub_key,
+ GError **err);
 #endif
 /**
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index a76ed31ab..0f51c66c0 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
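Review bot: `ERR_lib_error_string(ERR_get_error())` in the new `g_set_error()` call yields the name of the OpenSSL library component that raised the error, not the reason, so the `(%s returned from OpenSSL)` part of the message will read like "digital envelope routines" rather than naming the unsupported digest; `ERR_reason_error_string()` gives the reason and `ERR_error_string_n()` the full "lib:func:reason" text. Both helpers can return NULL for an empty queue or an unknown code, so the result should be checked before it is passed to `%s`. Nothing clears the error queue before `EVP_PKEY_CTX_set_signature_md()` is called, and `ERR_get_error()` returns the oldest entry, so a stale error from an earlier unrelated failure could be the one reported. The function body and the creation of `mdctx` and `md` are outside the hunk.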
@@ -2871,25 +2871,48 @@ rspamd_dkim_check(rspamd_dkim_context_t *ctx,
 nid = NID_sha1;
 }
 switch (key->type) {
- case RSPAMD_DKIM_KEY_RSA:
+ case RSPAMD_DKIM_KEY_RSA: {
+ GError *err = NULL;
+
 if (!rspamd_cryptobox_verify_evp_rsa(nid, ctx->b, ctx->blen, raw_digest, dlen,
- key->specific.key_ssl.key_evp)) {
- msg_debug_dkim("headers rsa verify failed");
- ERR_clear_error();
- res->rcode = DKIM_REJECT;
- res->fail_reason = "headers rsa verify failed";
+ key->specific.key_ssl.key_evp, &err)) {
- msg_info_dkim(
- "%s: headers RSA verification failure; "
- "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
- rspamd_dkim_type_to_string(ctx->common.type),
- (int) (body_end - body_start), ctx->common.body_canonicalised,
- ctx->common.headers_canonicalised,
- ctx->domain, ctx->selector,
- RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
- ctx->dkim_header);
+ if (err == NULL) {
+ msg_debug_dkim("headers rsa verify failed");
+ ERR_clear_error();
+ res->rcode = DKIM_REJECT;
+ res->fail_reason = "headers rsa verify failed";
+
+ msg_info_dkim(
+ "%s: headers RSA verification failure; "
+ "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
+ rspamd_dkim_type_to_string(ctx->common.type),
+ (int) (body_end - body_start), ctx->common.body_canonicalised,
+ ctx->common.headers_canonicalised,
+ ctx->domain, ctx->selector,
+ RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
+ ctx->dkim_header);
+ }
+ else {
+ res->rcode = DKIM_PERM_ERROR;
+ res->fail_reason = "openssl internal error";
+ msg_err_dkim("internal OpenSSL error: %s", err->message);
+ msg_info_dkim(
+ "%s: headers RSA verification failure due to OpenSSL internal error; "
+ "body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
+ rspamd_dkim_type_to_string(ctx->common.type),
+ (int) (body_end - body_start), ctx->common.body_canonicalised,
+ ctx->common.headers_canonicalised,
+ ctx->domain, ctx->selector,
+ RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
+ ctx->dkim_header);
+
+ ERR_clear_error();
+ g_error_free(err);
+ }
 }
 break;
+ }
 case RSPAMD_DKIM_KEY_ECDSA:
 if (rspamd_cryptobox_verify_evp_ecdsa(nid, ctx->b, ctx->blen, raw_digest, dlen,
 key->specific.key_ssl.key_evp) != 1) {
diff --git a/src/libserver/ssl_util.c b/src/libserver/ssl_util.c
index b739961a8..c0443ecd9 100644
--- a/src/libserver/ssl_util.c
+++ b/src/libserver/ssl_util.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
@@ -1054,6 +1054,9 @@ gpointer rspamd_init_ssl_ctx_noverify(void)
 return ssl_ctx_noverify;
 }
+#if defined(RSPAMD_LEGACY_SSL_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif
 void rspamd_openssl_maybe_init(void)
 {
@@ -1075,6 +1078,16 @@ void rspamd_openssl_maybe_init(void)
 #else
 OPENSSL_init_ssl(0, NULL);
 #endif
+#if defined(RSPAMD_LEGACY_SSL_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (OSSL_PROVIDER_load(NULL, "legacy") == NULL) {
+ msg_err("cannot load legacy OpenSSL provider: %s", ERR_lib_error_string(ERR_get_error()));
+ ERR_clear_error();
+ }
+ if (OSSL_PROVIDER_load(NULL, "default") == NULL) {
+ msg_err("cannot load default OpenSSL provider: %s", ERR_lib_error_string(ERR_get_error()));
+ ERR_clear_error();
+ }
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 OPENSSL_config(NULL);
diff --git a/src/libstat/stat_internal.h b/src/libstat/stat_internal.h
index 96d67cbf6..663c39df5 100644
--- a/src/libstat/stat_internal.h
+++ b/src/libstat/stat_internal.h
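Review bot: The two `msg_info_dkim()` calls in the new `if (err == NULL)` / `else` branches are identical apart from the prefix `"headers RSA verification failure"` versus `"... due to OpenSSL internal error"`, nine argument lines each, so the branches would be easier to keep in sync if they only set `res->rcode`, `res->fail_reason` and a `const char *why` prefix and a single log call followed; a rewrite along those lines is sketched below. The `else` branch maps a problem local to the verifying host (a digest the OpenSSL policy refuses) to `DKIM_PERM_ERROR` with `fail_reason = "openssl internal error"`, which downstream will read as a property of the signature; whether a temporary or neutral result fits better is a policy call, and RFC 8301 treats rsa-sha1 signatures as failed in any case. Which branch runs depends entirely on `rspamd_cryptobox_verify_evp_rsa()` setting `err`. `rspamd_dkim_check()` begins and ends outside the hunk.
```c
case RSPAMD_DKIM_KEY_RSA: {
	GError *err = NULL;

	if (!rspamd_cryptobox_verify_evp_rsa(nid, ctx->b, ctx->blen, raw_digest, dlen,
										 key->specific.key_ssl.key_evp, &err)) {
		const char *why;

		if (err == NULL) {
			msg_debug_dkim("headers rsa verify failed");
			res->rcode = DKIM_REJECT;
			res->fail_reason = "headers rsa verify failed";
			why = "headers RSA verification failure";
		}
		else {
			res->rcode = DKIM_PERM_ERROR;
			res->fail_reason = "openssl internal error";
			msg_err_dkim("internal OpenSSL error: %s", err->message);
			why = "headers RSA verification failure due to OpenSSL internal error";
			g_error_free(err);
		}

		ERR_clear_error();
		msg_info_dkim(
			"%s: %s; "
			"body length %d->%d; headers length %d; d=%s; s=%s; key_md5=%*xs; orig header: %s",
			rspamd_dkim_type_to_string(ctx->common.type), why,
			(int) (body_end - body_start), ctx->common.body_canonicalised,
			ctx->common.headers_canonicalised,
			ctx->domain, ctx->selector,
			RSPAMD_DKIM_KEY_ID_LEN, rspamd_dkim_key_id(key),
			ctx->dkim_header);
	}
	break;
}
/* … unchanged: case RSPAMD_DKIM_KEY_ECDSA … */
```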
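Review bot: The new `#include <openssl/provider.h>` is placed between `rspamd_init_ssl_ctx_noverify()` and `rspamd_openssl_maybe_init()` (hunk `@@ -1054,6 +1054,9 @@`) instead of with the other OpenSSL includes at the top of ssl_util.c, so the file's dependency set is no longer visible in one place; it should move up, keeping the same `#if` guard. In the `@@ -1075,6 +1078,16 @@` hunk both `msg_err()` calls print `ERR_lib_error_string(ERR_get_error())`, which is the library name rather than the reason — `ERR_reason_error_string()` or `ERR_error_string_n()` is what the log reader needs, and either can return NULL. Loading the `legacy` provider into the default library context makes OpenSSL's retired algorithms available to every caller in the process, not only DKIM verification, and nothing in this diff (limited to `src`) defines `RSPAMD_LEGACY_SSL_PROVIDER`, so it presumably comes from the top-level build; a comment on the `#if` such as `/* build option: enables OpenSSL's retired algorithms process-wide, not just for DKIM */` would make both facts visible here. The returned `OSSL_PROVIDER` handles are discarded, which is fine if they are meant to live for the whole process.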
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2024 Vsevolod Stakhov
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
@@ -41,8 +41,8 @@ struct rspamd_classifier {
 GArray *statfiles_ids; /* int */
 struct rspamd_stat_cache *cache;
 gpointer cachecf;
- gulong spam_learns;
- gulong ham_learns;
+ guint64 spam_learns;
+ guint64 ham_learns;
 int autolearn_cbref;
 struct rspamd_classifier_config *cfg;
 struct rspamd_stat_classifier *subrs;
diff --git a/src/libstat/stat_process.c b/src/libstat/stat_process.c
index 5db3af6ce..17caf4cc6 100644
--- a/src/libstat/stat_process.c
+++ b/src/libstat/stat_process.c
@@ -1017,6 +1017,9 @@ rspamd_stat_check_autolearn(struct rspamd_task *task)
 cl = g_ptr_array_index(st_ctx->classifiers, i);
 ret = FALSE;
+ rspamd_mempool_set_variable(task->task_pool, RSPAMD_MEMPOOL_HAM_LEARNS, (void *) &cl->ham_learns, NULL);
+ rspamd_mempool_set_variable(task->task_pool, RSPAMD_MEMPOOL_SPAM_LEARNS, (void *) &cl->spam_learns, NULL);
+
 if (cl->cfg->opts) {
 obj = ucl_object_lookup(cl->cfg->opts, "autolearn");
diff --git a/src/rspamadm/CMakeLists.txt b/src/rspamadm/CMakeLists.txt
index 5e88ec8dd..2f32a95f5 100644
--- a/src/rspamadm/CMakeLists.txt
+++ b/src/rspamadm/CMakeLists.txt
@@ -22,9 +22,9 @@ ENDIF()
 ADD_EXECUTABLE(rspamadm ${RSPAMADMSRC})
 TARGET_LINK_LIBRARIES(rspamadm rspamd-server)
-IF (NOT DEBIAN_BUILD)
+IF (NOT NO_TARGET_VERSIONS)
 SET_TARGET_PROPERTIES(rspamadm PROPERTIES VERSION ${RSPAMD_VERSION})
-ENDIF (NOT DEBIAN_BUILD)
+ENDIF ()
 SET_TARGET_PROPERTIES(rspamadm PROPERTIES LINKER_LANGUAGE CXX)
 ADD_BACKWARD(rspamadm) |
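Review bot: The two new `rspamd_mempool_set_variable()` calls in stat_process.c appear to run inside the per-classifier loop (`cl = g_ptr_array_index(st_ctx->classifiers, i)` indexes by `i`, whose loop is outside the hunk), so every iteration overwrites `RSPAMD_MEMPOOL_HAM_LEARNS` and `RSPAMD_MEMPOOL_SPAM_LEARNS` and a consumer sees only the counters of whichever classifier was visited last, unless the loop exits early. If that is intended (a single classifier being the usual case), a comment on the first call such as `/* with several classifiers the last one visited wins */` would save the next reader the question; otherwise the variables should be set only for the classifier whose decision is returned. What is stored is a raw pointer into `struct rspamd_classifier`, so it is valid only while that object outlives `task->task_pool` — presumably true for a config-owned classifier, but worth stating next to the call. The widening of `spam_learns`/`ham_learns` to `guint64` in stat_internal.h (`@@ -41,8 +41,8 @@`) is what any reader dereferencing these pointers has to assume. `rspamd_stat_check_autolearn()` and its loop extend outside the hunk.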