X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/617d39327e65b7fccc41a12b4a5e2940d6327c9f..1d28cc061677bd07d9bed48dd84bd5c590247043:/src/src/pdkim/signing.c diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c index b182c9a20..07737ab41 100644 --- a/src/src/pdkim/signing.c +++ b/src/src/pdkim/signing.c @@ -1,7 +1,7 @@ /* * PDKIM - a RFC4871 (DKIM) implementation - * - * Copyright (C) 1995 - 2018 Exim maintainers + * Copyright (c) The Exim Maintainers 1995 - 2022 + * SPDX-License-Identifier: GPL-2.0-or-later * * signing/verification interface */ @@ -28,8 +28,8 @@ features_crypto(void) #ifndef DISABLE_DKIM /* rest of file */ -#ifndef SUPPORT_TLS -# error Need SUPPORT_TLS for DKIM +#ifdef DISABLE_TLS +# error Must no DISABLE_TLS, for DKIM #endif @@ -37,6 +37,10 @@ features_crypto(void) #ifdef SIGN_GNUTLS # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL 3 +# ifndef GNUTLS_VERIFY_ALLOW_BROKEN +# define GNUTLS_VERIFY_ALLOW_BROKEN 0 +# endif + /* Logging function which can be registered with * gnutls_global_set_log_function() @@ -88,16 +92,19 @@ Return: NULL for success, or an error string */ const uschar * exim_dkim_signing_init(const uschar * privkey_pem, es_ctx * sign_ctx) { -gnutls_datum_t k = { .data = privkey_pem, .size = Ustrlen(privkey_pem) }; +gnutls_datum_t k = { .data = (void *)privkey_pem, .size = Ustrlen(privkey_pem) }; gnutls_x509_privkey_t x509_key; +const uschar * where; int rc; -if ( (rc = gnutls_x509_privkey_init(&x509_key)) - || (rc = gnutls_x509_privkey_import(x509_key, &k, GNUTLS_X509_FMT_PEM)) +if ( (where = US"internal init", rc = gnutls_x509_privkey_init(&x509_key)) || (rc = gnutls_privkey_init(&sign_ctx->key)) - || (rc = gnutls_privkey_import_x509(sign_ctx->key, x509_key, 0)) + || (where = US"privkey PEM-block import", + rc = gnutls_x509_privkey_import(x509_key, &k, GNUTLS_X509_FMT_PEM)) + || (where = US"internal privkey transfer", + rc = gnutls_privkey_import_x509(sign_ctx->key, x509_key, 0)) ) - return CUS gnutls_strerror(rc); + return string_sprintf("%s: %s", where, gnutls_strerror(rc)); switch (rc = gnutls_privkey_get_pk_algorithm(sign_ctx->key, NULL)) { @@ -152,7 +159,8 @@ return NULL; Return: NULL for success, or an error string */ const uschar * -exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx) +exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx, + unsigned * bits) { gnutls_datum_t k; int rc; @@ -166,19 +174,20 @@ switch(fmt) { case KEYFMT_DER: if ((rc = gnutls_pubkey_import(verify_ctx->key, &k, GNUTLS_X509_FMT_DER))) - ret = gnutls_strerror(rc); + ret = US gnutls_strerror(rc); break; #ifdef SIGN_HAVE_ED25519 case KEYFMT_ED25519_BARE: if ((rc = gnutls_pubkey_import_ecc_raw(verify_ctx->key, GNUTLS_ECC_CURVE_ED25519, &k, NULL))) - ret = gnutls_strerror(rc); + ret = US gnutls_strerror(rc); break; #endif default: ret = US"pubkey format not handled"; break; } +if (!ret && bits) gnutls_pubkey_get_pk_algorithm(verify_ctx->key, bits); return ret; } @@ -200,7 +209,7 @@ if (verify_ctx->keytype == KEYTYPE_ED25519) { if ((rc = gnutls_pubkey_verify_data2(verify_ctx->key, GNUTLS_SIGN_EDDSA_ED25519, 0, &k, &s)) < 0) - ret = gnutls_strerror(rc); + ret = US gnutls_strerror(rc); } else #endif @@ -214,8 +223,9 @@ else default: return US"nonhandled hash type"; } - if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->key, algo, 0, &k, &s)) < 0) - ret = gnutls_strerror(rc); + if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->key, algo, + GNUTLS_VERIFY_ALLOW_BROKEN, &k, &s)) < 0) + ret = US gnutls_strerror(rc); } gnutls_pubkey_deinit(verify_ctx->key); @@ -409,8 +419,9 @@ if ( !(s1 = Ustrstr(CS privkey_pem, "-----BEGIN RSA PRIVATE KEY-----")) *s2 = '\0'; -if ((der.len = b64decode(s1, &der.data)) < 0) +if ((rc = b64decode(s1, &der.data) < 0)) return US"Bad PEM-DER b64 decode"; +der.len = rc; /* untangle asn.1 */ @@ -496,7 +507,7 @@ switch (hash) } #define SIGSPACE 128 -sig->data = store_get(SIGSPACE); +sig->data = store_get(SIGSPACE, GET_UNTAINTED); if (gcry_mpi_cmp (sign_ctx->p, sign_ctx->q) > 0) { @@ -548,7 +559,8 @@ return NULL; Return: NULL for success, or an error string */ const uschar * -exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx) +exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx, + unsigned * bits) { /* in code sequence per b81207d2bfa92 rsa_parse_public_key() and asn1_get_mpi() @@ -556,6 +568,7 @@ in code sequence per b81207d2bfa92 rsa_parse_public_key() and asn1_get_mpi() uschar tag_class; int taglen; long alen; +unsigned nbits; int rc; uschar * errstr; gcry_error_t gerr; @@ -604,10 +617,10 @@ if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL)) /* read two integers */ DEBUG(D_acl) stage = US"MPI"; -if ( (errstr = as_mpi(pubkey, &verify_ctx->n)) - || (errstr = as_mpi(pubkey, &verify_ctx->e)) - ) - return errstr; +nbits = pubkey->len; +if ((errstr = as_mpi(pubkey, &verify_ctx->n))) return errstr; +nbits = (nbits - pubkey->len) * 8; +if ((errstr = as_mpi(pubkey, &verify_ctx->e))) return errstr; #ifdef extreme_debug DEBUG(D_acl) debug_printf_indent("rsa_verify_init:\n"); @@ -620,6 +633,7 @@ DEBUG(D_acl) debug_printf_indent("rsa_verify_init:\n"); } #endif +if (bits) *bits = nbits; return NULL; asn_err: @@ -709,14 +723,15 @@ Return: NULL for success, or an error string */ const uschar * exim_dkim_signing_init(const uschar * privkey_pem, es_ctx * sign_ctx) { -BIO * bp = BIO_new_mem_buf(privkey_pem, -1); +BIO * bp = BIO_new_mem_buf((void *)privkey_pem, -1); if (!(sign_ctx->key = PEM_read_bio_PrivateKey(bp, NULL, NULL, NULL))) - return US ERR_error_string(ERR_get_error(), NULL); + return string_sprintf("privkey PEM-block import: %s", + ERR_error_string(ERR_get_error(), NULL)); sign_ctx->keytype = #ifdef SIGN_HAVE_ED25519 - EVP_PKEY_type(EVP_PKEY_id(sign_ctx->key)) == EVP_PKEY_EC + EVP_PKEY_type(EVP_PKEY_id(sign_ctx->key)) == EVP_PKEY_ED25519 ? KEYTYPE_ED25519 : KEYTYPE_RSA; #else KEYTYPE_RSA; @@ -727,7 +742,7 @@ return NULL; /* allocate mem for signature (when signing) */ -/* hash & sign data. Could be incremental +/* hash & sign data. Incremental not supported. Return: NULL for success with the signaature in the sig blob, or an error string */ @@ -740,31 +755,36 @@ size_t siglen; switch (hash) { + case HASH_NULL: md = NULL; break; /* Ed25519 signing */ case HASH_SHA1: md = EVP_sha1(); break; case HASH_SHA2_256: md = EVP_sha256(); break; case HASH_SHA2_512: md = EVP_sha512(); break; default: return US"nonhandled hash type"; } -/* Create the Message Digest Context */ -/*XXX renamed to EVP_MD_CTX_new() in 1.1.0 */ -if( (ctx = EVP_MD_CTX_create()) - -/* Initialise the DigestSign operation */ - && EVP_DigestSignInit(ctx, NULL, md, NULL, sign_ctx->key) > 0 +#ifdef SIGN_HAVE_ED25519 +if ( (ctx = EVP_MD_CTX_new()) + && EVP_DigestSignInit(ctx, NULL, md, NULL, sign_ctx->key) > 0 + && EVP_DigestSign(ctx, NULL, &siglen, NULL, 0) > 0 + && (sig->data = store_get(siglen, GET_UNTAINTED)) - /* Call update with the message */ + /* Obtain the signature (slen could change here!) */ + && EVP_DigestSign(ctx, sig->data, &siglen, data->data, data->len) > 0 + ) + { + EVP_MD_CTX_destroy(ctx); + sig->len = siglen; + return NULL; + } +#else +/*XXX renamed to EVP_MD_CTX_new() in 1.1.0 */ +if ( (ctx = EVP_MD_CTX_create()) + && EVP_DigestSignInit(ctx, NULL, md, NULL, sign_ctx->key) > 0 && EVP_DigestSignUpdate(ctx, data->data, data->len) > 0 - - /* Finalise the DigestSign operation */ - /* First call EVP_DigestSignFinal with a NULL sig parameter to obtain the length of the - * signature. Length is returned in slen */ && EVP_DigestSignFinal(ctx, NULL, &siglen) > 0 - - /* Allocate memory for the signature based on size in slen */ - && (sig->data = store_get(siglen)) - - /* Obtain the signature (slen could change here!) */ + && (sig->data = store_get(siglen, GET_UNTAINTED)) + + /* Obtain the signature (slen could change here!) */ && EVP_DigestSignFinal(ctx, sig->data, &siglen) > 0 ) { @@ -772,6 +792,7 @@ if( (ctx = EVP_MD_CTX_create()) sig->len = siglen; return NULL; } +#endif if (ctx) EVP_MD_CTX_destroy(ctx); return US ERR_error_string(ERR_get_error(), NULL); @@ -783,36 +804,24 @@ return US ERR_error_string(ERR_get_error(), NULL); Return: NULL for success, or an error string */ const uschar * -exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx) +exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx, + unsigned * bits) { const uschar * s = pubkey->data; uschar * ret = NULL; -if (fmt != KEYFMT_DER) return US"pubkey format not handled"; switch(fmt) { case KEYFMT_DER: - /*XXX ok, this fails for EC: - error:0609E09C:digital envelope routines:pkey_set_type:unsupported algorithm - */ - /*XXX hmm, we never free this */ if (!(verify_ctx->key = d2i_PUBKEY(NULL, &s, pubkey->len))) ret = US ERR_error_string(ERR_get_error(), NULL); break; #ifdef SIGN_HAVE_ED25519 case KEYFMT_ED25519_BARE: - { - BIGNUM * x; - EC_KEY * eck; - if ( !(x = BN_bin2bn(s, pubkey->len, NULL)) - || !(eck = EC_KEY_new_by_curve_name(NID_ED25519)) - || !EC_KEY_set_public_key_affine_coordinates(eck, x, NULL) - || !(verify_ctx->key = EVP_PKEY_new()) - || !EVP_PKEY_assign_EC_KEY(verify_ctx->key, eck) - ) + if (!(verify_ctx->key = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, + s, pubkey->len))) ret = US ERR_error_string(ERR_get_error(), NULL); - } break; #endif default: @@ -820,14 +829,14 @@ switch(fmt) break; } +if (!ret && bits) *bits = EVP_PKEY_bits(verify_ctx->key); return ret; } -/* verify signature (of hash) -(pre-EC coding; of data if "notyet" code, The latter could be incremental) +/* verify signature (of hash, except Ed25519 where of-data) (given pubkey & alleged sig) Return: NULL for success, or an error string */ @@ -836,61 +845,53 @@ exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data, blob * sig) { const EVP_MD * md; -/*XXX OpenSSL does not seem to have Ed25519 support yet. Reportedly BoringSSL does, -but that's a nonstable API and not recommended (by its owner, Google) for external use. */ - switch (hash) { + case HASH_NULL: md = NULL; break; case HASH_SHA1: md = EVP_sha1(); break; case HASH_SHA2_256: md = EVP_sha256(); break; case HASH_SHA2_512: md = EVP_sha512(); break; default: return US"nonhandled hash type"; } -#ifdef notyet_SIGN_HAVE_ED25519 +#ifdef SIGN_HAVE_ED25519 +if (!md) { EVP_MD_CTX * ctx; - /*XXX renamed to EVP_MD_CTX_new() in 1.1.0 */ - if ( - (ctx = EVP_MD_CTX_create()) - - /* Initialize `key` with a public key */ - && EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0 - - /* add data to be hashed (call multiple times if needed) */ - - && EVP_DigestVerifyUpdate(ctx, data->data, data->len) > 0 - - /* finish off the hash and check the offered signature */ - - && EVP_DigestVerifyFinal(ctx, sig->data, sig->len) > 0 - ) + if ((ctx = EVP_MD_CTX_new())) { - EVP_MD_CTX_destroy(ctx); /* renamed to _free in 1.1.0 */ - return NULL; + if ( EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0 + && EVP_DigestVerify(ctx, sig->data, sig->len, data->data, data->len) > 0 + ) + { EVP_MD_CTX_free(ctx); return NULL; } + EVP_MD_CTX_free(ctx); } - - if (ctx) EVP_MD_CTX_free(ctx); - return US ERR_error_string(ERR_get_error(), NULL); } -#else +else +#endif { EVP_PKEY_CTX * ctx; - if ( (ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL)) - && EVP_PKEY_verify_init(ctx) > 0 - && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0 - && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0 - && EVP_PKEY_verify(ctx, sig->data, sig->len, - data->data, data->len) == 1 - ) - { EVP_PKEY_CTX_free(ctx); return NULL; } - - if (ctx) EVP_PKEY_CTX_free(ctx); - return US ERR_error_string(ERR_get_error(), NULL); + if ((ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL))) + { + if ( EVP_PKEY_verify_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0 + && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0 + && EVP_PKEY_verify(ctx, sig->data, sig->len, + data->data, data->len) == 1 + ) + { EVP_PKEY_CTX_free(ctx); return NULL; } + EVP_PKEY_CTX_free(ctx); + + DEBUG(D_tls) + if (Ustrcmp(ERR_reason_error_string(ERR_peek_error()), "wrong signature length") == 0) + debug_printf("sig len (from msg hdr): %d, expected (from dns pubkey) %d\n", + (int) sig->len, EVP_PKEY_size(verify_ctx->key)); + } } -#endif + +return US ERR_error_string(ERR_get_error(), NULL); }