From 260958d632506e2789fc632381f560f5a0c77ed7 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 9 Feb 2018 21:59:49 +0000
Subject: [PATCH] Builtin macros for sha3-hash and ed25519-signing support

---
 doc/doc-docbook/spec.xfpt |  8 ++++++--
 doc/doc-txt/NewStuff      |  3 +++
 src/OS/Makefile-Base      |  9 ++++++---
 src/src/macro_predef.c    |  2 ++
 src/src/macro_predef.h    |  1 +
 src/src/pdkim/crypt_ver.h |  2 +-
 src/src/pdkim/signing.c   | 24 ++++++++++++++++++++----
 src/src/sha_ver.h         |  2 +-
 src/src/tls-openssl.c     |  4 ++--
 9 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b5865e966..972cdc76e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -10648,6 +10648,7 @@ The &%sha3%& expansion item is only supported if Exim has been
 compiled with GnuTLS 3.5.0 or later,
 .new
 or OpenSSL 1.1.1 or later.
+The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported.
 .wen
 
 
@@ -38663,7 +38664,6 @@ for the former it is the base64 of the ASN.1 for the RSA public key
 (equivalent to the private-key .pem with the header/trailer stripped)
 but for EC keys it is the base64 of the pure key; no ASN.1 wrapping.
 .wen
-.wen
 
 Signing is enabled by setting private options on the SMTP transport.
 These options take (expandable) strings as arguments.
@@ -38710,6 +38710,7 @@ Note that RFC 8301 says:
 .code
 Signers MUST use RSA keys of at least 1024 bits for all keys.
 Signers SHOULD use RSA keys of at least 2048 bits.
+.endd
 
 Support for EC keys is being developed under
 &url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/).
@@ -38717,7 +38718,8 @@ They are considerably smaller than RSA keys for equivalent protection.
 As they are a recent development, users should consider dual-signing
 (by setting a list of selectors, and an expansion for this option)
 for some transition period.
-.endd
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
 .wen
 
 .option dkim_hash smtp string&!! sha256
@@ -38902,6 +38904,8 @@ The key record selector string.
 The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
 .new
 If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'.
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
 .wen
 
 .new
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index ee40553a6..8464872b4 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -36,6 +36,9 @@ Version 4.91
  9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
     GnuTLS 3.6.0 or later.
 
+10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
+    version dependent.
+
 
 Version 4.90
 ------------
diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index c96f46f0e..11ba19e61 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -134,8 +134,8 @@ OBJ_MACRO = macro_predef.o \
 	macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \
 	macro-manualroute.o macro-queryprogram.o macro-redirect.o \
 	macro-auth-spa.o macro-cram_md5.o macro-cyrus_sasl.o macro-dovecot.o macro-gsasl_exim.o \
-	macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-tls.o\
-	macro-dkim.o macro-malware.o macro-macro.o macro-tree.o
+	macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-authtls.o \
+	macro-dkim.o macro-malware.o macro-macro.o macro-tree.o macro-signing.o
 
 $(OBJ_MACRO):	$(MACRO_HSRC)
 
@@ -220,7 +220,7 @@ macro-plaintext.o :	auths/plaintext.c
 macro-spa.o :		auths/spa.c
 	@echo "$(CC) -DMACRO_PREDEF auths/spa.c"
 	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/spa.c
-macro-tls.o:		auths/tls.c
+macro-authtls.o:	auths/tls.c
 	@echo "$(CC) -DMACRO_PREDEF auths/tls.c"
 	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/tls.c
 macro-dkim.o:		dkim.c
@@ -235,6 +235,9 @@ macro-macro.o:	macro.c
 macro-tree.o:	tree.c
 	@echo "$(CC) -DMACRO_PREDEF tree.c"
 	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tree.c
+macro-signing.o:	pdkim/signing.c
+	@echo "$(CC) -DMACRO_PREDEF pdkim/signing.c"
+	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ pdkim/signing.c
 
 macro_predef: $(OBJ_MACRO)
 	@echo "$(LNCC) -o $@"
diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index b594d5bfd..2485072f4 100644
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -258,6 +258,8 @@ due to conflicts with other common macros. */
 #ifdef WITH_CONTENT_SCAN
 features_malware();
 #endif
+
+features_crypto();
 }
 
 
diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h
index bfa201068..50b61a897 100644
--- a/src/src/macro_predef.h
+++ b/src/src/macro_predef.h
@@ -13,6 +13,7 @@ extern void builtin_macro_create_var(const uschar *, const uschar *);
 extern void options_from_list(optionlist *, unsigned, const uschar *, uschar *);
 
 extern void features_malware(void);
+extern void features_crypto(void);
 extern void options_main(void);
 extern void options_routers(void);
 extern void options_transports(void);
diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h
index 7b0ddf92a..ad7db025e 100644
--- a/src/src/pdkim/crypt_ver.h
+++ b/src/src/pdkim/crypt_ver.h
@@ -17,7 +17,7 @@
 # if GNUTLS_VERSION_NUMBER >= 0x030000
 #  define SIGN_GNUTLS
 #  if GNUTLS_VERSION_NUMBER >= 0x030600
-#   define SIGN_HAVE_ED25519
+#   define SIGN_HAVE_ED25519		/*MMMM*/
 #  endif
 # else
 #  define SIGN_GCRYPT
diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c
index f73fa9cc8..b61b42832 100644
--- a/src/src/pdkim/signing.c
+++ b/src/src/pdkim/signing.c
@@ -7,16 +7,31 @@
  */
 
 #include "../exim.h"
+#include "crypt_ver.h"
+#include "signing.h"
+
+
+#ifdef MACRO_PREDEF
+# include "../macro_predef.h"
+
+void
+features_crypto(void)
+{
+# ifdef SIGN_HAVE_ED25519
+  builtin_macro_create(US"_CRYPTO_SIGN_ED25519");
+# endif
+# ifdef EXIM_HAVE_SHA3
+  builtin_macro_create(US"_CRYPTO_HASH_SHA3");
+# endif
+}
+#else
 
-#ifndef DISABLE_DKIM	/* entire file */
+#ifndef DISABLE_DKIM	/* rest of file */
 
 #ifndef SUPPORT_TLS
 # error Need SUPPORT_TLS for DKIM
 #endif
 
-#include "crypt_ver.h"
-#include "signing.h"
-
 
 /******************************************************************************/
 #ifdef SIGN_GNUTLS
@@ -884,4 +899,5 @@ switch (hash)
 /******************************************************************************/
 
 #endif	/*DISABLE_DKIM*/
+#endif	/*MACRO_PREDEF*/
 /* End of File */
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index b86e9a831..61408788b 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -26,7 +26,7 @@
 #  if GNUTLS_VERSION_NUMBER >= 0x020a00
 #   define SHA_GNUTLS
 #   if GNUTLS_VERSION_NUMBER >= 0x030500
-#    define EXIM_HAVE_SHA3
+#    define EXIM_HAVE_SHA3		/*MMMM*/
 #   endif
 #  else
 #   define SHA_GCRYPT
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index a542d4db0..00b5a7349 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -51,7 +51,7 @@ functions from the OpenSSL library. */
 # define EXIM_HAVE_RAND_PSEUDO
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-# define EXIM_HAVE_SHA256
+# define EXIM_HAVE_SHA256	/*MMMM*/
 #endif
 
 /*
@@ -81,7 +81,7 @@ functions from the OpenSSL library. */
     || LIBRESSL_VERSION_NUMBER >= 0x20010000L
 # if !defined(OPENSSL_NO_ECDH)
 #  if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-#   define EXIM_HAVE_ECDH
+#   define EXIM_HAVE_ECDH	/*MMMM*/
 #  endif
 #  if OPENSSL_VERSION_NUMBER >= 0x10002000L
 #   define EXIM_HAVE_OPENSSL_EC_NIST2NID
-- 
2.30.2