From: Jeremy Harris Date: Sat, 22 Dec 2018 13:36:07 +0000 (+0000) Subject: DKIM: better debug for key/signature size mismatch X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/c8b2f3749e953b254b4d6ac1ea047451eb771953?ds=sidebyside DKIM: better debug for key/signature size mismatch --- diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c index 2a086b1e2..a47f824b8 100644 --- a/src/src/pdkim/signing.c +++ b/src/src/pdkim/signing.c @@ -831,7 +831,6 @@ const uschar * exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data, blob * sig) { const EVP_MD * md; -const uschar * where; switch (hash) { @@ -847,38 +846,39 @@ if (!md) { EVP_MD_CTX * ctx; - if ( (ctx = EVP_MD_CTX_new()) - && EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0 - && EVP_DigestVerify(ctx, sig->data, sig->len, data->data, data->len) > 0 - ) - { EVP_MD_CTX_free(ctx); return NULL; } - - if (ctx) EVP_MD_CTX_free(ctx); + if ((ctx = EVP_MD_CTX_new())) + { + if ( EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0 + && EVP_DigestVerify(ctx, sig->data, sig->len, data->data, data->len) > 0 + ) + { EVP_MD_CTX_free(ctx); return NULL; } + EVP_MD_CTX_free(ctx); + } } else #endif { EVP_PKEY_CTX * ctx; - if ((where = US"EVP_PKEY_CTX_new", - (ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL)))) + if ((ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL))) { - if ( (where = US"EVP_PKEY_verify_init", - EVP_PKEY_verify_init(ctx) > 0) - && (where = US"EVP_PKEY_CTX_set_rsa_padding", - EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0) - && (where = US"EVP_PKEY_CTX_set_signature_md", - EVP_PKEY_CTX_set_signature_md(ctx, md) > 0) - && (where = US"EVP_PKEY_verify", - EVP_PKEY_verify(ctx, sig->data, sig->len, - data->data, data->len) == 1) + if ( EVP_PKEY_verify_init(ctx) > 0 + && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0 + && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0 + && EVP_PKEY_verify(ctx, sig->data, sig->len, + data->data, data->len) == 1 ) { EVP_PKEY_CTX_free(ctx); return NULL; } - EVP_PKEY_CTX_free(ctx); + + DEBUG(D_tls) + if (Ustrcmp(ERR_reason_error_string(ERR_peek_error()), "wrong signature length") == 0) + debug_printf("sig len (from msg hdr): %d, expected (from dns pubkey) %d\n", + (int) sig->len, EVP_PKEY_size(verify_ctx->key)); } } -return string_sprintf("%s: %s", where, ERR_error_string(ERR_get_error(), NULL)); + +return US ERR_error_string(ERR_get_error(), NULL); }