Builtin macros for sha3-hash and ed25519-signing support
author
Jeremy Harris
<jgh146exb@wizmail.org>
Fri, 9 Feb 2018 21:59:49 +0000
(21:59 +0000)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Fri, 9 Feb 2018 23:35:19 +0000
(23:35 +0000)
doc/doc-docbook/spec.xfpt
doc/doc-txt/NewStuff
src/OS/Makefile-Base
src/src/macro_predef.c
src/src/macro_predef.h
src/src/pdkim/crypt_ver.h
src/src/pdkim/signing.c
src/src/sha_ver.h
src/src/tls-openssl.c
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index b5865e966fce06e1bf24e96309e5b7a378f54007..972cdc76e9d02c542221249cf59e634300e70d4a 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-10648,6
+10648,7
@@
The &%sha3%& expansion item is only supported if Exim has been
compiled with GnuTLS 3.5.0 or later,
.new
or OpenSSL 1.1.1 or later.
compiled with GnuTLS 3.5.0 or later,
.new
or OpenSSL 1.1.1 or later.
+The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported.
.wen
.wen
@@
-38663,7
+38664,6
@@
for the former it is the base64 of the ASN.1 for the RSA public key
(equivalent to the private-key .pem with the header/trailer stripped)
but for EC keys it is the base64 of the pure key; no ASN.1 wrapping.
.wen
(equivalent to the private-key .pem with the header/trailer stripped)
but for EC keys it is the base64 of the pure key; no ASN.1 wrapping.
.wen
-.wen
Signing is enabled by setting private options on the SMTP transport.
These options take (expandable) strings as arguments.
Signing is enabled by setting private options on the SMTP transport.
These options take (expandable) strings as arguments.
@@
-38710,6
+38710,7
@@
Note that RFC 8301 says:
.code
Signers MUST use RSA keys of at least 1024 bits for all keys.
Signers SHOULD use RSA keys of at least 2048 bits.
.code
Signers MUST use RSA keys of at least 1024 bits for all keys.
Signers SHOULD use RSA keys of at least 2048 bits.
+.endd
Support for EC keys is being developed under
&url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/).
Support for EC keys is being developed under
&url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/).
@@
-38717,7
+38718,8
@@
They are considerably smaller than RSA keys for equivalent protection.
As they are a recent development, users should consider dual-signing
(by setting a list of selectors, and an expansion for this option)
for some transition period.
As they are a recent development, users should consider dual-signing
(by setting a list of selectors, and an expansion for this option)
for some transition period.
-.endd
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
.wen
.option dkim_hash smtp string&!! sha256
.wen
.option dkim_hash smtp string&!! sha256
@@
-38902,6
+38904,8
@@
The key record selector string.
The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
.new
If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'.
The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
.new
If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'.
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
.wen
.new
.wen
.new
diff --git
a/doc/doc-txt/NewStuff
b/doc/doc-txt/NewStuff
index ee40553a613d15c8bb998c144960e892b6b0f1c9..8464872b4bd505f29e4cddd53d234799a75672de 100644
(file)
--- a/
doc/doc-txt/NewStuff
+++ b/
doc/doc-txt/NewStuff
@@
-36,6
+36,9
@@
Version 4.91
9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
GnuTLS 3.6.0 or later.
9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
GnuTLS 3.6.0 or later.
+10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
+ version dependent.
+
Version 4.90
------------
Version 4.90
------------
diff --git
a/src/OS/Makefile-Base
b/src/OS/Makefile-Base
index c96f46f0edf3e8f4b4c4d1986b3282803a4edd08..11ba19e615d3c299c952a4a9703e7b2bb075aed0 100644
(file)
--- a/
src/OS/Makefile-Base
+++ b/
src/OS/Makefile-Base
@@
-134,8
+134,8
@@
OBJ_MACRO = macro_predef.o \
macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \
macro-manualroute.o macro-queryprogram.o macro-redirect.o \
macro-auth-spa.o macro-cram_md5.o macro-cyrus_sasl.o macro-dovecot.o macro-gsasl_exim.o \
macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \
macro-manualroute.o macro-queryprogram.o macro-redirect.o \
macro-auth-spa.o macro-cram_md5.o macro-cyrus_sasl.o macro-dovecot.o macro-gsasl_exim.o \
- macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-
tls.o
\
- macro-dkim.o macro-malware.o macro-macro.o macro-tree.o
+ macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-
authtls.o
\
+ macro-dkim.o macro-malware.o macro-macro.o macro-tree.o
macro-signing.o
$(OBJ_MACRO): $(MACRO_HSRC)
$(OBJ_MACRO): $(MACRO_HSRC)
@@
-220,7
+220,7
@@
macro-plaintext.o : auths/plaintext.c
macro-spa.o : auths/spa.c
@echo "$(CC) -DMACRO_PREDEF auths/spa.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/spa.c
macro-spa.o : auths/spa.c
@echo "$(CC) -DMACRO_PREDEF auths/spa.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/spa.c
-macro-
tls.o:
auths/tls.c
+macro-
authtls.o:
auths/tls.c
@echo "$(CC) -DMACRO_PREDEF auths/tls.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/tls.c
macro-dkim.o: dkim.c
@echo "$(CC) -DMACRO_PREDEF auths/tls.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/tls.c
macro-dkim.o: dkim.c
@@
-235,6
+235,9
@@
macro-macro.o: macro.c
macro-tree.o: tree.c
@echo "$(CC) -DMACRO_PREDEF tree.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tree.c
macro-tree.o: tree.c
@echo "$(CC) -DMACRO_PREDEF tree.c"
$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tree.c
+macro-signing.o: pdkim/signing.c
+ @echo "$(CC) -DMACRO_PREDEF pdkim/signing.c"
+ $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ pdkim/signing.c
macro_predef: $(OBJ_MACRO)
@echo "$(LNCC) -o $@"
macro_predef: $(OBJ_MACRO)
@echo "$(LNCC) -o $@"
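Review bot: The new `macro-signing.o` rule in the third hunk spells out `pdkim/signing.c` three times (prerequisite, echo line, compile line), so a later path change has to be made in three places; writing the recipe as `@echo "$(CC) -DMACRO_PREDEF $<"` and `$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ $<` keeps the source name in the prerequisite only. The renamed `macro-authtls.o` rule in the second hunk has the same shape and could be written the same way. Whether the generic `$(OBJ_MACRO): $(MACRO_HSRC)` dependency covers `pdkim/crypt_ver.h` and `sha_ver.h`, whose version tests decide what `macro-signing.o` emits, is not visible in these hunks and is worth checking. The `macro_predef:` rule's recipe continues outside the hunk.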
diff --git
a/src/src/macro_predef.c
b/src/src/macro_predef.c
index b594d5bfd23e4f4ce54ab5e9c337e7633b694b1c..2485072f4edd3272be89612957fe4f70ff0def13 100644
(file)
--- a/
src/src/macro_predef.c
+++ b/
src/src/macro_predef.c
@@
-258,6
+258,8
@@
due to conflicts with other common macros. */
#ifdef WITH_CONTENT_SCAN
features_malware();
#endif
#ifdef WITH_CONTENT_SCAN
features_malware();
#endif
+
+features_crypto();
}
}
diff --git
a/src/src/macro_predef.h
b/src/src/macro_predef.h
index bfa20106862bf240b6a4c631fbaf0b7d2235a870..50b61a897a67ab873909ea22e29f06a0c3d3f047 100644
(file)
--- a/
src/src/macro_predef.h
+++ b/
src/src/macro_predef.h
@@
-13,6
+13,7
@@
extern void builtin_macro_create_var(const uschar *, const uschar *);
extern void options_from_list(optionlist *, unsigned, const uschar *, uschar *);
extern void features_malware(void);
extern void options_from_list(optionlist *, unsigned, const uschar *, uschar *);
extern void features_malware(void);
+extern void features_crypto(void);
extern void options_main(void);
extern void options_routers(void);
extern void options_transports(void);
extern void options_main(void);
extern void options_routers(void);
extern void options_transports(void);
diff --git
a/src/src/pdkim/crypt_ver.h
b/src/src/pdkim/crypt_ver.h
index 7b0ddf92a97045df109b9e08a8ddcb4440b39a7c..ad7db025ec1ec6d2e4cce710d2d3fe4cdb6a970a 100644
(file)
--- a/
src/src/pdkim/crypt_ver.h
+++ b/
src/src/pdkim/crypt_ver.h
@@
-17,7
+17,7
@@
# if GNUTLS_VERSION_NUMBER >= 0x030000
# define SIGN_GNUTLS
# if GNUTLS_VERSION_NUMBER >= 0x030600
# if GNUTLS_VERSION_NUMBER >= 0x030000
# define SIGN_GNUTLS
# if GNUTLS_VERSION_NUMBER >= 0x030600
-# define SIGN_HAVE_ED25519
+# define SIGN_HAVE_ED25519
/*MMMM*/
# endif
# else
# define SIGN_GCRYPT
# endif
# else
# define SIGN_GCRYPT
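Review bot: The `/*MMMM*/` marker appended to the `SIGN_HAVE_ED25519` define is not explained anywhere in the commit, so a reader cannot tell whether it is a tooling hook or a leftover; the same marker is added to `EXIM_HAVE_SHA3` in `sha_ver.h` and to `EXIM_HAVE_SHA256` and `EXIM_HAVE_ECDH` in `tls-openssl.c`. If it tags defines that are meant to surface as builtin feature macros, a one-line comment at this first occurrence, e.g. `/* MMMM: marks version-dependent feature defines -- TODO confirm what consumes the marker */`, would make the convention discoverable. Only two of the four tagged defines are tested in `features_crypto()` in this commit, so either the marker means something broader or the other two are not yet wired up.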
diff --git
a/src/src/pdkim/signing.c
b/src/src/pdkim/signing.c
index f73fa9cc8f00631f0cd158abd6a854877afd7ffb..b61b428327292cf6bad504a44bdf824b26e2245f 100644
(file)
--- a/
src/src/pdkim/signing.c
+++ b/
src/src/pdkim/signing.c
@@
-7,16
+7,31
@@
*/
#include "../exim.h"
*/
#include "../exim.h"
+#include "crypt_ver.h"
+#include "signing.h"
+
+
+#ifdef MACRO_PREDEF
+# include "../macro_predef.h"
+
+void
+features_crypto(void)
+{
+# ifdef SIGN_HAVE_ED25519
+ builtin_macro_create(US"_CRYPTO_SIGN_ED25519");
+# endif
+# ifdef EXIM_HAVE_SHA3
+ builtin_macro_create(US"_CRYPTO_HASH_SHA3");
+# endif
+}
+#else
-#ifndef DISABLE_DKIM /*
entire
file */
+#ifndef DISABLE_DKIM /*
rest of
file */
#ifndef SUPPORT_TLS
# error Need SUPPORT_TLS for DKIM
#endif
#ifndef SUPPORT_TLS
# error Need SUPPORT_TLS for DKIM
#endif
-#include "crypt_ver.h"
-#include "signing.h"
-
/******************************************************************************/
#ifdef SIGN_GNUTLS
/******************************************************************************/
#ifdef SIGN_GNUTLS
@@
-884,4
+899,5
@@
switch (hash)
/******************************************************************************/
#endif /*DISABLE_DKIM*/
/******************************************************************************/
#endif /*DISABLE_DKIM*/
+#endif /*MACRO_PREDEF*/
/* End of File */
/* End of File */
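Review bot: `features_crypto()` tests `EXIM_HAVE_SHA3`, which this commit's `sha_ver.h` hunk defines, but the new include block at the top of `signing.c` pulls in only `../exim.h`, `crypt_ver.h` and `signing.h`; unless `../exim.h` includes `sha_ver.h` transitively (not visible here), the `_CRYPTO_HASH_SHA3` branch is dead and the macro promised in spec.xfpt is never defined. Worth confirming, and adding `# include "../sha_ver.h"` beside the `../macro_predef.h` include if it is not. The function also has no header comment; a few lines stating that it emits the builtin feature macros `_CRYPTO_SIGN_ED25519` (from `SIGN_HAVE_ED25519` in `crypt_ver.h`) and `_CRYPTO_HASH_SHA3` (from `EXIM_HAVE_SHA3` in `sha_ver.h`), and that it is compiled only under `MACRO_PREDEF`, would tell a reader where the conditions come from. Moving the `crypt_ver.h` and `signing.h` includes above the `#ifndef DISABLE_DKIM` guard also means they are now compiled in DKIM-disabled and non-TLS builds, which is safe only if `crypt_ver.h` guards its library includes on the TLS backend macros; this hunk does not show that.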
diff --git
a/src/src/sha_ver.h
b/src/src/sha_ver.h
index b86e9a831d4ac22827a76772107d5bc2c215d825..61408788b948d9c58ec03bcbc9e6d69920c0f1c7 100644
(file)
--- a/
src/src/sha_ver.h
+++ b/
src/src/sha_ver.h
@@
-26,7
+26,7
@@
# if GNUTLS_VERSION_NUMBER >= 0x020a00
# define SHA_GNUTLS
# if GNUTLS_VERSION_NUMBER >= 0x030500
# if GNUTLS_VERSION_NUMBER >= 0x020a00
# define SHA_GNUTLS
# if GNUTLS_VERSION_NUMBER >= 0x030500
-# define EXIM_HAVE_SHA3
+# define EXIM_HAVE_SHA3
/*MMMM*/
# endif
# else
# define SHA_GCRYPT
# endif
# else
# define SHA_GCRYPT
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index a542d4db06584aa732cd3f814ced7498cf0ccddb..00b5a7349668e21f21ec16a01be674ce551c82f0 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-51,7
+51,7
@@
functions from the OpenSSL library. */
# define EXIM_HAVE_RAND_PSEUDO
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
# define EXIM_HAVE_RAND_PSEUDO
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-# define EXIM_HAVE_SHA256
+# define EXIM_HAVE_SHA256
/*MMMM*/
#endif
/*
#endif
/*
@@
-81,7
+81,7
@@
functions from the OpenSSL library. */
|| LIBRESSL_VERSION_NUMBER >= 0x20010000L
# if !defined(OPENSSL_NO_ECDH)
# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|| LIBRESSL_VERSION_NUMBER >= 0x20010000L
# if !defined(OPENSSL_NO_ECDH)
# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-# define EXIM_HAVE_ECDH
+# define EXIM_HAVE_ECDH
/*MMMM*/
# endif
# if OPENSSL_VERSION_NUMBER >= 0x10002000L
# define EXIM_HAVE_OPENSSL_EC_NIST2NID
# endif
# if OPENSSL_VERSION_NUMBER >= 0x10002000L
# define EXIM_HAVE_OPENSSL_EC_NIST2NID