From 260958d632506e2789fc632381f560f5a0c77ed7 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 9 Feb 2018 21:59:49 +0000 Subject: [PATCH] Builtin macros for sha3-hash and ed25519-signing support --- doc/doc-docbook/spec.xfpt | 8 ++++++-- doc/doc-txt/NewStuff | 3 +++ src/OS/Makefile-Base | 9 ++++++--- src/src/macro_predef.c | 2 ++ src/src/macro_predef.h | 1 + src/src/pdkim/crypt_ver.h | 2 +- src/src/pdkim/signing.c | 24 ++++++++++++++++++++---- src/src/sha_ver.h | 2 +- src/src/tls-openssl.c | 4 ++-- 9 files changed, 42 insertions(+), 13 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b5865e966..972cdc76e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -10648,6 +10648,7 @@ The &%sha3%& expansion item is only supported if Exim has been compiled with GnuTLS 3.5.0 or later, .new or OpenSSL 1.1.1 or later. +The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported. .wen @@ -38663,7 +38664,6 @@ for the former it is the base64 of the ASN.1 for the RSA public key (equivalent to the private-key .pem with the header/trailer stripped) but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. .wen -.wen Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. @@ -38710,6 +38710,7 @@ Note that RFC 8301 says: .code Signers MUST use RSA keys of at least 1024 bits for all keys. Signers SHOULD use RSA keys of at least 2048 bits. +.endd Support for EC keys is being developed under &url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/). @@ -38717,7 +38718,8 @@ They are considerably smaller than RSA keys for equivalent protection. As they are a recent development, users should consider dual-signing (by setting a list of selectors, and an expansion for this option) for some transition period. -.endd +The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present +for EC keys. .wen .option dkim_hash smtp string&!! sha256 @@ -38902,6 +38904,8 @@ The key record selector string. The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'. .new If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'. +The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present +for EC keys. .wen .new diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index ee40553a6..8464872b4 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -36,6 +36,9 @@ Version 4.91 9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under GnuTLS 3.6.0 or later. +10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library + version dependent. + Version 4.90 ------------ diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index c96f46f0e..11ba19e61 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -134,8 +134,8 @@ OBJ_MACRO = macro_predef.o \ macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \ macro-manualroute.o macro-queryprogram.o macro-redirect.o \ macro-auth-spa.o macro-cram_md5.o macro-cyrus_sasl.o macro-dovecot.o macro-gsasl_exim.o \ - macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-tls.o\ - macro-dkim.o macro-malware.o macro-macro.o macro-tree.o + macro-heimdal_gssapi.o macro-plaintext.o macro-spa.o macro-authtls.o \ + macro-dkim.o macro-malware.o macro-macro.o macro-tree.o macro-signing.o $(OBJ_MACRO): $(MACRO_HSRC) @@ -220,7 +220,7 @@ macro-plaintext.o : auths/plaintext.c macro-spa.o : auths/spa.c @echo "$(CC) -DMACRO_PREDEF auths/spa.c" $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/spa.c -macro-tls.o: auths/tls.c +macro-authtls.o: auths/tls.c @echo "$(CC) -DMACRO_PREDEF auths/tls.c" $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ auths/tls.c macro-dkim.o: dkim.c @@ -235,6 +235,9 @@ macro-macro.o: macro.c macro-tree.o: tree.c @echo "$(CC) -DMACRO_PREDEF tree.c" $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tree.c +macro-signing.o: pdkim/signing.c + @echo "$(CC) -DMACRO_PREDEF pdkim/signing.c" + $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ pdkim/signing.c macro_predef: $(OBJ_MACRO) @echo "$(LNCC) -o $@" diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c index b594d5bfd..2485072f4 100644 --- a/src/src/macro_predef.c +++ b/src/src/macro_predef.c @@ -258,6 +258,8 @@ due to conflicts with other common macros. */ #ifdef WITH_CONTENT_SCAN features_malware(); #endif + +features_crypto(); } diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h index bfa201068..50b61a897 100644 --- a/src/src/macro_predef.h +++ b/src/src/macro_predef.h @@ -13,6 +13,7 @@ extern void builtin_macro_create_var(const uschar *, const uschar *); extern void options_from_list(optionlist *, unsigned, const uschar *, uschar *); extern void features_malware(void); +extern void features_crypto(void); extern void options_main(void); extern void options_routers(void); extern void options_transports(void); diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h index 7b0ddf92a..ad7db025e 100644 --- a/src/src/pdkim/crypt_ver.h +++ b/src/src/pdkim/crypt_ver.h @@ -17,7 +17,7 @@ # if GNUTLS_VERSION_NUMBER >= 0x030000 # define SIGN_GNUTLS # if GNUTLS_VERSION_NUMBER >= 0x030600 -# define SIGN_HAVE_ED25519 +# define SIGN_HAVE_ED25519 /*MMMM*/ # endif # else # define SIGN_GCRYPT diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c index f73fa9cc8..b61b42832 100644 --- a/src/src/pdkim/signing.c +++ b/src/src/pdkim/signing.c @@ -7,16 +7,31 @@ */ #include "../exim.h" +#include "crypt_ver.h" +#include "signing.h" + + +#ifdef MACRO_PREDEF +# include "../macro_predef.h" + +void +features_crypto(void) +{ +# ifdef SIGN_HAVE_ED25519 + builtin_macro_create(US"_CRYPTO_SIGN_ED25519"); +# endif +# ifdef EXIM_HAVE_SHA3 + builtin_macro_create(US"_CRYPTO_HASH_SHA3"); +# endif +} +#else -#ifndef DISABLE_DKIM /* entire file */ +#ifndef DISABLE_DKIM /* rest of file */ #ifndef SUPPORT_TLS # error Need SUPPORT_TLS for DKIM #endif -#include "crypt_ver.h" -#include "signing.h" - /******************************************************************************/ #ifdef SIGN_GNUTLS @@ -884,4 +899,5 @@ switch (hash) /******************************************************************************/ #endif /*DISABLE_DKIM*/ +#endif /*MACRO_PREDEF*/ /* End of File */ diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h index b86e9a831..61408788b 100644 --- a/src/src/sha_ver.h +++ b/src/src/sha_ver.h @@ -26,7 +26,7 @@ # if GNUTLS_VERSION_NUMBER >= 0x020a00 # define SHA_GNUTLS # if GNUTLS_VERSION_NUMBER >= 0x030500 -# define EXIM_HAVE_SHA3 +# define EXIM_HAVE_SHA3 /*MMMM*/ # endif # else # define SHA_GCRYPT diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index a542d4db0..00b5a7349 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -51,7 +51,7 @@ functions from the OpenSSL library. */ # define EXIM_HAVE_RAND_PSEUDO #endif #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) -# define EXIM_HAVE_SHA256 +# define EXIM_HAVE_SHA256 /*MMMM*/ #endif /* @@ -81,7 +81,7 @@ functions from the OpenSSL library. */ || LIBRESSL_VERSION_NUMBER >= 0x20010000L # if !defined(OPENSSL_NO_ECDH) # if OPENSSL_VERSION_NUMBER >= 0x0090800fL -# define EXIM_HAVE_ECDH +# define EXIM_HAVE_ECDH /*MMMM*/ # endif # if OPENSSL_VERSION_NUMBER >= 0x10002000L # define EXIM_HAVE_OPENSSL_EC_NIST2NID -- 2.30.2