signing.c source code [exim/src/pdkim/signing.c]

1	/*
2	* PDKIM - a RFC4871 (DKIM) implementation
3	*
4	* Copyright (C) 2017 Exim maintainers
5	*
6	* signing/verification interface
7	*/
8
9	#include "../exim.h"
10	#include "crypt_ver.h"
11	#include "signing.h"
12
13
14	#ifdef MACRO_PREDEF
15	# include "../macro_predef.h"
16
17	void
18	features_crypto(void)
19	{
20	# ifdef SIGN_HAVE_ED25519
21	builtin_macro_create(US"_CRYPTO_SIGN_ED25519");
22	# endif
23	# ifdef EXIM_HAVE_SHA3
24	builtin_macro_create(US"_CRYPTO_HASH_SHA3");
25	# endif
26	}
27	#else
28
29	#ifndef DISABLE_DKIM /* rest of file */
30
31	#ifndef SUPPORT_TLS
32	# error Need SUPPORT_TLS for DKIM
33	#endif
34
35
36	/****************************************************************************/
37	#ifdef SIGN_GNUTLS
38	# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL 3
39
40
41	/ Logging function which can be registered with*
42	* gnutls_global_set_log_function()
43	* gnutls_global_set_log_level() 0..9
44	*/
45	#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
46	static void
47	exim_gnutls_logger_cb(int level, const char *message)
48	{
49	size_t len = strlen(message);
50	if (len < `1`)
51	{
52	DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
53	return;
54	}
55	DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
56	message[len-`1`] == `'\n'` ? "" : "\n");
57	}
58	#endif
59
60
61
62	void
63	exim_dkim_init(void)
64	{
65	#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
66	DEBUG(D_tls)
67	{
68	gnutls_global_set_log_function(exim_gnutls_logger_cb);
69	/ arbitrarily chosen level; bump upto 9 for more /
70	gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
71	}
72	#endif
73	}
74
75
76	/ accumulate data (gnutls-only). String to be appended must be nul-terminated. /
77	gstring *
78	exim_dkim_data_append(gstring * g, uschar * s)
79	{
80	return string_cat(g, s);
81	}
82
83
84
85	/ import private key from PEM string in memory.*
86	Return: NULL for success, or an error string /*
87
88	const uschar *
89	exim_dkim_signing_init(uschar * privkey_pem, es_ctx * sign_ctx)
90	{
91	gnutls_datum_t k = { .data = privkey_pem, .size = Ustrlen(privkey_pem) };
92	gnutls_x509_privkey_t x509_key;
93	int rc;
94
95	if ( (rc = gnutls_x509_privkey_init(&x509_key))
96	\|\| (rc = gnutls_x509_privkey_import(x509_key, &k, GNUTLS_X509_FMT_PEM))
97	\|\| (rc = gnutls_privkey_init(&sign_ctx->key))
98	\|\| (rc = gnutls_privkey_import_x509(sign_ctx->key, x509_key, `0`))
99	)
100	return CUS gnutls_strerror(rc);
101
102	switch (rc = gnutls_privkey_get_pk_algorithm(sign_ctx->key, NULL))
103	{
104	case GNUTLS_PK_RSA: sign_ctx->keytype = KEYTYPE_RSA; break;
105	#ifdef SIGN_HAVE_ED25519
106	case GNUTLS_PK_EDDSA_ED25519: sign_ctx->keytype = KEYTYPE_ED25519; break;
107	#endif
108	default: return rc < `0`
109	? CUS gnutls_strerror(rc)
110	: string_sprintf("Unhandled key type: %d '%s'", rc, gnutls_pk_get_name(rc));
111	}
112
113	return NULL;
114	}
115
116
117
118	/ allocate mem for signature (when signing) /
119	/ hash & sign data. No way to do incremental.*
120
121	Return: NULL for success, or an error string /*
122
123	const uschar *
124	exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
125	{
126	gnutls_datum_t k_data = { .data = data->data, .size = data->len };
127	gnutls_digest_algorithm_t dig;
128	gnutls_datum_t k_sig;
129	int rc;
130
131	switch (hash)
132	{
133	case HASH_SHA1: dig = GNUTLS_DIG_SHA1; break;
134	case HASH_SHA2_256: dig = GNUTLS_DIG_SHA256; break;
135	case HASH_SHA2_512: dig = GNUTLS_DIG_SHA512; break;
136	default: return US"nonhandled hash type";
137	}
138
139	if ((rc = gnutls_privkey_sign_data(sign_ctx->key, dig, `0`, &k_data, &k_sig)))
140	return CUS gnutls_strerror(rc);
141
142	/ Don't care about deinit for the key; shortlived process /
143
144	sig->data = k_sig.data;
145	sig->len = k_sig.size;
146	return NULL;
147	}
148
149
150
151	/ import public key (from blob in memory)*
152	Return: NULL for success, or an error string /*
153
154	const uschar *
155	exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx)
156	{
157	gnutls_datum_t k;
158	int rc;
159	const uschar * ret = NULL;
160
161	gnutls_pubkey_init(&verify_ctx->key);
162	k.data = pubkey->data;
163	k.size = pubkey->len;
164
165	switch(fmt)
166	{
167	case KEYFMT_DER:
168	if ((rc = gnutls_pubkey_import(verify_ctx->key, &k, GNUTLS_X509_FMT_DER)))
169	ret = gnutls_strerror(rc);
170	break;
171	#ifdef SIGN_HAVE_ED25519
172	case KEYFMT_ED25519_BARE:
173	if ((rc = gnutls_pubkey_import_ecc_raw(verify_ctx->key,
174	GNUTLS_ECC_CURVE_ED25519, &k, NULL)))
175	ret = gnutls_strerror(rc);
176	break;
177	#endif
178	default:
179	ret = US"pubkey format not handled";
180	break;
181	}
182	return ret;
183	}
184
185
186	/ verify signature (of hash if RSA sig, of data if EC sig. No way to do incremental)*
187	(given pubkey & alleged sig)
188	Return: NULL for success, or an error string /*
189
190	const uschar *
191	exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig)
192	{
193	gnutls_datum_t k = { .data = data_hash->data, .size = data_hash->len };
194	gnutls_datum_t s = { .data = sig->data, .size = sig->len };
195	int rc;
196	const uschar * ret = NULL;
197
198	#ifdef SIGN_HAVE_ED25519
199	if (verify_ctx->keytype == KEYTYPE_ED25519)
200	{
201	if ((rc = gnutls_pubkey_verify_data2(verify_ctx->key,
202	GNUTLS_SIGN_EDDSA_ED25519, `0`, &k, &s)) < `0`)
203	ret = gnutls_strerror(rc);
204	}
205	else
206	#endif
207	{
208	gnutls_sign_algorithm_t algo;
209	switch (hash)
210	{
211	case HASH_SHA1: algo = GNUTLS_SIGN_RSA_SHA1; break;
212	case HASH_SHA2_256: algo = GNUTLS_SIGN_RSA_SHA256; break;
213	case HASH_SHA2_512: algo = GNUTLS_SIGN_RSA_SHA512; break;
214	default: return US"nonhandled hash type";
215	}
216
217	if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->key, algo, `0`, &k, &s)) < `0`)
218	ret = gnutls_strerror(rc);
219	}
220
221	gnutls_pubkey_deinit(verify_ctx->key);
222	return ret;
223	}
224
225
226
227
228	#elif defined(SIGN_GCRYPT)
229	/****************************************************************************/
230	/ This variant is used under pre-3.0.0 GnuTLS. Only rsa-sha1 and rsa-sha256 /
231
232
233	/ Internal service routine:*
234	Read and move past an asn.1 header, checking class & tag,
235	optionally returning the data-length /*
236
237	static int
238	as_tag(blob * der, uschar req_cls, long req_tag, long * alen)
239	{
240	int rc;
241	uschar tag_class;
242	int taglen;
243	long tag, len;
244
245	debug_printf_indent("as_tag: %02x %02x %02x %02x\n",
246	der->data[`0`], der->data[`1`], der->data[`2`], der->data[`3`]);
247
248	if ((rc = asn1_get_tag_der(der->data++, der->len--, &tag_class, &taglen, &tag))
249	!= ASN1_SUCCESS)
250	return rc;
251
252	if (tag_class != req_cls \|\| tag != req_tag) return ASN1_ELEMENT_NOT_FOUND;
253
254	if ((len = asn1_get_length_der(der->data, der->len, &taglen)) < `0`)
255	return ASN1_DER_ERROR;
256	if (alen) *alen = len;
257
258	/ debug_printf_indent("as_tag: tlen %d dlen %d\n", taglen, (int)len); /
259
260	der->data += taglen;
261	der->len -= taglen;
262	return rc;
263	}
264
265	/ Internal service routine:*
266	Read and move over an asn.1 integer, setting an MPI to the value
267	*/
268
269	static uschar *
270	as_mpi(blob * der, gcry_mpi_t * mpi)
271	{
272	long alen;
273	int rc;
274	gcry_error_t gerr;
275
276	debug_printf_indent("%s\n", __FUNCTION__);
277
278	/ integer; move past the header /
279	if ((rc = as_tag(der, `0`, ASN1_TAG_INTEGER, &alen)) != ASN1_SUCCESS)
280	return US asn1_strerror(rc);
281
282	/ read to an MPI /
283	if ((gerr = gcry_mpi_scan(mpi, GCRYMPI_FMT_STD, der->data, alen, NULL)))
284	return US gcry_strerror(gerr);
285
286	/ move over the data /
287	der->data += alen; der->len -= alen;
288	return NULL;
289	}
290
291
292
293	void
294	exim_dkim_init(void)
295	{
296	/ Version check should be the very first call because it*
297	makes sure that important subsystems are initialized. /*
298	if (!gcry_check_version (GCRYPT_VERSION))
299	{
300	fputs ("libgcrypt version mismatch\n", stderr);
301	exit (`2`);
302	}
303
304	/ We don't want to see any warnings, e.g. because we have not yet*
305	parsed program options which might be used to suppress such
306	warnings. /*
307	gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
308
309	/ ... If required, other initialization goes here. Note that the*
310	process might still be running with increased privileges and that
311	the secure memory has not been initialized. /*
312
313	/ Allocate a pool of 16k secure memory. This make the secure memory*
314	available and also drops privileges where needed. /*
315	gcry_control (GCRYCTL_INIT_SECMEM, `16384`, `0`);
316
317	/ It is now okay to let Libgcrypt complain when there was/is*
318	a problem with the secure memory. /*
319	gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
320
321	/ ... If required, other initialization goes here. /
322
323	/ Tell Libgcrypt that initialization has completed. /
324	gcry_control (GCRYCTL_INITIALIZATION_FINISHED, `0`);
325
326	return;
327	}
328
329
330
331
332	/ Accumulate data (gnutls-only).*
333	String to be appended must be nul-terminated. /*
334
335	gstring *
336	exim_dkim_data_append(gstring * g, uschar * s)
337	{
338	return g; /dummy/
339	}
340
341
342
343	/ import private key from PEM string in memory.*
344	Only handles RSA keys.
345	Return: NULL for success, or an error string /*
346
347	const uschar *
348	exim_dkim_signing_init(uschar * privkey_pem, es_ctx * sign_ctx)
349	{
350	uschar * s1, * s2;
351	blob der;
352	long alen;
353	int rc;
354
355	/XXX will need extension to _spot_ as well as handle a*
356	non-RSA key? I think...
357	So... this is not a PrivateKeyInfo - which would have a field
358	identifying the keytype - PrivateKeyAlgorithmIdentifier -
359	but a plain RSAPrivateKey (wrapped in PEM-headers. Can we
360	use those as a type tag? What forms are there? "BEGIN EC PRIVATE KEY" (cf. ec(1ssl))
361
362	How does OpenSSL PEM_read_bio_PrivateKey() deal with it?
363	gnutls_x509_privkey_import() ?
364	*/
365
366	/*
367	* RSAPrivateKey ::= SEQUENCE
368	* version Version,
369	* modulus INTEGER, -- n
370	* publicExponent INTEGER, -- e
371	* privateExponent INTEGER, -- d
372	* prime1 INTEGER, -- p
373	* prime2 INTEGER, -- q
374	* exponent1 INTEGER, -- d mod (p-1)
375	* exponent2 INTEGER, -- d mod (q-1)
376	* coefficient INTEGER, -- (inverse of q) mod p
377	* otherPrimeInfos OtherPrimeInfos OPTIONAL
378
379	* ECPrivateKey ::= SEQUENCE {
380	* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
381	* privateKey OCTET STRING,
382	* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
383	* publicKey [1] BIT STRING OPTIONAL
384	* }
385	* Hmm, only 1 useful item, and not even an integer? Wonder how we might use it...
386
387	- actually, gnutls_x509_privkey_import() appears to require a curve name parameter
388	value for that is an OID? a local-only integer (it's an enum in GnuTLS)?
389
390
391	Useful cmds:
392	ssh-keygen -t ecdsa -f foo.privkey
393	ssh-keygen -t ecdsa -b384 -f foo.privkey
394	ssh-keygen -t ecdsa -b521 -f foo.privkey
395	ssh-keygen -t ed25519 -f foo.privkey
396
397	< foo openssl pkcs8 -in /dev/stdin -inform PEM -nocrypt -topk8 -outform DER \| od -x
398
399	openssl asn1parse -in foo -inform PEM -dump
400	openssl asn1parse -in foo -inform PEM -dump -stroffset 24 (??)
401	(not good for ed25519)
402
403	*/
404
405	if ( !(s1 = Ustrstr(CS privkey_pem, "-----BEGIN RSA PRIVATE KEY-----"))
406	\|\| !(s2 = Ustrstr(CS (s1+=`31`), "-----END RSA PRIVATE KEY-----" ))
407	)
408	return US"Bad PEM wrapper";
409
410	*s2 = `'\0'`;
411
412	if ((der.len = b64decode(s1, &der.data)) < `0`)
413	return US"Bad PEM-DER b64 decode";
414
415	/ untangle asn.1 /
416
417	/ sequence; just move past the header /
418	if ((rc = as_tag(&der, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL))
419	!= ASN1_SUCCESS) goto asn_err;
420
421	/ integer version; move past the header, check is zero /
422	if ((rc = as_tag(&der, `0`, ASN1_TAG_INTEGER, &alen)) != ASN1_SUCCESS)
423	goto asn_err;
424	if (alen != `1` \|\| *der.data != `0`)
425	return US"Bad version number";
426	der.data++; der.len--;
427
428	if ( (s1 = as_mpi(&der, &sign_ctx->n))
429	\|\| (s1 = as_mpi(&der, &sign_ctx->e))
430	\|\| (s1 = as_mpi(&der, &sign_ctx->d))
431	\|\| (s1 = as_mpi(&der, &sign_ctx->p))
432	\|\| (s1 = as_mpi(&der, &sign_ctx->q))
433	\|\| (s1 = as_mpi(&der, &sign_ctx->dp))
434	\|\| (s1 = as_mpi(&der, &sign_ctx->dq))
435	\|\| (s1 = as_mpi(&der, &sign_ctx->qp))
436	)
437	return s1;
438
439	#ifdef extreme_debug
440	DEBUG(D_acl) debug_printf_indent("rsa_signing_init:\n");
441	{
442	uschar * s;
443	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->n);
444	debug_printf_indent(" N : %s\n", s);
445	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->e);
446	debug_printf_indent(" E : %s\n", s);
447	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->d);
448	debug_printf_indent(" D : %s\n", s);
449	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->p);
450	debug_printf_indent(" P : %s\n", s);
451	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->q);
452	debug_printf_indent(" Q : %s\n", s);
453	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->dp);
454	debug_printf_indent(" DP: %s\n", s);
455	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->dq);
456	debug_printf_indent(" DQ: %s\n", s);
457	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->qp);
458	debug_printf_indent(" QP: %s\n", s);
459	}
460	#endif
461
462	sign_ctx->keytype = KEYTYPE_RSA;
463	return NULL;
464
465	asn_err: return US asn1_strerror(rc);
466	}
467
468
469
470	/ allocate mem for signature (when signing) /
471	/ sign already-hashed data.*
472
473	Return: NULL for success, or an error string /*
474
475	const uschar *
476	exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
477	{
478	char * sexp_hash;
479	gcry_sexp_t s_hash = NULL, s_key = NULL, s_sig = NULL;
480	gcry_mpi_t m_sig;
481	uschar * errstr;
482	gcry_error_t gerr;
483
484	/XXX will need extension for hash types (though, possibly, should*
485	be re-specced to not rehash but take an already-hashed value? Actually
486	current impl looks WRONG - it _is_ given a hash so should not be
487	re-hashing. Has this been tested?
488
489	Will need extension for non-RSA sugning algos. /*
490
491	switch (hash)
492	{
493	case HASH_SHA1: sexp_hash = "(data(flags pkcs1)(hash sha1 %b))"; break;
494	case HASH_SHA2_256: sexp_hash = "(data(flags pkcs1)(hash sha256 %b))"; break;
495	default: return US"nonhandled hash type";
496	}
497
498	#define SIGSPACE 128
499	sig->data = store_get(SIGSPACE);
500
501	if (gcry_mpi_cmp (sign_ctx->p, sign_ctx->q) > `0`)
502	{
503	gcry_mpi_swap (sign_ctx->p, sign_ctx->q);
504	gcry_mpi_invm (sign_ctx->qp, sign_ctx->p, sign_ctx->q);
505	}
506
507	if ( (gerr = gcry_sexp_build (&s_key, NULL,
508	"(private-key (rsa (n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))",
509	sign_ctx->n, sign_ctx->e,
510	sign_ctx->d, sign_ctx->p,
511	sign_ctx->q, sign_ctx->qp))
512	\|\| (gerr = gcry_sexp_build (&s_hash, NULL, sexp_hash,
513	(int) data->len, CS data->data))
514	\|\| (gerr = gcry_pk_sign (&s_sig, s_hash, s_key))
515	)
516	return US gcry_strerror(gerr);
517
518	/ gcry_sexp_dump(s_sig); /
519
520	if ( !(s_sig = gcry_sexp_find_token(s_sig, "s", `0`))
521	)
522	return US"no sig result";
523
524	m_sig = gcry_sexp_nth_mpi(s_sig, `1`, GCRYMPI_FMT_USG);
525
526	#ifdef extreme_debug
527	DEBUG(D_acl)
528	{
529	uschar * s;
530	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, m_sig);
531	debug_printf_indent(" SG: %s\n", s);
532	}
533	#endif
534
535	gerr = gcry_mpi_print(GCRYMPI_FMT_USG, sig->data, SIGSPACE, &sig->len, m_sig);
536	if (gerr)
537	{
538	debug_printf_indent("signature conversion from MPI to buffer failed\n");
539	return US gcry_strerror(gerr);
540	}
541	#undef SIGSPACE
542
543	return NULL;
544	}
545
546
547	/ import public key (from blob in memory)*
548	Return: NULL for success, or an error string /*
549
550	const uschar *
551	exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx)
552	{
553	/*
554	in code sequence per b81207d2bfa92 rsa_parse_public_key() and asn1_get_mpi()
555	*/
556	uschar tag_class;
557	int taglen;
558	long alen;
559	int rc;
560	uschar * errstr;
561	gcry_error_t gerr;
562	uschar * stage = US"S1";
563
564	if (fmt != KEYFMT_DER) return US"pubkey format not handled";
565
566	/*
567	sequence
568	sequence
569	OBJECT:rsaEncryption
570	NULL
571	BIT STRING:RSAPublicKey
572	sequence
573	INTEGER:Public modulus
574	INTEGER:Public exponent
575
576	openssl rsa -in aux-fixed/dkim/dkim.private -pubout -outform DER \| od -t x1 \| head;
577	openssl rsa -in aux-fixed/dkim/dkim.private -pubout \| openssl asn1parse -dump;
578	openssl rsa -in aux-fixed/dkim/dkim.private -pubout \| openssl asn1parse -dump -offset 22;
579	*/
580
581	/ sequence; just move past the header /
582	if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL))
583	!= ASN1_SUCCESS) goto asn_err;
584
585	/ sequence; skip the entire thing /
586	DEBUG(D_acl) stage = US"S2";
587	if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, &alen))
588	!= ASN1_SUCCESS) goto asn_err;
589	pubkey->data += alen; pubkey->len -= alen;
590
591
592	/ bitstring: limit range to size of bitstring;*
593	move over header + content wrapper /*
594	DEBUG(D_acl) stage = US"BS";
595	if ((rc = as_tag(pubkey, `0`, ASN1_TAG_BIT_STRING, &alen)) != ASN1_SUCCESS)
596	goto asn_err;
597	pubkey->len = alen;
598	pubkey->data++; pubkey->len--;
599
600	/ sequence; just move past the header /
601	DEBUG(D_acl) stage = US"S3";
602	if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL))
603	!= ASN1_SUCCESS) goto asn_err;
604
605	/ read two integers /
606	DEBUG(D_acl) stage = US"MPI";
607	if ( (errstr = as_mpi(pubkey, &verify_ctx->n))
608	\|\| (errstr = as_mpi(pubkey, &verify_ctx->e))
609	)
610	return errstr;
611
612	#ifdef extreme_debug
613	DEBUG(D_acl) debug_printf_indent("rsa_verify_init:\n");
614	{
615	uschar * s;
616	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, verify_ctx->n);
617	debug_printf_indent(" N : %s\n", s);
618	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, verify_ctx->e);
619	debug_printf_indent(" E : %s\n", s);
620	}
621
622	#endif
623	return NULL;
624
625	asn_err:
626	DEBUG(D_acl) return string_sprintf("%s: %s", stage, asn1_strerror(rc));
627	return US asn1_strerror(rc);
628	}
629
630
631	/ verify signature (of hash)*
632	XXX though we appear to be doing a hash, too!
633	(given pubkey & alleged sig)
634	Return: NULL for success, or an error string /*
635
636	const uschar *
637	exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig)
638	{
639	/*
640	cf. libgnutls 2.8.5 _wrap_gcry_pk_verify()
641	*/
642	char * sexp_hash;
643	gcry_mpi_t m_sig;
644	gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL;
645	gcry_error_t gerr;
646	uschar * stage;
647
648	/XXX needs extension for SHA512 /
649	switch (hash)
650	{
651	case HASH_SHA1: sexp_hash = "(data(flags pkcs1)(hash sha1 %b))"; break;
652	case HASH_SHA2_256: sexp_hash = "(data(flags pkcs1)(hash sha256 %b))"; break;
653	default: return US"nonhandled hash type";
654	}
655
656	if ( (stage = US"pkey sexp build",
657	gerr = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%m)(e%m)))",
658	verify_ctx->n, verify_ctx->e))
659	\|\| (stage = US"data sexp build",
660	gerr = gcry_sexp_build (&s_hash, NULL, sexp_hash,
661	(int) data_hash->len, CS data_hash->data))
662	\|\| (stage = US"sig mpi scan",
663	gerr = gcry_mpi_scan(&m_sig, GCRYMPI_FMT_USG, sig->data, sig->len, NULL))
664	\|\| (stage = US"sig sexp build",
665	gerr = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%m)))", m_sig))
666	\|\| (stage = US"verify",
667	gerr = gcry_pk_verify (s_sig, s_hash, s_pkey))
668	)
669	{
670	DEBUG(D_acl) debug_printf_indent("verify: error in stage '%s'\n", stage);
671	return US gcry_strerror(gerr);
672	}
673
674	if (s_sig) gcry_sexp_release (s_sig);
675	if (s_hash) gcry_sexp_release (s_hash);
676	if (s_pkey) gcry_sexp_release (s_pkey);
677	gcry_mpi_release (m_sig);
678	gcry_mpi_release (verify_ctx->n);
679	gcry_mpi_release (verify_ctx->e);
680
681	return NULL;
682	}
683
684
685
686
687	#elif defined(SIGN_OPENSSL)
688	/****************************************************************************/
689
690	void
691	exim_dkim_init(void)
692	{
693	ERR_load_crypto_strings();
694	}
695
696
697	/ accumulate data (was gnutls-onl but now needed for OpenSSL non-EC too*
698	because now using hash-and-sign interface) /*
699	gstring *
700	exim_dkim_data_append(gstring * g, uschar * s)
701	{
702	return string_cat(g, s);
703	}
704
705
706	/ import private key from PEM string in memory.*
707	Return: NULL for success, or an error string /*
708
709	const uschar *
710	exim_dkim_signing_init(uschar * privkey_pem, es_ctx * sign_ctx)
711	{
712	BIO * bp = BIO_new_mem_buf(privkey_pem, -`1`);
713
714	if (!(sign_ctx->key = PEM_read_bio_PrivateKey(bp, NULL, NULL, NULL)))
715	return US ERR_error_string(ERR_get_error(), NULL);
716
717	sign_ctx->keytype =
718	#ifdef SIGN_HAVE_ED25519
719	EVP_PKEY_type(EVP_PKEY_id(sign_ctx->key)) == EVP_PKEY_EC
720	? KEYTYPE_ED25519 : KEYTYPE_RSA;
721	#else
722	KEYTYPE_RSA;
723	#endif
724	return NULL;
725	}
726
727
728
729	/ allocate mem for signature (when signing) /
730	/ hash & sign data. Could be incremental*
731
732	Return: NULL for success with the signaature in the sig blob, or an error string /*
733
734	const uschar *
735	exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
736	{
737	const EVP_MD * md;
738	EVP_MD_CTX * ctx;
739	size_t siglen;
740
741	switch (hash)
742	{
743	case HASH_SHA1: md = EVP_sha1(); break;
744	case HASH_SHA2_256: md = EVP_sha256(); break;
745	case HASH_SHA2_512: md = EVP_sha512(); break;
746	default: return US"nonhandled hash type";
747	}
748
749	/ Create the Message Digest Context /
750	/XXX renamed to EVP_MD_CTX_new() in 1.1.0 /
751	if( (ctx = EVP_MD_CTX_create())
752
753	/ Initialise the DigestSign operation /
754	&& EVP_DigestSignInit(ctx, NULL, md, NULL, sign_ctx->key) > `0`
755
756	/ Call update with the message /
757	&& EVP_DigestSignUpdate(ctx, data->data, data->len) > `0`
758
759	/ Finalise the DigestSign operation /
760	/ First call EVP_DigestSignFinal with a NULL sig parameter to obtain the length of the*
761	* signature. Length is returned in slen */
762	&& EVP_DigestSignFinal(ctx, NULL, &siglen) > `0`
763
764	/ Allocate memory for the signature based on size in slen /
765	&& (sig->data = store_get(siglen))
766
767	/ Obtain the signature (slen could change here!) /
768	&& EVP_DigestSignFinal(ctx, sig->data, &siglen) > `0`
769	)
770	{
771	EVP_MD_CTX_destroy(ctx);
772	sig->len = siglen;
773	return NULL;
774	}
775
776	if (ctx) EVP_MD_CTX_destroy(ctx);
777	return US ERR_error_string(ERR_get_error(), NULL);
778	}
779
780
781
782	/ import public key (from blob in memory)*
783	Return: NULL for success, or an error string /*
784
785	const uschar *
786	exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx)
787	{
788	const uschar * s = pubkey->data;
789	uschar * ret = NULL;
790
791	if (fmt != KEYFMT_DER) return US"pubkey format not handled";
792	switch(fmt)
793	{
794	case KEYFMT_DER:
795	/XXX ok, this fails for EC:*
796	error:0609E09C:digital envelope routines:pkey_set_type:unsupported algorithm
797	*/
798
799	/XXX hmm, we never free this /
800	if (!(verify_ctx->key = d2i_PUBKEY(NULL, &s, pubkey->len)))
801	ret = US ERR_error_string(ERR_get_error(), NULL);
802	break;
803	#ifdef SIGN_HAVE_ED25519
804	case KEYFMT_ED25519_BARE:
805	{
806	BIGNUM * x;
807	EC_KEY * eck;
808	if ( !(x = BN_bin2bn(s, pubkey->len, NULL))
809	\|\| !(eck = EC_KEY_new_by_curve_name(NID_ED25519))
810	\|\| !EC_KEY_set_public_key_affine_coordinates(eck, x, NULL)
811	\|\| !(verify_ctx->key = EVP_PKEY_new())
812	\|\| !EVP_PKEY_assign_EC_KEY(verify_ctx->key, eck)
813	)
814	ret = US ERR_error_string(ERR_get_error(), NULL);
815	}
816	break;
817	#endif
818	default:
819	ret = US"pubkey format not handled";
820	break;
821	}
822
823	return ret;
824	}
825
826
827
828
829	/ verify signature (of hash)*
830	(pre-EC coding; of data if "notyet" code, The latter could be incremental)
831	(given pubkey & alleged sig)
832	Return: NULL for success, or an error string /*
833
834	const uschar *
835	exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data, blob * sig)
836	{
837	const EVP_MD * md;
838
839	/XXX OpenSSL does not seem to have Ed25519 support yet. Reportedly BoringSSL does,*
840	but that's a nonstable API and not recommended (by its owner, Google) for external use. /*
841
842	switch (hash)
843	{
844	case HASH_SHA1: md = EVP_sha1(); break;
845	case HASH_SHA2_256: md = EVP_sha256(); break;
846	case HASH_SHA2_512: md = EVP_sha512(); break;
847	default: return US"nonhandled hash type";
848	}
849
850	#ifdef notyet_SIGN_HAVE_ED25519
851	{
852	EVP_MD_CTX * ctx;
853
854	/XXX renamed to EVP_MD_CTX_new() in 1.1.0 /
855	if (
856	(ctx = EVP_MD_CTX_create())
857
858	/ Initialize `key` with a public key /
859	&& EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > `0`
860
861	/ add data to be hashed (call multiple times if needed) /
862
863	&& EVP_DigestVerifyUpdate(ctx, data->data, data->len) > `0`
864
865	/ finish off the hash and check the offered signature /
866
867	&& EVP_DigestVerifyFinal(ctx, sig->data, sig->len) > `0`
868	)
869	{
870	EVP_MD_CTX_destroy(ctx); / renamed to _free in 1.1.0 /
871	return NULL;
872	}
873
874	if (ctx) EVP_MD_CTX_free(ctx);
875	return US ERR_error_string(ERR_get_error(), NULL);
876	}
877	#else
878	{
879	EVP_PKEY_CTX * ctx;
880
881	if ( (ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL))
882	&& EVP_PKEY_verify_init(ctx) > `0`
883	&& EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > `0`
884	&& EVP_PKEY_CTX_set_signature_md(ctx, md) > `0`
885	&& EVP_PKEY_verify(ctx, sig->data, sig->len,
886	data->data, data->len) == `1`
887	)
888	{ EVP_PKEY_CTX_free(ctx); return NULL; }
889
890	if (ctx) EVP_PKEY_CTX_free(ctx);
891	return US ERR_error_string(ERR_get_error(), NULL);
892	}
893	#endif
894	}
895
896
897
898	#endif
899	/****************************************************************************/
900
901	#endif /DISABLE_DKIM/
902	#endif /MACRO_PREDEF/
903	/ End of File /
904

Browse the source code of exim/src/pdkim/signing.c