static gboolean
rspamd_map_check_sig_pk_mem (const guchar *sig,
gsize siglen,
struct rspamd_map *map,
const guchar *input,
gsize inlen,
struct rspamd_cryptobox_pubkey *pk)
{
GString *b32_key;
gboolean ret = TRUE;
if (siglen != rspamd_cryptobox_signature_bytes (RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_map ("can't open signature for %s: invalid size: %z", map->name, siglen);
ret = FALSE;
}
if (ret && !rspamd_cryptobox_verify (sig, input, inlen,
rspamd_pubkey_get_pk (pk, NULL), RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_map ("can't verify signature for %s: incorrect signature", map->name);
ret = FALSE;
}
if (ret) {
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
msg_info_map ("verified signature for %s using trusted key %v",
map->name, b32_key);
g_string_free (b32_key, TRUE);
}
return ret;
}
static gboolean
rspamd_map_check_file_sig (const char *fname,
struct rspamd_map *map,
struct rspamd_map_backend *bk,
const guchar *input,
gsize inlen)
{
gchar fpath[PATH_MAX];
guchar *data;
struct rspamd_cryptobox_pubkey *pk = NULL;
GString *b32_key;
gboolean ret;
gsize len = 0;
if (bk->trusted_pubkey == NULL) {
/* Try to load and check pubkey */
rspamd_snprintf (fpath, sizeof (fpath), "%s.pub", fname);
data = rspamd_file_xmap (fpath, PROT_READ, &len);
if (data == NULL) {
msg_err_map ("can't open pubkey %s: %s", fpath, strerror (errno));
return FALSE;
}
pk = rspamd_pubkey_from_base32 (data, len, RSPAMD_KEYPAIR_SIGN,
RSPAMD_CRYPTOBOX_MODE_25519);
munmap (data, len);
if (pk == NULL) {
msg_err_map ("can't load pubkey %s", fpath);
return FALSE;
}
/* We just check pk against the trusted db of keys */
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
g_assert (b32_key != NULL);
if (g_hash_table_lookup (map->cfg->trusted_keys, b32_key->str) == NULL) {
msg_err_map ("pubkey loaded from %s is untrusted: %v", fpath,
b32_key);
g_string_free (b32_key, TRUE);
rspamd_pubkey_unref (pk);
return FALSE;
}
g_string_free (b32_key, TRUE);
}
else {
pk = rspamd_pubkey_ref (bk->trusted_pubkey);
}
ret = rspamd_map_check_sig_pk (fname, map, input, inlen, pk);
rspamd_pubkey_unref (pk);
return ret;
}
static gboolean
rspamd_map_check_sig_pk (const char *fname,
struct rspamd_map *map,
const guchar *input,
gsize inlen,
struct rspamd_cryptobox_pubkey *pk)
{
gchar fpath[PATH_MAX];
rspamd_mempool_t *pool = map->pool;
guchar *data;
GString *b32_key;
gsize len = 0;
/* Now load signature */
rspamd_snprintf (fpath, sizeof (fpath), "%s.sig", fname);
data = rspamd_file_xmap (fpath, PROT_READ, &len);
if (data == NULL) {
msg_err_pool ("can't open signature %s: %s", fpath, strerror (errno));
return FALSE;
}
if (len != rspamd_cryptobox_signature_bytes (RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_pool ("can't open signature %s: invalid signature", fpath);
munmap (data, len);
return FALSE;
}
if (!rspamd_cryptobox_verify (data, input, inlen,
rspamd_pubkey_get_pk (pk, NULL), RSPAMD_CRYPTOBOX_MODE_25519)) {
msg_err_pool ("can't verify signature %s: incorrect signature", fpath);
munmap (data, len);
return FALSE;
}
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
msg_info_pool ("verified signature in file %s using trusted key %v",
fpath, b32_key);
g_string_free (b32_key, TRUE);
munmap (data, len);
return TRUE;
}