1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Jeremy Harris 2014 */
7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
8 one of the available supported implementations. This file is #included into
9 tls.c when USE_GNUTLS has been set.
12 #include <gnutls/gnutls.h>
13 /* needed for cert checks in verification and DN extraction: */
14 #include <gnutls/x509.h>
15 /* needed to disable PKCS11 autoload unless requested */
16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
17 # include <gnutls/pkcs11.h>
21 /*****************************************************
22 * Export/import a certificate, binary/printable
23 *****************************************************/
25 tls_export_cert(uschar
* buf
, size_t buflen
, void * cert
)
28 void * reset_point
= store_get(0);
32 if (gnutls_x509_crt_export((gnutls_x509_crt_t
)cert
,
33 GNUTLS_X509_FMT_PEM
, buf
, &sz
))
35 if ((cp
= string_printing(buf
)) != buf
)
37 Ustrncpy(buf
, cp
, buflen
);
41 store_reset(reset_point
);
46 tls_import_cert(const uschar
* buf
, void ** cert
)
48 void * reset_point
= store_get(0);
50 gnutls_x509_crt_t crt
;
54 gnutls_x509_crt_init(&crt
);
56 datum
.data
= string_unprinting(US buf
);
57 datum
.size
= Ustrlen(datum
.data
);
58 if (gnutls_x509_crt_import(crt
, &datum
, GNUTLS_X509_FMT_PEM
))
63 store_reset(reset_point
);
68 tls_free_cert(void * cert
)
70 gnutls_x509_crt_deinit((gnutls_x509_crt_t
) cert
);
71 gnutls_global_deinit();
74 /*****************************************************
75 * Certificate field extraction routines
76 *****************************************************/
80 uschar
* cp
= store_get(32);
81 struct tm
* tp
= gmtime(&t
);
82 size_t len
= strftime(CS cp
, 32, "%b %e %T %Y %Z", tp
);
83 return len
> 0 ? cp
: NULL
;
89 tls_cert_issuer(void * cert
, uschar
* mod
)
92 size_t sz
= sizeof(txt
);
93 return ( gnutls_x509_crt_get_issuer_dn(cert
, CS txt
, &sz
) == 0 )
94 ? string_copy(txt
) : NULL
;
98 tls_cert_not_after(void * cert
, uschar
* mod
)
101 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t
)cert
));
105 tls_cert_not_before(void * cert
, uschar
* mod
)
108 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t
)cert
));
112 tls_cert_serial_number(void * cert
, uschar
* mod
)
114 uschar bin
[50], txt
[150];
115 size_t sz
= sizeof(bin
);
119 if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t
)cert
,
120 bin
, &sz
) || sz
> sizeof(bin
))
122 for(dp
= txt
, sp
= bin
; sz
; dp
+= 2, sp
++, sz
--)
123 sprintf(dp
, "%.2x", *sp
);
124 for(sp
= txt
; sp
[0]=='0' && sp
[1]; ) sp
++; /* leading zeroes */
125 return string_copy(sp
);
129 tls_cert_signature(void * cert
, uschar
* mod
)
137 if ((ret
= gnutls_x509_crt_get_signature((gnutls_x509_crt_t
)cert
, cp1
, &len
)) !=
138 GNUTLS_E_SHORT_MEMORY_BUFFER
)
140 fprintf(stderr
, "%s: gs0 fail: %s\n", __FUNCTION__
, gnutls_strerror(ret
));
144 cp1
= store_get(len
*4+1);
146 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t
)cert
, cp1
, &len
) != 0)
148 fprintf(stderr
, "%s: gs1 fail\n", __FUNCTION__
);
152 for(cp3
= cp2
= cp1
+len
; cp1
< cp2
; cp3
+= 3, cp1
++)
153 sprintf(cp3
, "%.2x ", *cp1
);
160 tls_cert_signature_algorithm(void * cert
, uschar
* mod
)
162 gnutls_sign_algorithm_t algo
=
163 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t
)cert
);
164 return algo
< 0 ? NULL
: string_copy(gnutls_sign_get_name(algo
));
168 tls_cert_subject(void * cert
, uschar
* mod
)
170 static uschar txt
[256];
171 size_t sz
= sizeof(txt
);
172 return ( gnutls_x509_crt_get_dn(cert
, CS txt
, &sz
) == 0 )
173 ? string_copy(txt
) : NULL
;
177 tls_cert_version(void * cert
, uschar
* mod
)
179 return string_sprintf("%d", gnutls_x509_crt_get_version(cert
));
183 tls_cert_ext_by_oid(void * cert
, uschar
* oid
, int idx
)
192 ret
= gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t
)cert
,
193 oid
, idx
, cp1
, &siz
, &crit
);
194 if (ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
196 fprintf(stderr
, "%s: ge0 fail: %s\n", __FUNCTION__
, gnutls_strerror(ret
));
200 cp1
= store_get(siz
*4 + 1);
202 ret
= gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t
)cert
,
203 oid
, idx
, cp1
, &siz
, &crit
);
206 fprintf(stderr
, "%s: ge1 fail: %s\n", __FUNCTION__
, gnutls_strerror(ret
));
210 /* binary data, DER encoded */
212 /* just dump for now */
213 for(cp3
= cp2
= cp1
+siz
; cp1
< cp2
; cp3
+= 3, cp1
++)
214 sprintf(cp3
, "%.2x ", *cp1
);
221 tls_cert_subject_altname(void * cert
, uschar
* mod
)
223 uschar
* list
= NULL
;
234 if (*mod
== '>' && *++mod
) sep
= *mod
++;
235 else if (Ustrcmp(mod
, "dns")==0) { match
= GNUTLS_SAN_DNSNAME
; mod
+= 3; }
236 else if (Ustrcmp(mod
, "uri")==0) { match
= GNUTLS_SAN_URI
; mod
+= 3; }
237 else if (Ustrcmp(mod
, "mail")==0) { match
= GNUTLS_SAN_RFC822NAME
; mod
+= 4; }
244 for(index
= 0;; index
++)
247 switch(ret
= gnutls_x509_crt_get_subject_alt_name(
248 (gnutls_x509_crt_t
)cert
, index
, NULL
, &siz
, NULL
))
250 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
:
251 return list
; /* no more elements; normal exit */
253 case GNUTLS_E_SHORT_MEMORY_BUFFER
:
257 expand_string_message
=
258 string_sprintf("%s: gs0 fail: %d %s\n", __FUNCTION__
,
259 ret
, gnutls_strerror(ret
));
263 ele
= store_get(siz
+1);
264 if ((ret
= gnutls_x509_crt_get_subject_alt_name(
265 (gnutls_x509_crt_t
)cert
, index
, ele
, &siz
, NULL
)) < 0)
267 expand_string_message
=
268 string_sprintf("%s: gs1 fail: %d %s\n", __FUNCTION__
,
269 ret
, gnutls_strerror(ret
));
274 if (match
!= -1 && match
!= ret
)
278 case GNUTLS_SAN_DNSNAME
: tag
= US
"DNS"; break;
279 case GNUTLS_SAN_URI
: tag
= US
"URI"; break;
280 case GNUTLS_SAN_RFC822NAME
: tag
= US
"MAIL"; break;
281 default: continue; /* ignore unrecognised types */
283 list
= string_append_listele(list
, sep
,
284 match
== -1 ? string_sprintf("%s=%s", tag
, ele
) : ele
);
290 tls_cert_ocsp_uri(void * cert
, uschar
* mod
)
292 #if GNUTLS_VERSION_NUMBER >= 0x030000
297 uschar
* list
= NULL
;
300 if (*mod
== '>' && *++mod
) sep
= *mod
++;
302 for(index
= 0;; index
++)
304 ret
= gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t
)cert
,
305 index
, GNUTLS_IA_OCSP_URI
, &uri
, NULL
);
307 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
311 expand_string_message
=
312 string_sprintf("%s: gai fail: %d %s\n", __FUNCTION__
,
313 ret
, gnutls_strerror(ret
));
317 list
= string_append_listele(list
, sep
,
318 string_copyn(uri
.data
, uri
.size
));
324 expand_string_message
=
325 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
333 tls_cert_crl_uri(void * cert
, uschar
* mod
)
339 uschar
* list
= NULL
;
343 if (*mod
== '>' && *++mod
) sep
= *mod
++;
345 for(index
= 0;; index
++)
348 switch(ret
= gnutls_x509_crt_get_crl_dist_points(
349 (gnutls_x509_crt_t
)cert
, index
, NULL
, &siz
, NULL
, NULL
))
351 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
:
353 case GNUTLS_E_SHORT_MEMORY_BUFFER
:
356 expand_string_message
=
357 string_sprintf("%s: gc0 fail: %d %s\n", __FUNCTION__
,
358 ret
, gnutls_strerror(ret
));
362 ele
= store_get(siz
+1);
363 if ((ret
= gnutls_x509_crt_get_crl_dist_points(
364 (gnutls_x509_crt_t
)cert
, index
, ele
, &siz
, NULL
, NULL
)) < 0)
366 expand_string_message
=
367 string_sprintf("%s: gc1 fail: %d %s\n", __FUNCTION__
,
368 ret
, gnutls_strerror(ret
));
372 list
= string_append_listele(list
, sep
, ele
);
378 /*****************************************************
379 * Certificate operator routines
380 *****************************************************/
382 fingerprint(gnutls_x509_crt_t cert
, gnutls_digest_algorithm_t algo
)
390 if ((ret
= gnutls_x509_crt_get_fingerprint(cert
, algo
, NULL
, &siz
))
391 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
393 expand_string_message
=
394 string_sprintf("%s: gf0 fail: %d %s\n", __FUNCTION__
,
395 ret
, gnutls_strerror(ret
));
398 cp
= store_get(siz
*3+1);
399 if ((ret
= gnutls_x509_crt_get_fingerprint(cert
, algo
, cp
, &siz
)) < 0)
401 expand_string_message
=
402 string_sprintf("%s: gf1 fail: %d %s\n", __FUNCTION__
,
403 ret
, gnutls_strerror(ret
));
406 for (cp3
= cp2
= cp
+siz
; cp
< cp2
; cp
++, cp3
+=2)
407 sprintf(cp3
, "%02X",*cp
);
413 tls_cert_fprt_md5(void * cert
)
415 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_MD5
);
419 tls_cert_fprt_sha1(void * cert
)
421 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_SHA1
);
425 tls_cert_fprt_sha256(void * cert
)
427 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_SHA256
);
433 /* End of tlscert-gnu.c */