1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Jeremy Harris 2014 - 2018 */
7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
8 one of the available supported implementations. This file is #included into
9 tls.c when USE_GNUTLS has been set.
12 #include <gnutls/gnutls.h>
13 /* needed for cert checks in verification and DN extraction: */
14 #include <gnutls/x509.h>
15 /* needed to disable PKCS11 autoload unless requested */
16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
17 # include <gnutls/pkcs11.h>
21 /*****************************************************
22 * Export/import a certificate, binary/printable
23 ******************************************************
24 Return: boolean success
28 tls_export_cert(uschar
* buf
, size_t buflen
, void * cert
)
31 rmark reset_point
= store_mark();
35 if ((fail
= gnutls_x509_crt_export((gnutls_x509_crt_t
)cert
,
36 GNUTLS_X509_FMT_PEM
, buf
, &sz
)))
38 log_write(0, LOG_MAIN
, "TLS error in certificate export: %s",
39 gnutls_strerror(fail
));
42 if ((cp
= string_printing(buf
)) != buf
)
44 Ustrncpy(buf
, cp
, buflen
);
48 store_reset(reset_point
);
52 /* On error, NULL out the destination */
54 tls_import_cert(const uschar
* buf
, void ** cert
)
56 rmark reset_point
= store_mark();
58 gnutls_x509_crt_t crt
= *(gnutls_x509_crt_t
*)cert
;
62 gnutls_x509_crt_deinit(crt
);
66 gnutls_x509_crt_init(&crt
);
68 datum
.data
= string_unprinting(US buf
);
69 datum
.size
= Ustrlen(datum
.data
);
70 if ((rc
= gnutls_x509_crt_import(crt
, &datum
, GNUTLS_X509_FMT_PEM
)))
72 log_write(0, LOG_MAIN
, "TLS error in certificate import: %s",
77 store_reset(reset_point
);
82 tls_free_cert(void ** cert
)
84 gnutls_x509_crt_t crt
= *(gnutls_x509_crt_t
*)cert
;
87 gnutls_x509_crt_deinit(crt
);
88 gnutls_global_deinit();
93 /*****************************************************
94 * Certificate field extraction routines
95 *****************************************************/
97 /* First, some internal service functions */
100 g_err(const char * tag
, const char * from
, int gnutls_err
)
102 expand_string_message
= string_sprintf("%s: %s fail: %s\n",
103 from
, tag
, gnutls_strerror(gnutls_err
));
109 time_copy(time_t t
, uschar
* mod
)
114 if (mod
&& Ustrcmp(mod
, "int") == 0)
115 return string_sprintf("%u", (unsigned)t
);
117 cp
= store_get(len
, FALSE
);
118 if (f
.timestamps_utc
)
120 uschar
* tz
= to_tz(US
"GMT0");
121 len
= strftime(CS cp
, len
, "%b %e %T %Y %Z", gmtime(&t
));
125 len
= strftime(CS cp
, len
, "%b %e %T %Y %Z", localtime(&t
));
126 return len
> 0 ? cp
: NULL
;
131 /* Now the extractors, called from expand.c
134 mod Optional modifiers for the operator
137 Allocated string with extracted value
141 tls_cert_issuer(void * cert
, uschar
* mod
)
147 if ((ret
= gnutls_x509_crt_get_issuer_dn(cert
, CS cp
, &siz
))
148 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
149 return g_err("gi0", __FUNCTION__
, ret
);
151 cp
= store_get(siz
, TRUE
);
152 if ((ret
= gnutls_x509_crt_get_issuer_dn(cert
, CS cp
, &siz
)) < 0)
153 return g_err("gi1", __FUNCTION__
, ret
);
155 return mod
? tls_field_from_dn(cp
, mod
) : cp
;
159 tls_cert_not_after(void * cert
, uschar
* mod
)
162 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t
)cert
),
167 tls_cert_not_before(void * cert
, uschar
* mod
)
170 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t
)cert
),
175 tls_cert_serial_number(void * cert
, uschar
* mod
)
177 uschar bin
[50], txt
[150];
179 size_t sz
= sizeof(bin
);
182 if ((ret
= gnutls_x509_crt_get_serial((gnutls_x509_crt_t
)cert
,
184 return g_err("gs0", __FUNCTION__
, ret
);
186 for(uschar
* dp
= txt
; sz
; sz
--)
187 dp
+= sprintf(CS dp
, "%.2x", *sp
++);
188 for(sp
= txt
; sp
[0]=='0' && sp
[1]; ) sp
++; /* leading zeroes */
189 return string_copy(sp
);
193 tls_cert_signature(void * cert
, uschar
* mod
)
201 if ((ret
= gnutls_x509_crt_get_signature((gnutls_x509_crt_t
)cert
, CS cp1
, &len
))
202 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
203 return g_err("gs0", __FUNCTION__
, ret
);
205 cp1
= store_get(len
*4+1, TRUE
);
206 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t
)cert
, CS cp1
, &len
) != 0)
207 return g_err("gs1", __FUNCTION__
, ret
);
209 for(cp3
= cp2
= cp1
+len
; cp1
< cp2
; cp1
++)
210 cp3
+= sprintf(CS cp3
, "%.2x ", *cp1
);
217 tls_cert_signature_algorithm(void * cert
, uschar
* mod
)
219 gnutls_sign_algorithm_t algo
=
220 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t
)cert
);
221 return algo
< 0 ? NULL
: string_copy(US
gnutls_sign_get_name(algo
));
225 tls_cert_subject(void * cert
, uschar
* mod
)
231 if ((ret
= gnutls_x509_crt_get_dn(cert
, CS cp
, &siz
))
232 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
233 return g_err("gs0", __FUNCTION__
, ret
);
235 cp
= store_get(siz
, TRUE
);
236 if ((ret
= gnutls_x509_crt_get_dn(cert
, CS cp
, &siz
)) < 0)
237 return g_err("gs1", __FUNCTION__
, ret
);
239 return mod
? tls_field_from_dn(cp
, mod
) : cp
;
243 tls_cert_version(void * cert
, uschar
* mod
)
245 return string_sprintf("%d", gnutls_x509_crt_get_version(cert
));
249 tls_cert_ext_by_oid(void * cert
, uschar
* oid
, int idx
)
258 ret
= gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t
)cert
,
259 CS oid
, idx
, CS cp1
, &siz
, &crit
);
260 if (ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
261 return g_err("ge0", __FUNCTION__
, ret
);
263 cp1
= store_get(siz
*4 + 1, TRUE
);
265 ret
= gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t
)cert
,
266 CS oid
, idx
, CS cp1
, &siz
, &crit
);
268 return g_err("ge1", __FUNCTION__
, ret
);
270 /* binary data, DER encoded */
272 /* just dump for now */
273 for(cp3
= cp2
= cp1
+siz
; cp1
< cp2
; cp1
++)
274 cp3
+= sprintf(CS cp3
, "%.2x ", *cp1
);
281 tls_cert_subject_altname(void * cert
, uschar
* mod
)
283 gstring
* list
= NULL
;
293 if (*mod
== '>' && *++mod
) sep
= *mod
++;
294 else if (Ustrcmp(mod
, "dns")==0) { match
= GNUTLS_SAN_DNSNAME
; mod
+= 3; }
295 else if (Ustrcmp(mod
, "uri")==0) { match
= GNUTLS_SAN_URI
; mod
+= 3; }
296 else if (Ustrcmp(mod
, "mail")==0) { match
= GNUTLS_SAN_RFC822NAME
; mod
+= 4; }
303 for (int index
= 0;; index
++)
306 switch(ret
= gnutls_x509_crt_get_subject_alt_name(
307 (gnutls_x509_crt_t
)cert
, index
, NULL
, &siz
, NULL
))
309 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
:
310 return string_from_gstring(list
); /* no more elements; normal exit */
312 case GNUTLS_E_SHORT_MEMORY_BUFFER
:
316 return g_err("gs0", __FUNCTION__
, ret
);
319 ele
= store_get(siz
+1, TRUE
);
320 if ((ret
= gnutls_x509_crt_get_subject_alt_name(
321 (gnutls_x509_crt_t
)cert
, index
, ele
, &siz
, NULL
)) < 0)
322 return g_err("gs1", __FUNCTION__
, ret
);
325 if ( match
!= -1 && match
!= ret
/* wrong type of SAN */
326 || Ustrlen(ele
) != siz
) /* contains a NUL */
330 case GNUTLS_SAN_DNSNAME
: tag
= US
"DNS"; break;
331 case GNUTLS_SAN_URI
: tag
= US
"URI"; break;
332 case GNUTLS_SAN_RFC822NAME
: tag
= US
"MAIL"; break;
333 default: continue; /* ignore unrecognised types */
335 list
= string_append_listele(list
, sep
,
336 match
== -1 ? string_sprintf("%s=%s", tag
, ele
) : ele
);
342 tls_cert_ocsp_uri(void * cert
, uschar
* mod
)
344 #if GNUTLS_VERSION_NUMBER >= 0x030000
348 gstring
* list
= NULL
;
351 if (*mod
== '>' && *++mod
) sep
= *mod
++;
353 for (int index
= 0;; index
++)
355 ret
= gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t
)cert
,
356 index
, GNUTLS_IA_OCSP_URI
, &uri
, NULL
);
358 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
359 return string_from_gstring(list
);
361 return g_err("gai", __FUNCTION__
, ret
);
363 list
= string_append_listele_n(list
, sep
, uri
.data
, uri
.size
);
369 expand_string_message
=
370 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
378 tls_cert_crl_uri(void * cert
, uschar
* mod
)
382 gstring
* list
= NULL
;
386 if (*mod
== '>' && *++mod
) sep
= *mod
++;
388 for (int index
= 0;; index
++)
391 switch(ret
= gnutls_x509_crt_get_crl_dist_points(
392 (gnutls_x509_crt_t
)cert
, index
, NULL
, &siz
, NULL
, NULL
))
394 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
:
395 return string_from_gstring(list
);
396 case GNUTLS_E_SHORT_MEMORY_BUFFER
:
399 return g_err("gc0", __FUNCTION__
, ret
);
402 ele
= store_get(siz
, TRUE
);
403 if ((ret
= gnutls_x509_crt_get_crl_dist_points(
404 (gnutls_x509_crt_t
)cert
, index
, ele
, &siz
, NULL
, NULL
)) < 0)
405 return g_err("gc1", __FUNCTION__
, ret
);
407 list
= string_append_listele_n(list
, sep
, ele
, siz
);
413 /*****************************************************
414 * Certificate operator routines
415 *****************************************************/
417 tls_cert_der_b64(void * cert
)
423 if ( (fail
= gnutls_x509_crt_export((gnutls_x509_crt_t
)cert
,
424 GNUTLS_X509_FMT_DER
, cp
, &len
)) != GNUTLS_E_SHORT_MEMORY_BUFFER
425 || !(cp
= store_get((int)len
, TRUE
), TRUE
) /* tainted */
426 || (fail
= gnutls_x509_crt_export((gnutls_x509_crt_t
)cert
,
427 GNUTLS_X509_FMT_DER
, cp
, &len
))
430 log_write(0, LOG_MAIN
, "TLS error in certificate export: %s",
431 gnutls_strerror(fail
));
434 return b64encode(CUS cp
, (int)len
);
439 fingerprint(gnutls_x509_crt_t cert
, gnutls_digest_algorithm_t algo
)
446 if ((ret
= gnutls_x509_crt_get_fingerprint(cert
, algo
, NULL
, &siz
))
447 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
448 return g_err("gf0", __FUNCTION__
, ret
);
450 cp
= store_get(siz
*3+1, TRUE
);
451 if ((ret
= gnutls_x509_crt_get_fingerprint(cert
, algo
, cp
, &siz
)) < 0)
452 return g_err("gf1", __FUNCTION__
, ret
);
454 for (uschar
* cp3
= cp2
= cp
+siz
; cp
< cp2
; cp
++)
455 cp3
+= sprintf(CS cp3
, "%02X", *cp
);
461 tls_cert_fprt_md5(void * cert
)
463 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_MD5
);
467 tls_cert_fprt_sha1(void * cert
)
469 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_SHA1
);
473 tls_cert_fprt_sha256(void * cert
)
475 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_SHA256
);
481 /* End of tlscert-gnu.c */