src/src/tlscert-gnu.c

   1 /*************************************************
   2 *     Exim - an Internet mail transport agent    *
   3 *************************************************/
   4
   5 /* Copyright (c) Jeremy Harris 2014 */
   6
   7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
   8 one of the available supported implementations.  This file is #included into
   9 tls.c when USE_GNUTLS has been set.
  10 */
  11
  12 #include <gnutls/gnutls.h>
  13 /* needed for cert checks in verification and DN extraction: */
  14 #include <gnutls/x509.h>
  15 /* needed to disable PKCS11 autoload unless requested */
  16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
  17 # include <gnutls/pkcs11.h>
  18 #endif
  19
  20
  21 /*****************************************************
  22 *  Export/import a certificate, binary/printable
  23 *****************************************************/
  24 int
  25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
  26 {
  27 size_t sz = buflen;
  28 void * reset_point = store_get(0);
  29 int fail = 0;
  30 uschar * cp;
  31
  32 if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
  33     GNUTLS_X509_FMT_PEM, buf, &sz))
  34   return 1;
  35 if ((cp = string_printing(buf)) != buf)
  36   {
  37   Ustrncpy(buf, cp, buflen);
  38   if (buf[buflen-1])
  39     fail = 1;
  40   }
  41 store_reset(reset_point);
  42 return fail;
  43 }
  44
  45 int
  46 tls_import_cert(const uschar * buf, void ** cert)
  47 {
  48 void * reset_point = store_get(0);
  49 gnutls_datum_t datum;
  50 gnutls_x509_crt_t crt;
  51 int fail = 0;
  52
  53 gnutls_global_init();
  54 gnutls_x509_crt_init(&crt);
  55
  56 datum.data = string_unprinting(US buf);
  57 datum.size = Ustrlen(datum.data);
  58 if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))
  59   fail = 1;
  60 else
  61   *cert = (void *)crt;
  62
  63 store_reset(reset_point);
  64 return fail;
  65 }
  66
  67 void
  68 tls_free_cert(void * cert)
  69 {
  70 gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
  71 gnutls_global_deinit();
  72 }
  73
  74 /*****************************************************
  75 *  Certificate field extraction routines
  76 *****************************************************/
  77 static uschar *
  78 g_err(const char * tag, const char * from, int gnutls_err)
  79 {
  80 expand_string_message = string_sprintf("%s: %s fail: %s\n",
  81   from, tag, gnutls_strerror(gnutls_err));
  82 return NULL;
  83 }
  84
  85
  86 static uschar *
  87 time_copy(time_t t)
  88 {
  89 uschar * cp = store_get(32);
  90 struct tm * tp = gmtime(&t);
  91 size_t len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
  92 return len > 0 ? cp : NULL;
  93 }
  94
  95 /**/
  96
  97 uschar *
  98 tls_cert_issuer(void * cert, uschar * mod)
  99 {
 100 uschar * cp = NULL;
 101 int ret;
 102 size_t siz = 0;
 103
 104 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz))
 105     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 106   return g_err("gi0", __FUNCTION__, ret);
 107
 108 cp = store_get(siz);
 109 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0)
 110   return g_err("gi1", __FUNCTION__, ret);
 111
 112 return mod ? tls_field_from_dn(cp, mod) : cp;
 113 }
 114
 115 uschar *
 116 tls_cert_not_after(void * cert, uschar * mod)
 117 {
 118 return time_copy(
 119   gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert));
 120 }
 121
 122 uschar *
 123 tls_cert_not_before(void * cert, uschar * mod)
 124 {
 125 return time_copy(
 126   gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert));
 127 }
 128
 129 uschar *
 130 tls_cert_serial_number(void * cert, uschar * mod)
 131 {
 132 uschar bin[50], txt[150];
 133 size_t sz = sizeof(bin);
 134 uschar * sp;
 135 uschar * dp;
 136
 137 if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
 138     bin, &sz) || sz > sizeof(bin))
 139   return NULL;
 140 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
 141   sprintf(dp, "%.2x", *sp);
 142 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;      /* leading zeroes */
 143 return string_copy(sp);
 144 }
 145
 146 uschar *
 147 tls_cert_signature(void * cert, uschar * mod)
 148 {
 149 uschar * cp1;
 150 uschar * cp2;
 151 uschar * cp3;
 152 size_t len = 0;
 153 int ret;
 154
 155 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len))
 156     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 157   return g_err("gs0", __FUNCTION__, ret);
 158
 159 cp1 = store_get(len*4+1);
 160 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
 161   return g_err("gs1", __FUNCTION__, ret);
 162
 163 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
 164   sprintf(cp3, "%.2x ", *cp1);
 165 cp3[-1]= '\0';
 166
 167 return cp2;
 168 }
 169
 170 uschar *
 171 tls_cert_signature_algorithm(void * cert, uschar * mod)
 172 {
 173 gnutls_sign_algorithm_t algo =
 174   gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
 175 return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
 176 }
 177
 178 uschar *
 179 tls_cert_subject(void * cert, uschar * mod)
 180 {
 181 uschar * cp = NULL;
 182 int ret;
 183 size_t siz = 0;
 184
 185 if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz))
 186     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 187   return g_err("gs0", __FUNCTION__, ret);
 188
 189 cp = store_get(siz);
 190 if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0)
 191   return g_err("gs1", __FUNCTION__, ret);
 192
 193 return mod ? tls_field_from_dn(cp, mod) : cp;
 194 }
 195
 196 uschar *
 197 tls_cert_version(void * cert, uschar * mod)
 198 {
 199 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
 200 }
 201
 202 uschar *
 203 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
 204 {
 205 uschar * cp1 = NULL;
 206 uschar * cp2;
 207 uschar * cp3;
 208 size_t siz = 0;
 209 unsigned int crit;
 210 int ret;
 211
 212 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 213   oid, idx, cp1, &siz, &crit);
 214 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
 215   return g_err("ge0", __FUNCTION__, ret);
 216
 217 cp1 = store_get(siz*4 + 1);
 218
 219 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 220   oid, idx, cp1, &siz, &crit);
 221 if (ret < 0)
 222   return g_err("ge1", __FUNCTION__, ret);
 223
 224 /* binary data, DER encoded */
 225
 226 /* just dump for now */
 227 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
 228   sprintf(cp3, "%.2x ", *cp1);
 229 cp3[-1]= '\0';
 230
 231 return cp2;
 232 }
 233
 234 uschar *
 235 tls_cert_subject_altname(void * cert, uschar * mod)
 236 {
 237 uschar * list = NULL;
 238 int index;
 239 size_t siz;
 240 int ret;
 241 uschar sep = '\n';
 242 uschar * tag = US"";
 243 uschar * ele;
 244 int match = -1;
 245
 246 while (mod)
 247   {
 248   if (*mod == '>' && *++mod) sep = *mod++;
 249   else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
 250   else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
 251   else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
 252   else continue;
 253
 254   if (*mod++ != ',')
 255     break;
 256   }
 257
 258 for(index = 0;; index++)
 259   {
 260   siz = 0;
 261   switch(ret = gnutls_x509_crt_get_subject_alt_name(
 262     (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
 263     {
 264     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 265       return list;      /* no more elements; normal exit */
 266
 267     case GNUTLS_E_SHORT_MEMORY_BUFFER:
 268       break;
 269
 270     default:
 271       return g_err("gs0", __FUNCTION__, ret);
 272     }
 273
 274   ele = store_get(siz+1);
 275   if ((ret = gnutls_x509_crt_get_subject_alt_name(
 276     (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
 277     return g_err("gs1", __FUNCTION__, ret);
 278   ele[siz] = '\0';
 279
 280   if (match != -1 && match != ret)
 281     continue;
 282   switch (ret)
 283     {
 284     case GNUTLS_SAN_DNSNAME:    tag = US"DNS";  break;
 285     case GNUTLS_SAN_URI:        tag = US"URI";  break;
 286     case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
 287     default: continue;        /* ignore unrecognised types */
 288     }
 289   list = string_append_listele(list, sep,
 290           match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
 291   }
 292 /*NOTREACHED*/
 293 }
 294
 295 uschar *
 296 tls_cert_ocsp_uri(void * cert, uschar * mod)
 297 {
 298 #if GNUTLS_VERSION_NUMBER >= 0x030000
 299 gnutls_datum_t uri;
 300 int ret;
 301 uschar sep = '\n';
 302 int index;
 303 uschar * list = NULL;
 304
 305 if (mod)
 306   if (*mod == '>' && *++mod) sep = *mod++;
 307
 308 for(index = 0;; index++)
 309   {
 310   ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
 311           index, GNUTLS_IA_OCSP_URI, &uri, NULL);
 312
 313   if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
 314     return list;
 315   if (ret < 0)
 316     return g_err("gai", __FUNCTION__, ret);
 317
 318   list = string_append_listele(list, sep,
 319             string_copyn(uri.data, uri.size));
 320   }
 321 /*NOTREACHED*/
 322
 323 #else
 324
 325 expand_string_message =
 326   string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
 327     __FUNCTION__);
 328 return NULL;
 329
 330 #endif
 331 }
 332
 333 uschar *
 334 tls_cert_crl_uri(void * cert, uschar * mod)
 335 {
 336 int ret;
 337 size_t siz;
 338 uschar sep = '\n';
 339 int index;
 340 uschar * list = NULL;
 341 uschar * ele;
 342
 343 if (mod)
 344   if (*mod == '>' && *++mod) sep = *mod++;
 345
 346 for(index = 0;; index++)
 347   {
 348   siz = 0;
 349   switch(ret = gnutls_x509_crt_get_crl_dist_points(
 350     (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
 351     {
 352     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 353       return list;
 354     case GNUTLS_E_SHORT_MEMORY_BUFFER:
 355       break;
 356     default:
 357       return g_err("gc0", __FUNCTION__, ret);
 358     }
 359
 360   ele = store_get(siz+1);
 361   if ((ret = gnutls_x509_crt_get_crl_dist_points(
 362       (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
 363     return g_err("gc1", __FUNCTION__, ret);
 364
 365   ele[siz] = '\0';
 366   list = string_append_listele(list, sep, ele);
 367   }
 368 /*NOTREACHED*/
 369 }
 370
 371
 372 /*****************************************************
 373 *  Certificate operator routines
 374 *****************************************************/
 375 static uschar *
 376 fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
 377 {
 378 int ret;
 379 size_t siz = 0;
 380 uschar * cp;
 381 uschar * cp2;
 382 uschar * cp3;
 383
 384 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
 385     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 386   return g_err("gf0", __FUNCTION__, ret);
 387
 388 cp = store_get(siz*3+1);
 389 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
 390   return g_err("gf1", __FUNCTION__, ret);
 391
 392 for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2)
 393   sprintf(cp3, "%02X",*cp);
 394 return cp2;
 395 }
 396
 397
 398 uschar *
 399 tls_cert_fprt_md5(void * cert)
 400 {
 401 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
 402 }
 403
 404 uschar *
 405 tls_cert_fprt_sha1(void * cert)
 406 {
 407 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
 408 }
 409
 410 uschar *
 411 tls_cert_fprt_sha256(void * cert)
 412 {
 413 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
 414 }
 415
 416
 417 /* vi: aw ai sw=2
 418 */
 419 /* End of tlscert-gnu.c */