Before importing a certificate, free any previous one. Bug 1648
[exim.git] / src / src / tlscert-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) Jeremy Harris 2014 - 2015 */
6
7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
8 one of the available supported implementations. This file is #included into
9 tls.c when USE_GNUTLS has been set.
10 */
11
12 #include <gnutls/gnutls.h>
13 /* needed for cert checks in verification and DN extraction: */
14 #include <gnutls/x509.h>
15 /* needed to disable PKCS11 autoload unless requested */
16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
17 # include <gnutls/pkcs11.h>
18 #endif
19
20
21 /*****************************************************
22 * Export/import a certificate, binary/printable
23 *****************************************************/
24 int
25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
26 {
27 size_t sz = buflen;
28 void * reset_point = store_get(0);
29 int fail;
30 const uschar * cp;
31
32 if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
33 GNUTLS_X509_FMT_PEM, buf, &sz)))
34 {
35 log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
36 gnutls_strerror(fail));
37 return 1;
38 }
39 if ((cp = string_printing(buf)) != buf)
40 {
41 Ustrncpy(buf, cp, buflen);
42 if (buf[buflen-1])
43 fail = 1;
44 }
45 store_reset(reset_point);
46 return fail;
47 }
48
49 int
50 tls_import_cert(const uschar * buf, void ** cert)
51 {
52 void * reset_point = store_get(0);
53 gnutls_datum_t datum;
54 gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
55 int fail = 0;
56
57 if (crt)
58 gnutls_x509_crt_deinit(crt);
59 else
60 gnutls_global_init();
61
62 gnutls_x509_crt_init(&crt);
63
64 datum.data = string_unprinting(US buf);
65 datum.size = Ustrlen(datum.data);
66 if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
67 {
68 log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
69 gnutls_strerror(fail));
70 fail = 1;
71 }
72 else
73 *cert = (void *)crt;
74
75 store_reset(reset_point);
76 return fail;
77 }
78
79 void
80 tls_free_cert(void * cert)
81 {
82 gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
83 gnutls_global_deinit();
84 }
85
86 /*****************************************************
87 * Certificate field extraction routines
88 *****************************************************/
89
90 /* First, some internal service functions */
91
92 static uschar *
93 g_err(const char * tag, const char * from, int gnutls_err)
94 {
95 expand_string_message = string_sprintf("%s: %s fail: %s\n",
96 from, tag, gnutls_strerror(gnutls_err));
97 return NULL;
98 }
99
100
101 static uschar *
102 time_copy(time_t t, uschar * mod)
103 {
104 uschar * cp;
105 size_t len = 32;
106
107 if (mod && Ustrcmp(mod, "int") == 0)
108 return string_sprintf("%u", (unsigned)t);
109
110 cp = store_get(len);
111 if (timestamps_utc)
112 {
113 uschar * tz = to_tz(US"GMT0");
114 len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
115 restore_tz(tz);
116 }
117 else
118 len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
119 return len > 0 ? cp : NULL;
120 }
121
122
123 /**/
124 /* Now the extractors, called from expand.c
125 Arguments:
126 cert The certificate
127 mod Optional modifiers for the operator
128
129 Return:
130 Allocated string with extracted value
131 */
132
133 uschar *
134 tls_cert_issuer(void * cert, uschar * mod)
135 {
136 uschar * cp = NULL;
137 int ret;
138 size_t siz = 0;
139
140 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz))
141 != GNUTLS_E_SHORT_MEMORY_BUFFER)
142 return g_err("gi0", __FUNCTION__, ret);
143
144 cp = store_get(siz);
145 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0)
146 return g_err("gi1", __FUNCTION__, ret);
147
148 return mod ? tls_field_from_dn(cp, mod) : cp;
149 }
150
151 uschar *
152 tls_cert_not_after(void * cert, uschar * mod)
153 {
154 return time_copy(
155 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
156 mod);
157 }
158
159 uschar *
160 tls_cert_not_before(void * cert, uschar * mod)
161 {
162 return time_copy(
163 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
164 mod);
165 }
166
167 uschar *
168 tls_cert_serial_number(void * cert, uschar * mod)
169 {
170 uschar bin[50], txt[150];
171 size_t sz = sizeof(bin);
172 uschar * sp;
173 uschar * dp;
174 int ret;
175
176 if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
177 bin, &sz)))
178 return g_err("gs0", __FUNCTION__, ret);
179
180 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
181 sprintf(dp, "%.2x", *sp);
182 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
183 return string_copy(sp);
184 }
185
186 uschar *
187 tls_cert_signature(void * cert, uschar * mod)
188 {
189 uschar * cp1 = NULL;
190 uschar * cp2;
191 uschar * cp3;
192 size_t len = 0;
193 int ret;
194
195 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len))
196 != GNUTLS_E_SHORT_MEMORY_BUFFER)
197 return g_err("gs0", __FUNCTION__, ret);
198
199 cp1 = store_get(len*4+1);
200 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
201 return g_err("gs1", __FUNCTION__, ret);
202
203 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
204 sprintf(cp3, "%.2x ", *cp1);
205 cp3[-1]= '\0';
206
207 return cp2;
208 }
209
210 uschar *
211 tls_cert_signature_algorithm(void * cert, uschar * mod)
212 {
213 gnutls_sign_algorithm_t algo =
214 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
215 return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
216 }
217
218 uschar *
219 tls_cert_subject(void * cert, uschar * mod)
220 {
221 uschar * cp = NULL;
222 int ret;
223 size_t siz = 0;
224
225 if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz))
226 != GNUTLS_E_SHORT_MEMORY_BUFFER)
227 return g_err("gs0", __FUNCTION__, ret);
228
229 cp = store_get(siz);
230 if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0)
231 return g_err("gs1", __FUNCTION__, ret);
232
233 return mod ? tls_field_from_dn(cp, mod) : cp;
234 }
235
236 uschar *
237 tls_cert_version(void * cert, uschar * mod)
238 {
239 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
240 }
241
242 uschar *
243 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
244 {
245 uschar * cp1 = NULL;
246 uschar * cp2;
247 uschar * cp3;
248 size_t siz = 0;
249 unsigned int crit;
250 int ret;
251
252 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
253 oid, idx, cp1, &siz, &crit);
254 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
255 return g_err("ge0", __FUNCTION__, ret);
256
257 cp1 = store_get(siz*4 + 1);
258
259 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
260 oid, idx, cp1, &siz, &crit);
261 if (ret < 0)
262 return g_err("ge1", __FUNCTION__, ret);
263
264 /* binary data, DER encoded */
265
266 /* just dump for now */
267 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
268 sprintf(cp3, "%.2x ", *cp1);
269 cp3[-1]= '\0';
270
271 return cp2;
272 }
273
274 uschar *
275 tls_cert_subject_altname(void * cert, uschar * mod)
276 {
277 uschar * list = NULL;
278 int index;
279 size_t siz;
280 int ret;
281 uschar sep = '\n';
282 uschar * tag = US"";
283 uschar * ele;
284 int match = -1;
285
286 while (mod)
287 {
288 if (*mod == '>' && *++mod) sep = *mod++;
289 else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
290 else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
291 else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
292 else continue;
293
294 if (*mod++ != ',')
295 break;
296 }
297
298 for(index = 0;; index++)
299 {
300 siz = 0;
301 switch(ret = gnutls_x509_crt_get_subject_alt_name(
302 (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
303 {
304 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
305 return list; /* no more elements; normal exit */
306
307 case GNUTLS_E_SHORT_MEMORY_BUFFER:
308 break;
309
310 default:
311 return g_err("gs0", __FUNCTION__, ret);
312 }
313
314 ele = store_get(siz+1);
315 if ((ret = gnutls_x509_crt_get_subject_alt_name(
316 (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
317 return g_err("gs1", __FUNCTION__, ret);
318 ele[siz] = '\0';
319
320 if ( match != -1 && match != ret /* wrong type of SAN */
321 || Ustrlen(ele) != siz) /* contains a NUL */
322 continue;
323 switch (ret)
324 {
325 case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break;
326 case GNUTLS_SAN_URI: tag = US"URI"; break;
327 case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
328 default: continue; /* ignore unrecognised types */
329 }
330 list = string_append_listele(list, sep,
331 match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
332 }
333 /*NOTREACHED*/
334 }
335
336 uschar *
337 tls_cert_ocsp_uri(void * cert, uschar * mod)
338 {
339 #if GNUTLS_VERSION_NUMBER >= 0x030000
340 gnutls_datum_t uri;
341 int ret;
342 uschar sep = '\n';
343 int index;
344 uschar * list = NULL;
345
346 if (mod)
347 if (*mod == '>' && *++mod) sep = *mod++;
348
349 for(index = 0;; index++)
350 {
351 ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
352 index, GNUTLS_IA_OCSP_URI, &uri, NULL);
353
354 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
355 return list;
356 if (ret < 0)
357 return g_err("gai", __FUNCTION__, ret);
358
359 list = string_append_listele(list, sep,
360 string_copyn(uri.data, uri.size));
361 }
362 /*NOTREACHED*/
363
364 #else
365
366 expand_string_message =
367 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
368 __FUNCTION__);
369 return NULL;
370
371 #endif
372 }
373
374 uschar *
375 tls_cert_crl_uri(void * cert, uschar * mod)
376 {
377 int ret;
378 size_t siz;
379 uschar sep = '\n';
380 int index;
381 uschar * list = NULL;
382 uschar * ele;
383
384 if (mod)
385 if (*mod == '>' && *++mod) sep = *mod++;
386
387 for(index = 0;; index++)
388 {
389 siz = 0;
390 switch(ret = gnutls_x509_crt_get_crl_dist_points(
391 (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
392 {
393 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
394 return list;
395 case GNUTLS_E_SHORT_MEMORY_BUFFER:
396 break;
397 default:
398 return g_err("gc0", __FUNCTION__, ret);
399 }
400
401 ele = store_get(siz+1);
402 if ((ret = gnutls_x509_crt_get_crl_dist_points(
403 (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
404 return g_err("gc1", __FUNCTION__, ret);
405
406 ele[siz] = '\0';
407 list = string_append_listele(list, sep, ele);
408 }
409 /*NOTREACHED*/
410 }
411
412
413 /*****************************************************
414 * Certificate operator routines
415 *****************************************************/
416 static uschar *
417 fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
418 {
419 int ret;
420 size_t siz = 0;
421 uschar * cp;
422 uschar * cp2;
423 uschar * cp3;
424
425 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
426 != GNUTLS_E_SHORT_MEMORY_BUFFER)
427 return g_err("gf0", __FUNCTION__, ret);
428
429 cp = store_get(siz*3+1);
430 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
431 return g_err("gf1", __FUNCTION__, ret);
432
433 for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2)
434 sprintf(cp3, "%02X",*cp);
435 return cp2;
436 }
437
438
439 uschar *
440 tls_cert_fprt_md5(void * cert)
441 {
442 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
443 }
444
445 uschar *
446 tls_cert_fprt_sha1(void * cert)
447 {
448 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
449 }
450
451 uschar *
452 tls_cert_fprt_sha256(void * cert)
453 {
454 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
455 }
456
457
458 /* vi: aw ai sw=2
459 */
460 /* End of tlscert-gnu.c */