src/src/tlscert-gnu.c

   1 /*************************************************
   2 *     Exim - an Internet mail transport agent    *
   3 *************************************************/
   4
   5 /* Copyright (c) Jeremy Harris 2014 - 2018 */
   6
   7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
   8 one of the available supported implementations.  This file is #included into
   9 tls.c when USE_GNUTLS has been set.
  10 */
  11
  12 #include <gnutls/gnutls.h>
  13 /* needed for cert checks in verification and DN extraction: */
  14 #include <gnutls/x509.h>
  15 /* needed to disable PKCS11 autoload unless requested */
  16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
  17 # include <gnutls/pkcs11.h>
  18 #endif
  19
  20
  21 /*****************************************************
  22 *  Export/import a certificate, binary/printable
  23 *****************************************************/
  24 int
  25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
  26 {
  27 size_t sz = buflen;
  28 rmark reset_point = store_mark();
  29 int fail;
  30 const uschar * cp;
  31
  32 if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
  33     GNUTLS_X509_FMT_PEM, buf, &sz)))
  34   {
  35   log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
  36     gnutls_strerror(fail));
  37   return 1;
  38   }
  39 if ((cp = string_printing(buf)) != buf)
  40   {
  41   Ustrncpy(buf, cp, buflen);
  42   if (buf[buflen-1])
  43     fail = 1;
  44   }
  45 store_reset(reset_point);
  46 return fail;
  47 }
  48
  49 int
  50 tls_import_cert(const uschar * buf, void ** cert)
  51 {
  52 rmark reset_point = store_mark();
  53 gnutls_datum_t datum;
  54 gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
  55 int fail = 0;
  56
  57 if (crt)
  58   gnutls_x509_crt_deinit(crt);
  59 else
  60   gnutls_global_init();
  61
  62 gnutls_x509_crt_init(&crt);
  63
  64 datum.data = string_unprinting(US buf);
  65 datum.size = Ustrlen(datum.data);
  66 if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
  67   {
  68   log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
  69     gnutls_strerror(fail));
  70   fail = 1;
  71   }
  72 else
  73   *cert = (void *)crt;
  74
  75 store_reset(reset_point);
  76 return fail;
  77 }
  78
  79 void
  80 tls_free_cert(void ** cert)
  81 {
  82 gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
  83 if (crt)
  84   {
  85   gnutls_x509_crt_deinit(crt);
  86   gnutls_global_deinit();
  87   *cert = NULL;
  88   }
  89 }
  90
  91 /*****************************************************
  92 *  Certificate field extraction routines
  93 *****************************************************/
  94
  95 /* First, some internal service functions */
  96
  97 static uschar *
  98 g_err(const char * tag, const char * from, int gnutls_err)
  99 {
 100 expand_string_message = string_sprintf("%s: %s fail: %s\n",
 101   from, tag, gnutls_strerror(gnutls_err));
 102 return NULL;
 103 }
 104
 105
 106 static uschar *
 107 time_copy(time_t t, uschar * mod)
 108 {
 109 uschar * cp;
 110 size_t len = 32;
 111
 112 if (mod && Ustrcmp(mod, "int") == 0)
 113   return string_sprintf("%u", (unsigned)t);
 114
 115 cp = store_get(len, FALSE);
 116 if (f.timestamps_utc)
 117   {
 118   uschar * tz = to_tz(US"GMT0");
 119   len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
 120   restore_tz(tz);
 121   }
 122 else
 123   len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
 124 return len > 0 ? cp : NULL;
 125 }
 126
 127
 128 /**/
 129 /* Now the extractors, called from expand.c
 130 Arguments:
 131   cert          The certificate
 132   mod           Optional modifiers for the operator
 133
 134 Return:
 135   Allocated string with extracted value
 136 */
 137
 138 uschar *
 139 tls_cert_issuer(void * cert, uschar * mod)
 140 {
 141 uschar * cp = NULL;
 142 int ret;
 143 size_t siz = 0;
 144
 145 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz))
 146     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 147   return g_err("gi0", __FUNCTION__, ret);
 148
 149 cp = store_get(siz, TRUE);
 150 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0)
 151   return g_err("gi1", __FUNCTION__, ret);
 152
 153 return mod ? tls_field_from_dn(cp, mod) : cp;
 154 }
 155
 156 uschar *
 157 tls_cert_not_after(void * cert, uschar * mod)
 158 {
 159 return time_copy(
 160   gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
 161   mod);
 162 }
 163
 164 uschar *
 165 tls_cert_not_before(void * cert, uschar * mod)
 166 {
 167 return time_copy(
 168   gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
 169   mod);
 170 }
 171
 172 uschar *
 173 tls_cert_serial_number(void * cert, uschar * mod)
 174 {
 175 uschar bin[50], txt[150];
 176 uschar * sp = bin;
 177 size_t sz = sizeof(bin);
 178 int ret;
 179
 180 if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
 181     bin, &sz)))
 182   return g_err("gs0", __FUNCTION__, ret);
 183
 184 for(uschar * dp = txt; sz; sz--)
 185   dp += sprintf(CS dp, "%.2x", *sp++);
 186 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;      /* leading zeroes */
 187 return string_copy(sp);
 188 }
 189
 190 uschar *
 191 tls_cert_signature(void * cert, uschar * mod)
 192 {
 193 uschar * cp1 = NULL;
 194 uschar * cp2;
 195 uschar * cp3;
 196 size_t len = 0;
 197 int ret;
 198
 199 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len))
 200     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 201   return g_err("gs0", __FUNCTION__, ret);
 202
 203 cp1 = store_get(len*4+1, TRUE);
 204 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0)
 205   return g_err("gs1", __FUNCTION__, ret);
 206
 207 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp1++)
 208   cp3 += sprintf(CS cp3, "%.2x ", *cp1);
 209 cp3[-1]= '\0';
 210
 211 return cp2;
 212 }
 213
 214 uschar *
 215 tls_cert_signature_algorithm(void * cert, uschar * mod)
 216 {
 217 gnutls_sign_algorithm_t algo =
 218   gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
 219 return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo));
 220 }
 221
 222 uschar *
 223 tls_cert_subject(void * cert, uschar * mod)
 224 {
 225 uschar * cp = NULL;
 226 int ret;
 227 size_t siz = 0;
 228
 229 if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz))
 230     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 231   return g_err("gs0", __FUNCTION__, ret);
 232
 233 cp = store_get(siz, TRUE);
 234 if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0)
 235   return g_err("gs1", __FUNCTION__, ret);
 236
 237 return mod ? tls_field_from_dn(cp, mod) : cp;
 238 }
 239
 240 uschar *
 241 tls_cert_version(void * cert, uschar * mod)
 242 {
 243 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
 244 }
 245
 246 uschar *
 247 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
 248 {
 249 uschar * cp1 = NULL;
 250 uschar * cp2;
 251 uschar * cp3;
 252 size_t siz = 0;
 253 unsigned int crit;
 254 int ret;
 255
 256 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 257   CS oid, idx, CS cp1, &siz, &crit);
 258 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
 259   return g_err("ge0", __FUNCTION__, ret);
 260
 261 cp1 = store_get(siz*4 + 1, TRUE);
 262
 263 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 264   CS oid, idx, CS cp1, &siz, &crit);
 265 if (ret < 0)
 266   return g_err("ge1", __FUNCTION__, ret);
 267
 268 /* binary data, DER encoded */
 269
 270 /* just dump for now */
 271 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp1++)
 272   cp3 += sprintf(CS cp3, "%.2x ", *cp1);
 273 cp3[-1]= '\0';
 274
 275 return cp2;
 276 }
 277
 278 uschar *
 279 tls_cert_subject_altname(void * cert, uschar * mod)
 280 {
 281 gstring * list = NULL;
 282 size_t siz;
 283 int ret;
 284 uschar sep = '\n';
 285 uschar * tag = US"";
 286 uschar * ele;
 287 int match = -1;
 288
 289 while (mod)
 290   {
 291   if (*mod == '>' && *++mod) sep = *mod++;
 292   else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
 293   else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
 294   else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
 295   else continue;
 296
 297   if (*mod++ != ',')
 298     break;
 299   }
 300
 301 for (int index = 0;; index++)
 302   {
 303   siz = 0;
 304   switch(ret = gnutls_x509_crt_get_subject_alt_name(
 305       (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
 306     {
 307     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 308       return string_from_gstring(list); /* no more elements; normal exit */
 309
 310     case GNUTLS_E_SHORT_MEMORY_BUFFER:
 311       break;
 312
 313     default:
 314       return g_err("gs0", __FUNCTION__, ret);
 315     }
 316
 317   ele = store_get(siz+1, TRUE);
 318   if ((ret = gnutls_x509_crt_get_subject_alt_name(
 319     (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
 320     return g_err("gs1", __FUNCTION__, ret);
 321   ele[siz] = '\0';
 322
 323   if (  match != -1 && match != ret     /* wrong type of SAN */
 324      || Ustrlen(ele) != siz)            /* contains a NUL */
 325     continue;
 326   switch (ret)
 327     {
 328     case GNUTLS_SAN_DNSNAME:    tag = US"DNS";  break;
 329     case GNUTLS_SAN_URI:        tag = US"URI";  break;
 330     case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
 331     default: continue;        /* ignore unrecognised types */
 332     }
 333   list = string_append_listele(list, sep,
 334           match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
 335   }
 336 /*NOTREACHED*/
 337 }
 338
 339 uschar *
 340 tls_cert_ocsp_uri(void * cert, uschar * mod)
 341 {
 342 #if GNUTLS_VERSION_NUMBER >= 0x030000
 343 gnutls_datum_t uri;
 344 int ret;
 345 uschar sep = '\n';
 346 gstring * list = NULL;
 347
 348 if (mod)
 349   if (*mod == '>' && *++mod) sep = *mod++;
 350
 351 for (int index = 0;; index++)
 352   {
 353   ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
 354           index, GNUTLS_IA_OCSP_URI, &uri, NULL);
 355
 356   if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
 357     return string_from_gstring(list);
 358   if (ret < 0)
 359     return g_err("gai", __FUNCTION__, ret);
 360
 361   list = string_append_listele_n(list, sep, uri.data, uri.size);
 362   }
 363 /*NOTREACHED*/
 364
 365 #else
 366
 367 expand_string_message =
 368   string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
 369     __FUNCTION__);
 370 return NULL;
 371
 372 #endif
 373 }
 374
 375 uschar *
 376 tls_cert_crl_uri(void * cert, uschar * mod)
 377 {
 378 int ret;
 379 uschar sep = '\n';
 380 gstring * list = NULL;
 381 uschar * ele;
 382
 383 if (mod)
 384   if (*mod == '>' && *++mod) sep = *mod++;
 385
 386 for (int index = 0;; index++)
 387   {
 388   size_t siz = 0;
 389   switch(ret = gnutls_x509_crt_get_crl_dist_points(
 390     (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
 391     {
 392     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 393       return string_from_gstring(list);
 394     case GNUTLS_E_SHORT_MEMORY_BUFFER:
 395       break;
 396     default:
 397       return g_err("gc0", __FUNCTION__, ret);
 398     }
 399
 400   ele = store_get(siz, TRUE);
 401   if ((ret = gnutls_x509_crt_get_crl_dist_points(
 402       (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
 403     return g_err("gc1", __FUNCTION__, ret);
 404
 405   list = string_append_listele_n(list, sep, ele, siz);
 406   }
 407 /*NOTREACHED*/
 408 }
 409
 410
 411 /*****************************************************
 412 *  Certificate operator routines
 413 *****************************************************/
 414 uschar *
 415 tls_cert_der_b64(void * cert)
 416 {
 417 size_t len = 0;
 418 uschar * cp = NULL;
 419 int fail;
 420
 421 if (  (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
 422         GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
 423    || !(cp = store_get((int)len, TRUE), TRUE)   /* tainted */
 424    || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
 425         GNUTLS_X509_FMT_DER, cp, &len))
 426    )
 427   {
 428   log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
 429     gnutls_strerror(fail));
 430   return NULL;
 431   }
 432 return b64encode(CUS cp, (int)len);
 433 }
 434
 435
 436 static uschar *
 437 fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
 438 {
 439 int ret;
 440 size_t siz = 0;
 441 uschar * cp;
 442 uschar * cp2;
 443
 444 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
 445     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 446   return g_err("gf0", __FUNCTION__, ret);
 447
 448 cp = store_get(siz*3+1, TRUE);
 449 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
 450   return g_err("gf1", __FUNCTION__, ret);
 451
 452 for (uschar * cp3 = cp2 = cp+siz; cp < cp2; cp++)
 453   cp3 += sprintf(CS cp3, "%02X", *cp);
 454 return cp2;
 455 }
 456
 457
 458 uschar *
 459 tls_cert_fprt_md5(void * cert)
 460 {
 461 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
 462 }
 463
 464 uschar *
 465 tls_cert_fprt_sha1(void * cert)
 466 {
 467 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
 468 }
 469
 470 uschar *
 471 tls_cert_fprt_sha256(void * cert)
 472 {
 473 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
 474 }
 475
 476
 477 /* vi: aw ai sw=2
 478 */
 479 /* End of tlscert-gnu.c */