projects / exim.git / blob
? search:


61b526a69431fe1db2c9644a9986001f646ddf9e
[exim.git] / src / src / tlscert-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) Jeremy Harris 2014 */
6
7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
8 one of the available supported implementations. This file is #included into
9 tls.c when USE_GNUTLS has been set.
10 */
11
12 #include <gnutls/gnutls.h>
13 /* needed for cert checks in verification and DN extraction: */
14 #include <gnutls/x509.h>
15 /* needed to disable PKCS11 autoload unless requested */
16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
17 # include <gnutls/pkcs11.h>
18 #endif
19
20
21 /*****************************************************
22 * Export/import a certificate, binary/printable
23 *****************************************************/
24 int
25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
26 {
27 size_t sz = buflen;
28 void * reset_point = store_get(0);
29 int fail = 0;
30 uschar * cp;
31
32 if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
33 GNUTLS_X509_FMT_PEM, buf, &sz))
34 return 1;
35 if ((cp = string_printing(buf)) != buf)
36 {
37 Ustrncpy(buf, cp, buflen);
38 if (buf[buflen-1])
39 fail = 1;
40 }
41 store_reset(reset_point);
42 return fail;
43 }
44
45 int
46 tls_import_cert(const uschar * buf, void ** cert)
47 {
48 void * reset_point = store_get(0);
49 gnutls_datum_t datum;
50 gnutls_x509_crt_t crt;
51 int fail = 0;
52
53 gnutls_global_init();
54 gnutls_x509_crt_init(&crt);
55
56 datum.data = string_unprinting(US buf);
57 datum.size = Ustrlen(datum.data);
58 if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))
59 fail = 1;
60 else
61 *cert = (void *)crt;
62
63 store_reset(reset_point);
64 return fail;
65 }
66
67 void
68 tls_free_cert(void * cert)
69 {
70 gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
71 gnutls_global_deinit();
72 }
73
74 /*****************************************************
75 * Certificate field extraction routines
76 *****************************************************/
77 static uschar *
78 time_copy(time_t t)
79 {
80 uschar * cp = store_get(32);
81 struct tm * tp = gmtime(&t);
82 size_t len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
83 return len > 0 ? cp : NULL;
84 }
85
86 /**/
87
88 uschar *
89 tls_cert_issuer(void * cert, uschar * mod)
90 {
91 uschar txt[256];
92 size_t sz = sizeof(txt);
93 return ( gnutls_x509_crt_get_issuer_dn(cert, CS txt, &sz) == 0 )
94 ? string_copy(txt) : NULL;
95 }
96
97 uschar *
98 tls_cert_not_after(void * cert, uschar * mod)
99 {
100 return time_copy(
101 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert));
102 }
103
104 uschar *
105 tls_cert_not_before(void * cert, uschar * mod)
106 {
107 return time_copy(
108 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert));
109 }
110
111 uschar *
112 tls_cert_serial_number(void * cert, uschar * mod)
113 {
114 uschar bin[50], txt[150];
115 size_t sz = sizeof(bin);
116 uschar * sp;
117 uschar * dp;
118
119 if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
120 bin, &sz) || sz > sizeof(bin))
121 return NULL;
122 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
123 sprintf(dp, "%.2x", *sp);
124 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
125 return string_copy(sp);
126 }
127
128 uschar *
129 tls_cert_signature(void * cert, uschar * mod)
130 {
131 uschar * cp1;
132 uschar * cp2;
133 uschar * cp3;
134 size_t len = 0;
135 int ret;
136
137 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len)) !=
138 GNUTLS_E_SHORT_MEMORY_BUFFER)
139 {
140 fprintf(stderr, "%s: gs0 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
141 return NULL;
142 }
143
144 cp1 = store_get(len*4+1);
145
146 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
147 {
148 fprintf(stderr, "%s: gs1 fail\n", __FUNCTION__);
149 return NULL;
150 }
151
152 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
153 sprintf(cp3, "%.2x ", *cp1);
154 cp3[-1]= '\0';
155
156 return cp2;
157 }
158
159 uschar *
160 tls_cert_signature_algorithm(void * cert, uschar * mod)
161 {
162 gnutls_sign_algorithm_t algo =
163 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
164 return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
165 }
166
167 uschar *
168 tls_cert_subject(void * cert, uschar * mod)
169 {
170 static uschar txt[256];
171 size_t sz = sizeof(txt);
172 return ( gnutls_x509_crt_get_dn(cert, CS txt, &sz) == 0 )
173 ? string_copy(txt) : NULL;
174 }
175
176 uschar *
177 tls_cert_version(void * cert, uschar * mod)
178 {
179 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
180 }
181
182 uschar *
183 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
184 {
185 uschar * cp1 = NULL;
186 uschar * cp2;
187 uschar * cp3;
188 size_t siz = 0;
189 unsigned int crit;
190 int ret;
191
192 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
193 oid, idx, cp1, &siz, &crit);
194 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
195 {
196 fprintf(stderr, "%s: ge0 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
197 return NULL;
198 }
199
200 cp1 = store_get(siz*4 + 1);
201
202 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
203 oid, idx, cp1, &siz, &crit);
204 if (ret < 0)
205 {
206 fprintf(stderr, "%s: ge1 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
207 return NULL;
208 }
209
210 /* binary data, DER encoded */
211
212 /* just dump for now */
213 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
214 sprintf(cp3, "%.2x ", *cp1);
215 cp3[-1]= '\0';
216
217 return cp2;
218 }
219
220 uschar *
221 tls_cert_subject_altname(void * cert, uschar * mod)
222 {
223 uschar * list = NULL;
224 int index;
225 size_t siz;
226 int ret;
227 uschar sep = '\n';
228 uschar * tag = US"";
229 uschar * ele;
230 int match = -1;
231
232 while (mod)
233 {
234 if (*mod == '>' && *++mod) sep = *mod++;
235 else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
236 else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
237 else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
238 else continue;
239
240 if (*mod++ != ',')
241 break;
242 }
243
244 for(index = 0;; index++)
245 {
246 siz = 0;
247 switch(ret = gnutls_x509_crt_get_subject_alt_name(
248 (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
249 {
250 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
251 return list; /* no more elements; normal exit */
252
253 case GNUTLS_E_SHORT_MEMORY_BUFFER:
254 break;
255
256 default:
257 expand_string_message =
258 string_sprintf("%s: gs0 fail: %d %s\n", __FUNCTION__,
259 ret, gnutls_strerror(ret));
260 return NULL;
261 }
262
263 ele = store_get(siz+1);
264 if ((ret = gnutls_x509_crt_get_subject_alt_name(
265 (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
266 {
267 expand_string_message =
268 string_sprintf("%s: gs1 fail: %d %s\n", __FUNCTION__,
269 ret, gnutls_strerror(ret));
270 return NULL;
271 }
272 ele[siz] = '\0';
273
274 if (match != -1 && match != ret)
275 continue;
276 switch (ret)
277 {
278 case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break;
279 case GNUTLS_SAN_URI: tag = US"URI"; break;
280 case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
281 default: continue; /* ignore unrecognised types */
282 }
283 list = string_append_listele(list, sep,
284 match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
285 }
286 /*NOTREACHED*/
287 }
288
289 uschar *
290 tls_cert_ocsp_uri(void * cert, uschar * mod)
291 {
292 #if GNUTLS_VERSION_NUMBER >= 0x030000
293 gnutls_datum_t uri;
294 int ret;
295 uschar sep = '\n';
296 int index;
297 uschar * list = NULL;
298
299 if (mod)
300 if (*mod == '>' && *++mod) sep = *mod++;
301
302 for(index = 0;; index++)
303 {
304 ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
305 index, GNUTLS_IA_OCSP_URI, &uri, NULL);
306
307 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
308 return list;
309 if (ret < 0)
310 {
311 expand_string_message =
312 string_sprintf("%s: gai fail: %d %s\n", __FUNCTION__,
313 ret, gnutls_strerror(ret));
314 return NULL;
315 }
316
317 list = string_append_listele(list, sep,
318 string_copyn(uri.data, uri.size));
319 }
320 /*NOTREACHED*/
321
322 #else
323
324 expand_string_message =
325 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
326 __FUNCTION__);
327 return NULL;
328
329 #endif
330 }
331
332 uschar *
333 tls_cert_crl_uri(void * cert, uschar * mod)
334 {
335 int ret;
336 size_t siz;
337 uschar sep = '\n';
338 int index;
339 uschar * list = NULL;
340 uschar * ele;
341
342 if (mod)
343 if (*mod == '>' && *++mod) sep = *mod++;
344
345 for(index = 0;; index++)
346 {
347 siz = 0;
348 switch(ret = gnutls_x509_crt_get_crl_dist_points(
349 (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
350 {
351 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
352 return list;
353 case GNUTLS_E_SHORT_MEMORY_BUFFER:
354 break;
355 default:
356 expand_string_message =
357 string_sprintf("%s: gc0 fail: %d %s\n", __FUNCTION__,
358 ret, gnutls_strerror(ret));
359 return NULL;
360 }
361
362 ele = store_get(siz+1);
363 if ((ret = gnutls_x509_crt_get_crl_dist_points(
364 (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
365 {
366 expand_string_message =
367 string_sprintf("%s: gc1 fail: %d %s\n", __FUNCTION__,
368 ret, gnutls_strerror(ret));
369 return NULL;
370 }
371 ele[siz] = '\0';
372 list = string_append_listele(list, sep, ele);
373 }
374 /*NOTREACHED*/
375 }
376
377
378 /* vi: aw ai sw=2
379 */
380 /* End of tlscert-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.