src/src/tlscert-gnu.c

   1 /*************************************************
   2 *     Exim - an Internet mail transport agent    *
   3 *************************************************/
   4
   5 /* Copyright (c) Jeremy Harris 2014 */
   6
   7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
   8 one of the available supported implementations.  This file is #included into
   9 tls.c when USE_GNUTLS has been set.
  10 */
  11
  12 #include <gnutls/gnutls.h>
  13 /* needed for cert checks in verification and DN extraction: */
  14 #include <gnutls/x509.h>
  15 /* needed to disable PKCS11 autoload unless requested */
  16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
  17 # include <gnutls/pkcs11.h>
  18 #endif
  19
  20
  21 /*****************************************************
  22 *  Export/import a certificate, binary/printable
  23 *****************************************************/
  24 int
  25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
  26 {
  27 size_t sz = buflen;
  28 void * reset_point = store_get(0);
  29 int fail;
  30 uschar * cp;
  31
  32 if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
  33     GNUTLS_X509_FMT_PEM, buf, &sz)))
  34   {
  35   log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
  36     gnutls_strerror(fail));
  37   return 1;
  38   }
  39 if ((cp = string_printing(buf)) != buf)
  40   {
  41   Ustrncpy(buf, cp, buflen);
  42   if (buf[buflen-1])
  43     fail = 1;
  44   }
  45 store_reset(reset_point);
  46 return fail;
  47 }
  48
  49 int
  50 tls_import_cert(const uschar * buf, void ** cert)
  51 {
  52 void * reset_point = store_get(0);
  53 gnutls_datum_t datum;
  54 gnutls_x509_crt_t crt;
  55 int fail = 0;
  56
  57 gnutls_global_init();
  58 gnutls_x509_crt_init(&crt);
  59
  60 datum.data = string_unprinting(US buf);
  61 datum.size = Ustrlen(datum.data);
  62 if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
  63   {
  64   log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
  65     gnutls_strerror(fail));
  66   fail = 1;
  67   }
  68 else
  69   *cert = (void *)crt;
  70
  71 store_reset(reset_point);
  72 return fail;
  73 }
  74
  75 void
  76 tls_free_cert(void * cert)
  77 {
  78 gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
  79 gnutls_global_deinit();
  80 }
  81
  82 /*****************************************************
  83 *  Certificate field extraction routines
  84 *****************************************************/
  85
  86 /* First, some internal service functions */
  87
  88 static uschar *
  89 g_err(const char * tag, const char * from, int gnutls_err)
  90 {
  91 expand_string_message = string_sprintf("%s: %s fail: %s\n",
  92   from, tag, gnutls_strerror(gnutls_err));
  93 return NULL;
  94 }
  95
  96
  97 static uschar *
  98 time_copy(time_t t, uschar * mod)
  99 {
 100 uschar * cp;
 101 size_t len = 32;
 102
 103 if (mod && Ustrcmp(mod, "int") == 0)
 104   return string_sprintf("%u", (unsigned)t);
 105
 106 cp = store_get(len);
 107 if (timestamps_utc)
 108   {
 109   char * tz = to_tz("GMT0");
 110   len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
 111   restore_tz(tz);
 112   }
 113 else
 114   len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
 115 return len > 0 ? cp : NULL;
 116 }
 117
 118
 119 /**/
 120 /* Now the extractors, called from expand.c
 121 Arguments:
 122   cert          The certificate
 123   mod           Optional modifiers for the operator
 124
 125 Return:
 126   Allocated string with extracted value
 127 */
 128
 129 uschar *
 130 tls_cert_issuer(void * cert, uschar * mod)
 131 {
 132 uschar * cp = NULL;
 133 int ret;
 134 size_t siz = 0;
 135
 136 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz))
 137     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 138   return g_err("gi0", __FUNCTION__, ret);
 139
 140 cp = store_get(siz);
 141 if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0)
 142   return g_err("gi1", __FUNCTION__, ret);
 143
 144 return mod ? tls_field_from_dn(cp, mod) : cp;
 145 }
 146
 147 uschar *
 148 tls_cert_not_after(void * cert, uschar * mod)
 149 {
 150 return time_copy(
 151   gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
 152   mod);
 153 }
 154
 155 uschar *
 156 tls_cert_not_before(void * cert, uschar * mod)
 157 {
 158 return time_copy(
 159   gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
 160   mod);
 161 }
 162
 163 uschar *
 164 tls_cert_serial_number(void * cert, uschar * mod)
 165 {
 166 uschar bin[50], txt[150];
 167 size_t sz = sizeof(bin);
 168 uschar * sp;
 169 uschar * dp;
 170 int ret;
 171
 172 if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
 173     bin, &sz)))
 174   return g_err("gs0", __FUNCTION__, ret);
 175
 176 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
 177   sprintf(dp, "%.2x", *sp);
 178 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;      /* leading zeroes */
 179 return string_copy(sp);
 180 }
 181
 182 uschar *
 183 tls_cert_signature(void * cert, uschar * mod)
 184 {
 185 uschar * cp1;
 186 uschar * cp2;
 187 uschar * cp3;
 188 size_t len = 0;
 189 int ret;
 190
 191 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len))
 192     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 193   return g_err("gs0", __FUNCTION__, ret);
 194
 195 cp1 = store_get(len*4+1);
 196 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
 197   return g_err("gs1", __FUNCTION__, ret);
 198
 199 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
 200   sprintf(cp3, "%.2x ", *cp1);
 201 cp3[-1]= '\0';
 202
 203 return cp2;
 204 }
 205
 206 uschar *
 207 tls_cert_signature_algorithm(void * cert, uschar * mod)
 208 {
 209 gnutls_sign_algorithm_t algo =
 210   gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
 211 return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
 212 }
 213
 214 uschar *
 215 tls_cert_subject(void * cert, uschar * mod)
 216 {
 217 uschar * cp = NULL;
 218 int ret;
 219 size_t siz = 0;
 220
 221 if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz))
 222     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 223   return g_err("gs0", __FUNCTION__, ret);
 224
 225 cp = store_get(siz);
 226 if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0)
 227   return g_err("gs1", __FUNCTION__, ret);
 228
 229 return mod ? tls_field_from_dn(cp, mod) : cp;
 230 }
 231
 232 uschar *
 233 tls_cert_version(void * cert, uschar * mod)
 234 {
 235 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
 236 }
 237
 238 uschar *
 239 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
 240 {
 241 uschar * cp1 = NULL;
 242 uschar * cp2;
 243 uschar * cp3;
 244 size_t siz = 0;
 245 unsigned int crit;
 246 int ret;
 247
 248 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 249   oid, idx, cp1, &siz, &crit);
 250 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
 251   return g_err("ge0", __FUNCTION__, ret);
 252
 253 cp1 = store_get(siz*4 + 1);
 254
 255 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 256   oid, idx, cp1, &siz, &crit);
 257 if (ret < 0)
 258   return g_err("ge1", __FUNCTION__, ret);
 259
 260 /* binary data, DER encoded */
 261
 262 /* just dump for now */
 263 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
 264   sprintf(cp3, "%.2x ", *cp1);
 265 cp3[-1]= '\0';
 266
 267 return cp2;
 268 }
 269
 270 uschar *
 271 tls_cert_subject_altname(void * cert, uschar * mod)
 272 {
 273 uschar * list = NULL;
 274 int index;
 275 size_t siz;
 276 int ret;
 277 uschar sep = '\n';
 278 uschar * tag = US"";
 279 uschar * ele;
 280 int match = -1;
 281
 282 while (mod)
 283   {
 284   if (*mod == '>' && *++mod) sep = *mod++;
 285   else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
 286   else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
 287   else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
 288   else continue;
 289
 290   if (*mod++ != ',')
 291     break;
 292   }
 293
 294 for(index = 0;; index++)
 295   {
 296   siz = 0;
 297   switch(ret = gnutls_x509_crt_get_subject_alt_name(
 298       (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
 299     {
 300     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 301       return list;      /* no more elements; normal exit */
 302
 303     case GNUTLS_E_SHORT_MEMORY_BUFFER:
 304       break;
 305
 306     default:
 307       return g_err("gs0", __FUNCTION__, ret);
 308     }
 309
 310   ele = store_get(siz+1);
 311   if ((ret = gnutls_x509_crt_get_subject_alt_name(
 312     (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
 313     return g_err("gs1", __FUNCTION__, ret);
 314   ele[siz] = '\0';
 315
 316   if (  match != -1 && match != ret     /* wrong type of SAN */
 317      || Ustrlen(ele) != siz)            /* contains a NUL */
 318     continue;
 319   switch (ret)
 320     {
 321     case GNUTLS_SAN_DNSNAME:    tag = US"DNS";  break;
 322     case GNUTLS_SAN_URI:        tag = US"URI";  break;
 323     case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
 324     default: continue;        /* ignore unrecognised types */
 325     }
 326   list = string_append_listele(list, sep,
 327           match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
 328   }
 329 /*NOTREACHED*/
 330 }
 331
 332 uschar *
 333 tls_cert_ocsp_uri(void * cert, uschar * mod)
 334 {
 335 #if GNUTLS_VERSION_NUMBER >= 0x030000
 336 gnutls_datum_t uri;
 337 int ret;
 338 uschar sep = '\n';
 339 int index;
 340 uschar * list = NULL;
 341
 342 if (mod)
 343   if (*mod == '>' && *++mod) sep = *mod++;
 344
 345 for(index = 0;; index++)
 346   {
 347   ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
 348           index, GNUTLS_IA_OCSP_URI, &uri, NULL);
 349
 350   if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
 351     return list;
 352   if (ret < 0)
 353     return g_err("gai", __FUNCTION__, ret);
 354
 355   list = string_append_listele(list, sep,
 356             string_copyn(uri.data, uri.size));
 357   }
 358 /*NOTREACHED*/
 359
 360 #else
 361
 362 expand_string_message =
 363   string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
 364     __FUNCTION__);
 365 return NULL;
 366
 367 #endif
 368 }
 369
 370 uschar *
 371 tls_cert_crl_uri(void * cert, uschar * mod)
 372 {
 373 int ret;
 374 size_t siz;
 375 uschar sep = '\n';
 376 int index;
 377 uschar * list = NULL;
 378 uschar * ele;
 379
 380 if (mod)
 381   if (*mod == '>' && *++mod) sep = *mod++;
 382
 383 for(index = 0;; index++)
 384   {
 385   siz = 0;
 386   switch(ret = gnutls_x509_crt_get_crl_dist_points(
 387     (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
 388     {
 389     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 390       return list;
 391     case GNUTLS_E_SHORT_MEMORY_BUFFER:
 392       break;
 393     default:
 394       return g_err("gc0", __FUNCTION__, ret);
 395     }
 396
 397   ele = store_get(siz+1);
 398   if ((ret = gnutls_x509_crt_get_crl_dist_points(
 399       (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
 400     return g_err("gc1", __FUNCTION__, ret);
 401
 402   ele[siz] = '\0';
 403   list = string_append_listele(list, sep, ele);
 404   }
 405 /*NOTREACHED*/
 406 }
 407
 408
 409 /*****************************************************
 410 *  Certificate operator routines
 411 *****************************************************/
 412 static uschar *
 413 fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
 414 {
 415 int ret;
 416 size_t siz = 0;
 417 uschar * cp;
 418 uschar * cp2;
 419 uschar * cp3;
 420
 421 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
 422     != GNUTLS_E_SHORT_MEMORY_BUFFER)
 423   return g_err("gf0", __FUNCTION__, ret);
 424
 425 cp = store_get(siz*3+1);
 426 if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
 427   return g_err("gf1", __FUNCTION__, ret);
 428
 429 for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2)
 430   sprintf(cp3, "%02X",*cp);
 431 return cp2;
 432 }
 433
 434
 435 uschar *
 436 tls_cert_fprt_md5(void * cert)
 437 {
 438 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
 439 }
 440
 441 uschar *
 442 tls_cert_fprt_sha1(void * cert)
 443 {
 444 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
 445 }
 446
 447 uschar *
 448 tls_cert_fprt_sha256(void * cert)
 449 {
 450 return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
 451 }
 452
 453
 454 /* vi: aw ai sw=2
 455 */
 456 /* End of tlscert-gnu.c */