HCoop / hcoop / debian / exim4.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Import Upstream version 4.89
[hcoop/debian/exim4.git] / src / tlscert-gnu.c
CommitLineData
420a0d19
CE		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
2813c06e 5/* Copyright (c) Jeremy Harris 2014 - 2015 */
420a0d19
CE		 6
7/* This file provides TLS/SSL support for Exim using the GnuTLS library,
8one of the available supported implementations. This file is #included into
9tls.c when USE_GNUTLS has been set.
10*/
11
12#include <gnutls/gnutls.h>
13/* needed for cert checks in verification and DN extraction: */
14#include <gnutls/x509.h>
15/* needed to disable PKCS11 autoload unless requested */
16#if GNUTLS_VERSION_NUMBER >= 0x020c00
17# include <gnutls/pkcs11.h>
18#endif
19
20
21/*****************************************************
22* Export/import a certificate, binary/printable
23*****************************************************/
24int
25tls_export_cert(uschar * buf, size_t buflen, void * cert)
26{
27size_t sz = buflen;
28void * reset_point = store_get(0);
29int fail;
2813c06e 30const uschar * cp;
420a0d19
CE		 31
32if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
33 GNUTLS_X509_FMT_PEM, buf, &sz)))
34 {
35 log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
36 gnutls_strerror(fail));
37 return 1;
38 }
39if ((cp = string_printing(buf)) != buf)
40 {
41 Ustrncpy(buf, cp, buflen);
42 if (buf[buflen-1])
43 fail = 1;
44 }
45store_reset(reset_point);
46return fail;
47}
48
49int
50tls_import_cert(const uschar * buf, void ** cert)
51{
52void * reset_point = store_get(0);
53gnutls_datum_t datum;
2813c06e 54gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
420a0d19
CE		 55int fail = 0;
56
2813c06e
CE		 57if (crt)
58 gnutls_x509_crt_deinit(crt);
59else
60 gnutls_global_init();
61
420a0d19
CE		 62gnutls_x509_crt_init(&crt);
63
64datum.data = string_unprinting(US buf);
65datum.size = Ustrlen(datum.data);
66if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
67 {
68 log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
69 gnutls_strerror(fail));
70 fail = 1;
71 }
72else
73 *cert = (void *)crt;
74
75store_reset(reset_point);
76return fail;
77}
78
79void
2813c06e 80tls_free_cert(void ** cert)
420a0d19 81{
2813c06e
CE		 82gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
83if (crt)
84 {
85 gnutls_x509_crt_deinit(crt);
86 gnutls_global_deinit();
87 *cert = NULL;
88 }
420a0d19
CE		 89}
90
91/*****************************************************
92* Certificate field extraction routines
93*****************************************************/
94
95/* First, some internal service functions */
96
97static uschar *
98g_err(const char * tag, const char * from, int gnutls_err)
99{
100expand_string_message = string_sprintf("%s: %s fail: %s\n",
101 from, tag, gnutls_strerror(gnutls_err));
102return NULL;
103}
104
105
106static uschar *
107time_copy(time_t t, uschar * mod)
108{
109uschar * cp;
2813c06e 110size_t len = 32;
420a0d19
CE		 111
112if (mod && Ustrcmp(mod, "int") == 0)
113 return string_sprintf("%u", (unsigned)t);
114
2813c06e
CE		 115cp = store_get(len);
116if (timestamps_utc)
117 {
118 uschar * tz = to_tz(US"GMT0");
119 len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
120 restore_tz(tz);
121 }
122else
123 len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
420a0d19
CE		 124return len > 0 ? cp : NULL;
125}
126
127
128/**/
129/* Now the extractors, called from expand.c
130Arguments:
131 cert The certificate
132 mod Optional modifiers for the operator
133
134Return:
135 Allocated string with extracted value
136*/
137
138uschar *
139tls_cert_issuer(void * cert, uschar * mod)
140{
141uschar * cp = NULL;
142int ret;
143size_t siz = 0;
144
2813c06e 145if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz))
420a0d19
CE		 146 != GNUTLS_E_SHORT_MEMORY_BUFFER)
147 return g_err("gi0", __FUNCTION__, ret);
148
149cp = store_get(siz);
2813c06e 150if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0)
420a0d19
CE		 151 return g_err("gi1", __FUNCTION__, ret);
152
153return mod ? tls_field_from_dn(cp, mod) : cp;
154}
155
156uschar *
157tls_cert_not_after(void * cert, uschar * mod)
158{
159return time_copy(
160 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
161 mod);
162}
163
164uschar *
165tls_cert_not_before(void * cert, uschar * mod)
166{
167return time_copy(
168 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
169 mod);
170}
171
172uschar *
173tls_cert_serial_number(void * cert, uschar * mod)
174{
175uschar bin[50], txt[150];
176size_t sz = sizeof(bin);
177uschar * sp;
178uschar * dp;
179int ret;
180
181if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
182 bin, &sz)))
183 return g_err("gs0", __FUNCTION__, ret);
184
185for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
2813c06e 186 sprintf(CS dp, "%.2x", *sp);
420a0d19
CE		 187for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
188return string_copy(sp);
189}
190
191uschar *
192tls_cert_signature(void * cert, uschar * mod)
193{
2813c06e 194uschar * cp1 = NULL;
420a0d19
CE		 195uschar * cp2;
196uschar * cp3;
197size_t len = 0;
198int ret;
199
2813c06e 200if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len))
420a0d19
CE		 201 != GNUTLS_E_SHORT_MEMORY_BUFFER)
202 return g_err("gs0", __FUNCTION__, ret);
203
204cp1 = store_get(len*4+1);
2813c06e 205if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0)
420a0d19
CE		 206 return g_err("gs1", __FUNCTION__, ret);
207
208for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
2813c06e 209 sprintf(CS cp3, "%.2x ", *cp1);
420a0d19
CE		 210cp3[-1]= '\0';
211
212return cp2;
213}
214
215uschar *
216tls_cert_signature_algorithm(void * cert, uschar * mod)
217{
218gnutls_sign_algorithm_t algo =
219 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
2813c06e 220return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo));
420a0d19
CE		 221}
222
223uschar *
224tls_cert_subject(void * cert, uschar * mod)
225{
226uschar * cp = NULL;
227int ret;
228size_t siz = 0;
229
2813c06e 230if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz))
420a0d19
CE		 231 != GNUTLS_E_SHORT_MEMORY_BUFFER)
232 return g_err("gs0", __FUNCTION__, ret);
233
234cp = store_get(siz);
2813c06e 235if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0)
420a0d19
CE		 236 return g_err("gs1", __FUNCTION__, ret);
237
238return mod ? tls_field_from_dn(cp, mod) : cp;
239}
240
241uschar *
242tls_cert_version(void * cert, uschar * mod)
243{
244return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
245}
246
247uschar *
248tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
249{
250uschar * cp1 = NULL;
251uschar * cp2;
252uschar * cp3;
253size_t siz = 0;
254unsigned int crit;
255int ret;
256
257ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
2813c06e 258 oid, idx, CS cp1, &siz, &crit);
420a0d19
CE		 259if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
260 return g_err("ge0", __FUNCTION__, ret);
261
262cp1 = store_get(siz*4 + 1);
263
264ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
2813c06e 265 oid, idx, CS cp1, &siz, &crit);
420a0d19
CE		 266if (ret < 0)
267 return g_err("ge1", __FUNCTION__, ret);
268
269/* binary data, DER encoded */
270
271/* just dump for now */
272for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
2813c06e 273 sprintf(CS cp3, "%.2x ", *cp1);
420a0d19
CE		 274cp3[-1]= '\0';
275
276return cp2;
277}
278
279uschar *
280tls_cert_subject_altname(void * cert, uschar * mod)
281{
282uschar * list = NULL;
283int index;
284size_t siz;
285int ret;
286uschar sep = '\n';
287uschar * tag = US"";
288uschar * ele;
289int match = -1;
290
291while (mod)
292 {
293 if (*mod == '>' && *++mod) sep = *mod++;
294 else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
295 else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
296 else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
297 else continue;
298
299 if (*mod++ != ',')
300 break;
301 }
302
303for(index = 0;; index++)
304 {
305 siz = 0;
306 switch(ret = gnutls_x509_crt_get_subject_alt_name(
307 (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
308 {
309 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
310 return list; /* no more elements; normal exit */
311
312 case GNUTLS_E_SHORT_MEMORY_BUFFER:
313 break;
314
315 default:
316 return g_err("gs0", __FUNCTION__, ret);
317 }
318
319 ele = store_get(siz+1);
320 if ((ret = gnutls_x509_crt_get_subject_alt_name(
321 (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
322 return g_err("gs1", __FUNCTION__, ret);
323 ele[siz] = '\0';
324
325 if ( match != -1 && match != ret /* wrong type of SAN */
326 || Ustrlen(ele) != siz) /* contains a NUL */
327 continue;
328 switch (ret)
329 {
330 case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break;
2813c06e 331 case GNUTLS_SAN_URI: tag = US"URI"; break;
420a0d19
CE		 332 case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
333 default: continue; /* ignore unrecognised types */
334 }
2813c06e 335 list = string_append_listele(list, sep,
420a0d19
CE		 336 match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
337 }
338/*NOTREACHED*/
339}
340
341uschar *
342tls_cert_ocsp_uri(void * cert, uschar * mod)
343{
344#if GNUTLS_VERSION_NUMBER >= 0x030000
345gnutls_datum_t uri;
346int ret;
347uschar sep = '\n';
348int index;
349uschar * list = NULL;
350
351if (mod)
352 if (*mod == '>' && *++mod) sep = *mod++;
353
354for(index = 0;; index++)
355 {
356 ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
357 index, GNUTLS_IA_OCSP_URI, &uri, NULL);
358
359 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
360 return list;
361 if (ret < 0)
362 return g_err("gai", __FUNCTION__, ret);
363
364 list = string_append_listele(list, sep,
365 string_copyn(uri.data, uri.size));
366 }
367/*NOTREACHED*/
368
369#else
370
2813c06e 371expand_string_message =
420a0d19
CE		 372 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
373 __FUNCTION__);
374return NULL;
375
376#endif
377}
378
379uschar *
380tls_cert_crl_uri(void * cert, uschar * mod)
381{
382int ret;
383size_t siz;
384uschar sep = '\n';
385int index;
386uschar * list = NULL;
387uschar * ele;
388
389if (mod)
390 if (*mod == '>' && *++mod) sep = *mod++;
391
392for(index = 0;; index++)
393 {
394 siz = 0;
395 switch(ret = gnutls_x509_crt_get_crl_dist_points(
396 (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
397 {
398 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
399 return list;
400 case GNUTLS_E_SHORT_MEMORY_BUFFER:
401 break;
402 default:
403 return g_err("gc0", __FUNCTION__, ret);
404 }
405
406 ele = store_get(siz+1);
407 if ((ret = gnutls_x509_crt_get_crl_dist_points(
408 (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
409 return g_err("gc1", __FUNCTION__, ret);
410
411 ele[siz] = '\0';
412 list = string_append_listele(list, sep, ele);
413 }
414/*NOTREACHED*/
415}
416
417
418/*****************************************************
419* Certificate operator routines
420*****************************************************/
2813c06e
CE		 421uschar *
422tls_cert_der_b64(void * cert)
423{
424size_t len = 0;
425uschar * cp = NULL;
426int fail;
427
428if ( (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
429 GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
430 || !(cp = store_get((int)len))
431 || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
432 GNUTLS_X509_FMT_DER, cp, &len))
433 )
434 {
435 log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
436 gnutls_strerror(fail));
437 return NULL;
438 }
439return b64encode(cp, (int)len);
440}
441
442
420a0d19
CE		 443static uschar *
444fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
445{
446int ret;
447size_t siz = 0;
448uschar * cp;
449uschar * cp2;
450uschar * cp3;
451
452if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
453 != GNUTLS_E_SHORT_MEMORY_BUFFER)
454 return g_err("gf0", __FUNCTION__, ret);
455
456cp = store_get(siz*3+1);
457if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
458 return g_err("gf1", __FUNCTION__, ret);
459
460for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2)
2813c06e 461 sprintf(CS cp3, "%02X",*cp);
420a0d19
CE		 462return cp2;
463}
464
465
466uschar *
467tls_cert_fprt_md5(void * cert)
468{
469return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
470}
471
472uschar *
473tls_cert_fprt_sha1(void * cert)
474{
475return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
476}
477
478uschar *
479tls_cert_fprt_sha256(void * cert)
480{
481return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
482}
483
484
485/* vi: aw ai sw=2
486*/
487/* End of tlscert-gnu.c */
exim4 packaging