1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Jeremy Harris 2014 */
7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
8 one of the available supported implementations. This file is #included into
9 tls.c when USE_GNUTLS has been set.
12 #include <gnutls/gnutls.h>
13 /* needed for cert checks in verification and DN extraction: */
14 #include <gnutls/x509.h>
15 /* needed to disable PKCS11 autoload unless requested */
16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
17 # include <gnutls/pkcs11.h>
21 /*****************************************************
22 * Export/import a certificate, binary/printable
23 *****************************************************/
25 tls_export_cert(uschar
* buf
, size_t buflen
, void * cert
)
28 void * reset_point
= store_get(0);
32 if ((fail
= gnutls_x509_crt_export((gnutls_x509_crt_t
)cert
,
33 GNUTLS_X509_FMT_PEM
, buf
, &sz
)))
35 log_write(0, LOG_MAIN
, "TLS error in certificate export: %s",
36 gnutls_strerror(fail
));
39 if ((cp
= string_printing(buf
)) != buf
)
41 Ustrncpy(buf
, cp
, buflen
);
45 store_reset(reset_point
);
50 tls_import_cert(const uschar
* buf
, void ** cert
)
52 void * reset_point
= store_get(0);
54 gnutls_x509_crt_t crt
;
58 gnutls_x509_crt_init(&crt
);
60 datum
.data
= string_unprinting(US buf
);
61 datum
.size
= Ustrlen(datum
.data
);
62 if ((fail
= gnutls_x509_crt_import(crt
, &datum
, GNUTLS_X509_FMT_PEM
)))
64 log_write(0, LOG_MAIN
, "TLS error in certificate import: %s",
65 gnutls_strerror(fail
));
71 store_reset(reset_point
);
76 tls_free_cert(void * cert
)
78 gnutls_x509_crt_deinit((gnutls_x509_crt_t
) cert
);
79 gnutls_global_deinit();
82 /*****************************************************
83 * Certificate field extraction routines
84 *****************************************************/
86 /* First, some internal service functions */
89 g_err(const char * tag
, const char * from
, int gnutls_err
)
91 expand_string_message
= string_sprintf("%s: %s fail: %s\n",
92 from
, tag
, gnutls_strerror(gnutls_err
));
98 time_copy(time_t t
, uschar
* mod
)
104 if (mod
&& Ustrcmp(mod
, "int") == 0)
105 return string_sprintf("%u", (unsigned)t
);
109 len
= strftime(CS cp
, 32, "%b %e %T %Y %Z", tp
);
110 return len
> 0 ? cp
: NULL
;
115 /* Now the extractors, called from expand.c
118 mod Optional modifiers for the operator
121 Allocated string with extracted value
125 tls_cert_issuer(void * cert
, uschar
* mod
)
131 if ((ret
= gnutls_x509_crt_get_issuer_dn(cert
, cp
, &siz
))
132 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
133 return g_err("gi0", __FUNCTION__
, ret
);
136 if ((ret
= gnutls_x509_crt_get_issuer_dn(cert
, cp
, &siz
)) < 0)
137 return g_err("gi1", __FUNCTION__
, ret
);
139 return mod
? tls_field_from_dn(cp
, mod
) : cp
;
143 tls_cert_not_after(void * cert
, uschar
* mod
)
146 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t
)cert
),
151 tls_cert_not_before(void * cert
, uschar
* mod
)
154 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t
)cert
),
159 tls_cert_serial_number(void * cert
, uschar
* mod
)
161 uschar bin
[50], txt
[150];
162 size_t sz
= sizeof(bin
);
167 if ((ret
= gnutls_x509_crt_get_serial((gnutls_x509_crt_t
)cert
,
169 return g_err("gs0", __FUNCTION__
, ret
);
171 for(dp
= txt
, sp
= bin
; sz
; dp
+= 2, sp
++, sz
--)
172 sprintf(dp
, "%.2x", *sp
);
173 for(sp
= txt
; sp
[0]=='0' && sp
[1]; ) sp
++; /* leading zeroes */
174 return string_copy(sp
);
178 tls_cert_signature(void * cert
, uschar
* mod
)
186 if ((ret
= gnutls_x509_crt_get_signature((gnutls_x509_crt_t
)cert
, cp1
, &len
))
187 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
188 return g_err("gs0", __FUNCTION__
, ret
);
190 cp1
= store_get(len
*4+1);
191 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t
)cert
, cp1
, &len
) != 0)
192 return g_err("gs1", __FUNCTION__
, ret
);
194 for(cp3
= cp2
= cp1
+len
; cp1
< cp2
; cp3
+= 3, cp1
++)
195 sprintf(cp3
, "%.2x ", *cp1
);
202 tls_cert_signature_algorithm(void * cert
, uschar
* mod
)
204 gnutls_sign_algorithm_t algo
=
205 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t
)cert
);
206 return algo
< 0 ? NULL
: string_copy(gnutls_sign_get_name(algo
));
210 tls_cert_subject(void * cert
, uschar
* mod
)
216 if ((ret
= gnutls_x509_crt_get_dn(cert
, cp
, &siz
))
217 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
218 return g_err("gs0", __FUNCTION__
, ret
);
221 if ((ret
= gnutls_x509_crt_get_dn(cert
, cp
, &siz
)) < 0)
222 return g_err("gs1", __FUNCTION__
, ret
);
224 return mod
? tls_field_from_dn(cp
, mod
) : cp
;
228 tls_cert_version(void * cert
, uschar
* mod
)
230 return string_sprintf("%d", gnutls_x509_crt_get_version(cert
));
234 tls_cert_ext_by_oid(void * cert
, uschar
* oid
, int idx
)
243 ret
= gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t
)cert
,
244 oid
, idx
, cp1
, &siz
, &crit
);
245 if (ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
246 return g_err("ge0", __FUNCTION__
, ret
);
248 cp1
= store_get(siz
*4 + 1);
250 ret
= gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t
)cert
,
251 oid
, idx
, cp1
, &siz
, &crit
);
253 return g_err("ge1", __FUNCTION__
, ret
);
255 /* binary data, DER encoded */
257 /* just dump for now */
258 for(cp3
= cp2
= cp1
+siz
; cp1
< cp2
; cp3
+= 3, cp1
++)
259 sprintf(cp3
, "%.2x ", *cp1
);
266 tls_cert_subject_altname(void * cert
, uschar
* mod
)
268 uschar
* list
= NULL
;
279 if (*mod
== '>' && *++mod
) sep
= *mod
++;
280 else if (Ustrcmp(mod
, "dns")==0) { match
= GNUTLS_SAN_DNSNAME
; mod
+= 3; }
281 else if (Ustrcmp(mod
, "uri")==0) { match
= GNUTLS_SAN_URI
; mod
+= 3; }
282 else if (Ustrcmp(mod
, "mail")==0) { match
= GNUTLS_SAN_RFC822NAME
; mod
+= 4; }
289 for(index
= 0;; index
++)
292 switch(ret
= gnutls_x509_crt_get_subject_alt_name(
293 (gnutls_x509_crt_t
)cert
, index
, NULL
, &siz
, NULL
))
295 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
:
296 return list
; /* no more elements; normal exit */
298 case GNUTLS_E_SHORT_MEMORY_BUFFER
:
302 return g_err("gs0", __FUNCTION__
, ret
);
305 ele
= store_get(siz
+1);
306 if ((ret
= gnutls_x509_crt_get_subject_alt_name(
307 (gnutls_x509_crt_t
)cert
, index
, ele
, &siz
, NULL
)) < 0)
308 return g_err("gs1", __FUNCTION__
, ret
);
311 if ( match
!= -1 && match
!= ret
/* wrong type of SAN */
312 || Ustrlen(ele
) != siz
) /* contains a NUL */
316 case GNUTLS_SAN_DNSNAME
: tag
= US
"DNS"; break;
317 case GNUTLS_SAN_URI
: tag
= US
"URI"; break;
318 case GNUTLS_SAN_RFC822NAME
: tag
= US
"MAIL"; break;
319 default: continue; /* ignore unrecognised types */
321 list
= string_append_listele(list
, sep
,
322 match
== -1 ? string_sprintf("%s=%s", tag
, ele
) : ele
);
328 tls_cert_ocsp_uri(void * cert
, uschar
* mod
)
330 #if GNUTLS_VERSION_NUMBER >= 0x030000
335 uschar
* list
= NULL
;
338 if (*mod
== '>' && *++mod
) sep
= *mod
++;
340 for(index
= 0;; index
++)
342 ret
= gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t
)cert
,
343 index
, GNUTLS_IA_OCSP_URI
, &uri
, NULL
);
345 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
348 return g_err("gai", __FUNCTION__
, ret
);
350 list
= string_append_listele(list
, sep
,
351 string_copyn(uri
.data
, uri
.size
));
357 expand_string_message
=
358 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
366 tls_cert_crl_uri(void * cert
, uschar
* mod
)
372 uschar
* list
= NULL
;
376 if (*mod
== '>' && *++mod
) sep
= *mod
++;
378 for(index
= 0;; index
++)
381 switch(ret
= gnutls_x509_crt_get_crl_dist_points(
382 (gnutls_x509_crt_t
)cert
, index
, NULL
, &siz
, NULL
, NULL
))
384 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
:
386 case GNUTLS_E_SHORT_MEMORY_BUFFER
:
389 return g_err("gc0", __FUNCTION__
, ret
);
392 ele
= store_get(siz
+1);
393 if ((ret
= gnutls_x509_crt_get_crl_dist_points(
394 (gnutls_x509_crt_t
)cert
, index
, ele
, &siz
, NULL
, NULL
)) < 0)
395 return g_err("gc1", __FUNCTION__
, ret
);
398 list
= string_append_listele(list
, sep
, ele
);
404 /*****************************************************
405 * Certificate operator routines
406 *****************************************************/
408 fingerprint(gnutls_x509_crt_t cert
, gnutls_digest_algorithm_t algo
)
416 if ((ret
= gnutls_x509_crt_get_fingerprint(cert
, algo
, NULL
, &siz
))
417 != GNUTLS_E_SHORT_MEMORY_BUFFER
)
418 return g_err("gf0", __FUNCTION__
, ret
);
420 cp
= store_get(siz
*3+1);
421 if ((ret
= gnutls_x509_crt_get_fingerprint(cert
, algo
, cp
, &siz
)) < 0)
422 return g_err("gf1", __FUNCTION__
, ret
);
424 for (cp3
= cp2
= cp
+siz
; cp
< cp2
; cp
++, cp3
+=2)
425 sprintf(cp3
, "%02X",*cp
);
431 tls_cert_fprt_md5(void * cert
)
433 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_MD5
);
437 tls_cert_fprt_sha1(void * cert
)
439 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_SHA1
);
443 tls_cert_fprt_sha256(void * cert
)
445 return fingerprint((gnutls_x509_crt_t
)cert
, GNUTLS_DIG_SHA256
);
451 /* End of tlscert-gnu.c */