diff options
Diffstat (limited to 'src/tls.h')
-rw-r--r-- | src/tls.h | 237 |
1 files changed, 237 insertions, 0 deletions
diff --git a/src/tls.h b/src/tls.h new file mode 100644 index 000000000000..0e03b81933a9 --- /dev/null +++ b/src/tls.h @@ -0,0 +1,237 @@ +/* + * Copyright (c) 2015 Proofpoint, Inc. and its suppliers. + * All rights reserved. + * + * By using this file, you agree to the terms and conditions set + * forth in the LICENSE file which can be found at the top level of + * the sendmail distribution. + */ + + +#ifndef _TLS_H +# define _TLS_H 1 + + +#if STARTTLS +# include <openssl/ssl.h> +# if !TLS_NO_RSA +# if _FFR_FIPSMODE +# define RSA_KEYLENGTH 1024 +# else +# define RSA_KEYLENGTH 512 +# endif +# endif /* !TLS_NO_RSA */ + +# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L +# define TLS_version_num OpenSSL_version_num +# else +# define TLS_version_num SSLeay +# endif + +#ifdef _DEFINE +# define EXTERN +#else +# define EXTERN extern +#endif + +#if _FFR_TLS_EC && !defined(TLS_EC) +# define TLS_EC _FFR_TLS_EC +#endif + +#if DANE +extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int)); +# define MAX_TLSA_RR 8 + +# define DANE_VRFY_NONE 0 /* no TLSAs */ +# define DANE_VRFY_OK 1 /* TLSA check was ok */ +# define DANE_VRFY_FAIL (-1) /* TLSA check failed */ + +/* return values for dane_tlsa_chk() */ +# define TLSA_BOGUS (-10) +# define TLSA_UNSUPP (-1) +/* note: anything >= 0 is ok and refers to the hash algorithm */ +# define TLSA_IS_KNOWN(r) ((r) >= 0) +# define TLSA_IS_VALID(r) ((r) >= TLSA_UNSUPP) + +struct dane_tlsa_S +{ + time_t dane_tlsa_exp; + int dane_tlsa_n; + int dane_tlsa_dnsrc; + unsigned long dane_tlsa_flags; + unsigned char dane_tlsa_usage[MAX_TLSA_RR]; + unsigned char dane_tlsa_selector[MAX_TLSA_RR]; + unsigned char dane_tlsa_digest[MAX_TLSA_RR]; + void *dane_tlsa_rr[MAX_TLSA_RR]; + int dane_tlsa_len[MAX_TLSA_RR]; + char *dane_tlsa_sni; +}; + +# define TLSAFLNONE 0x00000000 /* currently unused */ +/* Dane Mode */ +# define TLSAFLALWAYS 0x00000001 +# define TLSAFLSECURE 0x00000002 +# define DANEMODE(fl) ((fl) & 0x3) +# define TLSAFLNOEXP 0x00000010 /* do not check expiration */ + +# define TLSAFLADMX 0x00000100 +# define TLSAFLADTLSA 0x00000200 /* currently unused */ + +/* could be used to replace DNSRC */ +# define TLSAFLTEMP 0x00001000 +/* no TLSA? -- _n == 0 */ +# define TLSAFLNOTLSA 0x00002000 /* currently unused */ + +/* +** Do not use this record, and do not look up new TLSA RRs because +** the MX/host lookup was not secure. +** XXX: to determine: interaction with DANE=always +*/ + +# define TLSAFLNOADMX 0x00010000 +# define TLSAFLNOADTLSA 0x00020000 /* TLSA: no AD - for DANE=always? */ + +# define TLSA_SET_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags |= (fl) +# define TLSA_CLR_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags &= ~(fl) +# define TLSA_IS_FL(dane_tlsa, fl) ((dane_tlsa)->dane_tlsa_flags & (fl)) +# define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP) + +# define GETTLSA(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNONE, 0, port) +# define GETTLSANOX(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port) + +/* values for DANE option and dane_vrfy_chk */ +# define DANE_NEVER TLSAFLNONE +# define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */ +# define DANE_SECURE TLSAFLSECURE +# define CHK_DANE(dane) ((dane) != DANE_NEVER) + +/* temp fails? others? */ +# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN) + +#endif /* DANE */ + +/* +** TLS +*/ + +/* what to do in the TLS initialization */ +#define TLS_I_NONE 0x00000000 /* no requirements... */ +#define TLS_I_CERT_EX 0x00000001 /* cert must exist */ +#define TLS_I_CERT_UNR 0x00000002 /* cert must be g/o unreadable */ +#define TLS_I_KEY_EX 0x00000004 /* key must exist */ +#define TLS_I_KEY_UNR 0x00000008 /* key must be g/o unreadable */ +#define TLS_I_CERTP_EX 0x00000010 /* CA cert path must exist */ +#define TLS_I_CERTP_UNR 0x00000020 /* CA cert path must be g/o unreadable */ +#define TLS_I_CERTF_EX 0x00000040 /* CA cert file must exist */ +#define TLS_I_CERTF_UNR 0x00000080 /* CA cert file must be g/o unreadable */ +#define TLS_I_RSA_TMP 0x00000100 /* RSA TMP must be generated */ +#define TLS_I_USE_KEY 0x00000200 /* private key must usable */ +#define TLS_I_USE_CERT 0x00000400 /* certificate must be usable */ +#define TLS_I_VRFY_PATH 0x00000800 /* load verify path must succeed */ +#define TLS_I_VRFY_LOC 0x00001000 /* load verify default must succeed */ +#define TLS_I_CACHE 0x00002000 /* require cache */ +#define TLS_I_TRY_DH 0x00004000 /* try DH certificate */ +#define TLS_I_REQ_DH 0x00008000 /* require DH certificate */ +#define TLS_I_DHPAR_EX 0x00010000 /* require DH parameters */ +#define TLS_I_DHPAR_UNR 0x00020000 /* DH param. must be g/o unreadable */ +#define TLS_I_DH512 0x00040000 /* generate 512bit DH param */ +#define TLS_I_DH1024 0x00080000 /* generate 1024bit DH param */ +#define TLS_I_DH2048 0x00100000 /* generate 2048bit DH param */ +#define TLS_I_NO_VRFY 0x00200000 /* do not require authentication */ +#define TLS_I_KEY_OUNR 0x00400000 /* Key must be other unreadable */ +#define TLS_I_CRLF_EX 0x00800000 /* CRL file must exist */ +#define TLS_I_CRLF_UNR 0x01000000 /* CRL file must be g/o unreadable */ +#define TLS_I_DHFIXED 0x02000000 /* use fixed DH param */ + +/* require server cert */ +#define TLS_I_SRV_CERT (TLS_I_CERT_EX | TLS_I_KEY_EX | \ + TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \ + TLS_I_CERTP_EX | TLS_I_CERTF_EX | \ + TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE) + +/* server requirements */ +#define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \ + TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE) + +/* client requirements */ +#define TLS_I_CLT (TLS_I_KEY_UNR | TLS_I_KEY_OUNR) + +#define TLS_AUTH_OK 0 +#define TLS_AUTH_NO 1 +#define TLS_AUTH_FAIL (-1) + +# ifndef TLS_VRFY_PER_CTX +# define TLS_VRFY_PER_CTX 1 +# endif + +#define SM_SSL_FREE(ssl) \ + do { \ + if (ssl != NULL) \ + { \ + SSL_free(ssl); \ + ssl = NULL; \ + } \ + } while (0) + +/* functions */ +extern int endtls __P((SSL **, const char *)); +extern int get_tls_se_options __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool)); +extern int init_tls_library __P((bool _fipsmode)); +extern bool inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *)); +extern bool initclttls __P((bool)); +extern bool initsrvtls __P((bool)); +extern bool load_certkey __P((SSL *, bool, char *, char *)); +/* extern bool load_crlpath __P((SSL_CTX *, bool , char *)); */ +extern void setclttls __P((bool)); +extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool)); +extern void tlslogerr __P((int, int, const char *)); +extern void tls_set_verify __P((SSL_CTX *, SSL *, bool)); +# if DANE +extern int dane_tlsa_chk __P((const char *, int, const char *, bool)); +extern int dane_tlsa_clr __P((dane_tlsa_P)); +extern int dane_tlsa_free __P((dane_tlsa_P)); +# endif + +EXTERN char *CACertPath; /* path to CA certificates (dir. with hashes) */ +EXTERN char *CACertFile; /* file with CA certificate */ +#if _FFR_CLIENTCA +EXTERN char *CltCACertPath; /* path to CA certificates (dir. with hashes) */ +EXTERN char *CltCACertFile; /* file with CA certificate */ +#endif +EXTERN char *CltCertFile; /* file with client certificate */ +EXTERN char *CltKeyFile; /* file with client private key */ +EXTERN char *CipherList; /* list of ciphers */ +EXTERN char *CertFingerprintAlgorithm; /* name of fingerprint alg */ +EXTERN const EVP_MD *EVP_digest; /* digest for cert fp */ +EXTERN char *DHParams; /* file with DH parameters */ +EXTERN char *RandFile; /* source of random data */ +EXTERN char *SrvCertFile; /* file with server certificate */ +EXTERN char *SrvKeyFile; /* file with server private key */ +EXTERN char *CRLFile; /* file CRLs */ +EXTERN char *CRLPath; /* path to CRLs (dir. with hashes) */ +EXTERN unsigned long TLS_Srv_Opts; /* TLS server options */ +EXTERN unsigned long Srv_SSL_Options, Clt_SSL_Options; /* SSL options */ +EXTERN bool TLSFallbacktoClear; + +EXTERN char *SSLEngine; +EXTERN char *SSLEnginePath; +EXTERN bool SSLEngineprefork; + +# if USE_OPENSSL_ENGINE +#define TLS_set_engine(id, prefork) SSL_set_engine(id) +# else +int TLS_set_engine __P((const char *, bool)); +# endif + +extern int set_tls_rd_tmo __P((int)); +extern int data2hex __P((unsigned char *, int, unsigned char *, int)); +# if DANE +extern int pubkey_fp __P((X509 *, const char*, char **)); +extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P)); +# endif + +#else /* STARTTLS */ +# define set_tls_rd_tmo(rd_tmo) 0 +#endif /* STARTTLS */ +#undef EXTERN +#endif /* ! _TLS_H */ |