path: root/contrib/sendmail/src/tls.h
Diffstat (limited to 'contrib/sendmail/src/tls.h')
-rw-r--r--contrib/sendmail/src/tls.h91
1 files changed, 64 insertions, 27 deletions
diff --git a/contrib/sendmail/src/tls.h b/contrib/sendmail/src/tls.h
index 5ca6d7eab734..8ab2a774d231 100644
--- a/contrib/sendmail/src/tls.h
+++ b/contrib/sendmail/src/tls.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2015, 2020-2023 Proofpoint, Inc. and its suppliers.
* All rights reserved.
*
* By using this file, you agree to the terms and conditions set
@@ -7,7 +7,6 @@
* the sendmail distribution.
*/
-
#ifndef _TLS_H
# define _TLS_H 1
@@ -21,7 +20,7 @@
# endif
# endif /* !TLS_NO_RSA */
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
+# if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
# define TLS_version_num OpenSSL_version_num
# else
# define TLS_version_num SSLeay
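Review bot: The OpenSSL-version predicate on the `# if` line is written out in full here and again, with a different lower bound, in the DANE hunk further down; a single helper such as `# define SM_OPENSSL_AT_LEAST(min) ((OPENSSL_VERSION_NUMBER >= (min) && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L)` would keep the exclusion of the 0x2xxxxxxx range (LibreSSL, presumably) in one place. The `>= 0x30000000L` arm is deliberately open-ended, which reads as "3.x and anything newer", but nothing says so; a one-line comment explaining why the 0x2xxxxxxx range is skipped and why the upper arm is unbounded would save the next maintainer from re-deriving it.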
@@ -48,18 +47,37 @@
#endif
#if DANE
+
+# ifndef HAVE_SSL_CTX_dane_enable
+# if (OPENSSL_VERSION_NUMBER >= 0x10101000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
+# define HAVE_SSL_CTX_dane_enable 1
+# endif
+# endif
+
+extern int ssl_dane_enable __P((dane_vrfy_ctx_P, SSL *));
+# define SM_NOTDONE 1
+# define SM_FULL 2
+
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
-# define MAX_TLSA_RR 8
+# ifndef MAX_TLSA_RR
+# if HAVE_SSL_CTX_dane_enable
+# define MAX_TLSA_RR 64
+# else
+# define MAX_TLSA_RR 16
+# endif
+# endif
-# define DANE_VRFY_NONE 0 /* no TLSAs */
-# define DANE_VRFY_OK 1 /* TLSA check was ok */
-# define DANE_VRFY_FAIL (-1) /* TLSA check failed */
+# define DANE_VRFY_NONE 0 /* no DANE */
+/* # define DANE_VRFY_NO 1 * no TLSAs */
+# define DANE_VRFY_FAIL 2 /* TLSA check failed */
+# define DANE_VRFY_OK 3 /* TLSA check was ok */
+# define DANE_VRFY_TEMP 4 /* TLSA check failed temporarily */
/* return values for dane_tlsa_chk() */
# define TLSA_BOGUS (-10)
# define TLSA_UNSUPP (-1)
/* note: anything >= 0 is ok and refers to the hash algorithm */
-# define TLSA_IS_KNOWN(r) ((r) >= 0)
+# define TLSA_IS_SUPPORTED(r) ((r) >= 0)
# define TLSA_IS_VALID(r) ((r) >= TLSA_UNSUPP)
struct dane_tlsa_S
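Review bot: The DANE_VRFY_* values are no longer ordered by outcome — DANE_VRFY_FAIL moves from -1 to 2 and the new DANE_VRFY_TEMP (4) sorts above DANE_VRFY_OK (3) — so any caller that still tests `dane_vrfy_chk < 0` for failure or `>= DANE_VRFY_OK` for success would now treat a failed or temporarily-failed check as verified; the callers are not in this file, so this is worth grepping for before merging. I would state the contract next to the defines: `/* NOTE: tags, not a ranking: compare with ==, never with < or >= */`. The commented-out `DANE_VRFY_NO` line should be dropped rather than parked; if value 1 is meant to stay reserved, a comment saying so is clearer than dead code.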
@@ -68,10 +86,13 @@ struct dane_tlsa_S
int dane_tlsa_n;
int dane_tlsa_dnsrc;
unsigned long dane_tlsa_flags;
- unsigned char dane_tlsa_usage[MAX_TLSA_RR];
- unsigned char dane_tlsa_selector[MAX_TLSA_RR];
- unsigned char dane_tlsa_digest[MAX_TLSA_RR];
- void *dane_tlsa_rr[MAX_TLSA_RR];
+
+ /*
+ ** Note: all "valid" TLSA RRs are stored,
+ ** not just those which are "supported"
+ */
+
+ unsigned char *dane_tlsa_rr[MAX_TLSA_RR];
int dane_tlsa_len[MAX_TLSA_RR];
char *dane_tlsa_sni;
};
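Review bot: dane_tlsa_rr[] changes from `void *` to `unsigned char *` and the per-RR usage/selector/digest arrays are removed, but nothing in the struct now says what each pointer refers to or who frees it; the new note only says which RRs are kept. Presumably each entry is the raw TLSA RDATA (usage, selector, matching type, then the association data) with its byte count in dane_tlsa_len[i], released by dane_tlsa_free(), but that has to be confirmed against the .c side. I would replace the note with `/* raw TLSA RDATA of each valid RR, dane_tlsa_len[i] bytes; owned by this struct (TODO confirm: freed by dane_tlsa_free()) */`. The struct's opening is outside this hunk.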
@@ -83,40 +104,54 @@ struct dane_tlsa_S
# define DANEMODE(fl) ((fl) & 0x3)
# define TLSAFLNOEXP 0x00000010 /* do not check expiration */
+# define TLSAFLNEW 0x00000020
# define TLSAFLADMX 0x00000100
-# define TLSAFLADTLSA 0x00000200 /* currently unused */
+# define TLSAFLADIP 0x00000200 /* changes with each IP lookup! */
+# define TLSAFLNOTLS 0x00000400 /* starttls() failed */
+/* treat IPv4 and IPv6 the same - the ad flag should be identical */
+/* # define TLSAFLADTLSA * currently unused */
+/* NOTE: "flags" >= TLSAFLTEMP are stored, see TLSA_STORE_FL()! */
/* could be used to replace DNSRC */
-# define TLSAFLTEMP 0x00001000
-/* no TLSA? -- _n == 0 */
-# define TLSAFLNOTLSA 0x00002000 /* currently unused */
+# define TLSAFLTEMP 0x00001000 /* TLSA RR lookup tempfailed */
+# define TLSAFL2MANY 0x00004000 /* too many TLSA RRs */
/*
** Do not use this record, and do not look up new TLSA RRs because
** the MX/host lookup was not secure.
+** XXX: host->MX lookup info can NOT be stored in dane_tlsa!
** XXX: to determine: interaction with DANE=always
*/
-# define TLSAFLNOADMX 0x00010000
-# define TLSAFLNOADTLSA 0x00020000 /* TLSA: no AD - for DANE=always? */
+/* # define TLSAFLNOADMX 0x00010000 */
+/* # define TLSAFLNOADTLSA 0x00020000 * TLSA: no AD - for DANE=always? */
+
+# define TLSAFLTEMPVRFY 0x00008000 /* temporary DANE verification failure */
+# define TLSAFLNOVRFY 0x00080000 /* do NOT perform DANE verification */
+
+# define TLSAFLUNS 0x00100000 /* has unsupported TLSA RRs */
+# define TLSAFLSUP 0x00200000 /* has supported TLSA RRs */
# define TLSA_SET_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags |= (fl)
# define TLSA_CLR_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags &= ~(fl)
-# define TLSA_IS_FL(dane_tlsa, fl) ((dane_tlsa)->dane_tlsa_flags & (fl))
-# define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP)
+# define TLSA_IS_FL(dane_tlsa, fl) (((dane_tlsa)->dane_tlsa_flags & (fl)) != 0)
-# define GETTLSA(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
-# define GETTLSANOX(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)
+/* any TLSA RRs? */
+# define TLSA_HAS_RRs(dane_tlsa) TLSA_IS_FL(dane_tlsa, TLSAFLUNS|TLSAFLSUP)
+
+# define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP)
/* values for DANE option and dane_vrfy_chk */
-# define DANE_NEVER TLSAFLNONE
-# define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */
+# define DANE_NEVER TLSAFLNONE /* XREF: see sendmail.h: #define Dane */
+# define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */
# define DANE_SECURE TLSAFLSECURE
-# define CHK_DANE(dane) ((dane) != DANE_NEVER)
+# define CHK_DANE(dane) (DANEMODE((dane)) != DANE_NEVER)
+# define VRFY_DANE(dane_vrfy_chk) (0 == ((dane_vrfy_chk) & TLSAFLNOVRFY))
/* temp fails? others? */
# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)
+# define ONLYUNSUPTLSARR ", status=all TLSA RRs are unsupported"
#endif /* DANE */
/*
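Review bot: TLSAFLNOVRFY is a bypass flag — VRFY_DANE() is false whenever it is set, so whatever sets it switches DANE authentication off for that connection — yet its only documentation is `do NOT perform DANE verification`, and because its value 0x00080000 is above TLSAFLTEMP it satisfies TLSA_STORE_FL() and would be persisted in dane_tlsa_flags if it ever reached a cached record (the comment above TLSAFLTEMP says exactly those flags are stored). Whether it is only ever applied to the per-connection dane_vrfy_chk value is not visible here and needs confirming in the code that sets it. I would document the intent at the define: `# define TLSAFLNOVRFY 0x00080000 /* skip DANE verification: per-connection only, set when <reason>; must never be stored in a cached dane_tlsa */`, with the reason filled in from the caller. TLSA_STORE_FL() itself depends on every stored flag having a larger bit value than every transient one, so a one-line `/* keep in sync with the flag values above */` next to it would protect that invariant when the next flag is added.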
@@ -154,6 +189,7 @@ not "read" anywhere
#define TLS_I_CRLF_EX 0x00800000 /* CRL file must exist */
#define TLS_I_CRLF_UNR 0x01000000 /* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED 0x02000000 /* use fixed DH param */
+#define TLS_I_DHAUTO 0x04000000 /* */
/* require server cert */
#define TLS_I_SRV_CERT (TLS_I_CERT_EX | TLS_I_KEY_EX | \
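Review bot: TLS_I_DHAUTO is added with an empty comment `/* */`, while every neighbouring TLS_I_ flag says what it requires or enables. From the name and the adjacent TLS_I_DHFIXED ("use fixed DH param") it presumably selects the TLS library's automatic DH parameter choice, but that must be confirmed where the flag is consumed. I would write `#define TLS_I_DHAUTO 0x04000000 /* let the TLS library choose DH params (auto DH); TODO confirm against tls.c */`. The TLS_I_SRV_CERT definition continues past the end of this hunk.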
@@ -170,6 +206,7 @@ not "read" anywhere
#define TLS_AUTH_OK 0
#define TLS_AUTH_NO 1
+#define TLS_AUTH_TEMP 2
#define TLS_AUTH_FAIL (-1)
# ifndef TLS_VRFY_PER_CTX
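Review bot: TLS_AUTH_TEMP is introduced without a comment, so unlike the neighbouring TLS_AUTH_ values its meaning has to be guessed; a caller that checks `== TLS_AUTH_OK` is unaffected, but one that treats every value other than TLS_AUTH_FAIL as non-fatal would let a temporary failure through, and those consumers are not in this hunk. Given the DANE_VRFY_TEMP and TLSAFLTEMPVRFY additions elsewhere in this diff it presumably maps a temporary DANE/TLSA failure, to be confirmed. I would add `#define TLS_AUTH_TEMP 2 /* temporary failure (e.g. TLSA lookup tempfailed): retry later, not authenticated */` once the trigger is verified.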
@@ -199,7 +236,7 @@ extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void tlslogerr __P((int, int, const char *));
extern void tls_set_verify __P((SSL_CTX *, SSL *, bool));
# if DANE
-extern int dane_tlsa_chk __P((const char *, int, const char *, bool));
+extern int dane_tlsa_chk __P((const unsigned char *, int, const char *, bool));
extern int dane_tlsa_clr __P((dane_tlsa_P));
extern int dane_tlsa_free __P((dane_tlsa_P));
# endif
@@ -245,7 +282,7 @@ int TLS_set_engine __P((const char *, bool));
extern int set_tls_rd_tmo __P((int));
extern int data2hex __P((unsigned char *, int, unsigned char *, int));
# if DANE
-extern int pubkey_fp __P((X509 *, const char*, char **));
+extern int pubkey_fp __P((X509 *, const char*, unsigned char **));
extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif
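Review bot: pubkey_fp()'s third parameter becomes `unsigned char **`, which together with data2hex() on the line above suggests it hands back an allocated fingerprint buffer, but the prototype says nothing about who frees it or what the return value means. A short contract comment on the extern would settle both: `/* fingerprint of cert's public key with the named digest; on success *fp is allocated and caller-owned (TODO confirm), returns <length or 0/-1> */`, filled in from the definition. This hunk holds only prototypes, so the definition is elsewhere.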