Diffstat (limited to 'contrib/sendmail/src/tls.h')
-rw-r--r-- | contrib/sendmail/src/tls.h | 91 |
1 files changed, 64 insertions, 27 deletions
diff --git a/contrib/sendmail/src/tls.h b/contrib/sendmail/src/tls.h
index 5ca6d7eab734..8ab2a774d231 100644
--- a/contrib/sendmail/src/tls.h
+++ b/contrib/sendmail/src/tls.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2015, 2020-2023 Proofpoint, Inc. and its suppliers.
  * All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
@@ -7,7 +7,6 @@
  * the sendmail distribution.
  */
 
-
 #ifndef _TLS_H
 # define _TLS_H 1
 
@@ -21,7 +20,7 @@
 # endif
 # endif /* !TLS_NO_RSA */
 
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
+# if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
 # define TLS_version_num OpenSSL_version_num
 # else
 # define TLS_version_num SSLeay
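Review bot: The new `# if` in the last hunk on this line excludes the 0x20000000L–0x2fffffffL range of OPENSSL_VERSION_NUMBER (presumably LibreSSL, which reports itself in that range) without a comment saying so, and the same three-way range test reappears verbatim in the DANE hunk that derives HAVE_SSL_CTX_dane_enable, so the two can drift apart. Name the intent once next to the condition, e.g. `/* OpenSSL 1.1.x or 3.x only; the 0x2xxxxxxx range is a non-OpenSSL fork */`, and consider a single helper macro that both sites use so a future version bump is made in one place. The first two hunks here are a copyright-year change and a blank-line removal and need nothing.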
@@ -48,18 +47,37 @@
 #endif
 
 #if DANE
+
+# ifndef HAVE_SSL_CTX_dane_enable
+# if (OPENSSL_VERSION_NUMBER >= 0x10101000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
+# define HAVE_SSL_CTX_dane_enable 1
+# endif
+# endif
+
+extern int ssl_dane_enable __P((dane_vrfy_ctx_P, SSL *));
+# define SM_NOTDONE 1
+# define SM_FULL 2
+
 extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
-# define MAX_TLSA_RR 8
+# ifndef MAX_TLSA_RR
+# if HAVE_SSL_CTX_dane_enable
+# define MAX_TLSA_RR 64
+# else
+# define MAX_TLSA_RR 16
+# endif
+# endif
 
-# define DANE_VRFY_NONE 0 /* no TLSAs */
-# define DANE_VRFY_OK 1 /* TLSA check was ok */
-# define DANE_VRFY_FAIL (-1) /* TLSA check failed */
+# define DANE_VRFY_NONE 0 /* no DANE */
+/* # define DANE_VRFY_NO 1 * no TLSAs */
+# define DANE_VRFY_FAIL 2 /* TLSA check failed */
+# define DANE_VRFY_OK 3 /* TLSA check was ok */
+# define DANE_VRFY_TEMP 4 /* TLSA check failed temporarily */
 
 /* return values for dane_tlsa_chk() */
 # define TLSA_BOGUS (-10)
 # define TLSA_UNSUPP (-1)
 /* note: anything >= 0 is ok and refers to the hash algorithm */
-# define TLSA_IS_KNOWN(r) ((r) >= 0)
+# define TLSA_IS_SUPPORTED(r) ((r) >= 0)
 # define TLSA_IS_VALID(r) ((r) >= TLSA_UNSUPP)
 
 struct dane_tlsa_S
@@ -68,10 +86,13 @@ struct dane_tlsa_S
 int dane_tlsa_n;
 int dane_tlsa_dnsrc;
 unsigned long dane_tlsa_flags;
- unsigned char dane_tlsa_usage[MAX_TLSA_RR];
- unsigned char dane_tlsa_selector[MAX_TLSA_RR];
- unsigned char dane_tlsa_digest[MAX_TLSA_RR];
- void *dane_tlsa_rr[MAX_TLSA_RR];
+
+ /*
+ ** Note: all "valid" TLSA RRs are stored,
+ ** not just those which are "supported"
+ */
+
+ unsigned char *dane_tlsa_rr[MAX_TLSA_RR];
 int dane_tlsa_len[MAX_TLSA_RR];
 char *dane_tlsa_sni;
 };
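Review bot: `SM_NOTDONE` and `SM_FULL` are introduced directly after the new `ssl_dane_enable` prototype with no comment on what they mean; if they are its return values the header should say so, e.g. `/* return values of ssl_dane_enable() */` above the pair, because their generic SM_ prefix gives no hint that they are DANE-specific. The `DANE_VRFY_*` renumbering in the same hunk also drops the old sign convention (FAIL was -1 and is now 2, OK moves from 1 to 3), so any caller elsewhere that tests `dane_vrfy_chk < 0` or `> 0` instead of comparing against the names would change meaning silently; that code is outside this file and worth checking. A one-line comment next to the group, `/* compare against these names only, never by sign or order */`, would guard against the same mistake in new code.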
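Review bot: The struct comment added in the second hunk on this line says that all valid TLSA RRs are stored but not what each `dane_tlsa_rr[i]` now holds or who owns it, now that the per-RR usage/selector/digest arrays are gone and the element type changed from `void *` to `unsigned char *`. Since `dane_tlsa_chk` now takes `const unsigned char *` plus an `int` length, each element looks like the raw TLSA RDATA with `dane_tlsa_len[i]` as its byte count and `dane_tlsa_free` as the releaser, but that is inferred; state it in the header, e.g. `/* raw TLSA RDATA, owned by this struct; byte length in dane_tlsa_len[] */`. With `MAX_TLSA_RR` now overridable and defaulting to 64 on the OpenSSL-DANE path, whatever fills these fixed arrays must check `dane_tlsa_n < MAX_TLSA_RR` before every store; the `TLSAFL2MANY` flag in the following hunk suggests that exists, but it lives outside this file.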
@@ -83,40 +104,54 @@ struct dane_tlsa_S
 # define DANEMODE(fl) ((fl) & 0x3)
 
 # define TLSAFLNOEXP 0x00000010 /* do not check expiration */
+# define TLSAFLNEW 0x00000020
 # define TLSAFLADMX 0x00000100
-# define TLSAFLADTLSA 0x00000200 /* currently unused */
+# define TLSAFLADIP 0x00000200 /* changes with each IP lookup! */
+# define TLSAFLNOTLS 0x00000400 /* starttls() failed */
+/* treat IPv4 and IPv6 the same - the ad flag should be identical */
+/* # define TLSAFLADTLSA * currently unused */
+/* NOTE: "flags" >= TLSAFLTEMP are stored, see TLSA_STORE_FL()! */
 /* could be used to replace DNSRC */
-# define TLSAFLTEMP 0x00001000
-/* no TLSA? -- _n == 0 */
-# define TLSAFLNOTLSA 0x00002000 /* currently unused */
+# define TLSAFLTEMP 0x00001000 /* TLSA RR lookup tempfailed */
+# define TLSAFL2MANY 0x00004000 /* too many TLSA RRs */
 
 /*
 ** Do not use this record, and do not look up new TLSA RRs because
 ** the MX/host lookup was not secure.
+** XXX: host->MX lookup info can NOT be stored in dane_tlsa!
 ** XXX: to determine: interaction with DANE=always
 */
 
-# define TLSAFLNOADMX 0x00010000
-# define TLSAFLNOADTLSA 0x00020000 /* TLSA: no AD - for DANE=always? */
+/* # define TLSAFLNOADMX 0x00010000 */
+/* # define TLSAFLNOADTLSA 0x00020000 * TLSA: no AD - for DANE=always? */
+
+# define TLSAFLTEMPVRFY 0x00008000 /* temporary DANE verification failure */
+# define TLSAFLNOVRFY 0x00080000 /* do NOT perform DANE verification */
+
+# define TLSAFLUNS 0x00100000 /* has unsupported TLSA RRs */
+# define TLSAFLSUP 0x00200000 /* has supported TLSA RRs */
 
 # define TLSA_SET_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags |= (fl)
 # define TLSA_CLR_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags &= ~(fl)
-# define TLSA_IS_FL(dane_tlsa, fl) ((dane_tlsa)->dane_tlsa_flags & (fl))
-# define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP)
+# define TLSA_IS_FL(dane_tlsa, fl) (((dane_tlsa)->dane_tlsa_flags & (fl)) != 0)
 
-# define GETTLSA(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
-# define GETTLSANOX(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)
+/* any TLSA RRs? */
+# define TLSA_HAS_RRs(dane_tlsa) TLSA_IS_FL(dane_tlsa, TLSAFLUNS|TLSAFLSUP)
+
+# define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP)
 
 /* values for DANE option and dane_vrfy_chk */
-# define DANE_NEVER TLSAFLNONE
-# define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */
+# define DANE_NEVER TLSAFLNONE /* XREF: see sendmail.h: #define Dane */
+# define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */
 # define DANE_SECURE TLSAFLSECURE
-# define CHK_DANE(dane) ((dane) != DANE_NEVER)
+# define CHK_DANE(dane) (DANEMODE((dane)) != DANE_NEVER)
+# define VRFY_DANE(dane_vrfy_chk) (0 == ((dane_vrfy_chk) & TLSAFLNOVRFY))
 
 /* temp fails? others? */
 # define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)
+# define ONLYUNSUPTLSARR ", status=all TLSA RRs are unsupported"
 #endif /* DANE */
 
 /*
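Review bot: `TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP)` compares a bit mask arithmetically, so it is only correct while every flag that must not be stored ORs together to a value below 0x1000 and every flag that must be stored sits at or above it; the new `TLSAFLNEW`, `TLSAFLADIP`, `TLSAFLNOTLS` and `TLSAFLTEMPVRFY` happen to respect that, but nothing in the header pins it, and the next flag added below the threshold by someone reading only the `NOTE:` comment could break it silently. Put the invariant next to the macro rather than ten lines above the flags, e.g. `/* invariant: (TLSAFLNOEXP|TLSAFLNEW|TLSAFLADMX|TLSAFLADIP|TLSAFLNOTLS) < TLSAFLTEMP; every stored flag is >= TLSAFLTEMP */`, or as a `_Static_assert` if the project's minimum compiler allows C11 (the `__P` prototypes suggest it may not). `TLSAFLNOVRFY` turns DANE verification off outright for a connection, yet its comment does not say which code path is allowed to set it; naming the single setter there would make the verification path easier to audit. This hunk is wrapped across two physical lines, which the layout repair above rejoins.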
@@ -154,6 +189,7 @@ not "read" anywhere
 #define TLS_I_CRLF_EX 0x00800000 /* CRL file must exist */
 #define TLS_I_CRLF_UNR 0x01000000 /* CRL file must be g/o unreadable */
 #define TLS_I_DHFIXED 0x02000000 /* use fixed DH param */
+#define TLS_I_DHAUTO 0x04000000 /* */
 
 /* require server cert */
 #define TLS_I_SRV_CERT (TLS_I_CERT_EX | TLS_I_KEY_EX | \
@@ -170,6 +206,7 @@ not "read" anywhere
 
 #define TLS_AUTH_OK 0
 #define TLS_AUTH_NO 1
+#define TLS_AUTH_TEMP 2
 #define TLS_AUTH_FAIL (-1)
 
 # ifndef TLS_VRFY_PER_CTX
@@ -199,7 +236,7 @@ extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
 extern void tlslogerr __P((int, int, const char *));
 extern void tls_set_verify __P((SSL_CTX *, SSL *, bool));
 # if DANE
-extern int dane_tlsa_chk __P((const char *, int, const char *, bool));
+extern int dane_tlsa_chk __P((const unsigned char *, int, const char *, bool));
 extern int dane_tlsa_clr __P((dane_tlsa_P));
 extern int dane_tlsa_free __P((dane_tlsa_P));
 # endif
@@ -245,7 +282,7 @@ int TLS_set_engine __P((const char *, bool));
 extern int set_tls_rd_tmo __P((int));
 extern int data2hex __P((unsigned char *, int, unsigned char *, int));
 # if DANE
-extern int pubkey_fp __P((X509 *, const char*, char **));
+extern int pubkey_fp __P((X509 *, const char*, unsigned char **));
 extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
 # endif
|
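Review bot: `TLS_I_DHAUTO 0x04000000 /* */` is added with an empty comment while every neighbouring `TLS_I_*` flag documents its meaning. Judging by its position next to `TLS_I_DHFIXED /* use fixed DH param */` it presumably selects automatic DH parameters; fill the comment in with whatever the flag actually enables, e.g. `/* use automatic DH param selection */`, so the option table in this header stays self-describing.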
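Review bot: `dane_tlsa_chk` now takes `const unsigned char *` plus an `int` length, and `pubkey_fp` in the last hunk on this line now hands back its result through `unsigned char **`, but neither prototype says what the length covers or which side owns the output buffer. A short contract on each would settle it, e.g. `/* rr: raw TLSA RDATA of len bytes; returns TLSA_BOGUS, TLSA_UNSUPP, or the hash algorithm (>= 0) */` for dane_tlsa_chk, which matches the return-value comments earlier in this file, and a note on pubkey_fp stating whether `*fp` is allocated by the callee and who frees it, since the header gives no way to tell. The length is still a signed `int` for data that ultimately comes from DNS, so the implementation should reject negative values up front; `size_t` would remove the question but would ripple through every caller.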