/*
 * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
 * All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 */

/*
**  TLS_H -- declarations shared by the STARTTLS and DANE code:
**	initialization-requirement bits (TLS_I_*), the cached TLSA
**	record structure and its flag bits (TLSAFL*), the TLS option
**	globals, and the prototypes of the TLS helper functions.
**	Everything below is compiled out when STARTTLS is not set,
**	except the set_tls_rd_tmo() stub at the end.
*/

#ifndef _TLS_H
# define _TLS_H 1

#if STARTTLS
# include <openssl/ssl.h>
# if !TLS_NO_RSA
/*
**  Length (bits) of the RSA key generated at initialization; the name
**  suggests it is the temporary RSA key requested by TLS_I_RSA_TMP
**  below -- confirm in the implementation.  Note that 512-bit RSA is
**  far below current key-length recommendations (2048 bits minimum);
**  only the FIPS build uses the (still short) 1024-bit value.
*/
#  if _FFR_FIPSMODE
#   define RSA_KEYLENGTH	1024
#  else
#   define RSA_KEYLENGTH	512
#  endif
# endif /* !TLS_NO_RSA */

/* OpenSSL renamed SSLeay() to OpenSSL_version_num() in 1.1.0 */
# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
#  define TLS_version_num OpenSSL_version_num
# else
#  define TLS_version_num SSLeay
# endif

/*
**  The translation unit that defines _DEFINE owns the EXTERN globals
**  declared below; every other includer only sees extern declarations.
**  EXTERN is #undef'd at the end of this header.
*/
#ifdef _DEFINE
# define EXTERN
#else
# define EXTERN extern
#endif

#if _FFR_TLS_EC && !defined(TLS_EC)
# define TLS_EC _FFR_TLS_EC
#endif

#if DANE
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
/* maximum number of TLSA RRs kept per cached record (array bound below) */
# define MAX_TLSA_RR	8

/* results of the DANE verification */
# define DANE_VRFY_NONE	0	/* no TLSAs */
# define DANE_VRFY_OK	1	/* TLSA check was ok */
# define DANE_VRFY_FAIL	(-1)	/* TLSA check failed */

/* return values for dane_tlsa_chk() */
# define TLSA_BOGUS	(-10)	/* malformed/unusable TLSA RR */
# define TLSA_UNSUPP	(-1)	/* well-formed but not supported */
/* note: anything >= 0 is ok and refers to the hash algorithm */
# define TLSA_IS_KNOWN(r)	((r) >= 0)
# define TLSA_IS_VALID(r)	((r) >= TLSA_UNSUPP)

/*
**  Cached set of TLSA records for one host/port.  At most MAX_TLSA_RR
**  records are stored; the per-record arrays are indexed in parallel.
**  Field meanings are inferred from their names and from the macros
**  in this header -- confirm against the code that fills the struct.
*/
struct dane_tlsa_S
{
	time_t		 dane_tlsa_exp;		/* expiry of the cached set; TLSAFLNOEXP skips the check */
	int		 dane_tlsa_n;		/* number of RRs stored (0: no TLSA) */
	int		 dane_tlsa_dnsrc;	/* DNS result code of the lookup (cf. TLSA_RR_TEMPFAIL) */
	unsigned long	 dane_tlsa_flags;	/* TLSAFL* bits, see TLSA_*_FL() */
	unsigned char	 dane_tlsa_usage[MAX_TLSA_RR];		/* presumably TLSA usage field (RFC 6698) */
	unsigned char	 dane_tlsa_selector[MAX_TLSA_RR];	/* presumably TLSA selector field */
	unsigned char	 dane_tlsa_digest[MAX_TLSA_RR];		/* presumably TLSA matching type */
	void		*dane_tlsa_rr[MAX_TLSA_RR];		/* certificate association data per RR */
	int		 dane_tlsa_len[MAX_TLSA_RR];		/* length of dane_tlsa_rr[i] */
	char		*dane_tlsa_sni;		/* server name to present/verify -- confirm */
};

/* flag bits for dane_tlsa_flags (and for the DANE option, see below) */
# define TLSAFLNONE	0x00000000	/* currently unused */
/* Dane Mode */
# define TLSAFLALWAYS	0x00000001
# define TLSAFLSECURE	0x00000002
# define DANEMODE(fl)	((fl) & 0x3)	/* low two bits select the mode */
# define TLSAFLNOEXP	0x00000010	/* do not check expiration */

# define TLSAFLADMX	0x00000100	/* MX lookup had the AD bit -- inferred from name */
# define TLSAFLADTLSA	0x00000200	/* currently unused */

/* could be used to replace DNSRC */
# define TLSAFLTEMP	0x00001000
/* no TLSA? -- _n == 0 */
# define TLSAFLNOTLSA	0x00002000	/* currently unused */

/*
**  Do not use this record, and do not look up new TLSA RRs because
**  the MX/host lookup was not secure.
**  XXX: to determine: interaction with DANE=always
*/

# define TLSAFLNOADMX	0x00010000
# define TLSAFLNOADTLSA	0x00020000	/* TLSA: no AD - for DANE=always? */

/* flag accessors; dane_tlsa must be a non-NULL pointer to struct dane_tlsa_S */
# define TLSA_SET_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags |= (fl)
# define TLSA_CLR_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags &= ~(fl)
# define TLSA_IS_FL(dane_tlsa, fl)	((dane_tlsa)->dane_tlsa_flags & (fl))
/* only bits at or above TLSAFLTEMP are persisted with the record */
# define TLSA_STORE_FL(fl)	((fl) >= TLSAFLTEMP)

/* wrappers around gettlsa(); GETTLSANOX ignores record expiration */
# define GETTLSA(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
# define GETTLSANOX(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)

/* values for DANE option and dane_vrfy_chk */
# define DANE_NEVER	TLSAFLNONE
# define DANE_ALWAYS	TLSAFLALWAYS	/* NOT documented, testing... */
# define DANE_SECURE	TLSAFLSECURE
# define CHK_DANE(dane)	((dane) != DANE_NEVER)

/* temp fails? others? */
/* true if the record exists and its DNS lookup ended with TRY_AGAIN */
# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)

#endif /* DANE */

/*
**  TLS
*/

/*
**  what to do in the TLS initialization
**	The *_UNR bits demand that key/cert material is not readable by
**	group/other; the *_EX bits demand that the file/path exists.
*/
#define TLS_I_NONE	0x00000000	/* no requirements... */
#define TLS_I_CERT_EX	0x00000001	/* cert must exist */
#define TLS_I_CERT_UNR	0x00000002	/* cert must be g/o unreadable */
#define TLS_I_KEY_EX	0x00000004	/* key must exist */
#define TLS_I_KEY_UNR	0x00000008	/* key must be g/o unreadable */
#define TLS_I_CERTP_EX	0x00000010	/* CA cert path must exist */
#define TLS_I_CERTP_UNR	0x00000020	/* CA cert path must be g/o unreadable */
#define TLS_I_CERTF_EX	0x00000040	/* CA cert file must exist */
#define TLS_I_CERTF_UNR	0x00000080	/* CA cert file must be g/o unreadable */
#define TLS_I_RSA_TMP	0x00000100	/* RSA TMP must be generated */
#define TLS_I_USE_KEY	0x00000200	/* private key must be usable */
#define TLS_I_USE_CERT	0x00000400	/* certificate must be usable */
#define TLS_I_VRFY_PATH	0x00000800	/* load verify path must succeed */
#define TLS_I_VRFY_LOC	0x00001000	/* load verify default must succeed */
#define TLS_I_CACHE	0x00002000	/* require cache */
#define TLS_I_TRY_DH	0x00004000	/* try DH certificate */
#define TLS_I_REQ_DH	0x00008000	/* require DH certificate */
#define TLS_I_DHPAR_EX	0x00010000	/* require DH parameters */
#define TLS_I_DHPAR_UNR	0x00020000	/* DH param. must be g/o unreadable */
#define TLS_I_DH512	0x00040000	/* generate 512bit DH param */
#define TLS_I_DH1024	0x00080000	/* generate 1024bit DH param */
#define TLS_I_DH2048	0x00100000	/* generate 2048bit DH param */
#define TLS_I_NO_VRFY	0x00200000	/* do not require authentication */
#define TLS_I_KEY_OUNR	0x00400000	/* Key must be other unreadable */
#define TLS_I_CRLF_EX	0x00800000	/* CRL file must exist */
#define TLS_I_CRLF_UNR	0x01000000	/* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED	0x02000000	/* use fixed DH param */

/* require server cert */
#define TLS_I_SRV_CERT	(TLS_I_CERT_EX | TLS_I_KEY_EX | \
			 TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
			 TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
			 TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)

/* server requirements */
#define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)

/* client requirements: only the private key permissions are checked */
#define TLS_I_CLT	(TLS_I_KEY_UNR | TLS_I_KEY_OUNR)

/* outcome of the peer authentication */
#define TLS_AUTH_OK	0
#define TLS_AUTH_NO	1
#define TLS_AUTH_FAIL	(-1)

# ifndef TLS_VRFY_PER_CTX
#  define TLS_VRFY_PER_CTX	1
# endif

/*
**  Free an SSL object and reset the pointer so a second SM_SSL_FREE()
**  on the same variable is a no-op.  ssl must be an lvalue (it is
**  assigned), so do not pass an expression with side effects.
*/
#define SM_SSL_FREE(ssl)			\
	do {					\
		if (ssl != NULL)		\
		{				\
			SSL_free(ssl);		\
			ssl = NULL;		\
		}				\
	} while (0)

/* functions */
extern int	endtls __P((SSL **, const char *));
extern int	get_tls_se_options __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
extern int	init_tls_library __P((bool _fipsmode));
extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
extern bool	initclttls __P((bool));
extern bool	initsrvtls __P((bool));
extern bool	load_certkey __P((SSL *, bool, char *, char *));
/* extern bool	load_crlpath __P((SSL_CTX *, bool , char *)); */
extern void	setclttls __P((bool));
extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void	tlslogerr __P((int, int, const char *));
extern void	tls_set_verify __P((SSL_CTX *, SSL *, bool));
# if DANE
extern int	dane_tlsa_chk __P((const char *, int, const char *, bool));
extern int	dane_tlsa_clr __P((dane_tlsa_P));
extern int	dane_tlsa_free __P((dane_tlsa_P));
# endif

/* TLS configuration globals (defined where _DEFINE is set, see EXTERN) */
EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CACertFile;	/* file with CA certificate */
#if _FFR_CLIENTCA
EXTERN char	*CltCACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CltCACertFile;	/* file with CA certificate */
#endif
EXTERN char	*CltCertFile;	/* file with client certificate */
EXTERN char	*CltKeyFile;	/* file with client private key */
EXTERN char	*CipherList;	/* list of ciphers */
EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
EXTERN char	*DHParams;	/* file with DH parameters */
EXTERN char	*RandFile;	/* source of random data */
EXTERN char	*SrvCertFile;	/* file with server certificate */
EXTERN char	*SrvKeyFile;	/* file with server private key */
EXTERN char	*CRLFile;	/* file with CRLs */
EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
EXTERN bool	TLSFallbacktoClear;	/* continue in the clear if STARTTLS fails -- inferred from name */

EXTERN char	*SSLEngine;
EXTERN char	*SSLEnginePath;
EXTERN bool	SSLEngineprefork;

/* with OpenSSL's engine support the prefork argument is ignored */
# if USE_OPENSSL_ENGINE
#define TLS_set_engine(id, prefork)	SSL_set_engine(id)
# else
int TLS_set_engine __P((const char *, bool));
# endif

extern int	set_tls_rd_tmo __P((int));
/* lengths are int (not size_t); the last argument is the output buffer size -- confirm */
extern int	data2hex __P((unsigned char *, int, unsigned char *, int));
# if DANE
extern int	pubkey_fp __P((X509 *, const char*, char **));
extern dane_tlsa_P	dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif

#else /* STARTTLS */
/* without STARTTLS the timeout setter is a no-op that reports 0 */
# define set_tls_rd_tmo(rd_tmo)	0
#endif /* STARTTLS */
#undef EXTERN
#endif /* ! _TLS_H */