1/*
2 * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
3 *	All rights reserved.
4 *
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
8 */
9
10
11#ifndef _TLS_H
12# define _TLS_H 1
13
14
#if STARTTLS
# include <openssl/ssl.h>
# if !TLS_NO_RSA
/*
**  Modulus length of the RSA key that is generated at TLS setup
**  (presumably the temporary key requested by TLS_I_RSA_TMP; confirm
**  in the implementation).
**  NOTE(review): 512 bits is export-grade strength, far below any
**  current minimum recommendation; only FIPS mode uses 1024 bits.
*/
#  if _FFR_FIPSMODE
#   define RSA_KEYLENGTH	1024
#  else
#   define RSA_KEYLENGTH	512
#  endif
# endif /* !TLS_NO_RSA */

/* the runtime-version function was renamed in OpenSSL 1.1.0 */
# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
#  define TLS_version_num OpenSSL_version_num
# else
#  define TLS_version_num SSLeay
# endif
30
/*
**  EXTERN: the translation unit that defines _DEFINE before including
**  this header owns the storage for the globals declared below; every
**  other includer sees plain extern declarations.  EXTERN is #undef'd
**  at the end of this header.
*/
#ifdef _DEFINE
# define EXTERN
#else
# define EXTERN extern
#endif

/* _FFR_TLS_EC turns on TLS_EC (presumably elliptic-curve support) unless set explicitly */
#if _FFR_TLS_EC && !defined(TLS_EC)
# define TLS_EC _FFR_TLS_EC
#endif
40
#if DANE
/*
**  gettlsa -- look up the TLSA RRs for a host.
**
**	Parameters, in prototype order: host name, a second name (the
**	GETTLSA wrappers below pass NULL), STAB ** result slot, TLSAFL*
**	flags, an unsigned int (the wrappers pass 0) and the port.
**	The meaning of the int return value is not visible in this header.
*/
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
/* hard bound on TLSA RRs kept per host; sizes the arrays in struct dane_tlsa_S */
# define MAX_TLSA_RR	8

/* results of TLSA verification (dane_vrfy_chk) */
# define DANE_VRFY_NONE	0	/* no TLSAs */
# define DANE_VRFY_OK		1	/* TLSA check was ok */
# define DANE_VRFY_FAIL	(-1)	/* TLSA check failed */

/* return values for dane_tlsa_chk() */
# define TLSA_BOGUS	(-10)	/* record unusable; fails TLSA_IS_VALID() */
# define TLSA_UNSUPP	(-1)	/* record valid but not supported (presumably usage/selector/type) */
/* note: anything >= 0 is ok and refers to the hash algorithm */
# define TLSA_IS_KNOWN(r)	((r) >= 0)
# define TLSA_IS_VALID(r)	((r) >= TLSA_UNSUPP)	/* i.e. not TLSA_BOGUS */
55
/*
**  TLSA RRs of one host, presumably cached in the symbol table (cf. the
**  STAB ** argument of gettlsa()).  The per-RR fields are parallel arrays
**  of MAX_TLSA_RR entries; whoever fills them must keep dane_tlsa_n within
**  that bound -- nothing in the type enforces it.
*/
struct dane_tlsa_S
{
	time_t		 dane_tlsa_exp;		/* expiration time; skipped by TLSAFLNOEXP */
	int		 dane_tlsa_n;		/* number of RRs stored; 0: no TLSA */
	int		 dane_tlsa_dnsrc;	/* DNS result code, cf. TLSA_RR_TEMPFAIL */
	unsigned long	 dane_tlsa_flags;	/* TLSAFL* bits, see TLSA_*_FL() */
	unsigned char	 dane_tlsa_usage[MAX_TLSA_RR];		/* per RR: TLSA usage (presumably) */
	unsigned char	 dane_tlsa_selector[MAX_TLSA_RR];	/* per RR: TLSA selector (presumably) */
	unsigned char	 dane_tlsa_digest[MAX_TLSA_RR];		/* per RR: matching type/digest (presumably) */
	void		*dane_tlsa_rr[MAX_TLSA_RR];		/* per RR: association data */
	int		 dane_tlsa_len[MAX_TLSA_RR];		/* per RR: length of dane_tlsa_rr[i] */
	char		*dane_tlsa_sni;		/* SNI name; ownership not visible here */
};
69
# define TLSAFLNONE	0x00000000	/* currently unused */
/* Dane Mode: the low two bits, extracted by DANEMODE(); see DANE_* below */
# define TLSAFLALWAYS	0x00000001
# define TLSAFLSECURE	0x00000002
# define DANEMODE(fl)	((fl) & 0x3)
# define TLSAFLNOEXP	0x00000010	/* do not check expiration */

# define TLSAFLADMX	0x00000100	/* presumably: MX lookup was authenticated (AD) */
# define TLSAFLADTLSA	0x00000200	/* currently unused */

/* could be used to replace DNSRC */
# define TLSAFLTEMP	0x00001000	/* presumably: temporary lookup failure */
/* no TLSA? -- _n == 0 */
# define TLSAFLNOTLSA	0x00002000	/* currently unused */

/*
**  Do not use this record, and do not look up new TLSA RRs because
**  the MX/host lookup was not secure.
**  XXX: to determine: interaction with DANE=always
*/

# define TLSAFLNOADMX	0x00010000
# define TLSAFLNOADTLSA	0x00020000	/* TLSA: no AD - for DANE=always? */

/*
**  Flag accessors.  TLSA_SET_FL and TLSA_CLR_FL expand to unparenthesized
**  assignment expressions: use them as statements only.
*/
# define TLSA_SET_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags |= (fl)
# define TLSA_CLR_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags &= ~(fl)
# define TLSA_IS_FL(dane_tlsa, fl)	((dane_tlsa)->dane_tlsa_flags & (fl))
/* flags from TLSAFLTEMP upwards are the ones kept in the record (presumably) */
# define TLSA_STORE_FL(fl)	((fl) >= TLSAFLTEMP)

/* lookup wrappers: no second name, no/NOEXP flags, 0, port */
# define GETTLSA(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
# define GETTLSANOX(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)

/* values for DANE option and dane_vrfy_chk */
# define DANE_NEVER	TLSAFLNONE
# define DANE_ALWAYS	TLSAFLALWAYS		/* NOT documented, testing... */
# define DANE_SECURE	TLSAFLSECURE
# define CHK_DANE(dane)	((dane) != DANE_NEVER)

/* temp fails? others? */
/* NULL-safe: a missing record does not count as a temporary failure */
# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)

#endif /* DANE */
112
/*
**  TLS
*/

/*
**  what to do in the TLS initialization: requirement bits, presumably
**  passed in the unsigned long arguments of inittls().  A set bit turns
**  the corresponding condition into a hard requirement; TLS_I_SRV and
**  TLS_I_CLT below are the server and client default sets.
*/
#define TLS_I_NONE	0x00000000	/* no requirements... */
#define TLS_I_CERT_EX	0x00000001	/* cert must exist */
#define TLS_I_CERT_UNR	0x00000002	/* cert must be g/o unreadable */
#define TLS_I_KEY_EX	0x00000004	/* key must exist */
#define TLS_I_KEY_UNR	0x00000008	/* key must be g/o unreadable */
#define TLS_I_CERTP_EX	0x00000010	/* CA cert path must exist */
#define TLS_I_CERTP_UNR	0x00000020	/* CA cert path must be g/o unreadable */
#define TLS_I_CERTF_EX	0x00000040	/* CA cert file must exist */
#define TLS_I_CERTF_UNR	0x00000080	/* CA cert file must be g/o unreadable */
#define TLS_I_RSA_TMP	0x00000100	/* RSA TMP must be generated */
#define TLS_I_USE_KEY	0x00000200	/* private key must usable */
#define TLS_I_USE_CERT	0x00000400	/* certificate must be usable */
#define TLS_I_VRFY_PATH	0x00000800	/* load verify path must succeed */
#define TLS_I_VRFY_LOC	0x00001000	/* load verify default must succeed */
#define TLS_I_CACHE	0x00002000	/* require cache */
#define TLS_I_TRY_DH	0x00004000	/* try DH certificate */
#define TLS_I_REQ_DH	0x00008000	/* require DH certificate */
#define TLS_I_DHPAR_EX	0x00010000	/* require DH parameters */
#define TLS_I_DHPAR_UNR	0x00020000	/* DH param. must be g/o unreadable */
/* NOTE(review): 512-bit DH is below the minimum modern peers accept; prefer 2048 */
#define TLS_I_DH512	0x00040000	/* generate 512bit DH param */
#define TLS_I_DH1024	0x00080000	/* generate 1024bit DH param */
#define TLS_I_DH2048	0x00100000	/* generate 2048bit DH param */
#define TLS_I_NO_VRFY	0x00200000	/* do not require authentication */
#define TLS_I_KEY_OUNR	0x00400000	/* Key must be other unreadable */
#define TLS_I_CRLF_EX	0x00800000	/* CRL file must exist */
#define TLS_I_CRLF_UNR	0x01000000	/* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED	0x02000000	/* use fixed DH param */

/* require server cert */
#define TLS_I_SRV_CERT	 (TLS_I_CERT_EX | TLS_I_KEY_EX | \
			  TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
			  TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
			  TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)

/* server requirements (TLS_I_CACHE is already part of TLS_I_SRV_CERT; harmless) */
#define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)

/* client requirements: only permission checks, a client key/cert need not exist */
#define TLS_I_CLT	(TLS_I_KEY_UNR | TLS_I_KEY_OUNR)

/* authentication outcome values (presumably from tls_get_info(); confirm) */
#define TLS_AUTH_OK	0
#define TLS_AUTH_NO	1
#define TLS_AUTH_FAIL	(-1)

/* default: verification settings are applied per SSL_CTX (overridable at build time) */
# ifndef TLS_VRFY_PER_CTX
#  define TLS_VRFY_PER_CTX 1
# endif
166
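/*
**  SM_SSL_FREE -- free an SSL object and clear the variable holding it.
**
**	ssl must be a plain lvalue (a pointer variable): it is evaluated
**	more than once, so an argument with side effects is not allowed.
**	A NULL pointer is a no-op; clearing the variable afterwards keeps
**	the same variable from being freed or used twice.
*/
#define SM_SSL_FREE(ssl)			\
	do {					\
		if ((ssl) != NULL)		\
		{				\
			SSL_free(ssl);		\
			(ssl) = NULL;		\
		}				\
	} while (0)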
175
/*
**  functions -- implemented outside this header; parameter meanings
**  below follow prototype order and are hedged where the header alone
**  does not establish them.
*/
extern int	endtls __P((SSL **, const char *));		/* shut down *ssl; string presumably a log label */
extern int	get_tls_se_options __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
extern int	init_tls_library __P((bool _fipsmode));		/* bool: enable FIPS mode */
/* inittls: SSL_CTX ** out, two unsigned long flag words (presumably TLS_I_* / SSL options), bool, five file names */
extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
extern bool	initclttls __P((bool));
extern bool	initsrvtls __P((bool));
extern bool	load_certkey __P((SSL *, bool, char *, char *));	/* presumably cert file, key file */
/* retired prototype kept for reference */
/* extern bool	load_crlpath __P((SSL_CTX *, bool , char *)); */
extern void	setclttls __P((bool));
extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void	tlslogerr __P((int, int, const char *));
extern void	tls_set_verify __P((SSL_CTX *, SSL *, bool));	/* bool presumably: require verification */
# if DANE
extern int dane_tlsa_chk __P((const char *, int, const char *, bool));	/* returns TLSA_* values, see above */
extern int dane_tlsa_clr __P((dane_tlsa_P));
extern int dane_tlsa_free __P((dane_tlsa_P));
# endif
194
/* configuration globals; storage lives in the _DEFINE translation unit */
EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CACertFile;	/* file with CA certificate */
#if _FFR_CLIENTCA
EXTERN char	*CltCACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CltCACertFile;	/* file with CA certificate */
#endif
EXTERN char	*CltCertFile;	/* file with client certificate */
EXTERN char	*CltKeyFile;	/* file with client private key */
EXTERN char	*CipherList;	/* list of ciphers */
EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
EXTERN char	*DHParams;	/* file with DH parameters */
EXTERN char	*RandFile;	/* source of random data */
EXTERN char	*SrvCertFile;	/* file with server certificate */
EXTERN char	*SrvKeyFile;	/* file with server private key */
EXTERN char	*CRLFile;	/* file CRLs */
EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
/* presumably: deliver in cleartext when TLS fails -- a downgrade path; confirm where it is read */
EXTERN bool	TLSFallbacktoClear;

EXTERN char	*SSLEngine;		/* engine id (presumably), cf. TLS_set_engine */
EXTERN char	*SSLEnginePath;		/* engine search path (presumably) */
EXTERN bool	SSLEngineprefork;	/* load engine before fork? (presumably) */
219
/*
**  TLS_set_engine -- select an OpenSSL engine.  With USE_OPENSSL_ENGINE
**  the prefork argument is dropped and SSL_set_engine() is called
**  directly; otherwise it is a real function (declared without extern,
**  which is equivalent for functions).
*/
# if USE_OPENSSL_ENGINE
#define TLS_set_engine(id, prefork) SSL_set_engine(id)
# else
int TLS_set_engine __P((const char *, bool));
# endif

extern int	set_tls_rd_tmo __P((int));	/* TLS read timeout; a no-op macro without STARTTLS */
/* data2hex: presumably (in, inlen, out, outsize); out needs 2 chars per input byte plus NUL -- confirm */
extern int data2hex __P((unsigned char *, int, unsigned char *, int));
# if DANE
/* pubkey_fp: fingerprint of the cert's public key via char ** (allocation/ownership not visible here) */
extern int pubkey_fp __P((X509 *, const char*, char **));
extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif
232
#else /* STARTTLS */
/* without STARTTLS the timeout setter expands to the constant 0 so callers need no #if */
# define set_tls_rd_tmo(rd_tmo)	0
#endif /* STARTTLS */
#undef EXTERN	/* EXTERN is private to this header */
#endif /* ! _TLS_H */
238