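#ifndef _TLS_H_INCLUDED_
#define _TLS_H_INCLUDED_

/*++
/* NAME
/*	tls 3h
/* SUMMARY
/*	libtls internal interfaces
/* SYNOPSIS
/*	#include <tls.h>
/* DESCRIPTION
/* .nf

 /*
  * Utility library.
  */
#include <name_code.h>
#include <argv.h>

 /*
  * TLS enforcement levels. Non-sentinel values may also be used to indicate
  * the actual security level of a session.
  *
  * XXX TLS_LEV_NOTFOUND no longer belongs in this list. The SMTP client will
  * have to use something else to report that policy table lookup failed.
  *
  * The order of levels matters, but we hide most of the details in macros.
  *
  * "dane" vs. "fingerprint", both must lie between "encrypt" and "verify".
  *
  * - With "may" and higher, TLS is enabled.
  *
  * - With "encrypt" and higher, TLS encryption must be applied.
  *
  * - Strictly above "encrypt", the peer certificate must match.
  *
  * - At "dane" and higher, the peer certificate must also be trusted. With
  * "dane" the trust may be self-asserted, so we only log trust verification
  * errors when TA associations are involved.
  *
  * The negative sentinels are parenthesized so that they expand safely
  * inside larger expressions (e.g. after a unary operator).
  */
#define TLS_LEV_INVALID		(-2)	/* sentinel */
#define TLS_LEV_NOTFOUND	(-1)	/* XXX not in policy table */
#define TLS_LEV_NONE		0	/* plain-text only */
#define TLS_LEV_MAY		1	/* wildcard */
#define TLS_LEV_ENCRYPT		2	/* encrypted connection */
#define TLS_LEV_FPRINT		3	/* "peer" CA-less verification */
#define TLS_LEV_DANE		4	/* Opportunistic TLSA policy */
#define TLS_LEV_DANE_ONLY	5	/* Required TLSA policy */
#define TLS_LEV_VERIFY		6	/* certificate verified */
#define TLS_LEV_SECURE		7	/* "secure" verification */

 /*
  * Level predicates. These depend on the numeric ordering of the TLS_LEV_*
  * values above; insert new levels only where the comparisons stay true.
  */
#define TLS_REQUIRED(l)		((l) > TLS_LEV_MAY)
#define TLS_MUST_MATCH(l)	((l) > TLS_LEV_ENCRYPT)
#define TLS_MUST_TRUST(l)	((l) >= TLS_LEV_DANE)
#define TLS_MUST_PKIX(l)	((l) >= TLS_LEV_VERIFY)

 /*
  * Name <-> level mapping (tls_level.c). tls_level_lookup() yields a
  * TLS_LEV_* value for a configuration string; str_tls_level() does the
  * reverse.
  */
extern const NAME_CODE tls_level_table[];

#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s))
#define str_tls_level(l) str_name_code(tls_level_table, (l))

#ifdef USE_TLS

 /*
  * OpenSSL library.
  */
#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>

 /* Appease indent(1) */
#define x509_stack_t		STACK_OF(X509)
#define x509_extension_stack_t	STACK_OF(X509_EXTENSION)
#define general_name_stack_t	STACK_OF(GENERAL_NAME)
#define ssl_cipher_stack_t	STACK_OF(SSL_CIPHER)
#define ssl_comp_stack_t	STACK_OF(SSL_COMP)

#if (OPENSSL_VERSION_NUMBER < 0x00090700f)
#error "need OpenSSL version 0.9.7 or later"
#endif

/* SSL_CIPHER_get_name() got constified in 0.9.7g */
#if OPENSSL_VERSION_NUMBER >= 0x0090707fL	/* constification */
#define SSL_CIPHER_const	const
#else
#define SSL_CIPHER_const
#endif

/* d2i_X509() got constified in 0.9.8a */
#if OPENSSL_VERSION_NUMBER >= 0x0090801fL
#define D2I_const		const
#else
#define D2I_const
#endif

 /*
  * System library. TLS_DANE below has a time_t member; include <time.h>
  * here rather than relying on a transitive include.
  */
#include <time.h>

 /*
  * Utility library.
  */
#include <vstream.h>
#include <name_mask.h>
#include <name_code.h>
#include <dns.h>

 /*
  * Names of valid tlsmgr(8) session caches.
  */
#define TLS_MGR_SCACHE_SMTPD	"smtpd"
#define TLS_MGR_SCACHE_SMTP	"smtp"
#define TLS_MGR_SCACHE_LMTP	"lmtp"

 /*
  * RFC 6698 DANE
  */
#define TLS_DANE_TA	0		/* Match trust-anchor digests */
#define TLS_DANE_EE	1		/* Match end-entity digests */

#define TLS_DANE_CERT	0		/* Match the certificate digest */
#define TLS_DANE_PKEY	1		/* Match the public key digest */

#define TLS_DANE_FLAG_NORRS	(1<<0)	/* Nothing found in DNS */
#define TLS_DANE_FLAG_EMPTY	(1<<1)	/* Nothing usable found in DNS */
#define TLS_DANE_FLAG_ERROR	(1<<2)	/* TLSA record lookup error */

 /*
  * Both predicates expect a non-null TLS_DANE pointer.
  */
#define tls_dane_unusable(dane)	((dane)->flags & TLS_DANE_FLAG_EMPTY)
#define tls_dane_notfound(dane)	((dane)->flags & TLS_DANE_FLAG_NORRS)

 /*
  * Bounds on how long a cached TLSA lookup result is retained (seconds).
  * The upper bound limits how long stale DANE policy can outlive the DNS
  * data it was derived from.
  */
#define TLS_DANE_CACHE_TTL_MIN 1	/* A lot can happen in ~2 seconds */
#define TLS_DANE_CACHE_TTL_MAX 100	/* Comparable to max_idle */

 /*
  * Certificate and public key digests (typically from TLSA RRs), grouped by
  * algorithm.
  */
typedef struct TLS_TLSA {
    char   *mdalg;			/* Algorithm for this digest list */
    ARGV   *certs;			/* Complete certificate digests */
    ARGV   *pkeys;			/* SubjectPublicKeyInfo digests */
    struct TLS_TLSA *next;		/* Chain to next algorithm */
} TLS_TLSA;

 /*
  * Linked list of full X509 trust-anchor certs.
  */
typedef struct TLS_CERTS {
    X509   *cert;
    struct TLS_CERTS *next;
} TLS_CERTS;

 /*
  * Linked list of full EVP_PKEY trust-anchor public keys.
  */
typedef struct TLS_PKEYS {
    EVP_PKEY *pkey;
    struct TLS_PKEYS *next;
} TLS_PKEYS;

 /*
  * DANE verification input for one destination. Reference counted; see
  * tls_dane_alloc()/tls_dane_free() below for the owning calls.
  */
typedef struct TLS_DANE {
    TLS_TLSA *ta;			/* Trust-anchor cert/pubkey digests */
    TLS_TLSA *ee;			/* End-entity cert/pubkey digests */
    TLS_CERTS *certs;			/* Full trust-anchor certificates */
    TLS_PKEYS *pkeys;			/* Full trust-anchor public keys */
    char   *base_domain;		/* Base domain of TLSA RRset */
    int     flags;			/* Conflate cert and pkey digests */
    time_t  expires;			/* Expiration time of this record */
    int     refs;			/* Reference count */
} TLS_DANE;

 /*
  * NULL-safe accessors: a null TLS_DANE pointer reads as "no digests".
  */
#define TLS_DANE_HASTA(d)	((d) ? (d)->ta : 0)
#define TLS_DANE_HASEE(d)	((d) ? (d)->ee : 0)

 /*
  * tls_dane.c
  */
extern int tls_dane_avail(void);
extern void tls_dane_flush(void);
extern void tls_dane_verbose(int);
extern TLS_DANE *tls_dane_alloc(void);
extern void tls_dane_add_ee_digests(TLS_DANE *, const char *, const char *,
				            const char *);
extern void tls_dane_free(TLS_DANE *);
extern TLS_DANE *tls_dane_resolve(unsigned, const char *, DNS_RR *, int);
extern int tls_dane_load_trustfile(TLS_DANE *, const char *);

 /*
  * TLS session context, also used by the VSTREAM call-back routines for SMTP
  * input/output, and by OpenSSL call-back routines for key verification.
  *
  * Only some members are (read-only) accessible by the public.
  */
#define CCERT_BUFSIZ	256		/* Fixed buffer size; presumably for
					 * certificate name extraction -
					 * confirm in tls_verify.c */

typedef struct {
    /* Public, read-only. */
    char   *peer_CN;			/* Peer Common Name */
    char   *issuer_CN;			/* Issuer Common Name */
    char   *peer_cert_fprint;		/* ASCII certificate fingerprint */
    char   *peer_pkey_fprint;		/* ASCII public key fingerprint */
    int     peer_status;		/* Certificate and match status */
    const char *protocol;
    const char *cipher_name;
    int     cipher_usebits;
    int     cipher_algbits;
    /* Private. */
    SSL    *con;
    char   *cache_type;			/* tlsmgr(8) cache type if enabled */
    int     ticketed;			/* Session ticket issued */
    char   *serverid;			/* unique server identifier */
    char   *namaddr;			/* nam[addr] for logging */
    int     log_mask;			/* What to log */
    int     session_reused;		/* this session was reused */
    int     am_server;			/* Are we an SSL server or client? */
    const char *mdalg;			/* default message digest algorithm */
    /* Built-in vs external SSL_accept/read/write/shutdown support. */
    VSTREAM *stream;			/* Blocking-mode SMTP session */
    /* RFC 6698 DANE trust input and verification state */
    const TLS_DANE *dane;		/* DANE TLSA digests */
    int     errordepth;			/* Chain depth of error cert */
    int     tadepth;			/* Chain depth of trust anchor */
    int     errorcode;			/* First error at error depth */
    X509   *errorcert;			/* Error certificate closest to leaf */
    x509_stack_t *untrusted;		/* Certificate chain fodder */
    x509_stack_t *trusted;		/* Internal root CA list */
} TLS_SESS_STATE;

 /*
  * Peer status bits. TLS_CERT_FLAG_MATCHED implies TLS_CERT_FLAG_TRUSTED
  * only in the case of a hostname match.
  */
#define TLS_CERT_FLAG_PRESENT	(1<<0)
#define TLS_CERT_FLAG_ALTNAME	(1<<1)
#define TLS_CERT_FLAG_TRUSTED	(1<<2)
#define TLS_CERT_FLAG_MATCHED	(1<<3)

 /*
  * NULL-safe status predicates: a null session context reads as "no
  * certificate", "not trusted", "not matched".
  */
#define TLS_CERT_IS_PRESENT(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_PRESENT))
#define TLS_CERT_IS_ALTNAME(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_ALTNAME))
#define TLS_CERT_IS_TRUSTED(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_TRUSTED))
#define TLS_CERT_IS_MATCHED(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_MATCHED))

 /*
  * Opaque client context handle.
  */
typedef struct TLS_APPL_STATE TLS_APPL_STATE;

#ifdef TLS_INTERNAL

 /*
  * Log mask details are internal to the library.
  */
extern int tls_log_mask(const char *, const char *);

 /*
  * What to log. Note that TLS_LOG_NONE is itself a bit, not zero.
  */
#define TLS_LOG_NONE		(1<<0)
#define TLS_LOG_SUMMARY		(1<<1)
#define TLS_LOG_UNTRUSTED	(1<<2)
#define TLS_LOG_PEERCERT	(1<<3)
#define TLS_LOG_CERTMATCH	(1<<4)
#define TLS_LOG_VERBOSE		(1<<5)
#define TLS_LOG_CACHE		(1<<6)
#define TLS_LOG_DEBUG		(1<<7)
#define TLS_LOG_TLSPKTS		(1<<8)
#define TLS_LOG_ALLPKTS		(1<<9)
#define TLS_LOG_SESSTKT		(1<<10)

 /*
  * Client and Server application contexts
  */
struct TLS_APPL_STATE {
    SSL_CTX *ssl_ctx;
    int     log_mask;
    char   *cache_type;
    char   *cipher_exclusions;		/* Last cipher selection state */
    char   *cipher_list;		/* Last cipher selection state */
    int     cipher_grade;		/* Last cipher selection state */
    VSTRING *why;
};

 /*
  * tls_misc.c Application-context update and disposal.
  */
extern void tls_update_app_logmask(TLS_APPL_STATE *, int);
extern void tls_free_app_context(TLS_APPL_STATE *);

 /*
  * tls_misc.c
  */

extern void tls_param_init(void);

 /*
  * Protocol selection. Each bit names a protocol that can be excluded via
  * TLS_SSL_OP_PROTOMASK(); having a bit here does not by itself enable the
  * protocol - that is decided by the configured protocol list (see
  * tls_protocol_mask() below). Protocols unknown to the OpenSSL build get a
  * zero bit and a no-op SSL_OP_NO_* value so the mask arithmetic still works.
  */
#define TLS_PROTOCOL_INVALID	(~0)	/* All protocol bits masked */
#define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
#define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
#define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
#ifdef SSL_TXT_TLSV1_1
#define TLS_PROTOCOL_TLSv1_1	(1<<3)	/* TLSv1_1 */
#else
#define TLS_PROTOCOL_TLSv1_1	0	/* Unknown */
#undef SSL_OP_NO_TLSv1_1
#define SSL_OP_NO_TLSv1_1	0L	/* Noop */
#endif
#ifdef SSL_TXT_TLSV1_2
#define TLS_PROTOCOL_TLSv1_2	(1<<4)	/* TLSv1_2 */
#else
#define TLS_PROTOCOL_TLSv1_2	0	/* Unknown */
#undef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2	0L	/* Noop */
#endif
#define TLS_KNOWN_PROTOCOLS \
	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
	| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
 /* Translate TLS_PROTOCOL_* exclusion bits into OpenSSL SSL_OP_NO_* bits. */
#define TLS_SSL_OP_PROTOMASK(m) \
	((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
	| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
	| (((m) & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) \
	| (((m) & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) \
	| (((m) & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L))

/*
 * SSL options that are managed via dedicated Postfix features, rather than
 * just exposed via hex codes or named elements of tls_ssl_options. Code that
 * applies a user-supplied option value should presumably mask these bits
 * out, so that the dedicated settings stay authoritative - confirm in
 * tls_misc.c.
 */
#define TLS_SSL_OP_MANAGED_BITS \
	(SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0))

extern int tls_protocol_mask(const char *);

 /*
  * Cipher grade selection.
  */
#define TLS_CIPHER_NONE		0
#define TLS_CIPHER_NULL		1
#define TLS_CIPHER_EXPORT	2
#define TLS_CIPHER_LOW		3
#define TLS_CIPHER_MEDIUM	4
#define TLS_CIPHER_HIGH		5

extern const NAME_CODE tls_cipher_grade_table[];

#define tls_cipher_grade(str) \
    name_code(tls_cipher_grade_table, NAME_CODE_FLAG_NONE, (str))
#define str_tls_cipher_grade(gr) \
    str_name_code(tls_cipher_grade_table, (gr))

 /*
  * Cipher lists with exclusions.
  */
extern const char *tls_set_ciphers(TLS_APPL_STATE *, const char *,
				           const char *, const char *);

#endif

 /*
  * tls_client.c
  */
typedef struct {
    const char *log_param;
    const char *log_level;
    int     verifydepth;
    const char *cache_type;
    const char *cert_file;
    const char *key_file;
    const char *dcert_file;
    const char *dkey_file;
    const char *eccert_file;
    const char *eckey_file;
    const char *CAfile;
    const char *CApath;
    const char *mdalg;			/* default message digest algorithm */
} TLS_CLIENT_INIT_PROPS;

typedef struct {
    TLS_APPL_STATE *ctx;
    VSTREAM *stream;
    int     timeout;
    int     tls_level;			/* Security level */
    const char *nexthop;		/* destination domain */
    const char *host;			/* MX hostname */
    const char *namaddr;		/* nam[addr] for logging */
    const char *serverid;		/* Session cache key */
    const char *helo;			/* Server name from EHLO response */
    const char *protocols;		/* Enabled protocols */
    const char *cipher_grade;		/* Minimum cipher grade */
    const char *cipher_exclusions;	/* Ciphers to exclude */
    const ARGV *matchargv;		/* Cert match patterns */
    const char *mdalg;			/* default message digest algorithm */
    const TLS_DANE *dane;		/* RFC 6698 verification */
} TLS_CLIENT_START_PROPS;

extern TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *);
extern TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *);

#define tls_client_stop(ctx, stream, timeout, failure, TLScontext) \
	tls_session_stop((ctx), (stream), (timeout), (failure), (TLScontext))

 /*
  * Property-filling call wrappers. Each aN argument is an expression that
  * refers to a member of *props (the typical use being "member = value");
  * the comma expression evaluates them left to right and then yields props,
  * so that a misspelled member name is a compile-time error. The argument
  * count is fixed to the number of members, so a struct change must be
  * mirrored here.
  */
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
	a10, a11, a12, a13) \
    tls_client_init((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
	((props)->a12), ((props)->a13), (props)))

#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
	a10, a11, a12, a13, a14, a15) \
    tls_client_start((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
	((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), (props)))

 /*
  * tls_server.c
  */
typedef struct {
    const char *log_param;
    const char *log_level;
    int     verifydepth;
    const char *cache_type;
    int     set_sessid;
    const char *cert_file;
    const char *key_file;
    const char *dcert_file;
    const char *dkey_file;
    const char *eccert_file;
    const char *eckey_file;
    const char *CAfile;
    const char *CApath;
    const char *protocols;
    const char *eecdh_grade;
    const char *dh1024_param_file;
    const char *dh512_param_file;
    int     ask_ccert;
    const char *mdalg;			/* default message digest algorithm */
} TLS_SERVER_INIT_PROPS;

typedef struct {
    TLS_APPL_STATE *ctx;		/* TLS application context */
    VSTREAM *stream;			/* Client stream */
    int     fd;				/* Event-driven file descriptor */
    int     timeout;			/* TLS handshake timeout */
    int     requirecert;		/* Insist on client cert? */
    const char *serverid;		/* Server instance (salt cache key) */
    const char *namaddr;		/* Client nam[addr] for logging */
    const char *cipher_grade;
    const char *cipher_exclusions;
    const char *mdalg;			/* default message digest algorithm */
} TLS_SERVER_START_PROPS;

extern TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *);
extern TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props);
extern TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *);

#define tls_server_stop(ctx, stream, timeout, failure, TLScontext) \
	tls_session_stop((ctx), (stream), (timeout), (failure), (TLScontext))

 /*
  * Same comma-expression convention as TLS_CLIENT_INIT/START above.
  */
#define TLS_SERVER_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
	a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
    tls_server_init((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
	((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
	((props)->a16), ((props)->a17), ((props)->a18), ((props)->a19), (props)))

#define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10) \
    tls_server_start((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), (props)))

 /*
  * tls_session.c
  */
extern void tls_session_stop(TLS_APPL_STATE *, VSTREAM *, int, int, TLS_SESS_STATE *);

#ifdef TLS_INTERNAL

#include <vstring.h>

extern VSTRING *tls_session_passivate(SSL_SESSION *);
extern SSL_SESSION *tls_session_activate(const char *, int);

 /*
  * tls_stream.c.
  */
extern void tls_stream_start(VSTREAM *, TLS_SESS_STATE *);
extern void tls_stream_stop(VSTREAM *);

 /*
  * tls_bio_ops.c: a generic multi-personality driver that retries SSL
  * operations until they are satisfied or until a hard error happens.
  * Because of its ugly multi-personality user interface we invoke it via
  * not-so-ugly single-personality wrappers.
  *
  * Argument order: fd, timeout, session context, handshake function, read
  * function, write function, buffer, length. Exactly one of the three
  * function pointers is non-null in each wrapper below.
  */
extern int tls_bio(int, int, TLS_SESS_STATE *,
		           int (*) (SSL *),	/* handshake */
		           int (*) (SSL *, void *, int),	/* read */
		           int (*) (SSL *, const void *, int),	/* write */
		           void *, int);

#define tls_bio_connect(fd, timeout, context) \
	tls_bio((fd), (timeout), (context), SSL_connect, \
		NULL, NULL, NULL, 0)
#define tls_bio_accept(fd, timeout, context) \
	tls_bio((fd), (timeout), (context), SSL_accept, \
		NULL, NULL, NULL, 0)
#define tls_bio_shutdown(fd, timeout, context) \
	tls_bio((fd), (timeout), (context), SSL_shutdown, \
		NULL, NULL, NULL, 0)
#define tls_bio_read(fd, buf, len, timeout, context) \
	tls_bio((fd), (timeout), (context), NULL, \
		SSL_read, NULL, (buf), (len))
#define tls_bio_write(fd, buf, len, timeout, context) \
	tls_bio((fd), (timeout), (context), NULL, \
		NULL, SSL_write, (buf), (len))

 /*
  * tls_dh.c
  */
extern void tls_set_dh_from_file(const char *, int);
extern DH *tls_tmp_dh_cb(SSL *, int, int);
extern int tls_set_eecdh_curve(SSL_CTX *, const char *);

 /*
  * tls_rsa.c
  */
extern RSA *tls_tmp_rsa_cb(SSL *, int, int);

 /*
  * tls_verify.c
  */
extern char *tls_peer_CN(X509 *, const TLS_SESS_STATE *);
extern char *tls_issuer_CN(X509 *, const TLS_SESS_STATE *);
extern const char *tls_dns_name(const GENERAL_NAME *, const TLS_SESS_STATE *);
extern int tls_verify_certificate_callback(int, X509_STORE_CTX *);
extern void tls_log_verify_error(TLS_SESS_STATE *);

 /*
  * tls_dane.c
  */
extern int tls_dane_match(TLS_SESS_STATE *, int, X509 *, int);
extern void tls_dane_set_callback(SSL_CTX *, TLS_SESS_STATE *);

 /*
  * tls_fprint.c
  */
extern char *tls_digest_encode(const unsigned char *, int);
extern char *tls_data_fprint(const char *, int, const char *);
extern char *tls_cert_fprint(X509 *, const char *);
extern char *tls_pkey_fprint(X509 *, const char *);
extern char *tls_serverid_digest(const TLS_CLIENT_START_PROPS *, long,
				         const char *);

 /*
  * tls_certkey.c
  */
extern int tls_set_ca_certificate_info(SSL_CTX *, const char *, const char *);
extern int tls_set_my_certificate_key_info(SSL_CTX *,
			         /* RSA */ const char *, const char *,
			         /* DSA */ const char *, const char *,
			         /* ECDSA */ const char *, const char *);

 /*
  * tls_misc.c
  */
extern int TLScontext_index;

extern TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *, int);
extern TLS_SESS_STATE *tls_alloc_sess_context(int, const char *);
extern void tls_free_context(TLS_SESS_STATE *);
extern void tls_check_version(void);
extern long tls_bug_bits(void);
extern void tls_print_errors(void);
extern void tls_info_callback(const SSL *, int, int);
extern long tls_bio_dump_cb(BIO *, int, const char *, int, long, long);
extern int tls_validate_digest(const char *);

 /*
  * tls_seed.c
  */
extern void tls_int_seed(void);
extern int tls_ext_seed(int);

#endif					/* TLS_INTERNAL */

/* LICENSE
/* .ad
/* .fi
/*	The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*	Wietse Venema
/*	IBM T.J. Watson Research
/*	P.O. Box 704
/*	Yorktown Heights, NY 10598, USA
/*
/*	Victor Duchovni
/*	Morgan Stanley
/*--*/

#endif					/* USE_TLS */
#endif					/* _TLS_H_INCLUDED_ */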