1/*++ 2/* NAME 3/* tls_level 3 4/* SUMMARY 5/* TLS security level conversion 6/* SYNOPSIS 7/* #include <tls.h> 8/* 9/* int tls_level_lookup(name) 10/* const char *name; 11/* 12/* const char *str_tls_level(level) 13/* int level; 14/* DESCRIPTION 15/* The macros in this module convert TLS levels from symbolic 16/* name to internal form and vice versa. The macros are safe 17/* because they evaluate their arguments only once. 18/* 19/* tls_level_lookup() converts a TLS level from symbolic name 20/* to internal form. When an unknown level is specified, 21/* tls_level_lookup() logs no warning, and returns TLS_LEV_INVALID. 22/* 23/* str_tls_level() converts a TLS level from internal form to 24/* symbolic name. The result is a null pointer for an unknown 25/* level. 26/* SEE ALSO 27/* name_code(3) name to number mapping 28/* LICENSE 29/* .ad 30/* .fi 31/* The Secure Mailer license must be distributed with this software. 32/* AUTHOR(S) 33/* Wietse Venema 34/* IBM T.J. Watson Research 35/* P.O. Box 704 36/* Yorktown Heights, NY 10598, USA 37/* 38/* Victor Duchovni 39/* Morgan Stanley 40/*--*/ 41 42/* System library. */ 43 44#include <sys_defs.h> 45 46/* Utility library. */ 47 48#include <name_code.h> 49 50/* TLS library. */ 51 52#include <tls.h> 53 54/* Application-specific. */ 55 56 /* 57 * Numerical order of levels is critical (see tls.h): 58 * 59 * - With "may" and higher, TLS is enabled. 60 * 61 * - With "encrypt" and higher, TLS is required. 62 * 63 * - With "fingerprint" and higher, the peer certificate must match. 64 * 65 * - With "dane" and higher, the peer certificate must also be trusted, 66 * possibly via TLSA RRs that make it its own authority. 67 * 68 * The smtp(8) client will report trust failure in preference to reporting 69 * failure to match, so we make "dane" larger than "fingerprint". 
*/

/*
 * Symbolic level names paired with their internal TLS_LEV_* codes; see
 * tls.h for the numerical ordering discussed above.  This table backs the
 * tls_level_lookup() and str_tls_level() conversions described in the
 * header comment.  The entry with a null name ends the table, and its
 * code, TLS_LEV_INVALID, is what a lookup of an unknown name yields.
 */
const NAME_CODE tls_level_table[] = {
    {"none", TLS_LEV_NONE},
    {"may", TLS_LEV_MAY},
    {"encrypt", TLS_LEV_ENCRYPT},
    {"fingerprint", TLS_LEV_FPRINT},
    {"dane", TLS_LEV_DANE},
    {"dane-only", TLS_LEV_DANE_ONLY},
    {"verify", TLS_LEV_VERIFY},
    {"secure", TLS_LEV_SECURE},
    {0, TLS_LEV_INVALID},		/* terminator: null name */
};