/*	$NetBSD: tls_level.c,v 1.2 2017/02/14 01:16:48 christos Exp $	*/

/*++
/* NAME
/*	tls_level 3
/* SUMMARY
/*	TLS security level conversion
/* SYNOPSIS
/*	#include <tls.h>
/*
/*	int	tls_level_lookup(name)
/*	const char *name;
/*
/*	const char *str_tls_level(level)
/*	int	level;
/* DESCRIPTION
/*	The functions in this module convert TLS levels from symbolic
/*	name to internal form and vice versa.
/*
/*	tls_level_lookup() converts a TLS level from symbolic name
/*	to internal form. When an unknown level is specified,
/*	tls_level_lookup() logs no warning, and returns TLS_LEV_INVALID.
/*
/*	str_tls_level() converts a TLS level from internal form to
/*	symbolic name. The result is a null pointer for an unknown
/*	level. The "halfdane" level is not a valid user-selected TLS level,
/*	it is generated internally and is only valid output for the
/*	str_tls_level() function.
/* SEE ALSO
/*	name_code(3) name to number mapping
/* LICENSE
/* .ad
/* .fi
/*	The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*	Wietse Venema
/*	IBM T.J. Watson Research
/*	P.O. Box 704
/*	Yorktown Heights, NY 10598, USA
/*
/*	Victor Duchovni
/*	Morgan Stanley
/*--*/

/* System library. */

#include <sys_defs.h>

/* Utility library. */

#include <name_code.h>

/* TLS library. */

#include <tls.h>

/* Application-specific. */

 /*
  * Name <-> code table for TLS security levels.
  *
  * The numerical order of the TLS_LEV_* codes is load-bearing (see tls.h):
  * callers compare levels with "<" and ">", so each step up must only add
  * guarantees:
  *
  * - "may" and above: TLS is enabled.
  *
  * - "encrypt" and above: TLS is mandatory.
  *
  * - "fingerprint" and above: the peer certificate must match.
  *
  * - "dane" and above: the peer certificate must in addition be trusted,
  * possibly through TLSA RRs that make it its own authority.
  *
  * "dane" is deliberately ranked above "fingerprint" so that the smtp(8)
  * client reports a trust failure in preference to a match failure.
  *
  * The "halfdane" entry exists only so that str_tls_level() can render the
  * internally generated TLS_LEV_HALF_DANE code; tls_level_lookup() refuses
  * it as input. The final null-name entry supplies the code that name_code()
  * returns for an unknown name.
  */
static const NAME_CODE tls_level_table[] = {
    "none",        TLS_LEV_NONE,	/* TLS off */
    "may",         TLS_LEV_MAY,		/* opportunistic TLS */
    "encrypt",     TLS_LEV_ENCRYPT,	/* TLS required */
    "fingerprint", TLS_LEV_FPRINT,	/* peer cert must match */
    "halfdane",    TLS_LEV_HALF_DANE,	/* output only, never user input */
    "dane",        TLS_LEV_DANE,	/* peer cert must also be trusted */
    "dane-only",   TLS_LEV_DANE_ONLY,
    "verify",      TLS_LEV_VERIFY,
    "secure",      TLS_LEV_SECURE,
    0,             TLS_LEV_INVALID,	/* sentinel: code for unknown names */
};

/* tls_level_lookup - map a symbolic TLS level to its TLS_LEV_* code */

int     tls_level_lookup(const char *name)
{
    int     code = name_code(tls_level_table, NAME_CODE_FLAG_NONE, name);

    /*
     * "halfdane" is a legitimate table entry (so that str_tls_level() can
     * print it) but must never be accepted from a user or configuration;
     * fold it into the same answer an unknown name gets.
     */
    if (code == TLS_LEV_HALF_DANE)
	return (TLS_LEV_INVALID);
    return (code);
}

/* str_tls_level - map a TLS_LEV_* code to its symbolic name, or null */

const char *str_tls_level(int level)
{
    const char *name = str_name_code(tls_level_table, level);

    /* Unlike the lookup direction, "halfdane" is valid output here. */
    return (name);
}