/*
 * Copyright (c) 2015, 2020-2023 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 */

/*
**  TLS.H -- declarations shared by the STARTTLS / DANE code.
**
**	Contents (all of it is compiled only when STARTTLS is set):
**	- OpenSSL version/feature shims (TLS_version_num, MTA_HAVE_TLSv1_3,
**	  HAVE_SSL_CTX_dane_enable);
**	- DANE state: struct dane_tlsa_S, the TLSAFL* flag bits and the
**	  DANE_VRFY_* / TLSA_* result codes;
**	- the TLS_I_* requirement bits that drive TLS initialization
**	  (file existence and permission checks, DH handling, etc.);
**	- prototypes and the global TLS configuration variables.
**
**	Storage: exactly one translation unit defines _DEFINE before
**	including this header and thereby owns the definitions of the
**	EXTERN variables; every other includer gets "extern" declarations.
*/

#ifndef _TLS_H
# define _TLS_H 1

#if STARTTLS
# include <openssl/ssl.h>
# if !TLS_NO_RSA
/*
**  NOTE(review): RSA_KEYLENGTH is 1024 bits in FIPS mode and only 512
**  bits otherwise.  Both are below current minimums (>= 2048), and a
**  512-bit RSA key is factorable with commodity resources.  The only
**  consumer visible here is the TLS_I_RSA_TMP requirement ("RSA TMP must
**  be generated"); the actual use site is in tls.c, so confirm whether a
**  temporary RSA key is still generated at all with the OpenSSL versions
**  this build supports before either relying on or raising this value.
*/
#  if _FFR_FIPSMODE
#   define RSA_KEYLENGTH	1024
#  else
#   define RSA_KEYLENGTH	512
#  endif
# endif /* !TLS_NO_RSA */

/*
**  OpenSSL 1.1.0 renamed SSLeay() to OpenSSL_version_num(); the excluded
**  0x2xxxxxxx range is presumably LibreSSL, which reports that number.
*/

# if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
#  define TLS_version_num OpenSSL_version_num
# else
#  define TLS_version_num SSLeay
# endif

#ifndef MTA_HAVE_TLSv1_3
/*
**  HACK: if openssl can disable TLSv1_3 then "assume" it supports all
**  related functions!
**
**  This is inferred from a constant, not from a real feature test; the
**  CipherSuites variable further down is only declared when it is set.
*/

# ifdef SSL_OP_NO_TLSv1_3
#  define MTA_HAVE_TLSv1_3 1
# endif
#endif

/* see the header comment: _DEFINE selects definition vs. declaration */
#ifdef _DEFINE
# define EXTERN
#else
# define EXTERN extern
#endif

#if _FFR_TLS_EC && !defined(TLS_EC)
# define TLS_EC _FFR_TLS_EC
#endif

#if DANE

/*
**  Native OpenSSL DANE support (SSL_CTX_dane_enable and friends) is
**  assumed for OpenSSL >= 1.1.1 and 3.x unless the build overrides it.
**  Its presence also raises MAX_TLSA_RR from 16 to 64 (see below).
*/

# ifndef HAVE_SSL_CTX_dane_enable
#  if (OPENSSL_VERSION_NUMBER >= 0x10101000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
#   define HAVE_SSL_CTX_dane_enable 1
#  endif
# endif

/* SM_NOTDONE / SM_FULL: presumably status values for ssl_dane_enable() -- confirm in tls.c */
extern int ssl_dane_enable __P((dane_vrfy_ctx_P, SSL *));
# define SM_NOTDONE 1
# define SM_FULL 2

/* TLSA RR lookup; parameter meanings are not visible here, see the definition */
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));

/* upper bound on TLSA RRs kept per record (sizes the arrays in struct dane_tlsa_S) */
# ifndef MAX_TLSA_RR
#  if HAVE_SSL_CTX_dane_enable
#   define MAX_TLSA_RR 64
#  else
#   define MAX_TLSA_RR 16
#  endif
# endif

/* DANE verification outcome; value 1 (DANE_VRFY_NO) is intentionally retired */
# define DANE_VRFY_NONE	0	/* no DANE */
/* # define DANE_VRFY_NO	1	* no TLSAs */
# define DANE_VRFY_FAIL	2	/* TLSA check failed */
# define DANE_VRFY_OK	3	/* TLSA check was ok */
# define DANE_VRFY_TEMP	4	/* TLSA check failed temporarily */

/*
**  return values for dane_tlsa_chk()
**
**  Note that TLSA_IS_VALID() accepts TLSA_UNSUPP: a well-formed record
**  whose algorithm this build cannot verify is still "valid" (and is
**  stored, see the note in struct dane_tlsa_S); only TLSA_BOGUS is
**  rejected outright.  Use TLSA_IS_SUPPORTED() to ask whether the record
**  can actually be matched.
*/
# define TLSA_BOGUS	(-10)
# define TLSA_UNSUPP	(-1)
/* note: anything >= 0 is ok and refers to the hash algorithm */
# define TLSA_IS_SUPPORTED(r)	((r) >= 0)
# define TLSA_IS_VALID(r)	((r) >= TLSA_UNSUPP)

/*
**  Cached TLSA data for one name.  dane_tlsa_rr[] and dane_tlsa_len[]
**  are parallel arrays bounded by MAX_TLSA_RR; dane_tlsa_flags holds the
**  TLSAFL* bits defined below.
*/

struct dane_tlsa_S
{
	time_t		 dane_tlsa_exp;		/* expiration; ignored when TLSAFLNOEXP is set -- presumably */
	int		 dane_tlsa_n;		/* number of entries in use -- confirm against dane.c */
	int		 dane_tlsa_dnsrc;	/* DNS result code; TLSA_RR_TEMPFAIL() compares it with TRY_AGAIN */
	unsigned long	 dane_tlsa_flags;	/* TLSAFL* bits */

	/*
	**  Note: all "valid" TLSA RRs are stored,
	**  not just those which are "supported"
	*/

	unsigned char	*dane_tlsa_rr[MAX_TLSA_RR];	/* raw RR data */
	int		 dane_tlsa_len[MAX_TLSA_RR];	/* length of each dane_tlsa_rr[i] */
	char		*dane_tlsa_sni;			/* SNI name to present -- presumably */
};

# define TLSAFLNONE	0x00000000
/* Dane Mode */
# define TLSAFLALWAYS	0x00000001
# define TLSAFLSECURE	0x00000002
/*
**  DANEMODE() masks the low two bits; TLSAFLALWAYS|TLSAFLSECURE together
**  would yield 3, which none of the DANE_* names below covers.
*/
# define DANEMODE(fl)	((fl) & 0x3)
# define TLSAFLNOEXP	0x00000010	/* do not check expiration */

# define TLSAFLNEW	0x00000020
/* "AD" here presumably refers to the DNSSEC authenticated-data bit of the respective lookup */
# define TLSAFLADMX	0x00000100
# define TLSAFLADIP	0x00000200	/* changes with each IP lookup! */
# define TLSAFLNOTLS	0x00000400	/* starttls() failed */
/* treat IPv4 and IPv6 the same - the ad flag should be identical */
/* # define TLSAFLADTLSA	* currently unused */

/* NOTE: "flags" >= TLSAFLTEMP are stored, see TLSA_STORE_FL()! */
/* could be used to replace DNSRC */
# define TLSAFLTEMP	0x00001000	/* TLSA RR lookup tempfailed */
# define TLSAFL2MANY	0x00004000	/* too many TLSA RRs */

/*
**  Do not use this record, and do not look up new TLSA RRs because
**  the MX/host lookup was not secure.
**  XXX: host->MX lookup info can NOT be stored in dane_tlsa!
**  XXX: to determine: interaction with DANE=always
*/

/* # define TLSAFLNOADMX	0x00010000 */
/* # define TLSAFLNOADTLSA	0x00020000	* TLSA: no AD - for DANE=always? */

# define TLSAFLTEMPVRFY	0x00008000	/* temporary DANE verification failure */
/* security-relevant: this bit switches DANE verification off entirely, see VRFY_DANE() */
# define TLSAFLNOVRFY	0x00080000	/* do NOT perform DANE verification */

# define TLSAFLUNS	0x00100000	/* has unsupported TLSA RRs */
# define TLSAFLSUP	0x00200000	/* has supported TLSA RRs */

/* flag helpers; dane_tlsa must be a non-NULL struct dane_tlsa_S pointer */
# define TLSA_SET_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags |= (fl)
# define TLSA_CLR_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags &= ~(fl)
# define TLSA_IS_FL(dane_tlsa, fl)	(((dane_tlsa)->dane_tlsa_flags & (fl)) != 0)

/* any TLSA RRs? */
# define TLSA_HAS_RRs(dane_tlsa)	TLSA_IS_FL(dane_tlsa, TLSAFLUNS|TLSAFLSUP)

/*
**  Numeric comparison on the whole flag word: any word containing a bit
**  at or above TLSAFLTEMP (TLSAFLTEMP, TLSAFL2MANY, TLSAFLTEMPVRFY,
**  TLSAFLNOVRFY, TLSAFLUNS, TLSAFLSUP) is stored; the low bits alone
**  (mode, NOEXP, NEW, AD*, NOTLS) are not.
*/
# define TLSA_STORE_FL(fl)	((fl) >= TLSAFLTEMP)

/* values for DANE option and dane_vrfy_chk */
# define DANE_NEVER	TLSAFLNONE	/* XREF: see sendmail.h: #define Dane */
# define DANE_ALWAYS	TLSAFLALWAYS	/* NOT documented, testing... */
# define DANE_SECURE	TLSAFLSECURE
# define CHK_DANE(dane)	(DANEMODE((dane)) != DANE_NEVER)
# define VRFY_DANE(dane_vrfy_chk)	(0 == ((dane_vrfy_chk) & TLSAFLNOVRFY))

/* temp fails? others? */
# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)

# define ONLYUNSUPTLSARR ", status=all TLSA RRs are unsupported"
#endif /* DANE */

/*
**  TLS
*/

/*
**  what to do in the TLS initialization
**
**	"g/o unreadable" bits are file-permission requirements (group and
**	other must have no read access).  The TLS_I_*_UNR bits for the
**	certificate, CA path/file, DH parameters and CRL file are defined
**	but not part of any of the composite sets below; only the private
**	key permission bits are.  TLS_I_NO_VRFY ("do not require
**	authentication") is likewise not in any composite and has to be
**	OR'ed in deliberately by a caller.
*/
#define TLS_I_NONE	0x00000000	/* no requirements... */
#define TLS_I_CERT_EX	0x00000001	/* cert must exist */
#define TLS_I_CERT_UNR	0x00000002	/* cert must be g/o unreadable */
#define TLS_I_KEY_EX	0x00000004	/* key must exist */
#define TLS_I_KEY_UNR	0x00000008	/* key must be g/o unreadable */
#define TLS_I_CERTP_EX	0x00000010	/* CA cert path must exist */
#define TLS_I_CERTP_UNR	0x00000020	/* CA cert path must be g/o unreadable */
#define TLS_I_CERTF_EX	0x00000040	/* CA cert file must exist */
#define TLS_I_CERTF_UNR	0x00000080	/* CA cert file must be g/o unreadable */
#define TLS_I_RSA_TMP	0x00000100	/* RSA TMP must be generated (key size: RSA_KEYLENGTH) */
#define TLS_I_USE_KEY	0x00000200	/* private key must usable */
#define TLS_I_USE_CERT	0x00000400	/* certificate must be usable */
/*
not "read" anywhere
#define TLS_I_VRFY_PATH	0x00000800	* load verify path must succeed *
*/
#define TLS_I_VRFY_LOC	0x00001000	/* load verify default must succeed */
#define TLS_I_CACHE	0x00002000	/* require cache */
#define TLS_I_TRY_DH	0x00004000	/* try DH certificate */
#define TLS_I_REQ_DH	0x00008000	/* require DH certificate */
#define TLS_I_DHPAR_EX	0x00010000	/* require DH parameters */
#define TLS_I_DHPAR_UNR	0x00020000	/* DH param. must be g/o unreadable */
/* NOTE(review): 512/1024-bit DH is weak (Logjam-class); whether these bits are ever set is not visible here */
#define TLS_I_DH512	0x00040000	/* generate 512bit DH param */
#define TLS_I_DH1024	0x00080000	/* generate 1024bit DH param */
#define TLS_I_DH2048	0x00100000	/* generate 2048bit DH param */
#define TLS_I_NO_VRFY	0x00200000	/* do not require authentication */
#define TLS_I_KEY_OUNR	0x00400000	/* Key must be other unreadable */
#define TLS_I_CRLF_EX	0x00800000	/* CRL file must exist */
#define TLS_I_CRLF_UNR	0x01000000	/* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED	0x02000000	/* use fixed DH param */
#define TLS_I_DHAUTO	0x04000000	/* */

/* require server cert (both key permission bits, existence of cert, key, CA path and CA file) */
#define TLS_I_SRV_CERT	(TLS_I_CERT_EX | TLS_I_KEY_EX | \
			 TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
			 TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
			 TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)

/* server requirements */
#define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | /*TLS_I_VRFY_PATH|*/ \
			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)

/* client requirements: only key-permission checks; no client cert/key existence is demanded */
#define TLS_I_CLT	(TLS_I_KEY_UNR | TLS_I_KEY_OUNR)

/* peer-authentication results (apparently: ok, not authenticated, temporary, hard failure) */
#define TLS_AUTH_OK	0
#define TLS_AUTH_NO	1
#define TLS_AUTH_TEMP	2
#define TLS_AUTH_FAIL	(-1)

/* verification settings are per SSL_CTX unless the build says otherwise */
# ifndef TLS_VRFY_PER_CTX
#  define TLS_VRFY_PER_CTX 1
# endif

/*
**  Free an SSL object and clear the variable.  The argument is expanded
**  three times and is assigned to, so it must be a plain lvalue without
**  side effects.
*/
#define SM_SSL_FREE(ssl)			\
	do {					\
		if (ssl != NULL)		\
		{				\
			SSL_free(ssl);		\
			ssl = NULL;		\
		}				\
	} while (0)

/* functions (defined in tls.c unless noted; descriptions beyond the signature are not verifiable here) */
extern int	endtls __P((SSL **, const char *));		/* shut down a session; takes SSL ** -- presumably clears it */
extern int	get_tls_se_features __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
extern int	init_tls_library __P((bool _fipsmode));		/* one-time library setup; bool selects FIPS mode */
extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
extern bool	initclttls __P((bool));
extern bool	initsrvtls __P((bool));
extern bool	load_certkey __P((SSL *, bool, char *, char *));
/* extern bool	load_crlpath __P((SSL_CTX *, bool , char *)); */
extern void	setclttls __P((bool));
extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void	tlslogerr __P((int, int, const char *));
extern void	tls_set_verify __P((SSL_CTX *, SSL *, bool));
# if DANE
/* returns TLSA_BOGUS, TLSA_UNSUPP, or the hash algorithm (>= 0); see the TLSA_* codes above */
extern int	dane_tlsa_chk __P((const unsigned char *, int, const char *, bool));
extern int	dane_tlsa_clr __P((dane_tlsa_P));
extern int	dane_tlsa_free __P((dane_tlsa_P));
# endif

/* global TLS configuration (storage owned by the _DEFINE translation unit) */
EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CACertFile;	/* file with CA certificate */
#if _FFR_CLIENTCA
EXTERN char	*CltCACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CltCACertFile;	/* file with CA certificate */
#endif
EXTERN char	*CltCertFile;	/* file with client certificate */
EXTERN char	*CltKeyFile;	/* file with client private key */
EXTERN char	*CipherList;	/* list of ciphers */
#if MTA_HAVE_TLSv1_3
EXTERN char	*CipherSuites;	/* cipher suites (TLS 1.3 only) */
#endif
EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
EXTERN char	*DHParams;	/* file with DH parameters */
EXTERN char	*RandFile;	/* source of random data */
EXTERN char	*SrvCertFile;	/* file with server certificate */
EXTERN char	*SrvKeyFile;	/* file with server private key */
EXTERN char	*CRLFile;	/* file CRLs */
EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
/*
**  NOTE(review): by its name this is a downgrade switch (deliver in
**  cleartext when TLS cannot be established).  Its consumer is not in
**  this header; treat any code path that reads it as security-relevant.
*/
EXTERN bool	TLSFallbacktoClear;

EXTERN char	*SSLEngine;
EXTERN char	*SSLEnginePath;
EXTERN bool	SSLEngineprefork;

/*
**  TLS_set_engine(id, prefork) has three shapes:
**  - USE_OPENSSL_ENGINE: maps to SSL_set_engine(id); prefork is dropped;
**  - engines available in OpenSSL: a real function (tls.c);
**  - OPENSSL_NO_ENGINE: expands to the constant 1, so the call is a no-op
**    that always yields the same value -- presumably "success".
*/
# if USE_OPENSSL_ENGINE
#define TLS_set_engine(id, prefork)	SSL_set_engine(id)
# else
#  if !defined(OPENSSL_NO_ENGINE)
int TLS_set_engine __P((const char *, bool));
#  else
#define TLS_set_engine(id, prefork)	1
#  endif
# endif

extern int set_tls_rd_tmo __P((int));	/* read timeout; stubbed to 0 below when STARTTLS is off */
extern int data2hex __P((unsigned char *, int, unsigned char *, int));	/* bounded: both input and output lengths are passed */
# if DANE
extern int pubkey_fp __P((X509 *, const char*, unsigned char **));	/* public-key fingerprint; caller presumably frees the output */
extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif

#else /* STARTTLS */
/* non-TLS builds: keep callers compiling, timeout setting is a no-op */
# define set_tls_rd_tmo(rd_tmo)	0
#endif /* STARTTLS */
#undef EXTERN
#endif /* ! _TLS_H */