xref: /freebsd/contrib/sendmail/src/tls.h (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * Copyright (c) 2015, 2020-2023 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  *
5  * By using this file, you agree to the terms and conditions set
6  * forth in the LICENSE file which can be found at the top level of
7  * the sendmail distribution.
8  */
9 
10 #ifndef _TLS_H
11 # define _TLS_H 1
12 
13 #if STARTTLS
14 # include <openssl/ssl.h>
15 # if !TLS_NO_RSA
16 #  if _FFR_FIPSMODE
17 #   define RSA_KEYLENGTH	1024
18 #  else
19 #   define RSA_KEYLENGTH	512
20 #  endif
21 # endif /* !TLS_NO_RSA */
22 
23 # if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
24 #  define TLS_version_num OpenSSL_version_num
25 # else
26 #  define TLS_version_num SSLeay
27 # endif
28 
29 #ifndef MTA_HAVE_TLSv1_3
30 /*
31 **  HACK: if openssl can disable TLSv1_3 then "assume" it supports all
32 **   related functions!
33 */
34 # ifdef SSL_OP_NO_TLSv1_3
35 #  define MTA_HAVE_TLSv1_3 1
36 # endif
37 #endif
38 
39 #ifdef _DEFINE
40 # define EXTERN
41 #else
42 # define EXTERN extern
43 #endif
44 
45 #if _FFR_TLS_EC && !defined(TLS_EC)
46 # define TLS_EC _FFR_TLS_EC
47 #endif
48 
49 #if DANE
50 
51 # ifndef HAVE_SSL_CTX_dane_enable
52 #  if (OPENSSL_VERSION_NUMBER >= 0x10101000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
53 #   define HAVE_SSL_CTX_dane_enable 1
54 #  endif
55 # endif
56 
57 extern int ssl_dane_enable __P((dane_vrfy_ctx_P, SSL *));
58 # define SM_NOTDONE 1
59 # define SM_FULL 2
60 
61 extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
62 # ifndef MAX_TLSA_RR
63 #  if HAVE_SSL_CTX_dane_enable
64 #   define MAX_TLSA_RR	64
65 #  else
66 #   define MAX_TLSA_RR	16
67 #  endif
68 # endif
69 
70 # define DANE_VRFY_NONE	0	/* no DANE */
71 /* # define DANE_VRFY_NO	1	* no TLSAs */
72 # define DANE_VRFY_FAIL	2	/* TLSA check failed */
73 # define DANE_VRFY_OK	3	/* TLSA check was ok */
74 # define DANE_VRFY_TEMP	4	/* TLSA check failed temporarily */
75 
76 /* return values for dane_tlsa_chk() */
77 # define TLSA_BOGUS	(-10)
78 # define TLSA_UNSUPP	(-1)
79 /* note: anything >= 0 is ok and refers to the hash algorithm */
80 # define TLSA_IS_SUPPORTED(r)	((r) >= 0)
81 # define TLSA_IS_VALID(r)	((r) >= TLSA_UNSUPP)
82 
83 struct dane_tlsa_S
84 {
85 	time_t		 dane_tlsa_exp;
86 	int		 dane_tlsa_n;
87 	int		 dane_tlsa_dnsrc;
88 	unsigned long	 dane_tlsa_flags;
89 
90 	/*
91 	**  Note: all "valid" TLSA RRs are stored,
92 	**  not just those which are "supported"
93 	*/
94 
95 	unsigned char	*dane_tlsa_rr[MAX_TLSA_RR];
96 	int		 dane_tlsa_len[MAX_TLSA_RR];
97 	char		*dane_tlsa_sni;
98 };
99 
100 # define TLSAFLNONE	0x00000000
101 /* Dane Mode */
102 # define TLSAFLALWAYS	0x00000001
103 # define TLSAFLSECURE	0x00000002
104 # define DANEMODE(fl)	((fl) & 0x3)
105 # define TLSAFLNOEXP	0x00000010	/* do not check expiration */
106 
107 # define TLSAFLNEW	0x00000020
108 # define TLSAFLADMX	0x00000100
109 # define TLSAFLADIP	0x00000200	/* changes with each IP lookup! */
110 # define TLSAFLNOTLS	0x00000400	/* starttls() failed */
111 /* treat IPv4 and IPv6 the same - the ad flag should be identical */
112 /* # define TLSAFLADTLSA		* currently unused */
113 
114 /* NOTE: "flags" >= TLSAFLTEMP are stored, see TLSA_STORE_FL()! */
115 /* could be used to replace DNSRC */
116 # define TLSAFLTEMP	0x00001000	/* TLSA RR lookup tempfailed */
117 # define TLSAFL2MANY	0x00004000	/* too many TLSA RRs */
118 
119 /*
120 **  Do not use this record, and do not look up new TLSA RRs because
121 **  the MX/host lookup was not secure.
122 **  XXX: host->MX lookup info can NOT be stored in dane_tlsa!
123 **  XXX: to determine: interaction with DANE=always
124 */
125 
126 /* # define TLSAFLNOADMX	0x00010000 */
127 /* # define TLSAFLNOADTLSA	0x00020000	* TLSA: no AD - for DANE=always? */
128 
129 # define TLSAFLTEMPVRFY	0x00008000	/* temporary DANE verification failure */
130 # define TLSAFLNOVRFY	0x00080000	/* do NOT perform DANE verification */
131 
132 # define TLSAFLUNS	0x00100000	/* has unsupported TLSA RRs */
133 # define TLSAFLSUP	0x00200000	/* has supported TLSA RRs */
134 
135 # define TLSA_SET_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags |= (fl)
136 # define TLSA_CLR_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags &= ~(fl)
137 # define TLSA_IS_FL(dane_tlsa, fl)	(((dane_tlsa)->dane_tlsa_flags & (fl)) != 0)
138 
139 /* any TLSA RRs? */
140 # define TLSA_HAS_RRs(dane_tlsa)	TLSA_IS_FL(dane_tlsa, TLSAFLUNS|TLSAFLSUP)
141 
142 # define TLSA_STORE_FL(fl)	((fl) >= TLSAFLTEMP)
143 
144 /* values for DANE option and dane_vrfy_chk */
145 # define DANE_NEVER	TLSAFLNONE /* XREF: see sendmail.h: #define Dane */
146 # define DANE_ALWAYS	TLSAFLALWAYS	/* NOT documented, testing... */
147 # define DANE_SECURE	TLSAFLSECURE
148 # define CHK_DANE(dane)	(DANEMODE((dane)) != DANE_NEVER)
149 # define VRFY_DANE(dane_vrfy_chk) (0 == ((dane_vrfy_chk) & TLSAFLNOVRFY))
150 
151 /* temp fails? others? */
152 # define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)
153 
154 # define ONLYUNSUPTLSARR ", status=all TLSA RRs are unsupported"
155 #endif /* DANE */
156 
157 /*
158 **  TLS
159 */
160 
161 /* what to do in the TLS initialization */
162 #define TLS_I_NONE	0x00000000	/* no requirements... */
163 #define TLS_I_CERT_EX	0x00000001	/* cert must exist */
164 #define TLS_I_CERT_UNR	0x00000002	/* cert must be g/o unreadable */
165 #define TLS_I_KEY_EX	0x00000004	/* key must exist */
166 #define TLS_I_KEY_UNR	0x00000008	/* key must be g/o unreadable */
167 #define TLS_I_CERTP_EX	0x00000010	/* CA cert path must exist */
168 #define TLS_I_CERTP_UNR	0x00000020	/* CA cert path must be g/o unreadable */
169 #define TLS_I_CERTF_EX	0x00000040	/* CA cert file must exist */
170 #define TLS_I_CERTF_UNR	0x00000080	/* CA cert file must be g/o unreadable */
171 #define TLS_I_RSA_TMP	0x00000100	/* RSA TMP must be generated */
172 #define TLS_I_USE_KEY	0x00000200	/* private key must usable */
173 #define TLS_I_USE_CERT	0x00000400	/* certificate must be usable */
174 /*
175 not "read" anywhere
176 #define TLS_I_VRFY_PATH	0x00000800	* load verify path must succeed *
177 */
178 #define TLS_I_VRFY_LOC	0x00001000	/* load verify default must succeed */
179 #define TLS_I_CACHE	0x00002000	/* require cache */
180 #define TLS_I_TRY_DH	0x00004000	/* try DH certificate */
181 #define TLS_I_REQ_DH	0x00008000	/* require DH certificate */
182 #define TLS_I_DHPAR_EX	0x00010000	/* require DH parameters */
183 #define TLS_I_DHPAR_UNR	0x00020000	/* DH param. must be g/o unreadable */
184 #define TLS_I_DH512	0x00040000	/* generate 512bit DH param */
185 #define TLS_I_DH1024	0x00080000	/* generate 1024bit DH param */
186 #define TLS_I_DH2048	0x00100000	/* generate 2048bit DH param */
187 #define TLS_I_NO_VRFY	0x00200000	/* do not require authentication */
188 #define TLS_I_KEY_OUNR	0x00400000	/* Key must be other unreadable */
189 #define TLS_I_CRLF_EX	0x00800000	/* CRL file must exist */
190 #define TLS_I_CRLF_UNR	0x01000000	/* CRL file must be g/o unreadable */
191 #define TLS_I_DHFIXED	0x02000000	/* use fixed DH param */
192 #define TLS_I_DHAUTO	0x04000000	/* */
193 
194 /* require server cert */
195 #define TLS_I_SRV_CERT	 (TLS_I_CERT_EX | TLS_I_KEY_EX | \
196 			  TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
197 			  TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
198 			  TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)
199 
200 /* server requirements */
201 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | /*TLS_I_VRFY_PATH|*/ \
202 			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)
203 
204 /* client requirements */
205 #define TLS_I_CLT	(TLS_I_KEY_UNR | TLS_I_KEY_OUNR)
206 
207 #define TLS_AUTH_OK	0
208 #define TLS_AUTH_NO	1
209 #define TLS_AUTH_TEMP	2
210 #define TLS_AUTH_FAIL	(-1)
211 
212 # ifndef TLS_VRFY_PER_CTX
213 #  define TLS_VRFY_PER_CTX 1
214 # endif
215 
216 #define SM_SSL_FREE(ssl)			\
217 	do {					\
218 		if (ssl != NULL)		\
219 		{				\
220 			SSL_free(ssl);		\
221 			ssl = NULL;		\
222 		}				\
223 	} while (0)
224 
225 /* functions */
226 extern int	endtls __P((SSL **, const char *));
227 extern int	get_tls_se_features __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
228 extern int	init_tls_library __P((bool _fipsmode));
229 extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
230 extern bool	initclttls __P((bool));
231 extern bool	initsrvtls __P((bool));
232 extern bool	load_certkey __P((SSL *, bool, char *, char *));
233 /* extern bool	load_crlpath __P((SSL_CTX *, bool , char *)); */
234 extern void	setclttls __P((bool));
235 extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
236 extern void	tlslogerr __P((int, int, const char *));
237 extern void	tls_set_verify __P((SSL_CTX *, SSL *, bool));
238 # if DANE
239 extern int dane_tlsa_chk __P((const unsigned char *, int, const char *, bool));
240 extern int dane_tlsa_clr __P((dane_tlsa_P));
241 extern int dane_tlsa_free __P((dane_tlsa_P));
242 # endif
243 
244 EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
245 EXTERN char	*CACertFile;	/* file with CA certificate */
246 #if _FFR_CLIENTCA
247 EXTERN char	*CltCACertPath;	/* path to CA certificates (dir. with hashes) */
248 EXTERN char	*CltCACertFile;	/* file with CA certificate */
249 #endif
250 EXTERN char	*CltCertFile;	/* file with client certificate */
251 EXTERN char	*CltKeyFile;	/* file with client private key */
252 EXTERN char	*CipherList;	/* list of ciphers */
253 #if MTA_HAVE_TLSv1_3
254 EXTERN char	*CipherSuites;	/* cipher suites */
255 #endif
256 EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
257 EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
258 EXTERN char	*DHParams;	/* file with DH parameters */
259 EXTERN char	*RandFile;	/* source of random data */
260 EXTERN char	*SrvCertFile;	/* file with server certificate */
261 EXTERN char	*SrvKeyFile;	/* file with server private key */
262 EXTERN char	*CRLFile;	/* file CRLs */
263 EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
264 EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
265 EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
266 EXTERN bool	TLSFallbacktoClear;
267 
268 EXTERN char	*SSLEngine;
269 EXTERN char	*SSLEnginePath;
270 EXTERN bool	SSLEngineprefork;
271 
272 # if USE_OPENSSL_ENGINE
273 #define TLS_set_engine(id, prefork) SSL_set_engine(id)
274 # else
275 #  if !defined(OPENSSL_NO_ENGINE)
276 int TLS_set_engine __P((const char *, bool));
277 #  else
278 #define TLS_set_engine(id, prefork)	1
279 #  endif
280 # endif
281 
282 extern int	set_tls_rd_tmo __P((int));
283 extern int data2hex __P((unsigned char *, int, unsigned char *, int));
284 # if DANE
285 extern int pubkey_fp __P((X509 *, const char*, unsigned char **));
286 extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
287 # endif
288 
289 #else /* STARTTLS */
290 # define set_tls_rd_tmo(rd_tmo)	0
291 #endif /* STARTTLS */
292 #undef EXTERN
293 #endif /* ! _TLS_H */
294