1 /*
2  * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  *
5  * By using this file, you agree to the terms and conditions set
6  * forth in the LICENSE file which can be found at the top level of
7  * the sendmail distribution.
8  */
9 
10 
#ifndef _TLS_H
# define _TLS_H 1

#if STARTTLS
# include <openssl/ssl.h>
# if !TLS_NO_RSA
/*
**  Size (bits) of the temporary RSA key, cf. TLS_I_RSA_TMP below.
**  NOTE(review): 512 and 1024 bits are both well below current minimums
**  (2048+); confirm whether the TLS_I_RSA_TMP path is still reachable.
*/
#  if _FFR_FIPSMODE
#   define RSA_KEYLENGTH	1024
#  else
#   define RSA_KEYLENGTH	512
#  endif
# endif /* !TLS_NO_RSA */

/* runtime OpenSSL version: OpenSSL_version_num() on 1.1.x, SSLeay() elsewhere */
# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
#  define TLS_version_num OpenSSL_version_num
# else
#  define TLS_version_num SSLeay
# endif

#ifndef MTA_HAVE_TLSv1_3
/*
**  HACK: if openssl can disable TLSv1_3 then "assume" it supports all
**   related functions!
*/
# ifdef SSL_OP_NO_TLSv1_3
#  define MTA_HAVE_TLSv1_3 1
# endif
#endif

/*
**  EXTERN expands to nothing in the one translation unit that defines
**  _DEFINE (so the EXTERN variables below are defined there) and to
**  "extern" everywhere else.  It is #undef'd at the end of this header.
*/
#ifdef _DEFINE
# define EXTERN
#else
# define EXTERN extern
#endif

#if _FFR_TLS_EC && !defined(TLS_EC)
# define TLS_EC _FFR_TLS_EC
#endif

#if DANE
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
# define MAX_TLSA_RR	8	/* max. TLSA RRs kept per struct dane_tlsa_S */

/* results of the DANE/TLSA verification */
# define DANE_VRFY_NONE	0	/* no TLSAs */
# define DANE_VRFY_OK		1	/* TLSA check was ok */
# define DANE_VRFY_FAIL	(-1)	/* TLSA check failed */

/* return values for dane_tlsa_chk() */
# define TLSA_BOGUS	(-10)	/* malformed/unusable record */
# define TLSA_UNSUPP	(-1)	/* well-formed but unsupported parameters */
/* note: anything >= 0 is ok and refers to the hash algorithm */
# define TLSA_IS_KNOWN(r)	((r) >= 0)	/* a usable hash algorithm */
# define TLSA_IS_VALID(r)	((r) >= TLSA_UNSUPP)	/* anything but TLSA_BOGUS */
64 
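/*
**  One cached set of TLSA records.  Up to MAX_TLSA_RR records are kept
**  in the parallel arrays below; entry i of each array belongs to the
**  same RR.  dane_tlsa_flags holds the TLSAFL* bits defined after the
**  struct.
*/
struct dane_tlsa_S
{
	time_t		 dane_tlsa_exp;		/* expiration -- presumably skipped with TLSAFLNOEXP; verify */
	int		 dane_tlsa_n;		/* number of RRs in the arrays (0: no TLSA) */
	int		 dane_tlsa_dnsrc;	/* DNS result code, cf. TLSA_RR_TEMPFAIL() */
	unsigned long	 dane_tlsa_flags;	/* TLSAFL* bits */
	unsigned char	 dane_tlsa_usage[MAX_TLSA_RR];		/* TLSA usage field, per RR */
	unsigned char	 dane_tlsa_selector[MAX_TLSA_RR];	/* TLSA selector field, per RR */
	unsigned char	 dane_tlsa_digest[MAX_TLSA_RR];		/* presumably the TLSA matching type, per RR; verify */
	void		*dane_tlsa_rr[MAX_TLSA_RR];		/* per-RR data; presumably dane_tlsa_len[i] bytes */
	int		 dane_tlsa_len[MAX_TLSA_RR];
	char		*dane_tlsa_sni;		/* NOTE(review): looks like the SNI name for this host -- confirm */
};

# define TLSAFLNONE	0x00000000
/* Dane Mode */
# define TLSAFLALWAYS	0x00000001
# define TLSAFLSECURE	0x00000002
# define DANEMODE(fl)	((fl) & 0x3)	/* just the two mode bits */
/* NOTE(review): bypasses the expiry check; only GETTLSANOX passes it here */
# define TLSAFLNOEXP	0x00000010	/* do not check expiration */

# define TLSAFLADMX	0x00000100
# define TLSAFLADTLSA	0x00000200	/* currently unused */

/* could be used to replace DNSRC */
# define TLSAFLTEMP	0x00001000
/* no TLSA? -- _n == 0 */
# define TLSAFLNOTLSA	0x00002000	/* currently unused */

/*
**  Do not use this record, and do not look up new TLSA RRs because
**  the MX/host lookup was not secure.
**  XXX: to determine: interaction with DANE=always
*/

# define TLSAFLNOADMX	0x00010000
# define TLSAFLNOADTLSA	0x00020000	/* TLSA: no AD - for DANE=always? */

/*
**  Flag accessors.  The expansions are fully parenthesized so each one
**  is a single expression (CERT PRE02-C); previously SET/CLR were not,
**  so e.g. "TLSA_SET_FL(p, fl) == x" would have OR'd "(fl) == x" into
**  the flags instead of comparing the result.
*/
# define TLSA_SET_FL(dane_tlsa, fl)	((dane_tlsa)->dane_tlsa_flags |= (fl))
# define TLSA_CLR_FL(dane_tlsa, fl)	((dane_tlsa)->dane_tlsa_flags &= ~(fl))
# define TLSA_IS_FL(dane_tlsa, fl)	((dane_tlsa)->dane_tlsa_flags & (fl))
# define TLSA_STORE_FL(fl)	((fl) >= TLSAFLTEMP)	/* flags at/above TLSAFLTEMP are stored */

/* lookup helpers: GETTLSA honours expiration, GETTLSANOX passes TLSAFLNOEXP */
# define GETTLSA(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
# define GETTLSANOX(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)

/* values for DANE option and dane_vrfy_chk */
# define DANE_NEVER	TLSAFLNONE
# define DANE_ALWAYS	TLSAFLALWAYS		/* NOT documented, testing... */
# define DANE_SECURE	TLSAFLSECURE
# define CHK_DANE(dane)	((dane) != DANE_NEVER)	/* is DANE enabled at all? */

/* temp fails? others? */
/* NULL-safe: a missing record is not a temporary failure */
# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)

#endif /* DANE */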
121 
/*
**  TLS
*/

/* what to do in the TLS initialization (bit mask passed to inittls()) */
#define TLS_I_NONE	0x00000000	/* no requirements... */
#define TLS_I_CERT_EX	0x00000001	/* cert must exist */
#define TLS_I_CERT_UNR	0x00000002	/* cert must be g/o unreadable */
#define TLS_I_KEY_EX	0x00000004	/* key must exist */
#define TLS_I_KEY_UNR	0x00000008	/* key must be g/o unreadable */
#define TLS_I_CERTP_EX	0x00000010	/* CA cert path must exist */
#define TLS_I_CERTP_UNR	0x00000020	/* CA cert path must be g/o unreadable */
#define TLS_I_CERTF_EX	0x00000040	/* CA cert file must exist */
#define TLS_I_CERTF_UNR	0x00000080	/* CA cert file must be g/o unreadable */
#define TLS_I_RSA_TMP	0x00000100	/* RSA TMP must be generated (RSA_KEYLENGTH bits) */
#define TLS_I_USE_KEY	0x00000200	/* private key must be usable */
#define TLS_I_USE_CERT	0x00000400	/* certificate must be usable */
/*
not "read" anywhere
#define TLS_I_VRFY_PATH	0x00000800	* load verify path must succeed *
*/
#define TLS_I_VRFY_LOC	0x00001000	/* load verify default must succeed */
#define TLS_I_CACHE	0x00002000	/* require cache */
#define TLS_I_TRY_DH	0x00004000	/* try DH certificate */
#define TLS_I_REQ_DH	0x00008000	/* require DH certificate */
#define TLS_I_DHPAR_EX	0x00010000	/* require DH parameters */
#define TLS_I_DHPAR_UNR	0x00020000	/* DH param. must be g/o unreadable */
/* NOTE(review): 512/1024-bit DH groups are below current minimums (2048+) */
#define TLS_I_DH512	0x00040000	/* generate 512bit DH param */
#define TLS_I_DH1024	0x00080000	/* generate 1024bit DH param */
#define TLS_I_DH2048	0x00100000	/* generate 2048bit DH param */
#define TLS_I_NO_VRFY	0x00200000	/* do not require authentication (peer cert not verified) */
#define TLS_I_KEY_OUNR	0x00400000	/* Key must be other unreadable */
#define TLS_I_CRLF_EX	0x00800000	/* CRL file must exist */
#define TLS_I_CRLF_UNR	0x01000000	/* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED	0x02000000	/* use fixed DH param */

/* require server cert: cert/key exist, key is private, CA material exists, both usable */
#define TLS_I_SRV_CERT	 (TLS_I_CERT_EX | TLS_I_KEY_EX | \
			  TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
			  TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
			  TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)

/* server requirements (TLS_I_CACHE is already part of TLS_I_SRV_CERT; harmless) */
#define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | /*TLS_I_VRFY_PATH|*/ \
			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)

/* client requirements: only that the key, if present, is not readable by others */
#define TLS_I_CLT	(TLS_I_KEY_UNR | TLS_I_KEY_OUNR)

/* authentication result */
#define TLS_AUTH_OK	0
#define TLS_AUTH_NO	1
#define TLS_AUTH_FAIL	(-1)

# ifndef TLS_VRFY_PER_CTX
#  define TLS_VRFY_PER_CTX 1
# endif

/*
**  Free an SSL handle and reset the variable to NULL, so a repeated
**  SM_SSL_FREE() or a later NULL check does not see a dangling pointer.
**  'ssl' must be an lvalue; do { } while (0) makes the macro a single
**  statement.
*/
#define SM_SSL_FREE(ssl)			\
	do {					\
		if (ssl != NULL)		\
		{				\
			SSL_free(ssl);		\
			ssl = NULL;		\
		}				\
	} while (0)
187 
/* functions (prototypes wrapped in __P() for pre-ANSI compilers) */
extern int	endtls __P((SSL **, const char *));
extern int	get_tls_se_features __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
extern int	init_tls_library __P((bool _fipsmode));
/* inittls(): second/third args are presumably the TLS_I_* requirement mask and SSL options -- verify in tls.c */
extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
extern bool	initclttls __P((bool));
extern bool	initsrvtls __P((bool));
extern bool	load_certkey __P((SSL *, bool, char *, char *));
/* extern bool	load_crlpath __P((SSL_CTX *, bool , char *)); */
extern void	setclttls __P((bool));
extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void	tlslogerr __P((int, int, const char *));
extern void	tls_set_verify __P((SSL_CTX *, SSL *, bool));
# if DANE
/* dane_tlsa_chk() returns TLSA_BOGUS, TLSA_UNSUPP or a hash algorithm (>= 0) */
extern int dane_tlsa_chk __P((const char *, int, const char *, bool));
extern int dane_tlsa_clr __P((dane_tlsa_P));
extern int dane_tlsa_free __P((dane_tlsa_P));
# endif

/* configuration (defined in the translation unit that sets _DEFINE) */
EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CACertFile;	/* file with CA certificate */
#if _FFR_CLIENTCA
EXTERN char	*CltCACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CltCACertFile;	/* file with CA certificate */
#endif
EXTERN char	*CltCertFile;	/* file with client certificate */
EXTERN char	*CltKeyFile;	/* file with client private key */
EXTERN char	*CipherList;	/* list of ciphers */
#if MTA_HAVE_TLSv1_3
EXTERN char	*CipherSuites;	/* cipher suites (TLSv1.3) */
#endif
EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
EXTERN char	*DHParams;	/* file with DH parameters */
EXTERN char	*RandFile;	/* source of random data; NOTE(review): confirm it is unpredictable if it seeds the PRNG */
EXTERN char	*SrvCertFile;	/* file with server certificate */
EXTERN char	*SrvKeyFile;	/* file with server private key */
EXTERN char	*CRLFile;	/* file with CRLs */
EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
/* NOTE(review): name suggests a plaintext fallback after a TLS failure (downgrade surface) -- confirm where it is consulted */
EXTERN bool	TLSFallbacktoClear;

/* OpenSSL ENGINE settings */
EXTERN char	*SSLEngine;
EXTERN char	*SSLEnginePath;
EXTERN bool	SSLEngineprefork;

/*
**  TLS_set_engine(): with USE_OPENSSL_ENGINE it maps straight to
**  SSL_set_engine(); with ENGINE support compiled out it is a constant 1
**  (presumably "success"), otherwise a real function.
*/
# if USE_OPENSSL_ENGINE
#define TLS_set_engine(id, prefork) SSL_set_engine(id)
# else
#  if !defined(OPENSSL_NO_ENGINE)
int TLS_set_engine __P((const char *, bool));
#  else
#define TLS_set_engine(id, prefork)	1
#  endif
# endif

extern int	set_tls_rd_tmo __P((int));
extern int data2hex __P((unsigned char *, int, unsigned char *, int));
# if DANE
extern int pubkey_fp __P((X509 *, const char*, char **));
extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif

#else /* STARTTLS */
/* without STARTTLS the only caller-visible function collapses to a constant */
# define set_tls_rd_tmo(rd_tmo)	0
#endif /* STARTTLS */
#undef EXTERN
#endif /* ! _TLS_H */
257