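/*
 * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
 * All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 */

/*
**  TLS.H -- declarations shared by the sendmail STARTTLS / DANE code.
**
**	Everything below is compiled only when STARTTLS is set; without
**	it the header collapses to a no-op set_tls_rd_tmo() macro.
**	A translation unit that defines _DEFINE before including this
**	file owns the storage of the EXTERN variables declared here;
**	every other includer only sees extern declarations.
*/

#ifndef _TLS_H
# define _TLS_H 1

#if STARTTLS
# include <openssl/ssl.h>
# if !TLS_NO_RSA
/*
**  RSA_KEYLENGTH -- modulus size (bits) of the temporary RSA key.
**	Presumably the key generated when TLS_I_RSA_TMP is requested
**	(see the implementation) -- confirm there before changing.
**	SECURITY NOTE: a 512-bit RSA modulus can be factored at low
**	cost and 1024 bits is below the 2048-bit floor of current
**	guidance.  Do not rely on this key for confidentiality; keep
**	cipher suites that need a temporary RSA key (export-grade RSA
**	key exchange) out of CipherList instead.
*/
#  if _FFR_FIPSMODE
#   define RSA_KEYLENGTH	1024
#  else
#   define RSA_KEYLENGTH	512
#  endif
# endif /* !TLS_NO_RSA */

/*
**  TLS_version_num -- run-time library version query.
**	OpenSSL 1.1.0 replaced SSLeay() with OpenSSL_version_num().
**	LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L and is
**	excluded by name; an upper bound on the version number would
**	also send OpenSSL 3.x (0x30000000L and up, which has no SSLeay())
**	to the removed function.
*/
# if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#  define TLS_version_num	OpenSSL_version_num
# else
#  define TLS_version_num	SSLeay
# endif

/* EXTERN: storage-class selector for the shared variables below */
#ifdef _DEFINE
# define EXTERN
#else
# define EXTERN extern
#endif

/* allow the build system to override TLS_EC; default it from the FFR */
#if _FFR_TLS_EC && !defined(TLS_EC)
# define TLS_EC _FFR_TLS_EC
#endif

#if DANE
/*
**  gettlsa -- look up TLSA records for a host.
**	Arguments (from the prototype only; semantics live in the
**	implementation): host, a second name, a STAB ** result slot,
**	TLSAFL* flags, an unsigned int and the port.
*/
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));

/* upper bound on TLSA RRs kept per host; sizes the arrays in dane_tlsa_S */
# define MAX_TLSA_RR	8

/* result of the DANE verification */
# define DANE_VRFY_NONE	0	/* no TLSAs */
# define DANE_VRFY_OK	1	/* TLSA check was ok */
# define DANE_VRFY_FAIL	(-1)	/* TLSA check failed */

/*
**  return values for dane_tlsa_chk()
**	TLSA_BOGUS:  record is malformed / unusable
**	TLSA_UNSUPP: record is well-formed but its parameters are not
**	             supported by this build
**	anything >= 0 is ok and identifies the hash algorithm
*/
# define TLSA_BOGUS	(-10)
# define TLSA_UNSUPP	(-1)
# define TLSA_IS_KNOWN(r)	((r) >= 0)		/* usable, r is the hash alg */
# define TLSA_IS_VALID(r)	((r) >= TLSA_UNSUPP)	/* not bogus (may be unsupported) */

/*
**  dane_tlsa_S -- cached TLSA data for one host.
**
**	dane_tlsa_exp      expiration time of the cached data
**	                   (ignored when TLSAFLNOEXP is passed to gettlsa)
**	dane_tlsa_n        number of records stored; must be kept
**	                   <= MAX_TLSA_RR by whoever fills the arrays
**	dane_tlsa_dnsrc    resolver result code (TLSA_RR_TEMPFAIL compares
**	                   it against TRY_AGAIN)
**	dane_tlsa_flags    TLSAFL* bits, handled via TLSA_*_FL() below
**	dane_tlsa_usage[]  per-record TLSA usage field
**	dane_tlsa_selector[] per-record TLSA selector field
**	dane_tlsa_digest[] per-record TLSA matching-type field
**	dane_tlsa_rr[]     per-record certificate-association data
**	dane_tlsa_len[]    length of the corresponding dane_tlsa_rr[] entry
**	dane_tlsa_sni      server name to present -- ownership of the
**	                   string is not visible here; see dane_tlsa_free()
*/
struct dane_tlsa_S
{
	time_t		 dane_tlsa_exp;
	int		 dane_tlsa_n;
	int		 dane_tlsa_dnsrc;
	unsigned long	 dane_tlsa_flags;
	unsigned char	 dane_tlsa_usage[MAX_TLSA_RR];
	unsigned char	 dane_tlsa_selector[MAX_TLSA_RR];
	unsigned char	 dane_tlsa_digest[MAX_TLSA_RR];
	void		*dane_tlsa_rr[MAX_TLSA_RR];
	int		 dane_tlsa_len[MAX_TLSA_RR];
	char		*dane_tlsa_sni;
};

/* TLSAFL*: bits of dane_tlsa_flags and of the gettlsa() flags argument */
# define TLSAFLNONE	0x00000000	/* currently unused */
/* Dane Mode (low two bits) */
# define TLSAFLALWAYS	0x00000001
# define TLSAFLSECURE	0x00000002
# define DANEMODE(fl)	((fl) & (TLSAFLALWAYS | TLSAFLSECURE))
# define TLSAFLNOEXP	0x00000010	/* do not check expiration */

# define TLSAFLADMX	0x00000100	/* MX lookup carried the AD bit */
# define TLSAFLADTLSA	0x00000200	/* currently unused */

/* could be used to replace DNSRC */
# define TLSAFLTEMP	0x00001000
/* no TLSA? -- _n == 0 */
# define TLSAFLNOTLSA	0x00002000	/* currently unused */

/*
**  Do not use this record, and do not look up new TLSA RRs because
**  the MX/host lookup was not secure (no AD bit).
**  XXX: to determine: interaction with DANE=always
*/

# define TLSAFLNOADMX	0x00010000
# define TLSAFLNOADTLSA	0x00020000	/* TLSA: no AD - for DANE=always? */

/* flag helpers; dane_tlsa must be a valid pointer, fl a TLSAFL* mask */
# define TLSA_SET_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags |= (fl)
# define TLSA_CLR_FL(dane_tlsa, fl)	(dane_tlsa)->dane_tlsa_flags &= ~(fl)
# define TLSA_IS_FL(dane_tlsa, fl)	((dane_tlsa)->dane_tlsa_flags & (fl))

/*
**  TLSA_STORE_FL -- is this flag one that gets stored with the record?
**	True for TLSAFLTEMP, TLSAFLNOTLSA, TLSAFLNOADMX and TLSAFLNOADTLSA.
**	This relies on the numeric ordering of the flag values: any new
**	flag that must NOT be stored has to be assigned a value below
**	TLSAFLTEMP.
*/
# define TLSA_STORE_FL(fl)	((fl) >= TLSAFLTEMP)

/* convenience wrappers; the NOX variant skips the expiration check */
# define GETTLSA(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
# define GETTLSANOX(host, pste, port)	gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)

/* values for DANE option and dane_vrfy_chk */
# define DANE_NEVER	TLSAFLNONE
# define DANE_ALWAYS	TLSAFLALWAYS	/* NOT documented, testing... */
# define DANE_SECURE	TLSAFLSECURE
# define CHK_DANE(dane)	((dane) != DANE_NEVER)	/* is DANE enabled at all? */

/*
**  TLSA_RR_TEMPFAIL -- did the TLSA lookup fail temporarily?
**	True when the record exists and its resolver result code is
**	TRY_AGAIN.  A temporary failure must not be treated as "no TLSA"
**	by callers, or an attacker able to induce resolver timeouts could
**	downgrade a DANE-protected delivery.
*/
# define TLSA_RR_TEMPFAIL(dane_tlsa)	(((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)

#endif /* DANE */

/*
**  TLS
*/

/*
**  TLS_I_*: what to do in the TLS initialization.
**	Bits passed to inittls(); the *_UNR bits are the file permission
**	checks ("g/o unreadable" = not readable by group or others) that
**	protect private key material on disk.
*/
#define TLS_I_NONE	0x00000000	/* no requirements... */
#define TLS_I_CERT_EX	0x00000001	/* cert must exist */
#define TLS_I_CERT_UNR	0x00000002	/* cert must be g/o unreadable */
#define TLS_I_KEY_EX	0x00000004	/* key must exist */
#define TLS_I_KEY_UNR	0x00000008	/* key must be g/o unreadable */
#define TLS_I_CERTP_EX	0x00000010	/* CA cert path must exist */
#define TLS_I_CERTP_UNR	0x00000020	/* CA cert path must be g/o unreadable */
#define TLS_I_CERTF_EX	0x00000040	/* CA cert file must exist */
#define TLS_I_CERTF_UNR	0x00000080	/* CA cert file must be g/o unreadable */
#define TLS_I_RSA_TMP	0x00000100	/* RSA TMP must be generated (see RSA_KEYLENGTH) */
#define TLS_I_USE_KEY	0x00000200	/* private key must usable */
#define TLS_I_USE_CERT	0x00000400	/* certificate must be usable */
#define TLS_I_VRFY_PATH	0x00000800	/* load verify path must succeed */
#define TLS_I_VRFY_LOC	0x00001000	/* load verify default must succeed */
#define TLS_I_CACHE	0x00002000	/* require cache */
#define TLS_I_TRY_DH	0x00004000	/* try DH certificate */
#define TLS_I_REQ_DH	0x00008000	/* require DH certificate */
#define TLS_I_DHPAR_EX	0x00010000	/* require DH parameters */
#define TLS_I_DHPAR_UNR	0x00020000	/* DH param. must be g/o unreadable */
/*
**  SECURITY NOTE: 512-bit and 1024-bit DH groups are considered
**  breakable (1024-bit via precomputation by a well-resourced attacker,
**  512-bit trivially).  Prefer TLS_I_DH2048 or a DHParams file with
**  >= 2048-bit parameters.
*/
#define TLS_I_DH512	0x00040000	/* generate 512bit DH param */
#define TLS_I_DH1024	0x00080000	/* generate 1024bit DH param */
#define TLS_I_DH2048	0x00100000	/* generate 2048bit DH param */
#define TLS_I_NO_VRFY	0x00200000	/* do not require authentication (peer cert not verified) */
#define TLS_I_KEY_OUNR	0x00400000	/* Key must be other unreadable */
#define TLS_I_CRLF_EX	0x00800000	/* CRL file must exist */
#define TLS_I_CRLF_UNR	0x01000000	/* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED	0x02000000	/* use fixed DH param */

/*
**  require server cert: cert and key must exist and be usable, the
**  key must not be readable by group/others, and the CA path/file
**  must exist.  Note that the certificate itself is not required to
**  be unreadable (TLS_I_CERT_UNR is not included) -- it is public.
*/
#define TLS_I_SRV_CERT	(TLS_I_CERT_EX | TLS_I_KEY_EX | \
			 TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
			 TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
			 TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)

/* server requirements: server cert plus temp RSA, verify store, DH */
#define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)

/*
**  client requirements: only the key permission checks.  A client key
**  and certificate are optional, and loading the verify store is not
**  required to succeed for the client side.
*/
#define TLS_I_CLT	(TLS_I_KEY_UNR | TLS_I_KEY_OUNR)

/* outcome of peer authentication */
#define TLS_AUTH_OK	0
#define TLS_AUTH_NO	1
#define TLS_AUTH_FAIL	(-1)

/* default is 1; the effect of this setting is defined by the implementation */
# ifndef TLS_VRFY_PER_CTX
#  define TLS_VRFY_PER_CTX 1
# endif

/*
**  SM_SSL_FREE -- free an SSL object and clear the caller's pointer.
**	ssl must be an lvalue; it is evaluated more than once, so the
**	argument must not have side effects.  Clearing the pointer after
**	SSL_free() guards against a later double free / use after free.
*/
#define SM_SSL_FREE(ssl)			\
	do {					\
		if ((ssl) != NULL)		\
		{				\
			SSL_free((ssl));	\
			(ssl) = NULL;		\
		}				\
	} while (0)

/* functions (implemented elsewhere in the sendmail sources) */
extern int	endtls __P((SSL **, const char *));
extern int	get_tls_se_options __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
extern int	init_tls_library __P((bool _fipsmode));
extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
extern bool	initclttls __P((bool));
extern bool	initsrvtls __P((bool));
extern bool	load_certkey __P((SSL *, bool, char *, char *));
/* extern bool	load_crlpath __P((SSL_CTX *, bool , char *)); */
extern void	setclttls __P((bool));
extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void	tlslogerr __P((int, int, const char *));
extern void	tls_set_verify __P((SSL_CTX *, SSL *, bool));
# if DANE
extern int	dane_tlsa_chk __P((const char *, int, const char *, bool));
extern int	dane_tlsa_clr __P((dane_tlsa_P));
extern int	dane_tlsa_free __P((dane_tlsa_P));
# endif

/* configuration shared across the TLS code (storage owned by the _DEFINE unit) */
EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CACertFile;	/* file with CA certificate */
#if _FFR_CLIENTCA
EXTERN char	*CltCACertPath;	/* path to CA certificates (dir. with hashes) */
EXTERN char	*CltCACertFile;	/* file with CA certificate */
#endif
EXTERN char	*CltCertFile;	/* file with client certificate */
EXTERN char	*CltKeyFile;	/* file with client private key */
EXTERN char	*CipherList;	/* list of ciphers (the place to exclude export/legacy suites) */
EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
EXTERN char	*DHParams;	/* file with DH parameters */
EXTERN char	*RandFile;	/* source of random data */
EXTERN char	*SrvCertFile;	/* file with server certificate */
EXTERN char	*SrvKeyFile;	/* file with server private key */
EXTERN char	*CRLFile;	/* file CRLs */
EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
/*
**  TLSFallbacktoClear: the name suggests delivery falls back to
**  cleartext when STARTTLS fails.  If so, an active attacker who can
**  break the handshake can force a downgrade -- confirm the semantics
**  in the caller before enabling it.
*/
EXTERN bool	TLSFallbacktoClear;

EXTERN char	*SSLEngine;
EXTERN char	*SSLEnginePath;
EXTERN bool	SSLEngineprefork;

/*
**  TLS_set_engine -- select the OpenSSL engine.
**	With USE_OPENSSL_ENGINE this maps straight onto SSL_set_engine()
**	and the prefork argument is ignored; otherwise it is a function.
*/
# if USE_OPENSSL_ENGINE
#define TLS_set_engine(id, prefork)	SSL_set_engine((id))
# else
int TLS_set_engine __P((const char *, bool));
# endif

extern int set_tls_rd_tmo __P((int));
extern int data2hex __P((unsigned char *, int, unsigned char *, int));
# if DANE
extern int pubkey_fp __P((X509 *, const char*, char **));
extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif

#else /* STARTTLS */
/* no TLS support compiled in: the read timeout setter is a no-op returning 0 */
# define set_tls_rd_tmo(rd_tmo)	0
#endif /* STARTTLS */
#undef EXTERN
#endif /* ! _TLS_H */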