2 * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
16 # include <openssl/ssl.h>
19 # define RSA_KEYLENGTH 1024
21 # define RSA_KEYLENGTH 512
23 # endif /* !TLS_NO_RSA */
25 # if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
26 # define TLS_version_num OpenSSL_version_num
28 # define TLS_version_num SSLeay
34 # define EXTERN extern
37 #if _FFR_TLS_EC && !defined(TLS_EC)
38 # define TLS_EC _FFR_TLS_EC
42 extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
43 # define MAX_TLSA_RR 8
45 # define DANE_VRFY_NONE 0 /* no TLSAs */
46 # define DANE_VRFY_OK 1 /* TLSA check was ok */
47 # define DANE_VRFY_FAIL (-1) /* TLSA check failed */
49 /* return values for dane_tlsa_chk() */
50 # define TLSA_BOGUS (-10)
51 # define TLSA_UNSUPP (-1)
52 /* note: anything >= 0 is ok and refers to the hash algorithm */
53 # define TLSA_IS_KNOWN(r) ((r) >= 0)
54 # define TLSA_IS_VALID(r) ((r) >= TLSA_UNSUPP)
61 unsigned long dane_tlsa_flags;
62 unsigned char dane_tlsa_usage[MAX_TLSA_RR];
63 unsigned char dane_tlsa_selector[MAX_TLSA_RR];
64 unsigned char dane_tlsa_digest[MAX_TLSA_RR];
65 void *dane_tlsa_rr[MAX_TLSA_RR];
66 int dane_tlsa_len[MAX_TLSA_RR];
70 # define TLSAFLNONE 0x00000000 /* currently unused */
72 # define TLSAFLALWAYS 0x00000001
73 # define TLSAFLSECURE 0x00000002
74 # define DANEMODE(fl) ((fl) & 0x3)
75 # define TLSAFLNOEXP 0x00000010 /* do not check expiration */
77 # define TLSAFLADMX 0x00000100
78 # define TLSAFLADTLSA 0x00000200 /* currently unused */
80 /* could be used to replace DNSRC */
81 # define TLSAFLTEMP 0x00001000
82 /* no TLSA? -- _n == 0 */
83 # define TLSAFLNOTLSA 0x00002000 /* currently unused */
86 ** Do not use this record, and do not look up new TLSA RRs because
87 ** the MX/host lookup was not secure.
88 ** XXX: to determine: interaction with DANE=always
91 # define TLSAFLNOADMX 0x00010000
92 # define TLSAFLNOADTLSA 0x00020000 /* TLSA: no AD - for DANE=always? */
94 # define TLSA_SET_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags |= (fl)
95 # define TLSA_CLR_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags &= ~(fl)
96 # define TLSA_IS_FL(dane_tlsa, fl) ((dane_tlsa)->dane_tlsa_flags & (fl))
97 # define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP)
99 # define GETTLSA(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
100 # define GETTLSANOX(host, pste, port) gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)
102 /* values for DANE option and dane_vrfy_chk */
103 # define DANE_NEVER TLSAFLNONE
104 # define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */
105 # define DANE_SECURE TLSAFLSECURE
106 # define CHK_DANE(dane) ((dane) != DANE_NEVER)
108 /* temp fails? others? */
109 # define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)
117 /* what to do in the TLS initialization */
118 #define TLS_I_NONE 0x00000000 /* no requirements... */
119 #define TLS_I_CERT_EX 0x00000001 /* cert must exist */
120 #define TLS_I_CERT_UNR 0x00000002 /* cert must be g/o unreadable */
121 #define TLS_I_KEY_EX 0x00000004 /* key must exist */
122 #define TLS_I_KEY_UNR 0x00000008 /* key must be g/o unreadable */
123 #define TLS_I_CERTP_EX 0x00000010 /* CA cert path must exist */
124 #define TLS_I_CERTP_UNR 0x00000020 /* CA cert path must be g/o unreadable */
125 #define TLS_I_CERTF_EX 0x00000040 /* CA cert file must exist */
126 #define TLS_I_CERTF_UNR 0x00000080 /* CA cert file must be g/o unreadable */
127 #define TLS_I_RSA_TMP 0x00000100 /* RSA TMP must be generated */
128 #define TLS_I_USE_KEY 0x00000200 /* private key must usable */
129 #define TLS_I_USE_CERT 0x00000400 /* certificate must be usable */
130 #define TLS_I_VRFY_PATH 0x00000800 /* load verify path must succeed */
131 #define TLS_I_VRFY_LOC 0x00001000 /* load verify default must succeed */
132 #define TLS_I_CACHE 0x00002000 /* require cache */
133 #define TLS_I_TRY_DH 0x00004000 /* try DH certificate */
134 #define TLS_I_REQ_DH 0x00008000 /* require DH certificate */
135 #define TLS_I_DHPAR_EX 0x00010000 /* require DH parameters */
136 #define TLS_I_DHPAR_UNR 0x00020000 /* DH param. must be g/o unreadable */
137 #define TLS_I_DH512 0x00040000 /* generate 512bit DH param */
138 #define TLS_I_DH1024 0x00080000 /* generate 1024bit DH param */
139 #define TLS_I_DH2048 0x00100000 /* generate 2048bit DH param */
140 #define TLS_I_NO_VRFY 0x00200000 /* do not require authentication */
141 #define TLS_I_KEY_OUNR 0x00400000 /* Key must be other unreadable */
142 #define TLS_I_CRLF_EX 0x00800000 /* CRL file must exist */
143 #define TLS_I_CRLF_UNR 0x01000000 /* CRL file must be g/o unreadable */
144 #define TLS_I_DHFIXED 0x02000000 /* use fixed DH param */
146 /* require server cert */
147 #define TLS_I_SRV_CERT (TLS_I_CERT_EX | TLS_I_KEY_EX | \
148 TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
149 TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
150 TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)
152 /* server requirements */
153 #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
154 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)
156 /* client requirements */
157 #define TLS_I_CLT (TLS_I_KEY_UNR | TLS_I_KEY_OUNR)
159 #define TLS_AUTH_OK 0
160 #define TLS_AUTH_NO 1
161 #define TLS_AUTH_FAIL (-1)
163 # ifndef TLS_VRFY_PER_CTX
164 # define TLS_VRFY_PER_CTX 1
167 #define SM_SSL_FREE(ssl) \
177 extern int endtls __P((SSL **, const char *));
178 extern int get_tls_se_options __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
179 extern int init_tls_library __P((bool _fipsmode));
180 extern bool inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
181 extern bool initclttls __P((bool));
182 extern bool initsrvtls __P((bool));
183 extern bool load_certkey __P((SSL *, bool, char *, char *));
184 /* extern bool load_crlpath __P((SSL_CTX *, bool , char *)); */
185 extern void setclttls __P((bool));
186 extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
187 extern void tlslogerr __P((int, int, const char *));
188 extern void tls_set_verify __P((SSL_CTX *, SSL *, bool));
190 extern int dane_tlsa_chk __P((const char *, int, const char *, bool));
191 extern int dane_tlsa_clr __P((dane_tlsa_P));
192 extern int dane_tlsa_free __P((dane_tlsa_P));
195 EXTERN char *CACertPath; /* path to CA certificates (dir. with hashes) */
196 EXTERN char *CACertFile; /* file with CA certificate */
198 EXTERN char *CltCACertPath; /* path to CA certificates (dir. with hashes) */
199 EXTERN char *CltCACertFile; /* file with CA certificate */
201 EXTERN char *CltCertFile; /* file with client certificate */
202 EXTERN char *CltKeyFile; /* file with client private key */
203 EXTERN char *CipherList; /* list of ciphers */
204 EXTERN char *CertFingerprintAlgorithm; /* name of fingerprint alg */
205 EXTERN const EVP_MD *EVP_digest; /* digest for cert fp */
206 EXTERN char *DHParams; /* file with DH parameters */
207 EXTERN char *RandFile; /* source of random data */
208 EXTERN char *SrvCertFile; /* file with server certificate */
209 EXTERN char *SrvKeyFile; /* file with server private key */
210 EXTERN char *CRLFile; /* file CRLs */
211 EXTERN char *CRLPath; /* path to CRLs (dir. with hashes) */
212 EXTERN unsigned long TLS_Srv_Opts; /* TLS server options */
213 EXTERN unsigned long Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
214 EXTERN bool TLSFallbacktoClear;
216 EXTERN char *SSLEngine;
217 EXTERN char *SSLEnginePath;
218 EXTERN bool SSLEngineprefork;
220 # if USE_OPENSSL_ENGINE
221 #define TLS_set_engine(id, prefork) SSL_set_engine(id)
223 int TLS_set_engine __P((const char *, bool));
226 extern int set_tls_rd_tmo __P((int));
227 extern int data2hex __P((unsigned char *, int, unsigned char *, int));
229 extern int pubkey_fp __P((X509 *, const char*, char **));
230 extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
234 # define set_tls_rd_tmo(rd_tmo) 0
235 #endif /* STARTTLS */
237 #endif /* ! _TLS_H */