MFC: Merge sendmail 8.16.1 to HEAD: See contrib/sendmail/RELEASE_NOTES for

[FreeBSD/FreeBSD.git] / contrib / sendmail / src / tls.h

/*
 * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
 *      All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 */


#ifndef _TLS_H
# define _TLS_H 1


#if STARTTLS
# include <openssl/ssl.h>
# if !TLS_NO_RSA
#  if _FFR_FIPSMODE
#   define RSA_KEYLENGTH        1024
#  else
#   define RSA_KEYLENGTH        512
#  endif
# endif /* !TLS_NO_RSA */

# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
#  define TLS_version_num OpenSSL_version_num
# else
#  define TLS_version_num SSLeay
# endif

#ifdef _DEFINE
# define EXTERN
#else
# define EXTERN extern
#endif

#if _FFR_TLS_EC && !defined(TLS_EC)
# define TLS_EC _FFR_TLS_EC
#endif

#if DANE
extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
# define MAX_TLSA_RR    8

# define DANE_VRFY_NONE 0       /* no TLSAs */
# define DANE_VRFY_OK           1       /* TLSA check was ok */
# define DANE_VRFY_FAIL (-1)    /* TLSA check failed */

/* return values for dane_tlsa_chk() */
# define TLSA_BOGUS     (-10)
# define TLSA_UNSUPP    (-1)
/* note: anything >= 0 is ok and refers to the hash algorithm */
# define TLSA_IS_KNOWN(r)       ((r) >= 0)
# define TLSA_IS_VALID(r)       ((r) >= TLSA_UNSUPP)

struct dane_tlsa_S
{
        time_t           dane_tlsa_exp;
        int              dane_tlsa_n;
        int              dane_tlsa_dnsrc;
        unsigned long    dane_tlsa_flags;
        unsigned char    dane_tlsa_usage[MAX_TLSA_RR];
        unsigned char    dane_tlsa_selector[MAX_TLSA_RR];
        unsigned char    dane_tlsa_digest[MAX_TLSA_RR];
        void            *dane_tlsa_rr[MAX_TLSA_RR];
        int              dane_tlsa_len[MAX_TLSA_RR];
        char            *dane_tlsa_sni;
};

# define TLSAFLNONE     0x00000000      /* currently unused */
/* Dane Mode */
# define TLSAFLALWAYS   0x00000001
# define TLSAFLSECURE   0x00000002
# define DANEMODE(fl)   ((fl) & 0x3)
# define TLSAFLNOEXP    0x00000010      /* do not check expiration */

# define TLSAFLADMX     0x00000100
# define TLSAFLADTLSA   0x00000200      /* currently unused */

/* could be used to replace DNSRC */
# define TLSAFLTEMP     0x00001000
/* no TLSA? -- _n == 0 */
# define TLSAFLNOTLSA   0x00002000      /* currently unused */

/*
**  Do not use this record, and do not look up new TLSA RRs because
**  the MX/host lookup was not secure.
**  XXX: to determine: interaction with DANE=always
*/

# define TLSAFLNOADMX   0x00010000
# define TLSAFLNOADTLSA 0x00020000      /* TLSA: no AD - for DANE=always? */

# define TLSA_SET_FL(dane_tlsa, fl)     (dane_tlsa)->dane_tlsa_flags |= (fl)
# define TLSA_CLR_FL(dane_tlsa, fl)     (dane_tlsa)->dane_tlsa_flags &= ~(fl)
# define TLSA_IS_FL(dane_tlsa, fl)      ((dane_tlsa)->dane_tlsa_flags & (fl))
# define TLSA_STORE_FL(fl)      ((fl) >= TLSAFLTEMP)

# define GETTLSA(host, pste, port)      gettlsa(host, NULL, pste, TLSAFLNONE, 0, port)
# define GETTLSANOX(host, pste, port)   gettlsa(host, NULL, pste, TLSAFLNOEXP, 0, port)

/* values for DANE option and dane_vrfy_chk */
# define DANE_NEVER     TLSAFLNONE
# define DANE_ALWAYS    TLSAFLALWAYS            /* NOT documented, testing... */
# define DANE_SECURE    TLSAFLSECURE
# define CHK_DANE(dane) ((dane) != DANE_NEVER)

/* temp fails? others? */
# define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN)

#endif /* DANE */

/*
**  TLS
*/

/* what to do in the TLS initialization */
#define TLS_I_NONE      0x00000000      /* no requirements... */
#define TLS_I_CERT_EX   0x00000001      /* cert must exist */
#define TLS_I_CERT_UNR  0x00000002      /* cert must be g/o unreadable */
#define TLS_I_KEY_EX    0x00000004      /* key must exist */
#define TLS_I_KEY_UNR   0x00000008      /* key must be g/o unreadable */
#define TLS_I_CERTP_EX  0x00000010      /* CA cert path must exist */
#define TLS_I_CERTP_UNR 0x00000020      /* CA cert path must be g/o unreadable */
#define TLS_I_CERTF_EX  0x00000040      /* CA cert file must exist */
#define TLS_I_CERTF_UNR 0x00000080      /* CA cert file must be g/o unreadable */
#define TLS_I_RSA_TMP   0x00000100      /* RSA TMP must be generated */
#define TLS_I_USE_KEY   0x00000200      /* private key must usable */
#define TLS_I_USE_CERT  0x00000400      /* certificate must be usable */
#define TLS_I_VRFY_PATH 0x00000800      /* load verify path must succeed */
#define TLS_I_VRFY_LOC  0x00001000      /* load verify default must succeed */
#define TLS_I_CACHE     0x00002000      /* require cache */
#define TLS_I_TRY_DH    0x00004000      /* try DH certificate */
#define TLS_I_REQ_DH    0x00008000      /* require DH certificate */
#define TLS_I_DHPAR_EX  0x00010000      /* require DH parameters */
#define TLS_I_DHPAR_UNR 0x00020000      /* DH param. must be g/o unreadable */
#define TLS_I_DH512     0x00040000      /* generate 512bit DH param */
#define TLS_I_DH1024    0x00080000      /* generate 1024bit DH param */
#define TLS_I_DH2048    0x00100000      /* generate 2048bit DH param */
#define TLS_I_NO_VRFY   0x00200000      /* do not require authentication */
#define TLS_I_KEY_OUNR  0x00400000      /* Key must be other unreadable */
#define TLS_I_CRLF_EX   0x00800000      /* CRL file must exist */
#define TLS_I_CRLF_UNR  0x01000000      /* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED   0x02000000      /* use fixed DH param */

/* require server cert */
#define TLS_I_SRV_CERT   (TLS_I_CERT_EX | TLS_I_KEY_EX | \
                          TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
                          TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
                          TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)

/* server requirements */
#define TLS_I_SRV       (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
                         TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)

/* client requirements */
#define TLS_I_CLT       (TLS_I_KEY_UNR | TLS_I_KEY_OUNR)

#define TLS_AUTH_OK     0
#define TLS_AUTH_NO     1
#define TLS_AUTH_FAIL   (-1)

# ifndef TLS_VRFY_PER_CTX
#  define TLS_VRFY_PER_CTX 1
# endif

#define SM_SSL_FREE(ssl)                        \
        do {                                    \
                if (ssl != NULL)                \
                {                               \
                        SSL_free(ssl);          \
                        ssl = NULL;             \
                }                               \
        } while (0)

/* functions */
extern int      endtls __P((SSL **, const char *));
extern int      get_tls_se_options __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
extern int      init_tls_library __P((bool _fipsmode));
extern bool     inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
extern bool     initclttls __P((bool));
extern bool     initsrvtls __P((bool));
extern bool     load_certkey __P((SSL *, bool, char *, char *));
/* extern bool  load_crlpath __P((SSL_CTX *, bool , char *)); */
extern void     setclttls __P((bool));
extern int      tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
extern void     tlslogerr __P((int, int, const char *));
extern void     tls_set_verify __P((SSL_CTX *, SSL *, bool));
# if DANE
extern int dane_tlsa_chk __P((const char *, int, const char *, bool));
extern int dane_tlsa_clr __P((dane_tlsa_P));
extern int dane_tlsa_free __P((dane_tlsa_P));
# endif

EXTERN char     *CACertPath;    /* path to CA certificates (dir. with hashes) */
EXTERN char     *CACertFile;    /* file with CA certificate */
#if _FFR_CLIENTCA
EXTERN char     *CltCACertPath; /* path to CA certificates (dir. with hashes) */
EXTERN char     *CltCACertFile; /* file with CA certificate */
#endif
EXTERN char     *CltCertFile;   /* file with client certificate */
EXTERN char     *CltKeyFile;    /* file with client private key */
EXTERN char     *CipherList;    /* list of ciphers */
EXTERN char     *CertFingerprintAlgorithm;      /* name of fingerprint alg */
EXTERN const EVP_MD     *EVP_digest;    /* digest for cert fp */
EXTERN char     *DHParams;      /* file with DH parameters */
EXTERN char     *RandFile;      /* source of random data */
EXTERN char     *SrvCertFile;   /* file with server certificate */
EXTERN char     *SrvKeyFile;    /* file with server private key */
EXTERN char     *CRLFile;       /* file CRLs */
EXTERN char     *CRLPath;       /* path to CRLs (dir. with hashes) */
EXTERN unsigned long    TLS_Srv_Opts;   /* TLS server options */
EXTERN unsigned long    Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
EXTERN bool     TLSFallbacktoClear;

EXTERN char     *SSLEngine;
EXTERN char     *SSLEnginePath;
EXTERN bool     SSLEngineprefork;

# if USE_OPENSSL_ENGINE
#define TLS_set_engine(id, prefork) SSL_set_engine(id)
# else
int TLS_set_engine __P((const char *, bool));
# endif

extern int      set_tls_rd_tmo __P((int));
extern int data2hex __P((unsigned char *, int, unsigned char *, int));
# if DANE
extern int pubkey_fp __P((X509 *, const char*, char **));
extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
# endif

#else /* STARTTLS */
# define set_tls_rd_tmo(rd_tmo) 0
#endif /* STARTTLS */
#undef EXTERN
#endif /* ! _TLS_H */