2 * Copyright (c) 2015, 2020-2023 Proofpoint, Inc. and its suppliers.
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
14 # include <openssl/ssl.h>
17 # define RSA_KEYLENGTH 1024 /* presumably the temporary RSA key size in bits (cf. TLS_I_RSA_TMP); NOTE(review): 1024-bit RSA is below current minimum guidance (2048) */
19 # define RSA_KEYLENGTH 512 /* NOTE(review): 512-bit RSA is export-grade and factorable on commodity hardware -- legacy interoperability only */
21 # endif /* !TLS_NO_RSA */
23 # if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
24 # define TLS_version_num OpenSSL_version_num
26 # define TLS_version_num SSLeay
29 #ifndef MTA_HAVE_TLSv1_3
31 ** HACK: if openssl can disable TLSv1_3 then "assume" it supports all
34 # ifdef SSL_OP_NO_TLSv1_3
35 # define MTA_HAVE_TLSv1_3 1
42 # define EXTERN extern
45 #if _FFR_TLS_EC && !defined(TLS_EC)
46 # define TLS_EC _FFR_TLS_EC
51 # ifndef HAVE_SSL_CTX_dane_enable
52 # if (OPENSSL_VERSION_NUMBER >= 0x10101000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
53 # define HAVE_SSL_CTX_dane_enable 1
57 extern int ssl_dane_enable __P((dane_vrfy_ctx_P, SSL *));
61 extern int gettlsa __P((char *, char *, STAB **, unsigned long, unsigned int, unsigned int));
63 # if HAVE_SSL_CTX_dane_enable
64 # define MAX_TLSA_RR 64 /* capacity of dane_tlsa_rr[]/dane_tlsa_len[] when the OpenSSL DANE API is available */
66 # define MAX_TLSA_RR 16 /* smaller capacity for the built-in TLSA matching path */
70 # define DANE_VRFY_NONE 0 /* no DANE */
71 /* # define DANE_VRFY_NO 1 * no TLSAs */
72 # define DANE_VRFY_FAIL 2 /* TLSA check failed */
73 # define DANE_VRFY_OK 3 /* TLSA check was ok */
74 # define DANE_VRFY_TEMP 4 /* TLSA check failed temporarily */
76 /* return values for dane_tlsa_chk() */
77 # define TLSA_BOGUS (-10) /* malformed TLSA RR: neither valid nor supported, must not be stored */
78 # define TLSA_UNSUPP (-1) /* well-formed but unsupported TLSA RR: "valid" (stored) but not "supported" */
79 /* note: anything >= 0 is ok and refers to the hash algorithm */
80 # define TLSA_IS_SUPPORTED(r) ((r) >= 0)
81 # define TLSA_IS_VALID(r) ((r) >= TLSA_UNSUPP) /* everything except TLSA_BOGUS */
88 unsigned long dane_tlsa_flags;
91 ** Note: all "valid" TLSA RRs are stored,
92 ** not just those which are "supported"
95 unsigned char *dane_tlsa_rr[MAX_TLSA_RR];
96 int dane_tlsa_len[MAX_TLSA_RR];
100 # define TLSAFLNONE 0x00000000 /* no flags / DANE mode "never" */
102 # define TLSAFLALWAYS 0x00000001 /* DANE mode bit: always */
103 # define TLSAFLSECURE 0x00000002 /* DANE mode bit: secure */
104 # define DANEMODE(fl) ((fl) & 0x3) /* the low two bits carry the DANE mode; value 3 (ALWAYS|SECURE) has no named mode here */
105 # define TLSAFLNOEXP 0x00000010 /* do not check expiration */
107 # define TLSAFLNEW 0x00000020
108 # define TLSAFLADMX 0x00000100 /* presumably: AD (authenticated data) bit was set on the MX lookup -- confirm */
109 # define TLSAFLADIP 0x00000200 /* AD bit of the address lookup; changes with each IP lookup! */
110 # define TLSAFLNOTLS 0x00000400 /* starttls() failed */
111 /* treat IPv4 and IPv6 the same - the ad flag should be identical */
112 /* # define TLSAFLADTLSA * currently unused */
114 /* NOTE: "flags" >= TLSAFLTEMP are stored, see TLSA_STORE_FL()! */
115 /* could be used to replace DNSRC */
116 # define TLSAFLTEMP 0x00001000 /* TLSA RR lookup tempfailed */
117 # define TLSAFL2MANY 0x00004000 /* too many TLSA RRs (presumably more than MAX_TLSA_RR, the dane_tlsa_rr[] capacity) */
120 ** Do not use this record, and do not look up new TLSA RRs because
121 ** the MX/host lookup was not secure.
122 ** XXX: host->MX lookup info can NOT be stored in dane_tlsa!
123 ** XXX: to determine: interaction with DANE=always
126 /* # define TLSAFLNOADMX 0x00010000 */
127 /* # define TLSAFLNOADTLSA 0x00020000 * TLSA: no AD - for DANE=always? */
129 # define TLSAFLTEMPVRFY 0x00008000 /* temporary DANE verification failure */
130 # define TLSAFLNOVRFY 0x00080000 /* do NOT perform DANE verification (tested by VRFY_DANE()) */
132 # define TLSAFLUNS 0x00100000 /* has unsupported TLSA RRs */
133 # define TLSAFLSUP 0x00200000 /* has supported TLSA RRs */
135 # define TLSA_SET_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags |= (fl) /* statement macro: expansion is not parenthesized, use only as a statement */
136 # define TLSA_CLR_FL(dane_tlsa, fl) (dane_tlsa)->dane_tlsa_flags &= ~(fl) /* statement macro, see TLSA_SET_FL */
137 # define TLSA_IS_FL(dane_tlsa, fl) (((dane_tlsa)->dane_tlsa_flags & (fl)) != 0) /* true if ANY bit of fl is set; dane_tlsa must not be NULL */
140 # define TLSA_HAS_RRs(dane_tlsa) TLSA_IS_FL(dane_tlsa, TLSAFLUNS|TLSAFLSUP) /* any TLSA RRs at all, supported or not */
142 # define TLSA_STORE_FL(fl) ((fl) >= TLSAFLTEMP) /* flags numerically >= TLSAFLTEMP (i.e. all of 0x1000 and above) persist */
144 /* values for DANE option and dane_vrfy_chk (the mode occupies the two bits masked by DANEMODE()) */
145 # define DANE_NEVER TLSAFLNONE /* XREF: see sendmail.h: #define Dane */
146 # define DANE_ALWAYS TLSAFLALWAYS /* NOT documented, testing... */
147 # define DANE_SECURE TLSAFLSECURE /* presumably: use DANE only when the DNS data was securely (DNSSEC) obtained -- confirm */
148 # define CHK_DANE(dane) (DANEMODE((dane)) != DANE_NEVER) /* any mode other than "never" */
149 # define VRFY_DANE(dane_vrfy_chk) (0 == ((dane_vrfy_chk) & TLSAFLNOVRFY)) /* false once the no-verify bit is set */
151 /* temp fails? others? -- currently only TRY_AGAIN counts as a temporary failure */
152 # define TLSA_RR_TEMPFAIL(dane_tlsa) (((dane_tlsa) != NULL) && (dane_tlsa)->dane_tlsa_dnsrc == TRY_AGAIN) /* NULL-safe: false for a missing context */
154 # define ONLYUNSUPTLSARR ", status=all TLSA RRs are unsupported"
161 /* what to do in the TLS initialization -- requirement bits, combined into TLS_I_SRV / TLS_I_CLT below */
162 #define TLS_I_NONE 0x00000000 /* no requirements... */
163 #define TLS_I_CERT_EX 0x00000001 /* cert must exist */
164 #define TLS_I_CERT_UNR 0x00000002 /* cert must be group/other unreadable */
165 #define TLS_I_KEY_EX 0x00000004 /* key must exist */
166 #define TLS_I_KEY_UNR 0x00000008 /* key must be group/other unreadable */
167 #define TLS_I_CERTP_EX 0x00000010 /* CA cert path must exist */
168 #define TLS_I_CERTP_UNR 0x00000020 /* CA cert path must be group/other unreadable */
169 #define TLS_I_CERTF_EX 0x00000040 /* CA cert file must exist */
170 #define TLS_I_CERTF_UNR 0x00000080 /* CA cert file must be group/other unreadable */
171 #define TLS_I_RSA_TMP 0x00000100 /* temporary RSA key must be generated */
172 #define TLS_I_USE_KEY 0x00000200 /* private key must be usable */
173 #define TLS_I_USE_CERT 0x00000400 /* certificate must be usable */
176 #define TLS_I_VRFY_PATH 0x00000800 * load verify path must succeed *
178 #define TLS_I_VRFY_LOC 0x00001000 /* load verify default must succeed */
179 #define TLS_I_CACHE 0x00002000 /* require cache */
180 #define TLS_I_TRY_DH 0x00004000 /* try DH certificate */
181 #define TLS_I_REQ_DH 0x00008000 /* require DH certificate */
182 #define TLS_I_DHPAR_EX 0x00010000 /* require DH parameters */
183 #define TLS_I_DHPAR_UNR 0x00020000 /* DH param. must be group/other unreadable */
184 #define TLS_I_DH512 0x00040000 /* generate 512bit DH param; NOTE(review): 512-bit DH is export-grade and practically breakable */
185 #define TLS_I_DH1024 0x00080000 /* generate 1024bit DH param; NOTE(review): below current minimum guidance (2048) */
186 #define TLS_I_DH2048 0x00100000 /* generate 2048bit DH param */
187 #define TLS_I_NO_VRFY 0x00200000 /* do not require authentication */
188 #define TLS_I_KEY_OUNR 0x00400000 /* key must be other unreadable */
189 #define TLS_I_CRLF_EX 0x00800000 /* CRL file must exist */
190 #define TLS_I_CRLF_UNR 0x01000000 /* CRL file must be group/other unreadable */
191 #define TLS_I_DHFIXED 0x02000000 /* use fixed DH param */
192 #define TLS_I_DHAUTO 0x04000000 /* presumably: let the TLS library choose DH parameters automatically -- confirm in the initialization code */
194 /* require server cert: existence, permissions and usability of the server key/cert, plus existence of CA path/file */
195 #define TLS_I_SRV_CERT (TLS_I_CERT_EX | TLS_I_KEY_EX | \
196 TLS_I_KEY_UNR | TLS_I_KEY_OUNR | \
197 TLS_I_CERTP_EX | TLS_I_CERTF_EX | \
198 TLS_I_USE_KEY | TLS_I_USE_CERT | TLS_I_CACHE)
200 /* server requirements (TLS_I_CACHE is already part of TLS_I_SRV_CERT; repeating it is harmless) */
201 #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | /*TLS_I_VRFY_PATH|*/ \
202 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)
204 /* client requirements: only permission checks on the key; no *_EX bit, so a client key/cert is not required to exist */
205 #define TLS_I_CLT (TLS_I_KEY_UNR | TLS_I_KEY_OUNR)
207 #define TLS_AUTH_OK 0 /* TLS authentication result codes; OK is zero */
208 #define TLS_AUTH_NO 1 /* presumably: no authentication performed -- confirm */
209 #define TLS_AUTH_TEMP 2 /* presumably: temporary failure -- confirm */
210 #define TLS_AUTH_FAIL (-1) /* the only negative result */
212 # ifndef TLS_VRFY_PER_CTX
213 # define TLS_VRFY_PER_CTX 1
216 #define SM_SSL_FREE(ssl) \
226 extern int endtls __P((SSL **, const char *));
227 extern int get_tls_se_features __P((ENVELOPE *, SSL *, tlsi_ctx_T *, bool));
228 extern int init_tls_library __P((bool _fipsmode));
229 extern bool inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
230 extern bool initclttls __P((bool));
231 extern bool initsrvtls __P((bool));
232 extern bool load_certkey __P((SSL *, bool, char *, char *));
233 /* extern bool load_crlpath __P((SSL_CTX *, bool , char *)); */
234 extern void setclttls __P((bool));
235 extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
236 extern void tlslogerr __P((int, int, const char *));
237 extern void tls_set_verify __P((SSL_CTX *, SSL *, bool));
239 extern int dane_tlsa_chk __P((const unsigned char *, int, const char *, bool));
240 extern int dane_tlsa_clr __P((dane_tlsa_P));
241 extern int dane_tlsa_free __P((dane_tlsa_P));
244 EXTERN char *CACertPath; /* path to CA certificates (dir. with hashes) */
245 EXTERN char *CACertFile; /* file with CA certificate */
247 EXTERN char *CltCACertPath; /* client-side path to CA certificates (dir. with hashes) */
248 EXTERN char *CltCACertFile; /* client-side file with CA certificate */
250 EXTERN char *CltCertFile; /* file with client certificate */
251 EXTERN char *CltKeyFile; /* file with client private key */
252 EXTERN char *CipherList; /* list of ciphers */
254 EXTERN char *CipherSuites; /* cipher suites; presumably the separate TLSv1.3 ciphersuites string, distinct from CipherList -- confirm */
256 EXTERN char *CertFingerprintAlgorithm; /* name of fingerprint alg */
257 EXTERN const EVP_MD *EVP_digest; /* digest for cert fp */
258 EXTERN char *DHParams; /* file with DH parameters */
259 EXTERN char *RandFile; /* source of random data */
260 EXTERN char *SrvCertFile; /* file with server certificate */
261 EXTERN char *SrvKeyFile; /* file with server private key */
262 EXTERN char *CRLFile; /* file with CRLs */
263 EXTERN char *CRLPath; /* path to CRLs (dir. with hashes) */
264 EXTERN unsigned long TLS_Srv_Opts; /* TLS server options */
265 EXTERN unsigned long Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
266 EXTERN bool TLSFallbacktoClear; /* NOTE(review): the name suggests a failed TLS handshake falls back to plaintext -- a downgrade path; confirm semantics in the caller */
268 EXTERN char *SSLEngine; /* engine id, cf. TLS_set_engine() */
269 EXTERN char *SSLEnginePath;
270 EXTERN bool SSLEngineprefork; /* cf. the prefork argument of TLS_set_engine() */
272 # if USE_OPENSSL_ENGINE
273 #define TLS_set_engine(id, prefork) SSL_set_engine(id)
275 # if !defined(OPENSSL_NO_ENGINE)
276 int TLS_set_engine __P((const char *, bool));
278 #define TLS_set_engine(id, prefork) 1
282 extern int set_tls_rd_tmo __P((int));
283 extern int data2hex __P((unsigned char *, int, unsigned char *, int));
285 extern int pubkey_fp __P((X509 *, const char*, unsigned char **));
286 extern dane_tlsa_P dane_get_tlsa __P((dane_vrfy_ctx_P));
290 # define set_tls_rd_tmo(rd_tmo) 0
291 #endif /* STARTTLS */
293 #endif /* ! _TLS_H */