2 * Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
13 SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $")
19 ** DATA2HEX -- create a printable hex string from binary data ("%02X:")
23 ** len -- length of data
24 ** hex -- output buffer
25 ** hlen -- length of output buffer
29 ** >0: length of data in hex
33 data2hex(buf, blen, hex, hlen)
40 static const char hexcodes[] = "0123456789ABCDEF";
42 SM_REQUIRE(buf != NULL);
43 SM_REQUIRE(hex != NULL);
44 if (blen * 3 + 2 > hlen)
47 for (r = 0, h = 0; r < blen && h + 3 < hlen; r++)
49 hex[h++] = hexcodes[(buf[r] & 0xf0) >> 4];
50 hex[h++] = hexcodes[(buf[r] & 0x0f)];
61 ** TLS_DATA_MD -- calculate MD for data
64 ** buf -- data (in and out!)
65 ** len -- length of data
66 ** md -- digest algorithm
69 ** <=0: cert fp calculation failed
73 ** writes digest to buf
77 tls_data_md(buf, len, md)
84 unsigned char md_buf[EVP_MAX_MD_SIZE];
86 SM_REQUIRE(buf != NULL);
87 SM_REQUIRE(md != NULL);
88 SM_REQUIRE(len >= EVP_MAX_MD_SIZE);
90 mdctx = EVP_MD_CTX_create();
91 if (EVP_DigestInit_ex(mdctx, md, NULL) != 1)
93 if (EVP_DigestUpdate(mdctx, (void *)buf, len) != 1)
95 if (EVP_DigestFinal_ex(mdctx, md_buf, &md_len) != 1)
97 EVP_MD_CTX_destroy(mdctx);
101 (void) memcpy(buf, md_buf, md_len);
108 ** PUBKEY_FP -- get public key fingerprint
112 ** mdalg -- name of digest algorithm
113 ** fp -- (pointer to) fingerprint buffer
116 ** <=0: cert fp calculation failed
121 pubkey_fp(cert, mdalg, fp)
127 unsigned char *buf, *end;
130 SM_ASSERT(cert != NULL);
131 SM_ASSERT(fp != NULL);
132 SM_ASSERT(mdalg != NULL);
134 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
136 /* what's an acceptable upper limit? */
137 if (len <= 0 || len >= 8192)
139 if (len < EVP_MAX_MD_SIZE)
140 len = EVP_MAX_MD_SIZE;
141 end = buf = sm_malloc(len);
145 if ('\0' == mdalg[0])
147 r = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &end);
148 if (r <= 0 || r != len)
154 md = EVP_get_digestbyname(mdalg);
156 return DANE_VRFY_FAIL;
157 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &end);
158 r = tls_data_md(buf, len, md);
167 ** DANE_TLSA_CHK -- check whether a TLSA RR is ok to use
171 ** len -- length of RR
172 ** host -- name of host for RR (only for logging)
173 ** log -- whether to log problems
180 dane_tlsa_chk(rr, len, host, log)
190 if (log && LogLevel > 8)
191 sm_syslog(LOG_WARNING, NOQID,
192 "TLSA=%s, len=%d, status=bogus",
196 SM_ASSERT(rr != NULL);
199 if ((int)rr[0] == 3 && (int)rr[1] == 1 && (alg >= 0 || alg <= 2))
201 if (log && LogLevel > 9)
202 sm_syslog(LOG_NOTICE, NOQID,
203 "TLSA=%s, type=%d-%d-%d:%02x, status=unsupported",
204 host, (int)rr[0], (int)rr[1], (int)rr[2],
210 ** DANE_TLSA_CLR -- clear data in a dane_tlsa structure (for use)
213 ** dane_tlsa -- dane_tlsa to clear
221 dane_tlsa_clr(dane_tlsa)
222 dane_tlsa_P dane_tlsa;
226 if (dane_tlsa == NULL)
228 for (i = 0; i < dane_tlsa->dane_tlsa_n; i++)
230 SM_FREE(dane_tlsa->dane_tlsa_rr[i]);
231 dane_tlsa->dane_tlsa_len[i] = 0;
233 SM_FREE(dane_tlsa->dane_tlsa_sni);
234 memset(dane_tlsa, '\0', sizeof(*dane_tlsa));
240 ** DANE_TLSA_FREE -- free a dane_tlsa structure
243 ** dane_tlsa -- dane_tlsa to free
251 dane_tlsa_free(dane_tlsa)
252 dane_tlsa_P dane_tlsa;
254 if (dane_tlsa == NULL)
256 dane_tlsa_clr(dane_tlsa);
263 #endif /* STARTTLS */