1 /* $NetBSD: tls_level.c,v 1.2 2017/02/14 01:16:48 christos Exp $ */
2
3 /*++
4 /* NAME
5 /* tls_level 3
6 /* SUMMARY
7 /* TLS security level conversion
8 /* SYNOPSIS
9 /* #include <tls.h>
10 /*
11 /* int tls_level_lookup(name)
12 /* const char *name;
13 /*
14 /* const char *str_tls_level(level)
15 /* int level;
16 /* DESCRIPTION
17 /* The functions in this module convert TLS levels from symbolic
18 /* name to internal form and vice versa.
19 /*
/* tls_level_lookup() converts a TLS level from symbolic name
/* to internal form. When an unknown level is specified, or the
/* internal-only "halfdane" level, tls_level_lookup() logs no
/* warning and returns TLS_LEV_INVALID.
23 /*
24 /* str_tls_level() converts a TLS level from internal form to
25 /* symbolic name. The result is a null pointer for an unknown
26 /* level. The "halfdane" level is not a valid user-selected TLS level,
27 /* it is generated internally and is only valid output for the
28 /* str_tls_level() function.
29 /* SEE ALSO
30 /* name_code(3) name to number mapping
31 /* LICENSE
32 /* .ad
33 /* .fi
34 /* The Secure Mailer license must be distributed with this software.
35 /* AUTHOR(S)
36 /* Wietse Venema
37 /* IBM T.J. Watson Research
38 /* P.O. Box 704
39 /* Yorktown Heights, NY 10598, USA
40 /*
41 /* Victor Duchovni
42 /* Morgan Stanley
43 /*--*/
44
45 /* System library. */
46
47 #include <sys_defs.h>
48
49 /* Utility library. */
50
51 #include <name_code.h>
52
53 /* TLS library. */
54
55 #include <tls.h>
56
57 /* Application-specific. */
58
/*
 * The ordinal values of the TLS_LEV_* codes matter (see tls.h): callers
 * compare levels with relational operators, so each level must carry
 * every guarantee of the levels below it.
 *
 * - "may" and above: TLS is enabled.
 *
 * - "encrypt" and above: TLS is required.
 *
 * - "fingerprint" and above: the peer certificate must also match.
 *
 * - "dane" and above: the peer certificate must also be trusted, possibly
 *   through TLSA RRs that make it its own authority.
 *
 * "dane" is deliberately ordered above "fingerprint": the smtp(8) client
 * reports a trust failure in preference to a failure to match.
 *
 * "halfdane" is an internal, output-only level. It is listed here so that
 * str_tls_level() can render it; tls_level_lookup() refuses it as input.
 */
static const NAME_CODE tls_level_table[] = {
    {"none", TLS_LEV_NONE},
    {"may", TLS_LEV_MAY},
    {"encrypt", TLS_LEV_ENCRYPT},
    {"fingerprint", TLS_LEV_FPRINT},
    {"halfdane", TLS_LEV_HALF_DANE},	/* output only */
    {"dane", TLS_LEV_DANE},
    {"dane-only", TLS_LEV_DANE_ONLY},
    {"verify", TLS_LEV_VERIFY},
    {"secure", TLS_LEV_SECURE},
    {0, TLS_LEV_INVALID},
};
86
/* tls_level_lookup - map a symbolic TLS level name to its TLS_LEV_* code */

int     tls_level_lookup(const char *name)
{
    int     code;

    /*
     * The table also carries the internal "halfdane" entry so that
     * str_tls_level() can print it. It is not a level that may be
     * selected by a user, so a lookup that resolves to it is reported
     * as invalid, exactly like an unknown name. No warning is logged
     * here; that is left to the caller.
     */
    code = name_code(tls_level_table, NAME_CODE_FLAG_NONE, name);
    if (code == TLS_LEV_HALF_DANE)
	return (TLS_LEV_INVALID);
    return (code);
}
93
/* str_tls_level - map a TLS_LEV_* code to its symbolic name, or null */

const char *str_tls_level(int level)
{
    const char *name;

    /*
     * Unlike tls_level_lookup(), this direction may legitimately yield
     * "halfdane", which is generated internally and never accepted as
     * input. An unknown code yields a null pointer, so callers must check
     * the result before printing it.
     */
    name = str_name_code(tls_level_table, level);
    return (name);
}
98