/*	$NetBSD: tls.h,v 1.1.1.5 2014/07/06 19:27:54 tron Exp $	*/

#ifndef _TLS_H_INCLUDED_
#define _TLS_H_INCLUDED_

/*++
/* NAME
/*	tls 3h
/* SUMMARY
/*	libtls internal interfaces
/* SYNOPSIS
/*	#include <tls.h>
/* DESCRIPTION
/* .nf

 /*
  * Utility library.
  */
#include <name_code.h>
#include <argv.h>

 /*
  * TLS enforcement levels. Non-sentinel values may also be used to indicate
  * the actual security level of a session.
  *
  * XXX TLS_LEV_NOTFOUND no longer belongs in this list. The SMTP client will
  * have to use something else to report that policy table lookup failed.
  *
  * The order of levels matters, but we hide most of the details in macros.
  *
  * "dane" vs. "fingerprint", both must lie between "encrypt" and "verify".
  *
  * - With "may" and higher, TLS is enabled.
  *
  * - With "encrypt" and higher, TLS encryption must be applied.
  *
  * - Strictly above "encrypt", the peer certificate must match.
  *
  * - At "dane" and higher, the peer certificate must also be trusted. With
  * "dane" the trust may be self-asserted, so we only log trust verification
  * errors when TA associations are involved.
  *
  * The TLS_REQUIRED(), TLS_MUST_MATCH(), TLS_MUST_TRUST() and TLS_MUST_PKIX()
  * macros below implement these rules as plain integer comparisons, so any
  * new level must be given a numeric value that preserves this ordering.
  */
#define TLS_LEV_INVALID		-2	/* sentinel */
#define TLS_LEV_NOTFOUND	-1	/* XXX not in policy table */
#define TLS_LEV_NONE		0	/* plain-text only */
#define TLS_LEV_MAY		1	/* wildcard */
#define TLS_LEV_ENCRYPT		2	/* encrypted connection */
#define TLS_LEV_FPRINT		3	/* "peer" CA-less verification */
#define TLS_LEV_DANE		4	/* Opportunistic TLSA policy */
#define TLS_LEV_DANE_ONLY	5	/* Required TLSA policy */
#define TLS_LEV_VERIFY		6	/* certificate verified */
#define TLS_LEV_SECURE		7	/* "secure" verification */

 /*
  * Level predicates. The negative sentinels (TLS_LEV_INVALID,
  * TLS_LEV_NOTFOUND) and TLS_LEV_NONE satisfy none of them.
  */
#define TLS_REQUIRED(l)		((l) > TLS_LEV_MAY)	/* encrypt and above */
#define TLS_MUST_MATCH(l)	((l) > TLS_LEV_ENCRYPT)	/* fingerprint and above */
#define TLS_MUST_TRUST(l)	((l) >= TLS_LEV_DANE)	/* dane and above */
#define TLS_MUST_PKIX(l)	((l) >= TLS_LEV_VERIFY)	/* verify and above */

 /*
  * Name/code table that maps textual level names to TLS_LEV_* values, and
  * the lookup wrappers in both directions.
  */
extern const NAME_CODE tls_level_table[];

#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s))
#define str_tls_level(l) str_name_code(tls_level_table, (l))

#ifdef USE_TLS

 /*
  * OpenSSL library.
  */
#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>

/* Appease indent(1) */
#define x509_stack_t STACK_OF(X509)
#define x509_extension_stack_t STACK_OF(X509_EXTENSION)
#define general_name_stack_t STACK_OF(GENERAL_NAME)
#define ssl_cipher_stack_t STACK_OF(SSL_CIPHER)
#define ssl_comp_stack_t STACK_OF(SSL_COMP)

/* Minimum supported OpenSSL release; the feature tests below refine this. */
#if (OPENSSL_VERSION_NUMBER < 0x00090700f)
#error "need OpenSSL version 0.9.7 or later"
#endif

/* SSL_CIPHER_get_name() got constified in 0.9.7g */
#if OPENSSL_VERSION_NUMBER >= 0x0090707fL	/* constification */
#define SSL_CIPHER_const const
#else
#define SSL_CIPHER_const
#endif

/* d2i_X509() got constified in 0.9.8a */
#if OPENSSL_VERSION_NUMBER >= 0x0090801fL
#define D2I_const const
#else
#define D2I_const
#endif

 /*
  * Utility library.
  */
#include <vstream.h>
#include <name_mask.h>
#include <name_code.h>
#include <dns.h>

 /*
  * Names of valid tlsmgr(8) session caches.
  */
#define TLS_MGR_SCACHE_SMTPD	"smtpd"
#define TLS_MGR_SCACHE_SMTP	"smtp"
#define TLS_MGR_SCACHE_LMTP	"lmtp"

 /*
  * RFC 6698 DANE
  */
#define TLS_DANE_TA	0		/* Match trust-anchor digests */
#define TLS_DANE_EE	1		/* Match end-entity digests */

#define TLS_DANE_CERT	0		/* Match the certificate digest */
#define TLS_DANE_PKEY	1		/* Match the public key digest */

#define TLS_DANE_FLAG_NORRS	(1<<0)	/* Nothing found in DNS */
#define TLS_DANE_FLAG_EMPTY	(1<<1)	/* Nothing usable found in DNS */
#define TLS_DANE_FLAG_ERROR	(1<<2)	/* TLSA record lookup error */

 /*
  * Flag tests on a TLS_DANE. Unlike TLS_DANE_HASTA()/TLS_DANE_HASEE() below,
  * these dereference their argument unconditionally, so the caller must pass
  * a non-null pointer. TLS_DANE_FLAG_ERROR has no predicate macro here.
  */
#define tls_dane_unusable(dane)	((dane)->flags & TLS_DANE_FLAG_EMPTY)
#define tls_dane_notfound(dane)	((dane)->flags & TLS_DANE_FLAG_NORRS)

#define TLS_DANE_CACHE_TTL_MIN 1	/* A lot can happen in ~2 seconds */
#define TLS_DANE_CACHE_TTL_MAX 100	/* Comparable to max_idle */

 /*
  * Certificate and public key digests (typically from TLSA RRs), grouped by
  * algorithm.
  */
typedef struct TLS_TLSA {
    char   *mdalg;			/* Algorithm for this digest list */
    ARGV   *certs;			/* Complete certificate digests */
    ARGV   *pkeys;			/* SubjectPublicKeyInfo digests */
    struct TLS_TLSA *next;		/* Chain to next algorithm */
} TLS_TLSA;

 /*
  * Linked list of full X509 trust-anchor certs.
  */
typedef struct TLS_CERTS {
    X509   *cert;			/* Trust-anchor certificate */
    struct TLS_CERTS *next;		/* Next list element */
} TLS_CERTS;

 /*
  * Linked list of full EVP_PKEY trust-anchor public keys.
  */
typedef struct TLS_PKEYS {
    EVP_PKEY *pkey;			/* Trust-anchor public key */
    struct TLS_PKEYS *next;		/* Next list element */
} TLS_PKEYS;

 /*
  * DANE trust input for one destination: digest lists from TLSA records,
  * optional full trust-anchor certificates and keys, plus cache bookkeeping
  * (expiration time and reference count).
  */
typedef struct TLS_DANE {
    TLS_TLSA *ta;			/* Trust-anchor cert/pubkey digests */
    TLS_TLSA *ee;			/* End-entity cert/pubkey digests */
    TLS_CERTS *certs;			/* Full trust-anchor certificates */
    TLS_PKEYS *pkeys;			/* Full trust-anchor public keys */
    char   *base_domain;		/* Base domain of TLSA RRset */
    int     flags;			/* Conflate cert and pkey digests */
    time_t  expires;			/* Expiration time of this record */
    int     refs;			/* Reference count */
} TLS_DANE;

 /*
  * Null-safe accessors: the digest list, or 0 when no TLS_DANE is given.
  */
#define TLS_DANE_HASTA(d)	((d) ? (d)->ta : 0)
#define TLS_DANE_HASEE(d)	((d) ? (d)->ee : 0)

 /*
  * tls_dane.c
  */
extern int tls_dane_avail(void);
extern void tls_dane_flush(void);
extern void tls_dane_verbose(int);
extern TLS_DANE *tls_dane_alloc(void);
extern void tls_dane_add_ee_digests(TLS_DANE *, const char *, const char *,
				            const char *);
extern void tls_dane_free(TLS_DANE *);
extern TLS_DANE *tls_dane_resolve(unsigned, const char *, DNS_RR *, int);
extern int tls_dane_load_trustfile(TLS_DANE *, const char *);

 /*
  * TLS session context, also used by the VSTREAM call-back routines for SMTP
  * input/output, and by OpenSSL call-back routines for key verification.
  *
  * Only some members are (read-only) accessible by the public. The
  * peer_status member is meant to be tested through the TLS_CERT_IS_*()
  * macros below.
  */
#define CCERT_BUFSIZ	256

typedef struct {
    /* Public, read-only. */
    char   *peer_CN;			/* Peer Common Name */
    char   *issuer_CN;			/* Issuer Common Name */
    char   *peer_cert_fprint;		/* ASCII certificate fingerprint */
    char   *peer_pkey_fprint;		/* ASCII public key fingerprint */
    int     peer_status;		/* Certificate and match status */
    const char *protocol;		/* Negotiated protocol name */
    const char *cipher_name;		/* Negotiated cipher name */
    int     cipher_usebits;		/* presumably key bits in use; confirm */
    int     cipher_algbits;		/* presumably algorithm key bits; confirm */
    /* Private. */
    SSL    *con;			/* OpenSSL connection object */
    char   *cache_type;			/* tlsmgr(8) cache type if enabled */
    int     ticketed;			/* Session ticket issued */
    char   *serverid;			/* unique server identifier */
    char   *namaddr;			/* nam[addr] for logging */
    int     log_mask;			/* What to log */
    int     session_reused;		/* this session was reused */
    int     am_server;			/* Are we an SSL server or client? */
    const char *mdalg;			/* default message digest algorithm */
    /* Built-in vs external SSL_accept/read/write/shutdown support. */
    VSTREAM *stream;			/* Blocking-mode SMTP session */
    /* RFC 6698 DANE trust input and verification state */
    const TLS_DANE *dane;		/* DANE TLSA digests */
    int     errordepth;			/* Chain depth of error cert */
    int     tadepth;			/* Chain depth of trust anchor */
    int     errorcode;			/* First error at error depth */
    X509   *errorcert;			/* Error certificate closest to leaf */
    x509_stack_t *untrusted;		/* Certificate chain fodder */
    x509_stack_t *trusted;		/* Internal root CA list */
} TLS_SESS_STATE;

 /*
  * Peer status bits. TLS_CERT_FLAG_MATCHED implies TLS_CERT_FLAG_TRUSTED
  * only in the case of a hostname match.
  */
#define TLS_CERT_FLAG_PRESENT	(1<<0)
#define TLS_CERT_FLAG_ALTNAME	(1<<1)
#define TLS_CERT_FLAG_TRUSTED	(1<<2)
#define TLS_CERT_FLAG_MATCHED	(1<<3)

 /*
  * Null-safe peer status tests: a null session context counts as "no".
  */
#define TLS_CERT_IS_PRESENT(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_PRESENT))
#define TLS_CERT_IS_ALTNAME(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_ALTNAME))
#define TLS_CERT_IS_TRUSTED(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_TRUSTED))
#define TLS_CERT_IS_MATCHED(c)	((c) && ((c)->peer_status&TLS_CERT_FLAG_MATCHED))

 /*
  * Opaque client context handle. The full structure is visible only with
  * TLS_INTERNAL defined.
  */
typedef struct TLS_APPL_STATE TLS_APPL_STATE;

#ifdef TLS_INTERNAL

 /*
  * Log mask details are internal to the library.
  */
extern int tls_log_mask(const char *, const char *);

 /*
  * What to log.
  * Bit values for the log_mask members of the session and application
  * contexts.
  */
#define TLS_LOG_NONE		(1<<0)
#define TLS_LOG_SUMMARY		(1<<1)
#define TLS_LOG_UNTRUSTED	(1<<2)
#define TLS_LOG_PEERCERT	(1<<3)
#define TLS_LOG_CERTMATCH	(1<<4)
#define TLS_LOG_VERBOSE		(1<<5)
#define TLS_LOG_CACHE		(1<<6)
#define TLS_LOG_DEBUG		(1<<7)
#define TLS_LOG_TLSPKTS		(1<<8)
#define TLS_LOG_ALLPKTS		(1<<9)
#define TLS_LOG_SESSTKT		(1<<10)

 /*
  * Client and Server application contexts. This is the full definition of
  * the handle that is only an opaque typedef outside TLS_INTERNAL.
  */
struct TLS_APPL_STATE {
    SSL_CTX *ssl_ctx;			/* OpenSSL context shared by sessions */
    int     log_mask;			/* TLS_LOG_* bits */
    char   *cache_type;			/* tlsmgr(8) cache type */
    char   *cipher_exclusions;		/* Last cipher selection state */
    char   *cipher_list;		/* Last cipher selection state */
    int     cipher_grade;		/* Last cipher selection state */
    VSTRING *why;			/* NOTE(review): presumably the last error text; confirm */
};

 /*
  * tls_misc.c Application-context update and disposal.
  */
extern void tls_update_app_logmask(TLS_APPL_STATE *, int);
extern void tls_free_app_context(TLS_APPL_STATE *);

 /*
  * tls_misc.c
  */

extern void tls_param_init(void);

 /*
  * Protocol selection. Each TLS_PROTOCOL_* bit selects one protocol
  * version; on OpenSSL builds that predate TLSv1.1 or TLSv1.2 the
  * corresponding bit and SSL_OP_NO_* option are both defined as zero so the
  * mask arithmetic below still compiles and those terms drop out. This
  * header only defines the bits; which versions are enabled by default is
  * decided by the callers.
  */
#define TLS_PROTOCOL_INVALID	(~0)	/* All protocol bits masked */
#define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
#define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
#define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
#ifdef SSL_TXT_TLSV1_1
#define TLS_PROTOCOL_TLSv1_1	(1<<3)	/* TLSv1_1 */
#else
#define TLS_PROTOCOL_TLSv1_1	0	/* Unknown */
#undef SSL_OP_NO_TLSv1_1
#define SSL_OP_NO_TLSv1_1	0L	/* Noop */
#endif
#ifdef SSL_TXT_TLSV1_2
#define TLS_PROTOCOL_TLSv1_2	(1<<4)	/* TLSv1_2 */
#else
#define TLS_PROTOCOL_TLSv1_2	0	/* Unknown */
#undef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2	0L	/* Noop */
#endif
/* Union of all protocol bits known to this build. */
#define TLS_KNOWN_PROTOCOLS	\
	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
	| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
/* Translate a TLS_PROTOCOL_* bit mask into the matching SSL_OP_NO_* bits. */
#define TLS_SSL_OP_PROTOMASK(m) \
	((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
	| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
	| (((m) & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) \
	| (((m) & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) \
	| (((m) & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L))

 /*
  * SSL options that are managed via dedicated Postfix features, rather than
  * just exposed via hex codes or named elements of tls_ssl_options. This is
  * the server cipher preference option plus every SSL_OP_NO_* protocol bit.
  */
#define TLS_SSL_OP_MANAGED_BITS \
	(SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0))

extern int tls_protocol_mask(const char *);

 /*
  * Cipher grade selection. Numeric values increase from "none" through
  * "high".
  */
#define TLS_CIPHER_NONE		0
#define TLS_CIPHER_NULL		1
#define TLS_CIPHER_EXPORT	2
#define TLS_CIPHER_LOW		3
#define TLS_CIPHER_MEDIUM	4
#define TLS_CIPHER_HIGH		5

 /*
  * Name/code table for cipher grade names and the lookup wrappers.
  */
extern const NAME_CODE tls_cipher_grade_table[];

#define tls_cipher_grade(str) \
		name_code(tls_cipher_grade_table, NAME_CODE_FLAG_NONE, (str))
#define str_tls_cipher_grade(gr) \
		str_name_code(tls_cipher_grade_table, (gr))

 /*
  * Cipher lists with exclusions.
  */
extern const char *tls_set_ciphers(TLS_APPL_STATE *, const char *,
				           const char *, const char *);

#endif					/* TLS_INTERNAL */

 /*
  * tls_client.c
  */
typedef struct {
    const char *log_param;
    const char *log_level;
    int     verifydepth;
    const char *cache_type;
    const char *cert_file;
    const char *key_file;
    const char *dcert_file;
    const char *dkey_file;
    const char *eccert_file;
    const char *eckey_file;
    const char *CAfile;
    const char *CApath;
    const char *mdalg;			/* default message digest algorithm */
} TLS_CLIENT_INIT_PROPS;

typedef struct {
    TLS_APPL_STATE *ctx;
    VSTREAM *stream;
    int     timeout;
    int     tls_level;			/* Security level */
    const char *nexthop;		/* destination domain */
    const char *host;			/* MX hostname */
    const char *namaddr;		/* nam[addr] for logging */
    const char *serverid;		/* Session cache key */
    const char *helo;			/* Server name from EHLO response */
    const char *protocols;		/* Enabled protocols */
    const char *cipher_grade;		/* Minimum cipher grade */
    const char *cipher_exclusions;	/* Ciphers to exclude */
    const ARGV *matchargv;		/* Cert match patterns */
    const char *mdalg;			/* default message digest algorithm */
    const TLS_DANE *dane;		/* RFC 6698 verification */
} TLS_CLIENT_START_PROPS;

extern TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *);
extern TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *);

/* Thin wrapper around tls_session_stop(), declared further below. */
#define tls_client_stop(ctx, stream, timeout, failure, TLScontext) \
	tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))

 /*
  * The member accesses in TLS_CLIENT_INIT() are joined with the comma
  * operator inside one parenthesized argument, so the only value actually
  * passed to tls_client_init() is (props). Naming every member at the call
  * site serves as a compile-time check that the caller accounted for all of
  * them; a misspelled or missing member name fails to compile. The same
  * applies to TLS_CLIENT_START(), TLS_SERVER_INIT() and TLS_SERVER_START().
  */
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
	a10, a11, a12, a13) \
    tls_client_init((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
	((props)->a12), ((props)->a13), (props)))

#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
	a10, a11, a12, a13, a14, a15) \
    tls_client_start((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
	((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), (props)))

 /*
  * tls_server.c
  */
typedef struct {
    const char *log_param;
    const char *log_level;
    int     verifydepth;
    const char *cache_type;
    int     set_sessid;
    const char *cert_file;
    const char *key_file;
    const char *dcert_file;
    const char *dkey_file;
    const char *eccert_file;
    const char *eckey_file;
    const char *CAfile;
    const char *CApath;
    const char *protocols;
    const char *eecdh_grade;
    const char *dh1024_param_file;
    const char *dh512_param_file;
    int     ask_ccert;
    const char *mdalg;			/* default message digest algorithm */
} TLS_SERVER_INIT_PROPS;

typedef struct {
    TLS_APPL_STATE *ctx;		/* TLS application context */
    VSTREAM *stream;			/* Client stream */
    int     fd;				/* Event-driven file descriptor */
    int     timeout;			/* TLS handshake timeout */
    int     requirecert;		/* Insist on client cert? */
    const char *serverid;		/* Server instance (salt cache key) */
    const char *namaddr;		/* Client nam[addr] for logging */
    const char *cipher_grade;		/* Minimum cipher grade */
    const char *cipher_exclusions;	/* Ciphers to exclude */
    const char *mdalg;			/* default message digest algorithm */
} TLS_SERVER_START_PROPS;

extern TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *);
extern TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props);
extern TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *);

/* Thin wrapper around tls_session_stop(), declared further below. */
#define tls_server_stop(ctx, stream, timeout, failure, TLScontext) \
	tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))

#define TLS_SERVER_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
	a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
    tls_server_init((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
	((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
	((props)->a16), ((props)->a17), ((props)->a18), ((props)->a19), (props)))

#define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10) \
    tls_server_start((((props)->a1), ((props)->a2), ((props)->a3), \
	((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
	((props)->a8), ((props)->a9), ((props)->a10), (props)))

 /*
  * tls_session.c
  */
extern void tls_session_stop(TLS_APPL_STATE *, VSTREAM *, int, int, TLS_SESS_STATE *);

#ifdef TLS_INTERNAL

#include <vstring.h>

 /*
  * Session cache (de)serialization: passivate turns an SSL_SESSION into a
  * VSTRING, activate rebuilds one from a buffer and its length.
  */
extern VSTRING *tls_session_passivate(SSL_SESSION *);
extern SSL_SESSION *tls_session_activate(const char *, int);

 /*
  * tls_stream.c.
  */
extern void tls_stream_start(VSTREAM *, TLS_SESS_STATE *);
extern void tls_stream_stop(VSTREAM *);

 /*
  * tls_bio_ops.c: a generic multi-personality driver that retries SSL
  * operations until they are satisfied or until a hard error happens.
  * Because of its ugly multi-personality user interface we invoke it via
  * not-so-ugly single-personality wrappers. The wrappers below show the
  * argument order: fd, timeout, session context, exactly one non-NULL
  * operation callback, then the buffer and length (NULL/0 when the
  * operation takes no buffer).
  */
extern int tls_bio(int, int, TLS_SESS_STATE *,
		           int (*) (SSL *),	/* handshake */
		           int (*) (SSL *, void *, int),	/* read */
		           int (*) (SSL *, const void *, int),	/* write */
		           void *, int);

#define tls_bio_connect(fd, timeout, context) \
	tls_bio((fd), (timeout), (context), SSL_connect, \
		NULL, NULL, NULL, 0)
#define tls_bio_accept(fd, timeout, context) \
	tls_bio((fd), (timeout), (context), SSL_accept, \
		NULL, NULL, NULL, 0)
#define tls_bio_shutdown(fd, timeout, context) \
	tls_bio((fd), (timeout), (context), SSL_shutdown, \
		NULL, NULL, NULL, 0)
#define tls_bio_read(fd, buf, len, timeout, context) \
	tls_bio((fd), (timeout), (context), NULL, \
		SSL_read, NULL, (buf), (len))
#define tls_bio_write(fd, buf, len, timeout, context) \
	tls_bio((fd), (timeout), (context), NULL, \
		NULL, SSL_write, (buf), (len))

 /*
  * tls_dh.c
  */
extern void tls_set_dh_from_file(const char *, int);
extern DH *tls_tmp_dh_cb(SSL *, int, int);
extern int tls_set_eecdh_curve(SSL_CTX *, const char *);

 /*
  * tls_rsa.c
  */
extern RSA *tls_tmp_rsa_cb(SSL *, int, int);

 /*
  * tls_verify.c
  */
extern char *tls_peer_CN(X509 *, const TLS_SESS_STATE *);
extern char *tls_issuer_CN(X509 *, const TLS_SESS_STATE *);
extern const char *tls_dns_name(const GENERAL_NAME *, const TLS_SESS_STATE *);
extern int tls_verify_certificate_callback(int, X509_STORE_CTX *);
extern void tls_log_verify_error(TLS_SESS_STATE *);

 /*
  * tls_dane.c
  */
extern int tls_dane_match(TLS_SESS_STATE *, int, X509 *, int);
extern void tls_dane_set_callback(SSL_CTX *, TLS_SESS_STATE *);

 /*
  * tls_fprint.c
  */
extern char *tls_digest_encode(const unsigned char *, int);
extern char *tls_data_fprint(const char *, int, const char *);
extern char *tls_cert_fprint(X509 *, const char *);
extern char *tls_pkey_fprint(X509 *, const char *);
extern char *tls_serverid_digest(const TLS_CLIENT_START_PROPS *, long,
				         const char *);

 /*
  * tls_certkey.c
  */
extern int tls_set_ca_certificate_info(SSL_CTX *, const char *, const char *);
extern int tls_set_my_certificate_key_info(SSL_CTX *,
			         /* RSA */ const char *, const char *,
			         /* DSA */ const char *, const char *,
			         /* ECDSA */ const char *, const char *);

 /*
  * tls_misc.c
  */
extern int TLScontext_index;

extern TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *, int);
extern TLS_SESS_STATE *tls_alloc_sess_context(int, const char *);
extern void tls_free_context(TLS_SESS_STATE *);
extern void tls_check_version(void);
extern long tls_bug_bits(void);
extern void tls_print_errors(void);
extern void tls_info_callback(const SSL *, int, int);
/* Signature matches the OpenSSL BIO debug callback; presumably installed via BIO_set_callback() - confirm. */
extern long tls_bio_dump_cb(BIO *, int, const char *, int, long, long);
extern int tls_validate_digest(const char *);

 /*
  * tls_seed.c
  */
extern void tls_int_seed(void);
extern int tls_ext_seed(int);

#endif					/* TLS_INTERNAL */

/* LICENSE
/* .ad
/* .fi
/*	The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*	Wietse Venema
/*	IBM T.J. Watson Research
/*	P.O. Box 704
/*	Yorktown Heights, NY 10598, USA
/*
/*	Victor Duchovni
/*	Morgan Stanley
/*--*/

#endif					/* USE_TLS */
#endif					/* _TLS_H_INCLUDED_ */