1 /* $NetBSD: tls_level.c,v 1.2 2017/02/14 01:16:48 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* tls_level 3 6 /* SUMMARY 7 /* TLS security level conversion 8 /* SYNOPSIS 9 /* #include <tls.h> 10 /* 11 /* int tls_level_lookup(name) 12 /* const char *name; 13 /* 14 /* const char *str_tls_level(level) 15 /* int level; 16 /* DESCRIPTION 17 /* The functions in this module convert TLS levels from symbolic 18 /* name to internal form and vice versa. 19 /* 20 /* tls_level_lookup() converts a TLS level from symbolic name 21 /* to internal form. When an unknown level is specified, 22 /* tls_level_lookup() logs no warning, and returns TLS_LEV_INVALID. 23 /* 24 /* str_tls_level() converts a TLS level from internal form to 25 /* symbolic name. The result is a null pointer for an unknown 26 /* level. The "halfdane" level is not a valid user-selected TLS level, 27 /* it is generated internally and is only valid output for the 28 /* str_tls_level() function. 29 /* SEE ALSO 30 /* name_code(3) name to number mapping 31 /* LICENSE 32 /* .ad 33 /* .fi 34 /* The Secure Mailer license must be distributed with this software. 35 /* AUTHOR(S) 36 /* Wietse Venema 37 /* IBM T.J. Watson Research 38 /* P.O. Box 704 39 /* Yorktown Heights, NY 10598, USA 40 /* 41 /* Victor Duchovni 42 /* Morgan Stanley 43 /*--*/ 44 45 /* System library. */ 46 47 #include <sys_defs.h> 48 49 /* Utility library. */ 50 51 #include <name_code.h> 52 53 /* TLS library. */ 54 55 #include <tls.h> 56 57 /* Application-specific. */ 58 59 /* 60 * Numerical order of levels is critical (see tls.h): 61 * 62 * - With "may" and higher, TLS is enabled. 63 * 64 * - With "encrypt" and higher, TLS is required. 65 * 66 * - With "fingerprint" and higher, the peer certificate must match. 67 * 68 * - With "dane" and higher, the peer certificate must also be trusted, 69 * possibly via TLSA RRs that make it its own authority. 
 * The smtp(8) client will report trust failure in preference to reporting
 * failure to match, so we make "dane" larger than "fingerprint".
 */
static const NAME_CODE tls_level_table[] = {
    {"none", TLS_LEV_NONE},
    {"may", TLS_LEV_MAY},
    {"encrypt", TLS_LEV_ENCRYPT},
    {"fingerprint", TLS_LEV_FPRINT},
    {"halfdane", TLS_LEV_HALF_DANE},	/* output only, see tls_level_lookup() */
    {"dane", TLS_LEV_DANE},
    {"dane-only", TLS_LEV_DANE_ONLY},
    {"verify", TLS_LEV_VERIFY},
    {"secure", TLS_LEV_SECURE},
    {0, TLS_LEV_INVALID},		/* terminator: unknown names map here */
};

/* tls_level_lookup - symbolic TLS level name to TLS_LEV_* code, TLS_LEV_INVALID if unknown */

int     tls_level_lookup(const char *name)
{
    int     code = name_code(tls_level_table, NAME_CODE_FLAG_NONE, name);

    /*
     * "halfdane" is generated internally and is listed only so that
     * str_tls_level() can render it. It is not a valid user-selected level,
     * so a lookup of that name is reported as unknown rather than accepted.
     */
    if (code == TLS_LEV_HALF_DANE)
	return (TLS_LEV_INVALID);
    return (code);
}

/* str_tls_level - TLS_LEV_* code to symbolic name, null pointer if unknown */

const char *str_tls_level(int level)
{
    const char *name = str_name_code(tls_level_table, level);

    return (name);
}