1 /*	$NetBSD: tls_level.c,v 1.1.1.2 2014/07/06 19:27:54 tron Exp $	*/
2 
3 /*++
4 /* NAME
5 /*	tls_level 3
6 /* SUMMARY
7 /*	TLS security level conversion
8 /* SYNOPSIS
9 /*	#include <tls.h>
10 /*
11 /*	int	tls_level_lookup(name)
12 /*	const char *name;
13 /*
14 /*	const char *str_tls_level(level)
15 /*	int	level;
16 /* DESCRIPTION
17 /*	The macros in this module convert TLS levels from symbolic
18 /*	name to internal form and vice versa. The macros are safe
19 /*	because they evaluate their arguments only once.
20 /*
21 /*	tls_level_lookup() converts a TLS level from symbolic name
22 /*	to internal form. When an unknown level is specified,
23 /*	tls_level_lookup() logs no warning, and returns TLS_LEV_INVALID.
24 /*
25 /*	str_tls_level() converts a TLS level from internal form to
26 /*	symbolic name. The result is a null pointer for an unknown
27 /*	level.
28 /* SEE ALSO
29 /*	name_code(3) name to number mapping
30 /* LICENSE
31 /* .ad
32 /* .fi
33 /*	The Secure Mailer license must be distributed with this software.
34 /* AUTHOR(S)
35 /*	Wietse Venema
36 /*	IBM T.J. Watson Research
37 /*	P.O. Box 704
38 /*	Yorktown Heights, NY 10598, USA
39 /*
40 /*	Victor Duchovni
41 /*	Morgan Stanley
42 /*--*/
43 
44 /* System library. */
45 
46 #include <sys_defs.h>
47 
48 /* Utility library. */
49 
50 #include <name_code.h>
51 
52 /* TLS library. */
53 
54 #include <tls.h>
55 
56 /* Application-specific. */
57 
58  /*
59   * Numerical order of levels is critical (see tls.h):
60   *
61   * - With "may" and higher, TLS is enabled.
62   *
63   * - With "encrypt" and higher, TLS is required.
64   *
65   * - With "fingerprint" and higher, the peer certificate must match.
66   *
67   * - With "dane" and higher, the peer certificate must also be trusted,
68   * possibly via TLSA RRs that make it its own authority.
69   *
70   * The smtp(8) client will report trust failure in preference to reporting
71   * failure to match, so we make "dane" larger than "fingerprint".
72   */
/*
 * Symbolic TLS security level names and their internal codes, listed in the
 * numeric order that tls.h and the comment above require. The table is the
 * backing store for name_code(3)-style lookups; the final entry with a null
 * name terminates the search, and its code is the TLS_LEV_INVALID value that
 * tls_level_lookup() reports for a name that is not in the table.
 */
const NAME_CODE tls_level_table[] = {
    {"none", TLS_LEV_NONE},		/* below "may": TLS not enabled */
    {"may", TLS_LEV_MAY},		/* TLS enabled, but not required */
    {"encrypt", TLS_LEV_ENCRYPT},	/* TLS required */
    {"fingerprint", TLS_LEV_FPRINT},	/* peer certificate must match */
    {"dane", TLS_LEV_DANE},		/* peer certificate must also be trusted */
    {"dane-only", TLS_LEV_DANE_ONLY},	/* trusted peer certificate required */
    {"verify", TLS_LEV_VERIFY},		/* trusted peer certificate required */
    {"secure", TLS_LEV_SECURE},		/* trusted peer certificate required */
    {0, TLS_LEV_INVALID},		/* sentinel: end of table, unknown level */
};
84