1 /* $NetBSD: tls_proxy_client_print.c,v 1.4 2023/12/23 20:30:45 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* tls_proxy_client_print 3 6 /* SUMMARY 7 /* write TLS_CLIENT_XXX structures to stream 8 /* SYNOPSIS 9 /* #include <tls_proxy.h> 10 /* 11 /* int tls_proxy_client_param_print(print_fn, stream, flags, ptr) 12 /* ATTR_PRINT_COMMON_FN print_fn; 13 /* VSTREAM *stream; 14 /* int flags; 15 /* const void *ptr; 16 /* 17 /* int tls_proxy_client_init_print(print_fn, stream, flags, ptr) 18 /* ATTR_PRINT_COMMON_FN print_fn; 19 /* VSTREAM *stream; 20 /* int flags; 21 /* const void *ptr; 22 /* 23 /* int tls_proxy_client_start_print(print_fn, stream, flags, ptr) 24 /* ATTR_PRINT_COMMON_FN print_fn; 25 /* VSTREAM *stream; 26 /* int flags; 27 /* const void *ptr; 28 /* DESCRIPTION 29 /* tls_proxy_client_param_print() writes a TLS_CLIENT_PARAMS structure to 30 /* the named stream using the specified attribute print routine. 31 /* tls_proxy_client_param_print() is meant to be passed as a call-back to 32 /* attr_print(), thusly: 33 /* 34 /* SEND_ATTR_FUNC(tls_proxy_client_param_print, (const void *) param), ... 35 /* 36 /* tls_proxy_client_init_print() writes a full TLS_CLIENT_INIT_PROPS 37 /* structure to the named stream using the specified attribute 38 /* print routine. tls_proxy_client_init_print() is meant to 39 /* be passed as a call-back to attr_print(), thusly: 40 /* 41 /* SEND_ATTR_FUNC(tls_proxy_client_init_print, (const void *) init_props), ... 42 /* 43 /* tls_proxy_client_start_print() writes a TLS_CLIENT_START_PROPS 44 /* structure, without stream or file descriptor members, to 45 /* the named stream using the specified attribute print routine. 46 /* tls_proxy_client_start_print() is meant to be passed as a 47 /* call-back to attr_print(), thusly: 48 /* 49 /* SEND_ATTR_FUNC(tls_proxy_client_start_print, (const void *) start_props), ... 50 /* DIAGNOSTICS 51 /* Fatal: out of memory. 52 /* LICENSE 53 /* .ad 54 /* .fi 55 /* The Secure Mailer license must be distributed with this software. 56 /* AUTHOR(S) 57 /* Wietse Venema 58 /* Google, Inc. 59 /* 111 8th Avenue 60 /* New York, NY 10011, USA 61 /*--*/ 62 63 #ifdef USE_TLS 64 65 /* System library. */ 66 67 #include <sys_defs.h> 68 69 /* Utility library */ 70 71 #include <argv_attr.h> 72 #include <attr.h> 73 #include <msg.h> 74 75 /* Global library. */ 76 77 #include <mail_params.h> 78 79 /* TLS library. */ 80 81 #include <tls.h> 82 #include <tls_proxy.h> 83 84 85 #define STR(x) vstring_str(x) 86 #define LEN(x) VSTRING_LEN(x) 87 88 /* tls_proxy_client_param_print - send TLS_CLIENT_PARAMS over stream */ 89 90 int tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp, 91 int flags, const void *ptr) 92 { 93 const TLS_CLIENT_PARAMS *params = (const TLS_CLIENT_PARAMS *) ptr; 94 int ret; 95 96 if (msg_verbose) 97 msg_info("begin tls_proxy_client_param_print"); 98 99 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 100 SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file), 101 SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name), 102 SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist), 103 SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST, 104 params->tls_medium_clist), 105 SEND_ATTR_STR(VAR_TLS_NULL_CLIST, params->tls_null_clist), 106 SEND_ATTR_STR(VAR_TLS_EECDH_AUTO, params->tls_eecdh_auto), 107 SEND_ATTR_STR(VAR_TLS_EECDH_STRONG, 108 params->tls_eecdh_strong), 109 SEND_ATTR_STR(VAR_TLS_EECDH_ULTRA, 110 params->tls_eecdh_ultra), 111 SEND_ATTR_STR(VAR_TLS_FFDHE_AUTO, params->tls_ffdhe_auto), 112 SEND_ATTR_STR(VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks), 113 SEND_ATTR_STR(VAR_TLS_SSL_OPTIONS, 114 params->tls_ssl_options), 115 SEND_ATTR_STR(VAR_TLS_DANE_DIGESTS, 116 params->tls_dane_digests), 117 SEND_ATTR_STR(VAR_TLS_MGR_SERVICE, 118 params->tls_mgr_service), 119 SEND_ATTR_STR(VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher), 120 SEND_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES, 121 params->tls_daemon_rand_bytes), 122 SEND_ATTR_INT(VAR_TLS_APPEND_DEF_CA, 123 params->tls_append_def_CA), 124 SEND_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT, 125 params->tls_bc_pkey_fprint), 126 SEND_ATTR_INT(VAR_TLS_PREEMPT_CLIST, 127 params->tls_preempt_clist), 128 SEND_ATTR_INT(VAR_TLS_MULTI_WILDCARD, 129 params->tls_multi_wildcard), 130 ATTR_TYPE_END); 131 /* Do not flush the stream. */ 132 if (msg_verbose) 133 msg_info("tls_proxy_client_param_print ret=%d", ret); 134 return (ret); 135 } 136 137 /* tls_proxy_client_init_print - send TLS_CLIENT_INIT_PROPS over stream */ 138 139 int tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp, 140 int flags, const void *ptr) 141 { 142 const TLS_CLIENT_INIT_PROPS *props = (const TLS_CLIENT_INIT_PROPS *) ptr; 143 int ret; 144 145 if (msg_verbose) 146 msg_info("begin tls_proxy_client_init_print"); 147 148 #define STRING_OR_EMPTY(s) ((s) ? (s) : "") 149 150 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 151 SEND_ATTR_STR(TLS_ATTR_LOG_PARAM, 152 STRING_OR_EMPTY(props->log_param)), 153 SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL, 154 STRING_OR_EMPTY(props->log_level)), 155 SEND_ATTR_INT(TLS_ATTR_VERIFYDEPTH, props->verifydepth), 156 SEND_ATTR_STR(TLS_ATTR_CACHE_TYPE, 157 STRING_OR_EMPTY(props->cache_type)), 158 SEND_ATTR_STR(TLS_ATTR_CHAIN_FILES, 159 STRING_OR_EMPTY(props->chain_files)), 160 SEND_ATTR_STR(TLS_ATTR_CERT_FILE, 161 STRING_OR_EMPTY(props->cert_file)), 162 SEND_ATTR_STR(TLS_ATTR_KEY_FILE, 163 STRING_OR_EMPTY(props->key_file)), 164 SEND_ATTR_STR(TLS_ATTR_DCERT_FILE, 165 STRING_OR_EMPTY(props->dcert_file)), 166 SEND_ATTR_STR(TLS_ATTR_DKEY_FILE, 167 STRING_OR_EMPTY(props->dkey_file)), 168 SEND_ATTR_STR(TLS_ATTR_ECCERT_FILE, 169 STRING_OR_EMPTY(props->eccert_file)), 170 SEND_ATTR_STR(TLS_ATTR_ECKEY_FILE, 171 STRING_OR_EMPTY(props->eckey_file)), 172 SEND_ATTR_STR(TLS_ATTR_CAFILE, 173 STRING_OR_EMPTY(props->CAfile)), 174 SEND_ATTR_STR(TLS_ATTR_CAPATH, 175 STRING_OR_EMPTY(props->CApath)), 176 SEND_ATTR_STR(TLS_ATTR_MDALG, 177 STRING_OR_EMPTY(props->mdalg)), 178 ATTR_TYPE_END); 179 /* Do not flush the stream. */ 180 if (msg_verbose) 181 msg_info("tls_proxy_client_init_print ret=%d", ret); 182 return (ret); 183 } 184 185 /* tls_proxy_client_tlsa_print - send TLS_TLSA over stream */ 186 187 static int tls_proxy_client_tlsa_print(ATTR_PRINT_COMMON_FN print_fn, 188 VSTREAM *fp, int flags, const void *ptr) 189 { 190 const TLS_TLSA *head = (const TLS_TLSA *) ptr; 191 const TLS_TLSA *tp; 192 int count; 193 int ret; 194 195 for (tp = head, count = 0; tp != 0; tp = tp->next) 196 ++count; 197 if (msg_verbose) 198 msg_info("tls_proxy_client_tlsa_print count=%d", count); 199 200 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 201 SEND_ATTR_INT(TLS_ATTR_COUNT, count), 202 ATTR_TYPE_END); 203 204 for (tp = head; ret == 0 && tp != 0; tp = tp->next) 205 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 206 SEND_ATTR_INT(TLS_ATTR_USAGE, tp->usage), 207 SEND_ATTR_INT(TLS_ATTR_SELECTOR, tp->selector), 208 SEND_ATTR_INT(TLS_ATTR_MTYPE, tp->mtype), 209 SEND_ATTR_DATA(TLS_ATTR_DATA, tp->length, tp->data), 210 ATTR_TYPE_END); 211 212 /* Do not flush the stream. */ 213 if (msg_verbose) 214 msg_info("tls_proxy_client_tlsa_print ret=%d", count); 215 return (ret); 216 } 217 218 /* tls_proxy_client_dane_print - send TLS_DANE over stream */ 219 220 static int tls_proxy_client_dane_print(ATTR_PRINT_COMMON_FN print_fn, 221 VSTREAM *fp, int flags, const void *ptr) 222 { 223 const TLS_DANE *dane = (const TLS_DANE *) ptr; 224 int ret; 225 226 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 227 SEND_ATTR_INT(TLS_ATTR_DANE, dane != 0), 228 ATTR_TYPE_END); 229 if (msg_verbose) 230 msg_info("tls_proxy_client_dane_print dane=%d", dane != 0); 231 232 if (ret == 0 && dane != 0) { 233 /* Send the base_domain and RRs, we don't need the other fields */ 234 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 235 SEND_ATTR_STR(TLS_ATTR_DOMAIN, 236 STRING_OR_EMPTY(dane->base_domain)), 237 SEND_ATTR_FUNC(tls_proxy_client_tlsa_print, 238 (const void *) dane->tlsa), 239 ATTR_TYPE_END); 240 } 241 /* Do not flush the stream. */ 242 if (msg_verbose) 243 msg_info("tls_proxy_client_dane_print ret=%d", ret); 244 return (ret); 245 } 246 247 /* tls_proxy_client_start_print - send TLS_CLIENT_START_PROPS over stream */ 248 249 int tls_proxy_client_start_print(ATTR_PRINT_COMMON_FN print_fn, 250 VSTREAM *fp, int flags, const void *ptr) 251 { 252 const TLS_CLIENT_START_PROPS *props = (const TLS_CLIENT_START_PROPS *) ptr; 253 int ret; 254 255 if (msg_verbose) 256 msg_info("begin tls_proxy_client_start_print"); 257 258 #define STRING_OR_EMPTY(s) ((s) ? (s) : "") 259 260 ret = print_fn(fp, flags | ATTR_FLAG_MORE, 261 SEND_ATTR_INT(TLS_ATTR_TIMEOUT, props->timeout), 262 SEND_ATTR_INT(TLS_ATTR_TLS_LEVEL, props->tls_level), 263 SEND_ATTR_STR(TLS_ATTR_NEXTHOP, 264 STRING_OR_EMPTY(props->nexthop)), 265 SEND_ATTR_STR(TLS_ATTR_HOST, 266 STRING_OR_EMPTY(props->host)), 267 SEND_ATTR_STR(TLS_ATTR_NAMADDR, 268 STRING_OR_EMPTY(props->namaddr)), 269 SEND_ATTR_STR(TLS_ATTR_SNI, 270 STRING_OR_EMPTY(props->sni)), 271 SEND_ATTR_STR(TLS_ATTR_SERVERID, 272 STRING_OR_EMPTY(props->serverid)), 273 SEND_ATTR_STR(TLS_ATTR_HELO, 274 STRING_OR_EMPTY(props->helo)), 275 SEND_ATTR_STR(TLS_ATTR_PROTOCOLS, 276 STRING_OR_EMPTY(props->protocols)), 277 SEND_ATTR_STR(TLS_ATTR_CIPHER_GRADE, 278 STRING_OR_EMPTY(props->cipher_grade)), 279 SEND_ATTR_STR(TLS_ATTR_CIPHER_EXCLUSIONS, 280 STRING_OR_EMPTY(props->cipher_exclusions)), 281 SEND_ATTR_FUNC(argv_attr_print, 282 (const void *) props->matchargv), 283 SEND_ATTR_STR(TLS_ATTR_MDALG, 284 STRING_OR_EMPTY(props->mdalg)), 285 SEND_ATTR_FUNC(tls_proxy_client_dane_print, 286 (const void *) props->dane), 287 ATTR_TYPE_END); 288 /* Do not flush the stream. */ 289 if (msg_verbose) 290 msg_info("tls_proxy_client_start_print ret=%d", ret); 291 return (ret); 292 } 293 294 #endif 295