Diffstat (limited to '')
-rw-r--r-- | src/tls/tls_level.c | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/src/tls/tls_level.c b/src/tls/tls_level.c
new file mode 100644
index 0000000..eec15fd
--- /dev/null
+++ b/src/tls/tls_level.c
@@ -0,0 +1,95 @@
+/*++
+/* NAME
+/* tls_level 3
+/* SUMMARY
+/* TLS security level conversion
+/* SYNOPSIS
+/* #include <tls.h>
+/*
+/* int tls_level_lookup(name)
+/* const char *name;
+/*
+/* const char *str_tls_level(level)
+/* int level;
+/* DESCRIPTION
+/* The functions in this module convert TLS levels from symbolic
+/* name to internal form and vice versa.
+/*
+/* tls_level_lookup() converts a TLS level from symbolic name
+/* to internal form. When an unknown level is specified,
+/* tls_level_lookup() logs no warning, and returns TLS_LEV_INVALID.
+/*
+/* str_tls_level() converts a TLS level from internal form to
+/* symbolic name. The result is a null pointer for an unknown
+/* level. The "halfdane" level is not a valid user-selected TLS level,
+/* it is generated internally and is only valid output for the
+/* str_tls_level() function.
+/* SEE ALSO
+/* name_code(3) name to number mapping
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*
+/* Victor Duchovni
+/* Morgan Stanley
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <name_code.h>
+
+/* TLS library. */
+
+#include <tls.h>
+
+/* Application-specific. */
+
+ /*
+ * Numerical order of levels is critical (see tls.h):
+ *
+ * - With "may" and higher, TLS is enabled.
+ *
+ * - With "encrypt" and higher, TLS is required.
+ *
+ * - With "fingerprint" and higher, the peer certificate must match.
+ *
+ * - With "dane" and higher, the peer certificate must also be trusted,
+ * possibly via TLSA RRs that make it its own authority.
+ *
+ * The smtp(8) client will report trust failure in preference to reporting
+ * failure to match, so we make "dane" larger than "fingerprint".
+ */
+static const NAME_CODE tls_level_table[] = {
+ "none", TLS_LEV_NONE,
+ "may", TLS_LEV_MAY,
+ "encrypt", TLS_LEV_ENCRYPT,
+ "fingerprint", TLS_LEV_FPRINT,
+ "halfdane", TLS_LEV_HALF_DANE, /* output only */
+ "dane", TLS_LEV_DANE,
+ "dane-only", TLS_LEV_DANE_ONLY,
+ "verify", TLS_LEV_VERIFY,
+ "secure", TLS_LEV_SECURE,
+ 0, TLS_LEV_INVALID,
+};
+
+int tls_level_lookup(const char *name)
+{
+ int level = name_code(tls_level_table, NAME_CODE_FLAG_NONE, name);
+
+ return ((level != TLS_LEV_HALF_DANE) ? level : TLS_LEV_INVALID);
+}
+
+const char *str_tls_level(int level)
+{
+ return (str_name_code(tls_level_table, level));
+}
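Review bot: The ordering comment above tls_level_table spells out the "may and higher" / "encrypt and higher" comparisons callers are expected to make, but it does not say where TLS_LEV_INVALID sorts, and tls_level_lookup() returns that value for every unknown name and for "halfdane". If TLS_LEV_INVALID were numerically above TLS_LEV_NONE in tls.h (not visible in this hunk), a caller that forgets the failure check would silently end up with TLS enabled or even required, so the invariant belongs next to the others: ` * - TLS_LEV_INVALID must sort below "none", so that an unchecked lookup failure can never enable or require TLS (values are defined in tls.h).` The table carries no compile-time check that its entries follow the documented order, so a reader has to trust the comment; a short note on the `"halfdane"` entry saying that tls_level_lookup() rejects it by comparing the looked-up value would also explain why an output-only level sits in the lookup table at all.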