/*
 * Copyright (c) 2002-2013 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#ifndef _EAP8021X_EAPTLSUTIL_H
#define _EAP8021X_EAPTLSUTIL_H

/*
 * EAPTLSUtil.h
 * - utility functions for dealing with the Secure Transport APIs
 *   (SSLContextRef and friends) on behalf of the EAP code in this
 *   framework (see EAPTLS.h)
 * - NOTE(review): Secure Transport has since been deprecated by Apple in
 *   favor of Network.framework; this header predates that and exposes the
 *   older SSLContextRef-based API only.
 */

/*
 * Modification History
 *
 * August 26, 2002	Dieter Siegmund (dieter@apple)
 * - created
 */

#include <Security/SecureTransport.h>
#include <Security/SecCertificate.h>
#include <Security/SecPolicy.h>
#include <CoreFoundation/CFBase.h>
#include <CoreFoundation/CFData.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFDictionary.h>
#include <stdbool.h>
#include <EAP8021X/EAP.h>
#include <EAP8021X/EAPTLS.h>
#include <EAP8021X/EAPClientTypes.h>
#include <TargetConditionals.h>

/*
 * memoryBuffer
 * - a byte buffer manipulated through the memoryBuffer* functions declared
 *   below; callers should use those rather than touching the fields.
 * - 'data'/'length': the storage and its size (see memoryBufferAllocate)
 * - 'offset': NOTE(review): presumably the current position within 'data'
 *   (bytes consumed or filled so far) - confirm against EAPTLSUtil.c
 * - 'complete': reported by memoryBufferIsComplete; NOTE(review): presumably
 *   set once the buffer holds an entire TLS message - confirm
 */
typedef struct memoryBuffer_s {
    void *		data;
    size_t		length;
    size_t		offset;
    bool		complete;
} memoryBuffer, *memoryBufferRef;

/*
 * memoryIO
 * - a pair of memoryBuffers used for in-memory TLS I/O (see
 *   EAPTLSMemIOContextCreate, EAPSSLMemoryIORead, EAPSSLMemoryIOWrite)
 * - 'debug' is toggled with memoryIOSetDebug
 * - the buffers are supplied by the caller via memoryIOInit; the struct
 *   does not own them
 */
typedef struct {
    bool		debug;
    memoryBufferRef	read;
    memoryBufferRef	write;
} memoryIO, * memoryIORef;

/*
 * Function: EAPSSLContextCreate
 * Purpose:
 *   Create a Secure Transport context for an EAP exchange.
 *   'func_read'/'func_write' are the I/O callbacks and 'handle' is the
 *   SSLConnectionRef they receive.  'peername' is the expected name of the
 *   peer (NOTE(review): presumably passed to SSLSetPeerDomainName so that
 *   hostname checking is performed - confirm in EAPTLSUtil.c).
 *   'ret_status' receives the underlying OSStatus.
 * Returns:
 *   A new SSLContextRef owned by the caller (CF "Create" rule);
 *   NOTE(review): presumably NULL on failure with *ret_status set - confirm.
 */
SSLContextRef
EAPSSLContextCreate(SSLProtocol protocol, bool is_server,
		    SSLReadFunc func_read, SSLWriteFunc func_write,
		    void * handle, char * peername, OSStatus * ret_status);

/*
 * Function: EAPTLSMemIOContextCreate
 * Purpose:
 *   Like EAPSSLContextCreate, but wired to the in-memory I/O described by
 *   'mem_io' instead of caller-supplied callbacks.
 */
SSLContextRef
EAPTLSMemIOContextCreate(bool is_server, memoryIORef mem_io,
			 char * peername, OSStatus * ret_status);

/*
 * The three declarations below are compiled out: this header exports no
 * cipher-suite restriction hook and no cipher/protocol string helpers.
 */
#if 0
OSStatus
EAPSSLContextSetCipherRestrictions(SSLContextRef ctx, char cipherRestrict);

const char *
EAPSSLCipherSuiteString(SSLCipherSuite cs);

const char *
EAPSSLProtocolVersionString(SSLProtocol prot);

#endif /* 0 */

/*
 * Function: EAPSSLErrorString
 * Purpose:
 *   Return a printable string for the given Secure Transport OSStatus.
 */
const char *
EAPSSLErrorString(OSStatus err);

/*
 * Functions: EAPSSLMemoryIORead, EAPSSLMemoryIOWrite
 * Purpose:
 *   Read/write callbacks with the SSLReadFunc/SSLWriteFunc shape that move
 *   bytes between Secure Transport and a memoryIO.  'connection' is the
 *   handle registered with the context (NOTE(review): presumably a
 *   memoryIORef - confirm).  Per the Secure Transport callback contract,
 *   '*data_length' is the requested size on entry and the number of bytes
 *   actually transferred on return.
 */
OSStatus
EAPSSLMemoryIORead(SSLConnectionRef connection, void * data_buf,
		   size_t * data_length);

OSStatus
EAPSSLMemoryIOWrite(SSLConnectionRef connection, const void * data_buf,
		    size_t * data_length);

/*
 * Function: EAPTLSComputeKeyData
 * Purpose:
 *   Derive key material from the established TLS session in 'ssl_context'.
 *   'label'/'label_length' select the derivation (NOTE(review): the EAP-TLS
 *   key derivation of RFC 5216 uses a fixed label - confirm which labels
 *   the implementation accepts).  'key_length' bytes are written to 'key'.
 *   Both lengths are plain int; callers must not pass negative values.
 */
OSStatus
EAPTLSComputeKeyData(SSLContextRef ssl_context,
		     const void * label, int label_length,
		     void * key, int key_length);

/* Release any storage held by 'buf' and reset its fields. */
void
memoryBufferClear(memoryBufferRef buf);

/* Initialize 'buf' to the empty state. */
void
memoryBufferInit(memoryBufferRef buf);

/* Allocate 'length' bytes of storage for 'buf'. */
void
memoryBufferAllocate(memoryBufferRef buf, size_t length);

/* Report the buffer's 'complete' flag. */
bool
memoryBufferIsComplete(memoryBufferRef buf);

/*
 * Append 'length' bytes from 'data' to 'buf'.
 * Returns: NOTE(review): presumably true once the buffer is complete,
 * or false on failure - confirm against EAPTLSUtil.c before relying on it.
 */
bool
memoryBufferAddData(memoryBufferRef buf, const void * data, size_t length);

/* Clear both the read and write buffers of 'mem_io'. */
void
memoryIOClearBuffers(memoryIORef mem_io);

/* Point 'mem_io' at the caller-owned 'read_buf' and 'write_buf'. */
void
memoryIOInit(memoryIORef mem_io, memoryBufferRef read_buf,
	     memoryBufferRef write_buf);

/* Set the 'debug' flag of 'mem_io'. */
void
memoryIOSetDebug(memoryIORef mem_io, bool debug);

/*
 * Functions: EAPTLSPacketCreate, EAPTLSPacketCreate2
 * Purpose:
 *   Build an EAP packet with the given 'code', 'type' and 'identifier'
 *   carrying data from 'buf', sized to fit within 'mtu'.  '*ret_fraglen'
 *   receives the fragment length (NOTE(review): presumably the number of
 *   bytes of 'buf' placed in this packet - confirm).
 *   EAPTLSPacketCreate2 additionally takes 'always_mark_first'.
 */
EAPPacketRef
EAPTLSPacketCreate(EAPCode code, int type, u_char identifier, int mtu,
		   memoryBufferRef buf, int * ret_fraglen);

EAPPacketRef
EAPTLSPacketCreate2(EAPCode code, int type, u_char identifier, int mtu,
		    memoryBufferRef buf, int * ret_fraglen,
		    bool always_mark_first);

/*
 * Function: EAPSSLCopyPeerCertificates
 *
 * Purpose:
 *   A wrapper for SSLGetPeerCertificates that matches the CF function
 *   naming conventions, and allows the certificate array to be released
 *   by simply calling CFRelease on the array. SSLGetPeerCertificates does
 *   not CFRelease each certificate after adding it to the array.
 * Returns:
 *   The OSStatus of the underlying call; on success '*certs' is owned by
 *   the caller.
 */
OSStatus
EAPSSLCopyPeerCertificates(SSLContextRef context, CFArrayRef * certs);

/*
 * Function: EAPTLSVerifyServerCertificateChain
 * Purpose:
 *   Given the configured EAP client properties and the server certificate
 *   chain, determine whether to proceed or not.
 * Returns:
 *   kEAPClientStatusOK if it's OK to proceed.  Any other value means the
 *   server was not authenticated and the exchange must not continue;
 *   'ret_status' carries the underlying OSStatus for diagnostics.
 */
EAPClientStatus
EAPTLSVerifyServerCertificateChain(CFDictionaryRef properties,
				   CFArrayRef server_certs,
				   OSStatus * ret_status);

/*
 * Function: EAPSecPolicyCopy
 * Purpose:
 *   Copies the EAP security policy object.  On success '*ret_policy' is
 *   owned by the caller (CF "Copy" rule).
 * Returns:
 *   noErr if successful.
 */
OSStatus
EAPSecPolicyCopy(SecPolicyRef * ret_policy);

/*
 * Function: EAPTLSPacketCopyDescription
 * Purpose:
 *   Produce a human-readable description of 'eaptls_pkt'.
 *   '*packet_is_valid' reports whether the packet parsed cleanly.
 * Returns:
 *   A CFStringRef owned by the caller (CF "Copy" rule).
 */
CFStringRef
EAPTLSPacketCopyDescription(EAPTLSPacketRef eaptls_pkt, bool * packet_is_valid);


#if TARGET_OS_EMBEDDED
/*
 * Trust exceptions bindings (embedded targets only).
 *
 * A binding is keyed by the trust domain, an identifier within that domain,
 * and the hash of the server certificate.  Because the server certificate
 * hash is part of the key, an exception accepted for one server certificate
 * is only re-applied when the same certificate is presented again; a
 * different certificate under the same domain/identifier gets no exception.
 */

/*
 * Function: EAPTLSSecTrustSaveExceptionsBinding
 * Purpose:
 *   Given the evaluated SecTrustRef object, save an exceptions binding for the
 *   given domain, identifier, and server_hash_str, all of which must be
 *   specified.
 * Returns:
 *   FALSE if the trust object was not in a valid state,
 *   TRUE otherwise.
 */
bool
EAPTLSSecTrustSaveExceptionsBinding(SecTrustRef trust,
				    CFStringRef domain, CFStringRef identifier,
				    CFStringRef server_hash_str);
/*
 * Function: EAPTLSSecTrustApplyExceptionsBinding
 * Purpose:
 *   Finds a stored trust exceptions object for the given domain, identifier,
 *   and server_cert_hash. If it exists, applies the exceptions to the given
 *   trust object.  If no binding exists, 'trust' is left unchanged.
 */
void
EAPTLSSecTrustApplyExceptionsBinding(SecTrustRef trust, CFStringRef domain,
				     CFStringRef identifier,
				     CFStringRef server_cert_hash);

/*
 * Function: EAPTLSRemoveTrustExceptionsBindings
 * Purpose:
 *   Remove all of the trust exceptions bindings for the given
 *   trust domain and identifier.
 * Example:
 *   EAPTLSRemoveTrustExceptionsBindings(kEAPTLSTrustExceptionsDomainWirelessSSID,
 *				     current_SSID);
 */
void
EAPTLSRemoveTrustExceptionsBindings(CFStringRef domain,
				    CFStringRef identifier);

/*
 * Function: EAPTLSCreateSecTrust
 * Purpose:
 *   Allocates and configures a SecTrustRef object using the
 *   EAPClientConfiguration dictionary 'properties', the server certificate
 *   chain 'server_certs', the trust exceptions domain 'domain', and the
 *   trust exceptions identifier 'identifier'.
 * Returns:
 *   non-NULL SecTrustRef on success (owned by the caller, CF "Create" rule),
 *   NULL otherwise
 */
SecTrustRef
EAPTLSCreateSecTrust(CFDictionaryRef properties, CFArrayRef server_certs,
		     CFStringRef domain, CFStringRef identifier);

#endif /* TARGET_OS_EMBEDDED */

/*
 * Function: EAPTLSCopyIdentityTrustChain
 * Purpose:
 *   Copy the trust chain corresponding to the given SecIdentityRef, or if NULL,
 *   the one specified in the given properties dictionary.
 * Returns:
 *   An OSStatus; on success '*ret_array' is owned by the caller.
 */
OSStatus
EAPTLSCopyIdentityTrustChain(SecIdentityRef sec_identity,
			     CFDictionaryRef properties,
			     CFArrayRef * ret_array);

#endif /* _EAP8021X_EAPTLSUTIL_H */