1/* 2 * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 25#include <Security/Security.h> 26#include <AssertMacros.h> 27 28#include "ssl-utils.h" 29 30#if TARGET_OS_IPHONE 31 32#include <Security/SecRSAKey.h> 33#include <Security/SecECKey.h> 34#include <Security/SecCertificatePriv.h> 35#include <Security/SecIdentityPriv.h> 36 37#include "privkey-1.h" 38#include "cert-1.h" 39 40static 41CFArrayRef chain_from_der(const unsigned char *pkey_der, size_t pkey_der_len, const unsigned char *cert_der, size_t cert_der_len) 42{ 43 SecKeyRef pkey = NULL; 44 SecCertificateRef cert = NULL; 45 SecIdentityRef ident = NULL; 46 CFArrayRef items = NULL; 47 48 require(pkey = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault, pkey_der, pkey_der_len, kSecKeyEncodingPkcs1), errOut); 49 require(cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, cert_der, cert_der_len), errOut); 50 require(ident = SecIdentityCreate(kCFAllocatorDefault, cert, pkey), errOut); 51 require(items = CFArrayCreate(kCFAllocatorDefault, (const void **)&ident, 1, &kCFTypeArrayCallBacks), errOut); 52 53errOut: 54 CFReleaseSafe(pkey); 55 CFReleaseSafe(cert); 56 CFReleaseSafe(ident); 57 return items; 58} 59 60#else 61 62#include "identity-1.h" 63#define P12_PASSWORD "password" 64 65static 66CFArrayRef chain_from_p12(const unsigned char *p12_data, size_t p12_len) 67{ 68 char keychain_path[] = "/tmp/keychain.XXXXXX"; 69 70 SecKeychainRef keychain = NULL; 71 CFArrayRef list = NULL; 72 CFDataRef data = NULL; 73 74 SecExternalFormat format=kSecFormatPKCS12; 75 SecExternalItemType type=kSecItemTypeAggregate; 76 SecItemImportExportFlags flags=0; 77 SecKeyImportExportParameters params = {0,}; 78 CFArrayRef out = NULL; 79 80 require_noerr(SecKeychainCopyDomainSearchList(kSecPreferencesDomainUser, &list), errOut); 81 require(mktemp(keychain_path), errOut); 82 require_noerr(SecKeychainCreate (keychain_path, strlen(P12_PASSWORD), P12_PASSWORD, 83 FALSE, NULL, &keychain), errOut); 84 require_noerr(SecKeychainSetDomainSearchList(kSecPreferencesDomainUser, list), errOut); // restores the previous search list 85 require(data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, p12_data, p12_len, kCFAllocatorNull), errOut); 86 87 88 params.passphrase=CFSTR("password"); 89 params.keyAttributes = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE; 90 91 require_noerr(SecKeychainItemImport(data, CFSTR(".p12"), &format, &type, flags, 92 ¶ms, keychain, &out), errOut); 93 94errOut: 95 CFReleaseSafe(data); 96 CFReleaseSafe(keychain); 97 CFReleaseSafe(list); 98 99 return out; 100} 101 102#endif 103 104CFArrayRef server_chain(void) 105{ 106#if TARGET_OS_IPHONE 107 return chain_from_der(privkey_1_der, privkey_1_der_len, cert_1_der, cert_1_der_len); 108#else 109 return chain_from_p12(identity_1_p12, identity_1_p12_len); 110#endif 111} 112 113CFArrayRef client_chain(void) 114{ 115#if TARGET_OS_IPHONE 116 return chain_from_der(privkey_1_der, privkey_1_der_len, cert_1_der, cert_1_der_len); 117#else 118 return chain_from_p12(identity_1_p12, identity_1_p12_len); 119#endif 120} 121 122const char *ciphersuite_name(SSLCipherSuite cs) 123{ 124 125#define C(x) case x: return #x; 126 switch (cs) { 127 128 /* TLS 1.2 addenda, RFC 5246 */ 129 130 /* Initial state. */ 131 C(TLS_NULL_WITH_NULL_NULL) 132 133 /* Server provided RSA certificate for key exchange. */ 134 C(TLS_RSA_WITH_NULL_MD5) 135 C(TLS_RSA_WITH_NULL_SHA) 136 C(TLS_RSA_WITH_RC4_128_MD5) 137 C(TLS_RSA_WITH_RC4_128_SHA) 138 C(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 139 C(TLS_RSA_WITH_AES_128_CBC_SHA) 140 C(TLS_RSA_WITH_AES_256_CBC_SHA) 141 C(TLS_RSA_WITH_NULL_SHA256) 142 C(TLS_RSA_WITH_AES_128_CBC_SHA256) 143 C(TLS_RSA_WITH_AES_256_CBC_SHA256) 144 145 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */ 146 C(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA) 147 C(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA) 148 C(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA) 149 C(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) 150 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA) 151 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA) 152 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA) 153 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) 154 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA) 155 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA) 156 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA) 157 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) 158 C(TLS_DH_DSS_WITH_AES_128_CBC_SHA256) 159 C(TLS_DH_RSA_WITH_AES_128_CBC_SHA256) 160 C(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256) 161 C(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) 162 C(TLS_DH_DSS_WITH_AES_256_CBC_SHA256) 163 C(TLS_DH_RSA_WITH_AES_256_CBC_SHA256) 164 C(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256) 165 C(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) 166 167 /* Completely anonymous Diffie-Hellman */ 168 C(TLS_DH_anon_WITH_RC4_128_MD5) 169 C(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA) 170 C(TLS_DH_anon_WITH_AES_128_CBC_SHA) 171 C(TLS_DH_anon_WITH_AES_256_CBC_SHA) 172 C(TLS_DH_anon_WITH_AES_128_CBC_SHA256) 173 C(TLS_DH_anon_WITH_AES_256_CBC_SHA256) 174 175 /* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites 176 for TLS. */ 177 C(TLS_RSA_WITH_AES_128_GCM_SHA256) 178 C(TLS_RSA_WITH_AES_256_GCM_SHA384) 179 C(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) 180 C(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) 181 C(TLS_DH_RSA_WITH_AES_128_GCM_SHA256) 182 C(TLS_DH_RSA_WITH_AES_256_GCM_SHA384) 183 C(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256) 184 C(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384) 185 C(TLS_DH_DSS_WITH_AES_128_GCM_SHA256) 186 C(TLS_DH_DSS_WITH_AES_256_GCM_SHA384) 187 C(TLS_DH_anon_WITH_AES_128_GCM_SHA256) 188 C(TLS_DH_anon_WITH_AES_256_GCM_SHA384) 189 190 /* ECDSA addenda, RFC 4492 */ 191 C(TLS_ECDH_ECDSA_WITH_NULL_SHA) 192 C(TLS_ECDH_ECDSA_WITH_RC4_128_SHA) 193 C(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA) 194 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA) 195 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA) 196 C(TLS_ECDHE_ECDSA_WITH_NULL_SHA) 197 C(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA) 198 C(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA) 199 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) 200 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) 201 C(TLS_ECDH_RSA_WITH_NULL_SHA) 202 C(TLS_ECDH_RSA_WITH_RC4_128_SHA) 203 C(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA) 204 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA) 205 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA) 206 C(TLS_ECDHE_RSA_WITH_NULL_SHA) 207 C(TLS_ECDHE_RSA_WITH_RC4_128_SHA) 208 C(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) 209 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) 210 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) 211 C(TLS_ECDH_anon_WITH_NULL_SHA) 212 C(TLS_ECDH_anon_WITH_RC4_128_SHA) 213 C(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA) 214 C(TLS_ECDH_anon_WITH_AES_128_CBC_SHA) 215 C(TLS_ECDH_anon_WITH_AES_256_CBC_SHA) 216 217 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with 218 HMAC SHA-256/384. */ 219 C(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) 220 C(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384) 221 C(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256) 222 C(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384) 223 C(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) 224 C(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) 225 C(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256) 226 C(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384) 227 228 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with 229 SHA-256/384 and AES Galois Counter Mode (GCM) */ 230 C(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) 231 C(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) 232 C(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256) 233 C(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384) 234 C(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) 235 C(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) 236 C(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256) 237 C(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384) 238 239 /* RFC 5746 - Secure Renegotiation */ 240 C(TLS_EMPTY_RENEGOTIATION_INFO_SCSV) 241 242 /* 243 * Tags for SSL 2 cipher kinds which are not specified 244 * for SSL 3. 245 */ 246 C(SSL_RSA_WITH_RC2_CBC_MD5) 247 C(SSL_RSA_WITH_IDEA_CBC_MD5) 248 C(SSL_RSA_WITH_DES_CBC_MD5) 249 C(SSL_RSA_WITH_3DES_EDE_CBC_MD5) 250 C(SSL_NO_SUCH_CIPHERSUITE) 251 252 C(SSL_RSA_EXPORT_WITH_RC4_40_MD5) 253 C(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5) 254 C(SSL_RSA_WITH_IDEA_CBC_SHA) 255 C(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA) 256 C(SSL_RSA_WITH_DES_CBC_SHA) 257 C(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA) 258 C(SSL_DH_DSS_WITH_DES_CBC_SHA) 259 C(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA) 260 C(SSL_DH_RSA_WITH_DES_CBC_SHA) 261 C(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA) 262 C(SSL_DHE_DSS_WITH_DES_CBC_SHA) 263 C(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA) 264 C(SSL_DHE_RSA_WITH_DES_CBC_SHA) 265 C(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5) 266 C(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA) 267 C(SSL_DH_anon_WITH_DES_CBC_SHA) 268 C(SSL_FORTEZZA_DMS_WITH_NULL_SHA) 269 C(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA) 270 271 272 default: 273 return "Unknown Ciphersuite"; 274 } 275 276} 277