/*
 * Copyright (c) 2006-2008,2010-2012,2014 Apple Inc. All Rights Reserved.
 */

/*
 * Shared helper routines for the SecureTransport command-line test and
 * sample programs (the include guard suggests "ssls app utils"): enum/status
 * stringifiers, keychain/identity lookup, trusted-anchor installation, cipher
 * and protocol restriction helpers, and expect-vs-got checkers used by the
 * test drivers. Only declarations live here; implementations are in the
 * matching .c file, which is not part of this header.
 */

#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <CoreFoundation/CFArray.h>
#include <stdbool.h>
#include <Security/SecCertificate.h>

#include <TargetConditionals.h>

#if TARGET_OS_IPHONE
/* Stand-in so the SecKeychainRef-taking prototypes below compile uniformly on
 * iOS; apparently the real keychain-ref type is not available there — confirm. */
typedef void *SecKeychainRef;
#endif

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Stringifiers for logging: each returns a printable, presumably static,
 * name for the given SecureTransport enum or status value.
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/* Print `op` together with the string form of `err` (presumably via
 * sslGetSSLErrString). */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

/*
 * Load the certificates to present from a keychain.
 * NOTE(review): ownership of the returned array and of *pKcRef is not stated
 * here — confirm against the implementation before releasing either.
 */
CFArrayRef getSslCerts(
	const char			*kcName,				// may be NULL, i.e., use default
	bool				encryptOnly,
	bool				completeCertChain,
	const char			*anchorFile,			// optional trusted anchor
	SecKeychainRef		*pKcRef);				// RETURNED
/*
 * Build the full chain for `identity` (leaf first, presumably) into a new
 * array. "created and RETURNED" means the caller owns *outArray and
 * presumably must CFRelease it.
 */
OSStatus sslCompleteCertChain(
	SecIdentityRef 		identity,
	SecCertificateRef	trustedAnchor,			// optional additional trusted anchor
	bool 				includeRoot, 			// include the root in outArray
//	const CSSM_OID		*vfyPolicy,				// optional - if NULL, use SSL
	CFArrayRef			*outArray);				// created and RETURNED
/* Keychain-ref flavour of getSslCerts; same ownership caveat applies. */
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef		kcRef,
	bool				encryptOnly,
	bool				completeCertChain,
//	const CSSM_OID		*vfyPolicy,				// optional - if NULL, use SSL policy to complete
	const char			*trustedAnchorFile);

/*
 * Trusted-anchor installation on an SSLContextRef. In all three,
 * `replaceAnchors` presumably selects "replace the context's anchor set"
 * (true) versus "add to it" (false) — confirm in the .c file.
 */
OSStatus addTrustedSecCert(
	SSLContextRef 		ctx,
	SecCertificateRef 	secCert,
	bool                replaceAnchors);
/* Read one certificate from `anchorFile` into *certRef (caller-owned). */
OSStatus sslReadAnchor(
	const char 			*anchorFile,
	SecCertificateRef 	*certRef);
OSStatus sslAddTrustedRoot(
	SSLContextRef 		ctx,
	const char 			*anchorFile,
	bool                replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 *
 * Because the anchor is taken from the identity under test rather than from
 * an external trust store, a successful verify here only shows that chain
 * building works; it is not an independent trust decision.
 */
OSStatus addIdentityAsTrustedRoot(
	SSLContextRef 	ctx,
	CFArrayRef		identArray);

/* Add every root found in `keychain` as a trusted anchor; *foundOne is
 * presumably set to report whether any root was added — confirm. */
OSStatus sslAddTrustedRoots(
	SSLContextRef 	ctx,
	SecKeychainRef	keychain,
	bool			*foundOne);

/* Progress indicator for the test drivers. Declared with an empty parameter
 * list, which in C is not a prototype (no argument checking); `(void)` would
 * be stricter. */
void sslOutputDot();

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 *
 * Several of these groups cover legacy or weak algorithms (the "40" suffixes
 * presumably denote 40-bit export suites; single DES, RC4, RC2, MD5 and
 * anonymous DH are likewise obsolete). They exist so the test tools can
 * exercise restriction handling, not as a recommended configuration.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 */
OSStatus sslSetEnabledCiphers(
	SSLContextRef ctx,
	const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 * `cipherRestrict` is a single-character selector; the mapping from
 * character to one of the suite lists above lives in the implementation.
 */
OSStatus sslSetCipherRestrictions(
	SSLContextRef ctx,
	char cipherRestrict);

#ifndef SPHINX
/* `acceptedProts` is a string describing the allowed protocol versions;
 * only when it is NULL does `tryVersion` take effect. */
OSStatus sslSetProtocols(
	SSLContextRef 	ctx,
	const char		*acceptedProts,
	SSLProtocol		tryVersion);			// only used if acceptedProts NULL
#endif

/*
 * Expect-vs-got checkers for the test drivers. The int result is presumably
 * nonzero on mismatch, mirroring sslCheckFile's convention — confirm.
 */
int sslVerifyRtn(
	const char	*whichSide,		// "client" or "server"
	OSStatus	expectRtn,
	OSStatus	gotRtn);
int sslVerifyProtVers(
	const char	*whichSide,		// "client" or "server"
	SSLProtocol	expectProt,
	SSLProtocol	gotProt);
int sslVerifyClientCertState(
	const char					*whichSide,		// "client" or "server"
	SSLClientCertificateState	expectState,
	SSLClientCertificateState 	gotState);
int sslVerifyCipher(
	const char		*whichSide,		// "client" or "server"
	SSLCipherSuite	expectCipher,
	SSLCipherSuite	gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 */
OSStatus sslIdentityPicker(
	SecKeychainRef		kcRef,			// NULL means use default list
	const char			*trustedAnchor,	// optional additional trusted anchor
	bool				includeRoot,	// true --> root is appended to outArray
										// false --> root not included
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED

/*
 * Resolve a keychain name to a path. There is no length parameter: the
 * caller must supply a buffer of at least MAXPATHLEN bytes, otherwise the
 * write can overrun it.
 */
void sslKeychainPath(
	const char *kcName,
	char *kcPath);			// allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);

#ifdef __cplusplus
}
#endif

#endif	/* _SSLS_APP_UTILS_H_ */