1/*
2 * Copyright (c) 2006-2008,2010-2012,2014 Apple Inc. All Rights Reserved.
3 */
4
#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

/*
 * Shared helpers for the SecureTransport sample/test programs: string forms
 * of SecureTransport enums and OSStatus codes, loading identities and trusted
 * anchors from keychains and files, and selecting restricted cipher-suite and
 * protocol sets so a test can pin exactly what a handshake negotiates.
 *
 * NOTE(review): a number of the routines here (trusting whatever root ships
 * inside an identity, the legacy cipher-suite lists below) exist so tests can
 * drive SecureTransport into specific configurations. They document test
 * conveniences, not a recommended trust or cipher policy.
 */

#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <CoreFoundation/CFArray.h>
#include <stdbool.h>
#include <Security/SecCertificate.h>

#include <TargetConditionals.h>

#if TARGET_OS_IPHONE
/* Stand-in so the keychain-taking prototypes below still compile where
 * the macOS SecKeychainRef type is not available. */
typedef void *SecKeychainRef;
#endif

#ifdef	__cplusplus
extern "C" {
#endif

/*
 * Human-readable names for SecureTransport values, for logging and test
 * output. The returned strings are presumably static (not to be freed) --
 * confirm against the implementation before retaining them.
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/* Print the operation name together with the string form of err. */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

/*
 * Build a certificate array from the keychain named kcName (NULL selects
 * the default). The keychain that was opened is handed back through
 * pKcRef. The returned array is created for the caller, who presumably
 * owns and must release it -- verify against the implementation.
 */
CFArrayRef getSslCerts(
	const char			*kcName,				// may be NULL, i.e., use default
	bool                encryptOnly,
	bool                completeCertChain,
	const char			*anchorFile,			// optional trusted anchor
	SecKeychainRef		*pKcRef);				// RETURNED
/*
 * Build the certificate chain for identity into *outArray, optionally
 * treating trustedAnchor as an additional anchor and including the root
 * when includeRoot is set. *outArray is created here and owned by the
 * caller. Returns an OSStatus; a nonzero value signals failure.
 */
OSStatus sslCompleteCertChain(
	SecIdentityRef 		identity,
	SecCertificateRef	trustedAnchor,	// optional additional trusted anchor
	bool 				includeRoot, 	// include the root in outArray
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED
/*
 * Like getSslCerts, but starting from an already-open keychain rather
 * than a keychain name. trustedAnchorFile is an optional anchor file used
 * when completeCertChain is set.
 */
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef		kcRef,
	bool                encryptOnly,
	bool                completeCertChain,
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL policy to complete
	const char			*trustedAnchorFile);

/*
 * Trusted-anchor management on an SSLContextRef. replaceAnchors selects
 * whether the given certificate replaces the context's existing anchors or
 * is added alongside them (presumed from the name -- confirm).
 */
OSStatus addTrustedSecCert(
	SSLContextRef 		ctx,
	SecCertificateRef 	secCert,
	bool                replaceAnchors);
/* Read a certificate from anchorFile into *certRef. */
OSStatus sslReadAnchor(
	const char 			*anchorFile,
	SecCertificateRef 	*certRef);
/* Read anchorFile and install it as a trusted root of ctx. */
OSStatus sslAddTrustedRoot(
	SSLContextRef 		ctx,
	const char 			*anchorFile,
	bool                replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 *
 * NOTE(review): this trusts whatever root arrives bundled with the
 * identity, so the chain is effectively self-vouching. Fine for a test
 * fixture built with certtool; it is not an independent anchor check.
 */
OSStatus addIdentityAsTrustedRoot(
	SSLContextRef 	ctx,
	CFArrayRef		identArray);

/*
 * Install the roots found in keychain as trusted anchors of ctx.
 * *foundOne reports whether at least one root was installed.
 */
OSStatus sslAddTrustedRoots(
	SSLContextRef 	ctx,
	SecKeychainRef	keychain,
	bool			*foundOne);

/* Emit a progress marker (presumably a single '.' on stdout -- confirm). */
void sslOutputDot();

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 *
 * Several of these lists name legacy suites (40-bit export, DES, RC4, RC2,
 * MD5-based MACs, anonymous DH). They are kept so tests can exercise and
 * pin those code paths; none of them is a recommended production set.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 *
 * The terminator is required: the array carries no explicit length.
 */
OSStatus sslSetEnabledCiphers(
	SSLContextRef ctx,
	const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 * cipherRestrict is a single-character selector; the character-to-list
 * mapping (onto the suite lists above) is defined by the implementation.
 */
OSStatus sslSetCipherRestrictions(
	SSLContextRef ctx,
	char cipherRestrict);

#ifndef	SPHINX
/*
 * Configure which protocol versions ctx accepts. acceptedProts is a string
 * spec interpreted by the implementation; when it is NULL, tryVersion is
 * used instead.
 */
OSStatus sslSetProtocols(
	SSLContextRef 	ctx,
	const char		*acceptedProts,
	SSLProtocol		tryVersion);			// only used if acceptedProts NULL
#endif

/*
 * Test assertions: compare an expected value against what the handshake
 * actually produced and report a mismatch, labeled with whichSide. The int
 * result is presumably nonzero on mismatch, matching sslCheckFile's
 * convention below -- confirm against the implementation.
 */
int sslVerifyRtn(
	const char	*whichSide,		// "client" or "server"
	OSStatus	expectRtn,
	OSStatus	gotRtn);
int sslVerifyProtVers(
	const char	*whichSide,		// "client" or "server"
	SSLProtocol	expectProt,
	SSLProtocol	gotProt);
int sslVerifyClientCertState(
	const char					*whichSide,		// "client" or "server"
	SSLClientCertificateState	expectState,
	SSLClientCertificateState	gotState);
int sslVerifyCipher(
	const char		*whichSide,		// "client" or "server"
	SSLCipherSuite	expectCipher,
	SSLCipherSuite	gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 * *outArray is created here and owned by the caller.
 */
OSStatus sslIdentityPicker(
	SecKeychainRef		kcRef,			// NULL means use default list
	const char			*trustedAnchor,	// optional additional trusted anchor
	bool				includeRoot,	// true --> root is appended to outArray
										// false --> root not included
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED

/*
 * Resolve a keychain name to a filesystem path, written into kcPath.
 * There is no length parameter: kcPath must be at least MAXPATHLEN bytes,
 * and a smaller buffer can be overrun. Callers should size it exactly
 * as the comment says rather than guessing.
 */
void sslKeychainPath(
	const char *kcName,
	char *kcPath);			// allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);

#ifdef	__cplusplus
}
#endif

#endif	/* _SSLS_APP_UTILS_H_ */
168