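#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

/*
 * sslAppUtils.h
 *
 * Helper routines shared by the SecureTransport sample/test applications:
 * stringification of cipher suites, protocol versions and errors; certificate
 * and keychain lookup; trusted-anchor setup on an SSLContextRef; cipher-suite
 * and protocol restriction; and "expected vs. got" checks on handshake results.
 *
 * NOTE(review): several helpers below deliberately widen trust (adding the
 * peer identity's own root as an anchor) or expose obsolete cipher suites
 * (40-bit export, DES, RC2, RC4, MD5, anonymous DH). They appear to exist so
 * the test tools can exercise the library; do not treat them as a template
 * for a production TLS configuration.
 */

#include <stdbool.h>	/* 'bool' is used in the prototypes below (C callers) */
#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <Security/Security.h>
#include <security_utilities/threading.h>

#ifdef __cplusplus
extern "C" {
#endif

/* disable some Panther-only features */
#define JAGUAR_BUILD 0

/*
 * Human-readable names for SecureTransport enums and status codes, for
 * diagnostic output. The returned strings are not owned by the caller
 * (presumably static string literals -- confirm in the implementation
 * before freeing or retaining them).
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/* Report status 'err' returned by operation 'op' on diagnostic output. */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

/*
 * Obtain an array of certificates suitable for SSLSetCertificate() from a
 * keychain. The keychain used is returned via *pKcRef; the caller is
 * presumably responsible for releasing it and the returned array -- confirm
 * against the implementation.
 */
CFArrayRef getSslCerts(
	const char			*kcName,				// may be NULL, i.e., use default
	CSSM_BOOL			encryptOnly,
	CSSM_BOOL			completeCertChain,
	const char			*anchorFile,			// optional trusted anchor
	SecKeychainRef		*pKcRef);				// RETURNED
/*
 * Build the full chain for 'identity' into *outArray. 'trustedAnchor', when
 * non-NULL, is an extra anchor used only for completing this chain; it does
 * not alter the SSLContext's trust settings.
 */
OSStatus sslCompleteCertChain(
	SecIdentityRef 		identity,
	SecCertificateRef	trustedAnchor,			// optional additional trusted anchor
	bool 				includeRoot, 			// include the root in outArray
	const CSSM_OID		*vfyPolicy,				// optional - if NULL, use SSL
	CFArrayRef			*outArray);				// created and RETURNED
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef		kcRef,
	CSSM_BOOL			encryptOnly,
	CSSM_BOOL			completeCertChain,
	const CSSM_OID		*vfyPolicy,				// optional - if NULL, use SSL policy to complete
	const char			*trustedAnchorFile);

/*
 * Trusted-anchor setup on an SSLContextRef.
 *
 * 'replaceAnchors' presumably selects between replacing the context's anchor
 * set with the given cert and appending to it (confirm in the implementation).
 * Security note: replacing pins trust to exactly that anchor; appending widens
 * the set of roots the context will accept.
 */
OSStatus addTrustedSecCert(
	SSLContextRef 		ctx,
	SecCertificateRef 	secCert,
	CSSM_BOOL 			replaceAnchors);
/* Read a certificate from 'anchorFile' into *certRef (format per implementation). */
OSStatus sslReadAnchor(
	const char 			*anchorFile,
	SecCertificateRef 	*certRef);
/* Convenience: sslReadAnchor() followed by addTrustedSecCert(). */
OSStatus sslAddTrustedRoot(
	SSLContextRef 		ctx,
	const char 			*anchorFile,
	CSSM_BOOL 			replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 *
 * Security note: this makes whatever root ships inside 'identArray' trusted
 * for 'ctx' -- the peer effectively vouches for itself. That is fine for
 * self-signed test identities generated locally; it is never appropriate for
 * a context that talks to untrusted peers.
 */
OSStatus addIdentityAsTrustedRoot(
	SSLContextRef 	ctx,
	CFArrayRef		identArray);

/*
 * Add the roots found in 'keychain' as trusted anchors of 'ctx'.
 * *foundOne is RETURNED; presumably set when at least one root was added
 * (confirm in the implementation before relying on its value).
 */
OSStatus sslAddTrustedRoots(
	SSLContextRef 	ctx,
	SecKeychainRef 	keychain,
	bool			*foundOne);

/* Progress indicator for long-running tests. */
void sslOutputDot(void);

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 * Each list groups suites by key exchange, bulk cipher or MAC, as named.
 *
 * Security note: suites40, suitesDES, suitesDES40, suitesRC4, suitesRC4_40,
 * suitesRC2, suites_MD5 and suitesDHAnon name algorithms that are broken or
 * provide no authentication (anonymous DH). They are here so the test tools
 * can restrict a context to a given family and check the library's behavior;
 * never enable them in real deployments.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 * Suites in 'ciphers' that the library does not support are skipped, not
 * reported as an error.
 */
OSStatus sslSetEnabledCiphers(
	SSLContextRef ctx,
	const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 * 'cipherRestrict' is a single selector character; the letter-to-suite-list
 * mapping lives in the implementation (see the suites* lists above).
 */
OSStatus sslSetCipherRestrictions(
	SSLContextRef ctx,
	char cipherRestrict);

#ifndef	SPHINX
/*
 * Configure the protocol versions 'ctx' will negotiate. 'acceptedProts' is a
 * string parsed by the implementation; when it is NULL, 'tryVersion' is used
 * instead.
 */
OSStatus sslSetProtocols(
	SSLContextRef 	ctx,
	const char		*acceptedProts,
	SSLProtocol		tryVersion);			// only used if acceptedProts NULL
#endif

/*
 * "Expected vs. got" checks used by the test tools. 'whichSide' is only used
 * to label the diagnostic. The int result presumably follows the same
 * convention as sslCheckFile() (nonzero on mismatch) -- confirm in the
 * implementation.
 */
int sslVerifyRtn(
	const char	*whichSide,		// "client" or "server"
	OSStatus	expectRtn,
	OSStatus	gotRtn);
int sslVerifyProtVers(
	const char	*whichSide,		// "client" or "server"
	SSLProtocol	expectProt,
	SSLProtocol	gotProt);
int sslVerifyClientCertState(
	const char					*whichSide,		// "client" or "server"
	SSLClientCertificateState	expectState,
	SSLClientCertificateState 	gotState);
int sslVerifyCipher(
	const char		*whichSide,		// "client" or "server"
	SSLCipherSuite	expectCipher,
	SSLCipherSuite	gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 */
OSStatus sslIdentityPicker(
	SecKeychainRef		kcRef,			// NULL means use default list
	const char			*trustedAnchor,	// optional additional trusted anchor
	bool				includeRoot,	// true --> root is appended to outArray
										// false --> root not included
	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED

/*
 * Resolve a keychain name to a path in 'kcPath'.
 * Security note: there is no length parameter, so the callee cannot bound
 * its write. The caller MUST pass a buffer of at least MAXPATHLEN bytes
 * (<sys/param.h>); anything smaller is a buffer overflow waiting to happen.
 */
void sslKeychainPath(
	const char 	*kcName,
	char 		*kcPath);			// allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);

#ifdef __cplusplus
}
#endif

#endif	/* _SSLS_APP_UTILS_H_ */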