1#ifndef _SSLS_APP_UTILS_H_
2#define _SSLS_APP_UTILS_H_ 1
3
4#include <Security/SecureTransport.h>
5#include <Security/SecureTransportPriv.h>
6#include <Security/Security.h>
7#include <security_utilities/threading.h>
8
9#ifdef	__cplusplus
10extern "C" {
11#endif
12
/*
 * Build switch: 0 disables some Panther-only features in the test
 * utilities' .c files. Nothing in this header tests it; it is only
 * exported here so every translation unit sees the same value.
 */
#define JAGUAR_BUILD	0
15
/*
 * Human-readable names for SecureTransport enums and status codes, used
 * when printing handshake results. Each returns a pointer to a string the
 * caller must not free or modify (presumably a static literal - confirm
 * against the implementation before caching across calls).
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/* Print "op: <error string>" style diagnostics for a failed call. */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);
22
/*
 * Obtain the identity/certificate array to hand to SSLSetCertificate().
 *
 * kcName       - keychain to search; NULL selects the default keychain.
 * encryptOnly  - restrict the search to encryption-capable keys.
 * completeCertChain - if true, append the issuer chain to the identity.
 * anchorFile   - optional file holding an additional trusted anchor used
 *                only while completing the chain.
 * pKcRef       - RETURNED: the keychain that was opened.
 *
 * Returns NULL on failure. Ownership: the returned CFArrayRef and *pKcRef
 * are presumably retained for the caller (CFRelease when done) - confirm
 * against the implementation.
 */
CFArrayRef getSslCerts(
	const char			*kcName,				// may be NULL, i.e., use default
	CSSM_BOOL			encryptOnly,
	CSSM_BOOL			completeCertChain,
	const char			*anchorFile,			// optional trusted anchor
	SecKeychainRef		*pKcRef);				// RETURNED
/*
 * Build the full certificate chain for an identity.
 *
 * trustedAnchor - optional extra anchor consulted in addition to the
 *                 system anchors (may be NULL).
 * includeRoot   - whether the root certificate is appended to *outArray.
 * vfyPolicy     - CSSM policy OID used to evaluate the chain; NULL means
 *                 the SSL policy.
 * outArray      - created and RETURNED; caller releases.
 *
 * NOTE(review): a chain completed against a caller-supplied anchor is only
 * as trustworthy as that anchor file - keep this to test/tool usage.
 */
OSStatus sslCompleteCertChain(
	SecIdentityRef 		identity,
	SecCertificateRef	trustedAnchor,	// optional additional trusted anchor
	bool 				includeRoot, 	// include the root in outArray
	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED
/*
 * Same as getSslCerts() but starting from an already-open keychain;
 * trustedAnchorFile is the optional anchor used while completing the
 * chain. Returns NULL on failure.
 */
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef		kcRef,
	CSSM_BOOL			encryptOnly,
	CSSM_BOOL			completeCertChain,
	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL policy to complete
	const char			*trustedAnchorFile);
41
/*
 * Trust-anchor management for an SSLContextRef.
 *
 * replaceAnchors - presumably makes secCert the *only* trusted anchor
 *                  (dropping the system anchors) rather than adding to
 *                  them - confirm against the implementation. Replacing
 *                  the anchor set silently narrows or, with a bogus cert,
 *                  subverts peer verification, so only do this in a test
 *                  harness that knows exactly which root it expects.
 */
OSStatus addTrustedSecCert(
	SSLContextRef 		ctx,
	SecCertificateRef 	secCert,
	CSSM_BOOL 			replaceAnchors);
/*
 * Read a certificate from anchorFile into *certRef (caller releases).
 * The file is trusted as-is; no validation of its contents is implied
 * by this declaration.
 */
OSStatus sslReadAnchor(
	const char 			*anchorFile,
	SecCertificateRef 	*certRef);
/* Convenience: sslReadAnchor() followed by addTrustedSecCert(). */
OSStatus sslAddTrustedRoot(
	SSLContextRef 		ctx,
	const char 			*anchorFile,
	CSSM_BOOL 			replaceAnchors);
53
54/*
55 * Assume incoming identity contains a root (e.g., created by
56 * certtool) and add that cert to ST's trusted anchors. This
57 * enables ST's verify of the incoming chain to succeed without
58 * a kludgy "AllowAnyRoot" specification.
59 */
60OSStatus addIdentityAsTrustedRoot(
61	SSLContextRef 	ctx,
62	CFArrayRef		identArray);
63
/*
 * Add the root certificates found in keychain as trusted anchors of ctx.
 * *foundOne is set to report whether at least one root was added (so the
 * caller can tell "no roots in keychain" from success). Same caveat as
 * addTrustedSecCert(): every root in that keychain becomes trusted.
 */
OSStatus sslAddTrustedRoots(
	SSLContextRef 	ctx,
	SecKeychainRef	keychain,
	bool			*foundOne);
68
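/*
 * Progress indicator (presumably prints a single '.'; see the
 * implementation). Declared with an explicit (void) parameter list: in C
 * an empty () list means "unspecified arguments" and disables argument
 * checking at call sites, whereas under extern "C" in C++ the two forms
 * are already equivalent, so this is backward compatible.
 */
void sslOutputDot(void);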
70
71/*
72 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
73 */
74extern const SSLCipherSuite suites40[];
75extern const SSLCipherSuite suitesDES[];
76extern const SSLCipherSuite suitesDES40[];
77extern const SSLCipherSuite suites3DES[];
78extern const SSLCipherSuite suitesRC4[];
79extern const SSLCipherSuite suitesRC4_40[];
80extern const SSLCipherSuite suitesRC2[];
81extern const SSLCipherSuite suitesAES128[];
82extern const SSLCipherSuite suitesAES256[];
83extern const SSLCipherSuite suitesDH[];
84extern const SSLCipherSuite suitesDHAnon[];
85extern const SSLCipherSuite suitesDH_RSA[];
86extern const SSLCipherSuite suitesDH_DSS[];
87extern const SSLCipherSuite suites_SHA1[];
88extern const SSLCipherSuite suites_MD5[];
89extern const SSLCipherSuite suites_ECDHE[];
90extern const SSLCipherSuite suites_ECDH[];
91
92/*
93 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
94 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
95 * supports and do a SSLSetEnabledCiphers() specifying those.
96 */
97OSStatus sslSetEnabledCiphers(
98	SSLContextRef ctx,
99	const SSLCipherSuite *ciphers);
100
101/*
102 * Specify restricted sets of cipherspecs and protocols.
103 */
104OSStatus sslSetCipherRestrictions(
105	SSLContextRef ctx,
106	char cipherRestrict);
107
#ifndef	SPHINX
/*
 * Configure which protocol versions ctx will negotiate.
 *
 * acceptedProts - string listing the versions to accept (format defined
 *                 by the implementation); when non-NULL it takes
 *                 precedence and tryVersion is ignored.
 * tryVersion    - single version to request when acceptedProts is NULL.
 *
 * Not built when SPHINX is defined.
 */
OSStatus sslSetProtocols(
	SSLContextRef 	ctx,
	const char		*acceptedProts,
	SSLProtocol		tryVersion);			// only used if acceptedProts NULL
#endif
114
/*
 * Test-result checkers: compare an expected value with the value actually
 * observed on one side of a handshake and report a mismatch. whichSide
 * ("client" or "server") is only used to label the diagnostic. Each
 * returns an int; presumably nonzero on mismatch, matching sslCheckFile()
 * below - confirm against the implementation before using the value.
 */
int sslVerifyRtn(
	const char	*whichSide,		// "client" or "server"
	OSStatus	expectRtn,
	OSStatus	gotRtn);
int sslVerifyProtVers(
	const char	*whichSide,		// "client" or "server"
	SSLProtocol	expectProt,
	SSLProtocol	gotProt);
int sslVerifyClientCertState(
	const char					*whichSide,		// "client" or "server"
	SSLClientCertificateState	expectState,
	SSLClientCertificateState	gotState);
int sslVerifyCipher(
	const char		*whichSide,		// "client" or "server"
	SSLCipherSuite	expectCipher,
	SSLCipherSuite	gotCipher);
131
132
133/*
134 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
135 */
136OSStatus sslIdentityPicker(
137	SecKeychainRef		kcRef,			// NULL means use default list
138	const char			*trustedAnchor,	// optional additional trusted anchor
139	bool				includeRoot,	// true --> root is appended to outArray
140										// false --> root not included
141	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
142	CFArrayRef			*outArray);		// created and RETURNED
143
/*
 * Resolve a keychain name to a filesystem path, written into kcPath.
 *
 * There is no length parameter, so the callee cannot bound its write:
 * kcPath MUST point to at least MAXPATHLEN bytes (from <sys/param.h>),
 * allocated by the caller. Passing a smaller buffer is a buffer overflow.
 */
void sslKeychainPath(
	const char *kcName,
	char *kcPath);			// allocd by caller, MAXPATHLEN
147
/*
 * Verify presence of required file. Returns nonzero if not found.
 * Note the inverted sense (0 == present), unlike a bool-style "exists".
 */
int sslCheckFile(const char *path);
150
/*
 * Stringify a SSL_ECDSA_NamedCurve. Returned string is not owned by the
 * caller (do not free); see the note on the other sslGet*String helpers.
 */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);
154
155#ifdef	__cplusplus
156}
157#endif
158
159#endif	/* _SSLS_APP_UTILS_H_ */
160