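/*
 * Copyright (c) 2006-2008,2010 Apple Inc. All Rights Reserved.
 */

#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

/*
 * Shared helpers for the SecureTransport sample/test programs: stringifying
 * SecureTransport enums and status codes, loading identities and trusted
 * anchors from keychains and files, and restricting the cipher suites and
 * protocol versions a test session is allowed to negotiate.
 */

#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <CoreFoundation/CFArray.h>
#include <stdbool.h>
#include <Security/SecCertificate.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Forward declaration so this header does not have to pull in the keychain
 * headers. It must stay textually identical to the framework's own typedef,
 * otherwise a translation unit that includes both will not compile.
 */
typedef struct OpaqueSecKeychainRef *SecKeychainRef;

/* disable some Panther-only features */
#define JAGUAR_BUILD 0

/*
 * Human-readable names for SecureTransport enums and status codes. The
 * returned pointers are to constant strings; the caller does not free them.
 */
const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
/* Report the failure of operation `op` with status `err`. */
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

/*
 * Load the certificates of a keychain into a CFArray suitable for
 * SSLSetCertificate(). The keychain opened is returned via *pKcRef so the
 * caller can release it when the certificates are no longer needed.
 */
CFArrayRef getSslCerts(
	const char *kcName,			// may be NULL, i.e., use default
	bool encryptOnly,
	bool completeCertChain,
	const char *anchorFile,		// optional trusted anchor
	SecKeychainRef *pKcRef);	// RETURNED
/*
 * Build the full certificate chain for `identity`. On success *outArray is
 * a newly created array owned by the caller.
 */
OSStatus sslCompleteCertChain(
	SecIdentityRef identity,
	SecCertificateRef trustedAnchor,	// optional additional trusted anchor
	bool includeRoot,					// include the root in outArray
//	const CSSM_OID *vfyPolicy,			// optional - if NULL, use SSL
	CFArrayRef *outArray);				// created and RETURNED
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef kcRef,
	bool encryptOnly,
	bool completeCertChain,
//	const CSSM_OID *vfyPolicy,			// optional - if NULL, use SSL policy to complete
	const char *trustedAnchorFile);

/*
 * Trusted-anchor management for a SecureTransport context. With
 * replaceAnchors true the supplied anchor(s) replace the context's current
 * trusted anchors instead of being appended to them.
 */
OSStatus addTrustedSecCert(
	SSLContextRef ctx,
	SecCertificateRef secCert,
	bool replaceAnchors);
/* Read a certificate from `anchorFile`; *certRef is owned by the caller. */
OSStatus sslReadAnchor(
	const char *anchorFile,
	SecCertificateRef *certRef);
OSStatus sslAddTrustedRoot(
	SSLContextRef ctx,
	const char *anchorFile,
	bool replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 *
 * Because this trusts whatever root the identity itself carries, it is a
 * test-harness convenience only: it gives the peer's chain no independent
 * trust and is not a substitute for a real anchor in production code.
 */
OSStatus addIdentityAsTrustedRoot(
	SSLContextRef ctx,
	CFArrayRef identArray);

/*
 * Add every root found in `keychain` as a trusted anchor of `ctx`.
 * *foundOne is set to indicate whether at least one root was added
 * (exact semantics are defined by the implementation; confirm there).
 */
OSStatus sslAddTrustedRoots(
	SSLContextRef ctx,
	SecKeychainRef keychain,
	bool *foundOne);

/* Progress indicator for long-running tests (presumably emits a single dot). */
void sslOutputDot(void);	/* (void): an empty C parameter list is unprototyped */

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 *
 * Each list is terminated by SSL_NO_SUCH_CIPHERSUITE (see sslSetEnabledCiphers
 * below). They exist so a test can pin a session to one family of suites and
 * are not a recommendation: the 40-bit export lists, DES, RC2, RC4, MD5 and
 * anonymous DH name algorithms that are obsolete or offer no peer
 * authentication, so a production client should never enable them.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 */
OSStatus sslSetEnabledCiphers(
	SSLContextRef ctx,
	const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 *
 * cipherRestrict is a single-character selector mapping onto the suite lists
 * above; the accepted characters are defined by the implementation.
 */
OSStatus sslSetCipherRestrictions(
	SSLContextRef ctx,
	char cipherRestrict);

#ifndef SPHINX
/*
 * Enable the protocol versions named in acceptedProts; when acceptedProts is
 * NULL, tryVersion is used instead.
 */
OSStatus sslSetProtocols(
	SSLContextRef ctx,
	const char *acceptedProts,
	SSLProtocol tryVersion);	// only used if acceptedProts NULL
#endif

/*
 * Test-result checks: compare an expected value with the one actually
 * observed on one side of a connection and report a mismatch, labelling the
 * report with whichSide. The int result presumably signals a mismatch with a
 * nonzero value — confirm against the implementation before relying on it.
 */
int sslVerifyRtn(
	const char *whichSide,		// "client" or "server"
	OSStatus expectRtn,
	OSStatus gotRtn);
int sslVerifyProtVers(
	const char *whichSide,		// "client" or "server"
	SSLProtocol expectProt,
	SSLProtocol gotProt);
int sslVerifyClientCertState(
	const char *whichSide,		// "client" or "server"
	SSLClientCertificateState expectState,
	SSLClientCertificateState gotState);
int sslVerifyCipher(
	const char *whichSide,		// "client" or "server"
	SSLCipherSuite expectCipher,
	SSLCipherSuite gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 * On success *outArray is a newly created array owned by the caller.
 */
OSStatus sslIdentityPicker(
	SecKeychainRef kcRef,			// NULL means use default list
	const char *trustedAnchor,		// optional additional trusted anchor
	bool includeRoot,				// true --> root is appended to outArray
									// false --> root not included
//	const CSSM_OID *vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef *outArray);			// created and RETURNED

/*
 * Resolve a keychain name to a path. There is no length parameter: kcPath
 * must point to a buffer of at least MAXPATHLEN bytes or the write overruns it.
 */
void sslKeychainPath(
	const char *kcName,
	char *kcPath);					// allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);

#ifdef __cplusplus
}
#endif

#endif	/* _SSLS_APP_UTILS_H_ */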