1/*
2 * Copyright (c) 2006-2008,2010 Apple Inc. All Rights Reserved.
3 */
4
5#ifndef _SSLS_APP_UTILS_H_
6#define _SSLS_APP_UTILS_H_ 1
7
/*
 * sslAppUtils.h -- declarations shared by the SecureTransport command-line
 * and test programs: stringifiers for SecureTransport enums and result
 * codes, keychain / identity / anchor loading, cipher-suite and protocol
 * restriction helpers, and small "expected vs. actual" checkers used by the
 * test drivers.  Only prototypes live here; the definitions are in the
 * matching implementation file, which is not part of this header.
 */
8#include <Security/SecureTransport.h>
9#include <Security/SecureTransportPriv.h>
10#include <CoreFoundation/CFArray.h>
11#include <stdbool.h>
12#include <Security/SecCertificate.h>
13
14#ifdef	__cplusplus
15extern "C" {
16#endif
17
/*
 * Opaque keychain handle, declared locally instead of including the keychain
 * headers.  NOTE(review): presumably identical to the Security framework's
 * own SecKeychainRef typedef -- confirm if that header is ever included
 * alongside this one, since a mismatched typedef would not compile.
 */
18typedef struct OpaqueSecKeychainRef *SecKeychainRef;
19
20/* disable some Panther-only features */
21#define JAGUAR_BUILD	0
22
/*
 * Human-readable names for SecureTransport enums and result codes.
 * The returned strings are presumably static and must not be freed.
 */
23const char *sslGetCipherSuiteString(SSLCipherSuite cs);
24const char *sslGetProtocolVersionString(SSLProtocol prot);
25const char *sslGetSSLErrString(OSStatus err);
/* Report op together with the string for err (presumably to stdout/stderr). */
26void printSslErrStr(const char *op, OSStatus err);
27const char *sslGetClientCertStateString(SSLClientCertificateState state);
28const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);
29
/*
 * Build the certificate array an app presents for its identity.
 *   kcName             keychain to search; NULL selects the default keychain
 *   encryptOnly        restrict to encryption-capable certs (exact semantics
 *                      are defined by the implementation)
 *   completeCertChain  also assemble the chain above the leaf
 *   anchorFile         optional trusted anchor consulted while completing
 *                      the chain
 *   pKcRef             RETURNED keychain reference
 * The returned array is created for the caller; presumably NULL on failure.
 */
30CFArrayRef getSslCerts(
31	const char			*kcName,				// may be NULL, i.e., use default
32	bool                encryptOnly,
33	bool                completeCertChain,
34	const char			*anchorFile,			// optional trusted anchor
35	SecKeychainRef		*pKcRef);				// RETURNED
/*
 * Complete the chain for identity.  trustedAnchor is an optional extra anchor
 * used during completion; includeRoot controls whether the root cert is
 * appended to *outArray.  *outArray is created and returned to the caller.
 * The vfyPolicy parameter is retired (see the commented-out line below);
 * the SSL policy is used.
 */
36OSStatus sslCompleteCertChain(
37	SecIdentityRef 		identity,
38	SecCertificateRef	trustedAnchor,	// optional additional trusted anchor
39	bool 				includeRoot, 	// include the root in outArray
40//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
41	CFArrayRef			*outArray);		// created and RETURNED
/*
 * Same as getSslCerts but starting from an already-open keychain reference.
 * trustedAnchorFile is an optional anchor used while completing the chain.
 */
42CFArrayRef sslKcRefToCertArray(
43	SecKeychainRef		kcRef,
44	bool                encryptOnly,
45	bool                completeCertChain,
46//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL policy to complete
47	const char			*trustedAnchorFile);
48
/*
 * Anchor management for an SSLContextRef.  replaceAnchors selects whether
 * secCert / the cert read from anchorFile replaces the context's current
 * anchor set or is added to it.  sslReadAnchor only parses the file and
 * returns the cert in *certRef; sslAddTrustedRoot reads and installs it.
 */
49OSStatus addTrustedSecCert(
50	SSLContextRef 		ctx,
51	SecCertificateRef 	secCert,
52	bool                replaceAnchors);
53OSStatus sslReadAnchor(
54	const char 			*anchorFile,
55	SecCertificateRef 	*certRef);
56OSStatus sslAddTrustedRoot(
57	SSLContextRef 		ctx,
58	const char 			*anchorFile,
59	bool                replaceAnchors);
60
61/*
62 * Assume incoming identity contains a root (e.g., created by
63 * certtool) and add that cert to ST's trusted anchors. This
64 * enables ST's verify of the incoming chain to succeed without
65 * a kludgy "AllowAnyRoot" specification.
 *
 * Because the root being trusted comes from the identity itself, this is
 * only appropriate for test fixtures whose identity is already known to be
 * trustworthy; it is not a substitute for real trust evaluation of a
 * peer-supplied chain.
66 */
67OSStatus addIdentityAsTrustedRoot(
68	SSLContextRef 	ctx,
69	CFArrayRef		identArray);
70
/*
 * Install the roots found in keychain as trusted anchors on ctx.
 * *foundOne presumably reports whether at least one root was installed --
 * confirm against the implementation.
 */
71OSStatus sslAddTrustedRoots(
72	SSLContextRef 	ctx,
73	SecKeychainRef	keychain,
74	bool			*foundOne);
75
/*
 * Presumably prints a single progress marker.
 * NOTE(review): in C, "()" declares an unspecified argument list rather than
 * a prototype; "(void)" would let the compiler check call sites.
 */
76void sslOutputDot();
77
78/*
79 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 *
 * Several of these groups -- 40-bit export suites, DES / DES40, RC2, RC4,
 * MD5-based MACs, and anonymous DH -- name legacy suites that are no longer
 * considered secure.  They exist so the test programs can exercise
 * restriction handling, not as a recommended configuration.  Each list is
 * presumably terminated by SSL_NO_SUCH_CIPHERSUITE, as sslSetEnabledCiphers
 * requires.
80 */
81extern const SSLCipherSuite suites40[];
82extern const SSLCipherSuite suitesDES[];
83extern const SSLCipherSuite suitesDES40[];
84extern const SSLCipherSuite suites3DES[];
85extern const SSLCipherSuite suitesRC4[];
86extern const SSLCipherSuite suitesRC4_40[];
87extern const SSLCipherSuite suitesRC2[];
88extern const SSLCipherSuite suitesAES128[];
89extern const SSLCipherSuite suitesAES256[];
90extern const SSLCipherSuite suitesDH[];
91extern const SSLCipherSuite suitesDHAnon[];
92extern const SSLCipherSuite suitesDH_RSA[];
93extern const SSLCipherSuite suitesDH_DSS[];
94extern const SSLCipherSuite suites_SHA1[];
95extern const SSLCipherSuite suites_MD5[];
96extern const SSLCipherSuite suites_ECDHE[];
97extern const SSLCipherSuite suites_ECDH[];
98
99/*
100 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
101 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
102 * supports and do a SSLSetEnabledCiphers() specifying those.
 * Suites in the list that the library does not support are skipped rather
 * than treated as an error.
103 */
104OSStatus sslSetEnabledCiphers(
105	SSLContextRef ctx,
106	const SSLCipherSuite *ciphers);
107
108/*
109 * Specify restricted sets of cipherspecs and protocols.
 * cipherRestrict is a single selector character; the mapping from character
 * to one of the suite lists above is defined by the implementation.
110 */
111OSStatus sslSetCipherRestrictions(
112	SSLContextRef ctx,
113	char cipherRestrict);
114
/*
 * Configure the protocol versions ctx will accept.  acceptedProts is a
 * string describing the accepted set (format defined by the implementation);
 * when it is NULL, tryVersion alone is used.  SPHINX presumably names a
 * build variant that omits this helper.
 */
115#ifndef	SPHINX
116OSStatus sslSetProtocols(
117	SSLContextRef 	ctx,
118	const char		*acceptedProts,
119	SSLProtocol		tryVersion);			// only used if acceptedProts NULL
120#endif
121
/*
 * Test-driver checkers: compare the expected value with the one actually
 * obtained and report a discrepancy for whichSide ("client" or "server").
 * The int result is presumably nonzero on mismatch -- confirm in the
 * implementation before relying on it.
 */
122int sslVerifyRtn(
123	const char	*whichSide,		// "client" or "server"
124	OSStatus	expectRtn,
125	OSStatus	gotRtn);
126int sslVerifyProtVers(
127	const char	*whichSide,		// "client" or "server"
128	SSLProtocol	expectProt,
129	SSLProtocol	gotProt);
130int sslVerifyClientCertState(
131	const char					*whichSide,		// "client" or "server"
132	SSLClientCertificateState	expectState,
133	SSLClientCertificateState	gotState);
134int sslVerifyCipher(
135	const char		*whichSide,		// "client" or "server"
136	SSLCipherSuite	expectCipher,
137	SSLCipherSuite	gotCipher);
138
139
140/*
141 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 * kcRef NULL means the default keychain list is searched.  *outArray is
 * created and returned to the caller; includeRoot selects whether the root
 * cert is appended to it.
142 */
143OSStatus sslIdentityPicker(
144	SecKeychainRef		kcRef,			// NULL means use default list
145	const char			*trustedAnchor,	// optional additional trusted anchor
146	bool				includeRoot,	// true --> root is appended to outArray
147										// false --> root not included
148//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
149	CFArrayRef			*outArray);		// created and RETURNED
150
/*
 * Expand a keychain name into a filesystem path.  kcPath is allocated by the
 * caller and must hold at least MAXPATHLEN bytes: no length is passed, so the
 * callee cannot detect a smaller buffer.
 */
151void sslKeychainPath(
152	const char *kcName,
153	char *kcPath);			// allocd by caller, MAXPATHLEN
154
155/* Verify presence of required file. Returns nonzero if not found. */
156int sslCheckFile(const char *path);
157
158/* Stringify a SSL_ECDSA_NamedCurve */
159extern const char *sslCurveString(
160	SSL_ECDSA_NamedCurve namedCurve);
161
162#ifdef	__cplusplus
163}
164#endif
165
166#endif	/* _SSLS_APP_UTILS_H_ */
167