[apple/security.git] / libsecurity_ssl / sslViewer / sslAppUtils.h

/*
 * Copyright (c) 2006-2008,2010-2012 Apple Inc. All Rights Reserved.
 */

#ifndef _SSLS_APP_UTILS_H_
#define _SSLS_APP_UTILS_H_ 1

#include <Security/SecureTransport.h>
#include <Security/SecureTransportPriv.h>
#include <CoreFoundation/CFArray.h>
#include <stdbool.h>
#include <Security/SecCertificate.h>

#ifdef	__cplusplus
extern "C" {
#endif

typedef struct OpaqueSecKeychainRef *SecKeychainRef;

const char *sslGetCipherSuiteString(SSLCipherSuite cs);
const char *sslGetProtocolVersionString(SSLProtocol prot);
const char *sslGetSSLErrString(OSStatus err);
void printSslErrStr(const char *op, OSStatus err);
const char *sslGetClientCertStateString(SSLClientCertificateState state);
const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);

CFArrayRef getSslCerts(
	const char			*kcName,				// may be NULL, i.e., use default
	bool                encryptOnly,
	bool                completeCertChain,
	const char			*anchorFile,			// optional trusted anchor
	SecKeychainRef		*pKcRef);				// RETURNED
OSStatus sslCompleteCertChain(
	SecIdentityRef 		identity,
	SecCertificateRef	trustedAnchor,	// optional additional trusted anchor
	bool 				includeRoot, 	// include the root in outArray
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED
CFArrayRef sslKcRefToCertArray(
	SecKeychainRef		kcRef,
	bool                encryptOnly,
	bool                completeCertChain,
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL policy to complete
	const char			*trustedAnchorFile);

OSStatus addTrustedSecCert(
	SSLContextRef 		ctx,
	SecCertificateRef 	secCert,
	bool                replaceAnchors);
OSStatus sslReadAnchor(
	const char 			*anchorFile,
	SecCertificateRef 	*certRef);
OSStatus sslAddTrustedRoot(
	SSLContextRef 		ctx,
	const char 			*anchorFile,
	bool                replaceAnchors);

/*
 * Assume incoming identity contains a root (e.g., created by
 * certtool) and add that cert to ST's trusted anchors. This
 * enables ST's verify of the incoming chain to succeed without
 * a kludgy "AllowAnyRoot" specification.
 */
OSStatus addIdentityAsTrustedRoot(
	SSLContextRef 	ctx,
	CFArrayRef		identArray);

OSStatus sslAddTrustedRoots(
	SSLContextRef 	ctx,
	SecKeychainRef	keychain,
	bool			*foundOne);

void sslOutputDot();

/*
 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
 */
extern const SSLCipherSuite suites40[];
extern const SSLCipherSuite suitesDES[];
extern const SSLCipherSuite suitesDES40[];
extern const SSLCipherSuite suites3DES[];
extern const SSLCipherSuite suitesRC4[];
extern const SSLCipherSuite suitesRC4_40[];
extern const SSLCipherSuite suitesRC2[];
extern const SSLCipherSuite suitesAES128[];
extern const SSLCipherSuite suitesAES256[];
extern const SSLCipherSuite suitesDH[];
extern const SSLCipherSuite suitesDHAnon[];
extern const SSLCipherSuite suitesDH_RSA[];
extern const SSLCipherSuite suitesDH_DSS[];
extern const SSLCipherSuite suites_SHA1[];
extern const SSLCipherSuite suites_MD5[];
extern const SSLCipherSuite suites_ECDHE[];
extern const SSLCipherSuite suites_ECDH[];

/*
 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
 * supports and do a SSLSetEnabledCiphers() specifying those.
 */
OSStatus sslSetEnabledCiphers(
	SSLContextRef ctx,
	const SSLCipherSuite *ciphers);

/*
 * Specify restricted sets of cipherspecs and protocols.
 */
OSStatus sslSetCipherRestrictions(
	SSLContextRef ctx,
	char cipherRestrict);

#ifndef	SPHINX
OSStatus sslSetProtocols(
	SSLContextRef 	ctx,
	const char		*acceptedProts,
	SSLProtocol		tryVersion);			// only used if acceptedProts NULL
#endif

int sslVerifyRtn(
	const char	*whichSide,		// "client" or "server"
	OSStatus	expectRtn,
	OSStatus	gotRtn);
int sslVerifyProtVers(
	const char	*whichSide,		// "client" or "server"
	SSLProtocol	expectProt,
	SSLProtocol	gotProt);
int sslVerifyClientCertState(
	const char					*whichSide,		// "client" or "server"
	SSLClientCertificateState	expectState,
	SSLClientCertificateState	gotState);
int sslVerifyCipher(
	const char		*whichSide,		// "client" or "server"
	SSLCipherSuite	expectCipher,
	SSLCipherSuite	gotCipher);


/*
 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
 */
OSStatus sslIdentityPicker(
	SecKeychainRef		kcRef,			// NULL means use default list
	const char			*trustedAnchor,	// optional additional trusted anchor
	bool				includeRoot,	// true --> root is appended to outArray
										// false --> root not included
//	const CSSM_OID		*vfyPolicy,		// optional - if NULL, use SSL
	CFArrayRef			*outArray);		// created and RETURNED

void sslKeychainPath(
	const char *kcName,
	char *kcPath);			// allocd by caller, MAXPATHLEN

/* Verify presence of required file. Returns nonzero if not found. */
int sslCheckFile(const char *path);

/* Stringify a SSL_ECDSA_NamedCurve */
extern const char *sslCurveString(
	SSL_ECDSA_NamedCurve namedCurve);

#ifdef	__cplusplus
}
#endif

#endif	/* _SSLS_APP_UTILS_H_ */
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2006-2008,2010-2012 Apple Inc. All Rights Reserved.
	3	*/
	4
	5	#ifndef _SSLS_APP_UTILS_H_
	6	#define _SSLS_APP_UTILS_H_ 1
	7
	8	#include <Security/SecureTransport.h>
	9	#include <Security/SecureTransportPriv.h>
	10	#include <CoreFoundation/CFArray.h>
	11	#include <stdbool.h>
	12	#include <Security/SecCertificate.h>
	13
	14	#ifdef __cplusplus
	15	extern "C" {
	16	#endif
	17
	18	typedef struct OpaqueSecKeychainRef *SecKeychainRef;
	19
	20	const char *sslGetCipherSuiteString(SSLCipherSuite cs);
	21	const char *sslGetProtocolVersionString(SSLProtocol prot);
	22	const char *sslGetSSLErrString(OSStatus err);
	23	void printSslErrStr(const char *op, OSStatus err);
	24	const char *sslGetClientCertStateString(SSLClientCertificateState state);
	25	const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);
	26
	27	CFArrayRef getSslCerts(
	28	const char *kcName, // may be NULL, i.e., use default
	29	bool encryptOnly,
	30	bool completeCertChain,
	31	const char *anchorFile, // optional trusted anchor
	32	SecKeychainRef *pKcRef); // RETURNED
	33	OSStatus sslCompleteCertChain(
	34	SecIdentityRef identity,
	35	SecCertificateRef trustedAnchor, // optional additional trusted anchor
	36	bool includeRoot, // include the root in outArray
	37	// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
	38	CFArrayRef *outArray); // created and RETURNED
	39	CFArrayRef sslKcRefToCertArray(
	40	SecKeychainRef kcRef,
	41	bool encryptOnly,
	42	bool completeCertChain,
	43	// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL policy to complete
	44	const char *trustedAnchorFile);
	45
	46	OSStatus addTrustedSecCert(
	47	SSLContextRef ctx,
	48	SecCertificateRef secCert,
	49	bool replaceAnchors);
	50	OSStatus sslReadAnchor(
	51	const char *anchorFile,
	52	SecCertificateRef *certRef);
	53	OSStatus sslAddTrustedRoot(
	54	SSLContextRef ctx,
	55	const char *anchorFile,
	56	bool replaceAnchors);
	57
	58	/*
	59	* Assume incoming identity contains a root (e.g., created by
	60	* certtool) and add that cert to ST's trusted anchors. This
	61	* enables ST's verify of the incoming chain to succeed without
	62	* a kludgy "AllowAnyRoot" specification.
	63	*/
	64	OSStatus addIdentityAsTrustedRoot(
65	SSLContextRef ctx,
66	CFArrayRef identArray);
67
68	OSStatus sslAddTrustedRoots(
69	SSLContextRef ctx,
70	SecKeychainRef keychain,
71	bool *foundOne);
72
73	void sslOutputDot();
74
75	/*
76	* Lists of SSLCipherSuites used in sslSetCipherRestrictions.
77	*/
78	extern const SSLCipherSuite suites40[];
79	extern const SSLCipherSuite suitesDES[];
80	extern const SSLCipherSuite suitesDES40[];
81	extern const SSLCipherSuite suites3DES[];
82	extern const SSLCipherSuite suitesRC4[];
83	extern const SSLCipherSuite suitesRC4_40[];
84	extern const SSLCipherSuite suitesRC2[];
85	extern const SSLCipherSuite suitesAES128[];
86	extern const SSLCipherSuite suitesAES256[];
87	extern const SSLCipherSuite suitesDH[];
88	extern const SSLCipherSuite suitesDHAnon[];
89	extern const SSLCipherSuite suitesDH_RSA[];
90	extern const SSLCipherSuite suitesDH_DSS[];
91	extern const SSLCipherSuite suites_SHA1[];
92	extern const SSLCipherSuite suites_MD5[];
93	extern const SSLCipherSuite suites_ECDHE[];
94	extern const SSLCipherSuite suites_ECDH[];
95
96	/*
97	* Given an SSLContextRef and an array of SSLCipherSuites, terminated by
98	* SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
99	* supports and do a SSLSetEnabledCiphers() specifying those.
100	*/
101	OSStatus sslSetEnabledCiphers(
102	SSLContextRef ctx,
103	const SSLCipherSuite *ciphers);
104
105	/*
106	* Specify restricted sets of cipherspecs and protocols.
107	*/
108	OSStatus sslSetCipherRestrictions(
109	SSLContextRef ctx,
110	char cipherRestrict);
111
112	#ifndef SPHINX
113	OSStatus sslSetProtocols(
114	SSLContextRef ctx,
115	const char *acceptedProts,
116	SSLProtocol tryVersion); // only used if acceptedProts NULL
117	#endif
118
119	int sslVerifyRtn(
120	const char *whichSide, // "client" or "server"
121	OSStatus expectRtn,
122	OSStatus gotRtn);
123	int sslVerifyProtVers(
124	const char *whichSide, // "client" or "server"
125	SSLProtocol expectProt,
126	SSLProtocol gotProt);
127	int sslVerifyClientCertState(
128	const char *whichSide, // "client" or "server"
129	SSLClientCertificateState expectState,
130	SSLClientCertificateState gotState);
131	int sslVerifyCipher(
132	const char *whichSide, // "client" or "server"
133	SSLCipherSuite expectCipher,
134	SSLCipherSuite gotCipher);
135
136
137	/*
138	* Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
139	*/
140	OSStatus sslIdentityPicker(
141	SecKeychainRef kcRef, // NULL means use default list
142	const char *trustedAnchor, // optional additional trusted anchor
143	bool includeRoot, // true --> root is appended to outArray
144	// false --> root not included
145	// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
146	CFArrayRef *outArray); // created and RETURNED
147
148	void sslKeychainPath(
149	const char *kcName,
150	char *kcPath); // allocd by caller, MAXPATHLEN
151
152	/* Verify presence of required file. Returns nonzero if not found. */
153	int sslCheckFile(const char *path);
154
155	/* Stringify a SSL_ECDSA_NamedCurve */
156	extern const char *sslCurveString(
157	SSL_ECDSA_NamedCurve namedCurve);
158
159	#ifdef __cplusplus
160	}
161	#endif
162
163	#endif /* _SSLS_APP_UTILS_H_ */