[apple/security.git] / OSX / libsecurity_ssl / lib / sslCipherSpecs.c

/*
 * Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * cipherSpecs.c - SSLCipherSpec declarations
 */

#include "sslBuildFlags.h"
#include "sslContext.h"
#include "sslCipherSpecs.h"
#include "sslDebug.h"
#include "sslMemory.h"
#include "sslDebug.h"
#include "sslPriv.h"

#include <tls_handshake.h>

#include <string.h>
#include <assert.h>
#include <Security/SecBase.h>

#include <TargetConditionals.h>


/* SecureTransport needs it's own copy of KnownCipherSuites for now, there is a copy in coreTLS,
   that is exported, but it actually should only included the "default" not the supported */

#define ENABLE_ECDH                 1
#define ENABLE_AES_GCM              1
#define ENABLE_PSK                  1
#define ENABLE_CHACHA20_POLY1305    1
#define ENABLE_AES_CCM              0


static const uint16_t STKnownCipherSuites[] = {
#if ENABLE_AES_GCM
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
#if ENABLE_AES_GCM
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
#if ENABLE_ECDH
#if ENABLE_AES_GCM
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
#if ENABLE_AES_GCM
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
#endif

#if ENABLE_AES_GCM
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
#endif // ENABLE_AES_GCM
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,

#if ENABLE_AES_GCM
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,

#if ENABLE_RC4
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_RSA_WITH_RC4_128_SHA,
    SSL_RSA_WITH_RC4_128_SHA,
    SSL_RSA_WITH_RC4_128_MD5,
#endif

    /* TLS 1.3 ciphersuites */
#if ENABLE_AES_GCM
    TLS_AES_128_GCM_SHA256,
    TLS_AES_256_GCM_SHA384,
#endif
#if ENABLE_CHACHA20_POLY1305
    TLS_CHACHA20_POLY1305_SHA256,
#endif
#if ENABLE_AES_CCM
    TLS_AES_128_CCM_SHA256,
    TLS_AES_128_CCM_8_SHA256,
#endif

    /* Unsafe ciphersuites */

#if ENABLE_AES_GCM
    TLS_DH_anon_WITH_AES_256_GCM_SHA384,
    TLS_DH_anon_WITH_AES_128_GCM_SHA256,
#endif
    TLS_DH_anon_WITH_AES_128_CBC_SHA256,
    TLS_DH_anon_WITH_AES_256_CBC_SHA256,
    TLS_DH_anon_WITH_AES_128_CBC_SHA,
    TLS_DH_anon_WITH_AES_256_CBC_SHA,
    SSL_DH_anon_WITH_RC4_128_MD5,
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,

    TLS_ECDHE_ECDSA_WITH_NULL_SHA,
    TLS_ECDHE_RSA_WITH_NULL_SHA,
#if ENABLE_ECDH
    TLS_ECDH_ECDSA_WITH_NULL_SHA,
    TLS_ECDH_RSA_WITH_NULL_SHA,
#endif

#if ENABLE_PSK
    TLS_PSK_WITH_AES_256_CBC_SHA384,
    TLS_PSK_WITH_AES_128_CBC_SHA256,
    TLS_PSK_WITH_AES_256_CBC_SHA,
    TLS_PSK_WITH_AES_128_CBC_SHA,
    TLS_PSK_WITH_RC4_128_SHA,
    TLS_PSK_WITH_3DES_EDE_CBC_SHA,
    TLS_PSK_WITH_NULL_SHA384,
    TLS_PSK_WITH_NULL_SHA256,
    TLS_PSK_WITH_NULL_SHA,
#endif

    TLS_RSA_WITH_NULL_SHA256,
    SSL_RSA_WITH_NULL_SHA,
    SSL_RSA_WITH_NULL_MD5

};

static const unsigned STCipherSuiteCount = sizeof(STKnownCipherSuites)/sizeof(STKnownCipherSuites[0]);


/*
 * Convert an array of uint16_t
 * to an array of SSLCipherSuites.
 */
static OSStatus
cipherSuitesToCipherSuites(
                          size_t				numCipherSuites,
                          const uint16_t        *cipherSuites,
                          SSLCipherSuite		*ciphers,		/* RETURNED */
                          size_t				*numCiphers)	/* IN/OUT */
{
    size_t i;
	if(*numCiphers < numCipherSuites) {
		return errSSLBufferOverflow;
	}

    /* NOTE: this is required to go from uint16_t to SSLCipherSuite 
       which is either 32 or 16 bits, depending on the platform */
    for(i=0;i<numCipherSuites; i++) {
        ciphers[i]=cipherSuites[i];
    }
	*numCiphers = numCipherSuites;
	return errSecSuccess;
}

/***
 *** Publically exported functions declared in SecureTransport.h
 ***/

/*
 * Determine number and values of all of the SSLCipherSuites we support.
 * Caller allocates output buffer for SSLGetSupportedCiphers() and passes in
 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
 * will be returned.
 */
OSStatus
SSLGetNumberSupportedCiphers (SSLContextRef	ctx,
							  size_t		*numCiphers)
{
	if((ctx == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}
	*numCiphers = STCipherSuiteCount;
	return errSecSuccess;
}

OSStatus
SSLGetSupportedCiphers		 (SSLContextRef		ctx,
							  SSLCipherSuite	*ciphers,		/* RETURNED */
							  size_t			*numCiphers)	/* IN/OUT */
{
	if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}
	return cipherSuitesToCipherSuites(STCipherSuiteCount,
		STKnownCipherSuites,
		ciphers,
		numCiphers);
}

/*
 * Specify a (typically) restricted set of SSLCipherSuites to be enabled by
 * the current SSLContext. Can only be called when no session is active. Default
 * set of enabled SSLCipherSuites is NOT the same as the complete set of supported
 * SSLCipherSuites as obtained by SSLGetSupportedCiphers().
 */
OSStatus
SSLSetEnabledCiphers		(SSLContextRef			ctx,
							 const SSLCipherSuite	*ciphers,
							 size_t					numCiphers)
{
    uint16_t *cs;

	if((ctx == NULL) || (ciphers == NULL) || (numCiphers == 0)) {
		return errSecParam;
	}

	if(sslIsSessionActive(ctx)) {
		/* can't do this with an active session */
		return errSecBadReq;
	}

    int matchCount = 0;
    for(int i=0; i<numCiphers; i++) {
        for (int j=0; j < STCipherSuiteCount; j++) {
            if (STKnownCipherSuites[j] == ciphers[i]) {
                matchCount++;
                break;
            }
        }
    }

    // If the caller specified no ciphersuites that we actually support, return an error code.
    if (matchCount == 0) {
        return errSecParam;
    }

    cs = (uint16_t *)sslMalloc(matchCount * sizeof(uint16_t));
    if(cs == NULL) {
		return errSecAllocate;
	}

    matchCount = 0;
    for(int i=0; i<numCiphers; i++) {
        for (int j=0; j < STCipherSuiteCount; j++) {
            if (STKnownCipherSuites[j] == ciphers[i]) {
                cs[matchCount++] = ciphers[i];
                break;
            }
        }
    }


    OSStatus result = tls_handshake_set_ciphersuites(ctx->hdsk, cs, (unsigned) matchCount);

    sslFree(cs);

    return result;
}

/*
 * Determine number and values of all of the SSLCipherSuites currently enabled.
 * Caller allocates output buffer for SSLGetEnabledCiphers() and passes in
 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
 * will be returned.
 */
OSStatus
SSLGetNumberEnabledCiphers 	(SSLContextRef			ctx,
							 size_t					*numCiphers)
{
	if((ctx == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}

    unsigned n;
    const uint16_t *ciphersuites;
    int err;

    err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);

    if(err) {
        return err;
    } else {
        *numCiphers = n;
        return errSecSuccess;
    }
}

OSStatus
SSLGetEnabledCiphers		(SSLContextRef			ctx,
							 SSLCipherSuite			*ciphers,		/* RETURNED */
							 size_t					*numCiphers)	/* IN/OUT */
{
	if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}

    unsigned n;
    const uint16_t *ciphersuites;
    int err;

    err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);

    if(err) {
        return err;
    } else {
        return cipherSuitesToCipherSuites(n,
                                          ciphersuites,
                                          ciphers,
                                          numCiphers);
    }
}

OSStatus
SSLSetSessionTicketsEnabled     (SSLContextRef          context,
                                 Boolean                enabled)
{
    if (context == NULL) {
        return errSecParam;
    }

    return tls_handshake_set_session_ticket_enabled(context->hdsk, enabled);
}
Commit	Line	Data
427c49bc	1	/*
d8f41ccd	2	* Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
427c49bc A	3	*
427c49bc A	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
427c49bc A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
427c49bc A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
427c49bc A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* cipherSpecs.c - SSLCipherSpec declarations
	26	*/
	27
	28	#include "sslBuildFlags.h"
427c49bc A	29	#include "sslContext.h"
	30	#include "sslCipherSpecs.h"
	31	#include "sslDebug.h"
	32	#include "sslMemory.h"
	33	#include "sslDebug.h"
427c49bc	34	#include "sslPriv.h"
d8f41ccd A	35
d8f41ccd A	36	#include <tls_handshake.h>
427c49bc A	37
	38	#include <string.h>
	39	#include <assert.h>
	40	#include <Security/SecBase.h>
427c49bc A	41
	42	#include <TargetConditionals.h>
	43
	44
d8f41ccd A	45	/* SecureTransport needs it's own copy of KnownCipherSuites for now, there is a copy in coreTLS,
d8f41ccd A	46	that is exported, but it actually should only included the "default" not the supported */
427c49bc	47
866f8763 A	48	#define ENABLE_ECDH 1
	49	#define ENABLE_AES_GCM 1
	50	#define ENABLE_PSK 1
	51	#define ENABLE_CHACHA20_POLY1305 1
	52	#define ENABLE_AES_CCM 0
	53
427c49bc	54
d8f41ccd	55	static const uint16_t STKnownCipherSuites[] = {
427c49bc A	56	#if ENABLE_AES_GCM
	57	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	58	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	59	#endif
	60	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
	61	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	62	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	63	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
427c49bc A	64	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
	65	#if ENABLE_AES_GCM
	66	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	67	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	68	#endif
	69	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
	70	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	71	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	72	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
427c49bc A	73	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	74	#if ENABLE_ECDH
	75	#if ENABLE_AES_GCM
	76	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
	77	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
	78	#endif
	79	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
	80	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
d8f41ccd A	81	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
	82	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
	83	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
427c49bc A	84	#if ENABLE_AES_GCM
	85	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
	86	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
	87	#endif
	88	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
	89	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
427c49bc A	90	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
427c49bc A	91	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
427c49bc A	92	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
427c49bc A	93	#endif
d8f41ccd A	94
	95	#if ENABLE_AES_GCM
	96	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
	97	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
	98	#endif // ENABLE_AES_GCM
	99	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
	100	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
	101	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	102	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	103	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
	104
427c49bc A	105	#if ENABLE_AES_GCM
	106	TLS_RSA_WITH_AES_256_GCM_SHA384,
	107	TLS_RSA_WITH_AES_128_GCM_SHA256,
	108	#endif
	109	TLS_RSA_WITH_AES_256_CBC_SHA256,
	110	TLS_RSA_WITH_AES_128_CBC_SHA256,
d8f41ccd	111	TLS_RSA_WITH_AES_256_CBC_SHA,
427c49bc	112	TLS_RSA_WITH_AES_128_CBC_SHA,
d8f41ccd A	113	SSL_RSA_WITH_3DES_EDE_CBC_SHA,
	114
	115	#if ENABLE_RC4
	116	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	117	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	118	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
	119	TLS_ECDH_RSA_WITH_RC4_128_SHA,
427c49bc A	120	SSL_RSA_WITH_RC4_128_SHA,
427c49bc A	121	SSL_RSA_WITH_RC4_128_MD5,
427c49bc	122	#endif
d8f41ccd	123
866f8763 A	124	/* TLS 1.3 ciphersuites */
	125	#if ENABLE_AES_GCM
	126	TLS_AES_128_GCM_SHA256,
	127	TLS_AES_256_GCM_SHA384,
	128	#endif
	129	#if ENABLE_CHACHA20_POLY1305
	130	TLS_CHACHA20_POLY1305_SHA256,
	131	#endif
	132	#if ENABLE_AES_CCM
	133	TLS_AES_128_CCM_SHA256,
	134	TLS_AES_128_CCM_8_SHA256,
	135	#endif
d8f41ccd A	136
	137	/* Unsafe ciphersuites */
	138
427c49bc A	139	#if ENABLE_AES_GCM
	140	TLS_DH_anon_WITH_AES_256_GCM_SHA384,
	141	TLS_DH_anon_WITH_AES_128_GCM_SHA256,
	142	#endif
	143	TLS_DH_anon_WITH_AES_128_CBC_SHA256,
	144	TLS_DH_anon_WITH_AES_256_CBC_SHA256,
	145	TLS_DH_anon_WITH_AES_128_CBC_SHA,
	146	TLS_DH_anon_WITH_AES_256_CBC_SHA,
	147	SSL_DH_anon_WITH_RC4_128_MD5,
	148	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
d8f41ccd	149
427c49bc A	150	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
	151	TLS_ECDHE_RSA_WITH_NULL_SHA,
	152	#if ENABLE_ECDH
	153	TLS_ECDH_ECDSA_WITH_NULL_SHA,
	154	TLS_ECDH_RSA_WITH_NULL_SHA,
	155	#endif
	156
	157	#if ENABLE_PSK
	158	TLS_PSK_WITH_AES_256_CBC_SHA384,
	159	TLS_PSK_WITH_AES_128_CBC_SHA256,
	160	TLS_PSK_WITH_AES_256_CBC_SHA,
	161	TLS_PSK_WITH_AES_128_CBC_SHA,
	162	TLS_PSK_WITH_RC4_128_SHA,
	163	TLS_PSK_WITH_3DES_EDE_CBC_SHA,
	164	TLS_PSK_WITH_NULL_SHA384,
	165	TLS_PSK_WITH_NULL_SHA256,
	166	TLS_PSK_WITH_NULL_SHA,
	167	#endif
	168
	169	TLS_RSA_WITH_NULL_SHA256,
	170	SSL_RSA_WITH_NULL_SHA,
	171	SSL_RSA_WITH_NULL_MD5
	172
427c49bc A	173	};
427c49bc A	174
d8f41ccd	175	static const unsigned STCipherSuiteCount = sizeof(STKnownCipherSuites)/sizeof(STKnownCipherSuites[0]);
427c49bc	176
d8f41ccd	177
427c49bc	178	/*
5c19dc3a	179	* Convert an array of uint16_t
427c49bc A	180	* to an array of SSLCipherSuites.
	181	*/
	182	static OSStatus
	183	cipherSuitesToCipherSuites(
	184	size_t numCipherSuites,
d8f41ccd	185	const uint16_t *cipherSuites,
427c49bc A	186	SSLCipherSuite ciphers, / RETURNED */
	187	size_t numCiphers) / IN/OUT */
	188	{
d8f41ccd	189	size_t i;
427c49bc A	190	if(*numCiphers < numCipherSuites) {
	191	return errSSLBufferOverflow;
	192	}
d8f41ccd A	193
	194	/* NOTE: this is required to go from uint16_t to SSLCipherSuite
	195	which is either 32 or 16 bits, depending on the platform */
	196	for(i=0;i<numCipherSuites; i++) {
	197	ciphers[i]=cipherSuites[i];
	198	}
427c49bc A	199	*numCiphers = numCipherSuites;
	200	return errSecSuccess;
	201	}
	202
	203	/***
	204	*** Publically exported functions declared in SecureTransport.h
	205	***/
	206
	207	/*
	208	* Determine number and values of all of the SSLCipherSuites we support.
	209	* Caller allocates output buffer for SSLGetSupportedCiphers() and passes in
	210	* its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
	211	* will be returned.
	212	*/
	213	OSStatus
	214	SSLGetNumberSupportedCiphers (SSLContextRef ctx,
	215	size_t *numCiphers)
	216	{
	217	if((ctx == NULL) \|\| (numCiphers == NULL)) {
	218	return errSecParam;
	219	}
d8f41ccd	220	*numCiphers = STCipherSuiteCount;
427c49bc A	221	return errSecSuccess;
	222	}
	223
	224	OSStatus
	225	SSLGetSupportedCiphers (SSLContextRef ctx,
	226	SSLCipherSuite ciphers, / RETURNED */
	227	size_t numCiphers) / IN/OUT */
	228	{
	229	if((ctx == NULL) \|\| (ciphers == NULL) \|\| (numCiphers == NULL)) {
	230	return errSecParam;
	231	}
d8f41ccd A	232	return cipherSuitesToCipherSuites(STCipherSuiteCount,
d8f41ccd A	233	STKnownCipherSuites,
427c49bc A	234	ciphers,
	235	numCiphers);
	236	}
	237
	238	/*
	239	* Specify a (typically) restricted set of SSLCipherSuites to be enabled by
	240	* the current SSLContext. Can only be called when no session is active. Default
	241	* set of enabled SSLCipherSuites is NOT the same as the complete set of supported
	242	* SSLCipherSuites as obtained by SSLGetSupportedCiphers().
	243	*/
	244	OSStatus
	245	SSLSetEnabledCiphers (SSLContextRef ctx,
	246	const SSLCipherSuite *ciphers,
	247	size_t numCiphers)
	248	{
822b670c	249	uint16_t *cs;
427c49bc A	250
	251	if((ctx == NULL) \|\| (ciphers == NULL) \|\| (numCiphers == 0)) {
	252	return errSecParam;
	253	}
866f8763	254
427c49bc A	255	if(sslIsSessionActive(ctx)) {
	256	/* can't do this with an active session */
	257	return errSecBadReq;
	258	}
822b670c	259
866f8763 A	260	int matchCount = 0;
	261	for(int i=0; i<numCiphers; i++) {
	262	for (int j=0; j < STCipherSuiteCount; j++) {
	263	if (STKnownCipherSuites[j] == ciphers[i]) {
	264	matchCount++;
	265	break;
	266	}
	267	}
	268	}
	269
	270	// If the caller specified no ciphersuites that we actually support, return an error code.
	271	if (matchCount == 0) {
	272	return errSecParam;
	273	}
	274
	275	cs = (uint16_t )sslMalloc(matchCount sizeof(uint16_t));
822b670c	276	if(cs == NULL) {
427c49bc A	277	return errSecAllocate;
	278	}
	279
866f8763 A	280	matchCount = 0;
	281	for(int i=0; i<numCiphers; i++) {
	282	for (int j=0; j < STCipherSuiteCount; j++) {
	283	if (STKnownCipherSuites[j] == ciphers[i]) {
	284	cs[matchCount++] = ciphers[i];
	285	break;
	286	}
	287	}
	288	}
	289
427c49bc	290
866f8763	291	OSStatus result = tls_handshake_set_ciphersuites(ctx->hdsk, cs, (unsigned) matchCount);
d8f41ccd	292
822b670c	293	sslFree(cs);
d8f41ccd	294
866f8763	295	return result;
427c49bc A	296	}
	297
	298	/*
	299	* Determine number and values of all of the SSLCipherSuites currently enabled.
	300	* Caller allocates output buffer for SSLGetEnabledCiphers() and passes in
	301	* its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
	302	* will be returned.
	303	*/
	304	OSStatus
	305	SSLGetNumberEnabledCiphers (SSLContextRef ctx,
	306	size_t *numCiphers)
	307	{
	308	if((ctx == NULL) \|\| (numCiphers == NULL)) {
	309	return errSecParam;
	310	}
5c19dc3a A	311
	312	unsigned n;
	313	const uint16_t *ciphersuites;
	314	int err;
	315
	316	err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);
	317
	318	if(err) {
	319	return err;
	320	} else {
	321	*numCiphers = n;
	322	return errSecSuccess;
	323	}
427c49bc A	324	}
	325
	326	OSStatus
	327	SSLGetEnabledCiphers (SSLContextRef ctx,
	328	SSLCipherSuite ciphers, / RETURNED */
	329	size_t numCiphers) / IN/OUT */
	330	{
	331	if((ctx == NULL) \|\| (ciphers == NULL) \|\| (numCiphers == NULL)) {
	332	return errSecParam;
	333	}
5c19dc3a A	334
	335	unsigned n;
	336	const uint16_t *ciphersuites;
	337	int err;
	338
	339	err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);
	340
fa7225c8 A	341	if(err) {
	342	return err;
	343	} else {
	344	return cipherSuitesToCipherSuites(n,
	345	ciphersuites,
	346	ciphers,
	347	numCiphers);
	348	}
427c49bc	349	}
866f8763 A	350
	351	OSStatus
	352	SSLSetSessionTicketsEnabled (SSLContextRef context,
	353	Boolean enabled)
	354	{
	355	if (context == NULL) {
	356	return errSecParam;
	357	}
	358
	359	return tls_handshake_set_session_ticket_enabled(context->hdsk, enabled);
	360	}