[apple/security.git] / OSX / libsecurity_ssl / lib / sslCipherSpecs.c

/*
 * Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * cipherSpecs.c - SSLCipherSpec declarations
 */

#include "sslBuildFlags.h"
#include "sslContext.h"
#include "sslCipherSpecs.h"
#include "sslDebug.h"
#include "sslMemory.h"
#include "sslDebug.h"
#include "sslPriv.h"

#include <tls_handshake.h>

#include <string.h>
#include <assert.h>
#include <Security/SecBase.h>

#include <TargetConditionals.h>


/* SecureTransport needs it's own copy of KnownCipherSuites for now, there is a copy in coreTLS,
   that is exported, but it actually should only included the "default" not the supported */

#define ENABLE_ECDH      		1
#define ENABLE_AES_GCM          1
#define ENABLE_PSK              1

static const uint16_t STKnownCipherSuites[] = {
#if ENABLE_AES_GCM
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
#if ENABLE_AES_GCM
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
#if ENABLE_ECDH
#if ENABLE_AES_GCM
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
#if ENABLE_AES_GCM
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
#endif

#if ENABLE_AES_GCM
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
#endif // ENABLE_AES_GCM
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,

#if ENABLE_AES_GCM
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_128_GCM_SHA256,
#endif
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,

#if ENABLE_RC4
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_RSA_WITH_RC4_128_SHA,
    SSL_RSA_WITH_RC4_128_SHA,
    SSL_RSA_WITH_RC4_128_MD5,
#endif


    /* Unsafe ciphersuites */

#if ENABLE_AES_GCM
    TLS_DH_anon_WITH_AES_256_GCM_SHA384,
    TLS_DH_anon_WITH_AES_128_GCM_SHA256,
#endif
    TLS_DH_anon_WITH_AES_128_CBC_SHA256,
    TLS_DH_anon_WITH_AES_256_CBC_SHA256,
    TLS_DH_anon_WITH_AES_128_CBC_SHA,
    TLS_DH_anon_WITH_AES_256_CBC_SHA,
    SSL_DH_anon_WITH_RC4_128_MD5,
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,

    TLS_ECDHE_ECDSA_WITH_NULL_SHA,
    TLS_ECDHE_RSA_WITH_NULL_SHA,
#if ENABLE_ECDH
    TLS_ECDH_ECDSA_WITH_NULL_SHA,
    TLS_ECDH_RSA_WITH_NULL_SHA,
#endif

#if ENABLE_PSK
    TLS_PSK_WITH_AES_256_CBC_SHA384,
    TLS_PSK_WITH_AES_128_CBC_SHA256,
    TLS_PSK_WITH_AES_256_CBC_SHA,
    TLS_PSK_WITH_AES_128_CBC_SHA,
    TLS_PSK_WITH_RC4_128_SHA,
    TLS_PSK_WITH_3DES_EDE_CBC_SHA,
    TLS_PSK_WITH_NULL_SHA384,
    TLS_PSK_WITH_NULL_SHA256,
    TLS_PSK_WITH_NULL_SHA,
#endif

    TLS_RSA_WITH_NULL_SHA256,
    SSL_RSA_WITH_NULL_SHA,
    SSL_RSA_WITH_NULL_MD5

};

static const unsigned STCipherSuiteCount = sizeof(STKnownCipherSuites)/sizeof(STKnownCipherSuites[0]);


/*
 * Convert an array of uint16_t
 * to an array of SSLCipherSuites.
 */
static OSStatus
cipherSuitesToCipherSuites(
                          size_t				numCipherSuites,
                          const uint16_t        *cipherSuites,
                          SSLCipherSuite		*ciphers,		/* RETURNED */
                          size_t				*numCiphers)	/* IN/OUT */
{
    size_t i;
	if(*numCiphers < numCipherSuites) {
		return errSSLBufferOverflow;
	}

    /* NOTE: this is required to go from uint16_t to SSLCipherSuite 
       which is either 32 or 16 bits, depending on the platform */
    for(i=0;i<numCipherSuites; i++) {
        ciphers[i]=cipherSuites[i];
    }
	*numCiphers = numCipherSuites;
	return errSecSuccess;
}

/***
 *** Publically exported functions declared in SecureTransport.h
 ***/

/*
 * Determine number and values of all of the SSLCipherSuites we support.
 * Caller allocates output buffer for SSLGetSupportedCiphers() and passes in
 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
 * will be returned.
 */
OSStatus
SSLGetNumberSupportedCiphers (SSLContextRef	ctx,
							  size_t		*numCiphers)
{
	if((ctx == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}
	*numCiphers = STCipherSuiteCount;
	return errSecSuccess;
}

OSStatus
SSLGetSupportedCiphers		 (SSLContextRef		ctx,
							  SSLCipherSuite	*ciphers,		/* RETURNED */
							  size_t			*numCiphers)	/* IN/OUT */
{
	if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}
	return cipherSuitesToCipherSuites(STCipherSuiteCount,
		STKnownCipherSuites,
		ciphers,
		numCiphers);
}

/*
 * Specify a (typically) restricted set of SSLCipherSuites to be enabled by
 * the current SSLContext. Can only be called when no session is active. Default
 * set of enabled SSLCipherSuites is NOT the same as the complete set of supported
 * SSLCipherSuites as obtained by SSLGetSupportedCiphers().
 */
OSStatus
SSLSetEnabledCiphers		(SSLContextRef			ctx,
							 const SSLCipherSuite	*ciphers,
							 size_t					numCiphers)
{
    uint16_t *cs;

	if((ctx == NULL) || (ciphers == NULL) || (numCiphers == 0)) {
		return errSecParam;
	}
	if(sslIsSessionActive(ctx)) {
		/* can't do this with an active session */
		return errSecBadReq;
	}

    cs = (uint16_t *)sslMalloc(numCiphers * sizeof(uint16_t));
    if(cs == NULL) {
		return errSecAllocate;
	}

    for(int i=0; i<numCiphers; i++)
    {
        cs[i] = ciphers[i];
	}

    tls_handshake_set_ciphersuites(ctx->hdsk, cs, (unsigned) numCiphers);

    sslFree(cs);

    return errSecSuccess;
}

/*
 * Determine number and values of all of the SSLCipherSuites currently enabled.
 * Caller allocates output buffer for SSLGetEnabledCiphers() and passes in
 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
 * will be returned.
 */
OSStatus
SSLGetNumberEnabledCiphers 	(SSLContextRef			ctx,
							 size_t					*numCiphers)
{
	if((ctx == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}

    unsigned n;
    const uint16_t *ciphersuites;
    int err;

    err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);

    if(err) {
        return err;
    } else {
        *numCiphers = n;
        return errSecSuccess;
    }
}

OSStatus
SSLGetEnabledCiphers		(SSLContextRef			ctx,
							 SSLCipherSuite			*ciphers,		/* RETURNED */
							 size_t					*numCiphers)	/* IN/OUT */
{
	if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) {
		return errSecParam;
	}

    unsigned n;
    const uint16_t *ciphersuites;
    int err;

    err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);

    if(err) {
        return err;
    } else {
        return cipherSuitesToCipherSuites(n,
                                          ciphersuites,
                                          ciphers,
                                          numCiphers);
    }
}
Commit	Line	Data
427c49bc	1	/*
d8f41ccd	2	* Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
427c49bc A	3	*
427c49bc A	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
427c49bc A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
427c49bc A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
427c49bc A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* cipherSpecs.c - SSLCipherSpec declarations
	26	*/
	27
	28	#include "sslBuildFlags.h"
427c49bc A	29	#include "sslContext.h"
	30	#include "sslCipherSpecs.h"
	31	#include "sslDebug.h"
	32	#include "sslMemory.h"
	33	#include "sslDebug.h"
427c49bc	34	#include "sslPriv.h"
d8f41ccd A	35
d8f41ccd A	36	#include <tls_handshake.h>
427c49bc A	37
	38	#include <string.h>
	39	#include <assert.h>
	40	#include <Security/SecBase.h>
427c49bc A	41
	42	#include <TargetConditionals.h>
	43
	44
d8f41ccd A	45	/* SecureTransport needs it's own copy of KnownCipherSuites for now, there is a copy in coreTLS,
d8f41ccd A	46	that is exported, but it actually should only included the "default" not the supported */
427c49bc A	47
427c49bc A	48	#define ENABLE_ECDH 1
5c19dc3a	49	#define ENABLE_AES_GCM 1
d8f41ccd	50	#define ENABLE_PSK 1
427c49bc	51
d8f41ccd	52	static const uint16_t STKnownCipherSuites[] = {
427c49bc A	53	#if ENABLE_AES_GCM
	54	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	55	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	56	#endif
	57	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
	58	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	59	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	60	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
427c49bc A	61	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
	62	#if ENABLE_AES_GCM
	63	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	64	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	65	#endif
	66	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
	67	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	68	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	69	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
427c49bc A	70	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	71	#if ENABLE_ECDH
	72	#if ENABLE_AES_GCM
	73	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
	74	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
	75	#endif
	76	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
	77	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
d8f41ccd A	78	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
	79	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
	80	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
427c49bc A	81	#if ENABLE_AES_GCM
	82	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
	83	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
	84	#endif
	85	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
	86	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
427c49bc A	87	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
427c49bc A	88	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
427c49bc A	89	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
427c49bc A	90	#endif
d8f41ccd A	91
	92	#if ENABLE_AES_GCM
	93	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
	94	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
	95	#endif // ENABLE_AES_GCM
	96	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
	97	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
	98	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	99	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	100	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
	101
427c49bc A	102	#if ENABLE_AES_GCM
	103	TLS_RSA_WITH_AES_256_GCM_SHA384,
	104	TLS_RSA_WITH_AES_128_GCM_SHA256,
	105	#endif
	106	TLS_RSA_WITH_AES_256_CBC_SHA256,
	107	TLS_RSA_WITH_AES_128_CBC_SHA256,
d8f41ccd	108	TLS_RSA_WITH_AES_256_CBC_SHA,
427c49bc	109	TLS_RSA_WITH_AES_128_CBC_SHA,
d8f41ccd A	110	SSL_RSA_WITH_3DES_EDE_CBC_SHA,
	111
	112	#if ENABLE_RC4
	113	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	114	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	115	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
	116	TLS_ECDH_RSA_WITH_RC4_128_SHA,
427c49bc A	117	SSL_RSA_WITH_RC4_128_SHA,
427c49bc A	118	SSL_RSA_WITH_RC4_128_MD5,
427c49bc	119	#endif
d8f41ccd A	120
	121
	122	/* Unsafe ciphersuites */
	123
427c49bc A	124	#if ENABLE_AES_GCM
	125	TLS_DH_anon_WITH_AES_256_GCM_SHA384,
	126	TLS_DH_anon_WITH_AES_128_GCM_SHA256,
	127	#endif
	128	TLS_DH_anon_WITH_AES_128_CBC_SHA256,
	129	TLS_DH_anon_WITH_AES_256_CBC_SHA256,
	130	TLS_DH_anon_WITH_AES_128_CBC_SHA,
	131	TLS_DH_anon_WITH_AES_256_CBC_SHA,
	132	SSL_DH_anon_WITH_RC4_128_MD5,
	133	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
d8f41ccd	134
427c49bc A	135	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
	136	TLS_ECDHE_RSA_WITH_NULL_SHA,
	137	#if ENABLE_ECDH
	138	TLS_ECDH_ECDSA_WITH_NULL_SHA,
	139	TLS_ECDH_RSA_WITH_NULL_SHA,
	140	#endif
	141
	142	#if ENABLE_PSK
	143	TLS_PSK_WITH_AES_256_CBC_SHA384,
	144	TLS_PSK_WITH_AES_128_CBC_SHA256,
	145	TLS_PSK_WITH_AES_256_CBC_SHA,
	146	TLS_PSK_WITH_AES_128_CBC_SHA,
	147	TLS_PSK_WITH_RC4_128_SHA,
	148	TLS_PSK_WITH_3DES_EDE_CBC_SHA,
	149	TLS_PSK_WITH_NULL_SHA384,
	150	TLS_PSK_WITH_NULL_SHA256,
	151	TLS_PSK_WITH_NULL_SHA,
	152	#endif
	153
	154	TLS_RSA_WITH_NULL_SHA256,
	155	SSL_RSA_WITH_NULL_SHA,
	156	SSL_RSA_WITH_NULL_MD5
	157
427c49bc A	158	};
427c49bc A	159
d8f41ccd	160	static const unsigned STCipherSuiteCount = sizeof(STKnownCipherSuites)/sizeof(STKnownCipherSuites[0]);
427c49bc	161
d8f41ccd	162
427c49bc	163	/*
5c19dc3a	164	* Convert an array of uint16_t
427c49bc A	165	* to an array of SSLCipherSuites.
	166	*/
	167	static OSStatus
	168	cipherSuitesToCipherSuites(
	169	size_t numCipherSuites,
d8f41ccd	170	const uint16_t *cipherSuites,
427c49bc A	171	SSLCipherSuite ciphers, / RETURNED */
	172	size_t numCiphers) / IN/OUT */
	173	{
d8f41ccd	174	size_t i;
427c49bc A	175	if(*numCiphers < numCipherSuites) {
	176	return errSSLBufferOverflow;
	177	}
d8f41ccd A	178
	179	/* NOTE: this is required to go from uint16_t to SSLCipherSuite
	180	which is either 32 or 16 bits, depending on the platform */
	181	for(i=0;i<numCipherSuites; i++) {
	182	ciphers[i]=cipherSuites[i];
	183	}
427c49bc A	184	*numCiphers = numCipherSuites;
	185	return errSecSuccess;
	186	}
	187
	188	/***
	189	*** Publically exported functions declared in SecureTransport.h
	190	***/
	191
	192	/*
	193	* Determine number and values of all of the SSLCipherSuites we support.
	194	* Caller allocates output buffer for SSLGetSupportedCiphers() and passes in
	195	* its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
	196	* will be returned.
	197	*/
	198	OSStatus
	199	SSLGetNumberSupportedCiphers (SSLContextRef ctx,
	200	size_t *numCiphers)
	201	{
	202	if((ctx == NULL) \|\| (numCiphers == NULL)) {
	203	return errSecParam;
	204	}
d8f41ccd	205	*numCiphers = STCipherSuiteCount;
427c49bc A	206	return errSecSuccess;
	207	}
	208
	209	OSStatus
	210	SSLGetSupportedCiphers (SSLContextRef ctx,
	211	SSLCipherSuite ciphers, / RETURNED */
	212	size_t numCiphers) / IN/OUT */
	213	{
	214	if((ctx == NULL) \|\| (ciphers == NULL) \|\| (numCiphers == NULL)) {
	215	return errSecParam;
	216	}
d8f41ccd A	217	return cipherSuitesToCipherSuites(STCipherSuiteCount,
d8f41ccd A	218	STKnownCipherSuites,
427c49bc A	219	ciphers,
	220	numCiphers);
	221	}
	222
	223	/*
	224	* Specify a (typically) restricted set of SSLCipherSuites to be enabled by
	225	* the current SSLContext. Can only be called when no session is active. Default
	226	* set of enabled SSLCipherSuites is NOT the same as the complete set of supported
	227	* SSLCipherSuites as obtained by SSLGetSupportedCiphers().
	228	*/
	229	OSStatus
	230	SSLSetEnabledCiphers (SSLContextRef ctx,
	231	const SSLCipherSuite *ciphers,
	232	size_t numCiphers)
	233	{
822b670c	234	uint16_t *cs;
427c49bc A	235
	236	if((ctx == NULL) \|\| (ciphers == NULL) \|\| (numCiphers == 0)) {
	237	return errSecParam;
	238	}
	239	if(sslIsSessionActive(ctx)) {
	240	/* can't do this with an active session */
	241	return errSecBadReq;
	242	}
822b670c A	243
	244	cs = (uint16_t )sslMalloc(numCiphers sizeof(uint16_t));
	245	if(cs == NULL) {
427c49bc A	246	return errSecAllocate;
	247	}
	248
822b670c A	249	for(int i=0; i<numCiphers; i++)
	250	{
	251	cs[i] = ciphers[i];
427c49bc A	252	}
427c49bc A	253
822b670c	254	tls_handshake_set_ciphersuites(ctx->hdsk, cs, (unsigned) numCiphers);
d8f41ccd	255
822b670c	256	sslFree(cs);
d8f41ccd A	257
d8f41ccd A	258	return errSecSuccess;
427c49bc A	259	}
	260
	261	/*
	262	* Determine number and values of all of the SSLCipherSuites currently enabled.
	263	* Caller allocates output buffer for SSLGetEnabledCiphers() and passes in
	264	* its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
	265	* will be returned.
	266	*/
	267	OSStatus
	268	SSLGetNumberEnabledCiphers (SSLContextRef ctx,
	269	size_t *numCiphers)
	270	{
	271	if((ctx == NULL) \|\| (numCiphers == NULL)) {
	272	return errSecParam;
	273	}
5c19dc3a A	274
	275	unsigned n;
	276	const uint16_t *ciphersuites;
	277	int err;
	278
	279	err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);
	280
	281	if(err) {
	282	return err;
	283	} else {
	284	*numCiphers = n;
	285	return errSecSuccess;
	286	}
427c49bc A	287	}
	288
	289	OSStatus
	290	SSLGetEnabledCiphers (SSLContextRef ctx,
	291	SSLCipherSuite ciphers, / RETURNED */
	292	size_t numCiphers) / IN/OUT */
	293	{
	294	if((ctx == NULL) \|\| (ciphers == NULL) \|\| (numCiphers == NULL)) {
	295	return errSecParam;
	296	}
5c19dc3a A	297
	298	unsigned n;
	299	const uint16_t *ciphersuites;
	300	int err;
	301
	302	err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);
	303
fa7225c8 A	304	if(err) {
	305	return err;
	306	} else {
	307	return cipherSuitesToCipherSuites(n,
	308	ciphersuites,
	309	ciphers,
	310	numCiphers);
	311	}
427c49bc	312	}