]> git.saurik.com Git - apple/security.git/blob - sslViewer/sslAppUtils.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57336.1.9.tar.gz
[apple/security.git] / sslViewer / sslAppUtils.cpp
1 /*
2 * Copyright (c) 2006-2008,2010-2013 Apple Inc. All Rights Reserved.
3 */
4
5 #include "sslAppUtils.h"
6 //#include "sslThreading.h"
7 //#include "identPicker.h"
8 //#include <utilLib/common.h>
9 #include <stdlib.h>
10 #include <stdio.h>
11 #include <sys/param.h>
12 #include <Security/SecBase.h>
13
14 #include <CoreFoundation/CoreFoundation.h>
15 #include <Security/Security.h>
16 #include <Security/SecIdentityPriv.h>
17 #include <AssertMacros.h>
18 #include <sys/time.h>
19
20 #include "utilities/SecCFRelease.h"
21
22 /* Set true when PR-3074739 is merged to TOT */
23 #define NEW_SSL_ERRS_3074739 1
24
25
26 const char *sslGetCipherSuiteString(SSLCipherSuite cs)
27 {
28 static char noSuite[40];
29
30 switch (cs) {
31 /* TLS cipher suites, RFC 2246 */
32 case SSL_NULL_WITH_NULL_NULL: return "TLS_NULL_WITH_NULL_NULL";
33 case SSL_RSA_WITH_NULL_MD5: return "TLS_RSA_WITH_NULL_MD5";
34 case SSL_RSA_WITH_NULL_SHA: return "TLS_RSA_WITH_NULL_SHA";
35 case SSL_RSA_EXPORT_WITH_RC4_40_MD5: return "TLS_RSA_EXPORT_WITH_RC4_40_MD5";
36 case SSL_RSA_WITH_RC4_128_MD5: return "TLS_RSA_WITH_RC4_128_MD5";
37 case SSL_RSA_WITH_RC4_128_SHA: return "TLS_RSA_WITH_RC4_128_SHA";
38 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: return "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5";
39 case SSL_RSA_WITH_IDEA_CBC_SHA: return "TLS_RSA_WITH_IDEA_CBC_SHA";
40 case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA";
41 case SSL_RSA_WITH_DES_CBC_SHA: return "TLS_RSA_WITH_DES_CBC_SHA";
42 case SSL_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
43 case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA";
44 case SSL_DH_DSS_WITH_DES_CBC_SHA: return "TLS_DH_DSS_WITH_DES_CBC_SHA";
45 case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
46 case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA";
47 case SSL_DH_RSA_WITH_DES_CBC_SHA: return "TLS_DH_RSA_WITH_DES_CBC_SHA";
48 case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
49 case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA";
50 case SSL_DHE_DSS_WITH_DES_CBC_SHA: return "TLS_DHE_DSS_WITH_DES_CBC_SHA";
51 case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
52 case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA";
53 case SSL_DHE_RSA_WITH_DES_CBC_SHA: return "TLS_DHE_RSA_WITH_DES_CBC_SHA";
54 case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
55 case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: return "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5";
56 case SSL_DH_anon_WITH_RC4_128_MD5: return "TLS_DH_anon_WITH_RC4_128_MD5";
57 case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA";
58 case SSL_DH_anon_WITH_DES_CBC_SHA: return "TLS_DH_anon_WITH_DES_CBC_SHA";
59 case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
60
61 /* SSLv3 Fortezza cipher suites, from NSS */
62 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: return "SSL_FORTEZZA_DMS_WITH_NULL_SHA";
63 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
64
65 /* TLS addenda using AES-CBC, RFC 3268 */
66 case TLS_RSA_WITH_AES_128_CBC_SHA: return "TLS_RSA_WITH_AES_128_CBC_SHA";
67 case TLS_DH_DSS_WITH_AES_128_CBC_SHA: return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
68 case TLS_DH_RSA_WITH_AES_128_CBC_SHA: return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
69 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
70 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
71 case TLS_DH_anon_WITH_AES_128_CBC_SHA: return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
72 case TLS_RSA_WITH_AES_256_CBC_SHA: return "TLS_RSA_WITH_AES_256_CBC_SHA";
73 case TLS_DH_DSS_WITH_AES_256_CBC_SHA: return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
74 case TLS_DH_RSA_WITH_AES_256_CBC_SHA: return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
75 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
76 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
77 case TLS_DH_anon_WITH_AES_256_CBC_SHA: return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
78
79 /* ECDSA addenda, RFC 4492 */
80 case TLS_ECDH_ECDSA_WITH_NULL_SHA: return "TLS_ECDH_ECDSA_WITH_NULL_SHA";
81 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
82 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
83 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
84 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
85 case TLS_ECDHE_ECDSA_WITH_NULL_SHA: return "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
86 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
87 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
88 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
89 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
90 case TLS_ECDH_RSA_WITH_NULL_SHA: return "TLS_ECDH_RSA_WITH_NULL_SHA";
91 case TLS_ECDH_RSA_WITH_RC4_128_SHA: return "TLS_ECDH_RSA_WITH_RC4_128_SHA";
92 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
93 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
94 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
95 case TLS_ECDHE_RSA_WITH_NULL_SHA: return "TLS_ECDHE_RSA_WITH_NULL_SHA";
96 case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
97 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
98 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
99 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
100 case TLS_ECDH_anon_WITH_NULL_SHA: return "TLS_ECDH_anon_WITH_NULL_SHA";
101 case TLS_ECDH_anon_WITH_RC4_128_SHA: return "TLS_ECDH_anon_WITH_RC4_128_SHA";
102 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
103 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: return "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
104 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA: return "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
105
106 /* TLS 1.2 addenda, RFC 5246 */
107 case TLS_RSA_WITH_AES_128_CBC_SHA256: return "TLS_RSA_WITH_AES_128_CBC_SHA256";
108 case TLS_RSA_WITH_AES_256_CBC_SHA256: return "TLS_RSA_WITH_AES_256_CBC_SHA256";
109 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: return "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
110 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: return "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
111 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
112 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
113 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: return "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
114 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: return "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
115 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
116 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
117 case TLS_DH_anon_WITH_AES_128_CBC_SHA256: return "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
118 case TLS_DH_anon_WITH_AES_256_CBC_SHA256: return "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
119
120 /* TLS addenda using AES-GCM, RFC 5288 */
121 case TLS_RSA_WITH_AES_128_GCM_SHA256: return "TLS_RSA_WITH_AES_128_GCM_SHA256";
122 case TLS_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
123 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
124 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
125 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: return "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
126 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
127 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: return "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
128 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: return "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
129 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: return "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
130 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: return "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
131 case TLS_DH_anon_WITH_AES_128_GCM_SHA256: return "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
132 case TLS_DH_anon_WITH_AES_256_GCM_SHA384: return "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
133
134 /* ECDSA addenda, RFC 5289 */
135 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
136 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
137 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
138 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
139 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
140 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
141 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
142 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
143 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
144 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
145 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
146 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
147 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
148 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
149 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
150 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
151
152 /*
153 * Tags for SSL 2 cipher kinds which are not specified for SSL 3.
154 */
155 case SSL_RSA_WITH_RC2_CBC_MD5: return "TLS_RSA_WITH_RC2_CBC_MD5";
156 case SSL_RSA_WITH_IDEA_CBC_MD5: return "TLS_RSA_WITH_IDEA_CBC_MD5";
157 case SSL_RSA_WITH_DES_CBC_MD5: return "TLS_RSA_WITH_DES_CBC_MD5";
158 case SSL_RSA_WITH_3DES_EDE_CBC_MD5: return "TLS_RSA_WITH_3DES_EDE_CBC_MD5";
159 case SSL_NO_SUCH_CIPHERSUITE: return "SSL_NO_SUCH_CIPHERSUITE";
160
161 default:
162 snprintf(noSuite, sizeof(noSuite), "Unknown ciphersuite 0x%04x", (unsigned)cs);
163 return noSuite;
164 }
165 }
166
167 /*
168 * Given a SSLProtocolVersion - typically from SSLGetProtocolVersion -
169 * return a string representation.
170 */
171 const char *sslGetProtocolVersionString(SSLProtocol prot)
172 {
173 static char noProt[20];
174
175 switch(prot) {
176 case kSSLProtocolUnknown:
177 return "kSSLProtocolUnknown";
178 case kSSLProtocol2:
179 return "kSSLProtocol2";
180 case kSSLProtocol3:
181 return "kSSLProtocol3";
182 case kSSLProtocol3Only:
183 return "kSSLProtocol3Only";
184 case kTLSProtocol1:
185 return "kTLSProtocol1";
186 case kTLSProtocol1Only:
187 return "kTLSProtocol1Only";
188 case kTLSProtocol11:
189 return "kTLSProtocol11";
190 case kTLSProtocol12:
191 return "kTLSProtocol12";
192 default:
193 sprintf(noProt, "Unknown (%d)", (unsigned)prot);
194 return noProt;
195 }
196 }
197
198 /*
199 * Return string representation of SecureTransport-related OSStatus.
200 */
201 const char *sslGetSSLErrString(OSStatus err)
202 {
203 static char errSecSuccessStr[20];
204
205 switch(err) {
206 case errSecSuccess:
207 return "errSecSuccess";
208 case errSecAllocate:
209 return "errSecAllocate";
210 case errSecParam:
211 return "errSecParam";
212 case errSecUnimplemented:
213 return "errSecUnimplemented";
214 case errSecIO:
215 return "errSecIO";
216 case errSecBadReq:
217 return "errSecBadReq";
218 case errSSLProtocol:
219 return "errSSLProtocol";
220 case errSSLNegotiation:
221 return "errSSLNegotiation";
222 case errSSLFatalAlert:
223 return "errSSLFatalAlert";
224 case errSSLWouldBlock:
225 return "errSSLWouldBlock";
226 case errSSLSessionNotFound:
227 return "errSSLSessionNotFound";
228 case errSSLClosedGraceful:
229 return "errSSLClosedGraceful";
230 case errSSLClosedAbort:
231 return "errSSLClosedAbort";
232 case errSSLXCertChainInvalid:
233 return "errSSLXCertChainInvalid";
234 case errSSLBadCert:
235 return "errSSLBadCert";
236 case errSSLCrypto:
237 return "errSSLCrypto";
238 case errSSLInternal:
239 return "errSSLInternal";
240 case errSSLModuleAttach:
241 return "errSSLModuleAttach";
242 case errSSLUnknownRootCert:
243 return "errSSLUnknownRootCert";
244 case errSSLNoRootCert:
245 return "errSSLNoRootCert";
246 case errSSLCertExpired:
247 return "errSSLCertExpired";
248 case errSSLCertNotYetValid:
249 return "errSSLCertNotYetValid";
250 case errSSLClosedNoNotify:
251 return "errSSLClosedNoNotify";
252 case errSSLBufferOverflow:
253 return "errSSLBufferOverflow";
254 case errSSLBadCipherSuite:
255 return "errSSLBadCipherSuite";
256 /* TLS/Panther addenda */
257 case errSSLPeerUnexpectedMsg:
258 return "errSSLPeerUnexpectedMsg";
259 case errSSLPeerBadRecordMac:
260 return "errSSLPeerBadRecordMac";
261 case errSSLPeerDecryptionFail:
262 return "errSSLPeerDecryptionFail";
263 case errSSLPeerRecordOverflow:
264 return "errSSLPeerRecordOverflow";
265 case errSSLPeerDecompressFail:
266 return "errSSLPeerDecompressFail";
267 case errSSLPeerHandshakeFail:
268 return "errSSLPeerHandshakeFail";
269 case errSSLPeerBadCert:
270 return "errSSLPeerBadCert";
271 case errSSLPeerUnsupportedCert:
272 return "errSSLPeerUnsupportedCert";
273 case errSSLPeerCertRevoked:
274 return "errSSLPeerCertRevoked";
275 case errSSLPeerCertExpired:
276 return "errSSLPeerCertExpired";
277 case errSSLPeerCertUnknown:
278 return "errSSLPeerCertUnknown";
279 case errSSLIllegalParam:
280 return "errSSLIllegalParam";
281 case errSSLPeerUnknownCA:
282 return "errSSLPeerUnknownCA";
283 case errSSLPeerAccessDenied:
284 return "errSSLPeerAccessDenied";
285 case errSSLPeerDecodeError:
286 return "errSSLPeerDecodeError";
287 case errSSLPeerDecryptError:
288 return "errSSLPeerDecryptError";
289 case errSSLPeerExportRestriction:
290 return "errSSLPeerExportRestriction";
291 case errSSLPeerProtocolVersion:
292 return "errSSLPeerProtocolVersion";
293 case errSSLPeerInsufficientSecurity:
294 return "errSSLPeerInsufficientSecurity";
295 case errSSLPeerInternalError:
296 return "errSSLPeerInternalError";
297 case errSSLPeerUserCancelled:
298 return "errSSLPeerUserCancelled";
299 case errSSLPeerNoRenegotiation:
300 return "errSSLPeerNoRenegotiation";
301 case errSSLHostNameMismatch:
302 return "errSSLHostNameMismatch";
303 case errSSLConnectionRefused:
304 return "errSSLConnectionRefused";
305 case errSSLDecryptionFail:
306 return "errSSLDecryptionFail";
307 case errSSLBadRecordMac:
308 return "errSSLBadRecordMac";
309 case errSSLRecordOverflow:
310 return "errSSLRecordOverflow";
311 case errSSLBadConfiguration:
312 return "errSSLBadConfiguration";
313
314 /* some from the Sec layer */
315 case errSecNotAvailable: return "errSecNotAvailable";
316 case errSecDuplicateItem: return "errSecDuplicateItem";
317 case errSecItemNotFound: return "errSecItemNotFound";
318 #if 0
319 case errSessionInvalidId: return "errSessionInvalidId";
320 case errSessionInvalidAttributes: return "errSessionInvalidAttributes";
321 case errSessionAuthorizationDenied: return "errSessionAuthorizationDenied";
322 case errSessionInternal: return "errSessionInternal";
323 case errSessionInvalidFlags: return "errSessionInvalidFlags";
324 #endif
325
326 default:
327 #if 0
328 if (err < (CSSM_BASE_ERROR +
329 (CSSM_ERRORCODE_MODULE_EXTENT * 8)))
330 {
331 /* assume CSSM error */
332 return cssmErrToStr(err);
333 }
334 else
335 #endif
336 {
337 sprintf(errSecSuccessStr, "Unknown (%d)", (unsigned)err);
338 return errSecSuccessStr;
339 }
340 }
341 }
342
343 void printSslErrStr(
344 const char *op,
345 OSStatus err)
346 {
347 printf("*** %s: %s\n", op, sslGetSSLErrString(err));
348 }
349
350 const char *sslGetClientCertStateString(SSLClientCertificateState state)
351 {
352 static char noState[20];
353
354 switch(state) {
355 case kSSLClientCertNone:
356 return "ClientCertNone";
357 case kSSLClientCertRequested:
358 return "CertRequested";
359 case kSSLClientCertSent:
360 return "ClientCertSent";
361 case kSSLClientCertRejected:
362 return "ClientCertRejected";
363 default:
364 sprintf(noState, "Unknown (%d)", (unsigned)state);
365 return noState;
366 }
367
368 }
369
370 /*
371 * Convert a keychain name (which may be NULL) into the CFArrayRef required
372 * by SSLSetCertificate. This is a bare-bones example of this operation,
373 * since it requires and assumes that there is exactly one SecIdentity
374 * in the keychain - i.e., there is exactly one matching cert/private key
375 * pair. A real world server would probably search a keychain for a SecIdentity
376 * matching some specific criteria.
377 */
378 CFArrayRef getSslCerts(
379 const char *kcName, // may be NULL, i.e., use default
380 bool encryptOnly,
381 bool completeCertChain,
382 const char *anchorFile, // optional trusted anchor
383 SecKeychainRef *pKcRef) // RETURNED
384 {
385 #if 0
386 SecKeychainRef kcRef = nil;
387 OSStatus ortn;
388
389 *pKcRef = nil;
390
391 /* pick a keychain */
392 if(kcName) {
393 ortn = SecKeychainOpen(kcName, &kcRef);
394 if(ortn) {
395 printf("SecKeychainOpen returned %d.\n", (int)ortn);
396 printf("Cannot open keychain at %s. Aborting.\n", kcName);
397 return NULL;
398 }
399 }
400 else {
401 /* use default keychain */
402 ortn = SecKeychainCopyDefault(&kcRef);
403 if(ortn) {
404 printf("SecKeychainCopyDefault returned %d; aborting.\n", (int)ortn);
405 return nil;
406 }
407 }
408 *pKcRef = kcRef;
409 return sslKcRefToCertArray(kcRef, encryptOnly, completeCertChain, anchorFile);
410 #else
411 SecCertificateRef cert = NULL;
412 SecIdentityRef identity = NULL;
413 CFMutableArrayRef certificates = NULL, result = NULL;
414 CFMutableDictionaryRef certQuery = NULL, keyQuery = NULL, keyResult = NULL;
415 SecTrustRef trust = NULL;
416 SecKeyRef key = NULL;
417 CFTypeRef pkdigest = NULL;
418
419 // Find the first private key in the keychain and return both it's
420 // attributes and a ref to it.
421 require(keyQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
422 CFDictionaryAddValue(keyQuery, kSecClass, kSecClassKey);
423 CFDictionaryAddValue(keyQuery, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
424 CFDictionaryAddValue(keyQuery, kSecReturnRef, kCFBooleanTrue);
425 CFDictionaryAddValue(keyQuery, kSecReturnAttributes, kCFBooleanTrue);
426 require_noerr(SecItemCopyMatching(keyQuery, (CFTypeRef *)&keyResult),
427 errOut);
428 require(key = (SecKeyRef)CFDictionaryGetValue(keyResult, kSecValueRef),
429 errOut);
430 require(pkdigest = CFDictionaryGetValue(keyResult, kSecAttrApplicationLabel),
431 errOut);
432
433 // Find the first certificate that has the same public key hash as the
434 // returned private key and return it as a ref.
435 require(certQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
436 CFDictionaryAddValue(certQuery, kSecClass, kSecClassCertificate);
437 CFDictionaryAddValue(certQuery, kSecAttrPublicKeyHash, pkdigest);
438 CFDictionaryAddValue(certQuery, kSecReturnRef, kCFBooleanTrue);
439 require_noerr(SecItemCopyMatching(certQuery, (CFTypeRef *)&cert), errOut);
440
441 // Create an identity from the key and certificate.
442 require(identity = SecIdentityCreate(NULL, cert, key), errOut);
443
444 // Build a (partial) certificate chain from cert
445 require(certificates = CFArrayCreateMutable(NULL, 0,
446 &kCFTypeArrayCallBacks), errOut);
447 CFArrayAppendValue(certificates, cert);
448 require_noerr(SecTrustCreateWithCertificates(certificates, NULL, &trust),
449 errOut);
450 SecTrustResultType tresult;
451 require_noerr(SecTrustEvaluate(trust, &tresult), errOut);
452
453 CFIndex certCount, ix;
454 // We need at least 1 certificate
455 require(certCount = SecTrustGetCertificateCount(trust), errOut);
456
457 // Build a result where element 0 is the identity and the other elements
458 // are the certs in the chain starting at the first intermediate up to the
459 // anchor, if we found one, or as far as we were able to build the chain
460 // if not.
461 require(result = CFArrayCreateMutable(NULL, certCount, &kCFTypeArrayCallBacks),
462 errOut);
463
464 // We are commited to returning a result now, so do not use require below
465 // this line without setting result to NULL again.
466 CFArrayAppendValue(result, identity);
467 for (ix = 1; ix < certCount; ++ix) {
468 CFArrayAppendValue(result, SecTrustGetCertificateAtIndex(trust, ix));
469 }
470
471 errOut:
472 CFReleaseSafe(trust);
473 CFReleaseSafe(certificates);
474 CFReleaseSafe(identity);
475 CFReleaseSafe(cert);
476 CFReleaseSafe(certQuery);
477 CFReleaseSafe(keyResult);
478 CFReleaseSafe(keyQuery);
479
480 return result;
481 #endif
482 }
483
484 #if 0
485 /*
486 * Determine if specified SecCertificateRef is a self-signed cert.
487 * We do this by comparing the subject and issuerr names; no cryptographic
488 * verification is performed.
489 *
490 * Returns true if the cert appears to be a root.
491 */
492 static bool isCertRefRoot(
493 SecCertificateRef certRef)
494 {
495 bool brtn = false;
496 #if 0
497 /* just search for the two attrs we want */
498 UInt32 tags[2] = {kSecSubjectItemAttr, kSecIssuerItemAttr};
499 SecKeychainAttributeInfo attrInfo;
500 attrInfo.count = 2;
501 attrInfo.tag = tags;
502 attrInfo.format = NULL;
503 SecKeychainAttributeList *attrList = NULL;
504 SecKeychainAttribute *attr1 = NULL;
505 SecKeychainAttribute *attr2 = NULL;
506
507 OSStatus ortn = SecKeychainItemCopyAttributesAndData(
508 (SecKeychainItemRef)certRef,
509 &attrInfo,
510 NULL, // itemClass
511 &attrList,
512 NULL, // length - don't need the data
513 NULL); // outData
514 if(ortn) {
515 cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
516 /* may want to be a bit more robust here, but this should
517 * never happen */
518 return false;
519 }
520 /* subsequent errors to errOut: */
521
522 if((attrList == NULL) || (attrList->count != 2)) {
523 printf("***Unexpected result fetching label attr\n");
524 goto errOut;
525 }
526
527 /* rootness is just byte-for-byte compare of the two names */
528 attr1 = &attrList->attr[0];
529 attr2 = &attrList->attr[1];
530 if(attr1->length == attr2->length) {
531 if(memcmp(attr1->data, attr2->data, attr1->length) == 0) {
532 brtn = true;
533 }
534 }
535 errOut:
536 SecKeychainItemFreeAttributesAndData(attrList, NULL);
537 #endif
538 return brtn;
539 }
540 #endif
541
542 #if 0
543 /*
544 * Given a SecIdentityRef, do our best to construct a complete, ordered, and
545 * verified cert chain, returning the result in a CFArrayRef. The result is
546 * suitable for use when calling SSLSetCertificate().
547 */
548 OSStatus sslCompleteCertChain(
549 SecIdentityRef identity,
550 SecCertificateRef trustedAnchor, // optional additional trusted anchor
551 bool includeRoot, // include the root in outArray
552 CFArrayRef *outArray) // created and RETURNED
553 {
554 CFMutableArrayRef certArray;
555 SecTrustRef secTrust = NULL;
556 SecPolicyRef policy = NULL;
557 SecPolicySearchRef policySearch = NULL;
558 SecTrustResultType secTrustResult;
559 CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; // not used
560 CFArrayRef certChain = NULL; // constructed chain
561 CFIndex numResCerts;
562
563 certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
564 CFArrayAppendValue(certArray, identity);
565
566 /*
567 * Case 1: identity is a root; we're done. Note that this case
568 * overrides the includeRoot argument.
569 */
570 SecCertificateRef certRef;
571 OSStatus ortn = SecIdentityCopyCertificate(identity, &certRef);
572 if(ortn) {
573 /* should never happen */
574 cssmPerror("SecIdentityCopyCertificate", ortn);
575 return ortn;
576 }
577 bool isRoot = isCertRefRoot(certRef);
578 if(isRoot) {
579 *outArray = certArray;
580 CFRelease(certRef);
581 return errSecSuccess;
582 }
583
584 /*
585 * Now use SecTrust to get a complete cert chain, using all of the
586 * user's keychains to look for intermediate certs.
587 * NOTE this does NOT handle root certs which are not in the system
588 * root cert DB. (The above case, where the identity is a root cert, does.)
589 */
590 CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
591 CFArraySetValueAtIndex(subjCerts, 0, certRef);
592
593 /* the array owns the subject cert ref now */
594 CFRelease(certRef);
595
596 /* Get a SecPolicyRef for generic X509 cert chain verification */
597 ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
598 &CSSMOID_APPLE_X509_BASIC,
599 NULL, // value
600 &policySearch);
601 if(ortn) {
602 cssmPerror("SecPolicySearchCreate", ortn);
603 goto errOut;
604 }
605 ortn = SecPolicySearchCopyNext(policySearch, &policy);
606 if(ortn) {
607 cssmPerror("SecPolicySearchCopyNext", ortn);
608 goto errOut;
609 }
610
611 /* build a SecTrustRef for specified policy and certs */
612 ortn = SecTrustCreateWithCertificates(subjCerts,
613 policy, &secTrust);
614 if(ortn) {
615 cssmPerror("SecTrustCreateWithCertificates", ortn);
616 goto errOut;
617 }
618
619 if(trustedAnchor) {
620 /*
621 * Tell SecTrust to trust this one in addition to the current
622 * trusted system-wide anchors.
623 */
624 CFMutableArrayRef newAnchors;
625 CFArrayRef currAnchors;
626
627 ortn = SecTrustCopyAnchorCertificates(&currAnchors);
628 if(ortn) {
629 /* should never happen */
630 cssmPerror("SecTrustCopyAnchorCertificates", ortn);
631 goto errOut;
632 }
633 newAnchors = CFArrayCreateMutableCopy(NULL,
634 CFArrayGetCount(currAnchors) + 1,
635 currAnchors);
636 CFRelease(currAnchors);
637 CFArrayAppendValue(newAnchors, trustedAnchor);
638 ortn = SecTrustSetAnchorCertificates(secTrust, newAnchors);
639 CFRelease(newAnchors);
640 if(ortn) {
641 cssmPerror("SecTrustSetAnchorCertificates", ortn);
642 goto errOut;
643 }
644 }
645 /* evaluate: GO */
646 ortn = SecTrustEvaluate(secTrust, &secTrustResult);
647 if(ortn) {
648 cssmPerror("SecTrustEvaluate", ortn);
649 goto errOut;
650 }
651 switch(secTrustResult) {
652 case kSecTrustResultUnspecified:
653 /* cert chain valid, no special UserTrust assignments */
654 case kSecTrustResultProceed:
655 /* cert chain valid AND user explicitly trusts this */
656 break;
657 default:
658 /*
659 * Cert chain construction failed.
660 * Just go with the single subject cert we were given.
661 */
662 printf("***Warning: could not construct completed cert chain\n");
663 ortn = errSecSuccess;
664 goto errOut;
665 }
666
667 /* get resulting constructed cert chain */
668 ortn = SecTrustGetResult(secTrust, &secTrustResult, &certChain, &dummyEv);
669 if(ortn) {
670 cssmPerror("SecTrustEvaluate", ortn);
671 goto errOut;
672 }
673
674 /*
675 * Copy certs from constructed chain to our result array, skipping
676 * the leaf (which is already there, as a SecIdentityRef) and possibly
677 * a root.
678 */
679 numResCerts = CFArrayGetCount(certChain);
680 if(numResCerts < 2) {
681 /*
682 * Can't happen: if subject was a root, we'd already have returned.
683 * If chain doesn't verify to a root, we'd have bailed after
684 * SecTrustEvaluate().
685 */
686 printf("***sslCompleteCertChain screwup: numResCerts %d\n",
687 (int)numResCerts);
688 ortn = errSecSuccess;
689 goto errOut;
690 }
691 if(!includeRoot) {
692 /* skip the last (root) cert) */
693 numResCerts--;
694 }
695 for(CFIndex dex=1; dex<numResCerts; dex++) {
696 certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, dex);
697 CFArrayAppendValue(certArray, certRef);
698 }
699 errOut:
700 /* clean up */
701 if(secTrust) {
702 CFRelease(secTrust);
703 }
704 if(subjCerts) {
705 CFRelease(subjCerts);
706 }
707 if(policy) {
708 CFRelease(policy);
709 }
710 if(policySearch) {
711 CFRelease(policySearch);
712 }
713 *outArray = certArray;
714 return ortn;
715 }
716
717
718 /*
719 * Given an open keychain, find a SecIdentityRef and munge it into
720 * a CFArrayRef required by SSLSetCertificate().
721 */
722 CFArrayRef sslKcRefToCertArray(
723 SecKeychainRef kcRef,
724 bool encryptOnly,
725 bool completeCertChain,
726 const char *trustedAnchorFile)
727 {
728 /* quick check to make sure the keychain exists */
729 SecKeychainStatus kcStat;
730 OSStatus ortn = SecKeychainGetStatus(kcRef, &kcStat);
731 if(ortn) {
732 printSslErrStr("SecKeychainGetStatus", ortn);
733 printf("Can not open keychain. Aborting.\n");
734 return nil;
735 }
736
737 /*
738 * Search for "any" identity matching specified key use;
739 * in this app, we expect there to be exactly one.
740 */
741 SecIdentitySearchRef srchRef = nil;
742 ortn = SecIdentitySearchCreate(kcRef,
743 encryptOnly ? CSSM_KEYUSE_DECRYPT : CSSM_KEYUSE_SIGN,
744 &srchRef);
745 if(ortn) {
746 printf("SecIdentitySearchCreate returned %d.\n", (int)ortn);
747 printf("Cannot find signing key in keychain. Aborting.\n");
748 return nil;
749 }
750 SecIdentityRef identity = nil;
751 ortn = SecIdentitySearchCopyNext(srchRef, &identity);
752 if(ortn) {
753 printf("SecIdentitySearchCopyNext returned %d.\n", (int)ortn);
754 printf("Cannot find signing key in keychain. Aborting.\n");
755 return nil;
756 }
757 if(CFGetTypeID(identity) != SecIdentityGetTypeID()) {
758 printf("SecIdentitySearchCopyNext CFTypeID failure!\n");
759 return nil;
760 }
761
762 /*
763 * Found one.
764 */
765 if(completeCertChain) {
766 /*
767 * Place it and the other certs needed to verify it -
768 * up to but not including the root - in a CFArray.
769 */
770 SecCertificateRef anchorCert = NULL;
771 if(trustedAnchorFile) {
772 ortn = sslReadAnchor(trustedAnchorFile, &anchorCert);
773 if(ortn) {
774 printf("***Error reading anchor file\n");
775 }
776 }
777 CFArrayRef ca;
778 ortn = sslCompleteCertChain(identity, anchorCert, false, &ca);
779 if(anchorCert) {
780 CFRelease(anchorCert);
781 }
782 return ca;
783 }
784 else {
785 /* simple case, just this one identity */
786 CFArrayRef ca = CFArrayCreate(NULL,
787 (const void **)&identity,
788 1,
789 NULL);
790 if(ca == nil) {
791 printf("CFArrayCreate error\n");
792 }
793 return ca;
794 }
795 }
796 #endif
797
798 OSStatus addTrustedSecCert(
799 SSLContextRef ctx,
800 SecCertificateRef secCert,
801 bool replaceAnchors)
802 {
803 OSStatus ortn;
804 CFMutableArrayRef array;
805
806 if(secCert == NULL) {
807 printf("***addTrustedSecCert screwup\n");
808 return errSecParam;
809 }
810 array = CFArrayCreateMutable(kCFAllocatorDefault,
811 (CFIndex)1, &kCFTypeArrayCallBacks);
812 if(array == NULL) {
813 return errSecAllocate;
814 }
815 CFArrayAppendValue(array, secCert);
816 ortn = SSLSetTrustedRoots(ctx, array, replaceAnchors ? true : false);
817 if(ortn) {
818 printSslErrStr("SSLSetTrustedRoots", ortn);
819 }
820 CFRelease(array);
821 return ortn;
822 }
823
824 OSStatus sslAddTrustedRoot(
825 SSLContextRef ctx,
826 const char *anchorFile,
827 bool replaceAnchors)
828 {
829 return 0;
830 }
831
832 OSStatus addIdentityAsTrustedRoot(
833 SSLContextRef ctx,
834 CFArrayRef identArray)
835 {
836 return errSecSuccess;
837 }
838
839 /*
840 * Lists of SSLCipherSuites used in sslSetCipherRestrictions. Note that the
841 * SecureTransport library does not implement all of these; we only specify
842 * the ones it claims to support.
843 */
844 const SSLCipherSuite suites40[] = {
845 SSL_RSA_EXPORT_WITH_RC4_40_MD5,
846 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
847 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
848 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
849 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
850 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
851 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
852 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
853 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
854 SSL_NO_SUCH_CIPHERSUITE
855 };
856 const SSLCipherSuite suitesDES[] = {
857 SSL_RSA_WITH_DES_CBC_SHA,
858 SSL_DH_DSS_WITH_DES_CBC_SHA,
859 SSL_DH_RSA_WITH_DES_CBC_SHA,
860 SSL_DHE_DSS_WITH_DES_CBC_SHA,
861 SSL_DHE_RSA_WITH_DES_CBC_SHA,
862 SSL_DH_anon_WITH_DES_CBC_SHA,
863 SSL_RSA_WITH_DES_CBC_MD5,
864 SSL_NO_SUCH_CIPHERSUITE
865 };
866 const SSLCipherSuite suitesDES40[] = {
867 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
868 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
869 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
870 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
871 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
872 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
873 SSL_NO_SUCH_CIPHERSUITE
874 };
875 const SSLCipherSuite suites3DES[] = {
876 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
877 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
878 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
879 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
880 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
881 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
882 SSL_RSA_WITH_3DES_EDE_CBC_MD5,
883 SSL_NO_SUCH_CIPHERSUITE
884 };
885 const SSLCipherSuite suitesRC4[] = {
886 SSL_RSA_WITH_RC4_128_MD5,
887 SSL_RSA_WITH_RC4_128_SHA,
888 SSL_DH_anon_WITH_RC4_128_MD5,
889 SSL_NO_SUCH_CIPHERSUITE
890 };
891 const SSLCipherSuite suitesRC4_40[] = {
892 SSL_RSA_EXPORT_WITH_RC4_40_MD5,
893 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
894 SSL_NO_SUCH_CIPHERSUITE
895 };
896 const SSLCipherSuite suitesRC2[] = {
897 SSL_RSA_WITH_RC2_CBC_MD5,
898 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
899 SSL_NO_SUCH_CIPHERSUITE
900 };
901 const SSLCipherSuite suitesAES128[] = {
902 TLS_RSA_WITH_AES_128_CBC_SHA,
903 TLS_DH_DSS_WITH_AES_128_CBC_SHA,
904 TLS_DH_RSA_WITH_AES_128_CBC_SHA,
905 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
906 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
907 TLS_DH_anon_WITH_AES_128_CBC_SHA,
908 SSL_NO_SUCH_CIPHERSUITE
909 };
910 const SSLCipherSuite suitesAES256[] = {
911 TLS_RSA_WITH_AES_256_CBC_SHA,
912 TLS_DH_DSS_WITH_AES_256_CBC_SHA,
913 TLS_DH_RSA_WITH_AES_256_CBC_SHA,
914 TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
915 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
916 TLS_DH_anon_WITH_AES_256_CBC_SHA,
917 SSL_NO_SUCH_CIPHERSUITE
918 };
919 const SSLCipherSuite suitesDH[] = {
920 SSL_DH_DSS_WITH_DES_CBC_SHA,
921 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
922 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
923 SSL_DH_RSA_WITH_DES_CBC_SHA,
924 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
925 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
926 SSL_DHE_DSS_WITH_DES_CBC_SHA,
927 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
928 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
929 SSL_DHE_RSA_WITH_DES_CBC_SHA,
930 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
931 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
932 SSL_DH_anon_WITH_RC4_128_MD5,
933 SSL_DH_anon_WITH_DES_CBC_SHA,
934 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
935 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
936 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
937 TLS_DH_DSS_WITH_AES_128_CBC_SHA,
938 TLS_DH_RSA_WITH_AES_128_CBC_SHA,
939 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
940 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
941 TLS_DH_anon_WITH_AES_128_CBC_SHA,
942 TLS_DH_DSS_WITH_AES_256_CBC_SHA,
943 TLS_DH_RSA_WITH_AES_256_CBC_SHA,
944 TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
945 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
946 TLS_DH_anon_WITH_AES_256_CBC_SHA,
947 SSL_NO_SUCH_CIPHERSUITE
948 };
949 const SSLCipherSuite suitesDHAnon[] = {
950 SSL_DH_anon_WITH_RC4_128_MD5,
951 SSL_DH_anon_WITH_DES_CBC_SHA,
952 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
953 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
954 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
955 TLS_DH_anon_WITH_AES_128_CBC_SHA,
956 TLS_DH_anon_WITH_AES_256_CBC_SHA,
957 SSL_NO_SUCH_CIPHERSUITE
958 };
959 const SSLCipherSuite suitesDH_RSA[] = {
960 SSL_DH_RSA_WITH_DES_CBC_SHA,
961 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
962 SSL_DHE_RSA_WITH_DES_CBC_SHA,
963 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
964 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
965 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
966 TLS_DH_RSA_WITH_AES_128_CBC_SHA,
967 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
968 TLS_DH_RSA_WITH_AES_256_CBC_SHA,
969 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
970 SSL_NO_SUCH_CIPHERSUITE
971 };
972 const SSLCipherSuite suitesDH_DSS[] = {
973 SSL_DH_DSS_WITH_DES_CBC_SHA,
974 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
975 SSL_DHE_DSS_WITH_DES_CBC_SHA,
976 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
977 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
978 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
979 TLS_DH_DSS_WITH_AES_128_CBC_SHA,
980 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
981 TLS_DH_DSS_WITH_AES_256_CBC_SHA,
982 TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
983 SSL_NO_SUCH_CIPHERSUITE
984 };
985 const SSLCipherSuite suites_SHA1[] = {
986 SSL_RSA_WITH_RC4_128_SHA,
987 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
988 SSL_RSA_WITH_IDEA_CBC_SHA,
989 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
990 SSL_RSA_WITH_DES_CBC_SHA,
991 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
992 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
993 SSL_DH_DSS_WITH_DES_CBC_SHA,
994 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
995 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
996 SSL_DH_RSA_WITH_DES_CBC_SHA,
997 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
998 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
999 SSL_DHE_DSS_WITH_DES_CBC_SHA,
1000 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
1001 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
1002 SSL_DHE_RSA_WITH_DES_CBC_SHA,
1003 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
1004 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
1005 SSL_DH_anon_WITH_DES_CBC_SHA,
1006 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
1007 SSL_FORTEZZA_DMS_WITH_NULL_SHA,
1008 SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
1009 TLS_RSA_WITH_AES_128_CBC_SHA,
1010 TLS_DH_DSS_WITH_AES_128_CBC_SHA,
1011 TLS_DH_RSA_WITH_AES_128_CBC_SHA,
1012 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
1013 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
1014 TLS_DH_anon_WITH_AES_128_CBC_SHA,
1015 TLS_RSA_WITH_AES_256_CBC_SHA,
1016 TLS_DH_DSS_WITH_AES_256_CBC_SHA,
1017 TLS_DH_RSA_WITH_AES_256_CBC_SHA,
1018 TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
1019 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
1020 TLS_DH_anon_WITH_AES_256_CBC_SHA,
1021 SSL_NO_SUCH_CIPHERSUITE
1022 };
1023 const SSLCipherSuite suites_MD5[] = {
1024 SSL_RSA_EXPORT_WITH_RC4_40_MD5,
1025 SSL_RSA_WITH_RC4_128_MD5,
1026 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
1027 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
1028 SSL_DH_anon_WITH_RC4_128_MD5,
1029 SSL_NO_SUCH_CIPHERSUITE
1030 };
1031
1032
1033 /*
1034 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
1035 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
1036 * supports and do a SSLSetEnabledCiphers() specifying those.
1037 */
1038 OSStatus sslSetEnabledCiphers(
1039 SSLContextRef ctx,
1040 const SSLCipherSuite *ciphers)
1041 {
1042 size_t numSupported;
1043 OSStatus ortn;
1044 SSLCipherSuite *supported = NULL;
1045 SSLCipherSuite *enabled = NULL;
1046 unsigned enabledDex = 0; // index into enabled
1047 unsigned supportedDex = 0; // index into supported
1048 unsigned inDex = 0; // index into ciphers
1049
1050 /* first get all the supported ciphers */
1051 ortn = SSLGetNumberSupportedCiphers(ctx, &numSupported);
1052 if(ortn) {
1053 printSslErrStr("SSLGetNumberSupportedCiphers", ortn);
1054 return ortn;
1055 }
1056 supported = (SSLCipherSuite *)malloc(numSupported * sizeof(SSLCipherSuite));
1057 ortn = SSLGetSupportedCiphers(ctx, supported, &numSupported);
1058 if(ortn) {
1059 printSslErrStr("SSLGetSupportedCiphers", ortn);
1060 return ortn;
1061 }
1062
1063 /*
1064 * Malloc an array we'll use for SSLGetEnabledCiphers - this will be
1065 * bigger than the number of suites we actually specify
1066 */
1067 enabled = (SSLCipherSuite *)malloc(numSupported * sizeof(SSLCipherSuite));
1068
1069 /*
1070 * For each valid suite in ciphers, see if it's in the list of
1071 * supported ciphers. If it is, add it to the list of ciphers to be
1072 * enabled.
1073 */
1074 for(inDex=0; ciphers[inDex] != SSL_NO_SUCH_CIPHERSUITE; inDex++) {
1075 for(supportedDex=0; supportedDex<numSupported; supportedDex++) {
1076 if(ciphers[inDex] == supported[supportedDex]) {
1077 enabled[enabledDex++] = ciphers[inDex];
1078 break;
1079 }
1080 }
1081 }
1082
1083 /* send it on down. */
1084 ortn = SSLSetEnabledCiphers(ctx, enabled, enabledDex);
1085 if(ortn) {
1086 printSslErrStr("SSLSetEnabledCiphers", ortn);
1087 }
1088 free(enabled);
1089 free(supported);
1090 return ortn;
1091 }
1092
1093 /*
1094 * Specify a restricted set of cipherspecs.
1095 */
1096 OSStatus sslSetCipherRestrictions(
1097 SSLContextRef ctx,
1098 char cipherRestrict)
1099 {
1100 OSStatus ortn;
1101
1102 if(cipherRestrict == '\0') {
1103 return errSecSuccess; // actually should not have been called
1104 }
1105 switch(cipherRestrict) {
1106 case 'e':
1107 ortn = sslSetEnabledCiphers(ctx, suites40);
1108 break;
1109 case 'd':
1110 ortn = sslSetEnabledCiphers(ctx, suitesDES);
1111 break;
1112 case 'D':
1113 ortn = sslSetEnabledCiphers(ctx, suitesDES40);
1114 break;
1115 case '3':
1116 ortn = sslSetEnabledCiphers(ctx, suites3DES);
1117 break;
1118 case '4':
1119 ortn = sslSetEnabledCiphers(ctx, suitesRC4);
1120 break;
1121 case '$':
1122 ortn = sslSetEnabledCiphers(ctx, suitesRC4_40);
1123 break;
1124 case '2':
1125 ortn = sslSetEnabledCiphers(ctx, suitesRC2);
1126 break;
1127 case 'a':
1128 ortn = sslSetEnabledCiphers(ctx, suitesAES128);
1129 break;
1130 case 'A':
1131 ortn = sslSetEnabledCiphers(ctx, suitesAES256);
1132 break;
1133 case 'h':
1134 ortn = sslSetEnabledCiphers(ctx, suitesDH);
1135 break;
1136 case 'H':
1137 ortn = sslSetEnabledCiphers(ctx, suitesDHAnon);
1138 break;
1139 case 'r':
1140 ortn = sslSetEnabledCiphers(ctx, suitesDH_RSA);
1141 break;
1142 case 's':
1143 ortn = sslSetEnabledCiphers(ctx, suitesDH_DSS);
1144 break;
1145 default:
1146 printf("***bad cipherSpec***\n");
1147 exit(1);
1148 }
1149 return ortn;
1150 }
1151
1152 #if 0
1153 int sslVerifyClientCertState(
1154 char *whichSide, // "client" or "server"
1155 SSLClientCertificateState expectState,
1156 SSLClientCertificateState gotState)
1157 {
1158 if(expectState == SSL_CLIENT_CERT_IGNORE) {
1159 /* app says "don't bopther checking" */
1160 return 0;
1161 }
1162 if(expectState == gotState) {
1163 return 0;
1164 }
1165 printf("***%s: Expected clientCertState %s; got %s\n", whichSide,
1166 sslGetClientCertStateString(expectState),
1167 sslGetClientCertStateString(gotState));
1168 return 1;
1169 }
1170
1171 int sslVerifyRtn(
1172 char *whichSide, // "client" or "server"
1173 OSStatus expectRtn,
1174 OSStatus gotRtn)
1175 {
1176 if(expectRtn == gotRtn) {
1177 return 0;
1178 }
1179 printf("***%s: Expected return %s; got %s\n", whichSide,
1180 sslGetSSLErrString(expectRtn),
1181 sslGetSSLErrString(gotRtn));
1182 return 1;
1183 }
1184
1185 int sslVerifyProtVers(
1186 char *whichSide, // "client" or "server"
1187 SSLProtocol expectProt,
1188 SSLProtocol gotProt)
1189 {
1190 if(expectProt == SSL_PROTOCOL_IGNORE) {
1191 /* app says "don't bopther checking" */
1192 return 0;
1193 }
1194 if(expectProt == gotProt) {
1195 return 0;
1196 }
1197 printf("***%s: Expected return %s; got %s\n", whichSide,
1198 sslGetProtocolVersionString(expectProt),
1199 sslGetProtocolVersionString(gotProt));
1200 return 1;
1201 }
1202
1203 int sslVerifyCipher(
1204 char *whichSide, // "client" or "server"
1205 SSLCipherSuite expectCipher,
1206 SSLCipherSuite gotCipher)
1207 {
1208 if(expectCipher == SSL_CIPHER_IGNORE) {
1209 /* app says "don't bopther checking" */
1210 return 0;
1211 }
1212 if(expectCipher == gotCipher) {
1213 return 0;
1214 }
1215 printf("***%s: Expected return %s; got %s\n", whichSide,
1216 sslGetCipherSuiteString(expectCipher),
1217 sslGetCipherSuiteString(gotCipher));
1218 return 1;
1219 }
1220
1221
1222 OSStatus sslSetProtocols(
1223 SSLContextRef ctx,
1224 const char *acceptedProts,
1225 SSLProtocol tryVersion) // only used if acceptedProts NULL
1226 {
1227 OSStatus ortn;
1228
1229 if(acceptedProts) {
1230 #if JAGUAR_BUILD
1231 printf("***SSLSetProtocolVersionEnabled not supported in this config.\n");
1232 exit(1);
1233 #endif
1234 ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
1235 if(ortn) {
1236 printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
1237 return ortn;
1238 }
1239 for(const char *cp = acceptedProts; *cp; cp++) {
1240 SSLProtocol prot;
1241 switch(*cp) {
1242 case '2':
1243 prot = kSSLProtocol2;
1244 break;
1245 case '3':
1246 prot = kSSLProtocol3;
1247 break;
1248 case 't':
1249 prot = kTLSProtocol1;
1250 break;
1251 default:
1252 printf("***BRRZAP! Bad acceptedProts string %s. Aborting.\n", acceptedProts);
1253 exit(1);
1254 }
1255 ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
1256 if(ortn) {
1257 printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
1258 return ortn;
1259 }
1260 }
1261 }
1262 else {
1263 ortn = SSLSetProtocolVersion(ctx, tryVersion);
1264 if(ortn) {
1265 printSslErrStr("SSLSetProtocolVersion", ortn);
1266 return ortn;
1267 }
1268 }
1269 return errSecSuccess;
1270 }
1271
1272 void sslShowResult(
1273 char *whichSide, // "client" or "server"
1274 SslAppTestParams *params)
1275 {
1276 printf("%s status:\n", whichSide);
1277 if(params->acceptedProts) {
1278 printf(" Allowed SSL versions : %s\n", params->acceptedProts);
1279 }
1280 else {
1281 printf(" Attempted SSL version : %s\n",
1282 sslGetProtocolVersionString(params->tryVersion));
1283 }
1284 printf(" Result : %s\n", sslGetSSLErrString(params->ortn));
1285 printf(" Negotiated SSL version : %s\n",
1286 sslGetProtocolVersionString(params->negVersion));
1287 printf(" Negotiated CipherSuite : %s\n",
1288 sslGetCipherSuiteString(params->negCipher));
1289 if(params->certState != kSSLClientCertNone) {
1290 printf(" Client Cert State : %s\n",
1291 sslGetClientCertStateString(params->certState));
1292 }
1293 }
1294 #endif
1295
1296 /* print a '.' every few seconds to keep UI alive while connecting */
1297 static time_t lastTime = (time_t)0;
1298 #define TIME_INTERVAL 3
1299
1300 void sslOutputDot()
1301 {
1302 time_t thisTime = time(0);
1303
1304 if((thisTime - lastTime) >= TIME_INTERVAL) {
1305 printf("."); fflush(stdout);
1306 lastTime = thisTime;
1307 }
1308 }
1309
1310 #if 0
1311 /* main server pthread body */
1312 static void *sslServerThread(void *arg)
1313 {
1314 SslAppTestParams *testParams = (SslAppTestParams *)arg;
1315 OSStatus status;
1316
1317 status = sslAppServe(testParams);
1318 pthread_exit((void*)status);
1319 /* NOT REACHED */
1320 return (void *)status;
1321 }
1322
1323 /*
1324 * Run one session, with the server in a separate thread.
1325 * On entry, serverParams->port is the port we attempt to run on;
1326 * the server thread may overwrite that with a different port if it's
1327 * unable to open the port we specify. Whatever is left in
1328 * serverParams->port is what's used for the client side.
1329 */
1330 #define CLIENT_WAIT_SECONDS 1
1331 int sslRunSession(
1332 SslAppTestParams*serverParams,
1333 SslAppTestParams *clientParams,
1334 const char *testDesc)
1335 {
1336 pthread_t serverPthread;
1337 OSStatus clientRtn;
1338 void *serverRtn;
1339
1340 if(testDesc && !clientParams->quiet) {
1341 printf("===== %s =====\n", testDesc);
1342 }
1343
1344 if(pthread_mutex_init(&serverParams->pthreadMutex, NULL)) {
1345 printf("***Error initializing mutex; aborting.\n");
1346 return -1;
1347 }
1348 if(pthread_cond_init(&serverParams->pthreadCond, NULL)) {
1349 printf("***Error initializing pthreadCond; aborting.\n");
1350 return -1;
1351 }
1352 serverParams->serverReady = false; // server sets true
1353
1354 int result = pthread_create(&serverPthread, NULL,
1355 sslServerThread, serverParams);
1356 if(result) {
1357 printf("***Error starting up server thread; aborting.\n");
1358 return result;
1359 }
1360
1361 /* wait for server to set up a socket we can connect to */
1362 if(pthread_mutex_lock(&serverParams->pthreadMutex)) {
1363 printf("***Error acquiring server lock; aborting.\n");
1364 return -1;
1365 }
1366 while(!serverParams->serverReady) {
1367 if(pthread_cond_wait(&serverParams->pthreadCond, &serverParams->pthreadMutex)) {
1368 printf("***Error waiting server thread; aborting.\n");
1369 return -1;
1370 }
1371 }
1372 pthread_mutex_unlock(&serverParams->pthreadMutex);
1373 pthread_cond_destroy(&serverParams->pthreadCond);
1374 pthread_mutex_destroy(&serverParams->pthreadMutex);
1375
1376 clientParams->port = serverParams->port;
1377 clientRtn = sslAppClient(clientParams);
1378 /* server doesn't shut down its socket until it sees this */
1379 serverParams->clientDone = 1;
1380 result = pthread_join(serverPthread, &serverRtn);
1381 if(result) {
1382 printf("***pthread_join returned %d, aborting\n", result);
1383 return result;
1384 }
1385
1386 if(serverParams->verbose) {
1387 sslShowResult("server", serverParams);
1388 }
1389 if(clientParams->verbose) {
1390 sslShowResult("client", clientParams);
1391 }
1392
1393 /* verify results */
1394 int ourRtn = 0;
1395 ourRtn += sslVerifyRtn("server", serverParams->expectRtn, serverParams->ortn);
1396 ourRtn += sslVerifyRtn("client", clientParams->expectRtn, clientParams->ortn);
1397 ourRtn += sslVerifyProtVers("server", serverParams->expectVersion,
1398 serverParams->negVersion);
1399 ourRtn += sslVerifyProtVers("client", clientParams->expectVersion,
1400 clientParams->negVersion);
1401 ourRtn += sslVerifyClientCertState("server", serverParams->expectCertState,
1402 serverParams->certState);
1403 ourRtn += sslVerifyClientCertState("client", clientParams->expectCertState,
1404 clientParams->certState);
1405 if(serverParams->ortn == errSecSuccess) {
1406 ourRtn += sslVerifyCipher("server", serverParams->expectCipher,
1407 serverParams->negCipher);
1408 }
1409 if(clientParams->ortn == errSecSuccess) {
1410 ourRtn += sslVerifyCipher("client", clientParams->expectCipher,
1411 clientParams->negCipher);
1412 }
1413 return ourRtn;
1414 }
1415
1416 static bool isCertRoot(
1417 SecCertificateRef cert)
1418 {
1419 /* FIXME - per Radar 3247491, the Sec-level functions we'd like to use for this
1420 * haven't been written yet...
1421 CSSM_X509_NAME subject;
1422 CSSM_X509_NAME issuer;
1423 OSStatus ortn;
1424 ... */
1425 return true;
1426 }
1427
1428 /*
1429 * Add all of the roots in a given KC to SSL ctx's trusted anchors.
1430 */
1431 OSStatus sslAddTrustedRoots(
1432 SSLContextRef ctx,
1433 SecKeychainRef keychain,
1434 bool *foundOne) // RETURNED, true if we found
1435 // at least one root cert
1436 {
1437 OSStatus ortn;
1438 SecCertificateRef secCert;
1439 SecKeychainSearchRef srch;
1440
1441 *foundOne = false;
1442 ortn = SecKeychainSearchCreateFromAttributes(keychain,
1443 kSecCertificateItemClass,
1444 NULL, // any attrs
1445 &srch);
1446 if(ortn) {
1447 printSslErrStr("SecKeychainSearchCreateFromAttributes", ortn);
1448 return ortn;
1449 }
1450
1451 /*
1452 * Only use root certs. Not an error if we don't find any.
1453 */
1454 do {
1455 ortn = SecKeychainSearchCopyNext(srch,
1456 (SecKeychainItemRef *)&secCert);
1457 if(ortn) {
1458 break;
1459 }
1460
1461 /* see if it's a root */
1462 if(!isCertRoot(secCert)) {
1463 continue;
1464 }
1465
1466 /* Tell Secure Transport to trust this one. */
1467 ortn = addTrustedSecCert(ctx, secCert, false);
1468 if(ortn) {
1469 /* fatal */
1470 printSslErrStr("addTrustedSecCert", ortn);
1471 return ortn;
1472 }
1473 CFRelease(secCert);
1474 *foundOne = true;
1475 } while(ortn == errSecSuccess);
1476 CFRelease(srch);
1477 return errSecSuccess;
1478 }
1479
1480 /*
1481 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
1482 */
1483 OSStatus sslIdentityPicker(
1484 SecKeychainRef kcRef, // NULL means use default list
1485 const char *trustedAnchor, // optional additional trusted anchor
1486 bool includeRoot, // true --> root is appended to outArray
1487 // false --> root not included
1488 CFArrayRef *outArray) // created and RETURNED
1489 {
1490 SecCertificateRef trustedCert = NULL;
1491 OSStatus ortn;
1492
1493 if(trustedAnchor) {
1494 ortn = sslReadAnchor(trustedAnchor, &trustedCert);
1495 if(ortn) {
1496 printf("***Error reading %s. sslIdentityPicker proceeding with no anchor.\n",
1497 trustedAnchor);
1498 trustedCert = NULL;
1499 }
1500 }
1501 ortn = sslIdentPicker(kcRef, trustedCert, includeRoot, outArray);
1502 if(trustedCert) {
1503 CFRelease(trustedCert);
1504 }
1505 return ortn;
1506 }
1507
1508 /*
1509 * Given a keychain name, convert it into a full path using the "SSL regression
1510 * test suite algorithm". The Sec layer by default locates root root's keychains
1511 * in different places depending on whether we're actually logged in as root
1512 * or running via e.g. cron, so we force the location of root keychains to
1513 * a hard-coded path. User keychain names we leave alone.
1514 */
1515 void sslKeychainPath(
1516 const char *kcName,
1517 char *kcPath) // allocd by caller, MAXPATHLEN
1518 {
1519 if(kcName[0] == '\0') {
1520 kcPath[0] = '\0';
1521 }
1522 else if(geteuid() == 0) {
1523 /* root */
1524 sprintf(kcPath, "/Library/Keychains/%s", kcName);
1525 }
1526 else {
1527 /* user, leave alone */
1528 strcpy(kcPath, kcName);
1529 }
1530 }
1531
1532 /* Verify presence of required file. Returns nonzero if not found. */
1533 int sslCheckFile(const char *path)
1534 {
1535 struct stat sb;
1536
1537 if(stat(path, &sb)) {
1538 printf("***Can't find file %s.\n", path);
1539 printf(" Try running in the build directory, perhaps after running the\n"
1540 " makeLocalCert script.\n");
1541 return 1;
1542 }
1543 return 0;
1544 }
1545
1546 #endif
1547
1548 /* Stringify a SSL_ECDSA_NamedCurve */
1549 extern const char *sslCurveString(
1550 SSL_ECDSA_NamedCurve namedCurve)
1551 {
1552 static char unk[100];
1553
1554 switch(namedCurve) {
1555 case SSL_Curve_None: return "Curve_None";
1556 case SSL_Curve_secp256r1: return "secp256r1";
1557 case SSL_Curve_secp384r1: return "secp384r1";
1558 case SSL_Curve_secp521r1: return "secp521r1";
1559 default:
1560 sprintf(unk, "Unknown <%d>", (int)namedCurve);
1561 return unk;
1562 }
1563 }
mirror of Security