2 * Copyright (c) 1999-2002,2005-2007,2010-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * CipherSuite.h - SSL Cipher Suite definitions.
28 #ifndef _SECURITY_CIPHERSUITE_H_
29 #define _SECURITY_CIPHERSUITE_H_
31 #include <TargetConditionals.h>
33 #include <CoreFoundation/CFBase.h> /* CF_ENUM */
36 * Defined as enum for debugging, but in the protocol
37 * it is actually exactly two bytes
39 #if ((TARGET_OS_IPHONE && !TARGET_OS_MACCATALYST) || (TARGET_OS_OSX && TARGET_CPU_ARM64))
40 /* 16-bit value on iOS */
41 typedef uint16_t SSLCipherSuite
;
43 /* 32-bit value elsewhere */
44 typedef uint32_t SSLCipherSuite
;
47 CF_ENUM(SSLCipherSuite
)
48 { SSL_NULL_WITH_NULL_NULL
= 0x0000,
49 SSL_RSA_WITH_NULL_MD5
= 0x0001,
50 SSL_RSA_WITH_NULL_SHA
= 0x0002,
51 SSL_RSA_EXPORT_WITH_RC4_40_MD5
= 0x0003,
52 SSL_RSA_WITH_RC4_128_MD5
= 0x0004,
53 SSL_RSA_WITH_RC4_128_SHA
= 0x0005,
54 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
= 0x0006,
55 SSL_RSA_WITH_IDEA_CBC_SHA
= 0x0007,
56 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
= 0x0008,
57 SSL_RSA_WITH_DES_CBC_SHA
= 0x0009,
58 SSL_RSA_WITH_3DES_EDE_CBC_SHA
= 0x000A,
59 SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
= 0x000B,
60 SSL_DH_DSS_WITH_DES_CBC_SHA
= 0x000C,
61 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
= 0x000D,
62 SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
= 0x000E,
63 SSL_DH_RSA_WITH_DES_CBC_SHA
= 0x000F,
64 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
= 0x0010,
65 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
= 0x0011,
66 SSL_DHE_DSS_WITH_DES_CBC_SHA
= 0x0012,
67 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
= 0x0013,
68 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
= 0x0014,
69 SSL_DHE_RSA_WITH_DES_CBC_SHA
= 0x0015,
70 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
= 0x0016,
71 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
= 0x0017,
72 SSL_DH_anon_WITH_RC4_128_MD5
= 0x0018,
73 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
= 0x0019,
74 SSL_DH_anon_WITH_DES_CBC_SHA
= 0x001A,
75 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
= 0x001B,
76 SSL_FORTEZZA_DMS_WITH_NULL_SHA
= 0x001C,
77 SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
= 0x001D,
79 /* TLS addenda using AES, per RFC 3268 */
80 TLS_RSA_WITH_AES_128_CBC_SHA
= 0x002F,
81 TLS_DH_DSS_WITH_AES_128_CBC_SHA
= 0x0030,
82 TLS_DH_RSA_WITH_AES_128_CBC_SHA
= 0x0031,
83 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
= 0x0032,
84 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
= 0x0033,
85 TLS_DH_anon_WITH_AES_128_CBC_SHA
= 0x0034,
86 TLS_RSA_WITH_AES_256_CBC_SHA
= 0x0035,
87 TLS_DH_DSS_WITH_AES_256_CBC_SHA
= 0x0036,
88 TLS_DH_RSA_WITH_AES_256_CBC_SHA
= 0x0037,
89 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
= 0x0038,
90 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
= 0x0039,
91 TLS_DH_anon_WITH_AES_256_CBC_SHA
= 0x003A,
93 /* ECDSA addenda, RFC 4492 */
94 TLS_ECDH_ECDSA_WITH_NULL_SHA
= 0xC001,
95 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
= 0xC002,
96 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
= 0xC003,
97 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
= 0xC004,
98 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
= 0xC005,
99 TLS_ECDHE_ECDSA_WITH_NULL_SHA
= 0xC006,
100 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
= 0xC007,
101 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
= 0xC008,
102 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
= 0xC009,
103 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
= 0xC00A,
104 TLS_ECDH_RSA_WITH_NULL_SHA
= 0xC00B,
105 TLS_ECDH_RSA_WITH_RC4_128_SHA
= 0xC00C,
106 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
= 0xC00D,
107 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
= 0xC00E,
108 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
= 0xC00F,
109 TLS_ECDHE_RSA_WITH_NULL_SHA
= 0xC010,
110 TLS_ECDHE_RSA_WITH_RC4_128_SHA
= 0xC011,
111 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
= 0xC012,
112 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
= 0xC013,
113 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
= 0xC014,
114 TLS_ECDH_anon_WITH_NULL_SHA
= 0xC015,
115 TLS_ECDH_anon_WITH_RC4_128_SHA
= 0xC016,
116 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
= 0xC017,
117 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
= 0xC018,
118 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
= 0xC019,
120 /* ECDHE_PSK Cipher Suites for Transport Layer Security (TLS), RFC 5489 */
121 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
= 0xC035,
122 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
= 0xC036,
124 /* ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS), RFC 7905 */
125 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
= 0xCCAB,
127 /* TLS 1.2 addenda, RFC 5246 */
130 TLS_NULL_WITH_NULL_NULL
= 0x0000,
132 /* Server provided RSA certificate for key exchange. */
133 TLS_RSA_WITH_NULL_MD5
= 0x0001,
134 TLS_RSA_WITH_NULL_SHA
= 0x0002,
135 TLS_RSA_WITH_RC4_128_MD5
= 0x0004,
136 TLS_RSA_WITH_RC4_128_SHA
= 0x0005,
137 TLS_RSA_WITH_3DES_EDE_CBC_SHA
= 0x000A,
138 TLS_RSA_WITH_NULL_SHA256
= 0x003B,
139 TLS_RSA_WITH_AES_128_CBC_SHA256
= 0x003C,
140 TLS_RSA_WITH_AES_256_CBC_SHA256
= 0x003D,
142 /* Server-authenticated (and optionally client-authenticated) Diffie-Hellman. */
143 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
= 0x000D,
144 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
= 0x0010,
145 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
= 0x0013,
146 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
= 0x0016,
147 TLS_DH_DSS_WITH_AES_128_CBC_SHA256
= 0x003E,
148 TLS_DH_RSA_WITH_AES_128_CBC_SHA256
= 0x003F,
149 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
= 0x0040,
150 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
= 0x0067,
151 TLS_DH_DSS_WITH_AES_256_CBC_SHA256
= 0x0068,
152 TLS_DH_RSA_WITH_AES_256_CBC_SHA256
= 0x0069,
153 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
= 0x006A,
154 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
= 0x006B,
156 /* Completely anonymous Diffie-Hellman */
157 TLS_DH_anon_WITH_RC4_128_MD5
= 0x0018,
158 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
= 0x001B,
159 TLS_DH_anon_WITH_AES_128_CBC_SHA256
= 0x006C,
160 TLS_DH_anon_WITH_AES_256_CBC_SHA256
= 0x006D,
162 /* Addendum from RFC 4279, TLS PSK */
163 TLS_PSK_WITH_RC4_128_SHA
= 0x008A,
164 TLS_PSK_WITH_3DES_EDE_CBC_SHA
= 0x008B,
165 TLS_PSK_WITH_AES_128_CBC_SHA
= 0x008C,
166 TLS_PSK_WITH_AES_256_CBC_SHA
= 0x008D,
167 TLS_DHE_PSK_WITH_RC4_128_SHA
= 0x008E,
168 TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
= 0x008F,
169 TLS_DHE_PSK_WITH_AES_128_CBC_SHA
= 0x0090,
170 TLS_DHE_PSK_WITH_AES_256_CBC_SHA
= 0x0091,
171 TLS_RSA_PSK_WITH_RC4_128_SHA
= 0x0092,
172 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
= 0x0093,
173 TLS_RSA_PSK_WITH_AES_128_CBC_SHA
= 0x0094,
174 TLS_RSA_PSK_WITH_AES_256_CBC_SHA
= 0x0095,
176 /* RFC 4785 - Pre-Shared Key (PSK) Ciphersuites with NULL Encryption */
177 TLS_PSK_WITH_NULL_SHA
= 0x002C,
178 TLS_DHE_PSK_WITH_NULL_SHA
= 0x002D,
179 TLS_RSA_PSK_WITH_NULL_SHA
= 0x002E,
181 /* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS. */
182 TLS_RSA_WITH_AES_128_GCM_SHA256
= 0x009C,
183 TLS_RSA_WITH_AES_256_GCM_SHA384
= 0x009D,
184 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
= 0x009E,
185 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
= 0x009F,
186 TLS_DH_RSA_WITH_AES_128_GCM_SHA256
= 0x00A0,
187 TLS_DH_RSA_WITH_AES_256_GCM_SHA384
= 0x00A1,
188 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
= 0x00A2,
189 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
= 0x00A3,
190 TLS_DH_DSS_WITH_AES_128_GCM_SHA256
= 0x00A4,
191 TLS_DH_DSS_WITH_AES_256_GCM_SHA384
= 0x00A5,
192 TLS_DH_anon_WITH_AES_128_GCM_SHA256
= 0x00A6,
193 TLS_DH_anon_WITH_AES_256_GCM_SHA384
= 0x00A7,
195 /* RFC 5487 - PSK with SHA-256/384 and AES GCM */
196 TLS_PSK_WITH_AES_128_GCM_SHA256
= 0x00A8,
197 TLS_PSK_WITH_AES_256_GCM_SHA384
= 0x00A9,
198 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
= 0x00AA,
199 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
= 0x00AB,
200 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
= 0x00AC,
201 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
= 0x00AD,
203 TLS_PSK_WITH_AES_128_CBC_SHA256
= 0x00AE,
204 TLS_PSK_WITH_AES_256_CBC_SHA384
= 0x00AF,
205 TLS_PSK_WITH_NULL_SHA256
= 0x00B0,
206 TLS_PSK_WITH_NULL_SHA384
= 0x00B1,
208 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
= 0x00B2,
209 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
= 0x00B3,
210 TLS_DHE_PSK_WITH_NULL_SHA256
= 0x00B4,
211 TLS_DHE_PSK_WITH_NULL_SHA384
= 0x00B5,
213 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
= 0x00B6,
214 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
= 0x00B7,
215 TLS_RSA_PSK_WITH_NULL_SHA256
= 0x00B8,
216 TLS_RSA_PSK_WITH_NULL_SHA384
= 0x00B9,
218 /* TLS 1.3 standard cipher suites for ChaCha20+Poly1305.
219 Note: TLS 1.3 ciphersuites do not specify the key exchange
220 algorithm -- they only specify the symmetric ciphers. */
221 TLS_AES_128_GCM_SHA256
= 0x1301,
222 TLS_AES_256_GCM_SHA384
= 0x1302,
223 TLS_CHACHA20_POLY1305_SHA256
= 0x1303,
224 TLS_AES_128_CCM_SHA256
= 0x1304,
225 TLS_AES_128_CCM_8_SHA256
= 0x1305,
227 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
229 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
= 0xC023,
230 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
= 0xC024,
231 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
= 0xC025,
232 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
= 0xC026,
233 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
= 0xC027,
234 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
= 0xC028,
235 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
= 0xC029,
236 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
= 0xC02A,
238 /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
239 SHA-256/384 and AES Galois Counter Mode (GCM) */
240 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
= 0xC02B,
241 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
= 0xC02C,
242 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
= 0xC02D,
243 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
= 0xC02E,
244 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
= 0xC02F,
245 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
= 0xC030,
246 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
= 0xC031,
247 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
= 0xC032,
249 /* Addenda from rfc 7905 ChaCha20-Poly1305 Cipher Suites for
250 Transport Layer Security (TLS). */
251 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
= 0xCCA8,
252 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
= 0xCCA9,
254 /* RFC 5746 - Secure Renegotiation */
255 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
= 0x00FF,
257 /* Tags for SSL 2 cipher kinds which are not specified
259 SSL_RSA_WITH_RC2_CBC_MD5
= 0xFF80,
260 SSL_RSA_WITH_IDEA_CBC_MD5
= 0xFF81,
261 SSL_RSA_WITH_DES_CBC_MD5
= 0xFF82,
262 SSL_RSA_WITH_3DES_EDE_CBC_MD5
= 0xFF83,
263 SSL_NO_SUCH_CIPHERSUITE
= 0xFFFF
267 * Convenience ciphersuite groups that collate ciphersuites of comparable security
268 * properties into a single alias.
270 typedef CF_ENUM(int, SSLCiphersuiteGroup
) {
271 kSSLCiphersuiteGroupDefault
,
272 kSSLCiphersuiteGroupCompatibility
,
273 kSSLCiphersuiteGroupLegacy
,
274 kSSLCiphersuiteGroupATS
,
275 kSSLCiphersuiteGroupATSCompatibility
,
278 #endif /* !_SECURITY_CIPHERSUITE_H_ */
projects / apple / security.git / blob