]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_ssl/lib/sslCipherSpecs.c
Security-57740.51.3.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / lib / sslCipherSpecs.c
1 /*
2 * Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * cipherSpecs.c - SSLCipherSpec declarations
26 */
27
28 #include "sslBuildFlags.h"
29 #include "sslContext.h"
30 #include "sslCipherSpecs.h"
31 #include "sslDebug.h"
32 #include "sslMemory.h"
33 #include "sslDebug.h"
34 #include "sslPriv.h"
35
36 #include <tls_handshake.h>
37
38 #include <string.h>
39 #include <assert.h>
40 #include <Security/SecBase.h>
41
42 #include <TargetConditionals.h>
43
44
45 /* SecureTransport needs it's own copy of KnownCipherSuites for now, there is a copy in coreTLS,
46 that is exported, but it actually should only included the "default" not the supported */
47
48 #define ENABLE_ECDH 1
49 #define ENABLE_AES_GCM 1
50 #define ENABLE_PSK 1
51
52 static const uint16_t STKnownCipherSuites[] = {
53 #if ENABLE_AES_GCM
54 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
55 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
56 #endif
57 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
58 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
59 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
60 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
61 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
62 #if ENABLE_AES_GCM
63 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
64 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
65 #endif
66 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
67 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
68 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
69 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
70 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
71 #if ENABLE_ECDH
72 #if ENABLE_AES_GCM
73 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
74 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
75 #endif
76 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
77 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
78 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
79 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
80 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
81 #if ENABLE_AES_GCM
82 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
83 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
84 #endif
85 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
86 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
87 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
88 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
89 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
90 #endif
91
92 #if ENABLE_AES_GCM
93 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
94 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
95 #endif // ENABLE_AES_GCM
96 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
97 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
98 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
99 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
100 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
101
102 #if ENABLE_AES_GCM
103 TLS_RSA_WITH_AES_256_GCM_SHA384,
104 TLS_RSA_WITH_AES_128_GCM_SHA256,
105 #endif
106 TLS_RSA_WITH_AES_256_CBC_SHA256,
107 TLS_RSA_WITH_AES_128_CBC_SHA256,
108 TLS_RSA_WITH_AES_256_CBC_SHA,
109 TLS_RSA_WITH_AES_128_CBC_SHA,
110 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
111
112 #if ENABLE_RC4
113 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
114 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
115 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
116 TLS_ECDH_RSA_WITH_RC4_128_SHA,
117 SSL_RSA_WITH_RC4_128_SHA,
118 SSL_RSA_WITH_RC4_128_MD5,
119 #endif
120
121
122 /* Unsafe ciphersuites */
123
124 #if ENABLE_AES_GCM
125 TLS_DH_anon_WITH_AES_256_GCM_SHA384,
126 TLS_DH_anon_WITH_AES_128_GCM_SHA256,
127 #endif
128 TLS_DH_anon_WITH_AES_128_CBC_SHA256,
129 TLS_DH_anon_WITH_AES_256_CBC_SHA256,
130 TLS_DH_anon_WITH_AES_128_CBC_SHA,
131 TLS_DH_anon_WITH_AES_256_CBC_SHA,
132 SSL_DH_anon_WITH_RC4_128_MD5,
133 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
134
135 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
136 TLS_ECDHE_RSA_WITH_NULL_SHA,
137 #if ENABLE_ECDH
138 TLS_ECDH_ECDSA_WITH_NULL_SHA,
139 TLS_ECDH_RSA_WITH_NULL_SHA,
140 #endif
141
142 #if ENABLE_PSK
143 TLS_PSK_WITH_AES_256_CBC_SHA384,
144 TLS_PSK_WITH_AES_128_CBC_SHA256,
145 TLS_PSK_WITH_AES_256_CBC_SHA,
146 TLS_PSK_WITH_AES_128_CBC_SHA,
147 TLS_PSK_WITH_RC4_128_SHA,
148 TLS_PSK_WITH_3DES_EDE_CBC_SHA,
149 TLS_PSK_WITH_NULL_SHA384,
150 TLS_PSK_WITH_NULL_SHA256,
151 TLS_PSK_WITH_NULL_SHA,
152 #endif
153
154 TLS_RSA_WITH_NULL_SHA256,
155 SSL_RSA_WITH_NULL_SHA,
156 SSL_RSA_WITH_NULL_MD5
157
158 };
159
160 static const unsigned STCipherSuiteCount = sizeof(STKnownCipherSuites)/sizeof(STKnownCipherSuites[0]);
161
162
163 /*
164 * Convert an array of uint16_t
165 * to an array of SSLCipherSuites.
166 */
167 static OSStatus
168 cipherSuitesToCipherSuites(
169 size_t numCipherSuites,
170 const uint16_t *cipherSuites,
171 SSLCipherSuite *ciphers, /* RETURNED */
172 size_t *numCiphers) /* IN/OUT */
173 {
174 size_t i;
175 if(*numCiphers < numCipherSuites) {
176 return errSSLBufferOverflow;
177 }
178
179 /* NOTE: this is required to go from uint16_t to SSLCipherSuite
180 which is either 32 or 16 bits, depending on the platform */
181 for(i=0;i<numCipherSuites; i++) {
182 ciphers[i]=cipherSuites[i];
183 }
184 *numCiphers = numCipherSuites;
185 return errSecSuccess;
186 }
187
188 /***
189 *** Publically exported functions declared in SecureTransport.h
190 ***/
191
192 /*
193 * Determine number and values of all of the SSLCipherSuites we support.
194 * Caller allocates output buffer for SSLGetSupportedCiphers() and passes in
195 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
196 * will be returned.
197 */
198 OSStatus
199 SSLGetNumberSupportedCiphers (SSLContextRef ctx,
200 size_t *numCiphers)
201 {
202 if((ctx == NULL) || (numCiphers == NULL)) {
203 return errSecParam;
204 }
205 *numCiphers = STCipherSuiteCount;
206 return errSecSuccess;
207 }
208
209 OSStatus
210 SSLGetSupportedCiphers (SSLContextRef ctx,
211 SSLCipherSuite *ciphers, /* RETURNED */
212 size_t *numCiphers) /* IN/OUT */
213 {
214 if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) {
215 return errSecParam;
216 }
217 return cipherSuitesToCipherSuites(STCipherSuiteCount,
218 STKnownCipherSuites,
219 ciphers,
220 numCiphers);
221 }
222
223 /*
224 * Specify a (typically) restricted set of SSLCipherSuites to be enabled by
225 * the current SSLContext. Can only be called when no session is active. Default
226 * set of enabled SSLCipherSuites is NOT the same as the complete set of supported
227 * SSLCipherSuites as obtained by SSLGetSupportedCiphers().
228 */
229 OSStatus
230 SSLSetEnabledCiphers (SSLContextRef ctx,
231 const SSLCipherSuite *ciphers,
232 size_t numCiphers)
233 {
234 uint16_t *cs;
235
236 if((ctx == NULL) || (ciphers == NULL) || (numCiphers == 0)) {
237 return errSecParam;
238 }
239 if(sslIsSessionActive(ctx)) {
240 /* can't do this with an active session */
241 return errSecBadReq;
242 }
243
244 cs = (uint16_t *)sslMalloc(numCiphers * sizeof(uint16_t));
245 if(cs == NULL) {
246 return errSecAllocate;
247 }
248
249 for(int i=0; i<numCiphers; i++)
250 {
251 cs[i] = ciphers[i];
252 }
253
254 tls_handshake_set_ciphersuites(ctx->hdsk, cs, (unsigned) numCiphers);
255
256 sslFree(cs);
257
258 return errSecSuccess;
259 }
260
261 /*
262 * Determine number and values of all of the SSLCipherSuites currently enabled.
263 * Caller allocates output buffer for SSLGetEnabledCiphers() and passes in
264 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
265 * will be returned.
266 */
267 OSStatus
268 SSLGetNumberEnabledCiphers (SSLContextRef ctx,
269 size_t *numCiphers)
270 {
271 if((ctx == NULL) || (numCiphers == NULL)) {
272 return errSecParam;
273 }
274
275 unsigned n;
276 const uint16_t *ciphersuites;
277 int err;
278
279 err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);
280
281 if(err) {
282 return err;
283 } else {
284 *numCiphers = n;
285 return errSecSuccess;
286 }
287 }
288
289 OSStatus
290 SSLGetEnabledCiphers (SSLContextRef ctx,
291 SSLCipherSuite *ciphers, /* RETURNED */
292 size_t *numCiphers) /* IN/OUT */
293 {
294 if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) {
295 return errSecParam;
296 }
297
298 unsigned n;
299 const uint16_t *ciphersuites;
300 int err;
301
302 err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n);
303
304 if(err) {
305 return err;
306 } else {
307 return cipherSuitesToCipherSuites(n,
308 ciphersuites,
309 ciphers,
310 numCiphers);
311 }
312 }