]> git.saurik.com Git - apple/security.git/blob - libsecurity_ssl/sslViewer/sslAppUtils.h
Security-55163.44.tar.gz
[apple/security.git] / libsecurity_ssl / sslViewer / sslAppUtils.h
1 /*
2 * Copyright (c) 2006-2008,2010-2012 Apple Inc. All Rights Reserved.
3 */
4
5 #ifndef _SSLS_APP_UTILS_H_
6 #define _SSLS_APP_UTILS_H_ 1
7
8 #include <Security/SecureTransport.h>
9 #include <Security/SecureTransportPriv.h>
10 #include <CoreFoundation/CFArray.h>
11 #include <stdbool.h>
12 #include <Security/SecCertificate.h>
13
14 #ifdef __cplusplus
15 extern "C" {
16 #endif
17
18 typedef struct OpaqueSecKeychainRef *SecKeychainRef;
19
20 const char *sslGetCipherSuiteString(SSLCipherSuite cs);
21 const char *sslGetProtocolVersionString(SSLProtocol prot);
22 const char *sslGetSSLErrString(OSStatus err);
23 void printSslErrStr(const char *op, OSStatus err);
24 const char *sslGetClientCertStateString(SSLClientCertificateState state);
25 const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);
26
27 CFArrayRef getSslCerts(
28 const char *kcName, // may be NULL, i.e., use default
29 bool encryptOnly,
30 bool completeCertChain,
31 const char *anchorFile, // optional trusted anchor
32 SecKeychainRef *pKcRef); // RETURNED
33 OSStatus sslCompleteCertChain(
34 SecIdentityRef identity,
35 SecCertificateRef trustedAnchor, // optional additional trusted anchor
36 bool includeRoot, // include the root in outArray
37 // const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
38 CFArrayRef *outArray); // created and RETURNED
39 CFArrayRef sslKcRefToCertArray(
40 SecKeychainRef kcRef,
41 bool encryptOnly,
42 bool completeCertChain,
43 // const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL policy to complete
44 const char *trustedAnchorFile);
45
46 OSStatus addTrustedSecCert(
47 SSLContextRef ctx,
48 SecCertificateRef secCert,
49 bool replaceAnchors);
50 OSStatus sslReadAnchor(
51 const char *anchorFile,
52 SecCertificateRef *certRef);
53 OSStatus sslAddTrustedRoot(
54 SSLContextRef ctx,
55 const char *anchorFile,
56 bool replaceAnchors);
57
58 /*
59 * Assume incoming identity contains a root (e.g., created by
60 * certtool) and add that cert to ST's trusted anchors. This
61 * enables ST's verify of the incoming chain to succeed without
62 * a kludgy "AllowAnyRoot" specification.
63 */
64 OSStatus addIdentityAsTrustedRoot(
65 SSLContextRef ctx,
66 CFArrayRef identArray);
67
68 OSStatus sslAddTrustedRoots(
69 SSLContextRef ctx,
70 SecKeychainRef keychain,
71 bool *foundOne);
72
73 void sslOutputDot();
74
75 /*
76 * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
77 */
78 extern const SSLCipherSuite suites40[];
79 extern const SSLCipherSuite suitesDES[];
80 extern const SSLCipherSuite suitesDES40[];
81 extern const SSLCipherSuite suites3DES[];
82 extern const SSLCipherSuite suitesRC4[];
83 extern const SSLCipherSuite suitesRC4_40[];
84 extern const SSLCipherSuite suitesRC2[];
85 extern const SSLCipherSuite suitesAES128[];
86 extern const SSLCipherSuite suitesAES256[];
87 extern const SSLCipherSuite suitesDH[];
88 extern const SSLCipherSuite suitesDHAnon[];
89 extern const SSLCipherSuite suitesDH_RSA[];
90 extern const SSLCipherSuite suitesDH_DSS[];
91 extern const SSLCipherSuite suites_SHA1[];
92 extern const SSLCipherSuite suites_MD5[];
93 extern const SSLCipherSuite suites_ECDHE[];
94 extern const SSLCipherSuite suites_ECDH[];
95
96 /*
97 * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
98 * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
99 * supports and do a SSLSetEnabledCiphers() specifying those.
100 */
101 OSStatus sslSetEnabledCiphers(
102 SSLContextRef ctx,
103 const SSLCipherSuite *ciphers);
104
105 /*
106 * Specify restricted sets of cipherspecs and protocols.
107 */
108 OSStatus sslSetCipherRestrictions(
109 SSLContextRef ctx,
110 char cipherRestrict);
111
112 #ifndef SPHINX
113 OSStatus sslSetProtocols(
114 SSLContextRef ctx,
115 const char *acceptedProts,
116 SSLProtocol tryVersion); // only used if acceptedProts NULL
117 #endif
118
119 int sslVerifyRtn(
120 const char *whichSide, // "client" or "server"
121 OSStatus expectRtn,
122 OSStatus gotRtn);
123 int sslVerifyProtVers(
124 const char *whichSide, // "client" or "server"
125 SSLProtocol expectProt,
126 SSLProtocol gotProt);
127 int sslVerifyClientCertState(
128 const char *whichSide, // "client" or "server"
129 SSLClientCertificateState expectState,
130 SSLClientCertificateState gotState);
131 int sslVerifyCipher(
132 const char *whichSide, // "client" or "server"
133 SSLCipherSuite expectCipher,
134 SSLCipherSuite gotCipher);
135
136
137 /*
138 * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
139 */
140 OSStatus sslIdentityPicker(
141 SecKeychainRef kcRef, // NULL means use default list
142 const char *trustedAnchor, // optional additional trusted anchor
143 bool includeRoot, // true --> root is appended to outArray
144 // false --> root not included
145 // const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
146 CFArrayRef *outArray); // created and RETURNED
147
148 void sslKeychainPath(
149 const char *kcName,
150 char *kcPath); // allocd by caller, MAXPATHLEN
151
152 /* Verify presence of required file. Returns nonzero if not found. */
153 int sslCheckFile(const char *path);
154
155 /* Stringify a SSL_ECDSA_NamedCurve */
156 extern const char *sslCurveString(
157 SSL_ECDSA_NamedCurve namedCurve);
158
159 #ifdef __cplusplus
160 }
161 #endif
162
163 #endif /* _SSLS_APP_UTILS_H_ */