2 // SecProtocolInternal.h
6 #ifndef SecProtocolInternal_h
7 #define SecProtocolInternal_h
9 #include "SecProtocolPriv.h"
11 #define kATSInfoKey "NSAppTransportSecurity"
12 #define kAllowsArbitraryLoads "NSAllowsArbitraryLoads"
13 #define kAllowsArbitraryLoadsForMedia "NSAllowsArbitraryLoadsForMedia"
14 #define kAllowsArbitraryLoadsInWebContent "NSAllowsArbitraryLoadsInWebContent"
15 #define kAllowsLocalNetworking "NSAllowsLocalNetworking"
16 #define kExceptionDomains "NSExceptionDomains"
17 #define kIncludesSubdomains "NSIncludesSubdomains"
18 #define kExceptionAllowsInsecureHTTPLoads "NSExceptionAllowsInsecureHTTPLoads"
19 #define kExceptionMinimumTLSVersion "NSExceptionMinimumTLSVersion"
20 #define kExceptionRequiresForwardSecrecy "NSExceptionRequiresForwardSecrecy"
22 #define CiphersuitesTLS13 \
23 TLS_AES_128_GCM_SHA256, \
24 TLS_AES_256_GCM_SHA384, \
25 TLS_CHACHA20_POLY1305_SHA256
27 #define CiphersuitesPFS \
28 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
29 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
30 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
31 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \
32 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
33 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
34 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \
35 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
36 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
37 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
38 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
39 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
40 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
41 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
43 #define CiphersuitesNonPFS \
44 TLS_RSA_WITH_AES_256_GCM_SHA384, \
45 TLS_RSA_WITH_AES_128_GCM_SHA256, \
46 TLS_RSA_WITH_AES_256_CBC_SHA256, \
47 TLS_RSA_WITH_AES_128_CBC_SHA256, \
48 TLS_RSA_WITH_AES_256_CBC_SHA, \
49 TLS_RSA_WITH_AES_128_CBC_SHA
51 #define CiphersuitesTLS10 \
52 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
53 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
54 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
55 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
56 TLS_RSA_WITH_AES_256_CBC_SHA, \
57 TLS_RSA_WITH_AES_128_CBC_SHA
59 #define CiphersuitesTLS10_3DES \
60 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, \
61 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, \
62 SSL_RSA_WITH_3DES_EDE_CBC_SHA
64 #define CiphersuitesDHE \
65 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
66 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
67 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
68 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
69 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
70 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
71 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
73 SEC_RETURNS_RETAINED sec_protocol_configuration_builder_t
74 sec_protocol_configuration_builder_copy_default(void);
77 sec_protocol_configuration_builder_get_ats_dictionary(sec_protocol_configuration_builder_t builder
);
80 sec_protocol_configuration_builder_get_is_apple_bundle(sec_protocol_configuration_builder_t builder
);
82 SEC_RETURNS_RETAINED xpc_object_t
83 sec_protocol_configuration_get_map(sec_protocol_configuration_t configuration
);
86 sec_protocol_options_clear_tls_ciphersuites(sec_protocol_options_t options
);
89 sec_protocol_options_set_ats_non_pfs_ciphersuite_allowed(sec_protocol_options_t options
, bool ats_non_pfs_ciphersuite_allowed
);
92 sec_protocol_options_set_ats_minimum_tls_version_allowed(sec_protocol_options_t options
, bool ats_minimum_tls_version_allowed
);
95 sec_protocol_options_set_ats_required(sec_protocol_options_t options
, bool required
);
98 sec_protocol_options_set_minimum_rsa_key_size(sec_protocol_options_t options
, size_t minimum_key_size
);
101 sec_protocol_options_set_minimum_ecdsa_key_size(sec_protocol_options_t options
, size_t minimum_key_size
);
104 sec_protocol_options_set_minimum_signature_algorithm(sec_protocol_options_t options
, SecSignatureHashAlgorithm algorithm
);
107 sec_protocol_options_set_trusted_peer_certificate(sec_protocol_options_t options
, bool trusted_peer_certificate
);
110 sec_protocol_configuration_populate_insecure_defaults(sec_protocol_configuration_t configuration
);
113 sec_protocol_configuration_populate_secure_defaults(sec_protocol_configuration_t configuration
);
116 sec_protocol_configuration_register_builtin_exceptions(sec_protocol_configuration_t configuration
);
119 sec_protocol_helper_ciphersuite_group_contains_ciphersuite(tls_ciphersuite_group_t group
, tls_ciphersuite_t suite
);
121 tls_protocol_version_t
122 sec_protocol_helper_ciphersuite_minimum_TLS_version(tls_ciphersuite_t ciphersuite
);
124 tls_protocol_version_t
125 sec_protocol_helper_ciphersuite_maximum_TLS_version(tls_ciphersuite_t ciphersuite
);
128 sec_protocol_helper_get_ciphersuite_name(tls_ciphersuite_t ciphersuite
);
130 const tls_key_exchange_group_t
*
131 sec_protocol_helper_tls_key_exchange_group_set_to_key_exchange_group_list(tls_key_exchange_group_set_t set
, size_t *listSize
);
133 bool sec_protocol_helper_dispatch_data_equal(dispatch_data_t left
, dispatch_data_t right
);
135 #endif /* SecProtocolInternal_h */
projects / apple / security.git / blob