-/*
- * Copyright (c) 2006-2008,2010-2014 Apple Inc. All Rights Reserved.
- */
-
-#include "sslAppUtils.h"
-#include "fileIo.h"
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/param.h>
-#include <Security/SecBase.h>
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#include <Security/SecIdentityPriv.h>
-#include <AssertMacros.h>
-
-#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); }
-
-const char *sslGetCipherSuiteString(SSLCipherSuite cs)
-{
- static char noSuite[40];
-
- switch (cs) {
- /* TLS cipher suites, RFC 2246 */
- case SSL_NULL_WITH_NULL_NULL: return "TLS_NULL_WITH_NULL_NULL";
- case SSL_RSA_WITH_NULL_MD5: return "TLS_RSA_WITH_NULL_MD5";
- case SSL_RSA_WITH_NULL_SHA: return "TLS_RSA_WITH_NULL_SHA";
- case SSL_RSA_EXPORT_WITH_RC4_40_MD5: return "TLS_RSA_EXPORT_WITH_RC4_40_MD5";
- case SSL_RSA_WITH_RC4_128_MD5: return "TLS_RSA_WITH_RC4_128_MD5";
- case SSL_RSA_WITH_RC4_128_SHA: return "TLS_RSA_WITH_RC4_128_SHA";
- case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: return "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5";
- case SSL_RSA_WITH_IDEA_CBC_SHA: return "TLS_RSA_WITH_IDEA_CBC_SHA";
- case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA";
- case SSL_RSA_WITH_DES_CBC_SHA: return "TLS_RSA_WITH_DES_CBC_SHA";
- case SSL_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
- case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA";
- case SSL_DH_DSS_WITH_DES_CBC_SHA: return "TLS_DH_DSS_WITH_DES_CBC_SHA";
- case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
- case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA";
- case SSL_DH_RSA_WITH_DES_CBC_SHA: return "TLS_DH_RSA_WITH_DES_CBC_SHA";
- case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
- case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA";
- case SSL_DHE_DSS_WITH_DES_CBC_SHA: return "TLS_DHE_DSS_WITH_DES_CBC_SHA";
- case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
- case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA";
- case SSL_DHE_RSA_WITH_DES_CBC_SHA: return "TLS_DHE_RSA_WITH_DES_CBC_SHA";
- case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
- case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: return "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5";
- case SSL_DH_anon_WITH_RC4_128_MD5: return "TLS_DH_anon_WITH_RC4_128_MD5";
- case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA";
- case SSL_DH_anon_WITH_DES_CBC_SHA: return "TLS_DH_anon_WITH_DES_CBC_SHA";
- case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
-
- /* SSLv3 Fortezza cipher suites, from NSS */
- case SSL_FORTEZZA_DMS_WITH_NULL_SHA: return "SSL_FORTEZZA_DMS_WITH_NULL_SHA";
- case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
-
- /* TLS addenda using AES-CBC, RFC 3268 */
- case TLS_RSA_WITH_AES_128_CBC_SHA: return "TLS_RSA_WITH_AES_128_CBC_SHA";
- case TLS_DH_DSS_WITH_AES_128_CBC_SHA: return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
- case TLS_DH_RSA_WITH_AES_128_CBC_SHA: return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
- case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
- case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
- case TLS_DH_anon_WITH_AES_128_CBC_SHA: return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
- case TLS_RSA_WITH_AES_256_CBC_SHA: return "TLS_RSA_WITH_AES_256_CBC_SHA";
- case TLS_DH_DSS_WITH_AES_256_CBC_SHA: return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
- case TLS_DH_RSA_WITH_AES_256_CBC_SHA: return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
- case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
- case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
- case TLS_DH_anon_WITH_AES_256_CBC_SHA: return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
-
- /* ECDSA addenda, RFC 4492 */
- case TLS_ECDH_ECDSA_WITH_NULL_SHA: return "TLS_ECDH_ECDSA_WITH_NULL_SHA";
- case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
- case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
- case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
- case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
- case TLS_ECDHE_ECDSA_WITH_NULL_SHA: return "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
- case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
- case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
- case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
- case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
- case TLS_ECDH_RSA_WITH_NULL_SHA: return "TLS_ECDH_RSA_WITH_NULL_SHA";
- case TLS_ECDH_RSA_WITH_RC4_128_SHA: return "TLS_ECDH_RSA_WITH_RC4_128_SHA";
- case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
- case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
- case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
- case TLS_ECDHE_RSA_WITH_NULL_SHA: return "TLS_ECDHE_RSA_WITH_NULL_SHA";
- case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
- case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
- case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
- case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
- case TLS_ECDH_anon_WITH_NULL_SHA: return "TLS_ECDH_anon_WITH_NULL_SHA";
- case TLS_ECDH_anon_WITH_RC4_128_SHA: return "TLS_ECDH_anon_WITH_RC4_128_SHA";
- case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
- case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: return "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
- case TLS_ECDH_anon_WITH_AES_256_CBC_SHA: return "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
-
- /* TLS 1.2 addenda, RFC 5246 */
- case TLS_RSA_WITH_AES_128_CBC_SHA256: return "TLS_RSA_WITH_AES_128_CBC_SHA256";
- case TLS_RSA_WITH_AES_256_CBC_SHA256: return "TLS_RSA_WITH_AES_256_CBC_SHA256";
- case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: return "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
- case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: return "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
- case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
- case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
- case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: return "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
- case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: return "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
- case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
- case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
- case TLS_DH_anon_WITH_AES_128_CBC_SHA256: return "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
- case TLS_DH_anon_WITH_AES_256_CBC_SHA256: return "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
-
- /* TLS addenda using AES-GCM, RFC 5288 */
- case TLS_RSA_WITH_AES_128_GCM_SHA256: return "TLS_RSA_WITH_AES_128_GCM_SHA256";
- case TLS_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
- case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
- case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
- case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: return "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
- case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
- case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: return "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
- case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: return "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
- case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: return "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
- case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: return "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
- case TLS_DH_anon_WITH_AES_128_GCM_SHA256: return "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
- case TLS_DH_anon_WITH_AES_256_GCM_SHA384: return "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
-
- /* ECDSA addenda, RFC 5289 */
- case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
- case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
- case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
- case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
- case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
- case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
- case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
- case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
- case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
- case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
- case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
- case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
- case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
- case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
- case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
- case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
-
- /*
- * Tags for SSL 2 cipher kinds which are not specified for SSL 3.
- */
- case SSL_RSA_WITH_RC2_CBC_MD5: return "TLS_RSA_WITH_RC2_CBC_MD5";
- case SSL_RSA_WITH_IDEA_CBC_MD5: return "TLS_RSA_WITH_IDEA_CBC_MD5";
- case SSL_RSA_WITH_DES_CBC_MD5: return "TLS_RSA_WITH_DES_CBC_MD5";
- case SSL_RSA_WITH_3DES_EDE_CBC_MD5: return "TLS_RSA_WITH_3DES_EDE_CBC_MD5";
- case SSL_NO_SUCH_CIPHERSUITE: return "SSL_NO_SUCH_CIPHERSUITE";
-
- default:
- snprintf(noSuite, sizeof(noSuite), "Unknown ciphersuite 0x%04x", (unsigned)cs);
- return noSuite;
- }
-}
-
-/*
- * Given a SSLProtocolVersion - typically from SSLGetProtocolVersion -
- * return a string representation.
- */
-const char *sslGetProtocolVersionString(SSLProtocol prot)
-{
- static char noProt[20];
-
- switch(prot) {
- case kSSLProtocolUnknown: return "kSSLProtocolUnknown";
- case kSSLProtocol2: return "kSSLProtocol2";
- case kSSLProtocol3: return "kSSLProtocol3";
- case kSSLProtocol3Only: return "kSSLProtocol3Only";
- case kTLSProtocol1: return "kTLSProtocol1";
- case kTLSProtocol1Only: return "kTLSProtocol1Only";
- case kTLSProtocol11: return "kTLSProtocol11";
- case kTLSProtocol12: return "kTLSProtocol12";
- default:
- sprintf(noProt, "Unknown (%d)", (unsigned)prot);
- return noProt;
- }
-}
-
-/*
- * Return string representation of SecureTransport-related OSStatus.
- */
-const char *sslGetSSLErrString(OSStatus err)
-{
- static char errSecSuccessStr[20];
-
- switch(err) {
- case errSecSuccess: return "errSecSuccess";
- case errSecAllocate: return "errSecAllocate";
- case errSecParam: return "errSecParam";
- case errSecUnimplemented: return "errSecUnimplemented";
- case errSecIO: return "errSecIO";
- case errSecBadReq: return "errSecBadReq";
- /* SSL errors */
- case errSSLProtocol: return "errSSLProtocol";
- case errSSLNegotiation: return "errSSLNegotiation";
- case errSSLFatalAlert: return "errSSLFatalAlert";
- case errSSLWouldBlock: return "errSSLWouldBlock";
- case errSSLSessionNotFound: return "errSSLSessionNotFound";
- case errSSLClosedGraceful: return "errSSLClosedGraceful";
- case errSSLClosedAbort: return "errSSLClosedAbort";
- case errSSLXCertChainInvalid: return "errSSLXCertChainInvalid";
- case errSSLBadCert: return "errSSLBadCert";
- case errSSLCrypto: return "errSSLCrypto";
- case errSSLInternal: return "errSSLInternal";
- case errSSLModuleAttach: return "errSSLModuleAttach";
- case errSSLUnknownRootCert: return "errSSLUnknownRootCert";
- case errSSLNoRootCert: return "errSSLNoRootCert";
- case errSSLCertExpired: return "errSSLCertExpired";
- case errSSLCertNotYetValid: return "errSSLCertNotYetValid";
- case errSSLClosedNoNotify: return "errSSLClosedNoNotify";
- case errSSLBufferOverflow: return "errSSLBufferOverflow";
- case errSSLBadCipherSuite: return "errSSLBadCipherSuite";
- /* TLS/Panther addenda */
- case errSSLPeerUnexpectedMsg: return "errSSLPeerUnexpectedMsg";
- case errSSLPeerBadRecordMac: return "errSSLPeerBadRecordMac";
- case errSSLPeerDecryptionFail: return "errSSLPeerDecryptionFail";
- case errSSLPeerRecordOverflow: return "errSSLPeerRecordOverflow";
- case errSSLPeerDecompressFail: return "errSSLPeerDecompressFail";
- case errSSLPeerHandshakeFail: return "errSSLPeerHandshakeFail";
- case errSSLPeerBadCert: return "errSSLPeerBadCert";
- case errSSLPeerUnsupportedCert: return "errSSLPeerUnsupportedCert";
- case errSSLPeerCertRevoked: return "errSSLPeerCertRevoked";
- case errSSLPeerCertExpired: return "errSSLPeerCertExpired";
- case errSSLPeerCertUnknown: return "errSSLPeerCertUnknown";
- case errSSLIllegalParam: return "errSSLIllegalParam";
- case errSSLPeerUnknownCA: return "errSSLPeerUnknownCA";
- case errSSLPeerAccessDenied: return "errSSLPeerAccessDenied";
- case errSSLPeerDecodeError: return "errSSLPeerDecodeError";
- case errSSLPeerDecryptError: return "errSSLPeerDecryptError";
- case errSSLPeerExportRestriction: return "errSSLPeerExportRestriction";
- case errSSLPeerProtocolVersion: return "errSSLPeerProtocolVersion";
- case errSSLPeerInsufficientSecurity:return "errSSLPeerInsufficientSecurity";
- case errSSLPeerInternalError: return "errSSLPeerInternalError";
- case errSSLPeerUserCancelled: return "errSSLPeerUserCancelled";
- case errSSLPeerNoRenegotiation: return "errSSLPeerNoRenegotiation";
- case errSSLHostNameMismatch: return "errSSLHostNameMismatch";
- case errSSLConnectionRefused: return "errSSLConnectionRefused";
- case errSSLDecryptionFail: return "errSSLDecryptionFail";
- case errSSLBadRecordMac: return "errSSLBadRecordMac";
- case errSSLRecordOverflow: return "errSSLRecordOverflow";
- case errSSLBadConfiguration: return "errSSLBadConfiguration";
-
- /* some from the Sec layer */
- case errSecNotAvailable: return "errSecNotAvailable";
- case errSecDuplicateItem: return "errSecDuplicateItem";
- case errSecItemNotFound: return "errSecItemNotFound";
-#if !TARGET_OS_IPHONE
- case errSecReadOnly: return "errSecReadOnly";
- case errSecAuthFailed: return "errSecAuthFailed";
- case errSecNoSuchKeychain: return "errSecNoSuchKeychain";
- case errSecInvalidKeychain: return "errSecInvalidKeychain";
- case errSecNoSuchAttr: return "errSecNoSuchAttr";
- case errSecInvalidItemRef: return "errSecInvalidItemRef";
- case errSecInvalidSearchRef: return "errSecInvalidSearchRef";
- case errSecNoSuchClass: return "errSecNoSuchClass";
- case errSecNoDefaultKeychain: return "errSecNoDefaultKeychain";
- case errSecWrongSecVersion: return "errSecWrongSecVersion";
- case errSecInvalidTrustSettings: return "errSecInvalidTrustSettings";
- case errSecNoTrustSettings: return "errSecNoTrustSettings";
-#endif
- default:
-#if 0
- if (err < (CSSM_BASE_ERROR +
- (CSSM_ERRORCODE_MODULE_EXTENT * 8)))
- {
- /* assume CSSM error */
- return cssmErrToStr(err);
- }
- else
-#endif
- {
- sprintf(errSecSuccessStr, "Unknown (%d)", (unsigned)err);
- return errSecSuccessStr;
- }
- }
-}
-
-void printSslErrStr(
- const char *op,
- OSStatus err)
-{
- printf("*** %s: %s\n", op, sslGetSSLErrString(err));
-}
-
-const char *sslGetClientCertStateString(SSLClientCertificateState state)
-{
- static char noState[20];
-
- switch(state) {
- case kSSLClientCertNone: return "ClientCertNone";
- case kSSLClientCertRequested: return "CertRequested";
- case kSSLClientCertSent: return "ClientCertSent";
- case kSSLClientCertRejected: return "ClientCertRejected";
- default:
- sprintf(noState, "Unknown (%d)", (unsigned)state);
- return noState;
- }
-
-}
-
-const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType)
-{
- static char noType[20];
-
- switch(authType) {
- case SSLClientAuthNone: return "None";
- case SSLClientAuth_RSASign: return "RSASign";
- case SSLClientAuth_DSSSign: return "DSSSign";
- case SSLClientAuth_RSAFixedDH: return "RSAFixedDH";
- case SSLClientAuth_DSS_FixedDH: return "DSS_FixedDH";
- case SSLClientAuth_ECDSASign: return "ECDSASign";
- case SSLClientAuth_RSAFixedECDH: return "RSAFixedECDH";
- case SSLClientAuth_ECDSAFixedECDH: return "ECDSAFixedECDH";
- default:
- sprintf(noType, "Unknown (%d)", (unsigned)authType);
- return noType;
- }
-}
-
-/*
- * Convert a keychain name (which may be NULL) into the CFArrayRef required
- * by SSLSetCertificate. This is a bare-bones example of this operation,
- * since it requires and assumes that there is exactly one SecIdentity
- * in the keychain - i.e., there is exactly one matching cert/private key
- * pair. A real world server would probably search a keychain for a SecIdentity
- * matching some specific criteria.
- */
-CFArrayRef getSslCerts(
- const char *kcName, // may be NULL, i.e., use default
- bool encryptOnly,
- bool completeCertChain,
- const char *anchorFile, // optional trusted anchor
- SecKeychainRef *pKcRef) // RETURNED
-{
-#if 0
- SecKeychainRef kcRef = nil;
- OSStatus ortn;
-
- *pKcRef = nil;
-
- /* pick a keychain */
- if(kcName) {
- ortn = SecKeychainOpen(kcName, &kcRef);
- if(ortn) {
- printf("SecKeychainOpen returned %d.\n", (int)ortn);
- printf("Cannot open keychain at %s. Aborting.\n", kcName);
- return NULL;
- }
- }
- else {
- /* use default keychain */
- ortn = SecKeychainCopyDefault(&kcRef);
- if(ortn) {
- printf("SecKeychainCopyDefault returned %d; aborting.\n", (int)ortn);
- return nil;
- }
- }
- *pKcRef = kcRef;
- return sslKcRefToCertArray(kcRef, encryptOnly, completeCertChain, anchorFile);
-#elif TARGET_OS_IOS
- SecCertificateRef cert = NULL;
- SecIdentityRef identity = NULL;
- CFMutableArrayRef certificates = NULL, result = NULL;
- CFMutableDictionaryRef certQuery = NULL, keyQuery = NULL, keyResult = NULL;
- SecTrustRef trust = NULL;
- SecKeyRef key = NULL;
- CFTypeRef pkdigest = NULL;
-
- // Find the first private key in the keychain and return both its
- // attributes and a ref to it.
- require(keyQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
- CFDictionaryAddValue(keyQuery, kSecClass, kSecClassKey);
- CFDictionaryAddValue(keyQuery, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
- CFDictionaryAddValue(keyQuery, kSecReturnRef, kCFBooleanTrue);
- CFDictionaryAddValue(keyQuery, kSecReturnAttributes, kCFBooleanTrue);
- require_noerr(SecItemCopyMatching(keyQuery, (CFTypeRef *)&keyResult),
- errOut);
- require(key = (SecKeyRef)CFDictionaryGetValue(keyResult, kSecValueRef),
- errOut);
- require(pkdigest = CFDictionaryGetValue(keyResult, kSecAttrApplicationLabel),
- errOut);
-
- // Find the first certificate that has the same public key hash as the
- // returned private key and return it as a ref.
- require(certQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
- CFDictionaryAddValue(certQuery, kSecClass, kSecClassCertificate);
- CFDictionaryAddValue(certQuery, kSecAttrPublicKeyHash, pkdigest);
- CFDictionaryAddValue(certQuery, kSecReturnRef, kCFBooleanTrue);
- require_noerr(SecItemCopyMatching(certQuery, (CFTypeRef *)&cert), errOut);
-
- // Create an identity from the key and certificate.
- require(identity = SecIdentityCreate(NULL, cert, key), errOut);
-
- // Build a (partial) certificate chain from cert
- require(certificates = CFArrayCreateMutable(NULL, 0,
- &kCFTypeArrayCallBacks), errOut);
- CFArrayAppendValue(certificates, cert);
- require_noerr(SecTrustCreateWithCertificates(certificates, NULL, &trust),
- errOut);
- SecTrustResultType tresult;
- require_noerr(SecTrustEvaluate(trust, &tresult), errOut);
-
- CFIndex certCount, ix;
- // We need at least 1 certificate
- require(certCount = SecTrustGetCertificateCount(trust), errOut);
-
- // Build a result where element 0 is the identity and the other elements
- // are the certs in the chain starting at the first intermediate up to the
- // anchor, if we found one, or as far as we were able to build the chain
- // if not.
- require(result = CFArrayCreateMutable(NULL, certCount, &kCFTypeArrayCallBacks),
- errOut);
-
- // We are commited to returning a result now, so do not use require below
- // this line without setting result to NULL again.
- CFArrayAppendValue(result, identity);
- for (ix = 1; ix < certCount; ++ix) {
- CFArrayAppendValue(result, SecTrustGetCertificateAtIndex(trust, ix));
- }
-
-errOut:
- CFReleaseSafe(trust);
- CFReleaseSafe(certificates);
- CFReleaseSafe(identity);
- CFReleaseSafe(cert);
- CFReleaseSafe(certQuery);
- CFReleaseSafe(keyResult);
- CFReleaseSafe(keyQuery);
-
- return result;
-
-#else /* !TARGET_OS_IOS */
- SecIdentityRef identity = NULL;
- CFMutableDictionaryRef query = NULL;
- CFArrayRef items = NULL;
- require(query = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
- CFDictionaryAddValue(query, kSecClass, kSecClassIdentity);
- CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
- require_noerr(SecItemCopyMatching(query, (CFTypeRef *)&identity), errOut);
-
- items = CFArrayCreate(kCFAllocatorDefault,
- (const void **)&identity, 1, &kCFTypeArrayCallBacks);
-
-errOut:
- CFReleaseSafe(identity);
- CFReleaseSafe(query);
-
- return items;
-
-#endif
-
-}
-
-#if 0
-/*
- * Determine if specified SecCertificateRef is a self-signed cert.
- * We do this by comparing the subject and issuerr names; no cryptographic
- * verification is performed.
- *
- * Returns true if the cert appears to be a root.
- */
-static bool isCertRefRoot(
- SecCertificateRef certRef)
-{
- bool brtn = false;
-#if 0
- /* just search for the two attrs we want */
- UInt32 tags[2] = {kSecSubjectItemAttr, kSecIssuerItemAttr};
- SecKeychainAttributeInfo attrInfo;
- attrInfo.count = 2;
- attrInfo.tag = tags;
- attrInfo.format = NULL;
- SecKeychainAttributeList *attrList = NULL;
- SecKeychainAttribute *attr1 = NULL;
- SecKeychainAttribute *attr2 = NULL;
-
- OSStatus ortn = SecKeychainItemCopyAttributesAndData(
- (SecKeychainItemRef)certRef,
- &attrInfo,
- NULL, // itemClass
- &attrList,
- NULL, // length - don't need the data
- NULL); // outData
- if(ortn) {
- cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
- /* may want to be a bit more robust here, but this should
- * never happen */
- return false;
- }
- /* subsequent errors to errOut: */
-
- if((attrList == NULL) || (attrList->count != 2)) {
- printf("***Unexpected result fetching label attr\n");
- goto errOut;
- }
-
- /* rootness is just byte-for-byte compare of the two names */
- attr1 = &attrList->attr[0];
- attr2 = &attrList->attr[1];
- if(attr1->length == attr2->length) {
- if(memcmp(attr1->data, attr2->data, attr1->length) == 0) {
- brtn = true;
- }
- }
-errOut:
- SecKeychainItemFreeAttributesAndData(attrList, NULL);
-#endif
- return brtn;
-}
-#endif
-
-#if 0
-/*
- * Given a SecIdentityRef, do our best to construct a complete, ordered, and
- * verified cert chain, returning the result in a CFArrayRef. The result is
- * suitable for use when calling SSLSetCertificate().
- */
-OSStatus sslCompleteCertChain(
- SecIdentityRef identity,
- SecCertificateRef trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // include the root in outArray
- CFArrayRef *outArray) // created and RETURNED
-{
- CFMutableArrayRef certArray;
- SecTrustRef secTrust = NULL;
- SecPolicyRef policy = NULL;
- SecPolicySearchRef policySearch = NULL;
- SecTrustResultType secTrustResult;
- CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; // not used
- CFArrayRef certChain = NULL; // constructed chain
- CFIndex numResCerts;
-
- certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(certArray, identity);
-
- /*
- * Case 1: identity is a root; we're done. Note that this case
- * overrides the includeRoot argument.
- */
- SecCertificateRef certRef;
- OSStatus ortn = SecIdentityCopyCertificate(identity, &certRef);
- if(ortn) {
- /* should never happen */
- cssmPerror("SecIdentityCopyCertificate", ortn);
- return ortn;
- }
- bool isRoot = isCertRefRoot(certRef);
- if(isRoot) {
- *outArray = certArray;
- CFRelease(certRef);
- return errSecSuccess;
- }
-
- /*
- * Now use SecTrust to get a complete cert chain, using all of the
- * user's keychains to look for intermediate certs.
- * NOTE this does NOT handle root certs which are not in the system
- * root cert DB. (The above case, where the identity is a root cert, does.)
- */
- CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
- CFArraySetValueAtIndex(subjCerts, 0, certRef);
-
- /* the array owns the subject cert ref now */
- CFRelease(certRef);
-
- /* Get a SecPolicyRef for generic X509 cert chain verification */
- ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
- &CSSMOID_APPLE_X509_BASIC,
- NULL, // value
- &policySearch);
- if(ortn) {
- cssmPerror("SecPolicySearchCreate", ortn);
- goto errOut;
- }
- ortn = SecPolicySearchCopyNext(policySearch, &policy);
- if(ortn) {
- cssmPerror("SecPolicySearchCopyNext", ortn);
- goto errOut;
- }
-
- /* build a SecTrustRef for specified policy and certs */
- ortn = SecTrustCreateWithCertificates(subjCerts,
- policy, &secTrust);
- if(ortn) {
- cssmPerror("SecTrustCreateWithCertificates", ortn);
- goto errOut;
- }
-
- if(trustedAnchor) {
- /*
- * Tell SecTrust to trust this one in addition to the current
- * trusted system-wide anchors.
- */
- CFMutableArrayRef newAnchors;
- CFArrayRef currAnchors;
-
- ortn = SecTrustCopyAnchorCertificates(&currAnchors);
- if(ortn) {
- /* should never happen */
- cssmPerror("SecTrustCopyAnchorCertificates", ortn);
- goto errOut;
- }
- newAnchors = CFArrayCreateMutableCopy(NULL,
- CFArrayGetCount(currAnchors) + 1,
- currAnchors);
- CFRelease(currAnchors);
- CFArrayAppendValue(newAnchors, trustedAnchor);
- ortn = SecTrustSetAnchorCertificates(secTrust, newAnchors);
- CFRelease(newAnchors);
- if(ortn) {
- cssmPerror("SecTrustSetAnchorCertificates", ortn);
- goto errOut;
- }
- }
- /* evaluate: GO */
- ortn = SecTrustEvaluate(secTrust, &secTrustResult);
- if(ortn) {
- cssmPerror("SecTrustEvaluate", ortn);
- goto errOut;
- }
- switch(secTrustResult) {
- case kSecTrustResultUnspecified:
- /* cert chain valid, no special UserTrust assignments */
- case kSecTrustResultProceed:
- /* cert chain valid AND user explicitly trusts this */
- break;
- default:
- /*
- * Cert chain construction failed.
- * Just go with the single subject cert we were given.
- */
- printf("***Warning: could not construct completed cert chain\n");
- ortn = errSecSuccess;
- goto errOut;
- }
-
- /* get resulting constructed cert chain */
- ortn = SecTrustGetResult(secTrust, &secTrustResult, &certChain, &dummyEv);
- if(ortn) {
- cssmPerror("SecTrustEvaluate", ortn);
- goto errOut;
- }
-
- /*
- * Copy certs from constructed chain to our result array, skipping
- * the leaf (which is already there, as a SecIdentityRef) and possibly
- * a root.
- */
- numResCerts = CFArrayGetCount(certChain);
- if(numResCerts < 2) {
- /*
- * Can't happen: if subject was a root, we'd already have returned.
- * If chain doesn't verify to a root, we'd have bailed after
- * SecTrustEvaluate().
- */
- printf("***sslCompleteCertChain screwup: numResCerts %d\n",
- (int)numResCerts);
- ortn = errSecSuccess;
- goto errOut;
- }
- if(!includeRoot) {
- /* skip the last (root) cert) */
- numResCerts--;
- }
- for(CFIndex dex=1; dex<numResCerts; dex++) {
- certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, dex);
- CFArrayAppendValue(certArray, certRef);
- }
-errOut:
- /* clean up */
- if(secTrust) {
- CFRelease(secTrust);
- }
- if(subjCerts) {
- CFRelease(subjCerts);
- }
- if(policy) {
- CFRelease(policy);
- }
- if(policySearch) {
- CFRelease(policySearch);
- }
- *outArray = certArray;
- return ortn;
-}
-
-
-/*
- * Given an open keychain, find a SecIdentityRef and munge it into
- * a CFArrayRef required by SSLSetCertificate().
- */
-CFArrayRef sslKcRefToCertArray(
- SecKeychainRef kcRef,
- bool encryptOnly,
- bool completeCertChain,
- const char *trustedAnchorFile)
-{
- /* quick check to make sure the keychain exists */
- SecKeychainStatus kcStat;
- OSStatus ortn = SecKeychainGetStatus(kcRef, &kcStat);
- if(ortn) {
- printSslErrStr("SecKeychainGetStatus", ortn);
- printf("Can not open keychain. Aborting.\n");
- return nil;
- }
-
- /*
- * Search for "any" identity matching specified key use;
- * in this app, we expect there to be exactly one.
- */
- SecIdentitySearchRef srchRef = nil;
- ortn = SecIdentitySearchCreate(kcRef,
- encryptOnly ? CSSM_KEYUSE_DECRYPT : CSSM_KEYUSE_SIGN,
- &srchRef);
- if(ortn) {
- printf("SecIdentitySearchCreate returned %d.\n", (int)ortn);
- printf("Cannot find signing key in keychain. Aborting.\n");
- return nil;
- }
- SecIdentityRef identity = nil;
- ortn = SecIdentitySearchCopyNext(srchRef, &identity);
- if(ortn) {
- printf("SecIdentitySearchCopyNext returned %d.\n", (int)ortn);
- printf("Cannot find signing key in keychain. Aborting.\n");
- return nil;
- }
- if(CFGetTypeID(identity) != SecIdentityGetTypeID()) {
- printf("SecIdentitySearchCopyNext CFTypeID failure!\n");
- return nil;
- }
-
- /*
- * Found one.
- */
- if(completeCertChain) {
- /*
- * Place it and the other certs needed to verify it -
- * up to but not including the root - in a CFArray.
- */
- SecCertificateRef anchorCert = NULL;
- if(trustedAnchorFile) {
- ortn = sslReadAnchor(trustedAnchorFile, &anchorCert);
- if(ortn) {
- printf("***Error reading anchor file\n");
- }
- }
- CFArrayRef ca;
- ortn = sslCompleteCertChain(identity, anchorCert, false, &ca);
- if(anchorCert) {
- CFRelease(anchorCert);
- }
- return ca;
- }
- else {
- /* simple case, just this one identity */
- CFArrayRef ca = CFArrayCreate(NULL,
- (const void **)&identity,
- 1,
- NULL);
- if(ca == nil) {
- printf("CFArrayCreate error\n");
- }
- return ca;
- }
-}
-#endif
-
-OSStatus addTrustedSecCert(
- SSLContextRef ctx,
- SecCertificateRef secCert,
- bool replaceAnchors)
-{
- OSStatus ortn;
- CFMutableArrayRef array;
-
- if(secCert == NULL) {
- printf("***addTrustedSecCert screwup\n");
- return errSecParam;
- }
- array = CFArrayCreateMutable(kCFAllocatorDefault,
- (CFIndex)1, &kCFTypeArrayCallBacks);
- if(array == NULL) {
- return errSecAllocate;
- }
- CFArrayAppendValue(array, secCert);
- ortn = SSLSetTrustedRoots(ctx, array, replaceAnchors ? true : false);
- if(ortn) {
- printSslErrStr("SSLSetTrustedRoots", ortn);
- }
- CFRelease(array);
- return ortn;
-}
-
-OSStatus sslReadAnchor(
- const char *anchorFile,
- SecCertificateRef *certRef)
-{
- SecCertificateRef secCert;
- unsigned char *certData;
- unsigned certLen;
- CFDataRef dataRef;
-
- if(readFile(anchorFile, &certData, &certLen)) {
- return -1;
- }
- dataRef = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
- (const UInt8 *)certData, (CFIndex)certLen, kCFAllocatorNull);
- secCert = SecCertificateCreateWithData(kCFAllocatorDefault, dataRef);
- CFReleaseSafe(dataRef);
- free(certData);
- if(!secCert) {
- printf("***SecCertificateCreateWithData returned NULL\n");
- return errSecParam;
- }
- if (certRef) {
- *certRef = secCert;
- }
- return errSecSuccess;
-}
-
-OSStatus sslAddTrustedRoot(
- SSLContextRef ctx,
- const char *anchorFile,
- bool replaceAnchors)
-{
- return 0;
-}
-
-OSStatus addIdentityAsTrustedRoot(
- SSLContextRef ctx,
- CFArrayRef identArray)
-{
- return errSecSuccess;
-}
-
-/*
- * Lists of SSLCipherSuites used in sslSetCipherRestrictions. Note that the
- * SecureTransport library does not implement all of these; we only specify
- * the ones it claims to support.
- */
-const SSLCipherSuite suites40[] = {
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDES[] = {
- SSL_RSA_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_RSA_WITH_DES_CBC_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDES40[] = {
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites3DES[] = {
- SSL_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_RSA_WITH_3DES_EDE_CBC_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesRC4[] = {
- SSL_RSA_WITH_RC4_128_MD5,
- SSL_RSA_WITH_RC4_128_SHA,
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesRC4_40[] = {
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesRC2[] = {
- SSL_RSA_WITH_RC2_CBC_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesAES128[] = {
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesAES256[] = {
- TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDH[] = {
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDHAnon[] = {
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDH_RSA[] = {
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDH_DSS[] = {
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites_SHA1[] = {
- SSL_RSA_WITH_RC4_128_SHA,
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_RSA_WITH_IDEA_CBC_SHA,
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_RSA_WITH_DES_CBC_SHA,
- SSL_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_FORTEZZA_DMS_WITH_NULL_SHA,
- SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites_MD5[] = {
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_RSA_WITH_RC4_128_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites_NULL[] = {
- SSL_RSA_WITH_NULL_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-
-const SSLCipherSuite suites_ECDHE[] = {
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-
-const SSLCipherSuite suites_ECDH[] = {
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDH_RSA_WITH_RC4_128_SHA,
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-
-/*
- * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
- * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
- * supports and do a SSLSetEnabledCiphers() specifying those.
- */
-OSStatus sslSetEnabledCiphers(
- SSLContextRef ctx,
- const SSLCipherSuite *ciphers)
-{
- size_t numSupported;
- OSStatus ortn;
- SSLCipherSuite *supported = NULL;
- SSLCipherSuite *enabled = NULL;
- unsigned enabledDex = 0; // index into enabled
- unsigned supportedDex = 0; // index into supported
- unsigned inDex = 0; // index into ciphers
-
- /* first get all the supported ciphers */
- ortn = SSLGetNumberSupportedCiphers(ctx, &numSupported);
- if(ortn) {
- printSslErrStr("SSLGetNumberSupportedCiphers", ortn);
- return ortn;
- }
- supported = (SSLCipherSuite *)malloc(numSupported * sizeof(SSLCipherSuite));
- ortn = SSLGetSupportedCiphers(ctx, supported, &numSupported);
- if(ortn) {
- printSslErrStr("SSLGetSupportedCiphers", ortn);
- return ortn;
- }
-
- /*
- * Malloc an array we'll use for SSLGetEnabledCiphers - this will be
- * bigger than the number of suites we actually specify
- */
- enabled = (SSLCipherSuite *)malloc(numSupported * sizeof(SSLCipherSuite));
-
- /*
- * For each valid suite in ciphers, see if it's in the list of
- * supported ciphers. If it is, add it to the list of ciphers to be
- * enabled.
- */
- for(inDex=0; ciphers[inDex] != SSL_NO_SUCH_CIPHERSUITE; inDex++) {
- for(supportedDex=0; supportedDex<numSupported; supportedDex++) {
- if(ciphers[inDex] == supported[supportedDex]) {
- enabled[enabledDex++] = ciphers[inDex];
- break;
- }
- }
- }
-
- /* send it on down. */
- ortn = SSLSetEnabledCiphers(ctx, enabled, enabledDex);
- if(ortn) {
- printSslErrStr("SSLSetEnabledCiphers", ortn);
- }
- free(enabled);
- free(supported);
- return ortn;
-}
-
-/*
- * Specify a restricted set of cipherspecs.
- */
-OSStatus sslSetCipherRestrictions(
- SSLContextRef ctx,
- char cipherRestrict)
-{
- OSStatus ortn;
-
- if(cipherRestrict == '\0') {
- return errSecSuccess; // actually should not have been called
- }
- switch(cipherRestrict) {
- case 'e':
- ortn = sslSetEnabledCiphers(ctx, suites40);
- break;
- case 'd':
- ortn = sslSetEnabledCiphers(ctx, suitesDES);
- break;
- case 'D':
- ortn = sslSetEnabledCiphers(ctx, suitesDES40);
- break;
- case '3':
- ortn = sslSetEnabledCiphers(ctx, suites3DES);
- break;
- case '4':
- ortn = sslSetEnabledCiphers(ctx, suitesRC4);
- break;
- case '$':
- ortn = sslSetEnabledCiphers(ctx, suitesRC4_40);
- break;
- case '2':
- ortn = sslSetEnabledCiphers(ctx, suitesRC2);
- break;
- case 'a':
- ortn = sslSetEnabledCiphers(ctx, suitesAES128);
- break;
- case 'A':
- ortn = sslSetEnabledCiphers(ctx, suitesAES256);
- break;
- case 'h':
- ortn = sslSetEnabledCiphers(ctx, suitesDH);
- break;
- case 'H':
- ortn = sslSetEnabledCiphers(ctx, suitesDHAnon);
- break;
- case 'r':
- ortn = sslSetEnabledCiphers(ctx, suitesDH_RSA);
- break;
- case 's':
- ortn = sslSetEnabledCiphers(ctx, suitesDH_DSS);
- break;
- case 'n':
- ortn = sslSetEnabledCiphers(ctx, suites_NULL);
- break;
- case 'E':
- ortn = sslSetEnabledCiphers(ctx, suites_ECDHE);
- break;
- case 'F':
- ortn = sslSetEnabledCiphers(ctx, suites_ECDH);
- break;
- default:
- printf("***bad cipherSpec***\n");
- exit(1);
- }
- return ortn;
-}
-
-#if 0
-int sslVerifyClientCertState(
- const char *whichSide, // "client" or "server"
- SSLClientCertificateState expectState,
- SSLClientCertificateState gotState)
-{
- if(expectState == SSL_CLIENT_CERT_IGNORE) {
- /* app says "don't bother checking" */
- return 0;
- }
- if(expectState == gotState) {
- return 0;
- }
- printf("***%s: Expected clientCertState %s; got %s\n", whichSide,
- sslGetClientCertStateString(expectState),
- sslGetClientCertStateString(gotState));
- return 1;
-}
-
-int sslVerifyRtn(
- char *whichSide, // "client" or "server"
- OSStatus expectRtn,
- OSStatus gotRtn)
-{
- if(expectRtn == gotRtn) {
- return 0;
- }
- printf("***%s: Expected return %s; got %s\n", whichSide,
- sslGetSSLErrString(expectRtn),
- sslGetSSLErrString(gotRtn));
- return 1;
-}
-
-int sslVerifyProtVers(
- char *whichSide, // "client" or "server"
- SSLProtocol expectProt,
- SSLProtocol gotProt)
-{
- if(expectProt == SSL_PROTOCOL_IGNORE) {
- /* app says "don't bopther checking" */
- return 0;
- }
- if(expectProt == gotProt) {
- return 0;
- }
- printf("***%s: Expected return %s; got %s\n", whichSide,
- sslGetProtocolVersionString(expectProt),
- sslGetProtocolVersionString(gotProt));
- return 1;
-}
-
-int sslVerifyCipher(
- char *whichSide, // "client" or "server"
- SSLCipherSuite expectCipher,
- SSLCipherSuite gotCipher)
-{
- if(expectCipher == SSL_CIPHER_IGNORE) {
- /* app says "don't bopther checking" */
- return 0;
- }
- if(expectCipher == gotCipher) {
- return 0;
- }
- printf("***%s: Expected return %s; got %s\n", whichSide,
- sslGetCipherSuiteString(expectCipher),
- sslGetCipherSuiteString(gotCipher));
- return 1;
-}
-
-
-OSStatus sslSetProtocols(
- SSLContextRef ctx,
- const char *acceptedProts,
- SSLProtocol tryVersion) // only used if acceptedProts NULL
-{
- OSStatus ortn;
-
- if(acceptedProts) {
- ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
- return ortn;
- }
- for(const char *cp = acceptedProts; *cp; cp++) {
- SSLProtocol prot;
- switch(*cp) {
- case '2':
- prot = kSSLProtocol2;
- break;
- case '3':
- prot = kSSLProtocol3;
- break;
- case 't':
- prot = kTLSProtocol1;
- break;
- default:
- printf("***BRRZAP! Bad acceptedProts string %s. Aborting.\n", acceptedProts);
- exit(1);
- }
- ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
- return ortn;
- }
- }
- }
- else {
- ortn = SSLSetProtocolVersion(ctx, tryVersion);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersion", ortn);
- return ortn;
- }
- }
- return errSecSuccess;
-}
-
-void sslShowResult(
- const char *whichSide, // "client" or "server"
- SslAppTestParams *params)
-{
- printf("%s status:\n", whichSide);
- if(params->acceptedProts) {
- printf(" Allowed SSL versions : %s\n", params->acceptedProts);
- }
- else {
- printf(" Attempted SSL version : %s\n",
- sslGetProtocolVersionString(params->tryVersion));
- }
- printf(" Result : %s\n", sslGetSSLErrString(params->ortn));
- printf(" Negotiated SSL version : %s\n",
- sslGetProtocolVersionString(params->negVersion));
- printf(" Negotiated CipherSuite : %s\n",
- sslGetCipherSuiteString(params->negCipher));
- if(params->certState != kSSLClientCertNone) {
- printf(" Client Cert State : %s\n",
- sslGetClientCertStateString(params->certState));
- }
-}
-#endif
-
-/* print a '.' every few seconds to keep UI alive while connecting */
-static CFAbsoluteTime lastTime = (CFAbsoluteTime)0.0;
-#define TIME_INTERVAL 3.0
-
-void sslOutputDot()
-{
- CFAbsoluteTime thisTime = CFAbsoluteTimeGetCurrent();
-
- // throttle down.
- usleep(1000);
-
- if(lastTime == 0.0) {
- /* avoid printing first time thru */
- lastTime = thisTime;
- return;
- }
- if((thisTime - lastTime) >= TIME_INTERVAL) {
- printf("."); fflush(stdout);
- lastTime = thisTime;
- }
-}
-
-#if 0
-/* main server pthread body */
-static void *sslServerThread(void *arg)
-{
- SslAppTestParams *testParams = (SslAppTestParams *)arg;
- OSStatus status;
-
- status = sslAppServe(testParams);
- pthread_exit((void*)status);
- /* NOT REACHED */
- return (void *)status;
-}
-
-/*
- * Run one session, with the server in a separate thread.
- * On entry, serverParams->port is the port we attempt to run on;
- * the server thread may overwrite that with a different port if it's
- * unable to open the port we specify. Whatever is left in
- * serverParams->port is what's used for the client side.
- */
-#define CLIENT_WAIT_SECONDS 1
-int sslRunSession(
- SslAppTestParams*serverParams,
- SslAppTestParams *clientParams,
- const char *testDesc)
-{
- pthread_t serverPthread;
- OSStatus clientRtn;
- void *serverRtn;
-
- if(testDesc && !clientParams->quiet) {
- printf("===== %s =====\n", testDesc);
- }
-
- if(pthread_mutex_init(&serverParams->pthreadMutex, NULL)) {
- printf("***Error initializing mutex; aborting.\n");
- return -1;
- }
- if(pthread_cond_init(&serverParams->pthreadCond, NULL)) {
- printf("***Error initializing pthreadCond; aborting.\n");
- return -1;
- }
- serverParams->serverReady = false; // server sets true
-
- int result = pthread_create(&serverPthread, NULL,
- sslServerThread, serverParams);
- if(result) {
- printf("***Error starting up server thread; aborting.\n");
- return result;
- }
-
- /* wait for server to set up a socket we can connect to */
- if(pthread_mutex_lock(&serverParams->pthreadMutex)) {
- printf("***Error acquiring server lock; aborting.\n");
- return -1;
- }
- while(!serverParams->serverReady) {
- if(pthread_cond_wait(&serverParams->pthreadCond, &serverParams->pthreadMutex)) {
- printf("***Error waiting server thread; aborting.\n");
- return -1;
- }
- }
- pthread_mutex_unlock(&serverParams->pthreadMutex);
- pthread_cond_destroy(&serverParams->pthreadCond);
- pthread_mutex_destroy(&serverParams->pthreadMutex);
-
- clientParams->port = serverParams->port;
- clientRtn = sslAppClient(clientParams);
- /* server doesn't shut down its socket until it sees this */
- serverParams->clientDone = 1;
- result = pthread_join(serverPthread, &serverRtn);
- if(result) {
- printf("***pthread_join returned %d, aborting\n", result);
- return result;
- }
-
- if(serverParams->verbose) {
- sslShowResult("server", serverParams);
- }
- if(clientParams->verbose) {
- sslShowResult("client", clientParams);
- }
-
- /* verify results */
- int ourRtn = 0;
- ourRtn += sslVerifyRtn("server", serverParams->expectRtn, serverParams->ortn);
- ourRtn += sslVerifyRtn("client", clientParams->expectRtn, clientParams->ortn);
- ourRtn += sslVerifyProtVers("server", serverParams->expectVersion,
- serverParams->negVersion);
- ourRtn += sslVerifyProtVers("client", clientParams->expectVersion,
- clientParams->negVersion);
- ourRtn += sslVerifyClientCertState("server", serverParams->expectCertState,
- serverParams->certState);
- ourRtn += sslVerifyClientCertState("client", clientParams->expectCertState,
- clientParams->certState);
- if(serverParams->ortn == errSecSuccess) {
- ourRtn += sslVerifyCipher("server", serverParams->expectCipher,
- serverParams->negCipher);
- }
- if(clientParams->ortn == errSecSuccess) {
- ourRtn += sslVerifyCipher("client", clientParams->expectCipher,
- clientParams->negCipher);
- }
- return ourRtn;
-}
-
-/*
- * Add all of the roots in a given KC to SSL ctx's trusted anchors.
- */
-OSStatus sslAddTrustedRoots(
- SSLContextRef ctx,
- SecKeychainRef keychain,
- bool *foundOne) // RETURNED, true if we found
- // at least one root cert
-{
- OSStatus ortn;
- SecCertificateRef secCert;
- SecKeychainSearchRef srch;
-
- *foundOne = false;
- ortn = SecKeychainSearchCreateFromAttributes(keychain,
- kSecCertificateItemClass,
- NULL, // any attrs
- &srch);
- if(ortn) {
- printSslErrStr("SecKeychainSearchCreateFromAttributes", ortn);
- return ortn;
- }
-
- /*
- * Only use root certs. Not an error if we don't find any.
- */
- do {
- ortn = SecKeychainSearchCopyNext(srch,
- (SecKeychainItemRef *)&secCert);
- if(ortn) {
- break;
- }
-
- /* see if it's a root */
- if(!isCertRoot(secCert)) {
- continue;
- }
-
- /* Tell Secure Transport to trust this one. */
- ortn = addTrustedSecCert(ctx, secCert, false);
- if(ortn) {
- /* fatal */
- printSslErrStr("addTrustedSecCert", ortn);
- return ortn;
- }
- CFRelease(secCert);
- *foundOne = true;
- } while(ortn == errSecSuccess);
- CFRelease(srch);
- return errSecSuccess;
-}
-
-/*
- * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
- */
-OSStatus sslIdentityPicker(
- SecKeychainRef kcRef, // NULL means use default list
- const char *trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // true --> root is appended to outArray
- // false --> root not included
- CFArrayRef *outArray) // created and RETURNED
-{
- SecCertificateRef trustedCert = NULL;
- OSStatus ortn;
-
- if(trustedAnchor) {
- ortn = sslReadAnchor(trustedAnchor, &trustedCert);
- if(ortn) {
- printf("***Error reading %s. sslIdentityPicker proceeding with no anchor.\n",
- trustedAnchor);
- trustedCert = NULL;
- }
- }
- ortn = sslIdentPicker(kcRef, trustedCert, includeRoot, outArray);
- if(trustedCert) {
- CFRelease(trustedCert);
- }
- return ortn;
-}
-
-/*
- * Given a keychain name, convert it into a full path using the "SSL regression
- * test suite algorithm". The Sec layer by default locates root root's keychains
- * in different places depending on whether we're actually logged in as root
- * or running via e.g. cron, so we force the location of root keychains to
- * a hard-coded path. User keychain names we leave alone.
- */
-void sslKeychainPath(
- const char *kcName,
- char *kcPath) // allocd by caller, MAXPATHLEN
-{
- if(kcName[0] == '\0') {
- kcPath[0] = '\0';
- }
- else if(geteuid() == 0) {
- /* root */
- sprintf(kcPath, "/Library/Keychains/%s", kcName);
- }
- else {
- /* user, leave alone */
- strcpy(kcPath, kcName);
- }
-}
-
-/* Verify presence of required file. Returns nonzero if not found. */
-int sslCheckFile(const char *path)
-{
- struct stat sb;
-
- if(stat(path, &sb)) {
- printf("***Can't find file %s.\n", path);
- printf(" Try running in the build directory, perhaps after running the\n"
- " makeLocalCert script.\n");
- return 1;
- }
- return 0;
-}
-
-#endif
-
-/* Stringify a SSL_ECDSA_NamedCurve */
-extern const char *sslCurveString(
- SSL_ECDSA_NamedCurve namedCurve)
-{
- static char unk[100];
-
- switch(namedCurve) {
- case SSL_Curve_None: return "Curve_None";
- case SSL_Curve_secp256r1: return "secp256r1";
- case SSL_Curve_secp384r1: return "secp384r1";
- case SSL_Curve_secp521r1: return "secp521r1";
- default:
- sprintf(unk, "Unknown <%d>", (int)namedCurve);
- return unk;
- }
-}
projects / apple / security.git / blobdiff