-/*
- * Copyright (c) 2006-2008,2010-2012,2014 Apple Inc. All Rights Reserved.
- */
-
-#ifndef _SSLS_APP_UTILS_H_
-#define _SSLS_APP_UTILS_H_ 1
-
-#include <Security/SecureTransport.h>
-#include <Security/SecureTransportPriv.h>
-#include <CoreFoundation/CFArray.h>
-#include <stdbool.h>
-#include <Security/SecCertificate.h>
-
-#include <TargetConditionals.h>
-
-#if TARGET_OS_IPHONE
-typedef void *SecKeychainRef;
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-const char *sslGetCipherSuiteString(SSLCipherSuite cs);
-const char *sslGetProtocolVersionString(SSLProtocol prot);
-const char *sslGetSSLErrString(OSStatus err);
-void printSslErrStr(const char *op, OSStatus err);
-const char *sslGetClientCertStateString(SSLClientCertificateState state);
-const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);
-
-CFArrayRef getSslCerts(
- const char *kcName, // may be NULL, i.e., use default
- bool encryptOnly,
- bool completeCertChain,
- const char *anchorFile, // optional trusted anchor
- SecKeychainRef *pKcRef); // RETURNED
-OSStatus sslCompleteCertChain(
- SecIdentityRef identity,
- SecCertificateRef trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // include the root in outArray
-// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
- CFArrayRef *outArray); // created and RETURNED
-CFArrayRef sslKcRefToCertArray(
- SecKeychainRef kcRef,
- bool encryptOnly,
- bool completeCertChain,
-// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL policy to complete
- const char *trustedAnchorFile);
-
-OSStatus addTrustedSecCert(
- SSLContextRef ctx,
- SecCertificateRef secCert,
- bool replaceAnchors);
-OSStatus sslReadAnchor(
- const char *anchorFile,
- SecCertificateRef *certRef);
-OSStatus sslAddTrustedRoot(
- SSLContextRef ctx,
- const char *anchorFile,
- bool replaceAnchors);
-
-/*
- * Assume incoming identity contains a root (e.g., created by
- * certtool) and add that cert to ST's trusted anchors. This
- * enables ST's verify of the incoming chain to succeed without
- * a kludgy "AllowAnyRoot" specification.
- */
-OSStatus addIdentityAsTrustedRoot(
- SSLContextRef ctx,
- CFArrayRef identArray);
-
-OSStatus sslAddTrustedRoots(
- SSLContextRef ctx,
- SecKeychainRef keychain,
- bool *foundOne);
-
-void sslOutputDot();
-
-/*
- * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
- */
-extern const SSLCipherSuite suites40[];
-extern const SSLCipherSuite suitesDES[];
-extern const SSLCipherSuite suitesDES40[];
-extern const SSLCipherSuite suites3DES[];
-extern const SSLCipherSuite suitesRC4[];
-extern const SSLCipherSuite suitesRC4_40[];
-extern const SSLCipherSuite suitesRC2[];
-extern const SSLCipherSuite suitesAES128[];
-extern const SSLCipherSuite suitesAES256[];
-extern const SSLCipherSuite suitesDH[];
-extern const SSLCipherSuite suitesDHAnon[];
-extern const SSLCipherSuite suitesDH_RSA[];
-extern const SSLCipherSuite suitesDH_DSS[];
-extern const SSLCipherSuite suites_SHA1[];
-extern const SSLCipherSuite suites_MD5[];
-extern const SSLCipherSuite suites_ECDHE[];
-extern const SSLCipherSuite suites_ECDH[];
-
-/*
- * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
- * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
- * supports and do a SSLSetEnabledCiphers() specifying those.
- */
-OSStatus sslSetEnabledCiphers(
- SSLContextRef ctx,
- const SSLCipherSuite *ciphers);
-
-/*
- * Specify restricted sets of cipherspecs and protocols.
- */
-OSStatus sslSetCipherRestrictions(
- SSLContextRef ctx,
- char cipherRestrict);
-
-#ifndef SPHINX
-OSStatus sslSetProtocols(
- SSLContextRef ctx,
- const char *acceptedProts,
- SSLProtocol tryVersion); // only used if acceptedProts NULL
-#endif
-
-int sslVerifyRtn(
- const char *whichSide, // "client" or "server"
- OSStatus expectRtn,
- OSStatus gotRtn);
-int sslVerifyProtVers(
- const char *whichSide, // "client" or "server"
- SSLProtocol expectProt,
- SSLProtocol gotProt);
-int sslVerifyClientCertState(
- const char *whichSide, // "client" or "server"
- SSLClientCertificateState expectState,
- SSLClientCertificateState gotState);
-int sslVerifyCipher(
- const char *whichSide, // "client" or "server"
- SSLCipherSuite expectCipher,
- SSLCipherSuite gotCipher);
-
-
-/*
- * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
- */
-OSStatus sslIdentityPicker(
- SecKeychainRef kcRef, // NULL means use default list
- const char *trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // true --> root is appended to outArray
- // false --> root not included
-// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
- CFArrayRef *outArray); // created and RETURNED
-
-void sslKeychainPath(
- const char *kcName,
- char *kcPath); // allocd by caller, MAXPATHLEN
-
-/* Verify presence of required file. Returns nonzero if not found. */
-int sslCheckFile(const char *path);
-
-/* Stringify a SSL_ECDSA_NamedCurve */
-extern const char *sslCurveString(
- SSL_ECDSA_NamedCurve namedCurve);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _SSLS_APP_UTILS_H_ */
projects / apple / security.git / blobdiff