X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/84aacf34eae6543be9f0280b2015385f91e5c2c6..b54c578e17e9bcbd74aa30ea75e25e955b9a6205:/protocol/SecProtocolInternal.h diff --git a/protocol/SecProtocolInternal.h b/protocol/SecProtocolInternal.h new file mode 100644 index 00000000..97fd5c0e --- /dev/null +++ b/protocol/SecProtocolInternal.h @@ -0,0 +1,135 @@ +// +// SecProtocolInternal.h +// Security +// + +#ifndef SecProtocolInternal_h +#define SecProtocolInternal_h + +#include "SecProtocolPriv.h" + +#define kATSInfoKey "NSAppTransportSecurity" +#define kAllowsArbitraryLoads "NSAllowsArbitraryLoads" +#define kAllowsArbitraryLoadsForMedia "NSAllowsArbitraryLoadsForMedia" +#define kAllowsArbitraryLoadsInWebContent "NSAllowsArbitraryLoadsInWebContent" +#define kAllowsLocalNetworking "NSAllowsLocalNetworking" +#define kExceptionDomains "NSExceptionDomains" +#define kIncludesSubdomains "NSIncludesSubdomains" +#define kExceptionAllowsInsecureHTTPLoads "NSExceptionAllowsInsecureHTTPLoads" +#define kExceptionMinimumTLSVersion "NSExceptionMinimumTLSVersion" +#define kExceptionRequiresForwardSecrecy "NSExceptionRequiresForwardSecrecy" + +#define CiphersuitesTLS13 \ + TLS_AES_128_GCM_SHA256, \ + TLS_AES_256_GCM_SHA384, \ + TLS_CHACHA20_POLY1305_SHA256 + +#define CiphersuitesPFS \ + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \ + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \ + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \ + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \ + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \ + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \ + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + +#define CiphersuitesNonPFS \ + TLS_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_RSA_WITH_AES_128_GCM_SHA256, \ + TLS_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_RSA_WITH_AES_256_CBC_SHA, \ + TLS_RSA_WITH_AES_128_CBC_SHA + +#define CiphersuitesTLS10 \ + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \ + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \ + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \ + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_RSA_WITH_AES_256_CBC_SHA, \ + TLS_RSA_WITH_AES_128_CBC_SHA + +#define CiphersuitesTLS10_3DES \ + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, \ + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, \ + SSL_RSA_WITH_3DES_EDE_CBC_SHA + +#define CiphersuitesDHE \ + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA + +SEC_RETURNS_RETAINED sec_protocol_configuration_builder_t +sec_protocol_configuration_builder_copy_default(void); + +CFDictionaryRef +sec_protocol_configuration_builder_get_ats_dictionary(sec_protocol_configuration_builder_t builder); + +bool +sec_protocol_configuration_builder_get_is_apple_bundle(sec_protocol_configuration_builder_t builder); + +SEC_RETURNS_RETAINED xpc_object_t +sec_protocol_configuration_get_map(sec_protocol_configuration_t configuration); + +void +sec_protocol_options_clear_tls_ciphersuites(sec_protocol_options_t options); + +void +sec_protocol_options_set_ats_non_pfs_ciphersuite_allowed(sec_protocol_options_t options, bool ats_non_pfs_ciphersuite_allowed); + +void +sec_protocol_options_set_ats_minimum_tls_version_allowed(sec_protocol_options_t options, bool ats_minimum_tls_version_allowed); + +void +sec_protocol_options_set_ats_required(sec_protocol_options_t options, bool required); + +void +sec_protocol_options_set_minimum_rsa_key_size(sec_protocol_options_t options, size_t minimum_key_size); + +void +sec_protocol_options_set_minimum_ecdsa_key_size(sec_protocol_options_t options, size_t minimum_key_size); + +void +sec_protocol_options_set_minimum_signature_algorithm(sec_protocol_options_t options, SecSignatureHashAlgorithm algorithm); + +void +sec_protocol_options_set_trusted_peer_certificate(sec_protocol_options_t options, bool trusted_peer_certificate); + +void +sec_protocol_configuration_populate_insecure_defaults(sec_protocol_configuration_t configuration); + +void +sec_protocol_configuration_populate_secure_defaults(sec_protocol_configuration_t configuration); + +void +sec_protocol_configuration_register_builtin_exceptions(sec_protocol_configuration_t configuration); + +bool +sec_protocol_helper_ciphersuite_group_contains_ciphersuite(tls_ciphersuite_group_t group, tls_ciphersuite_t suite); + +tls_protocol_version_t +sec_protocol_helper_ciphersuite_minimum_TLS_version(tls_ciphersuite_t ciphersuite); + +tls_protocol_version_t +sec_protocol_helper_ciphersuite_maximum_TLS_version(tls_ciphersuite_t ciphersuite); + +const char * +sec_protocol_helper_get_ciphersuite_name(tls_ciphersuite_t ciphersuite); + +const tls_key_exchange_group_t * +sec_protocol_helper_tls_key_exchange_group_set_to_key_exchange_group_list(tls_key_exchange_group_set_t set, size_t *listSize); + +bool sec_protocol_helper_dispatch_data_equal(dispatch_data_t left, dispatch_data_t right); + +#endif /* SecProtocolInternal_h */