2 * Mac OS X Secure Transport implementation of the schannel (SSL/TLS) provider.
4 * Copyright 2005 Juan Lang
5 * Copyright 2008 Henri Verbeet
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
23 #include "wine/port.h"
26 #ifdef HAVE_SECURITY_SECURITY_H
27 #include <Security/Security.h>
28 #define GetCurrentThread GetCurrentThread_Mac
29 #define LoadResource LoadResource_Mac
30 #include <CoreServices/CoreServices.h>
31 #undef GetCurrentThread
40 #include "secur32_priv.h"
41 #include "wine/debug.h"
42 #include "wine/library.h"
44 #ifdef HAVE_SECURITY_SECURITY_H
46 WINE_DEFAULT_DEBUG_CHANNEL(secur32
);
48 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1060
49 /* Defined in <Security/CipherSuite.h> in the 10.6 SDK or later. */
51 TLS_ECDH_ECDSA_WITH_NULL_SHA
= 0xC001,
52 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
= 0xC002,
53 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
= 0xC003,
54 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
= 0xC004,
55 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
= 0xC005,
56 TLS_ECDHE_ECDSA_WITH_NULL_SHA
= 0xC006,
57 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
= 0xC007,
58 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
= 0xC008,
59 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
= 0xC009,
60 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
= 0xC00A,
61 TLS_ECDH_RSA_WITH_NULL_SHA
= 0xC00B,
62 TLS_ECDH_RSA_WITH_RC4_128_SHA
= 0xC00C,
63 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
= 0xC00D,
64 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
= 0xC00E,
65 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
= 0xC00F,
66 TLS_ECDHE_RSA_WITH_NULL_SHA
= 0xC010,
67 TLS_ECDHE_RSA_WITH_RC4_128_SHA
= 0xC011,
68 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
= 0xC012,
69 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
= 0xC013,
70 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
= 0xC014,
71 TLS_ECDH_anon_WITH_NULL_SHA
= 0xC015,
72 TLS_ECDH_anon_WITH_RC4_128_SHA
= 0xC016,
73 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
= 0xC017,
74 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
= 0xC018,
75 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
= 0xC019,
79 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1080
80 /* Defined in <Security/CipherSuite.h> in the 10.8 SDK or later. */
82 TLS_NULL_WITH_NULL_NULL
= 0x0000,
83 TLS_RSA_WITH_NULL_MD5
= 0x0001,
84 TLS_RSA_WITH_NULL_SHA
= 0x0002,
85 TLS_RSA_WITH_RC4_128_MD5
= 0x0004,
86 TLS_RSA_WITH_RC4_128_SHA
= 0x0005,
87 TLS_RSA_WITH_3DES_EDE_CBC_SHA
= 0x000A,
88 TLS_RSA_WITH_NULL_SHA256
= 0x003B,
89 TLS_RSA_WITH_AES_128_CBC_SHA256
= 0x003C,
90 TLS_RSA_WITH_AES_256_CBC_SHA256
= 0x003D,
91 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
= 0x000D,
92 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
= 0x0010,
93 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
= 0x0013,
94 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
= 0x0016,
95 TLS_DH_DSS_WITH_AES_128_CBC_SHA256
= 0x003E,
96 TLS_DH_RSA_WITH_AES_128_CBC_SHA256
= 0x003F,
97 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
= 0x0040,
98 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
= 0x0067,
99 TLS_DH_DSS_WITH_AES_256_CBC_SHA256
= 0x0068,
100 TLS_DH_RSA_WITH_AES_256_CBC_SHA256
= 0x0069,
101 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
= 0x006A,
102 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
= 0x006B,
103 TLS_DH_anon_WITH_RC4_128_MD5
= 0x0018,
104 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
= 0x001B,
105 TLS_DH_anon_WITH_AES_128_CBC_SHA256
= 0x006C,
106 TLS_DH_anon_WITH_AES_256_CBC_SHA256
= 0x006D,
107 TLS_RSA_WITH_AES_128_GCM_SHA256
= 0x009C,
108 TLS_RSA_WITH_AES_256_GCM_SHA384
= 0x009D,
109 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
= 0x009E,
110 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
= 0x009F,
111 TLS_DH_RSA_WITH_AES_128_GCM_SHA256
= 0x00A0,
112 TLS_DH_RSA_WITH_AES_256_GCM_SHA384
= 0x00A1,
113 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
= 0x00A2,
114 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
= 0x00A3,
115 TLS_DH_DSS_WITH_AES_128_GCM_SHA256
= 0x00A4,
116 TLS_DH_DSS_WITH_AES_256_GCM_SHA384
= 0x00A5,
117 TLS_DH_anon_WITH_AES_128_GCM_SHA256
= 0x00A6,
118 TLS_DH_anon_WITH_AES_256_GCM_SHA384
= 0x00A7,
119 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
= 0xC023,
120 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
= 0xC024,
121 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
= 0xC025,
122 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
= 0xC026,
123 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
= 0xC027,
124 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
= 0xC028,
125 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
= 0xC029,
126 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
= 0xC02A,
127 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
= 0xC02B,
128 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
= 0xC02C,
129 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
= 0xC02D,
130 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
= 0xC02E,
131 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
= 0xC02F,
132 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
= 0xC030,
133 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
= 0xC031,
134 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
= 0xC032,
135 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
= 0x00FF,
138 /* Defined in <Security/SecureTransport.h> in the 10.8 SDK or later. */
140 kTLSProtocol11
= 7, /* TLS 1.1 */
141 kTLSProtocol12
= 8, /* TLS 1.2 */
145 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1090
146 /* Defined in <Security/CipherSuite.h> in the 10.9 SDK or later. */
148 TLS_PSK_WITH_RC4_128_SHA
= 0x008A,
149 TLS_PSK_WITH_3DES_EDE_CBC_SHA
= 0x008B,
150 TLS_PSK_WITH_AES_128_CBC_SHA
= 0x008C,
151 TLS_PSK_WITH_AES_256_CBC_SHA
= 0x008D,
152 TLS_DHE_PSK_WITH_RC4_128_SHA
= 0x008E,
153 TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
= 0x008F,
154 TLS_DHE_PSK_WITH_AES_128_CBC_SHA
= 0x0090,
155 TLS_DHE_PSK_WITH_AES_256_CBC_SHA
= 0x0091,
156 TLS_RSA_PSK_WITH_RC4_128_SHA
= 0x0092,
157 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
= 0x0093,
158 TLS_RSA_PSK_WITH_AES_128_CBC_SHA
= 0x0094,
159 TLS_RSA_PSK_WITH_AES_256_CBC_SHA
= 0x0095,
160 TLS_PSK_WITH_NULL_SHA
= 0x002C,
161 TLS_DHE_PSK_WITH_NULL_SHA
= 0x002D,
162 TLS_RSA_PSK_WITH_NULL_SHA
= 0x002E,
163 TLS_PSK_WITH_AES_128_GCM_SHA256
= 0x00A8,
164 TLS_PSK_WITH_AES_256_GCM_SHA384
= 0x00A9,
165 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
= 0x00AA,
166 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
= 0x00AB,
167 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
= 0x00AC,
168 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
= 0x00AD,
169 TLS_PSK_WITH_AES_128_CBC_SHA256
= 0x00AE,
170 TLS_PSK_WITH_AES_256_CBC_SHA384
= 0x00AF,
171 TLS_PSK_WITH_NULL_SHA256
= 0x00B0,
172 TLS_PSK_WITH_NULL_SHA384
= 0x00B1,
173 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
= 0x00B2,
174 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
= 0x00B3,
175 TLS_DHE_PSK_WITH_NULL_SHA256
= 0x00B4,
176 TLS_DHE_PSK_WITH_NULL_SHA384
= 0x00B5,
177 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
= 0x00B6,
178 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
= 0x00B7,
179 TLS_RSA_PSK_WITH_NULL_SHA256
= 0x00B8,
180 TLS_RSA_PSK_WITH_NULL_SHA384
= 0x00B9,
186 SSLContextRef context
;
187 struct schan_transport
*transport
;
198 schan_kx_DH_anon_EXPORT
,
200 schan_kx_DH_DSS_EXPORT
,
202 schan_kx_DH_RSA_EXPORT
,
204 schan_kx_DHE_DSS_EXPORT
,
207 schan_kx_DHE_RSA_EXPORT
,
212 schan_kx_ECDHE_ECDSA
,
214 schan_kx_FORTEZZA_DMS
,
223 schan_enc_3DES_EDE_CBC
,
224 schan_enc_AES_128_CBC
,
225 schan_enc_AES_128_GCM
,
226 schan_enc_AES_256_CBC
,
227 schan_enc_AES_256_GCM
,
230 schan_enc_FORTEZZA_CBC
,
234 schan_enc_RC2_CBC_40
,
248 struct cipher_suite
{
249 SSLCipherSuite suite
;
256 /* This table corresponds to the enum in <Security/CipherSuite.h>. */
257 static const struct cipher_suite cipher_suites
[] = {
258 #define CIPHER_SUITE(p, kx, enc, mac) { p##_##kx##_WITH_##enc##_##mac, schan_proto_##p, \
259 schan_kx_##kx, schan_enc_##enc, schan_mac_##mac }
260 CIPHER_SUITE(SSL
, RSA
, NULL
, MD5
),
261 CIPHER_SUITE(SSL
, RSA
, NULL
, MD5
),
262 CIPHER_SUITE(SSL
, RSA
, NULL
, SHA
),
263 CIPHER_SUITE(SSL
, RSA_EXPORT
, RC4_40
, MD5
),
264 CIPHER_SUITE(SSL
, RSA
, RC4_128
, MD5
),
265 CIPHER_SUITE(SSL
, RSA
, RC4_128
, SHA
),
266 CIPHER_SUITE(SSL
, RSA_EXPORT
, RC2_CBC_40
, MD5
),
267 CIPHER_SUITE(SSL
, RSA
, IDEA_CBC
, SHA
),
268 CIPHER_SUITE(SSL
, RSA_EXPORT
, DES40_CBC
, SHA
),
269 CIPHER_SUITE(SSL
, RSA
, DES_CBC
, SHA
),
270 CIPHER_SUITE(SSL
, RSA
, 3DES_EDE_CBC
, SHA
),
271 CIPHER_SUITE(SSL
, DH_DSS_EXPORT
, DES40_CBC
, SHA
),
272 CIPHER_SUITE(SSL
, DH_DSS
, DES_CBC
, SHA
),
273 CIPHER_SUITE(SSL
, DH_DSS
, 3DES_EDE_CBC
, SHA
),
274 CIPHER_SUITE(SSL
, DH_RSA_EXPORT
, DES40_CBC
, SHA
),
275 CIPHER_SUITE(SSL
, DH_RSA
, DES_CBC
, SHA
),
276 CIPHER_SUITE(SSL
, DH_RSA
, 3DES_EDE_CBC
, SHA
),
277 CIPHER_SUITE(SSL
, DHE_DSS_EXPORT
, DES40_CBC
, SHA
),
278 CIPHER_SUITE(SSL
, DHE_DSS
, DES_CBC
, SHA
),
279 CIPHER_SUITE(SSL
, DHE_DSS
, 3DES_EDE_CBC
, SHA
),
280 CIPHER_SUITE(SSL
, DHE_RSA_EXPORT
, DES40_CBC
, SHA
),
281 CIPHER_SUITE(SSL
, DHE_RSA
, DES_CBC
, SHA
),
282 CIPHER_SUITE(SSL
, DHE_RSA
, 3DES_EDE_CBC
, SHA
),
283 CIPHER_SUITE(SSL
, DH_anon_EXPORT
, RC4_40
, MD5
),
284 CIPHER_SUITE(SSL
, DH_anon
, RC4_128
, MD5
),
285 CIPHER_SUITE(SSL
, DH_anon_EXPORT
, DES40_CBC
, SHA
),
286 CIPHER_SUITE(SSL
, DH_anon
, DES_CBC
, SHA
),
287 CIPHER_SUITE(SSL
, DH_anon
, 3DES_EDE_CBC
, SHA
),
288 CIPHER_SUITE(SSL
, FORTEZZA_DMS
, NULL
, SHA
),
289 CIPHER_SUITE(SSL
, FORTEZZA_DMS
, FORTEZZA_CBC
, SHA
),
291 CIPHER_SUITE(TLS
, RSA
, AES_128_CBC
, SHA
),
292 CIPHER_SUITE(TLS
, DH_DSS
, AES_128_CBC
, SHA
),
293 CIPHER_SUITE(TLS
, DH_RSA
, AES_128_CBC
, SHA
),
294 CIPHER_SUITE(TLS
, DHE_DSS
, AES_128_CBC
, SHA
),
295 CIPHER_SUITE(TLS
, DHE_RSA
, AES_128_CBC
, SHA
),
296 CIPHER_SUITE(TLS
, DH_anon
, AES_128_CBC
, SHA
),
297 CIPHER_SUITE(TLS
, RSA
, AES_256_CBC
, SHA
),
298 CIPHER_SUITE(TLS
, DH_DSS
, AES_256_CBC
, SHA
),
299 CIPHER_SUITE(TLS
, DH_RSA
, AES_256_CBC
, SHA
),
300 CIPHER_SUITE(TLS
, DHE_DSS
, AES_256_CBC
, SHA
),
301 CIPHER_SUITE(TLS
, DHE_RSA
, AES_256_CBC
, SHA
),
302 CIPHER_SUITE(TLS
, DH_anon
, AES_256_CBC
, SHA
),
304 CIPHER_SUITE(TLS
, ECDH_ECDSA
, NULL
, SHA
),
305 CIPHER_SUITE(TLS
, ECDH_ECDSA
, RC4_128
, SHA
),
306 CIPHER_SUITE(TLS
, ECDH_ECDSA
, 3DES_EDE_CBC
, SHA
),
307 CIPHER_SUITE(TLS
, ECDH_ECDSA
, AES_128_CBC
, SHA
),
308 CIPHER_SUITE(TLS
, ECDH_ECDSA
, AES_256_CBC
, SHA
),
309 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, NULL
, SHA
),
310 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, RC4_128
, SHA
),
311 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, 3DES_EDE_CBC
, SHA
),
312 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, AES_128_CBC
, SHA
),
313 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, AES_256_CBC
, SHA
),
314 CIPHER_SUITE(TLS
, ECDH_RSA
, NULL
, SHA
),
315 CIPHER_SUITE(TLS
, ECDH_RSA
, RC4_128
, SHA
),
316 CIPHER_SUITE(TLS
, ECDH_RSA
, 3DES_EDE_CBC
, SHA
),
317 CIPHER_SUITE(TLS
, ECDH_RSA
, AES_128_CBC
, SHA
),
318 CIPHER_SUITE(TLS
, ECDH_RSA
, AES_256_CBC
, SHA
),
319 CIPHER_SUITE(TLS
, ECDHE_RSA
, NULL
, SHA
),
320 CIPHER_SUITE(TLS
, ECDHE_RSA
, RC4_128
, SHA
),
321 CIPHER_SUITE(TLS
, ECDHE_RSA
, 3DES_EDE_CBC
, SHA
),
322 CIPHER_SUITE(TLS
, ECDHE_RSA
, AES_128_CBC
, SHA
),
323 CIPHER_SUITE(TLS
, ECDHE_RSA
, AES_256_CBC
, SHA
),
324 CIPHER_SUITE(TLS
, ECDH_anon
, NULL
, SHA
),
325 CIPHER_SUITE(TLS
, ECDH_anon
, RC4_128
, SHA
),
326 CIPHER_SUITE(TLS
, ECDH_anon
, 3DES_EDE_CBC
, SHA
),
327 CIPHER_SUITE(TLS
, ECDH_anon
, AES_128_CBC
, SHA
),
328 CIPHER_SUITE(TLS
, ECDH_anon
, AES_256_CBC
, SHA
),
330 CIPHER_SUITE(TLS
, NULL
, NULL
, NULL
),
331 CIPHER_SUITE(TLS
, RSA
, NULL
, MD5
),
332 CIPHER_SUITE(TLS
, RSA
, NULL
, SHA
),
333 CIPHER_SUITE(TLS
, RSA
, RC4_128
, MD5
),
334 CIPHER_SUITE(TLS
, RSA
, RC4_128
, SHA
),
335 CIPHER_SUITE(TLS
, RSA
, 3DES_EDE_CBC
, SHA
),
336 CIPHER_SUITE(TLS
, RSA
, NULL
, SHA256
),
337 CIPHER_SUITE(TLS
, RSA
, AES_128_CBC
, SHA256
),
338 CIPHER_SUITE(TLS
, RSA
, AES_256_CBC
, SHA256
),
339 CIPHER_SUITE(TLS
, DH_DSS
, 3DES_EDE_CBC
, SHA
),
340 CIPHER_SUITE(TLS
, DH_RSA
, 3DES_EDE_CBC
, SHA
),
341 CIPHER_SUITE(TLS
, DHE_DSS
, 3DES_EDE_CBC
, SHA
),
342 CIPHER_SUITE(TLS
, DHE_RSA
, 3DES_EDE_CBC
, SHA
),
343 CIPHER_SUITE(TLS
, DH_DSS
, AES_128_CBC
, SHA256
),
344 CIPHER_SUITE(TLS
, DH_RSA
, AES_128_CBC
, SHA256
),
345 CIPHER_SUITE(TLS
, DHE_DSS
, AES_128_CBC
, SHA256
),
346 CIPHER_SUITE(TLS
, DHE_RSA
, AES_128_CBC
, SHA256
),
347 CIPHER_SUITE(TLS
, DH_DSS
, AES_256_CBC
, SHA256
),
348 CIPHER_SUITE(TLS
, DH_RSA
, AES_256_CBC
, SHA256
),
349 CIPHER_SUITE(TLS
, DHE_DSS
, AES_256_CBC
, SHA256
),
350 CIPHER_SUITE(TLS
, DHE_RSA
, AES_256_CBC
, SHA256
),
351 CIPHER_SUITE(TLS
, DH_anon
, RC4_128
, MD5
),
352 CIPHER_SUITE(TLS
, DH_anon
, 3DES_EDE_CBC
, SHA
),
353 CIPHER_SUITE(TLS
, DH_anon
, AES_128_CBC
, SHA256
),
354 CIPHER_SUITE(TLS
, DH_anon
, AES_256_CBC
, SHA256
),
356 CIPHER_SUITE(TLS
, PSK
, RC4_128
, SHA
),
357 CIPHER_SUITE(TLS
, PSK
, 3DES_EDE_CBC
, SHA
),
358 CIPHER_SUITE(TLS
, PSK
, AES_128_CBC
, SHA
),
359 CIPHER_SUITE(TLS
, PSK
, AES_256_CBC
, SHA
),
360 CIPHER_SUITE(TLS
, DHE_PSK
, RC4_128
, SHA
),
361 CIPHER_SUITE(TLS
, DHE_PSK
, 3DES_EDE_CBC
, SHA
),
362 CIPHER_SUITE(TLS
, DHE_PSK
, AES_128_CBC
, SHA
),
363 CIPHER_SUITE(TLS
, DHE_PSK
, AES_256_CBC
, SHA
),
364 CIPHER_SUITE(TLS
, RSA_PSK
, RC4_128
, SHA
),
365 CIPHER_SUITE(TLS
, RSA_PSK
, 3DES_EDE_CBC
, SHA
),
366 CIPHER_SUITE(TLS
, RSA_PSK
, AES_128_CBC
, SHA
),
367 CIPHER_SUITE(TLS
, RSA_PSK
, AES_256_CBC
, SHA
),
368 CIPHER_SUITE(TLS
, PSK
, NULL
, SHA
),
369 CIPHER_SUITE(TLS
, DHE_PSK
, NULL
, SHA
),
370 CIPHER_SUITE(TLS
, RSA_PSK
, NULL
, SHA
),
372 CIPHER_SUITE(TLS
, RSA
, AES_128_GCM
, SHA256
),
373 CIPHER_SUITE(TLS
, RSA
, AES_256_GCM
, SHA384
),
374 CIPHER_SUITE(TLS
, DHE_RSA
, AES_128_GCM
, SHA256
),
375 CIPHER_SUITE(TLS
, DHE_RSA
, AES_256_GCM
, SHA384
),
376 CIPHER_SUITE(TLS
, DH_RSA
, AES_128_GCM
, SHA256
),
377 CIPHER_SUITE(TLS
, DH_RSA
, AES_256_GCM
, SHA384
),
378 CIPHER_SUITE(TLS
, DHE_DSS
, AES_128_GCM
, SHA256
),
379 CIPHER_SUITE(TLS
, DHE_DSS
, AES_256_GCM
, SHA384
),
380 CIPHER_SUITE(TLS
, DH_DSS
, AES_128_GCM
, SHA256
),
381 CIPHER_SUITE(TLS
, DH_DSS
, AES_256_GCM
, SHA384
),
382 CIPHER_SUITE(TLS
, DH_anon
, AES_128_GCM
, SHA256
),
383 CIPHER_SUITE(TLS
, DH_anon
, AES_256_GCM
, SHA384
),
385 CIPHER_SUITE(TLS
, PSK
, AES_128_GCM
, SHA256
),
386 CIPHER_SUITE(TLS
, PSK
, AES_256_GCM
, SHA384
),
387 CIPHER_SUITE(TLS
, DHE_PSK
, AES_128_GCM
, SHA256
),
388 CIPHER_SUITE(TLS
, DHE_PSK
, AES_256_GCM
, SHA384
),
389 CIPHER_SUITE(TLS
, RSA_PSK
, AES_128_GCM
, SHA256
),
390 CIPHER_SUITE(TLS
, RSA_PSK
, AES_256_GCM
, SHA384
),
391 CIPHER_SUITE(TLS
, PSK
, AES_128_CBC
, SHA256
),
392 CIPHER_SUITE(TLS
, PSK
, AES_256_CBC
, SHA384
),
393 CIPHER_SUITE(TLS
, PSK
, NULL
, SHA256
),
394 CIPHER_SUITE(TLS
, PSK
, NULL
, SHA384
),
395 CIPHER_SUITE(TLS
, DHE_PSK
, AES_128_CBC
, SHA256
),
396 CIPHER_SUITE(TLS
, DHE_PSK
, AES_256_CBC
, SHA384
),
397 CIPHER_SUITE(TLS
, DHE_PSK
, NULL
, SHA256
),
398 CIPHER_SUITE(TLS
, DHE_PSK
, NULL
, SHA384
),
399 CIPHER_SUITE(TLS
, RSA_PSK
, AES_128_CBC
, SHA256
),
400 CIPHER_SUITE(TLS
, RSA_PSK
, AES_256_CBC
, SHA384
),
401 CIPHER_SUITE(TLS
, RSA_PSK
, NULL
, SHA256
),
402 CIPHER_SUITE(TLS
, RSA_PSK
, NULL
, SHA384
),
404 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, AES_128_CBC
, SHA256
),
405 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, AES_256_CBC
, SHA384
),
406 CIPHER_SUITE(TLS
, ECDH_ECDSA
, AES_128_CBC
, SHA256
),
407 CIPHER_SUITE(TLS
, ECDH_ECDSA
, AES_256_CBC
, SHA384
),
408 CIPHER_SUITE(TLS
, ECDHE_RSA
, AES_128_CBC
, SHA256
),
409 CIPHER_SUITE(TLS
, ECDHE_RSA
, AES_256_CBC
, SHA384
),
410 CIPHER_SUITE(TLS
, ECDH_RSA
, AES_128_CBC
, SHA256
),
411 CIPHER_SUITE(TLS
, ECDH_RSA
, AES_256_CBC
, SHA384
),
412 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, AES_128_GCM
, SHA256
),
413 CIPHER_SUITE(TLS
, ECDHE_ECDSA
, AES_256_GCM
, SHA384
),
414 CIPHER_SUITE(TLS
, ECDH_ECDSA
, AES_128_GCM
, SHA256
),
415 CIPHER_SUITE(TLS
, ECDH_ECDSA
, AES_256_GCM
, SHA384
),
416 CIPHER_SUITE(TLS
, ECDHE_RSA
, AES_128_GCM
, SHA256
),
417 CIPHER_SUITE(TLS
, ECDHE_RSA
, AES_256_GCM
, SHA384
),
418 CIPHER_SUITE(TLS
, ECDH_RSA
, AES_128_GCM
, SHA256
),
419 CIPHER_SUITE(TLS
, ECDH_RSA
, AES_256_GCM
, SHA384
),
421 CIPHER_SUITE(SSL
, RSA
, RC2_CBC
, MD5
),
422 CIPHER_SUITE(SSL
, RSA
, IDEA_CBC
, MD5
),
423 CIPHER_SUITE(SSL
, RSA
, DES_CBC
, MD5
),
424 CIPHER_SUITE(SSL
, RSA
, 3DES_EDE_CBC
, MD5
),
429 static const struct cipher_suite
* get_cipher_suite(SSLCipherSuite cipher_suite
)
432 for (i
= 0; i
< sizeof(cipher_suites
)/sizeof(cipher_suites
[0]); i
++)
434 if (cipher_suites
[i
].suite
== cipher_suite
)
435 return &cipher_suites
[i
];
442 static DWORD
schan_get_session_protocol(struct mac_session
* s
)
444 SSLProtocol protocol
;
447 TRACE("(%p/%p)\n", s
, s
->context
);
449 status
= SSLGetNegotiatedProtocolVersion(s
->context
, &protocol
);
452 ERR("Failed to get session protocol: %d\n", status
);
456 TRACE("protocol %d\n", protocol
);
460 case kSSLProtocol2
: return SP_PROT_SSL2_CLIENT
;
461 case kSSLProtocol3
: return SP_PROT_SSL3_CLIENT
;
462 case kTLSProtocol1
: return SP_PROT_TLS1_CLIENT
;
463 case kTLSProtocol11
: return SP_PROT_TLS1_1_CLIENT
;
464 case kTLSProtocol12
: return SP_PROT_TLS1_2_CLIENT
;
466 FIXME("unknown protocol %d\n", protocol
);
471 static ALG_ID
schan_get_cipher_algid(const struct cipher_suite
* c
)
473 TRACE("(%#x)\n", (unsigned int)c
->suite
);
477 case schan_enc_3DES_EDE_CBC
: return CALG_3DES
;
478 case schan_enc_AES_128_CBC
: return CALG_AES_128
;
479 case schan_enc_AES_256_CBC
: return CALG_AES_256
;
480 case schan_enc_DES_CBC
: return CALG_DES
;
481 case schan_enc_DES40_CBC
: return CALG_DES
;
482 case schan_enc_NULL
: return 0;
483 case schan_enc_RC2_CBC_40
: return CALG_RC2
;
484 case schan_enc_RC2_CBC
: return CALG_RC2
;
485 case schan_enc_RC4_128
: return CALG_RC4
;
486 case schan_enc_RC4_40
: return CALG_RC4
;
488 case schan_enc_AES_128_GCM
:
489 case schan_enc_AES_256_GCM
:
490 case schan_enc_FORTEZZA_CBC
:
491 case schan_enc_IDEA_CBC
:
492 FIXME("Don't know CALG for encryption algorithm %d, returning 0\n", c
->enc_alg
);
496 FIXME("Unknown encryption algorithm %d for cipher suite %#x, returning 0\n", c
->enc_alg
, (unsigned int)c
->suite
);
501 static unsigned int schan_get_cipher_key_size(const struct cipher_suite
* c
)
503 TRACE("(%#x)\n", (unsigned int)c
->suite
);
507 case schan_enc_3DES_EDE_CBC
: return 168;
508 case schan_enc_AES_128_CBC
: return 128;
509 case schan_enc_AES_128_GCM
: return 128;
510 case schan_enc_AES_256_CBC
: return 256;
511 case schan_enc_AES_256_GCM
: return 256;
512 case schan_enc_DES_CBC
: return 56;
513 case schan_enc_DES40_CBC
: return 40;
514 case schan_enc_NULL
: return 0;
515 case schan_enc_RC2_CBC_40
: return 40;
516 case schan_enc_RC2_CBC
: return 128;
517 case schan_enc_RC4_128
: return 128;
518 case schan_enc_RC4_40
: return 40;
520 case schan_enc_FORTEZZA_CBC
:
521 case schan_enc_IDEA_CBC
:
522 FIXME("Don't know key size for encryption algorithm %d, returning 0\n", c
->enc_alg
);
526 FIXME("Unknown encryption algorithm %d for cipher suite %#x, returning 0\n", c
->enc_alg
, (unsigned int)c
->suite
);
531 static ALG_ID
schan_get_mac_algid(const struct cipher_suite
* c
)
533 TRACE("(%#x)\n", (unsigned int)c
->suite
);
537 case schan_mac_MD5
: return CALG_MD5
;
538 case schan_mac_NULL
: return 0;
539 case schan_mac_SHA
: return CALG_SHA
;
540 case schan_mac_SHA256
: return CALG_SHA_256
;
541 case schan_mac_SHA384
: return CALG_SHA_384
;
544 FIXME("Unknown hashing algorithm %d for cipher suite %#x, returning 0\n", c
->mac_alg
, (unsigned)c
->suite
);
549 static unsigned int schan_get_mac_key_size(const struct cipher_suite
* c
)
551 TRACE("(%#x)\n", (unsigned int)c
->suite
);
555 case schan_mac_MD5
: return 128;
556 case schan_mac_NULL
: return 0;
557 case schan_mac_SHA
: return 160;
558 case schan_mac_SHA256
: return 256;
559 case schan_mac_SHA384
: return 384;
562 FIXME("Unknown hashing algorithm %d for cipher suite %#x, returning 0\n", c
->mac_alg
, (unsigned)c
->suite
);
567 static ALG_ID
schan_get_kx_algid(const struct cipher_suite
* c
)
569 TRACE("(%#x)\n", (unsigned int)c
->suite
);
573 case schan_kx_DHE_DSS_EXPORT
:
574 case schan_kx_DHE_DSS
:
575 case schan_kx_DHE_PSK
:
576 case schan_kx_DHE_RSA_EXPORT
:
577 case schan_kx_DHE_RSA
: return CALG_DH_EPHEM
;
578 case schan_kx_ECDH_anon
:
579 case schan_kx_ECDH_ECDSA
:
580 case schan_kx_ECDH_RSA
: return CALG_ECDH
;
581 case schan_kx_ECDHE_ECDSA
:
582 case schan_kx_ECDHE_RSA
: return CALG_ECDH_EPHEM
;
583 case schan_kx_NULL
: return 0;
585 case schan_kx_RSA_EXPORT
:
586 case schan_kx_RSA_PSK
: return CALG_RSA_KEYX
;
588 case schan_kx_DH_anon_EXPORT
:
589 case schan_kx_DH_anon
:
590 case schan_kx_DH_DSS_EXPORT
:
591 case schan_kx_DH_DSS
:
592 case schan_kx_DH_RSA_EXPORT
:
593 case schan_kx_DH_RSA
:
594 case schan_kx_FORTEZZA_DMS
:
596 FIXME("Don't know CALG for key exchange algorithm %d for cipher suite %#x, returning 0\n", c
->kx_alg
, (unsigned)c
->suite
);
600 FIXME("Unknown key exchange algorithm %d for cipher suite %#x, returning 0\n", c
->kx_alg
, (unsigned)c
->suite
);
606 /* schan_pull_adapter
607 * Callback registered with SSLSetIOFuncs as the read function for a
608 * session. Reads data from the session connection. Conforms to the
611 * transport - The session connection
612 * buff - The buffer into which to store the read data. Must be at least
613 * *buff_len bytes in length.
614 * *buff_len - On input, the desired length to read. On successful return,
615 * the number of bytes actually read.
618 * noErr on complete success meaning the requested length was successfully
620 * errSSLWouldBlock when the requested length could not be read without
621 * blocking. *buff_len indicates how much was actually read. The
622 * caller should try again if/when they want to read more.
623 * errSSLClosedGraceful when the connection has closed and there's no
624 * more data to be read.
625 * other error code for failure.
627 static OSStatus
schan_pull_adapter(SSLConnectionRef transport
, void *buff
,
630 struct mac_session
*s
= (struct mac_session
*)transport
;
631 size_t requested
= *buff_len
;
635 TRACE("(%p/%p, %p, %p/%lu)\n", s
, s
->transport
, buff
, buff_len
, *buff_len
);
637 status
= schan_pull(s
->transport
, buff
, buff_len
);
642 TRACE("Connection closed\n");
643 ret
= errSSLClosedGraceful
;
645 else if (*buff_len
< requested
)
647 TRACE("Pulled %lu bytes before would block\n", *buff_len
);
648 ret
= errSSLWouldBlock
;
652 TRACE("Pulled %lu bytes\n", *buff_len
);
656 else if (status
== EAGAIN
)
658 TRACE("Would block before being able to pull anything\n");
659 ret
= errSSLWouldBlock
;
663 FIXME("Unknown status code from schan_pull: %d\n", status
);
670 /* schan_push_adapter
671 * Callback registered with SSLSetIOFuncs as the write function for a
672 * session. Writes data to the session connection. Conforms to the
675 * transport - The session connection
676 * buff - The buffer of data to write. Must be at least *buff_len bytes in length.
677 * *buff_len - On input, the desired length to write. On successful return,
678 * the number of bytes actually written.
681 * noErr on complete or partial success; *buff_len indicates how much data
682 * was actually written, which may be less than requested.
683 * errSSLWouldBlock when no data could be written without blocking. The
684 * caller should try again.
685 * other error code for failure.
687 static OSStatus
schan_push_adapter(SSLConnectionRef transport
, const void *buff
,
690 struct mac_session
*s
= (struct mac_session
*)transport
;
694 TRACE("(%p/%p, %p, %p/%lu)\n", s
, s
->transport
, buff
, buff_len
, *buff_len
);
696 status
= schan_push(s
->transport
, buff
, buff_len
);
699 TRACE("Pushed %lu bytes\n", *buff_len
);
702 else if (status
== EAGAIN
)
704 TRACE("Would block before being able to push anything\n");
705 ret
= errSSLWouldBlock
;
709 FIXME("Unknown status code from schan_push: %d\n", status
);
716 static const struct {
718 SSLProtocol mac_version
;
719 } protocol_priority_flags
[] = {
720 {SP_PROT_TLS1_2_CLIENT
, kTLSProtocol12
},
721 {SP_PROT_TLS1_1_CLIENT
, kTLSProtocol11
},
722 {SP_PROT_TLS1_0_CLIENT
, kTLSProtocol1
},
723 {SP_PROT_SSL3_CLIENT
, kSSLProtocol3
},
724 {SP_PROT_SSL2_CLIENT
, kSSLProtocol2
}
727 static DWORD supported_protocols
;
729 DWORD
schan_imp_enabled_protocols(void)
731 return supported_protocols
;
734 BOOL
schan_imp_create_session(schan_imp_session
*session
, schan_credentials
*cred
)
736 struct mac_session
*s
;
740 TRACE("(%p)\n", session
);
742 s
= heap_alloc(sizeof(*s
));
746 InitializeCriticalSection(&s
->cs
);
747 s
->cs
.DebugInfo
->Spare
[0] = (DWORD_PTR
)(__FILE__
": mac_session.cs");
749 status
= SSLNewContext(cred
->credential_use
== SECPKG_CRED_INBOUND
, &s
->context
);
752 ERR("Failed to create session context: %d\n", status
);
756 status
= SSLSetConnection(s
->context
, s
);
759 ERR("Failed to set session connection: %d\n", status
);
763 status
= SSLSetEnableCertVerify(s
->context
, FALSE
);
766 ERR("Failed to disable certificate verification: %d\n", status
);
770 for(i
=0; i
< sizeof(protocol_priority_flags
)/sizeof(*protocol_priority_flags
); i
++) {
771 if(!(protocol_priority_flags
[i
].enable_flag
& supported_protocols
))
774 status
= SSLSetProtocolVersionEnabled(s
->context
, protocol_priority_flags
[i
].mac_version
,
775 (cred
->enabled_protocols
& protocol_priority_flags
[i
].enable_flag
) != 0);
778 ERR("Failed to set SSL version %d: %d\n", protocol_priority_flags
[i
].mac_version
, status
);
783 status
= SSLSetIOFuncs(s
->context
, schan_pull_adapter
, schan_push_adapter
);
786 ERR("Failed to set session I/O funcs: %d\n", status
);
790 TRACE(" -> %p/%p\n", s
, s
->context
);
792 *session
= (schan_imp_session
)s
;
800 void schan_imp_dispose_session(schan_imp_session session
)
802 struct mac_session
*s
= (struct mac_session
*)session
;
805 TRACE("(%p/%p)\n", s
, s
->context
);
807 status
= SSLDisposeContext(s
->context
);
809 ERR("Failed to dispose of session context: %d\n", status
);
810 DeleteCriticalSection(&s
->cs
);
814 void schan_imp_set_session_transport(schan_imp_session session
,
815 struct schan_transport
*t
)
817 struct mac_session
*s
= (struct mac_session
*)session
;
819 TRACE("(%p/%p, %p)\n", s
, s
->context
, t
);
824 void schan_imp_set_session_target(schan_imp_session session
, const char *target
)
826 struct mac_session
*s
= (struct mac_session
*)session
;
828 TRACE("(%p/%p, %s)\n", s
, s
->context
, debugstr_a(target
));
830 SSLSetPeerDomainName( s
->context
, target
, strlen(target
) );
833 SECURITY_STATUS
schan_imp_handshake(schan_imp_session session
)
835 struct mac_session
*s
= (struct mac_session
*)session
;
838 TRACE("(%p/%p)\n", s
, s
->context
);
840 status
= SSLHandshake(s
->context
);
843 TRACE("Handshake completed\n");
846 else if (status
== errSSLWouldBlock
)
848 TRACE("Continue...\n");
849 return SEC_I_CONTINUE_NEEDED
;
851 else if (errSecErrnoBase
<= status
&& status
<= errSecErrnoLimit
)
853 ERR("Handshake failed: %s\n", strerror(status
));
854 return SEC_E_INTERNAL_ERROR
;
858 ERR("Handshake failed: %d\n", status
);
859 cssmPerror("SSLHandshake", status
);
860 return SEC_E_INTERNAL_ERROR
;
867 unsigned int schan_imp_get_session_cipher_block_size(schan_imp_session session
)
869 struct mac_session
* s
= (struct mac_session
*)session
;
870 SSLCipherSuite cipherSuite
;
871 const struct cipher_suite
* c
;
874 TRACE("(%p/%p)\n", s
, s
->context
);
876 status
= SSLGetNegotiatedCipher(s
->context
, &cipherSuite
);
879 ERR("Failed to get session cipher suite: %d\n", status
);
883 c
= get_cipher_suite(cipherSuite
);
886 ERR("Unknown session cipher suite: %#x\n", (unsigned int)cipherSuite
);
892 case schan_enc_3DES_EDE_CBC
: return 64;
893 case schan_enc_AES_128_CBC
: return 128;
894 case schan_enc_AES_128_GCM
: return 128;
895 case schan_enc_AES_256_CBC
: return 128;
896 case schan_enc_AES_256_GCM
: return 128;
897 case schan_enc_DES_CBC
: return 64;
898 case schan_enc_DES40_CBC
: return 64;
899 case schan_enc_NULL
: return 0;
900 case schan_enc_RC2_CBC_40
: return 64;
901 case schan_enc_RC2_CBC
: return 64;
902 case schan_enc_RC4_128
: return 0;
903 case schan_enc_RC4_40
: return 0;
905 case schan_enc_FORTEZZA_CBC
:
906 case schan_enc_IDEA_CBC
:
907 FIXME("Don't know block size for encryption algorithm %d, returning 0\n", c
->enc_alg
);
911 FIXME("Unknown encryption algorithm %d for cipher suite %#x, returning 0\n", c
->enc_alg
, (unsigned int)c
->suite
);
916 unsigned int schan_imp_get_max_message_size(schan_imp_session session
)
918 FIXME("Returning 1 << 14.\n");
922 ALG_ID
schan_imp_get_key_signature_algorithm(schan_imp_session session
)
924 struct mac_session
* s
= (struct mac_session
*)session
;
925 SSLCipherSuite cipherSuite
;
926 const struct cipher_suite
* c
;
929 TRACE("(%p/%p)\n", s
, s
->context
);
931 status
= SSLGetNegotiatedCipher(s
->context
, &cipherSuite
);
934 ERR("Failed to get session cipher suite: %d\n", status
);
938 c
= get_cipher_suite(cipherSuite
);
941 ERR("Unknown session cipher suite: %#x\n", (unsigned int)cipherSuite
);
947 case schan_kx_DH_DSS_EXPORT
:
948 case schan_kx_DH_DSS
:
949 case schan_kx_DHE_DSS_EXPORT
:
950 case schan_kx_DHE_DSS
:
951 return CALG_DSS_SIGN
;
953 case schan_kx_DH_RSA_EXPORT
:
954 case schan_kx_DH_RSA
:
955 case schan_kx_DHE_RSA_EXPORT
:
956 case schan_kx_DHE_RSA
:
957 case schan_kx_ECDH_RSA
:
958 case schan_kx_ECDHE_RSA
:
959 case schan_kx_RSA_EXPORT
:
961 return CALG_RSA_SIGN
;
963 case schan_kx_ECDH_ECDSA
:
964 case schan_kx_ECDHE_ECDSA
:
967 case schan_kx_DH_anon_EXPORT
:
968 case schan_kx_DH_anon
:
969 case schan_kx_DHE_PSK
:
970 case schan_kx_ECDH_anon
:
971 case schan_kx_FORTEZZA_DMS
:
974 case schan_kx_RSA_PSK
:
975 FIXME("Don't know key signature algorithm for key exchange algorithm %d, returning 0\n", c
->kx_alg
);
979 FIXME("Unknown key exchange algorithm %d for cipher suite %#x, returning 0\n", c
->kx_alg
, (unsigned int)c
->suite
);
984 SECURITY_STATUS
schan_imp_get_connection_info(schan_imp_session session
,
985 SecPkgContext_ConnectionInfo
*info
)
987 struct mac_session
* s
= (struct mac_session
*)session
;
988 SSLCipherSuite cipherSuite
;
989 const struct cipher_suite
* c
;
992 TRACE("(%p/%p, %p)\n", s
, s
->context
, info
);
994 status
= SSLGetNegotiatedCipher(s
->context
, &cipherSuite
);
997 ERR("Failed to get session cipher suite: %d\n", status
);
998 return SEC_E_INTERNAL_ERROR
;
1001 c
= get_cipher_suite(cipherSuite
);
1004 ERR("Unknown session cipher suite: %#x\n", (unsigned int)cipherSuite
);
1005 return SEC_E_INTERNAL_ERROR
;
1008 info
->dwProtocol
= schan_get_session_protocol(s
);
1009 info
->aiCipher
= schan_get_cipher_algid(c
);
1010 info
->dwCipherStrength
= schan_get_cipher_key_size(c
);
1011 info
->aiHash
= schan_get_mac_algid(c
);
1012 info
->dwHashStrength
= schan_get_mac_key_size(c
);
1013 info
->aiExch
= schan_get_kx_algid(c
);
1014 /* FIXME: info->dwExchStrength? */
1015 info
->dwExchStrength
= 0;
1020 #ifndef HAVE_SSLCOPYPEERCERTIFICATES
1021 static void schan_imp_cf_release(const void *arg
, void *ctx
)
1027 SECURITY_STATUS
schan_imp_get_session_peer_certificate(schan_imp_session session
, HCERTSTORE store
,
1028 PCCERT_CONTEXT
*ret_cert
)
1030 struct mac_session
* s
= (struct mac_session
*)session
;
1031 SECURITY_STATUS ret
= SEC_E_OK
;
1032 PCCERT_CONTEXT cert
= NULL
;
1033 SecCertificateRef mac_cert
;
1034 CFArrayRef cert_array
;
1040 TRACE("(%p/%p, %p)\n", s
, s
->context
, cert
);
1042 #ifdef HAVE_SSLCOPYPEERCERTIFICATES
1043 status
= SSLCopyPeerCertificates(s
->context
, &cert_array
);
1045 status
= SSLGetPeerCertificates(s
->context
, &cert_array
);
1047 if (status
!= noErr
|| !cert_array
)
1049 WARN("SSLCopyPeerCertificates failed: %d\n", status
);
1050 return SEC_E_INTERNAL_ERROR
;
1053 cnt
= CFArrayGetCount(cert_array
);
1054 for (i
=0; i
< cnt
; i
++) {
1055 if (!(mac_cert
= (SecCertificateRef
)CFArrayGetValueAtIndex(cert_array
, i
)) ||
1056 (SecKeychainItemExport(mac_cert
, kSecFormatX509Cert
, 0, NULL
, &data
) != noErr
))
1058 WARN("Couldn't extract certificate data\n");
1059 ret
= SEC_E_INTERNAL_ERROR
;
1063 res
= CertAddEncodedCertificateToStore(store
, X509_ASN_ENCODING
, CFDataGetBytePtr(data
), CFDataGetLength(data
),
1064 CERT_STORE_ADD_REPLACE_EXISTING
, i
? NULL
: &cert
);
1068 ret
= GetLastError();
1069 WARN("CertAddEncodedCertificateToStore failed: %x\n", ret
);
1074 #ifndef HAVE_SSLCOPYPEERCERTIFICATES
1075 /* This is why SSLGetPeerCertificates was deprecated */
1076 CFArrayApplyFunction(cert_array
, CFRangeMake(0, CFArrayGetCount(cert_array
)),
1077 schan_imp_cf_release
, NULL
);
1079 CFRelease(cert_array
);
1080 if (ret
!= SEC_E_OK
) {
1082 CertFreeCertificateContext(cert
);
1090 SECURITY_STATUS
schan_imp_send(schan_imp_session session
, const void *buffer
,
1093 struct mac_session
* s
= (struct mac_session
*)session
;
1096 TRACE("(%p/%p, %p, %p/%lu)\n", s
, s
->context
, buffer
, length
, *length
);
1098 EnterCriticalSection(&s
->cs
);
1099 status
= SSLWrite(s
->context
, buffer
, *length
, length
);
1100 LeaveCriticalSection(&s
->cs
);
1101 if (status
== noErr
)
1102 TRACE("Wrote %lu bytes\n", *length
);
1103 else if (status
== errSSLWouldBlock
)
1107 TRACE("Would block before being able to write anything\n");
1108 return SEC_I_CONTINUE_NEEDED
;
1111 TRACE("Wrote %lu bytes before would block\n", *length
);
1115 WARN("SSLWrite failed: %d\n", status
);
1116 return SEC_E_INTERNAL_ERROR
;
1122 SECURITY_STATUS
schan_imp_recv(schan_imp_session session
, void *buffer
,
1125 struct mac_session
* s
= (struct mac_session
*)session
;
1128 TRACE("(%p/%p, %p, %p/%lu)\n", s
, s
->context
, buffer
, length
, *length
);
1130 EnterCriticalSection(&s
->cs
);
1131 status
= SSLRead(s
->context
, buffer
, *length
, length
);
1132 LeaveCriticalSection(&s
->cs
);
1133 if (status
== noErr
|| status
== errSSLClosedGraceful
)
1134 TRACE("Read %lu bytes\n", *length
);
1135 else if (status
== errSSLWouldBlock
)
1139 TRACE("Would block before being able to read anything\n");
1140 return SEC_I_CONTINUE_NEEDED
;
1143 TRACE("Read %lu bytes before would block\n", *length
);
1147 WARN("SSLRead failed: %d\n", status
);
1148 return SEC_E_INTERNAL_ERROR
;
1154 BOOL
schan_imp_allocate_certificate_credentials(schan_credentials
*c
)
1156 /* The certificate is never really used for anything. */
1157 c
->credentials
= NULL
;
1161 void schan_imp_free_certificate_credentials(schan_credentials
*c
)
1165 BOOL
schan_imp_init(void)
1169 supported_protocols
= SP_PROT_SSL2_CLIENT
| SP_PROT_SSL3_CLIENT
| SP_PROT_TLS1_0_CLIENT
;
1171 #if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
1172 if(SSLGetProtocolVersionMax
!= NULL
) {
1173 SSLProtocol max_protocol
;
1177 status
= SSLNewContext(FALSE
, &ctx
);
1178 if(status
== noErr
) {
1179 status
= SSLGetProtocolVersionMax(ctx
, &max_protocol
);
1180 if(status
== noErr
) {
1181 if(max_protocol
>= kTLSProtocol11
)
1182 supported_protocols
|= SP_PROT_TLS1_1_CLIENT
;
1183 if(max_protocol
>= kTLSProtocol12
)
1184 supported_protocols
|= SP_PROT_TLS1_2_CLIENT
;
1186 SSLDisposeContext(ctx
);
1188 WARN("SSLNewContext failed\n");
1196 void schan_imp_deinit(void)
1201 #endif /* HAVE_SECURITY_SECURITY_H */