6 #ifndef SecProtocolPriv_h
7 #define SecProtocolPriv_h
9 #include <Security/SecProtocolOptions.h>
10 #include <Security/SecProtocolMetadata.h>
/*!
 * @struct sec_protocol_options_content
 *
 * Backing storage for a `sec_protocol_options_t`. Pointer members are held as `void *`
 * and the comment on each one names the object type the owner is expected to store
 * there; nothing in this header enforces those types, so accessors must cast with care.
 *
 * NOTE(review): several of the flag bits relax a protocol protection
 * (`enable_early_data`, `enable_renegotiation`, `enable_fallback_attempt`,
 * `peer_authentication_override`, `disable_sni`). Where they are set from is not
 * visible in this header — confirm they cannot be toggled by untrusted configuration.
 */
typedef struct sec_protocol_options_content {
    SSLProtocol min_version;            // lowest protocol version to negotiate — presumed from the name, confirm
    SSLProtocol max_version;            // highest protocol version to negotiate — presumed from the name, confirm

    void *ciphersuites;                 // xpc_object_t (array of uint64)
    void *application_protocols;        // xpc_object_t (array of strings); presumably ALPN identifiers
    void *identity;                     // sec_identity_t
    void *pre_shared_keys;              // xpc_object_t (array of (data, identity))

    void *key_update_block;             // sec_protocol_key_update_t
    void *key_update_queue;             // dispatch_queue_t
    void *challenge_block;              // sec_protocol_challenge_t
    void *challenge_queue;              // dispatch_queue_t
    void *verify_block;                 // sec_protocol_verify_t
    void *verify_queue;                 // dispatch_queue_t
    // NOTE(review): a custom verify_block presumably replaces or augments default trust
    // evaluation — confirm. A block that accepts unconditionally silently disables
    // certificate validation, so reviewers should inspect every caller that installs one.

    void *dh_params;                    // dispatch_data_t
    void *custom_extensions;            // sec_array_t of sec_tls_extension_t

    unsigned disable_sni : 1;                     // see sec_protocol_options_set_tls_sni_disabled
    unsigned enable_fallback_attempt : 1;         // presumably a retry at a lower protocol version — confirm downgrade protection applies
    unsigned enable_false_start : 1;              // outcome is reported via sec_protocol_metadata_get_tls_false_start_used
    unsigned enable_tickets : 1;
    unsigned enable_sct : 1;
    unsigned enable_ocsp : 1;
    unsigned enforce_ev : 1;                      // see sec_protocol_options_set_enforce_ev
    unsigned enable_resumption : 1;
    unsigned enable_renegotiation : 1;
    unsigned enable_early_data : 1;               // see sec_protocol_options_set_tls_early_data_enabled.
                                                  // NOTE(review): 0-RTT data is replayable by design (RFC 8446 §8);
                                                  // callers should enable it only for requests that tolerate replay.
    unsigned peer_authentication_required : 1;
    unsigned peer_authentication_override : 1;    // NOTE(review): the name suggests this bypasses peer authentication —
                                                  // confirm where it is honoured and who may set it.
} *sec_protocol_options_content_t;
/*!
 * @typedef sec_protocol_metadata_exporter
 *
 * Function pointer used to derive keying material from an established session.
 * The parameter shape (label, optional context, requested output length) matches a
 * TLS keying-material exporter (RFC 5705 / RFC 8446 §7.5); the header does not say so
 * explicitly, so treat that as an assumption to confirm against the implementation.
 *
 * @param handle
 * Opaque context supplied by the metadata owner (see `exporter_context`).
 *
 * @param label_len
 * Length of `label` in bytes.
 *
 * @param label
 * Exporter label bytes; a length is passed, so presumably NUL-termination is not required.
 *
 * @param context_len
 * Length of `context` in bytes.
 *
 * @param context
 * Optional exporter context bytes.
 *
 * @param exporter_len
 * Number of bytes of keying material requested.
 *
 * @return A `dispatch_data_t` holding the derived bytes. Retain/ownership semantics of
 * the returned object are not stated in this header.
 */
typedef dispatch_data_t (*sec_protocol_metadata_exporter)(void *handle, size_t label_len, const char *label,
                                                          size_t context_len, const uint8_t *context, size_t exporter_len);
/*!
 * @struct sec_protocol_metadata_content
 *
 * Backing storage for a `sec_protocol_metadata_t`: what was negotiated on a connection.
 * As with the options struct, pointer members are `void *` and the per-field comment
 * names the intended object type; accessors are responsible for casting correctly.
 */
typedef struct sec_protocol_metadata_content {
    void *peer_certificate_chain;               // sec_array_t of sec_certificate_t
    void *peer_public_key;                      // dispatch_data_t

    const char *negotiated_protocol;            // presumably the selected application protocol name; string ownership is not stated here

    SSLProtocol negotiated_protocol_version;
    SSLCipherSuite negotiated_ciphersuite;

    void *supported_signature_algorithms;       // xpc_object_t (array of uint64)
    void *request_certificate_types;            // dispatch_data
    void *ocsp_response;                        // sec_array_t of dispatch_data
    void *distinguished_names;                  // sec_array_t of dispatch_data

    void *exporter_context;                     // Opaque context for the exporter function
    sec_protocol_metadata_exporter exporter_function; // Exporter function pointer. This MUST be set by the metadata allocator.
    // NOTE(review): nothing in this header enforces the MUST above; code that receives a
    // metadata object from another component should check `exporter_function != NULL`
    // before calling through it.

    unsigned early_data_accepted : 1;           // early (0-RTT) data was accepted
    unsigned false_start_used : 1;              // see sec_protocol_metadata_get_tls_false_start_used
    unsigned ticket_offered : 1;                // see sec_protocol_metadata_get_ticket_offered
    unsigned ticket_received : 1;               // see sec_protocol_metadata_get_ticket_received
    unsigned session_resumed : 1;               // see sec_protocol_metadata_get_session_resumed
    unsigned session_renewed : 1;               // see sec_protocol_metadata_get_session_renewed

    unsigned __pad_bits : 2;                    // pads the six flag bits to a full byte.
                                                // NOTE(review): identifiers beginning with "__" are reserved
                                                // for the implementation; a name such as reserved_bits would avoid that.
} *sec_protocol_metadata_content_t;
#ifndef SEC_OBJECT_IMPL
// Forward declaration of the opaque sec_array object type (sec_array_t); the full
// definition is presumably only visible to the implementation (SEC_OBJECT_IMPL).
SEC_OBJECT_DECL(sec_array);
#endif // !SEC_OBJECT_IMPL

/*!
 * @function sec_array_create
 *
 * Create a new `sec_array_t`. The result is marked SEC_RETURNS_RETAINED: the caller
 * receives its own reference and is responsible for releasing it. Whether NULL can be
 * returned on allocation failure is not stated here — check before use.
 *
 * @return A retained `sec_array_t`.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED sec_array_t
sec_array_create(void);
91 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
93 sec_array_append(sec_array_t array
, sec_object_t object
);
95 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
97 sec_array_get_count(sec_array_t array
);
/*!
 * @block sec_array_applier_t
 *
 * Block invoked for each element when iterating a `sec_array_t` with `sec_array_apply`.
 *
 * @param index
 * Position of `object` in the array.
 *
 * @param object
 * The element at `index`.
 *
 * @return A `bool`; presumably `false` stops the iteration early, but this header does
 * not state the convention — confirm against `sec_array_apply`.
 */
typedef bool (^sec_array_applier_t)(size_t index, sec_object_t object);
102 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
104 sec_array_apply(sec_array_t array
, sec_array_applier_t applier
);
/*!
 * @block sec_protocol_tls_ext_add_callback
 *
 * Presumably invoked when the implementation needs the encoded body of a custom
 * extension to add to a handshake message.
 *
 * @param metadata
 * A valid `sec_protocol_metadata_t` instance.
 *
 * @param extension_type
 * The 2-byte identifier for the extension.
 *
 * @param data
 * Pointer to a uint8_t buffer where the encoded extension data is located.
 *
 * @param data_length
 * Pointer to a variable containing the data length. This should be set to the size of the `data` buffer.
 *
 * @param error
 * Pointer to a return error code that's populated in the event of an error.
 *
 * @return An `int` status; the success/failure convention is not stated in this header — confirm before relying on it.
 *
 * NOTE(review): `*data` is handed back to the caller by pointer, so the buffer must stay
 * valid after this block returns, presumably until the matching
 * `sec_protocol_tls_ext_free_callback` runs — confirm that lifetime contract.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
typedef int (^sec_protocol_tls_ext_add_callback)(sec_protocol_metadata_t metadata, uint16_t extension_type,
                                                 const uint8_t **data, size_t *data_length, int *error);
/*!
 * @block sec_protocol_tls_ext_free_callback
 *
 * Presumably invoked to release a buffer previously returned through
 * `sec_protocol_tls_ext_add_callback`.
 *
 * @param metadata
 * A valid `sec_protocol_metadata_t` instance.
 *
 * @param extension_type
 * The 2-byte identifier for the extension.
 *
 * @param data
 * Pointer to a uint8_t buffer where the encoded extension data is located.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
typedef void (^sec_protocol_tls_ext_free_callback)(sec_protocol_metadata_t metadata, uint16_t extension_type,
                                                   const uint8_t *data);
146 * @block sec_protocol_tls_ext_parse_callback
149 * A valid `sec_protocol_metadata_t` handle.
151 * @param extension_type
152 * The 2-byte identifier for the extension.
155 * A buffer where the encoded extension data is stored.
158 * Length of the encoded extension data.
161 * Pointer to a return error code that's populated in the event of an error.
163 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
164 typedef int (^sec_protocol_tls_ext_parse_callback
)(sec_protocol_metadata_t metadata
, uint16_t extension_type
,
165 const uint8_t *data
, size_t data_length
,
#ifndef SEC_OBJECT_IMPL
// Forward declaration of the opaque sec_tls_extension object type (sec_tls_extension_t);
// the full definition is presumably only visible to the implementation (SEC_OBJECT_IMPL).
SEC_OBJECT_DECL(sec_tls_extension);
#endif // !SEC_OBJECT_IMPL
174 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
176 sec_tls_extension_get_type(sec_tls_extension_t extension
);
/*!
 * @function sec_tls_extension_copy_add_block
 * @function sec_tls_extension_copy_parse_block
 * @function sec_tls_extension_copy_free_block
 *
 * Return the add / parse / free callback blocks attached to a `sec_tls_extension_t`.
 * Each result is marked SEC_RETURNS_RETAINED: the caller receives its own reference
 * and is responsible for releasing it. Whether a NULL block can be returned is not
 * stated here — check before invoking the block.
 *
 * @param extension
 * A `sec_tls_extension_t` instance.
 */
API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED sec_protocol_tls_ext_add_callback
sec_tls_extension_copy_add_block(sec_tls_extension_t extension);

API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED sec_protocol_tls_ext_parse_callback
sec_tls_extension_copy_parse_block(sec_tls_extension_t extension);

API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
SEC_RETURNS_RETAINED sec_protocol_tls_ext_free_callback
sec_tls_extension_copy_free_block(sec_tls_extension_t extension);
190 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
192 sec_tls_extension_create(uint16_t type
, sec_protocol_tls_ext_add_callback add_block
,
193 sec_protocol_tls_ext_parse_callback parse_block
,
194 sec_protocol_tls_ext_free_callback free_block
);
198 * @function sec_protocol_options_add_tls_extension
201 * Add support for a custom TLS extension.
203 * Clients such as QUIC use this when custom TLS extensions are needed.
206 * A `sec_protocol_options_t` instance.
209 * A `sec_tls_extension_t` instance.
211 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
213 sec_protocol_options_add_tls_extension(sec_protocol_options_t options
, sec_tls_extension_t extension
);
218 * @function sec_protocol_options_set_tls_early_data_enabled
221 * Enable or disable early (0-RTT) data for TLS.
224 * A `sec_protocol_options_t` instance.
226 * @param early_data_enabled
227 * Flag to enable or disable early (0-RTT) data.
229 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
231 sec_protocol_options_set_tls_early_data_enabled(sec_protocol_options_t options
, bool early_data_enabled
);
234 * @function sec_protocol_options_set_tls_sni_disabled
 * Disable or enable the TLS SNI extension. The `sni_disabled` flag defaults to `false` (SNI enabled).
240 * A `sec_protocol_options_t` instance.
242 * @param sni_disabled
 * Set to `true` to disable use of the TLS SNI extension, `false` to enable it.
245 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
247 sec_protocol_options_set_tls_sni_disabled(sec_protocol_options_t options
, bool sni_disabled
);
250 * @function sec_protocol_options_set_enforce_ev
253 * Enable or disable EV enforcement.
256 * A `sec_protocol_options_t` instance.
259 * Flag to determine if EV is enforced.
261 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
263 sec_protocol_options_set_enforce_ev(sec_protocol_options_t options
, bool enforce_ev
);
266 * @function sec_protocol_metadata_get_tls_false_start_used
269 * Determine if False Start was used.
272 * A `sec_protocol_metadata_t` instance.
274 * @return True if False Start was used, and false otherwise.
276 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
278 sec_protocol_metadata_get_tls_false_start_used(sec_protocol_metadata_t metadata
);
281 * @function sec_protocol_metadata_get_ticket_offered
284 * Determine if a ticket was offered for session resumption.
287 * A `sec_protocol_metadata_t` instance.
289 * @return True if a ticket was offered for resumption, and false otherwise.
291 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
293 sec_protocol_metadata_get_ticket_offered(sec_protocol_metadata_t metadata
);
296 * @function sec_protocol_metadata_get_ticket_received
299 * Determine if a ticket was received upon completing the new connection.
302 * A `sec_protocol_metadata_t` instance.
304 * @return True if a ticket was received from the peer (server), and false otherwise.
306 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
308 sec_protocol_metadata_get_ticket_received(sec_protocol_metadata_t metadata
);
311 * @function sec_protocol_metadata_get_session_resumed
314 * Determine if this new connection was a session resumption.
317 * A `sec_protocol_metadata_t` instance.
319 * @return True if this new connection was resumed, and false otherwise.
321 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
323 sec_protocol_metadata_get_session_resumed(sec_protocol_metadata_t metadata
);
326 * @function sec_protocol_metadata_get_session_renewed
329 * Determine if this resumed connection was renewed with a new ticket.
332 * A `sec_protocol_metadata_t` instance.
334 * @return True if this resumed connection was renewed with a new ticket, and false otherwise.
336 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
338 sec_protocol_metadata_get_session_renewed(sec_protocol_metadata_t metadata
);
342 #endif /* SecProtocolPriv_h */